[ { "title": "泛微e9分析思路", "link": "https://xz.aliyun.com/news/92131", "published": "2026-05-13 12:53:11", "id": "https://xz.aliyun.com/news/92131", "summary": { "@type": "html", "#text": "本文基于泛微e9(9.00.210804版本),系统阐述OA系统的安全审计方法。文章涵盖环境搭建、六大类路由(/weaver/、/api/、/services/*、/dwr/*等)的分析,详细剖析SecurityMain安全过滤机制、XssRequestWeblogic参数过滤、登录绕过等技术要点。通过FileDownloadLocation文件读取、browser.jsp SQL注入等实战案例," } }, { "title": "copy failed 原理详解", "link": "https://xz.aliyun.com/news/92128", "published": "2026-05-12 14:34:18", "id": "https://xz.aliyun.com/news/92128", "summary": { "@type": "html", "#text": "Copy Fail (CVE-2026-31431) 是 Linux 内核身份验证加密模块中的一个逻辑错误。它允许**非特权用户向任意可读文件的页缓存中写入 4 字节的任意数据,并且支持多次写入**" } }, { "title": "【漏洞研究】多层内容解析链引发的 XSS 语义错位绕过及根因分析", "link": "https://xz.aliyun.com/news/92125", "published": "2026-05-12 05:28:32", "id": "https://xz.aliyun.com/news/92125", "summary": { "@type": "html", "#text": "在 Markdown、公式渲染等富内容处理场景下,由于第三方组件与浏览器底层(HTML、URL、JS 解析器)在实体解码、协议提取和规范化处理上存在机制差异,极易引发解析层面的语义错位,导致了XSS防御体系的 Bypass" } }, { "title": "GraalVM Polyglot 沙箱逃逸:跨语言上下文 RCE", "link": "https://xz.aliyun.com/news/92120", "published": "2026-05-11 09:34:57", "id": "https://xz.aliyun.com/news/92120", "summary": { "@type": "html", "#text": "从受限JavaScript沙箱到宿主Java环境的完整攻击链构造与纵深防御" } }, { "title": "记一次实战文件上传的简单bypass", "link": "https://xz.aliyun.com/news/92118", "published": "2026-05-11 07:09:29", "id": "https://xz.aliyun.com/news/92118", "summary": { "@type": "html", "#text": "文字来自本人实战经历(已修复)" } }, { "title": "复现 ICLR 2026 在审《TrojanPraise》:从 12% 到 42% 的 LoRA 越狱调参实战", "link": "https://xz.aliyun.com/news/92116", "published": "2026-05-11 06:16:03", "id": "https://xz.aliyun.com/news/92116", "summary": { "@type": "html", "#text": "一个越狱调参实验" } }, { "title": "Defender与svchost", "link": "https://xz.aliyun.com/news/92112", "published": "2026-05-10 18:09:18", "id": "https://xz.aliyun.com/news/92112", "summary": { "@type": "html", "#text": "Defender与svchost" } }, { "title": "提示词注入也能获得上万美元赏金?Gemini App 漏洞分析", "link": "https://xz.aliyun.com/news/92110", "published": "2026-05-10 03:25:47", "id": "https://xz.aliyun.com/news/92110", "summary": { "@type": "html", "#text": "分析最近 Gemini App 的两个间接提示词注入漏洞,总结间接提示词注入实战攻击手法" } }, { "title": "伪装为HelloGPT安装程序的银狐木马样本分析", "link": "https://xz.aliyun.com/news/92109", "published": "2026-05-10 03:16:44", "id": "https://xz.aliyun.com/news/92109", "summary": { "@type": "html", "#text": "在野银狐样本分析" } }, { "title": "ASM 劫持:绕过、篡改与无痕驻留", "link": "https://xz.aliyun.com/news/92108", "published": "2026-05-09 11:56:52", "id": "https://xz.aliyun.com/news/92108", "summary": { "@type": "html", "#text": "通过Attach API动态注入Agent,利用ASM在字节码层面改写目标类的方法体,实现认证逻辑的运行时绕过、业务逻辑的精确篡改,以及Agent自身的无痕持久化。" } }, { "title": "AMSI对抗技术", "link": "https://xz.aliyun.com/news/92105", "published": "2026-05-08 15:53:30", "id": "https://xz.aliyun.com/news/92105", "summary": { "@type": "html", "#text": "AMSI对抗技术" } }, { "title": "Java Attach API内存注入", "link": "https://xz.aliyun.com/news/92103", "published": "2026-05-08 11:15:26", "id": "https://xz.aliyun.com/news/92103", "summary": { "@type": "html", "#text": "通过 Java Attach API的底层Unix Domain Socket通信协议,结合Linux内核memfd_create系统调用实现纯内存态Agent注入。" } }, { "title": "HackTheBox AirTouch:一场从 SNMP 泄露打进 WPA2 无线内网的攻击链", "link": "https://xz.aliyun.com/news/92102", "published": "2026-05-08 10:15:01", "id": "https://xz.aliyun.com/news/92102", "summary": { "@type": "html", "#text": "本文记录 HackTheBox 靶机 AirTouch 的完整渗透过程。