每日安全资讯-2020.7.6

声明:本文所有内容仅用于学习和研究目的,且不能违反《网络安全法》、《刑法》等相关要求,尤其禁止传播,或用于非善良目的。您查看本文,即视为遵守以上约定,否则责任自负。

今日导读:AVideo <8.9权限提升和文件包含导致了RCE、mount_apfs TCC绕过和提权、踩坑记录-Redis(Windows)的getshell、BIG5漏洞EXP已出等。

【漏洞分析区】
1、AVideo < 8.9 Privilege Escalation and File Inclusion that led to RCE
https://cube01.io/blog/Avideo-Remote-Code-Execution.html

2、Bypassing file upload filter by source code review in Bolt CMS
https://stazot.com/boltcms-file-upload-bypass/

3、Yet Another Froala 0-Day XSS
https://blog.compass-security.com/2020/07/yet-another-froala-0-day-xss/

4、CVE-2020-9771 - mount_apfs TCC bypass and privilege escalation

5、CVE-2020-13664 rupal 8 remote code execution- by estimating installation time of site

【技术分享区】
6、踩坑记录-Redis(Windows)的getshell
https://xz.aliyun.com/t/7940

7、Moodle LMS — SQL Injection using Unicode Characters

8、My First $15,000 Microsoft Windows Insider Preview Bug Bounty | How to Get Started

9、Code Audit of Boxcryptor
https://research.kudelskisecurity.com/2020/07/03/code-audit-of-boxcryptor/

10、Hardware breakpoints and exceptions on Windows

11、Breaking HTTPS in the IoT: Practical Attacks For Reverse Engineers

12、窥探有方——调试Released SGX Enclave
https://www.anquanke.com/post/id/209744

13、Art of bug bounty: a way from JS file analysis to XSS

14、Case Study I - Browser Anomaly with Facebook Apps -1500$
https://blog.easysiem.com/application-security/case-study-i-browser-anomaly-with-facebook-apps-1500usd

15、SecWiki周刊(2020/06/29-2020/07/05)
https://www.sec-wiki.com/weekly/331

2 1