0x00 Vulnerabilities
1. XSS vulnerability in GitHub private Pages
https://robertchen.cc/blog/2021/04/03/github-pages-xss
2. Privilege escalation vulnerability in the well-known CMS Umbraco (CVE-2020-29454)
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/elevate-yourself-to-admin-in-umb-cms-890-cve-2020-29454/
0x01 Tools
1. EXIF-GPS-Steganography: hides short text messages in images using EXIF GPS data
https://github.com/LucasN-dev/EXIF-GPS-Steganography
https://lucasn-dev.github.io/EXIF-GPS-Steganography/
2. wappalyzergo: a Go version of Wappalyzer, high-performance, for large-scale automated scanning
https://github.com/projectdiscovery/wappalyzergo
3. Scylla: a minimalist information-gathering engine that finds advanced information about usernames, websites, phone numbers and more
https://github.com/DoubleThreatSecurity/Scylla
4. CANalyse: a vehicle network analysis and attack tool
https://github.com/KartheekLade/CANalyse
https://kartheeklade.medium.com/what-is-canalyse-and-how-do-i-control-hack-cars-through-telegram-part-1-de358640becf
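5. uac: a live response collection tool for incident response that uses built-in tools to automate the collection of artifacts from Unix-like systems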
https://github.com/tclahr/uac
0x02 Malware
1. Attackers post fake job offers on LinkedIn to spear-phish professionals
https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire
2. The FoundCore RAT used by the APT group Cycldek in an advanced cyber-espionage campaign targeting Vietnamese government and military entities
https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/
0x03 Techniques
1. Adding XCOFF structure support to Ghidra with Kaitai Struct
https://blog.silentsignal.eu/2021/04/06/adding-xcoff-support-to-ghidra-with-kaitai-struct/
2. Fuzzing JavaScript npm/nodejs/code (omggif) with jsfuzz
https://www.youtube.com/watch?v=1U_jIeHesZg
3. Threat hunting on AWS IPs with Shodan and SQL
https://steampipe.io/blog/use-shodan-to-test-aws-public-ip
4. Time for an upgrade
https://blog.grimm-co.com/2021/04/time-for-upgrade.html
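5. Demonstration of various attacks and tasks performed on a compromised Windows computer via Windows PowerShell (the built-in Mimikatz module, as part of a domain controller)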
https://www.hackingarticles.in/powershell-empire-for-pentester-mimikatz-module/
6. A closer look at the security of React Native biometric libraries
https://blog.nviso.eu/2021/04/06/a-closer-look-at-the-security-of-react-native-biometric-libraries/
7. Introduction to an exploit toolkit
https://exploitpack.gitbook.io/exploit-pack-manual-pages/