Aggregator

漏洞赏金平台承诺双赢，但部分企业利用“不会修复”标签、狭窄范围或悄悄打补丁规避支付。猎手们投入大量时间却无回报，真实攻击链被定义为“范围外”。

夜班清洁工 Rosa 在 NexaCorp 工作时意外发现公司安全漏洞：从 QR 码提示、《1984》书中的线索到《水培入门》中的数据流解决方案。这些发现揭示了 CEO 绕过 MFA 的方式及公司隐藏的比特币矿机等秘密。

Name: ENOWARS 9 (an ENOWARS event.)
Date: July 19, 2025, noon — 19 July 2025, 21:00 UTC  [add to calendar]
Format: Attack-Defense
On-line
Offical URL: https://9.enowars.com/
Rating weight: 100.00
Event organizers: ENOFLAG

ИИ научили всё делать за вас. Кроме одного — не нарваться на мошенников.

A sophisticated cyberattack campaign targeting Microsoft SharePoint servers has been discovered exploiting a newly weaponized vulnerability chain dubbed “ToolShell,” enabling attackers to gain complete remote control over vulnerable systems without authentication. Eye Security, a Dutch cybersecurity firm, identified the active exploitation on July 18, 2025, revealing what security researchers describe as one of the most […]

The post SharePoint 0-Day RCE Vulnerability Actively Exploited in the Wild to Gain Full Server Access appeared first on Cyber Security News.

用户希望编辑游戏库存以获取大量虚拟货币，并接受可能被封号的风险。

该问题源于AES算法自实现过程中类型误用导致密钥泄露，解决此问题需要熟悉AES算法的实现过程，能够发现异常点加以利用

Cisco has issued an updated advisory regarding a critical vulnerability in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) products. This flaw enables remote attackers to execute arbitrary code on the...

The post Critical Cisco ISE RCE (CVSS 10.0) Follows Active FortiWeb Exploits appeared first on Penetration Testing Tools.

在一次日常渗透过程中，遇到了传输过程进行加密的网站，利用bp插件autoDecoder还原了加解密过程。由于对插件以及js代码分析还不太熟练，折腾了好久，记录了实操过程中遇到的关键点

随着大语言模型（LLM）能力的爆炸性提升，越来越多企业和开发者将其用于问答系统、代码生成、自动代理等关键场景。然而，安全性问题也随之而来。传统的越狱（jailbreak）手法虽然已经被广泛研究，但近年来一种更隐蔽、对抗性更强的攻击方式逐渐浮出水面——分解攻击（Decomposition Attack）

文件上传功能作为现代Web应用的核心交互模块，其安全防护水平直接关系到系统的整体安全性。本文基于OWASP、CVE等权威研究，结合2024-2025年最新漏洞案例，系统剖析了文件上传场景下的XSS攻击技术演进路径。研究揭示：云原生架构的普及使攻击面从传统Web服务器扩展至对象存储服务，防御策略需要构建包含七层检测机制的立体防护体系。通过分析Ghost CMS（CVE-2024-23724）、Squ

某些淘系APP使用私有协议（如SPDY）进行网络通信，导致传统抓包工具（如Charles、Fiddler）无法直接抓取数据包。本文将介绍如何绕过该私有协议，并分析其请求参数的生成过程。

在互联网大厂工作中接触学习了MCP与安全的应用以及MCP本身的安全，本文为MCP应用与安全开篇，先带读者从0开始学习研究MCP底层逻辑原理，并实操开发两个MCP Server服务，从基础架构入手，探讨MCP的核心机制及安全挑战。

结合调式分析malloc源码，即其漏洞利用

简单性和显而易见性完全是主观的，与数学几乎无关。

当前环境出现异常，需完成验证后方可继续访问。

JetBrains宣布IntelliJ IDEA从2025.3起采用统一发行版，合并社区免费版和付费 Ultimate版为单一安装包。免费用户获得更多功能，试用更方便。

链接无法访问，请检查链接是否正确或提供更多文章信息以便总结。

A vulnerability, which was classified as problematic, was found in Microsoft Windows. Affected is an unknown function of the component Imaging Component. The manipulation leads to information disclosure. This vulnerability is traded as CVE-2025-47980. It is possible to launch the attack on the local host. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Microsoft Windows. It has been rated as critical. Affected by this issue is some unknown functionality of the component Connected Devices Platform Service. The manipulation leads to use after free. This vulnerability is handled as CVE-2025-48000. Attacking locally is a requirement. There is no exploit available. It is recommended to apply a patch to fix this issue.