记一道取证题分析和试错过程
今年线上线下ctf比赛都出现了很多取证题,在此拿一道题来进行分析,并讲述工具利用
Aggregator
朝鲜、伊朗、俄罗斯背景黑客组织在新型攻击中采用ClickFix技术
4 months 2 weeks ago
朝鲜、伊朗、俄罗斯黑客利用ClickFix技术发动高针对性间谍攻击。
CVE-2022-20547 | Google Android 13.0 Bluetooth AdapterService.java permission (A-240301753)
4 months 2 weeks ago
A vulnerability, which was classified as critical, has been found in Google Android 13.0. This issue affects some unknown processing of the file AdapterService.java of the component Bluetooth. The manipulation leads to permission issues.
The identification of this vulnerability is CVE-2022-20547. It is possible to launch the attack on the local host. There is no exploit available.
It is recommended to apply a patch to fix this issue.
vuldb.com
CVE-2009-4429 | Alexander Hass Sections module up to 6.x-1.1 Name cross site scripting (EDB-10485 / XFDB-54860)
4 months 2 weeks ago
A vulnerability, which was classified as problematic, has been found in Alexander Hass Sections module up to 6.x-1.1. This issue affects some unknown processing. The manipulation of the argument Name leads to cross site scripting.
The identification of this vulnerability is CVE-2009-4429. The attack may be initiated remotely. Furthermore, there is an exploit available.
It is recommended to upgrade the affected component.
vuldb.com
Cyber threats now a daily reality for one in three businesses
4 months 2 weeks ago
Businesses are losing out on an average of $98.5 million a year as a consequence of cyber threats, fraud, regulatory hurdles and operational inefficiencies, according to research from FIS and Oxford Economics. The cost of disharmony is highest among technology companies, followed by insurance, financial services and fintech respondents. The study revealed nine sources of disharmony, defined as disruptions and inefficiencies across the money lifecycle, with the most significant ones including: 88% of respondents identified … More →
The post Cyber threats now a daily reality for one in three businesses appeared first on Help Net Security.
Help Net Security
一个LummaStealer样本的反混淆分析
4 months 2 weeks ago
Lumma Stealer;反混淆;
2025数字中国创新大赛-移动互联网(APP)安全积分争夺赛初赛 Writeup
4 months 2 weeks ago
2025数字中国创新大赛-移动互联网(APP)安全积分争夺赛初赛 Writeup
CVE-2023-36022 | Microsoft Edge prior 118.0.2088.88/119.0.2151.44 Remote Code Execution
4 months 2 weeks ago
A vulnerability classified as critical was found in Microsoft Edge. Affected by this vulnerability is an unknown functionality. The manipulation leads to Remote Code Execution.
This vulnerability is known as CVE-2023-36022. The attack can be launched remotely. There is no exploit available.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2023-36034 | Microsoft Edge prior 118.0.2088.88/119.0.2151.44 use after free
4 months 2 weeks ago
A vulnerability, which was classified as critical, has been found in Microsoft Edge. Affected by this issue is some unknown functionality. The manipulation leads to use after free.
This vulnerability is handled as CVE-2023-36034. The attack may be launched remotely. There is no exploit available.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2023-36029 | Microsoft Edge up to 104.0.1293.47 on Android
4 months 2 weeks ago
A vulnerability, which was classified as problematic, was found in Microsoft Edge on Android. This affects an unknown part. The manipulation leads to an unknown weakness.
This vulnerability is uniquely identified as CVE-2023-36029. It is possible to initiate the attack remotely. There is no exploit available.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2021-4431 | msyk FMDataAPI up to 22 FMDataAPI_Sample.php cross site scripting
4 months 2 weeks ago
A vulnerability classified as problematic has been found in msyk FMDataAPI up to 22. Affected is an unknown function of the file FMDataAPI_Sample.php. The manipulation leads to cross site scripting.
This vulnerability is traded as CVE-2021-4431. It is possible to launch the attack remotely. There is no exploit available.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2023-45360 | MediaWiki prior 1.35.12/1.39.5/1.40.1 i18n Message MediaWiki:Youhavenewmessagesfromusers youhavenewmessagesmanyusers/youhavenewmessages cross site scripting
4 months 2 weeks ago
A vulnerability has been found in MediaWiki and classified as problematic. Affected by this vulnerability is the function youhavenewmessagesmanyusers/youhavenewmessages of the file MediaWiki:Youhavenewmessagesfromusers of the component i18n Message Handler. The manipulation leads to cross site scripting.
This vulnerability is known as CVE-2023-45360. The attack can be launched remotely. There is no exploit available.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2023-46822 | Visser Labs Store Exporter for WooCommerce Plugin up to 2.7.2 on WordPress cross site scripting
4 months 2 weeks ago
A vulnerability was found in Visser Labs Store Exporter for WooCommerce Plugin up to 2.7.2 on WordPress. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to cross site scripting.
The identification of this vulnerability is CVE-2023-46822. The attack may be initiated remotely. There is no exploit available.
vuldb.com
用户数超 12 亿的「美版闲鱼」,盘活了整个 Facebook
4 months 2 weeks ago
匪夷所思的「交易」背后,藏着脸书初心的「社交」本质。
CVE-2006-5645 | Trend Micro ServerProtect up to 5.58 RAR Archive Header resource management (EDB-2912 / XFDB-35572)
4 months 2 weeks ago
A vulnerability has been found in Trend Micro ServerProtect up to 5.58 and classified as critical. Affected by this vulnerability is an unknown functionality of the component RAR Archive Header Handler. The manipulation leads to improper resource management.
