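Web Security Handbook

Sharing is a joy in itself. I am happy when others are helped.

[Pinned] What a tragedy

[Pinned] Technical challenge game

[Pinned] Disclaimer & article submissions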

SQLiHelper 2.6 Injector and Dumper for MYSQL & ( added MSSQL support )

sorry for the NO update, but got time last weekend and tried out the ODBC convert sql injection exploit for MSSQL and implemented it on sqli helper. easy to spot exploitable page, just add a quote, if you get “Microsoft OLE DB Provider for SQL Server error ‘80040e07’” then it's exploitable

Fixing nmap scan errors on Windows

Using NMAP to Perform Scanning Through VPN

Trend Micro Internet Security Pro 2009 Privilege Escalation PoC

The vulnerability is caused due to the IOCTL handler of the "tmactmon.sys"
driver improperly processing user space parameters. This exploit executes
arbitrary code in kernel space via a specially crafted IOCTL.
 

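Rootkits in web applications

There is no doubt that the web has been a hot topic in recent years. All kinds of services are moving online, and users' sensitive information is no longer stored only on their own computers but increasingly in service providers' databases. Users do not need to spend local resources on storing and processing this data; they only need a terminal to access and use it, and such a terminal often requires nothing more than a browser and a modest connection speed. There are many such services; a very typical example is webmail, where opening a browser is all a user needs to send and receive mail and to contact friends or customers.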
 

Paper: "Tracking GhostNet: Investigating a Cyber Espionage Network"

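"GhostNet" came to light because the Dalai Lama's office suspected its computers had been compromised and asked computer security experts to examine them. The Munk Center for International Studies at the University of Toronto found that malware had been covertly planted on computers of the Dalai Lama's government-in-exile in India and of its offices in Brussels, London and New York. The related investigation, which lasted 10 months, also uncovered broader electronic espionage activity, and the researchers have notified international judicial authorities of their findings.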

phpass_crack: Simple tool for cracking Wordpress hashes

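#Trace: Newer versions of WordPress and phpbb have dropped md5 and now use phpass for hashing (as have some other open-source web applications). DarkC0de previously released a phpass.py, which cracks using a dictionary, and this Phpass_Crack does the same. The latest version of PasswordsPro from the official download also supports cracking phpass, with dictionary attack, brute force and other modes to choose from (select the md5(phpbb3) module).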

Exploiting Unicode-enabled Software slides from CanSecWest and SOURCE

I’m putting my slides online from recent talks at CanSecWest and SOURCE Boston. I have some plans to get a micro-attack-database of useful Unicode characters online soon. The idea is to compress the massive Unicode database into just the characters we’re interested in as testers - ones that can manipulate casing operations, normalization routines, best-fits and other categories to produce useful inputs for fuzzing, web-testing, and visual effects.

Weblogic 0day - JSESSIONID cookie value overflow

Metasploit has been updated. 0day, bumping this.
 

Webmail bug puts 40m accounts in jeopardy

A web-borne vulnerability lurking in a popular email application seriously compromised the security of 40 million accounts until it was fixed early last month, independent researchers said.

A simple iGuard bypass

InfoGuard, iGuard for short, is commonly known as a web page file tamper-protection tool.

Metasploit3 Postgres On Windows

#Trace: A tutorial on automated penetration testing with MSF (Metasploit) on Windows.

XSS Rays

I’ve developed a new XSS scanner tool that’s written in Javascript called XSS Rays for Microsoft. They have given me permission to release the tool as open source which is awesome because it can be used for other open source applications. I recommend you use it as part of the web development process to make sure you’ve filtered XSS correctly on your application.

ECShop injection vulnerability

by Ryat
http://bbs.wolvez.org
2009-03-24

Affects 2.5.x and 2.6.x; other versions untested.

FreeBSD 7.0/7.1 (ktimer) Local Kernel Root Exploit

Watcher security tool: a free web-app security testing and compliance auditing tool

I announced Watcher at CanSecWest and I’m happy to say IE8 Security Program Manager and Fiddler author Eric Lawrence also announced it at MIX09 yesterday. Check out his talk at http://videos.visitmix.com/MIX09/T54F it’s an eye opener for Web developers - introducing us to the new features of IE8 while also covering state-of-the-art secure development practices for today’s Web applications.

Copyright 2008-2009 Pcsec.org. Some Rights Reserved. 苏ICP备08110306号