初始阶段仅发现 SSH 服务开放,但通过 UDP 扫描定位到 SNMP 服务,并利用默认 community string 读取到 consultant 账号密码。登录后发现目标处于 Docker 容器化无线实验环境中,进一步枚举虚拟无线网卡与网络拓扑。随后针对 AirTouch-Internet 执行监听、Deauth 攻击" } }, { "title": "伪装成10086官网流量的Cobalt Strike木马深度分析", "link": "https://xz.aliyun.com/news/92100", "published": "2026-05-07 15:45:48", "id": "https://xz.aliyun.com/news/92100", "summary": { "@type": "html", "#text": "海量IP地址字符串转码生成shellcode、Beacon木马伪造Referer请求头为10086官网" } }, { "title": "提示词注入原理及注入开源模型的一种特定手法", "link": "https://xz.aliyun.com/news/92098", "published": "2026-05-07 03:21:38", "id": "https://xz.aliyun.com/news/92098", "summary": { "@type": "html", "#text": "简单讲讲chat_template。" } }, { "title": "从客户端加密配置到伪造签名:一次支付金额篡改漏洞的挖掘实录", "link": "https://xz.aliyun.com/news/92096", "published": "2026-05-07 00:52:17", "id": "https://xz.aliyun.com/news/92096", "summary": { "@type": "html", "#text": "从客户端加密配置到伪造签名:一次支付金额篡改漏洞的挖掘实录" } }, { "title": "ISCC2026 web WP", "link": "https://xz.aliyun.com/news/92095", "published": "2026-05-06 09:24:30", "id": "https://xz.aliyun.com/news/92095", "summary": { "@type": "html", "#text": "iscc2026web方向wp" } }, { "title": "针对RSA攻击的总结", "link": "https://xz.aliyun.com/news/92094", "published": "2026-05-06 08:56:16", "id": "https://xz.aliyun.com/news/92094", "summary": { "@type": "html", "#text": "主要是围绕RSA的coppersmith、动态题目、RSA变种展开" } }, { "title": "[原创]trx ctf 2026 house of fishing", "link": "https://xz.aliyun.com/news/92088", "published": "2026-05-06 02:55:24", "id": "https://xz.aliyun.com/news/92088", "summary": { "@type": "html", "#text": "文章首发于看雪论坛 [原创]trx ctf 2026 house of fishing 参考文献TRX CTF 2026 house-of-fishing Writeup · rawpayload前言看了一下 trxctf 2026 的堆题,这题看上去很简单,只需要一个任意地址写将 *admin 修改成目标的地址即可触发后门函数,从而getshell,但是程序没有 show() 功能,因此无法通过" } }, { "title": "2026长城杯决赛game题解", "link": "https://xz.aliyun.com/news/92087", "published": "2026-05-06 02:08:24", "id": "https://xz.aliyun.com/news/92087", "summary": { "@type": "html", "#text": "主要还是放在逆向上" } }, { "title": "第三届“长城杯”网数智安全大赛(防护赛)总决赛Java题部分", "link": "https://xz.aliyun.com/news/92085", "published": "2026-05-05 11:40:15", "id": "https://xz.aliyun.com/news/92085", "summary": { "@type": "html", "#text": "尝尝长城杯国赛决赛,还是挺有意思的." } }, { "title": "Apache Shiro 反序列化与权限绕过漏洞分析及利用", "link": "https://xz.aliyun.com/news/92083", "published": "2026-05-05 06:12:11", "id": "https://xz.aliyun.com/news/92083", "summary": { "@type": "html", "#text": "前言:在平时测一些站点的时候,几乎都会有登录框或者一些权限存在区分的地方,在这些地方大部分又是使用shiro框架来负责权限操作的;网上的一些原理或者操作太过抽象和分散,于是这篇文章就是谈谈shiro框架的一些漏洞合集和简单分析。首先什么是shiro框架呢?Apache Shiro 是一个功能强大且易于使用的 Java 安全框架,用于处理身份验证、授权、加密和会话管理等核心安全性问题。Shiro 可" } }, { "title": "《从低危未授权到多个系统沦陷:一次市攻防实战记录》", "link": "https://xz.aliyun.com/news/92082", "published": "2026-05-05 04:55:41", "id": "https://xz.aliyun.com/news/92082", "summary": { "@type": "html", "#text": "分享一次在某市攻防演练中的实战记录,通过一个普通的登录页面,最终拿下多个后台系统权限。" } }, { "title": "长城杯 2026 决赛 Shop 题 GLIBC 2.43 Heap 利用与 Tcache 劫持", "link": "https://xz.aliyun.com/news/92081", "published": "2026-05-04 16:10:24", "id": "https://xz.aliyun.com/news/92081", "summary": { "@type": "html", "#text": "本文复现了长城杯 2026 决赛 Shop 题目的解题过程,重点分析了 GLIBC 2.43 版本下堆结构体的逆向还原方法。文章详细阐述了通过伪造 Unsortedbin 泄露基址、利用 Tcache Perthread Struct 偏移缺陷劫持堆块指针以及栈迁移执行 ORW 的技术细节。