Aggregator

In mid-summer 2025, the ToolShell vulnerability (CVE-2025-53770) became the catalyst for a major wave of compromises. Attackers exploited

The post ToolShell Exploit: China-Linked Hackers Target Global Critical Infrastructure appeared first on Penetration Testing Tools.

--此次漏洞挖掘，通过简单的手机验证码绕过，多次复用，最终达到了接管数百企业账号以及数万学生账号的成果。

North Korea has intensified its reliance on cybercrime and the overseas remote employment of its citizens to circumvent

The post North Korea Stole $2.8 Billion in Crypto to Fund Weapons Programs, Report Says appeared first on Penetration Testing Tools.

Polar2025秋季个人挑战赛web

在日常的渗透测试中，我们常会遇到一片空白的页面，让许多师傅感到无从下手。其实，这种“空白”往往只是表象，背后可能隐藏着未被发现的管理后台、API接口甚至是安全漏洞。本文总结了几种实用的思路，旨在将“空白页”变为突破口，打开渗透测试的新视角。

关于ASIS CTF比赛还是很多好玩的东西，因为最近在研究前端安全的东西，很适合做这类的题，所以如果你也在研究前端安全可以来看看这篇文章

流量样本涉及到webshell流量、CS流量的识别、解密及分析，感觉跟实战很接近，和各位师傅分享下分析思路。

A vulnerability categorized as critical has been discovered in Tenda CH22 1.0.0.1. Affected by this issue is the function fromNatStaticSetting of the file /goform/NatStaticSetting. Executing manipulation of the argument page can lead to buffer overflow. This vulnerability is registered as CVE-2025-12322. It is possible to launch the attack remotely. Furthermore, an exploit is available.

通过定制化Prompt实现小型项目高效代码生成，兼顾规范性与实用性

大华智慧园区综合管理平台审计

The Lazarus hacking group has resurfaced—this time targeting European defence firms engaged in unmanned aerial systems development. ESET

The post Operation DreamJob: Lazarus Targets European Drone Makers with Malware Lures appeared first on Penetration Testing Tools.

Submit #674151 / VDB-330101

A vulnerability was found in ZTE ZXMP M721 5.30.020.001P01. It has been rated as problematic. Affected by this vulnerability is an unknown functionality. Performing manipulation results in use of hard-coded cryptographic key . This vulnerability is cataloged as CVE-2025-46582. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in Google WearOS. It has been declared as problematic. Affected is an unknown function of the component Messages. Such manipulation leads to insufficient verification of data authenticity. This vulnerability is listed as CVE-2025-12080. The attack must be carried out locally. There is no available exploit. It is recommended to upgrade the affected component.

通过调试混淆JS代码，分析sign生成机制，定位关键加密流程，并用Python还原算法成功绕过校验。

本文涵盖了二进制安全从入门到精通的完整知识体系，建议读者结合实际环境进行练习，在实践中不断深化理解。如有疑问，欢迎交流讨论。

模糊测试作为自动化漏洞发现的核心技术，已成为现代软件安全测试的重要组成部分。libFuzzer作为LLVM生态中的代表性工具，凭借其覆盖率驱动的智能变异策略和易于集成的特性，广泛应用于各类软件项目的安全测试中 本文从模糊测试的基本原理出发，系统介绍libFuzzer的核心概念、环境配置、实战应用和调试技巧。通过具体的代码示例和实战案例，帮助读者掌握libFuzzer的基础使用方法，建立完整的模糊

用友 ServiceDispatcherServlet1、前言在最近的安全通报中，用友 U8 Cloud 曝光出若干能被链式利用的缺陷：一类是 ServiceDispatcherServlet 的反序列化入口，但其中有很多条链路可允许攻击者将文件写入应用可执行或可访问的位置或者执行命令。这类问题常被组合成“先得执行权限，再落地 webshell”的攻击链。本章将从原理出发，分层解释有回显与无回显场

The PhantomCaptcha operation proved to be one of the most sophisticated phishing campaigns of recent months, directed at

The post PhantomCaptcha: Sophisticated Phishing Used to Hijack Aid Groups appeared first on Penetration Testing Tools.

比尔盖茨支持的核电公司 TerraPower 通过了美国核管理委员会的环评（Environmental Impact Statement），批准了核设施的建造许可证。TerraPower 的非核设施已从 2024 年 6 月开始建造。TerraPower 计划建造的凯默勒一号机组（Kemmerer Unit 1）将是美国首座使用液态钠冷却而不是水冷却的商业核反应堆。凯默勒是燃煤 Naughton 发电厂的所在地，该发电厂将于 2026 年停止使用燃煤，十年后停止燃烧天然气。TerraPower 项目将用一个 345 兆瓦的反应堆取代它，TerraPower 反应堆将开创性地使用许多以前未在商业上部署过的技术。其中包括需要最少换料的反应堆设计、液态钠冷却以及熔盐蓄热系统，该系统将为发电厂提供更好地与可再生能源整合必需的灵活性。