Aggregator

介绍如何利用Burp Suite手动检测OS命令注入漏洞的方法，强调其严重性和潜在风险，并提供实际步骤指导。

在Facebook Messenger for Windows中发现的关键漏洞通过路径遍历和DLL劫持技术实现远程代码执行（RCE），最终获得$111,750奖金。攻击链利用Messenger客户端对文件名处理不当的问题，在受限环境下通过精心设计的文件名突破限制，并利用Viber等应用的DLL加载机制实现代码执行。这一案例展示了多个低危漏洞结合后的巨大威胁，并强调了客户端验证和环境理解的重要性。

文章分享了作者参加CRTA（Red Team Analyst）认证考试的经历与学习心得。课程内容涵盖Active Directory基础知识及攻击技术（如Kerberoasting、Golden Ticket），适合Red Teaming新手。作者建议学员先完成视频学习再激活30天实验室，并记录命令与步骤以加深理解。考试难度适中但需灵活思考，最终作者在第二次尝试中成功通过。整体而言，课程设计优秀且实用性强。

文章讲述了作者通过时间基有效载荷、sqlmap和细致的侦察发现第一个SQL注入漏洞的经历，强调了SQL注入在Web安全中的重要性，并分享了耐心和细致侦察在漏洞挖掘中的关键作用。

文章讲述了一位新人通过时间戳载荷、sqlmap和侦察技术成功发现SQL注入漏洞的经历，展示了SQL注入在网络安全中的重要性，并强调了侦察在漏洞挖掘中的关键作用。

这篇文章介绍了rsync协议及其在文件同步中的应用。rsync通过增量传输算法提高效率，默认使用873端口。用户可通过匿名认证连接rsync服务，并使用命令行工具列出共享目录和下载文件。文章还展示了如何通过rsync获取flag.txt文件以完成任务。

关键词网络攻击俄罗斯背景黑客组织“噪音熊”（Noisy Bear）近期针对哈萨克斯坦能源行业发起了一场精心策划

关键词数据泄露近日，围绕 Salesloft 旗下 Drift 应用的安全事件有了最新进展。

关键词安全漏洞Django开发团队近日发布关键安全更新，修复该流行Python Web框架中存在的一个高危漏洞

关键词Claude9月5日，美国人工智能公司 Anthropic 在其官网发布公告，宣布即日起禁止多数股权由中

API已成为数字基础设施的核心，但随着使用量激增和复杂性增加，传统安全措施难以应对。AI和自动化进一步加剧了风险。现代API生态系统涉及多种协议和云环境，传统工具无法有效保护。Security Edge通过边缘安全、低延迟和实时监控提供解决方案。

A newly disclosed security flaw in pgAdmin4, the widely used open-source tool for managing PostgreSQL databases, has raised serious concerns among developers and database administrators across the world. The vulnerability, tracked as CVE-2025-9636, was recently highlighted in the GitHub Advisory Database and classified as High severity. The issue lies in a Cross-Origin Opener Policy (COOP) vulnerability that affects versions of […]

The post PgAdmin Vulnerability Allows Attackers to Gain Unauthorized Account Access appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Технические стандарты оказались мощнее армий — и лишь один игрок понял это вовремя.

作者在对目标网站进行子域名侦察时，使用subfinder发现两个dashboard子域名，并通过ffuf工具进一步fuzzing发现了更多潜在子域名。

360发布大模型安全卫士，以“四大智能体”破解AI安全难题

A vulnerability has been found in elunez eladmin up to 2.7 and classified as problematic. This affects the function queryErrorLogDetail of the file /api/logs/error/1 of the component SysLogController. The manipulation leads to improper authorization. This vulnerability is traded as CVE-2025-10084. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability was found in SourceCodester Pet Grooming Management Software 1.0 and classified as critical. This vulnerability affects unknown code of the file manage_website.php. The manipulation results in unrestricted upload. This vulnerability is known as CVE-2025-10085. It is possible to launch the attack remotely. Furthermore, an exploit is available.

A vulnerability was found in fuyang_lipengjun platform 1.0.0. It has been classified as critical. This issue affects the function queryAll of the file /adposition/queryAll of the component AdPositionController. This manipulation causes improper authorization. This vulnerability is handled as CVE-2025-10086. The attack can be initiated remotely. Additionally, an exploit exists. Affects another part than CVE-2025-9936.

A vulnerability classified as critical has been found in Ditty Plugin up to 3.1.57 on WordPress. Affected by this issue is some unknown functionality. Performing manipulation results in server-side request forgery. This vulnerability is cataloged as CVE-2025-8085. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability identified as problematic has been detected in Open Design Alliance CDE inWEB SDK. This impacts an unknown function of the component Setting Handler. The manipulation leads to information disclosure. This vulnerability is listed as CVE-2024-12564. The attack may be initiated remotely. There is no available exploit. You should upgrade the affected component.