该案例展" } }, { "title": "php8 首个 bypass disable function漏洞", "link": "https://xz.aliyun.com/news/92079", "published": "2026-05-04 00:38:27", "id": "https://xz.aliyun.com/news/92079", "summary": { "@type": "html", "#text": "php8 首个 bypass disable function漏洞,已武器化为蚁剑插件" } }, { "title": "2026SUCTF SU_LightNovel WriteWp", "link": "https://xz.aliyun.com/news/92078", "published": "2026-05-03 17:36:55", "id": "https://xz.aliyun.com/news/92078", "summary": { "@type": "html", "#text": "2026SUCTF 域流量题目SU_LightNovel解题思路,涉及rpc计划任务流量、ADCS、U2U和TimeRoasting攻击等知识" } }, { "title": "把CC4链拆到字节码:一文看透Java反序列化从PriorityQueue到TemplatesImpl的完整触发路径", "link": "https://xz.aliyun.com/news/92075", "published": "2026-05-03 09:01:50", "id": "https://xz.aliyun.com/news/92075", "summary": { "@type": "html", "#text": "一文看透Java反序列化从PriorityQueue到TemplatesImpl的完整触发路径" } }, { "title": "Hessian 二次反序列化新链从零到一挖掘", "link": "https://xz.aliyun.com/news/92074", "published": "2026-05-02 16:14:25", "id": "https://xz.aliyun.com/news/92074", "summary": { "@type": "html", "#text": "记录一条新的hessian二次反序列化链的完整分析过程" } }, { "title": "Apache Camel JMS 反序列化(CVE-2026-40860)漏洞分析", "link": "https://xz.aliyun.com/news/92073", "published": "2026-05-02 10:15:21", "id": "https://xz.aliyun.com/news/92073", "summary": { "@type": "html", "#text": "Apache Camel JMS 反序列化(CVE-2026-40860)漏洞分析漏洞概述Apache Camel 的核心目标是把各种不同的系统、协议和数据格式“粘合”在一起。它实现了著名的企业集成模式(Enterprise Integration Patterns, EIP),比如拆分消息、聚合消息、动态路由等。受影响版本中,JmsBinding.extractBodyFromJms() 方法在" } }, { "title": "无境靶机 Dawn Breaker WP复盘", "link": "https://xz.aliyun.com/news/92072", "published": "2026-05-02 06:56:31", "id": "https://xz.aliyun.com/news/92072", "summary": { "@type": "html", "#text": "“摘下你黯淡的衰亡,换一束爆燃的火花”" } }, { "title": "如何绕过EDR实现DumpHash", "link": "https://xz.aliyun.com/news/92069", "published": "2026-05-01 10:04:30", "id": "https://xz.aliyun.com/news/92069", "summary": { "@type": "html", "#text": "本文简略的梳理了Windows DumpHash的流程,并通过系统白程序Reg.exe的拓展应用,巧妙的绕过了杀软的拦截点,实现了绕过EDR从而DumpHash的目的,同时根据实际测试,该方法针对Windows系列系统具有有效性,操作难度不大,具有实战价值。" } }, { "title": "【漏洞复现】cPanel&WHM认证绕过漏洞(CVE-2026-41940)分析", "link": "https://xz.aliyun.com/news/92068", "published": "2026-04-30 12:59:03", "id": "https://xz.aliyun.com/news/92068", "summary": { "@type": "html", "#text": "本文详细分析了 cPanel & WHM 认证绕过漏洞(CVE-2026-41940)的原理与复现过程,该漏洞源于系统会话机制未严格过滤换行符(CRLF),未授权攻击者可利用此缺陷,在预认证阶段将伪造的 root 权限标识注入至底层 Session 文件中。随后通过触发缓存提升机制使恶意数据生效,从而直接绕过登录校验,获取WHM 管理员权限。" } }, { "title": "PHP Filter Chain 无文件 RCE分析", "link": "https://xz.aliyun.com/news/92067", "published": "2026-04-30 09:42:33", "id": "https://xz.aliyun.com/news/92067", "summary": { "@type": "html", "#text": "通过精心构造 php://filter 链,在不写入任何文件的前提下,将一个普通的本地文件包含(LFI)漏洞直接升级为远程代码执行(RCE)。" } }, { "title": "红队钓鱼攻击的全链路复盘", "link": "https://xz.aliyun.com/news/92064", "published": "2026-04-30 02:00:53", "id": "https://xz.aliyun.com/news/92064", "summary": { "@type": "html", "#text": "红队钓鱼-前期邮箱搜集、spf绕过、钓鱼环境搭建、钓鱼文件制作" } }, { "title": "面向大模型隐私推理的安全协议-MPC与ZK的角色分工", "link": "https://xz.aliyun.com/news/92061", "published": "2026-04-29 09:37:00", "id": "https://xz.aliyun.com/news/92061", "summary": { "@type": "html", "#text": "面向大模型隐私推理的安全协议-MPC与ZK的角色分工" } }, { "title": "Agentic / Context", "link": "https://xz.aliyun.com/news/92060", "published": "2026-04-29 09:35:42", "id": "https://xz.aliyun.com/news/92060", "summary": { "@type": "html", "#text": "Agentic / Context" } }, { "title": "AI洪流下的防守对抗新范式", "link": "https://xz.aliyun.com/news/92059", "published": "2026-04-29 09:34:25", "id": "https://xz.aliyun.com/news/92059", "summary": { "@type": "html", "#text": "AI洪流下的防守对抗新范式" } }, { "title": "LLM 能帮一个安全工程师干些什么", "link": "https://xz.aliyun.com/news/92058", "published": "2026-04-29 09:33:16", "id": "https://xz.aliyun.com/news/92058", "summary": { "@type": "html", "#text": "LLM 能帮一个安全工程师干些什么" } }, { "title": "从 SMB 到 RDP:一次横向移动攻击链的深度剖析", "link": "https://xz.aliyun.com/news/92057", "published": "2026-04-29 09:30:45", "id": "https://xz.aliyun.com/news/92057", "summary": { "@type": "html", "#text": "在内网攻防对抗中,攻击者常利用 SMB、WinRM 等合法管理协议进行横向移动,并通过 SMB3 和 RDP 等协议的加密特性隐藏恶意行为,给应急响应与威胁溯源带来了巨大挑战。