Aggregator

文章讲述了一次HTTP参数污染攻击的实践经历,通过发送重复URL参数成功绕过身份验证,访问内部API并获取隐藏数据,展示了如何利用技术细节发现并利用漏洞。

文章描述了一个针对Joomla 3.7.0漏洞的渗透测试过程，包括SQL注入、反向shell、SSH登录及Red Hat Linux权限提升，最终获取用户和root权限。

文章描述了一次针对模拟诈骗网站TechSupport1的渗透测试过程。通过Nmap扫描发现开放服务后，利用SMB枚举获取到包含Subrion CMS和WordPress凭证的文件。解码Subrion密码后发现漏洞并实现远程代码执行（RCE），最终通过权限提升获得root访问权限。

Threat actors have begun exploiting the Oracle Database Scheduler’s External Jobs feature to execute arbitrary commands on corporate database servers, enabling stealthy initial footholds and rapid escalation of privileges. By abusing the extjobo.exe executable, attackers can run encoded PowerShell commands, establish encrypted tunnels with Ngrok, and deploy ransomware, all while evading detection through aggressive cleanup […]

The post Threat Actors Exploit Oracle Database Scheduler to Infiltrate Corporate Networks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Attackers increasingly exploit Microsoft Exchange inbox rules to maintain persistence and exfiltrate data within enterprise environments.  A newly released tool, Inboxfuscation, leverages Unicode-based obfuscation to craft malicious inbox rules that slip past conventional security controls.  Developed by Permiso, the Inboxfuscation framework demonstrates how attackers can weaponize Exchange’s rule engine, creating stealthy persistence mechanisms that evade […]

The post New Inboxfuscation Tool That Bypasses Microsoft Exchange Inbox Rules and Evade Detection appeared first on Cyber Security News.

上传PHP反向壳到目标服务器，配置本地监听器并通过HTTP触发反向连接。成功获取用户凭据及密码，并利用PrintSpoofer进行权限提升以获取管理员桌面标志。

文章介绍了JSON Web Token (JWT) 的基本结构、用途及其潜在的安全风险。JWT由三部分组成：Header、Payload 和 Signature，常用于API认证和会话管理。文章还探讨了JWT的混淆技术、常见攻击方法（如暴力破解HMAC密钥、算法混淆、“none”算法攻击和声明伪造）以及防御措施。

每天收到大量垃圾邮件后，作者发现Google Apps Script可自动化清理Gmail中的求职提醒和促销邮件。

Spring Data JPA Auditing自动跟踪数据修改记录（创建者、更新者、时间），减少手动操作错误。通过@EnableJpaAuditing启用，并在实体中添加Auditable字段即可实现数据完整性和合规性需求。

A vulnerability described as critical has been identified in Linux Kernel up to 6.0.2. This vulnerability affects the function assoc_data of the component wifi. Executing manipulation can lead to use after free. This vulnerability is registered as CVE-2022-50413. The attack requires access to the local network. No exploit is available. Upgrading the affected component is recommended.

Вебинар пройдёт 23 сентября в 14:00 мск.

Airports in London, Brussels and Berlin are among those working to restore check-in systems and overcome delays after a ransomware attack on a U.S. technology provider.

Classroom Manager 获得 2025 年 Tech & Learning 卓越奖，在 Secondary Education 类别中脱颖而出。该工具通过浏览器扩展帮助教师实时监控学生设备活动、控制网络访问并保持学生专注。ManagedMethods 对此表示祝贺，并强调其使命是提升学习的安全性和有效性。

本场大赛聚焦于工业领域网络安全和数据安全领域典型场景，通过联邦靶场平台加多个分靶场的形式来提供环境，将业务场景抽象转化为关键技术挑战，着重考察选手针对工业控制系统、车联网系统、网络通信等关键基础设施的安全风险识别能力、高效漏洞修复技术以及灵活多变的即时应对策略，综合提升选手所具备的网络安全技能和网络攻防实战水平。

Преступники используют главный портал борьбы с преступностью, чтобы украсть данные граждан.

攻击者利用模型的漏洞，通过精心设计的输入补丁等，诱导模型做出错误预测或行为

SonicWall released a security advisory to assist their customers with protecting systems impacted by the MySonicWall cloud backup file incident. SonicWall’s investigation found that a malicious actor performed a series of brute force techniques against their MySonicWall.com web portal to gain access to a subset of customers’ preference files stored in their cloud backups. While credentials within the files were encrypted, the files also included information that actors can use to gain access to customers’ SonicWall Firewall devices. 

CISA recommends all SonicWall customers follow guidance in the advisory,[1] which includes logging into their customer account to verify whether their device is at risk. Customers with at-risk devices should implement the advisory’s containment and remediation guidance immediately. 

 

[1] Sonicwall.com, MySonicWall Cloud Backup File Incident, accessed September 22, 2025, https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330.

本文探讨了“氛围编码”（Vibe Coding）的概念及其引发的争议。氛围编码是一种非开发者通过自然语言描述需求，让生成式AI自动生成代码的方法。文章指出，这种方法虽然提高了创作效率，但也带来了安全风险。与专业开发者使用智能AI加速开发不同的是，非开发者使用氛围编码可能缺乏必要的安全措施。文中分析了AI生成代码可能存在的漏洞、恶意代码集成以及冗余问题，并强调了开发者对生成代码的责任和审查的重要性。

石油行业作为国民经济的重要支柱，其工业安全不仅直接影响经济社会的平稳运行，更是保障国家能源安全和社会公共安全的基石。 为扎实支撑护航新型工业化网络安全专项行动，进一步推动提升石油行业网络保障能力，国家工业信息安全发展研究中心创新行业赋能模式，聚焦石油行业网络安全人才选拔、技术研究等需求，举办石油工业场景锦标赛。 赛事聚焦石油行业工业控制系统、网络与数据安全核心领域，深度结合石油储

由于我自己学习tabby时发现好像没有特别仔细的入门文章，因此想写一个比较详细的从入门到学习挖掘链子思路文章，以减少大家入门tabby的时间，因为自己也是一个小菜，所以有啥不太对的地方欢迎各位佬们指出。