├── .gitattributes
├── .gitignore
├── README.md
├── SUMMARY.md
├── zsxq.png
└── zsxq_ldgf.png

/.gitattributes:
--------------------------------------------------------------------------------
*.md linguist-language=HTML
--------------------------------------------------------------------------------

/.gitignore:
--------------------------------------------------------------------------------
# Node rules:
## Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
.grunt

## Dependency directory
## Commenting this out is preferred by some people, see
## https://docs.npmjs.com/misc/faq#should-i-check-my-node_modules-folder-into-git
node_modules

# Book build output
_book

# eBook build output
*.epub
*.mobi
*.pdf
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# [Web-Security-Learning](https://chybeta.github.io/2017/08/19/Web-Security-Learning/)

Project: https://github.com/CHYbeta/Web-Security-Learning

Zhishixingqiu (Knowledge Planet) group [Vulnerability Attack and Defense]: https://t.zsxq.com/mm2zBeq

![](zsxq.png)

Contents:
- [Web-Security-Learning](#web-security-learning)
  - [Web Security](#web-security)
    - [SQL injection](#sql-injection)
      - [MySQL](#mysql)
      - [MSSQL](#mssql)
      - [PostgreSQL](#postgresql)
      - [MongoDB](#mongodb)
      - [Tips](#tips)
      - [Tools](#tools)
    - [XSS](#xss)
    - [CSRF](#csrf)
    - [Other front-end security](#other-front-end-security)
    - [SSRF](#ssrf)
    - [XXE](#xxe)
    - [JSONP injection](#jsonp-injection)
    - [SSTI](#ssti)
    - [Code execution / command execution](#code-execution--command-execution)
    - [File inclusion](#file-inclusion)
    - [File upload / parsing vulnerabilities](#file-upload--parsing-vulnerabilities)
    - [Logic vulnerabilities](#logic-vulnerabilities)
    - [Unauthorized access / information disclosure](#unauthorized-access--information-disclosure)
      - [Redis](#redis)
    - [RPO (relative path overwrite)](#rpo-relative-path-overwrite)
    - [Web Cache](#web-cache)
    - [PHP-related](#php-related)
      - [Weak typing](#weak-typing)
      - [Random number issues](#random-number-issues)
      - [Pseudo-protocols (PHP wrappers)](#pseudo-protocols-php-wrappers)
      - [Serialization](#serialization)
      - [PHP mail header injection](#php-mail-header-injection)
      - [Other](#other)
      - [PHP code audit](#php-code-audit)
    - [Java Web](#java-web)
      - [Deserialization](#deserialization)
      - [Struts2](#struts2)
      - [Java Web code audit](#java-web-code-audit)
      - [Other](#other-1)
    - [Python Web](#python-web)
    - [Node.js](#nodejs)
    - [WAF-related](#waf-related)
  - [Penetration testing](#penetration-testing)
    - [Course](#course)
    - [Information gathering](#information-gathering)
    - [Penetration](#penetration)
    - [Penetration in practice](#penetration-in-practice)
    - [Privilege escalation](#privilege-escalation)
    - [Penetration tips](#penetration-tips)
    - [Operations](#operations)
    - [DDOS](#ddos)
  - [CTF](#ctf)
    - [Tips summary](#tips-summary)
    - [Miscellaneous](#miscellaneous)

# Web Security

## SQL injection

### MySQL
+ [MySQL false injection and summary of techniques](https://www.anquanke.com/post/id/86021)
+ [MySQL injection attacks and defenses](https://www.anquanke.com/post/id/85936)
+ [A summary of learning SQL injection](https://mp.weixin.qq.com/s?__biz=MzI5MDQ2NjExOQ==&mid=2247484372&idx=1&sn=ffcc51a88c9acf96c312421b75fc2a26&chksm=ec1e33fcdb69baea53838fd545a236c0deb8a42f3b341ee0879c9e4ac9427c2147fab95b6669#rd)
+ [Several approaches to SQL injection defense and bypass](https://www.anquanke.com/post/id/86005)
+ [Obscure MySQL tricks](http://rcoil.me/2017/05/MySQL%E5%81%8F%E9%97%A8%E6%8A%80%E5%B7%A7/)
+ [Extracting table, column and database names via error-based MySQL injection](http://www.wupco.cn/?p=4117)
+ [Advanced SQL injection: obfuscation and bypass](http://www.cnblogs.com/croot/p/3450262.html)
+ [MySQL constraint attacks](https://ch1st.github.io/2017/10/19/Mysql%E7%BA%A6%E6%9D%9F%E6%94%BB%E5%87%BB/)
+ [Summary of MySQL database penetration and exploitation](https://xianzhi.aliyun.com/forum/topic/1491/)
+ [Practical techniques for bypassing WAFs with MySQL](http://www.freebuf.com/articles/web/155570.html)
+ [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/)
+ [Lesser-known SQL injection tricks](http://www.freebuf.com/articles/web/155876.html)
+ [Three ways to speed up time-based blind injection in MySQL](https://www.ch1st.cn/?p=44)
+ [Efficient time-based blind SQL injection using MySQL bitwise operators](https://xz.aliyun.com/t/3054)
+ [Mysql UDF BackDoor](https://xz.aliyun.com/t/2365)
+ [Blind MySQL injection when parentheses are filtered](https://www.th1s.cn/index.php/2018/02/26/213.html)
+ [SSRF To RCE in MySQL](http://docs.ioin.in/writeup/mp.weixin.qq.com/49ca504e-3b31-40ac-8591-f833086cb588/index.html)
+ [A brief analysis of MySQL blind injection](http://rcoil.me/2017/11/MySQL-%E7%9B%B2%E6%B3%A8%E6%B5%85%E6%9E%90/)
+ [MySQL character-encoding exploitation tricks](https://www.leavesongs.com/PENETRATION/mysql-charset-trick.html)
+ [MySQL Injection in Update, Insert and Delete](https://osandamalith.com/2017/02/08/mysql-injection-in-update-insert-and-delete/)

### MSSQL
+ [Getting a webshell from MSSQL DBA privileges](http://fuping.site/2017/05/16/MSSQL-DBA-Permission-GET-WEBSHELL/)
+ [MSSQL injection attacks and defenses](https://www.anquanke.com/post/id/86011)
+ [Analysis of CLR exploitation techniques in SQL Server](http://docs.ioin.in/writeup/cert.360.cn/_files_CLR_E5_9C_A8SQL_20Server_E4_B8_AD_E7_9A_84_E5_88_A9_E7_94_A8_E6_8A_80_E6_9C_AF_E5_88_86_E6_9E_90_pdf/index.pdf)
+ [Two ways to execute commands and get output in MSSQL without xp_cmdshell](https://zhuanlan.zhihu.com/p/33322584)

### PostgreSQL
+ [Ways of exploiting PostgreSQL databases](https://mp.weixin.qq.com/s?__biz=MzI5MDQ2NjExOQ==&mid=2247484788&idx=1&sn=8a53b1c64d864cd01bab095d97a17715&chksm=ec1e355cdb69bc4a2535bc1a053bfde3ec1838d03936ba8e44156818e91bbec9b5b04a744005#rd)
+ [PostgreSQL penetration testing guide](https://www.anquanke.com/post/id/86468)
+ [Getting a shell via PostgreSQL during penetration testing](http://www.jianfensec.com/postgresql_getshell.html)

### MongoDB
+ [Understand MongoDB attack and defense in ten minutes](http://www.freebuf.com/articles/database/148823.html)
+ [MongoDB security: PHP injection detection](http://www.mottoin.com/94341.html)
+ [Tech share: how to hack MongoDB?](https://www.freebuf.com/articles/network/101494.html)
+ [MongoDB security: injection attacks in PHP](https://www.anquanke.com/post/id/84009)
+ [Case study of a MongoDB injection attack](https://www.freebuf.com/articles/web/106085.html)

