Bookmarks

Suddenly couldn't sleep. After thinking it over carefully, I decided I should set myself a goal after all. I used to worry that venturing into unknown territory would produce nothing, but that was all just idle fear.
This year's task: first build up a lot of reading ability and accumulate foundational knowledge... hoping to step into the security research field in the future...
Demystifying Security Research - Part 1
https://alexplaskett.github.io/demystifying-security-research-part1/
His life goals
http://blog.cr4.sh/p/blog-page.html

Kernel
Common patterns for Windows IOCTL handling; a fuzzer will follow in later parts
https://www.cyberark.com/resources/threat-research-blog/finding-bugs-in-windows-drivers-part-1-wdm
1. DoS: the length is not checked, so the subsequent exception is not handled properly
2. Read: because the length is not zeroed and the I/O manager's read length is too long, an out-of-bounds read occurs. The question is why 0x10000 is read repeatedly; I guess other code reads it multiple times, or the SystemBuffer allocation, or...
3. Arbitrary write,
IOCTLs can be debugged with WinDbg
https://blog.csdn.net/m0_46125480/article/details/120607653

Shellcode LPE, bypassing DEP and keeping the execution flow balanced when exploiting an overflow; this is also similar to finding gadgets
https://www.anquanke.com/post/id/219087?display=mobile

OS security issues and assessment points: mainly about drawing boundaries and expanding the surface related to OS vulnerabilities; during exploitation, some OS issues are needed to further increase the impact. Focuses on testing the OS layer on its own. Not read in detail.
https://swarm.ptsecurity.com/a-kernel-hacker-meets-fuchsia-os/

Using U-Boot to "control" a router device, modifying a U-Boot patch, installing BusyBox
https://www.anquanke.com/post/id/275630

Some points on Spring Boot env: you can modify some request args and obtain some data; a point I missed before
https://www.jianshu.com/p/ae4be3af5231
https://www.anquanke.com/post/id/275261

GitLab hard-coding issue: a hard-coded username and password were set for OAuth-authenticated users; applies generally
https://www.anquanke.com/post/id/272220

Tomcat JMX related material and detailed Nmap specifics
https://www.anquanke.com/post/id/85442
https://xz.aliyun.com/t/11450
https://github.com/4ra1n/tomcat-jmxproxy-rce-exp
JBoss Remoting 2 protocol and deserialization analysis
https://blog.play2win.top/2022/06/02/JBoss%20remoting2%E5%8D%8F%E8%AE%AE%E5%8F%8A%E5%85%B6%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%88%86%E6%9E%90/
Browser exploitation comes down to heap spraying: spray up to the wasm address and fill in shellcode; this needs an understanding of the memory layout of arrays. This one is not particularly clear; if there is a chance to implement the exploit, it can be analyzed in detail
https://infosecwriteups.com/zero-day-vulnerability-chromium-v8-js-engine-issue-1303458-use-after-free-in-x64-instruction-e874419436a6
Debugging Edge's Chakra engine; very detailed, but given my lack of browser fundamentals, my understanding of the general browser memory model is still lacking
https://connormcgarr.github.io/type-confusion-part-1/

Inserting custom structures in IDA
https://hshrzd.wordpress.com/2022/02/09/ida-tips-how-to-use-a-custom-structure/
Privilege escalation by stealing the access token; WinDbg debugging
https://hshrzd.wordpress.com/2017/06/22/starting-with-windows-kernel-exploitation-part-3-stealing-the-access-token/

Some fuzzer articles and some emulation material
https://qiuhao.org/

On air-gap (passive) attack methods and some small bits of knowledge on power management
Mordechai Guri
https://www.zdnet.com/article/academics-steal-data-from-air-gapped-systems-using-pc-fan-vibrations/
ACPI fans
https://www.manualslib.com/manual/473375/Intel-D945plnm.html?page=20#manual
DPTF (Dynamic Platform and Thermal Framework)
https://zhuanlan.zhihu.com/p/55859374
ACPI (Advanced Configuration and Power Interface)
https://blog.csdn.net/gaojy19881225/article/details/80027213
What happens mechanically behind closing a laptop lid
https://zhuanlan.zhihu.com/p/54714978