本文以2026软件系统安全赛中的典型内网横向移动流量分析赛题为分析对象,详细梳理了攻击链的完整还原过程。首先,从网络流量中提取 NetNTLMv2 响应并离线破解以获取明文凭据;随后,利用该凭据解密 WinRM 会话,识别并" } }, { "title": "AI For Security:AI在云产品安全建设中能做什么?", "link": "https://xz.aliyun.com/news/92056", "published": "2026-04-29 09:30:38", "id": "https://xz.aliyun.com/news/92056", "summary": { "@type": "html", "#text": "AI For Security:AI在云产品安全建设中能做什么?" } }, { "title": "挖掘某EDR组件滥用", "link": "https://xz.aliyun.com/news/92054", "published": "2026-04-29 08:54:11", "id": "https://xz.aliyun.com/news/92054", "summary": { "@type": "html", "#text": "在某次攻防下遇到的edr环境,对其进行挖掘,发现可以滥用的程序" } }, { "title": "THM-RazorBlack", "link": "https://xz.aliyun.com/news/92052", "published": "2026-04-29 06:49:39", "id": "https://xz.aliyun.com/news/92052", "summary": { "@type": "html", "#text": "THM-RazorBlack-writeup" } }, { "title": "记某涉案Ubuntu服务器镜像的仿真分析", "link": "https://xz.aliyun.com/news/92048", "published": "2026-04-28 12:24:22", "id": "https://xz.aliyun.com/news/92048", "summary": { "@type": "html", "#text": "从initramfs到系统恢复" } }, { "title": "基于AI生成的WinRAR钓鱼网站攻防分析", "link": "https://xz.aliyun.com/news/92047", "published": "2026-04-28 12:20:39", "id": "https://xz.aliyun.com/news/92047", "summary": { "@type": "html", "#text": "钓鱼网站利用AI生成逼真页面、仿冒官方域名排名,诱导用户下载携带恶意载荷的“WinRAR安装包”。" } }, { "title": "从2026数字中国创新大赛数字安全赛道 网络安全 决赛 Bridge题目 入门鸿蒙逆向", "link": "https://xz.aliyun.com/news/92046", "published": "2026-04-28 09:52:51", "id": "https://xz.aliyun.com/news/92046", "summary": { "@type": "html", "#text": "``0解鸿蒙逆向题`` 对于一个没有系统接触过鸿蒙逆向的小白,在线下比赛中做出来确实比较困难,这篇文章从鸿蒙小白的角度 探讨 鸿蒙hap包逆向的完整流程及重点难点\n\n随着HarmonyOS NEXT在2024年底正式商用,纯鸿蒙应用的数量在过去一年多迅速增长,安全研究领域对鸿蒙逆向的需求也随之而来。与Android生态成熟的逆向工具链相比,鸿蒙逆向目前仍处于早期阶段,公开的分析资" } }, { "title": "2026DCIC数字中国创新大赛网安赛道初赛部分题解", "link": "https://xz.aliyun.com/news/92044", "published": "2026-04-28 08:13:41", "id": "https://xz.aliyun.com/news/92044", "summary": { "@type": "html", "#text": "比赛部分题解" } }, { "title": "interactive-process-mcp:让 AI Agent 拥有交互式终端能力", "link": "https://xz.aliyun.com/news/92043", "published": "2026-04-27 14:56:03", "id": "https://xz.aliyun.com/news/92043", "summary": { "@type": "html", "#text": "当我们在终端里工作时,大量操作本质上是多轮交互的过程——SSH 登录服务器需要先输入密码,再执行命令;Python REPL 中逐行调试代码,每一步都依赖上一步的结果;交互式安装程序不时弹出 [Y/n] 提示等待回应。这些场景对人类来说稀松平常,但对于 AI Agent 而言却是一道难题:它们原生只能执行一次性命令,运行完毕立刻返回结果,无法在多个对话轮次中持续地读写同一个进程。\n intera" } }, { "title": "内网渗透靶场之春秋云镜-Brute4Road【详细解析】", "link": "https://xz.aliyun.com/news/92042", "published": "2026-04-27 13:39:36", "id": "https://xz.aliyun.com/news/92042", "summary": { "@type": "html", "#text": "靶标介绍:\nBrute4Road是一套难度为中等的靶场环境,完成该挑战可以帮助玩家了解内网渗透中的代理转发、内网扫描、信息收集、特权提升以及横向移动技术方法,加强对域环境核心认证机制的理解,以及掌握域环境渗透中一些有趣的技术要点。该靶场共有4个flag,分布于不同的靶机。" } }, { "title": "我做了一个用自然语言挖漏洞的 AI 渗透工具:VulnClaw", "link": "https://xz.aliyun.com/news/92040", "published": "2026-04-27 09:36:58", "id": "https://xz.aliyun.com/news/92040", "summary": { "@type": "html", "#text": "记得以前做渗透,信息收集要开一堆工具,漏洞利用要自己找 POC,报告写完一天没了。\n最近写了一个 CLI 工具 VulnClaw,把这个流程串起来了:\n自然语言输入 → AI 理解意图 → MCP 工具链 → 全自动渗透 → 自动出报告。