### Tips
+ [My way of WAF bypass (SQL injection)](https://xz.aliyun.com/t/368)
+ [Bypassing 360 Host Guard SQL injection protection](http://www.cnblogs.com/xiaozi/p/7275134.html)
+ [Notes on unusual SQL injection tricks](https://mp.weixin.qq.com/s/ORsciwsBGQJhFdKqceprSw)
+ [Lessons learned about SQL injection in CTF competitions](http://www.freebuf.com/articles/web/137094.html)
+ [How to bypass libinjection in WAF/NGWAF for SQL injection](http://bobao.360.cn/learning/detail/3855.html)
+ [HackMe-SQL-Injection-Challenges](https://github.com/breakthenet/HackMe-SQL-Injection-Challenges)
+ [Injection that bypasses WAFs](https://bbs.ichunqiu.com/thread-25397-1-1.html?from=sec)
+ [Ideas for bypassing GET and POST injection defenses](https://bbs.ichunqiu.com/thread-16134-1-1.html?from=sec)
+ [Standard approaches and odd tricks for SQL injection](https://mp.weixin.qq.com/s/hBkJ1M6LRgssNyQyati1ng)
+ [Beyond SQLi: Obfuscate and Bypass](https://www.exploit-db.com/papers/17934/)
+ [Using DNSlog in SQL injection in practice](https://www.anquanke.com/post/id/98096)
+ [SQL injection: bypassing CSRF tokens with Python CGIHTTPServer](https://www.anquanke.com/post/id/87022)
+ [Bypassing D-Shield IIS firewall SQL injection protection (multiple methods)](https://xz.aliyun.com/t/40)

### Tools
+ [How well do you know sqlmap's built-in tamper scripts?](https://mp.weixin.qq.com/s/vEEoMacmETUA4yZODY8xMQ)
+ [Using sqlmap: the built-in tamper bypass scripts](https://xz.aliyun.com/t/2746)
+ [Using Burp macros and sqlmap to bypass CSRF protection for SQL injection](http://bobao.360.cn/learning/detail/3557.html)
+ [sqlmap usage summary](http://www.zerokeeper.com/web-security/sqlmap-usage-summary.html)
+ [Annotated sqlmap tamper scripts](http://www.lengbaikai.net/?p=110)
+ [Second-order SQL injection with Burp and a custom sqlmap tamper](http://www.4hou.com/system/6945.html)
+ [sqlmap testing of JSON-format requests](https://xz.aliyun.com/t/1091)
+ [Notes on a sqlmap usage manual (part 1)](https://xz.aliyun.com/t/3010)
+ [Notes on a sqlmap usage manual (part 2)](https://xz.aliyun.com/t/3011)

## XSS
+ [A discussion of same-origin policy attack and defense](https://www.anquanke.com/post/id/86078)
+ [Revisiting the same-origin policy](https://lightless.me/archives/review-SOP.html)
+ [Summary of cross-origin methods](https://xz.aliyun.com/t/224)
+ [Front-end security series (1): how to prevent XSS attacks?](https://segmentfault.com/a/1190000016551188)
+ [A brief discussion of cross-site scripting attacks and defenses](http://thief.one/2017/05/31/1/)
+ [The art of XSS: introduction and primer](http://www.fooying.com/the-art-of-xss-1-introduction/)
+ [DOMXSS Wiki](https://github.com/wisec/domxsswiki/wiki)
+ [XSS Bypass Cookbook](https://xz.aliyun.com/t/311)
+ [Content Security Policy beginner's tutorial](https://jaq.alibaba.com/community/art/show?spm=a313e.7916646.24000001.49.ZP8rXN&articleid=518)
+ [From Swiss army knife to Transformers: expanding the XSS attack surface](https://xz.aliyun.com/t/96)
+ [Front-end defense from beginner to giving up: the evolution of CSP](https://paper.seebug.org/423/)
+ [Some interesting ideas under strict CSP (34c3 CTF)](http://www.melodia.pw/?p=935)
+ [Bypassing CSP using polyglot JPEGs](http://blog.portswigger.net/2016/12/bypassing-csp-using-polyglot-jpegs.html)
+ [Bypass unsafe-inline mode CSP](http://paper.seebug.org/91/)
+ [Chrome XSS Auditor – SVG Bypass](https://brutelogic.com.br/blog/chrome-xss-auditor-svg-bypass/)
+ [Cross site scripting payload for fuzzing](https://xianzhi.aliyun.com/forum/read/1704.html)
+ [XSS Without Dots](https://markitzeroday.com/character-restrictions/xss/2017/07/26/xss-without-dots.html)
+ [Alternative to Javascript Pseudo-Protocol](http://brutelogic.com.br/blog/alternative-javascript-pseudo-protocol/)
+ [Exploring uncommon XSS exploitation](http://docs.ioin.in/writeup/wps2015.org/_2016_06_27__E4_B8_8D_E5_B8_B8_E8_A7_81_E7_9A_84xss_E5_88_A9_E7_94_A8_E6_8E_A2_E7_B4_A2_/index.html)
+ [Alternative ways to play with XSS](https://bbs.ichunqiu.com/thread-25578-1-1.html?from=sec)
+ [XSS disguise: encoding obfuscation bypasses and writing helper scripts](https://bbs.ichunqiu.com/thread-17500-1-1.html?from=sec)
+ [Xssing Web With Unicodes](http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html)
+ [Electron hack: cross-platform XSS](https://mp.weixin.qq.com/s?__biz=MzU2NjE2NjIxNg==&mid=2247483756&idx=1&sn=96ae19e53426d5088718b6d37996e700&source=41#wechat_redirect)
+ [XSS without HTML: Client-Side Template Injection with AngularJS](http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html)
+ [Modern Alchemy: Turning XSS into RCE](https://blog.doyensec.com/2017/08/03/electron-framework-security.html)
+ [Xianzhi XSS challenge: L3m0n writeup](https://xz.aliyun.com/t/83)
+ [SheepSec: 7 Reflected Cross-site Scripting (XSS) Examples](http://sheepsec.com/blog/7-reflected-xss.html)
+ [Browser's XSS Filter Bypass Cheat Sheet](https://github.com/masatokinugawa/filterbypass/wiki/Browser's-XSS-Filter-Bypass-Cheat-Sheet)
+ [Clever uses of JavaScript to bypass XSS filters](https://www.anquanke.com/post/id/86849)

## CSRF
+ [Wiping Out CSRF](https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f)
+ [CSRF attacks and defenses](https://www.cnblogs.com/phpstudy2015-6/p/6771239.html)
+ [Explaining CSRF impact and defenses with code](https://bbs.ichunqiu.com/thread-24127-1-1.html?from=sec)
+ [Shortcomings of, and reflections on, cookie-form CSRF defenses](https://www.leavesongs.com/PENETRATION/think-about-cookie-form-csrf-protected.html)
+ [Some thoughts on JSON CSRF](https://mp.weixin.qq.com/s?__biz=MzIzMTc1MjExOQ==&mid=2247484126&idx=1&sn=f437882b19bed8d99d0a00938accc0c8&chksm=e89e2a06dfe9a310506419467ada63bee80f10c32267d0b11ea7d1f5491c5afdb344c5dac74e&mpshare=1&scene=23&srcid=0614BOCQBHPjaS2IOtADI3PP#rd)
+ [Exploiting JSON Cross Site Request Forgery (CSRF) using Flash](http://www.geekboy.ninja/blog/exploiting-json-cross-site-request-forgery-csrf-using-flash/)
+ [A brief discussion of the session mechanism and CSRF attack and defense](https://mp.weixin.qq.com/s/aID_N9bgq91EM26qVSVBXw)
+ [Fancy tricks for bypassing Referer checks in CSRF](https://www.ohlinge.cn/web/csrf_referer.html)
+ [CSRF techniques from major SRC programs](http://www.freebuf.com/column/151816.html)
+ [White-hat bug hunting: cross-site request forgery (CSRF)](http://www.freebuf.com/column/153543.html)
+ [Read-type CSRF: content hijacking that requires interaction](https://bbs.ichunqiu.com/thread-36314-1-1.html)

