“How CVE-2025–4123 Turned Grafana Into a Hacker’s Playground”
Grafana中的高危漏洞CVE-2025–4123因未正确处理用户输入路径,导致路径遍历、XSS、SSRF及账户接管等连锁攻击,最终引发全面账户控制风险。
Aggregator
Payload in the Haystack: Using Wayback & ParamSpider to Find a Forgotten Upload Endpoint
9 months 4 weeks ago
深夜渗透测试中,利用自动化工具发现隐藏上传端点并成功执行ZIP Slip漏洞获取权限,最终获得赏金资助生活。
Payload in the Haystack: Using Wayback & ParamSpider to Find a Forgotten Upload Endpoint
9 months 4 weeks ago
深夜渗透测试中,通过ParamSpider和Wayback组合工具发现隐藏/upload端点,利用ZIP Slip漏洞成功入侵目标系统并获得赏金。
“From a 404 Page to $5k: How I Chained Forgotten Bugs Into a Critical Exploit”
9 months 4 weeks ago
从看似无用的路径遍历漏洞入手,通过深入分析和创造性思考,成功将其转化为远程代码执行,并获得高额赏金。
“From a 404 Page to $5k: How I Chained Forgotten Bugs Into a Critical Exploit”
9 months 4 weeks ago
从看似无用的漏洞入手,通过参数测试发现本地文件包含(LFI)漏洞,利用特殊路径构造请求,最终实现远程代码执行(RCE),获得高额奖金,展现了耐心和创造力在安全研究中的重要性。
“$ The Art of Smart Recon: How I Found 10+ Vulnerabilities Without Firing a Single Exploit”
9 months 4 weeks ago
文章讲述了作者在漏洞挖掘过程中从依赖自动化工具到掌握侦察技术的转变。通过关注被忽略的攻击面、手动调查和历史数据,作者成功发现大量漏洞,尤其是收购公司遗留系统中的高危问题。
“$ The Art of Smart Recon: How I Found 10+ Vulnerabilities Without Firing a Single Exploit”
9 months 4 weeks ago
作者在漏洞挖掘中认识到侦察的重要性,指出常见错误如忽视隐藏攻击面、依赖自动化工具和忽略历史数据,并通过分析收购公司遗留系统找到大量漏洞。
Tumblr Post+ Creator and Got Paid $100
9 months 4 weeks ago
Tumblr的Post+系统中发现一个低影响但意外的漏洞:用户可订阅已退出Post+的创作者。该漏洞涉及访问控制和支付流程问题,并最终为报告者带来$100奖励。
How Our Team Bypassed YouTube Authorization and Uploaded Videos to ANY Channel — $6,337 Bounty
9 months 4 weeks ago
作者发现YouTube内部工具Video Builder存在严重授权绕过漏洞,攻击者可修改请求中的channelId参数上传视频至任意频道。该漏洞因后端缺乏授权验证导致,Google已修复并奖励$6,337。
I want to brute force my attendance in UNI (SEATS APP)
9 months 4 weeks ago
文章描述了一位学生希望破解学校使用的SEATS考勤系统。该系统使用6位数代码进行签到,手动尝试耗时过长(仅15分钟可输入),因此寻求暴力破解方法以快速获取正确代码。
Popular npm linter packages hijacked via phishing to drop malware
9 months 4 weeks ago
Popular JavaScript libraries eslint-config-prettier and eslint-plugin-prettier were hijacked this week and turned into malware droppers, in a supply chain attack achieved via targeted phishing and credential theft. [...]
Ax Sharma
3 дня, 12 компаний, 400 ГБ данных: Akira выжигает бизнес за бизнесом
9 months 4 weeks ago
Компании падают, как домино — без правил, без жалости, без шанса на спасение.
CVE-2025-6771
9 months 4 weeks ago
Currently trending CVE - Hype Score: 29 - OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2,12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution
CVE-2025-4428
9 months 4 weeks ago
Currently trending CVE - Hype Score: 29 - Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests.
Snake Keylogger Evades Windows Defender and Scheduled Tasks to Harvest Login Credentials
9 months 4 weeks ago
A sophisticated phishing campaign targeting Turkish defense and aerospace enterprises has emerged, delivering a highly evasive variant of the Snake Keylogger malware through fraudulent emails impersonating TUSAŞ (Turkish Aerospace Industries). The malicious campaign distributes files disguised as contractual documents, specifically using the filename “TEKLİF İSTEĞİ – TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe” to deceive recipients into […]
The post Snake Keylogger Evades Windows Defender and Scheduled Tasks to Harvest Login Credentials appeared first on Cyber Security News.
Tushar Subhra Dutta
手机系统不一样,如何远程帮父母的小米手机解决问题?
9 months 4 weeks ago
文章探讨了如何远程帮助父母使用小米手机的问题。建议包括通过视频通话指导操作、使用小米通话应用进行远程控制或统一手机品牌以简化问题。然而,这些方法各有优缺点,最终建议还是尽量面对面解决问题。
【重保情报资讯】2025-07-19
9 months 4 weeks ago
登录tix.qq.com获取更多资讯
ChatGPT"s GPT-5-reasoning-alpha model spotted ahead of launch
9 months 4 weeks ago
文章指出GPT-5可能即将发布,并整合了多个模型的突破;同时OpenAI正在测试名为o3-alpha的新模型,在编码和前端设计方面表现更优。
ChatGPT's GPT-5-reasoning-alpha model spotted ahead of launch
9 months 4 weeks ago
GPT-5 might be just a few days or weeks away, as we've spotted references to a new model called gpt-5-reasoning-alpha-2025-07-13. [...]
Mayank Parmar
第131篇:黑客猎杀黑客•意大利黑客军火商HackingTeam被攻陷全纪录
9 months 4 weeks ago