\nGitHub 开源,MIT 协议,欢迎试用。" } }, { "title": "中转钓鱼攻击劫持 opencode,claudecode,openclaw", "link": "https://xz.aliyun.com/news/92038", "published": "2026-04-27 03:34:20", "id": "https://xz.aliyun.com/news/92038", "summary": { "@type": "html", "#text": "通过构造恶意的中转站来劫持 opencode,claudecode,openclaw 从而实现命令执行,乃至于上线 c2" } }, { "title": "2026数字中国创新大赛数字安全赛道 网络安全 决赛 FlagVault", "link": "https://xz.aliyun.com/news/92036", "published": "2026-04-26 12:03:31", "id": "https://xz.aliyun.com/news/92036", "summary": { "@type": "html", "#text": "决赛一共有3个题目有解, 一个misc,两个逆向 ,misc考的是流量分析,逆向考的是 安卓native逆向,和 exe逆向\n这个题目全场12解,也是感受到了CTF 线上和线下的巨大差异,在AI时代,线上貌似谁都可以成为全栈,大家都很浮躁,静下心来学东西的人变少了,线下一脱离ai,就原型毕露了 (当然也包括我),还是想要劝勉一下自己,希望自己不要浮躁,踏实求学" } }, { "title": "Python Class Pollution:从属性覆盖到远程代码执行", "link": "https://xz.aliyun.com/news/92035", "published": "2026-04-26 10:17:16", "id": "https://xz.aliyun.com/news/92035", "summary": { "@type": "html", "#text": "类属性污染实现全局权限提升、__globals__ 劫持覆盖 Flask SECRET_KEY 实现会话伪造、以及全局变量篡改实现 RCE。" } }, { "title": "MazeSec靶机SDL提权部分复盘:探究Linux跨分区移动底层逻辑", "link": "https://xz.aliyun.com/news/92032", "published": "2026-04-26 04:26:53", "id": "https://xz.aliyun.com/news/92032", "summary": { "@type": "html", "#text": "本文深入剖析了一类由安全工具隔离机制引发的非典型特权提升漏洞。文章以 ClamAV 的 clamscan --move 参数为切入点,通过对比 /tmp (tmpfs 独立分区) 与 /home (根分区同设备) 两个不同路径下的文件移动行为,揭示了 Linux 内核系统调用 rename() 在跨分区场景下的 Fallback(降级)机制。" } }, { "title": "谁在用你的带宽赚钱?揭秘你的住宅网络是如何沦为代理节点的", "link": "https://xz.aliyun.com/news/92031", "published": "2026-04-26 03:14:35", "id": "https://xz.aliyun.com/news/92031", "summary": { "@type": "html", "#text": "FlixVision APK 应用。表面上以免费观看电影、电视节目为噱头吸引用户安装,背地里却悄悄占用用户宽带资源,私自搭建隐蔽的网络代理通道。" } }, { "title": "Agent Mitm Hijack", "link": "https://xz.aliyun.com/news/92030", "published": "2026-04-25 14:15:42", "id": "https://xz.aliyun.com/news/92030", "summary": { "@type": "html", "#text": "一种全新的AI Agent攻击方式(或许也不那么新)" } }, { "title": "近期ActiveMQ Jolokia的两个漏洞以及部分历史漏洞分析", "link": "https://xz.aliyun.com/news/92029", "published": "2026-04-25 13:53:32", "id": "https://xz.aliyun.com/news/92029", "summary": { "@type": "html", "#text": "最近ActiveMQ出了两个有关Jolokia的新漏洞,之前都没看过ActiveMQ,借此机会分析一下,顺带把之前的几个重点漏洞也简单分析一遍。" } }, { "title": "AI代码审计工作流实现-从想法到实现自动化日入CVE50+、CNVD若干", "link": "https://xz.aliyun.com/news/92027", "published": "2026-04-24 19:53:47", "id": "https://xz.aliyun.com/news/92027", "summary": { "@type": "html", "#text": "AI代码审计工作流实现-从想法到实现自动化日入CVE50+、CNVD若干" } }, { "title": "记攻防中的钓鱼样本分析", "link": "https://xz.aliyun.com/news/92026", "published": "2026-04-24 15:57:46", "id": "https://xz.aliyun.com/news/92026", "summary": { "@type": "html", "#text": "一次攻防下钓鱼GO木马的详细分析,拿下CS shellcode" } }, { "title": "【漏洞分析】Node-tar Hardlink边界绕过问题深度分析", "link": "https://xz.aliyun.com/news/92025", "published": "2026-04-24 13:40:41", "id": "https://xz.aliyun.com/news/92025", "summary": { "@type": "html", "#text": "以 Node-tar 的 CVE-2026-24842 为例,分析 hardlink path traversal 是如何绕过提取目录边界的,以及在常见业务场景下,如何一步步演变成任意文件读取、文件覆盖,甚至进一步的代码执行风险" } }, { "title": "Linux ELF Shellcode 生成与 Fileless 实战", "link": "https://xz.aliyun.com/news/92022", "published": "2026-04-24 04:05:41", "id": "https://xz.aliyun.com/news/92022", "summary": { "@type": "html", "#text": "Linux ELF Shellcode 生成与 Fileless 实战,通过zigdonut生成Linux下的shellcode" } }, { "title": "Slopsquatting供应链投毒", "link": "https://xz.aliyun.com/news/92021", "published": "2026-04-23 10:59:59", "id": "https://xz.aliyun.com/news/92021", "summary": { "@type": "html", "#text": "Slopsquatting——由 slop(对 AI 低质量输出的俗称)和 squatting(域名/包名抢注)组合而成。