## Other front-end security
+ [The magic tags in HTML that close first](https://mp.weixin.qq.com/s?__biz=MzA4MDA1NDE3Mw==&mid=2647715481&idx=1&sn=a4d930d5a944a5a6c0361a3c6c57d3d5)
+ [JavaScript Dangerous Functions (Part 1) - HTML Manipulation](http://blog.blueclosure.com/2017/09/javascript-dangerous-functions-part-1.html)
+ [Expanding the attack surface of the Safari local file read vulnerability](http://www.wupco.cn/?p=4134)
+ [Attacking ReactJS applications with script injection vulnerabilities](http://www.freebuf.com/articles/web/144988.html)
+ [JSON hijacking techniques on the modern web](http://paper.seebug.org/130/?from=timeline&isappinstalled=0)
+ [Front-end code security as seen from WeChat mini-programs](https://share.whuboy.com/weapp.html)

## SSRF
+ [SSRF (server-side request forgery) testing resources](https://paper.seebug.org/393/)
+ [Build Your SSRF Exploit Framework SSRF](http://docs.ioin.in/writeup/fuzz.wuyun.org/_src_build_your_ssrf_exp_autowork_pdf/index.pdf)
+ [Analysis of SSRF attack examples](http://www.freebuf.com/articles/web/20407.html)
+ [SSRF vulnerability analysis and exploitation](http://www.4o4notfound.org/index.php/archives/33/)
+ [Experience hunting SSRF vulnerabilities](https://www.secpulse.com/archives/4747.html)
+ [Exploiting and learning about SSRF vulnerabilities](http://uknowsec.cn/posts/notes/SSRF%E6%BC%8F%E6%B4%9E%E7%9A%84%E5%88%A9%E7%94%A8%E4%B8%8E%E5%AD%A6%E4%B9%A0.html)
+ [Summary of methods for bypassing IP restrictions in SSRF](http://www.freebuf.com/articles/web/135342.html)
+ [What is Server Side Request Forgery (SSRF)?](https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/)
+ [Use DNS Rebinding to Bypass SSRF in Java](https://mp.weixin.qq.com/s?__biz=MzIzOTQ5NjUzOQ==&mid=2247483742&idx=1&sn=e7265d5351a6d9ed30d90be1c17be041)
+ [SSRF in JAVA](https://xz.aliyun.com/t/206)
+ [Bypassing SSRF/proxy IP restrictions with DNS rebinding](http://www.mottoin.com/95734.html)
+ [SSRF Tips](http://blog.safebuff.com/2016/07/03/SSRF-Tips/)
+ [SSRF caused by SOAP](https://xz.aliyun.com/t/2960)
+ [SSRF: CVE-2017-9993 FFmpeg + AVI + HLS](https://hackmd.io/p/H1B9zOg_W#)
+ [SSRF attacks via request splitting](https://xz.aliyun.com/t/2894)
+ [SSRF attack document translation](https://xz.aliyun.com/t/2421)
+ [PHP SSRF Techniques How to bypass filter_var(), preg_match() and parse_url()](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)

## XXE

+ [A brief discussion of XXE attacks and defenses](http://thief.one/2017/06/20/1/)
+ [XXE vulnerability analysis](http://www.4o4notfound.org/index.php/archives/29/)
+ [XML entity injection: attack and defense](http://www.hackersb.cn/hacker/211.html)
+ [Exploiting and learning about XML entity injection](http://uknowsec.cn/posts/notes/XML%E5%AE%9E%E4%BD%93%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E7%9A%84%E5%88%A9%E7%94%A8%E4%B8%8E%E5%AD%A6%E4%B9%A0.html)
+ [XXE Injection: Attack and Prevent](http://le4f.net/post/xxe-injection-attack_and_prevent)
+ [XXE (XML External Entity Injection) in practice](http://www.mottoin.com/101806.html)
+ [Hunting in the dark: blind XXE (Chinese)](https://xianzhi.aliyun.com/forum/read/1837.html)
+ [Hunting in the Dark - Blind XXE](https://blog.zsec.uk/blind-xxe-learning/)
+ [XML External Entity vulnerability training module](https://www.sans.org/freading-room/whitepapers/application/hands-on-xml-external-entity-vulnerability-training-module-34397)
+ [What comes to mind when XXE is mentioned](http://www.mottoin.com/88085.html)
+ [A simple understanding and testing of XXE](http://www.mottoin.com/92794.html)
+ [My view on XXE attack and defense](http://bobao.360.cn/learning/detail/3841.html)
+ [Some XXE exploitation tricks](http://www.91ri.org/17052.html)
+ [The magic Content-Type: playing with XXE in JSON](http://bobao.360.cn/learning/detail/360.html)
+ [XXE-DTD Cheat Sheet](https://web-in-security.blogspot.jp/2016/03/xxe-cheat-sheet.html)
+ [XML? Be cautious!](https://blog.pragmatists.com/xml-be-cautious-69a981fdc56a)
+ [XSLT Server Side Injection Attacks](https://www.contextis.com/blog/xslt-server-side-injection-attacks)
+ [Java XXE Vulnerability](https://joychou.org/web/java-xxe-vulnerability.html)
+ [xml-attacks.md](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)

## JSONP injection
+ [JSONP injection explained](http://www.freebuf.com/articles/web/126347.html)
+ [JSONP security attack and defense techniques](http://blog.knownsec.com/2015/03/jsonp_security_technic/)
+ [A small experiment with JSONP and its conclusions](http://www.cnblogs.com/vimsk/archive/2013/01/29/2877888.html)
+ [Using JSONP to obtain information cross-origin](https://xianzhi.aliyun.com/forum/read/1571.html)
+ [Understanding cross-origin requests and JSONP (for beginners)](https://segmentfault.com/a/1190000009577990)
+ [Watering-hole attacks: JSONP hijacking and information hijacking](http://www.mottoin.com/article/web/88237.html)

## SSTI
+ [Jinja2 template injection filter bypasses](https://0day.work/jinja2-template-injection-filter-bypasses/)
+ [Rambling on Flask injection](http://www.freebuf.com/articles/web/88768.html)
+ [A brief analysis of server-side template injection (SSTI)](http://www.freebuf.com/vuls/83999.html)
+ [Exploring SSTI in Flask/Jinja2](https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2/)
+ [Research on server-side injection issues in Flask/Jinja2 development](http://www.freebuf.com/articles/web/136118.html)
+ [Research on server-side injection issues in Flask/Jinja2 development II](http://www.freebuf.com/articles/web/136180.html)
+ [Exploring SSTI in Flask/Jinja2, Part II](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
+ [Injecting Flask](https://nvisium.com/blog/2015/12/07/injecting-flask/)
+ [Server-Side Template Injection: RCE for the modern webapp](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
+ [Exploiting Python Code Injection in Web Applications](https://sethsec.blogspot.jp/2016/11/exploiting-python-code-injection-in-web.html)
+ [Using Python features to execute arbitrary code in Jinja2 templates](http://rickgray.me/2016/02/24/use-python-features-to-execute-arbitrary-codes-in-jinja2-templates/)
+ [Python template strings and template injection](https://virusdefender.net/index.php/archives/761/)
+ [Ruby ERB Template Injection](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
+ [Server-side template injection attacks](https://zhuanlan.zhihu.com/p/28823933)

## Code execution / command execution
+ [PHP arbitrary code execution and defense, from the perspective of PHP source and extension development](https://blog.zsxsoft.com/post/30)
+ [Command Injection/Shell Injection](https://www.exploit-db.com/docs/42593.pdf)
+ [PHP Code Injection Analysis](http://www.polaris-lab.com/index.php/archives/254/)
+ [Using the LD_PRELOAD environment variable to bypass PHP disable_functions and execute system commands](http://doc.ph0en1x.com/wooyun_drops/%E5%88%A9%E7%94%A8%E7%8E%AF%E5%A2%83%E5%8F%98%E9%87%8FLD_PRELOAD%E6%9D%A5%E7%BB%95%E8%BF%87php%20disable_function%E6%89%A7%E8%A1%8C%E7%B3%BB%E7%BB%9F%E5%91%BD%E4%BB%A4.html)
+ [Hack PHP mail additional_parameters](http://blog.nsfocus.net/hack-php-mail-additional_parameters/)
+ [Detailed analysis of PHP mail() exploitation techniques](https://www.anquanke.com/post/id/86028)
+ [Disasters caused by improper use of mail() in PHP application development](https://www.anquanke.com/post/id/86015)
+ [Time-feedback-based RCE](http://www.mottoin.com/article/web/97678.html)
+ [System command execution vulnerabilities caused by improper use of regular expressions](https://www.anquanke.com/post/id/85698)
+ [Breaking length limits in command injection](http://www.freebuf.com/articles/web/154453.html)