Unorthodox operations
Jira SSRF; not read closely
https://github.com/assetnote/jira-mobile-ssrf-exploit
Lateral movement; unread
https://github.com/RiccardoAncarani/talks/blob/master/F-Secure/unorthodox-lateral-movement.pdf

WPA3 Wi-Fi; recently, looking at these bands and channels, it made me think of high frequencies...
https://conference.hitb.org/hitbsecconf2022sin/session/attacking-wpa3-new-vulnerabilities-and-exploit-framework/

YouTube material on PHP, Ruby, Node.js, Django and JavaScript
https://twitter.com/dhakal_ananda/status/1544574015779606529

Windows 11 exploit primitives
https://windows-internals.com/one-i-o-ring-to-rule-them-all-a-full-read-write-exploit-primitive-on-windows-11/
https://conference.hitb.org/hitbsecconf2022sin/session/demystifying-remote-linux-kernel-exploitation/
https://github.com/openssl/openssl/issues/18625
https://github.com/hugsy/gef
https://arxiv.org/pdf/2207.01739.pdf
https://github.com/asdfugil/haxx
https://github.com/SummitRoute/imdsv2_wall_of_shame
https://github.com/zhuowei/SimServeriOS/blob/main/SimServeriOS/main.m
https://www.kitploit.com/2022/07/cspparse-tool-to-evaluate-content.html
https://github.com/kubesphere/kubeeye
https://socfortress.medium.com/windows-registry-forensic-analysis-using-chainsaw-wazuh-agent-and-sigma-rules-40dbceba7201
https://fuzzinglabs.com/rust-security-training/
https://conference.hitb.org/hitbsecconf2022sin/session/edr-evasion-primer-for-red-teamers/
https://mp.weixin.qq.com/s/k–9E7arucCai3ul6yxTKA
https://www.eventbrite.com/e/hardik-shah-finding-security-vulnerabilities-through-fuzzing-tickets-378979155857
https://github.com/executemalware/Malware-IOCs/blob/main/2022-07-05%20Emotet%20(E4)%20IOCs
https://github.com/whichbuffer/Lockbit-Black-3.0/blob/main/Threat%20Spotlight%20Lockbit%20Black%203.0%20Ransomware.pdf
https://montrehack.ca/2022/07/20/introduction-blockchain-security.html
https://www.microsoft.com/security/blog/2022/07/05/hive-ransomware-gets-upgrades-in-rust/
https://github.com/nkatasekonya/SXSS
https://github.com/quarkslab/binbloom
https://github.com/vivami/SauronEye
https://jsecurity101.medium.com/wmi-internals-part-1-41bb97e7f5eb
https://mayfly277.github.io/posts/GOADv2/
https://github.com/Orange-Cyberdefense/GOAD
https://labs.detectify.com/2022/07/06/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/
https://github.com/h3xduck/TripleCross
https://gist.github.com/Cracked5pider/1857e292a9fec28cba88bed80d4e509d
https://github.com/alexbieber/Bug_Bounty_writeups
https://www.openssl.org/news/secadv/20220705.txt
https://github.com/thinkst/canarytokens/security/advisories/GHSA-5675-3424-hpqr
https://www.accidentalrebel.com/converting-a-malware-dropper-to-x64-assembly.html
https://www.maltego.com/blog/investigating-usernames-using-the-maigret-transform-for-maltego/
https://github.com/electron/electron/security/advisories/GHSA-mq8j-3h7h-p8g7
All-version LPE shellcode, plus a token analysis from a certain WeChat official account and an LPE analysis from a certain knowledge-sharing circle
https://github.com/winterknife/PINKPANTHER
https://github.com/0xToxin/Malware-IOCs/blob/main/Nanocore/Nanocore%20-%2005072022
https://github.com/citronneur/pamspy
https://github.com/BishopFox/sliver
https://blog.exodusintel.com/2022/06/23/tp-link-wr940n-wr941nd-uninitialized-pointer-vulnerability/
https://inteltechniques.com/
https://github.com/byt3bl33d3r/OffensiveNim/pull/51
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell
https://github.com/yardenshafir/IoRingReadWritePrimitive
https://www.hackers-arise.com/post/osint-google-hacking-and-dorks-to-find-key-information
https://twitter.com/frycos
https://www.twitch.tv/gamozo
https://github.com/Renegade-Labs/5head
https://x86re.com/
https://research.nccgroup.com/2022/07/05/flubot-the-evolution-of-a-notorious-android-banking-malware/
https://bugs.chromium.org/p/project-zero/issues/detail?id=2271
https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
https://xelkomy.medium.com/how-i-was-able-to-get-1000-bounty-from-a-ds-store-file-dc2b7175e92c
https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/
IPC
https://csandker.io/2021/01/10/Offensive-Windows-IPC-1-NamedPipes.html
https://csandker.io/2021/02/21/Offensive-Windows-IPC-2-RPC.html
https://csandker.io/2022/05/24/Offensive-Windows-IPC-3-ALPC.html