大语言模型(LLM)在生成代码时会「幻觉」出实际不存在的第三方包名,而攻击者只需提前在 PyPI、npm 等公共包仓库中注册这些幻觉名称,植入恶意载荷,然后静待开发者按照 AI 的建议执行 pip install。" } }, { "title": "【AI赋能】六阶段AI流水线赋能APP安全分析实战", "link": "https://xz.aliyun.com/news/92020", "published": "2026-04-23 07:15:48", "id": "https://xz.aliyun.com/news/92020", "summary": { "@type": "html", "#text": "面向移动安全分析场景的 6 阶段总控 Skill。用于统一调度 APK 静态侦察、流量与代码对齐、SO/JNI 深度分析、加密与漏洞综合分析、验证设计与报告交付流程。" } }, { "title": "Letta AI 最新版未修复漏洞", "link": "https://xz.aliyun.com/news/92018", "published": "2026-04-23 02:30:13", "id": "https://xz.aliyun.com/news/92018", "summary": { "@type": "html", "#text": "该漏洞允许攻击者通过 REST API 提供了一个 /v1/tools/run端点,利用任意 payload 在目标服务器上执行任意 Python 代码或系统命令。" } }, { "title": "SGLang GGUF 投毒致 RCE 漏洞(CVE-2026-5760)", "link": "https://xz.aliyun.com/news/92017", "published": "2026-04-22 15:45:03", "id": "https://xz.aliyun.com/news/92017", "summary": { "@type": "html", "#text": "该漏洞存在于大模型推理引擎 SGLang 中(影响 v0.5.9 及以下版本)。其核心逻辑非常直接:SGLang 在处理 /v1/rerank 请求时,会读取 GGUF 模型文件中的 tokenizer.chat_template 字段,并将其放入一个无沙箱限制的 Jinja2 环境中进行渲染。" } }, { "title": "结合代码分析CVE-2026-33439 OpenAM 反序列化漏洞", "link": "https://xz.aliyun.com/news/92015", "published": "2026-04-22 09:58:37", "id": "https://xz.aliyun.com/news/92015", "summary": { "@type": "html", "#text": "结合代码分析CVE-2026-33439 OpenAM 反序列化漏洞" } }, { "title": "js原型链污染原理及绕过", "link": "https://xz.aliyun.com/news/92013", "published": "2026-04-22 08:12:46", "id": "https://xz.aliyun.com/news/92013", "summary": { "@type": "html", "#text": "一文讲明js原型链污染原理及概念误区,包含常见绕过思路" } }, { "title": "用魔法打败魔法:自动化越狱提示词的生成", "link": "https://xz.aliyun.com/news/92012", "published": "2026-04-22 05:59:52", "id": "https://xz.aliyun.com/news/92012", "summary": { "@type": "html", "#text": "自动化越狱提示词的生成" } }, { "title": "qemu虚拟化逃逸", "link": "https://xz.aliyun.com/news/92009", "published": "2026-04-22 02:59:17", "id": "https://xz.aliyun.com/news/92009", "summary": { "@type": "html", "#text": "第一次做这种类型的,大体记录一下过程" } }, { "title": "2025ccb决赛interpreter", "link": "https://xz.aliyun.com/news/92004", "published": "2026-04-21 02:20:53", "id": "https://xz.aliyun.com/news/92004", "summary": { "@type": "html", "#text": "一个自定义的序列化的题目" } }, { "title": "在野利用CVE-2026-34621漏洞PDF样本深度分析", "link": "https://xz.aliyun.com/news/92003", "published": "2026-04-20 15:59:55", "id": "https://xz.aliyun.com/news/92003", "summary": { "@type": "html", "#text": "模拟构建漏洞 PDF 响应载荷后发现,该载荷可异常驻留并嵌入 Adobe Acrobat Reader 内部,即便关闭 PDF、重启软件乃至操作系统,仍能持续触发恶意代码执行。" } }, { "title": "2025ciscn决赛ez_orw", "link": "https://xz.aliyun.com/news/92001", "published": "2026-04-20 11:41:59", "id": "https://xz.aliyun.com/news/92001", "summary": { "@type": "html", "#text": "这个题目考了花指令,魔改rc4,protobuf,纯字符shellcode,考的很多,这里借此简单的总结一下各个部分" } }, { "title": "2026软件安全赛半决赛PWN Robo_admin WP fix&break", "link": "https://xz.aliyun.com/news/91999", "published": "2026-04-19 14:33:20", "id": "https://xz.aliyun.com/news/91999", "summary": { "@type": "html", "#text": "2026软件安全赛半决赛PWN Robo_admin WP fix&break" } }, { "title": "软件系统安全赛2026分区赛 Web NodeJs", "link": "https://xz.aliyun.com/news/91998", "published": "2026-04-19 13:29:29", "id": "https://xz.aliyun.com/news/91998", "summary": { "@type": "html", "#text": "该文章介绍了一道 Node.js CTF 题目的解题思路:攻击者首先利用 /changepassword 接口的 merge() 函数原型链污染漏洞,注入 isAdmin: true 提权为管理员;随后通过 CVE-2026-22709 绕过 vm2 沙箱执行任意命令;最后利用 root 权限的 /backup.sh 定时脚本,将 /flag 内容写入静态目录实现读取。