## File inclusion
+ [PHP file inclusion vulnerabilities](https://chybeta.github.io/2017/10/08/php%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E6%BC%8F%E6%B4%9E/)
+ [Turning LFI into RFI](https://l.avala.mp/?p=241)
+ [Summary of PHP file inclusion vulnerabilities](http://wooyun.jozxing.cc/static/drops/tips-3827.html)
+ [Common file inclusion scenarios and defenses](https://www.anquanke.com/post/id/86123)
+ [Including files via the zip or phar wrapper](https://bl4ck.in/tricks/2015/06/10/zip%E6%88%96phar%E5%8D%8F%E8%AE%AE%E5%8C%85%E5%90%AB%E6%96%87%E4%BB%B6.html)
+ [File inclusion vulnerabilities (1)](http://drops.blbana.cc/2016/08/12/e6-96-87-e4-bb-b6-e5-8c-85-e5-90-ab-e6-bc-8f-e6-b4-9e/)
+ [File inclusion vulnerabilities (2)](http://drops.blbana.cc/2016/12/03/e6-96-87-e4-bb-b6-e5-8c-85-e5-90-ab-e6-bc-8f-e6-b4-9e-ef-bc-88-e4-ba-8c-ef-bc-89/)

## File upload / parsing vulnerabilities
+ [Upload-labs walkthrough](https://xz.aliyun.com/t/2435)
+ [File upload and WAF attack and defense](https://www.secfree.com/article-585.html)
+ [My way of WAF bypass (upload)](https://xz.aliyun.com/t/337)
+ [File upload vulnerabilities (bypass techniques)](http://thief.one/2016/09/22/%E4%B8%8A%E4%BC%A0%E6%9C%A8%E9%A9%AC%E5%A7%BF%E5%8A%BF%E6%B1%87%E6%80%BB-%E6%AC%A2%E8%BF%8E%E8%A1%A5%E5%85%85/)
+ [Server parsing vulnerabilities](http://thief.one/2016/09/21/%E6%9C%8D%E5%8A%A1%E5%99%A8%E8%A7%A3%E6%9E%90%E6%BC%8F%E6%B4%9E/)
+ [File upload summary](https://masterxsec.github.io/2017/04/26/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%80%BB%E7%BB%93/)
+ [Code audit: hunting logic flaws in uploads](http://wooyun.jozxing.cc/static/drops/papers-1957.html)
+ [Penetration testing methodology: file upload](https://bbs.ichunqiu.com/thread-23193-1-1.html?from=sec)
+ [Some exploration of filename parsing](https://landgrey.me/filetype-parsing-attack/)
+ [Web security: upload vulnerability bypasses](http://www.freebuf.com/column/161357.html)
+ [Upload WAF bypass](http://docs.ioin.in/writeup/www.am0s.com/_jchw_376_html/index.html)

## Logic vulnerabilities
+ [Code audit: hunting logic flaws in uploads](http://wooyun.jozxing.cc/static/drops/papers-1957.html)
+ [Logic above all: all sorts of cool tricks](https://www.anquanke.com/post/id/85947)
+ [Analysis of common logic flaws in web security testing (practice)](http://www.freebuf.com/vuls/112339.html)
+ [Logic flaws: password reset](https://mp.weixin.qq.com/s/Lynmqd_ieEoNJ3mmyv9eQQ)
+ [Logic flaws: payment vulnerabilities](https://mp.weixin.qq.com/s/w22omfxO8vU6XzixXWmBxg)
+ [Logic flaws: broken access control](https://mp.weixin.qq.com/s/ChiXtcrEyQeLkGOkm4PTog)
+ [Summary of password recovery logic flaws](http://wooyun.jozxing.cc/static/drops/web-5048.html)
+ [Analysis of some common password reset vulnerabilities](http://wooyun.jozxing.cc/static/drops/papers-2035.html)
+ [A short summary of password logic flaws](http://docs.ioin.in/writeup/blog.heysec.org/_archives_643/index.html)
+ [Bug hunting: hunting logic flaws](https://bbs.ichunqiu.com/thread-21161-1-1.html)
+ [tom0li: summary of logic flaws](https://tom0li.github.io/%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E%E5%B0%8F%E7%BB%93/)

## Unauthorized access / information disclosure
+ [Tips on unauthorized access](https://xz.aliyun.com/t/2320)
+ [Summary of unauthorized access vulnerabilities](https://www.secpulse.com/archives/61101.html)
+ [Detecting and exploiting unauthorized access vulnerabilities](https://thief.one/2017/12/08/1/)
+ [Summary of common web source code leaks](http://www.mottoin.com/95749.html)
+ [Bug hunting tips: summary of information disclosure](https://www.anquanke.com/post/id/94787)

### Redis
+ [Writing a webshell via Redis](https://www.leavesongs.com/PENETRATION/write-webshell-via-redis-server.html)
+ [Analysis of exploiting Redis unauthorized access with SSH key files](http://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/)
+ [Summary of exploiting Redis unauthorized access](https://xianzhi.aliyun.com/forum/read/750.html)
+ [[Incident response] Redis unauthorized access leading to remote mining script implants (defense)](https://mp.weixin.qq.com/s/eUTZsGUGSO0AeBUaxq4Q2w)

## RPO (relative path overwrite)
+ [In-depth analysis of RPO vulnerabilities](https://xz.aliyun.com/t/2220)
+ [A first look at Relative Path Overwrite](https://xz.aliyun.com/t/193)
+ [Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities](http://blog.portswigger.net/2015/02/prssi.html)
+ [RPO](http://www.thespanner.co.uk/2014/03/21/rpo/)
+ [A few RPO exploitation techniques](http://www.mbsd.jp/Whitepaper/rpo.pdf)
+ [A new web attack technique: a first look at RPO attacks](https://mp.weixin.qq.com/s/P-ncFmNZfBteJBQr8INzsw)
+ [RPO Gadgets](https://blog.innerht.ml/rpo-gadgets/)

## Web Cache
+ [A brief analysis of web cache deception attacks](https://www.anquanke.com/post/id/86049)
+ [Practical Web Cache Poisoning](https://portswigger.net/blog/practical-web-cache-poisoning)
+ [Practical web cache poisoning (Chinese)](https://xz.aliyun.com/t/2585)
+ [WEB CACHE DECEPTION ATTACK](https://drive.google.com/file/d/0BxuNjp5J7XUIdkotUm5Jem5IZUk/view)
+ [Web cache deception attacks explained in detail](https://www.anquanke.com/post/id/86516)

## PHP-related
### Weak typing
+ [From weak-typing exploitation and object injection to SQL injection](https://www.anquanke.com/post/id/85455)
+ [Security issues of the == operator in PHP](http://bobao.360.cn/learning/detail/2924.html)
+ [Summary of PHP weak typing security issues](http://blog.spoock.com/2016/06/25/weakly-typed-security/)
+ [A brief discussion of PHP weak typing security](http://wooyun.jozxing.cc/static/drops/tips-4483.html)
+ [Security issues of PHP comparison operators](http://wooyun.jozxing.cc/static/drops/tips-7679.html)

### Random number issues
+ [PHP mt_rand() random number security](https://mp.weixin.qq.com/s/3TgBKXHw3MC61qIYELanJg)
+ [Cracking PHP rand()](http://www.sjoerdlangkemper.nl/2016/02/11/cracking-php-rand/)
+ [Random numbers in PHP](http://5alt.me/2017/06/php%E9%87%8C%E7%9A%84%E9%9A%8F%E6%9C%BA%E6%95%B0/)
+ [php_mt_seed - PHP mt_rand() seed cracker](http://www.openwall.com/php_mt_seed/)
+ [The GLIBC random number generator](http://www.mscs.dal.ca/~selinger/random/)
+ [A CTF challenge on pseudo-random numbers](https://github.com/wonderkun/CTF_web/blob/master/web500-2/writeup.pdf)