This vulnerability is known as CVE-2006-5645. The attack can be launched remotely. Furthermore, there is an exploit available.
It is recommended to apply a patch to fix this issue.
vuldb.com
Why CISOs are watching the GenAI supply chain shift closely
4 months 2 weeks ago
In supply chain operations, GenAI is gaining traction. But according to Logility’s Supply Chain Horizons 2025 report, many security leaders remain uneasy about what that means for data protection, legacy tech, and trust in automation. The survey of 500 global supply chain leaders shows that 97% are already using some form of GenAI. But only a third are using tools designed specifically for supply chain tasks. And nearly half (43%) say they worry about how … More →
The post Why CISOs are watching the GenAI supply chain shift closely appeared first on Help Net Security.
Help Net Security
Midnight Blizzard在大使馆网络钓鱼中部署了新的GrapeLoader恶意软件
4 months 2 weeks ago
名为“Midnight Blizzard”的间谍组织发起了一场新的鱼叉式网络钓鱼活动,目标是欧洲的外交机构,包括大使馆。
“Midnight Blizzard”,又名“APT29”,是一个与俄罗斯对外情报局(SVR)有关的国家支持的网络间谍组织。
据Check Point Research称,新的攻击活动引入了一种以前未见过的恶意软件加载程序“GrapeLoader”,以及一种新的“WineLoader”后门。
恶意软件泛滥
这次网络钓鱼活动始于2025年1月,以一封从bakenhof (bakenhof)发送的欺骗外交部的电子邮件开始。com‘或’silry '。]com,邀请收件人参加品酒活动。
该电子邮件包含一个恶意链接,如果满足受害者目标条件,则触发下载ZIP归档文件(wine.zip)。如果不是,它会将受害者重定向到合法的外交部网站。
该存档文件包含一个合法的PowerPoint可执行文件(wine.exe),一个程序运行所需的合法DLL文件,以及恶意的GrapeLoader有效载荷(ppcore.dll)。
恶意软件加载程序通过DLL侧加载执行,它收集主机信息,通过Windows注册表修改建立持久性,并联系命令和控制(C2)来接收它在内存中加载的shellcode。
grapheloader执行链
GrapeLoader可能会取代之前使用的第一级HTA加载器RootSaw,它更隐蔽、更复杂。
Check Point强调其使用“PAGE_NOACCESS”内存保护和通过“ResumeThread”运行shellcode之前的10秒延迟,以隐藏反病毒和EDR扫描仪的恶意有效负载执行。
隐身的内存负载执行
GrapeLoader在这次活动中的主要任务是秘密侦察和交付WineLoader,它以木马化的VMware Tools DLL文件的形式到达。
一个后门
WineLoader是一个模块化的后门程序,可以收集详细的主机信息并促进间谍活动。
收集的数据包括:IP地址、运行进程名、Windows用户名、Windows机器名、进程ID、特权级别。
被盗的主机数据结构
这些信息可以帮助识别沙箱环境,并评估投放后续有效载荷的目标。
在最新的APT29活动中发现的新变体使用RVA复制,导出表不匹配和垃圾指令严重混淆,使其更难进行逆向工程。
解包程序比较
Check Point指出,与旧版本相比,新的WineLoader变体中的字符串混淆起着关键的反分析作用。
研究人员解释,以前像FLOSS这样的自动化工具可以很容易地从未包装的WINELOADER样本中提取和消除混淆字符串。新版本的改进实现破坏了这一过程,使自动字符串提取和去混淆失败。
由于该活动具有高度针对性,并且恶意软件完全在内存中运行,Check Point无法检索WineLoader的完整第二阶段有效载荷或额外插件,因此其功能的全部范围或每个受害者的定制性质仍然模糊。
Check Point的研究结果表明,APT29的战术和工具集不断发展,变得更加隐蔽和先进,需要多层防御和提高警惕来发现和阻止。
胡金鱼
CVE-2012-4932 | Simple Invoices prior 2007-02-02 index.php having cross site scripting (EDB-38115 / ID 803073)
4 months 2 weeks ago
A vulnerability, which was classified as problematic, was found in Simple Invoices. This affects an unknown part of the file index.php. The manipulation of the argument having leads to cross site scripting.
This vulnerability is uniquely identified as CVE-2012-4932. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.
It is recommended to upgrade the affected component.
vuldb.com
Blue95 Topanga 释出
4 months 2 weeks ago
想要体验下复古的 Windows 95 吗?不需要真的去安装 Windows 95,你可以用 Linux。Blue95 是一个致力于集成 Windows 95 Xfce 主题再现 Windows 95 外观的 Linux 发行版,它是基于 Fedora,在 Fedora 42 释出之后,Blue95 释出了基于 Fedora 42 和 Xfce 4.20 桌面环境的 Blue95 Topanga。新版本集成了新的应用,包括用 jspaint.app 再现 Windows 95 画图应用的 Winblues Paint,将现有 Windows 95/98/ME/XP 主题应用于 Xfce 的工具 Chicago95 Plus!,为办公软件 LibreOffice 加入了定制 Windows 95 图标,默认 Flathub 应用商店 Flatpost,以及 Audacious 等等。
CVE-2002-1714 | Microsoft Internet Explorer up to 6.0 HTML DATA denial of service (EDB-21404 / XFDB-8904)
4 months 2 weeks ago
A vulnerability was found in Microsoft Internet Explorer up to 6.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component HTML Handler. The manipulation of the argument DATA leads to denial of service.
This vulnerability is known as CVE-2002-1714. The attack can be launched remotely. Furthermore, there is an exploit available.
It is recommended to upgrade the affected component.
vuldb.com