核心链:原型污染提权 → v" } }, { "title": "记edusrc的几个未授权案例的挖掘", "link": "https://xz.aliyun.com/news/91997", "published": "2026-04-19 11:13:32", "id": "https://xz.aliyun.com/news/91997", "summary": { "@type": "html", "#text": "在遇到vue框架的时候,使用相关插件进行接口相关的测试,往往更容易找到突破口。" } }, { "title": "PWN核心利用手法归纳总结", "link": "https://xz.aliyun.com/news/91995", "published": "2026-04-19 01:46:34", "id": "https://xz.aliyun.com/news/91995", "summary": { "@type": "html", "#text": "结合简单模型实验,直指漏洞利用" } }, { "title": "CVE-2026-1207: Django raster lookups on PostGIS SQL注入漏洞", "link": "https://xz.aliyun.com/news/91993", "published": "2026-04-18 16:32:36", "id": "https://xz.aliyun.com/news/91993", "summary": { "@type": "html", "#text": "Django 框架在使用 PostGIS 查询地理栅格(raster)数据时,若将未经验证的用户输入直接作为 band index(波段索引)参数,会引发 SQL 注入" } }, { "title": "b01lers CTF 2026 wp", "link": "https://xz.aliyun.com/news/91991", "published": "2026-04-18 07:42:41", "id": "https://xz.aliyun.com/news/91991", "summary": { "@type": "html", "#text": "https://b01lersc.tf/challenges" } }, { "title": "利用Linux io_uring子系统绕过安全监控机制", "link": "https://xz.aliyun.com/news/91990", "published": "2026-04-18 06:20:16", "id": "https://xz.aliyun.com/news/91990", "summary": { "@type": "html", "#text": "io_uring是Linux 5.1引入的高性能异步I/O框架,通过共享内存环形缓冲区实现用户态与内核态的零拷贝通信。" } }, { "title": "从签名绕过到密钥伪造——JWT认证机制的五条攻击路径", "link": "https://xz.aliyun.com/news/91989", "published": "2026-04-18 04:15:29", "id": "https://xz.aliyun.com/news/91989", "summary": { "@type": "html", "#text": "一次简单的小实验,文末有项目附件,欢迎交流!" } }, { "title": "上手实测阿里的大模型围栏:我发现了这些问题...", "link": "https://xz.aliyun.com/news/91987", "published": "2026-04-17 13:31:19", "id": "https://xz.aliyun.com/news/91987", "summary": { "@type": "html", "#text": "本文详细评估了阿里 AAIG 开源的独立大模型安全围栏 YuFeng-XGuard 的防御能力、核心优势以及现存的软肋" } }, { "title": "AI 安全攻防实战:从对抗攻击到隐私泄露", "link": "https://xz.aliyun.com/news/91984", "published": "2026-04-17 05:12:43", "id": "https://xz.aliyun.com/news/91984", "summary": { "@type": "html", "#text": "本文聚焦于深度神经网络的全生命周期安全,系统性地剖析了人工智能模型在推理、训练及隐私保护三大环节面临的威胁。文章首先从理论层面定义了攻击面,随后结合经典例题,深入阐述了对抗样本的扰动生成机理、数据投毒的后门植入逻辑以及梯度泄露的隐私复原数学原理" } }, { "title": "抢先加入AI时代顶尖安全团队!阿里云2027届实习生招聘来了!", "link": "https://xz.aliyun.com/news/91981", "published": "2026-04-16 08:21:37", "id": "https://xz.aliyun.com/news/91981", "summary": { "@type": "html", "#text": "抢先加入AI时代顶尖安全团队!阿里云2027届实习生招聘来了!" } }, { "title": "Tomcat Tribes 分布式通信节点反序列化分析", "link": "https://xz.aliyun.com/news/91980", "published": "2026-04-16 08:00:33", "id": "https://xz.aliyun.com/news/91980", "summary": { "@type": "html", "#text": "Tomcat Tribes 分布式通信节点反序列化分析" } }, { "title": "穿透静态检测:EDR对抗技术的分层实现", "link": "https://xz.aliyun.com/news/91978", "published": "2026-04-15 14:15:09", "id": "https://xz.aliyun.com/news/91978", "summary": { "@type": "html", "#text": "EDR 对抗技术的分层拆解" } }, { "title": "2026CISCN半决赛minidb详解", "link": "https://xz.aliyun.com/news/91977", "published": "2026-04-15 13:23:46", "id": "https://xz.aliyun.com/news/91977", "summary": { "@type": "html", "#text": "第一次做数据库类型的heap,和常规的heap从利用和调试上都差距很多,网上都是打heap,这里通过连续伪造打的stack" } }, { "title": "基于ptrace与/proc/mem的Linux无文件进程注入:攻击实现与内存取证检测", "link": "https://xz.aliyun.com/news/91971", "published": "2026-04-15 03:27:52", "id": "https://xz.aliyun.com/news/91971", "summary": { "@type": "html", "#text": "如何在不向磁盘写入任何文件的前提下,将payload注入到一个已有的合法进程中长期驻留?\n这不是一个新问题。Windows平台上的进程注入技术(CreateRemoteThread、APC Injection、Process Hollowing)已经被研究得相当充分,MITRE ATT&CK的T1055条目下列出了十余种子技术。