### Pseudo-protocols (PHP wrappers)
+ [On clever uses of php://filter](https://www.leavesongs.com/PENETRATION/php-filter-magic.html)
+ [PHP pseudo-protocols](http://lorexxar.cn/2016/09/14/php-wei/)
+ [Expanding the attack surface with the Gopher protocol](https://blog.chaitin.cn/gopher-attack-surfaces/)
+ [PHP pseudo-protocols: the phar wrapper (bypassing inclusion filters)](https://www.bodkin.ren/?p=902)
+ [Analysis and application of PHP pseudo-protocols](http://www.4o4notfound.org/index.php/archives/31/)
+ [Studying the security issues of LFI, RFI and PHP wrappers](http://www.cnblogs.com/LittleHann/p/3665062.html)

### Serialization
+ [PHP deserialization vulnerabilities](http://bobao.360.cn/learning/detail/4122.html)
+ [A brief discussion of PHP deserialization vulnerabilities](https://chybeta.github.io/2017/06/17/%E6%B5%85%E8%B0%88php%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/)
+ [Causes of PHP deserialization vulnerabilities, hunting techniques and case studies](http://bobao.360.cn/learning/detail/3193.html)

### PHP mail header injection
+ [What is Email Header Injection?](https://www.acunetix.com/blog/articles/email-header-injection/)
+ [PHP Email Injection Example](http://resources.infosecinstitute.com/email-injection/)

### Other
+ [Summary of ideas for PHP shell bypass](https://www.inksec.cn/2017/11/06/bypass_shell_4/)
+ [Decrypt PHP's eval based encryption with debugger](https://mp.weixin.qq.com/s?__biz=MzIxNjU3ODMyOQ==&mid=2247483693&idx=1&sn=ed49fc13d8e09f12d87675adff18919f)
+ [Upgrade from LFI to RCE via PHP Sessions](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/)
+ [Xdebug: A Tiny Attack Surface](https://ricterz.me/posts/Xdebug%3A%20A%20Tiny%20Attack%20Surface)
+ [Exploitable PHP functions](https://stackoverflow.com/questions/3115559/exploitable-php-functions)
+ [PHP format string problems, starting from a WordPress SQLi](https://paper.seebug.org/386/)
+ [Some black magic between PHP, apache2 and the operating system](http://wonderkun.cc/index.html/?p=626)
+ [Writing exploits for PHP memory corruption bugs and bypassing disabled functions](http://blog.th3s3v3n.xyz/2016/05/01/bin/2016-5-1-php%E5%86%85%E5%AD%98%E7%A0%B4%E5%9D%8F%E6%BC%8F%E6%B4%9Eexp%E7%BC%96%E5%86%99%E5%92%8C%E7%A6%81%E7%94%A8%E5%87%BD%E6%95%B0%E7%BB%95%E8%BF%87/)
+ [Hunting techniques for bypassing PHP disabled functions](http://blog.th3s3v3n.xyz/2016/11/20/web/%E6%8C%96%E6%8E%98PHP%E7%A6%81%E7%94%A8%E5%87%BD%E6%95%B0%E7%BB%95%E8%BF%87%E5%88%A9%E7%94%A8%E5%A7%BF%E5%8A%BF/)
+ [PHP backdoors built from .user.ini files](http://wooyun.jozxing.cc/static/drops/tips-3424.html)

### PHP code audit
+ [PHP vulnerability hunting: advanced](http://blog.nsfocus.net/php-vulnerability-mining/)
+ [On common PHP vulnerabilities](http://wooyun.jozxing.cc/static/drops/papers-4544.html)
+ [Getting started with code auditing in practice: auditing the latest version of a blog system](http://www.freebuf.com/articles/rookie/143554.html)
+ [PHP code audit tips for CTFs](http://www.am0s.com/ctf/200.html)
+ [PHP code audit tips](http://docs.ioin.in/writeup/www.91ri.org/_15074_html/index.html)
+ [Code audit: search techniques for file access control and file upload flaws](http://docs.ioin.in/writeup/blog.heysec.org/_archives_170/index.html)
+ [Collection of PHP code audit primers](http://wiki.ioin.in/post/group/6Rb)
+ [Learning PHP code audit](http://phantom0301.cc/2017/06/06/codeaudit/)
+ [PHP vulnerability hunting: ideas and examples](http://wooyun.jozxing.cc/static/drops/tips-838.html)
+ [PHP vulnerability hunting: ideas and examples, chapter 2](http://wooyun.jozxing.cc/static/drops/tips-858.html)
+ [PHP code audit summary (1)](https://www.chery666.cn/blog/2017/12/11/Code-audit.html)
+ [2018 guide to PHP application security design](https://laravel-china.org/articles/7235/2018-php-application-security-design)

## Java Web
### Deserialization
+ [The woes of Java JSON deserialization (Kanxue Security Developer Summit)](https://github.com/shengqi158/fastjson-remote-code-execute-poc/blob/master/Java_JSON%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B9%8B%E6%AE%87_%E7%9C%8B%E9%9B%AA%E5%AE%89%E5%85%A8%E5%BC%80%E5%8F%91%E8%80%85%E5%B3%B0%E4%BC%9A.pdf)
+ [Java deserialization vulnerabilities from the perspective of building reflection chains](http://www.freebuf.com/news/150872.html)
+ [Java deserialization vulnerabilities from understanding to practice](http://bobao.360.cn/learning/detail/4474.html)
+ [Security analysis of Java serialization and deserialization](http://mp.weixin.qq.com/s?__biz=MzI5ODE0ODA5MQ==&mid=2652278247&idx=1&sn=044893b732e4ffa267b00ffe1d9e4727&chksm=f7486473c03fed6525f0a869cbc4ddc03051cda92bb946377c4d831054954159542350768cf3&mpshare=1&scene=23&srcid=0919MUXFBglgDUEtLOha0wbo#rd)
+ [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet)
+ [How to attack the Java deserialization process](http://bobao.360.cn/learning/detail/4267.html)
+ [Understanding Java deserialization vulnerabilities in depth](https://www.vulbox.com/knowledge/detail/?id=11)
+ [Attacking Java Deserialization](https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/)
+ [Detailed analysis of Jackson deserialization](http://bobao.360.cn/learning/detail/4118.html)
+ [Java security: deserialization vulnerability analysis](https://mp.weixin.qq.com/s?__biz=MzIzMzgxOTQ5NA==&mid=2247484200&idx=1&sn=8f3201f44e6374d65589d00d91f7148e)
+ [Analysis of a fastjson deserialization PoC](https://mp.weixin.qq.com/s/0a5krhX-V_yCkz-zDN5kGg)
+ [Studying the Apache Commons Collections deserialization vulnerability](http://pirogue.org/2017/12/22/javaSerialKiller/)

### Struts2
+ [A review of the Struts2 command execution series](http://www.zerokeeper.com/vul-analysis/struts2-command-execution-series-review.html)

### Java Web code audit
+ [Some Java code audit tips (with scripts)](https://xianzhi.aliyun.com/forum/topic/1633/)
+ [Java code audit series: SQL injection](https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=22170&highlight=Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%BF%9E%E8%BD%BD)
+ [Java code audit series: arbitrary file download](https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=23587&highlight=Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%BF%9E%E8%BD%BD)
+ [Java code audit series: XSS](https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=22875&highlight=Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%BF%9E%E8%BD%BD)
+ [Java code audit series: odds and ends](https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=25475&highlight=Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%BF%9E%E8%BD%BD)
+ [Java secure coding and code audit (JAVA安全编码与代码审计.md)](https://github.com/Cryin/JavaID/blob/master/JAVA%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E4%B8%8E%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md)
+ [Java code audit slides](https://xianzhi.aliyun.com/forum/read/1904.html)

