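Analysis of an Admin Back-End SQL Injection Vulnerability in Hongcms 3.0.0
* Author: BlackWater. This article is part of the CodeSec original content reward program; reproduction without permission is prohibited. 1. Background: HongCMS is a lightweight Chinese-English enterprise website system. It loads very quickly, is simple to use, has concise and rigorous code, is feature-rich, and is completely free and open source. It can be used to build all kinds of Chinese and English websites, and it is also a small development framework. 2. Vulnerability description: When performing the clear-database operation in the admin back end, the program does not strictly filter the database name passed in, so malicious SQL statements can be inserted and executed. 3. Affected versions...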
Post-quantum security on Airbus’s radar
A great deal of investment is being made in developing quantum computers, especially by China, and once that goal has been reached, many current encryption methods could be compromised. The ability of...
25 Cybersecurity Job Interview Questions (and Answers)
As with any job interview, an applicant for a cybersecurity position needs to speak knowledgeably about the specific job’s responsibilities and the field in general. Information security job interview...
Bluetooth Security Flaw Could Allow Attackers to Snoop on Your Data
According to a report from Carnegie Mellon's US Computer Emergency Response Team (CERT), hardware from Apple, Google and Intel is exposed to a Bluetooth security risk. A potentially critical flaw is...
New Spectre cyberthreat evades patches
"Spectre" was a prescient name for the processor vulnerability that takes advantage of speculative execution. Since its initial discovery in January, 2018, at least three...
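GitLab Releases Security Updates 11.1.2, 11.0.5 and 10.8.7
GitLab has released security updates 11.1.2, 11.0.5 and 10.8.7. These versions contain a number of important security fixes, and it is strongly recommended that all GitLab installations be upgraded to one of these versions immediately. Vulnerability details will be published on the issue tracker in approximately 30 days. The security updates cover the following areas: Markdown DoS Information Disclosure Prometheus Metrics CSRF in System Hooks...
Symantec: Hacker Group Leafminer Is Launching Large-Scale Cyberattacks Against the Middle East
Symantec has published a report stating that a hacker group is using publicly available custom tools to attack infrastructure and government organizations in the Middle East. The group, known as "Leafminer", has used a variety of intrusion techniques to infiltrate a large number of organizations in Azerbaijan, Israel, Lebanon and Saudi Arabia. Researchers observed the group using watering-hole websites, vulnerability scanning and brute-force login attempts to steal data. The researchers consider the group "highly active"; it has been carrying out various attack campaigns since early 2017. The sectors the group targets include energy, government, finance and telecommunications....
The Importance of Awareness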
You know what your wardrobe consists of, both the things you wear regularly, as well as your old uniform or letter jacket, and that Christmas sweater you wear as a courtesy to Aunt Mabel who spent all...
Why Penetration Testing and Assessments Should Include Real-World Scenarios
Penetration testing and other technical assessments are designed to be practical, useful exercises to examine your security defenses and look for holes in your network or applications. There’s real...
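Java Code Audit | Source Code Audit of an Open-Source System
* Author: 黑客小平哥. This article is part of the CodeSec original content reward program; reproduction without permission is prohibited. Material on Java source code auditing has always been fairly scarce, so today I took some time to write up a simple open-source code audit. The target is an open-source template for building company websites. Because the project is fairly small, this time I will only walk through how a few of the more serious vulnerabilities were found; the other minor vulnerabilities, including XSS and the like, are not covered. I hope this helps everyone learn....
Crypto Wallet to Replace Private Keys With Encrypted QR Codes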
Decentralized cryptocurrency wallet SafeWallet is launching a new QR code-based user identification system to replace mnemonic phrases and private keys, the firm announced Friday. The app, operated by...
Fileless Threat CactusTorch Abuses .NET to Infect Systems
Over the past several months, security researchers have observed increased activity from a malware threat called CactusTorch that uses fileless techniques and reputable Windows executables to avoid...
This CEO Explains Why the Market of Cyber Security Has Never Seen a Downfall...
Opinions expressed by Entrepreneur contributors are their own. After leaving its mark in cyber security space, London-based Avast is now exploring the IoT market with home automation technologies and...
CSO Spotlight: Nasrin Rezai, General Electric
Nasrin Rezai is GE’s Global Chief Information and Product Cyber Security Officer, responsible for all aspects of cybersecurity strategy and operations for GE products and enterprise, including incident...
Introduction to SQL Injection
SQL Injection is another type of security attack that can do serious damage to your application. It's important to find SQL Injection vulnerabilities before a malicious user does. In SQL Injection, a...
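Security Research | Analysis of the explorer One-Click Cryptomining Malware
Recently our Haiqing Security Research Lab captured a new cryptomining trojan sample, for which no analysis has yet appeared online. Compared with earlier trojans, this sample has "evolved" considerably: its methods are stealthier and it is harder to remove. We analyzed its characteristics in the hope of giving the industry new insight into this class of trojan and, in turn, uncovering more effective protective measures. 1. Trojan overview: Operating environment: PowerShell v3 and above (v1/v2 not tested) 2. Trojan characteristics...
[Vulnerability Analysis] MODx Revolution Remote Code Execution Vulnerability CVE-2018-1000207
Recently, MODx published an official advisory stating that MODx Revolution 2.6.4 and earlier versions contain 2 high-severity vulnerabilities through which an attacker can remotely execute arbitrary code, thereby gaining control of the website or deleting arbitrary files. This article analyzes the CVE-2018-1000207 vulnerability, covering the root cause and PoC construction for MODx versions 2.5.1 and 2.6.4 respectively. Table of contents 0x01 Overview Recently, MODx published an official advisory stating that its MODx...
SafeWallet aims to make cryptocurrency transactions easier and more secure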
Anyone who has dabbled in Bitcoin or other cryptocurrencies knows that the wallet process for storing and using coins can be a bit of a pain. Wallet users are often forced to use long private keys and...
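FBI Wanted List: These 41 Hackers Are Wanted
The US Federal Bureau of Investigation (FBI) lists 41 "most wanted hackers" on its official website, covering some of the world's most highly skilled hackers, who are suspected of carrying out state-sponsored espionage, breaking into US water facilities, and more. The FBI's 41 "most wanted hackers" (in no particular order) 1. Iranian hackers The information from the FBI website is as follows: Behzad Mesri Cyber activity: stole HBO's "Game of Thrones" and demanded a ransom. Mesri is also known as "Skote...
Analysis of Using Winrm.vbs to Bypass Application Whitelisting and Execute Arbitrary Unsigned Code
Disclaimer: This article is for technical discussion only; any other use is strictly prohibited. Bypass technique: winrm.vbs (a Windows-signed script in System32) can execute attacker-controlled XSL; it is not subject to the restrictions of the relevant script host, and achieves arbitrary unsigned code execution....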