Suddenly remembered a line; it's quite interesting...
I originally wanted to use NLP to do the clustering, but unexpectedly, as soon as I looked at NLP material I got sleepy, so I listened to an NLP lecture half-asleep and that was the end of it. Truly awful... Thinking it over, I'll just track, identify and cluster by hand... It isn't suitable at this stage anyway... The road ahead is too long; I'll grind as far as I can...

Besides absorbing lots of fragmented external knowledge, it seems something essential is missing: one, practicing; two, truly understanding; three, explaining it clearly. The benefit is having a certain foundation, so when you meet a new topic or new technology you can quickly get a grasp of it... but only a grasp.
Commonalities
At the start, absorption is fragmented: wide scope, many knowledge areas, lots of foundational knowledge to absorb; for unknown fields this counts as understanding a tiny bit, not as being experienced.
After the fragments, extract the commonalities, that is, computer fundamentals, studying historical vulnerabilities, understanding the target's architecture, optimizing test methods, finding vulnerabilities, exploiting vulnerabilities,
In the end I found that all the output is generalized output... that is, going into detail produced breadth products... conclusive content without detailed specifics... To form conclusive content you need detailed research and support. Just as "the Earth is round" is a conclusion that needs no technical argument: everyone knows the Earth is round and nobody needs to agonize over why. That is common sense, and common sense is a conclusion, but the content in the details can be used to prove other conclusions... In the end I found I lack many detailed products, that is, the so-called ability to track continuously...

Theory
Inevitably, first look at the whole system to get familiar with the framework (from the perspective of historical vulnerabilities or of development); next, normalize the attack techniques; then the discovery methods: review historical tools, learn historical tools, black-box fuzzing and white-box fuzzing. Black-box fuzzing requires analyzing opcodes, generating test data from preconditions, instrumentation and memory monitoring; white-box fuzzing generates test data from preconditions and requires syntax analysis, source instrumentation and monitoring. Catch the exception, debug, trace, and find the essential cause of the trigger. For exploitation, understand the memory layout, form an initial shellcode, bypass system protection mechanisms, adjust the context to prevent crashes, produce the final shellcode, optimize it, follow patch updates and follow system defenses... This process is not always fixated on one aspect; sometimes new things bring you new ideas. After all, once the scope is set, the generalized parts are roughly the same, so it comes down to seeking variation... A noob like me knows my many shortcomings, and I have not yet figured out how to seek a breakthrough...