### Other

+ [On JNDI injection](http://bobao.360.cn/learning/detail/4564.html)
+ [Progressively expanding the attack surface in Java audits](https://mp.weixin.qq.com/s/WT1EXEryUGGqHQpSi959xw)
+ [SQL injection from a Java perspective](https://mp.weixin.qq.com/s?__biz=MzIzMzgxOTQ5NA==&mid=2247483954&idx=1&sn=418b7e55b16c717ee5140af990298e22&chksm=e8fe9e3bdf89172d0670690060944bf2434cc2d2e8fba4477711299a0775cf3735a2022c0778#rd)
+ [An in-depth look at the elusive thief, XSS, from a Java perspective](http://mp.weixin.qq.com/s?__biz=MzIzMzgxOTQ5NA==&mid=100000340&idx=1&sn=6ca4ec15ef6338daf1d4a907351d7c08&chksm=68fe9e5d5f89174b44fd0cae2e3d5c0018859d3d1dc6d60a2e16dcde34499ba224d6ea17a982#rd)
+ [Is your Java web configuration secure?](https://mp.weixin.qq.com/s?__biz=MzIzMzgxOTQ5NA==&mid=100000318&idx=1&sn=9011af3e3968e0d87499605ef1a68291&chksm=68fe9e375f8917213297855bd9e1ab1203ae4c9b0b5ca351de7b2c0f7a7799bd1f4843cd13f4#rd)
+ [Spring arbitrary file read](https://github.com/ilmila/springcss-cve-2014-3625/tree/master/src)
+ [Several ways to execute arbitrary shell commands via Runtime.getRuntime().exec(String cmd)](https://mp.weixin.qq.com/s/zCe_O37rdRqgN-Yvlq1FDg)

## Python Web
+ [Python web security summary](http://bobao.360.cn/learning/detail/4522.html)
+ [Defencely Clarifies Python Object Injection Exploitation](http://defencely.com/blog/defencely-clarifies-python-object-injection-exploitation/)
+ [Exploiting Python Deserialization Vulnerabilities](https://crowdshield.com/blog.php?name=exploiting-python-deserialization-vulnerabilities)
+ [Explaining and exploiting deserialization vulnerability with Python (EN)](https://dan.lousqui.fr/explaining-and-exploiting-deserialization-vulnerability-with-python-en.html)
+ [Python PyYAML deserialization experiments and payload construction](http://www.polaris-lab.com/index.php/archives/375/)
+ [Python format string vulnerabilities (Django as an example)](https://www.leavesongs.com/PENETRATION/python-string-format-vulnerability.html)
+ [format injection](http://www.venenof.com/index.php/archives/360/)
+ [Be Careful with Python's New-Style String Format](http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/)
+ [Python urllib HTTP header injection vulnerability](http://www.tuicool.com/articles/2iIj2eR)
+ [Hack Redis via Python urllib HTTP Header Injection](https://security.tencent.com/index.php/blog/msg/106)
+ [Some bypass ideas under Python WAF blacklist filtering](http://www.0aa.me/index.php/archives/123/)
+ [N ways of Python sandbox escape](https://mp.weixin.qq.com/s/PLI-yjqmA3gwk5w3KHzOyA)
+ [Python sandbox escape via memory corruption](https://mp.weixin.qq.com/s/s9fAskmp4Bb42OYsiQJFaw)
+ [Python Sandbox Bypass](https://mp.weixin.qq.com/s?__biz=MzIzOTQ5NjUzOQ==&mid=2247483665&idx=1&sn=4b18de09738fdc5291634db1ca2dd55a)
+ [pyt: static source analysis tool for Python applications](https://github.com/python-security/pyt)
+ [Exploiting Python PIL Module Command Execution Vulnerability](http://docs.ioin.in/writeup/github.com/_neargle_PIL_RCE_By_GhostButt/index.html)
+ [The sins of file extraction: code execution in Python](http://bobao.360.cn/learning/detail/4503.html)

## Node.js
+ [A brief discussion of Node.js web security issues](http://www.freebuf.com/articles/web/152891.html)
+ [node.js + postgres: from injection to getting a shell](https://www.leavesongs.com/PENETRATION/node-postgres-code-execution-vulnerability.html)
+ [Pentesting Node.js Application : Nodejs Application Security (may be blocked in mainland China)](http://www.websecgeeks.com/2017/04/pentesting-nodejs-application-nodejs.html)
+ [Learning to pentest Node.js applications from scratch](https://bbs.ichunqiu.com/thread-21810-1-1.html?from=sec)
+ [The strange "bug" with URLs containing spaces in Node.js: a small deep dive into the HTTP protocol](https://segmentfault.com/a/1190000012407268)

## WAF-related
+ [On WAFs and static statistical analysis](http://bobao.360.cn/learning/detail/4670.html)
+ [Awesome summary of payloads and bypasses](https://github.com/swisskyrepo/PayloadsAllTheThings)
+ [WAF bypass references](http://www.mottoin.com/100887.html)
+ [A brief discussion of WAF bypass techniques](http://www.freebuf.com/articles/web/136723.html)
+ [Bypass cases for addslashes-based injection protection](https://xianzhi.aliyun.com/forum/read/753.html?fpage=6)
+ [On the effect of JSON parameter parsing on WAF bypass](https://xianzhi.aliyun.com/forum/read/553.html?fpage=8)
+ [WAF attack and defense research: bypassing WAFs at four levels](http://weibo.com/ttarticle/p/show?id=2309404007261092631700)
+ [Using HTTP headers to bypass WAFs](http://www.sohu.com/a/110066439_468673)
+ [A time machine that finds bugs: Pinpointing Vulnerabilities](https://www.inforsec.org/wp/?p=1993)

# Penetration testing
## Course
+ [Web service penetration testing from beginner to expert](http://bobao.360.cn/learning/detail/3741.html)
+ [Penetration testing standard](https://www.processon.com/view/583e8834e4b08e31357bb727)
+ [Penetration Testing Tools Cheat Sheet](https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/)

## Information gathering
+ [How I collected whois information for all IPs on the Internet](https://mp.weixin.qq.com/s/qz0b42DKhgo1sfitcUKhtQ)
+ [A brief discussion of information gathering in web penetration testing](http://www.freebuf.com/articles/web/142767.html)
+ [Penetration testing tutorial: how to reconnoiter targets and gather information?](http://www.4hou.com/penetration/6850.html)
+ [My ideas and tips for a web vulnerability scanner (domain information gathering)](http://weibo.com/ttarticle/p/show?id=2309404088584863883789)
+ [The art of subdomains](http://www.91ri.org/17001.html)
+ [Penetration testing guide: subdomain enumeration techniques](http://www.freebuf.com/articles/network/161046.html)
+ [A worked demonstration of systematic subdomain collection](http://bobao.360.cn/learning/detail/4119.html)
+ [[Pentest tool series] Search engines](http://thief.one/2017/05/19/1/)
+ [Domain penetration basics: simple information gathering (basics)](https://xianzhi.aliyun.com/forum/read/805.html)
+ [Summary of host-location techniques in internal network penetration](http://docs.ioin.in/writeup/www.mottoin.com/_92978_html/index.html)
+ [Information gathering in post-exploitation](https://www.secpulse.com/archives/51527.html)
+ [Security engineer series: sensitive information gathering](http://www.mottoin.com/99951.html)
+ [The art of subdomain enumeration](http://www.mottoin.com/101362.html)
+ [On the many ways of collecting second-level domains](https://mp.weixin.qq.com/s/ardCYdZzaSjvSIZiFraWGA)
+ [Penetration testing information gathering as I see it](https://xianzhi.aliyun.com/forum/read/451.html?fpage=2)
+ [Large-target penetration 01: intrusion information gathering](https://xianzhi.aliyun.com/forum/read/1675.html)
+ [Information gathering in vendor-side penetration testing](http://www.cnnetarmy.com/%E4%B9%99%E6%96%B9%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B9%8B%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/)
+ [Bug hunting tips: summary of information disclosure](https://www.anquanke.com/post/id/94787)

