第九周/20211129红队推送

【特别推荐】

=============

XLL技术分析：能否为Office文件钓鱼破局？

https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/

【漏洞研究】

Apache JSPWiki 任意文件删除漏洞（CVE-2021-44140）

https://cve.report/CVE-2021-44140

所有Windows版本均受影响，Cisco Talos发现一个高危提权漏洞

https://www.cnbeta.com/articles/tech/1207121.htm

TP-Link TL-XVR1800L 设备零日漏洞

https://securityaffairs.co/wordpress/125016/hacking/0-day-tp-link-wi-fi-6.html?utm\_source=feedly&utm\_medium=rss&utm\_campaign=0-day-tp-link-wi-fi-6

漏洞发掘者WP：CVE-2021-43557（Apache APISIX）

https://xvnpw.github.io/posts/cve\_2021\_43557\_apache\_apisix\_path\_traversal\_in\_request\_uri\_variable/

Popping iOS <=14.7 with IOMFB（CVE-2021-30807）

https://jsherman212.github.io/2021/11/28/popping\_ios14\_with\_iomfb.html

Poc&Patch：Exchange RCE（CVE-2021-42321）

https://www.bleepingcomputer.com/news/security/exploit-released-for-microsoft-exchange-rce-bug-patch-now/

【红队工具】

适用于红队演习的各种EDR相关信息

https://github.com/Mr-Un1k0d3r/EDRs/

4-ZERO-3：Tool to bypass 403/401

https://github.com/Dheerajmadhukar/4-ZERO-3

Katana：Python Tool For google Hacking

https://github.com/TebbaaX/Katana

不用写代码的图形化爬虫平台

https://github.com/ssssssss-team/spider-flow

汽车安全测试工具集

https://github.com/firmianay/Vehicle-Security-Toolkit

【红队文章】

WP：HackTheBox - Union

https://0xdf.gitlab.io/2021/11/22/htb-union.html

使用JADX和Frida进行Andriod应用逆向

https://httptoolkit.tech/blog/android-reverse-engineering/

从APPLE.COM的XSS发现到构建POC获取PII

https://zseano.medium.com/finding-xss-on-apple-com-and-building-a-proof-of-concept-to-leak-your-pii-information-d7bc93cff2df

2021信息安全挑战赛Writeup完整版

https://spaceraccoon.dev/the-infosecurity-challenge-2021-full-writeup-battle-royale-for-30k

---

更多详情请查看原文