但Linux侧的讨论往往停留在LD_PRELOAD这类启动时劫持手段," } }, { "title": "致远V7.0SP3历史漏洞分析", "link": "https://xz.aliyun.com/news/91970", "published": "2026-04-15 02:46:55", "id": "https://xz.aliyun.com/news/91970", "summary": { "@type": "html", "#text": "致远V7.0SP3基于seeyonreport(帆软报表v9)的历史漏洞分析" } }, { "title": "House of storm学习", "link": "https://xz.aliyun.com/news/91969", "published": "2026-04-14 12:53:36", "id": "https://xz.aliyun.com/news/91969", "summary": { "@type": "html", "#text": "遇到一个只有这个手法才能解决的题目,结合源码理解一下这个题目,顺便总结一下堆所学的知识" } }, { "title": "2026ciscn半决赛", "link": "https://xz.aliyun.com/news/91968", "published": "2026-04-14 12:26:39", "id": "https://xz.aliyun.com/news/91968", "summary": { "@type": "html", "#text": "赛场时候的做题" } }, { "title": "红队基础设施建设--重定向器", "link": "https://xz.aliyun.com/news/91967", "published": "2026-04-14 09:46:07", "id": "https://xz.aliyun.com/news/91967", "summary": { "@type": "html", "#text": "红队基础设施建设--重定向器" } }, { "title": "2026数字中国pwn", "link": "https://xz.aliyun.com/news/91966", "published": "2026-04-14 08:43:26", "id": "https://xz.aliyun.com/news/91966", "summary": { "@type": "html", "#text": "第二个零解题确实做不出来,8字节任意地址写没有泄露的ioctl支持解决不了" } }, { "title": "Langflow 1.8.3 CodeParser eval() —RCE漏洞分析+POC", "link": "https://xz.aliyun.com/news/91965", "published": "2026-04-14 07:59:50", "id": "https://xz.aliyun.com/news/91965", "summary": { "@type": "html", "#text": "小0day;CodeParser.parse_callable_details() 方法在解析函数的返回类型注解时,将注解字符串通过 ast.unparse() 提取后直接传递给 eval() 执行。" } }, { "title": "2026数字中国创新大赛网络安全赛道部分wp", "link": "https://xz.aliyun.com/news/91964", "published": "2026-04-14 02:39:29", "id": "https://xz.aliyun.com/news/91964", "summary": { "@type": "html", "#text": "本文是有关2026数字中国创新大赛网络安全赛道(北京赛区)部分wp" } }, { "title": "契约锁电子签章系统登录接口组合漏洞挖掘", "link": "https://xz.aliyun.com/news/91963", "published": "2026-04-13 15:10:33", "id": "https://xz.aliyun.com/news/91963", "summary": { "@type": "html", "#text": "在契约锁电子签章系统的安全审计中,通过分析官方补丁包发现一处逻辑漏洞:短信验证码校验可被绕过,导致任意用户注册。尽管登录环节设置了短信验证码及多项参数校验,但由于短信发送条件判断存在歧义,且注册与登录流程过度耦合,形成了一条完整的攻击路径。" } }, { "title": "告别正则堆砌:一种基于信息熵与词汇占比的 JS 硬编码高精度发现方案", "link": "https://xz.aliyun.com/news/91962", "published": "2026-04-13 14:52:10", "id": "https://xz.aliyun.com/news/91962", "summary": { "@type": "html", "#text": "基于多维度统计特征的轻量级硬编码密钥检测算法,通过归一化香农熵、语义占比及动态阈值策略,在不依赖外部模型与网络的前提下,实现前端代码中敏感信息的高召回识别。" } }, { "title": "UDS诊断服务滥用实现CAN总线完全接管", "link": "https://xz.aliyun.com/news/91961", "published": "2026-04-13 08:55:52", "id": "https://xz.aliyun.com/news/91961", "summary": { "@type": "html", "#text": "笔者将从协议原理出发,分析UDS诊断服务的设计缺陷,完整复现从\"被动监听\"到\"主动控车\"的攻击链路,并探讨车载网络安全的防御方案。" } }, { "title": "记录如何通过内存镜像提取微信密钥并解密数据库", "link": "https://xz.aliyun.com/news/91960", "published": "2026-04-13 06:53:25", "id": "https://xz.aliyun.com/news/91960", "summary": { "@type": "html", "#text": "平航杯2026-内存取证,古法处理内存镜像,提取微信4.x最新版本的key+salt,并解密加密数据库" } }, { "title": "AWD古剑山线下PWN全解", "link": "https://xz.aliyun.com/news/91959", "published": "2026-04-13 02:39:37", "id": "https://xz.aliyun.com/news/91959", "summary": { "@type": "html", "#text": "heap是赛后复现,2.23太长时间没有做已经是很生疏了" } }, { "title": "2026数字中国网络和数据安全积分争夺团队赛--数据安全赛道writeup", "link": "https://xz.aliyun.com/news/91956", "published": "2026-04-12 12:54:35", "id": "https://xz.aliyun.com/news/91956", "summary": { "@type": "html", "#text": "https://www.dcic-china.com/competitions/10214" } }, { "title": "记一次同一单位的两个小程序唇齿相依的危害", "link": "https://xz.aliyun.com/news/91952", "published": "2026-04-12 05:13:57", "id": "https://xz.aliyun.com/news/91952", "summary": { "@type": "html", "#text": "本文章均来自本人实战" } } ]