## Penetration
+ [[Mastering Linux] Linux internal network penetration](https://mp.weixin.qq.com/s/VJBnXq3--0HBD7eVeifOKA)
+ [Penetration testing guide: scope of domain user groups](http://www.4hou.com/penetration/7016.html)
+ [Additional tips for internal host discovery](http://mp.weixin.qq.com/s/l-Avt72ajCIo5GdMEwVx7A)
+ [Summary of Linux port forwarding characteristics](https://mp.weixin.qq.com/s?__biz=MzA3Mzk1MDk1NA==&mid=2651903919&idx=1&sn=686cc53137aa9e8ec323dda1e54a2c23)
+ [Internal network penetration (continuously updated)](http://rcoil.me/2017/06/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F/)
+ [SSH port forwarding in practice](https://www.ibm.com/developerworks/cn/linux/l-cn-sshforward/index.html)
+ [Reaching hidden internal networks through multi-hop forwarding](http://bobao.360.cn/learning/detail/3545.html)
+ [Internal network forwarding techniques](http://www.03sec.com/3141.shtml)
+ [Tools for internal network forwarding](https://mp.weixin.qq.com/s/EWL9-AUB_bTf7pU4S4A2zg)
+ [Various reverse shell methods on Linux](http://www.03sec.com/3140.shtml)
+ [Summary of Linux one-liner reverse shells](http://bobao.360.cn/learning/detail/4551.html)
+ [PHP reverse shell](http://wolvez.club/?p=458)
+ [Using ew to easily traverse multi-level target networks](https://klionsec.github.io/2017/08/05/ew-tunnel/)
+ [Miscellaneous notes on Windows internal network penetration](https://bl4ck.in/penetration/2017/03/20/windows%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%E6%9D%82%E8%B0%88.html)
+ [Lateral movement in Windows domains](http://docs.ioin.in/writeup/www.mottoin.com/_89413_html/index.html)
+ [Summary of forwarding tools in internal network penetration](http://blog.neargle.com/SecNewsBak/drops/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%E4%B8%AD%E8%BD%AC%E5%8F%91%E5%B7%A5%E5%85%B7%E6%80%BB%E7%BB%93.html)
+ [Internal network penetration: organizing ideas and using tools](http://bobao.360.cn/learning/detail/3683.html)
+ [Using Cobalt Strike in internal network penetration](http://www.freebuf.com/sectool/125237.html)
+ [Reverse SOCKS5 proxy (Windows edition)](http://x95.org/archives/reverse-socks5-proxy.html)
+ [Windows penetration basics](http://www.mottoin.com/89355.html)
+ [Roaming isolated internal networks via double pivots](https://xianzhi.aliyun.com/forum/read/768.html)
+ [A Red Teamer's guide to pivoting](https://artkond.com/2017/03/23/pivoting-guide/)
+ [Ways of crossing the perimeter](https://mp.weixin.qq.com/s/l-0sWU4ijMOQWqRgsWcNFA)
+ [Internal port forwarding and tunneling](https://xianzhi.aliyun.com/forum/read/1715.html)
+ [Covertly penetrating internal networks: building a VPN tunnel over DNS](http://www.4hou.com/technology/3143.html)
+ [Reverse Shell Cheat Sheet](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
+ [Internal network penetration as I know it: a grand summary](https://www.anquanke.com/post/id/92646)

## Penetration in practice
+ [Bug hunting experience | How I chained 4 vulnerabilities for remote code execution on GitHub Enterprise](http://www.freebuf.com/news/142680.html)
+ [Splash 
SSRF到获取内网服务器ROOT权限](http://bobao.360.cn/learning/detail/4113.html) 531 | + [Pivoting from blind SSRF to RCE with HashiCorp Consul](http://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html) 532 | + [我是如何通过命令执行到最终获取内网Root权限的 ](http://www.freebuf.com/articles/web/141579.html) 533 | + [信息收集之SVN源代码社工获取及渗透实战](https://xianzhi.aliyun.com/forum/read/1629.html) 534 | + [SQL注入+XXE+文件遍历漏洞组合拳渗透Deutsche Telekom](http://paper.seebug.org/256/) 535 | + [渗透 Hacking Team](http://blog.neargle.com/SecNewsBak/drops/%E6%B8%97%E9%80%8FHacking%20Team%E8%BF%87%E7%A8%8B.html) 536 | + [由视频系统SQL注入到服务器权限](https://bbs.ichunqiu.com/thread-25827-1-1.html?from=sec) 537 | + [From Serialized to Shell :: Exploiting Google Web Toolkit with EL Injection](http://srcincite.io/blog/2017/05/22/from-serialized-to-shell-auditing-google-web-toolkit-with-el-injection.html) 538 | + [浅谈渗透测试实战](http://docs.ioin.in/writeup/avfisher.win/_archives_381/index.html) 539 | + [渗透测试学习笔记之案例一](http://avfisher.win/archives/741) 540 | + [渗透测试学习笔记之案例二](http://avfisher.win/archives/756) 541 | + [渗透测试学习笔记之案例四](http://avfisher.win/archives/784) 542 | + [记一次内网渗透](http://killbit.me/2017/09/11/%E8%AE%B0%E4%B8%80%E6%AC%A1%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F/) 543 | 544 | ## 提权 545 | + [提权技巧](http://www.secbox.cn/skill/5583.html) 546 | + [linux-kernel-exploits Linux平台提权漏洞集合](https://github.com/SecWiki/linux-kernel-exploits) 547 | + [windows-kernel-exploits Windows平台提权漏洞集合 ](https://github.com/SecWiki/windows-kernel-exploits) 548 | + [Linux MySQL Udf 提权](http://www.91ri.org/16540.html) 549 | + [windows提权系列上篇](http://mp.weixin.qq.com/s/uOArxXIfcI4fjqnF9BDJGA) 550 | + [Windows提权系列中篇](https://mp.weixin.qq.com/s/ERXOLhWo0-lJbMV143I8hA) 551 | + [获取SYSTEM权限的多种姿势](http://bobao.360.cn/learning/detail/4740.html) 552 | 553 | ## 渗透技巧 554 | + [乙方渗透测试之Fuzz爆破](http://www.cnnetarmy.com/%E4%B9%99%E6%96%B9%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B9%8BFuzz%E7%88%86%E7%A0%B4/) 555 | + [域渗透神器Empire安装和简单使用 
](https://mp.weixin.qq.com/s/VqrUTW9z-yi3LqNNy-lE-Q) 556 | + [如何将简单的Shell转换成为完全交互式的TTY ](http://www.freebuf.com/news/142195.html) 557 | + [60字节 - 无文件渗透测试实验](https://www.n0tr00t.com/2017/03/09/penetration-test-without-file.html) 558 | + [内网渗透思路探索之新思路的探索与验证](http://www.tuicool.com/articles/fMFB3mY) 559 | + [Web端口复用正向后门研究实现与防御 ](http://www.freebuf.com/articles/web/142628.html) 560 | + [谈谈端口探测的经验与原理](http://www.freebuf.com/articles/network/146087.html) 561 | + [端口渗透总结](http://docs.ioin.in/writeup/blog.heysec.org/_archives_577/index.html) 562 | + [端口扫描那些事](https://mp.weixin.qq.com/s?__biz=MzI5MDQ2NjExOQ==&mid=2247484812&idx=1&sn=7d894b50b3947142fbfa3a4016f748d5&chksm=ec1e35a4db69bcb2acfe7ecb3b0cd1d366c54bfa1feaafc62c4290b3fd2eddab9aa95a98f041#rd) 563 | + [渗透技巧——通过cmd上传文件的N种方法 ](http://blog.neargle.com/SecNewsBak/drops/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7%E2%80%94%E2%80%94%E9%80%9A%E8%BF%87cmd%E4%B8%8A%E4%BC%A0%E6%96%87%E4%BB%B6%E7%9A%84N%E7%A7%8D%E6%96%B9%E6%B3%95.html) 564 | + [域渗透TIPS:获取LAPS管理员密码 ](http://www.freebuf.com/articles/web/142659.html) 565 | + [域渗透——Security Support Provider](http://blog.neargle.com/SecNewsBak/drops/%E5%9F%9F%E6%B8%97%E9%80%8F%E2%80%94%E2%80%94Security%20Support%20Provider.html) 566 | + [内网渗透随想](http://docs.ioin.in/writeup/www.91ri.org/_14390_html/index.html) 567 | + [域渗透之流量劫持](http://bobao.360.cn/learning/detail/3266.html) 568 | + [渗透技巧——快捷方式文件的参数隐藏技巧](https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E5%BF%AB%E6%8D%B7%E6%96%B9%E5%BC%8F%E6%96%87%E4%BB%B6%E7%9A%84%E5%8F%82%E6%95%B0%E9%9A%90%E8%97%8F%E6%8A%80%E5%B7%A7/) 569 | + [后门整理](https://bbs.ichunqiu.com/thread-25119-1-1.html?from=sec) 570 | + [Linux后门整理合集(脉搏推荐)](https://www.secpulse.com/archives/59674.html) 571 | 572 | ## 运维 573 | + [安全运维那些洞 ](https://mp.weixin.qq.com/s/5TfAF5-HR8iDA_qSIJkQ0Q) 574 | + [美团外卖自动化业务运维系统建设](https://tech.meituan.com/digger_share.html) 575 | + [饿了么运维基础设施进化史 
](https://mp.weixin.qq.com/s?__biz=MzA4Nzg5Nzc5OA==&mid=2651668800&idx=1&sn=615af5f120d1298475aaf4825009cb30&chksm=8bcb82e9bcbc0bff6309d9bbaf69cfc591624206b846e00d5004a68182c934dab921b7c25794&scene=38#wechat_redirect) 576 | + [nginx配置一篇足矣](http://www.xuxiaobo.com/?p=3869) 577 | + [Docker Remote API的安全配置 ](http://p0sec.net/index.php/archives/115/) 578 | + [Apache服务器安全配置 ](http://foreversong.cn/archives/789) 579 | + [IIS服务器安全配置](http://foreversong.cn/archives/803) 580 | + [Tomcat服务器安全配置](http://foreversong.cn/archives/816) 581 | + [互联网企业安全之端口监控 ](https://mp.weixin.qq.com/s/SJKeXegWG3OQo4r0nBs7xQ) 582 | + [Linux应急响应姿势浅谈](http://bobao.360.cn/learning/detail/4481.html) 583 | + [黑客入侵应急分析手工排查](https://xianzhi.aliyun.com/forum/read/1655.html) 584 | + [企业常见服务漏洞检测&修复整理](http://www.mottoin.com/92742.html) 585 | + [Linux基线加固](https://mp.weixin.qq.com/s/0nxiZw1NUoQTjxcd3zl6Zg) 586 | + [Apache server security: 10 tips to secure installation](https://www.acunetix.com/blog/articles/10-tips-secure-apache-installation/) 587 | + [Oracle数据库运维中的攻防实战(全) ](https://mp.weixin.qq.com/s/dpvBo6Bat5u4t8kSFRcv9w) 588 | + [Linux服务器上监控网络带宽的18个常用命令](http://www.xuxiaobo.com/?p=3950) 589 | ## DDOS 590 | + [DDoS攻防补遗 ](https://yq.aliyun.com/articles/1795) 591 | + [反射DDOS攻击防御的一点小想法 ](http://www.freebuf.com/column/138163.html) 592 | + [DDOS攻击方式总结](https://www.secpulse.com/archives/64088.html ) 593 | + [DDoS防御和DDoS防护方法 你帮忙看看这7个说法靠不靠谱](http://toutiao.secjia.com/ddos-7tips) 594 | + [DDoS防御和DDoS防护 来看个人站长、果壳网和安全公司怎么说 ](http://toutiao.secjia.com/ddos-prevention-protection) 595 | + [DDoS防御之大流量DDoS防护方案 还有计算器估算损失](http://toutiao.secjia.com/ddos-prevention-protection-2) 596 | + [freeBuf专栏 ](http://www.freebuf.com/author/%e9%bb%91%e6%88%88%e7%88%be) 597 | + [遭受CC攻击的处理](http://www.xuxiaobo.com/?p=3923) 598 | 599 | # CTF 600 | ## 技巧总结 601 | + [CTF线下防御战 — 让你的靶机变成“铜墙铁壁”](http://bobao.360.cn/ctf/detail/210.html) 602 | + [ctf-wiki](https://ctf-wiki.github.io/ctf-wiki/#/introduction) 603 | + 
[CTF中那些脑洞大开的编码和加密](https://www.hackfun.org/CTF/coding-and-encryption-of-those-brain-holes-in-CTF.html) 604 | + [CTF加密与解密 ](http://thief.one/2017/06/13/1/) 605 | + [CTF中图片隐藏文件分离方法总结](https://www.hackfun.org/CTF/summary-of-image-hiding-files-in-CTF.html) 606 | + [Md5扩展攻击的原理和应用](http://www.freebuf.com/articles/database/137129.html) 607 | + [CTF比赛中关于zip的总结](http://bobao.360.cn/ctf/detail/203.html) 608 | + [十五个Web狗的CTF出题套路](http://weibo.com/ttarticle/p/show?id=2309403980950244591011) 609 | + [CTF备忘录](https://827977014.docs.qq.com/Bt2v7IZWnYo?type=1&_wv=1&_bid=2517) 610 | + [rcoil:CTF线下攻防赛总结](http://rcoil.me/2017/06/CTF%E7%BA%BF%E4%B8%8B%E8%B5%9B%E6%80%BB%E7%BB%93/) 611 | + [CTF内存取证入坑指南!稳!](http://www.freebuf.com/column/152545.html) 612 | 613 | # 杂 614 | + [细致分析Padding Oracle渗透测试全解析 ](http://www.freebuf.com/articles/database/150606.html) 615 | + [Exploring Compilation from TypeScript to WebAssembly](https://medium.com/web-on-the-edge/exploring-compilation-from-typescript-to-webassembly-f846d6befc12) 616 | + [High-Level Approaches for Finding Vulnerabilities](http://jackson.thuraisamy.me/finding-vulnerabilities.html) 617 | + [谈谈HTML5本地存储——WebStorage](http://syean.cn/2017/08/15/%E8%B0%88%E8%B0%88HTML5%E6%9C%AC%E5%9C%B0%E5%AD%98%E5%82%A8%E2%80%94%E2%80%94WebStorage/) 618 | + [Linux下容易被忽视的那些命令用法](https://segmentfault.com/p/1210000010668099/read) 619 | + [各种脚本语言不同版本一句话开启 HTTP 服务器的总结](http://www.mottoin.com/94895.html) 620 | + [WebAssembly入门:将字节码带入Web世界](http://bobao.360.cn/learning/detail/3757.html) 621 | + [phpwind 利用哈希长度扩展攻击进行getshell](https://www.leavesongs.com/PENETRATION/phpwind-hash-length-extension-attack.html) 622 | + [深入理解hash长度扩展攻击(sha1为例) ](http://www.freebuf.com/articles/web/69264.html) 623 | + [Joomla 框架的程序执行流程及目录结构分析](http://bobao.360.cn/learning/detail/3909.html) 624 | + [如何通过恶意插件在Atom中植入后门](http://bobao.360.cn/learning/detail/4268.html) 625 | + [CRLF Injection and Bypass Tencent WAF ](https://zhchbin.github.io/2016/01/31/CRLF-Injection-and-Bypass-WAF/) 626 | + 
[Web之困笔记](http://www.au1ge.xyz/2017/08/09/web%E4%B9%8B%E5%9B%B0%E7%AC%94%E8%AE%B0/) 627 | + [技术详解:基于Web的LDAP注入漏洞](http://www.4hou.com/technology/9090.html) 628 | 629 | -------------------------------------------------------------------------------- /SUMMARY.md: -------------------------------------------------------------------------------- 1 | # Summary 2 | 3 | * [Introduction](README.md) 4 | 5 | -------------------------------------------------------------------------------- /zsxq.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/Web-Security-Learning/5e9fa33b1ceb19f920bb8dfb21c94d1bddcbfbb7/zsxq.png -------------------------------------------------------------------------------- /zsxq_ldgf.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CHYbeta/Web-Security-Learning/5e9fa33b1ceb19f920bb8dfb21c94d1bddcbfbb7/zsxq_ldgf.png --------------------------------------------------------------------------------