{"id":13389485,"url":"https://github.com/CHYbeta/Web-Security-Learning","last_synced_at":"2025-03-13T14:31:21.464Z","repository":{"id":37382108,"uuid":"100763890","full_name":"CHYbeta/Web-Security-Learning","owner":"CHYbeta","description":"Web-Security-Learning","archived":false,"fork":false,"pushed_at":"2021-10-02T15:30:54.000Z","size":927,"stargazers_count":4219,"open_issues_count":6,"forks_count":1013,"subscribers_count":219,"default_branch":"master","last_synced_at":"2025-01-28T14:47:21.066Z","etag":null,"topics":["security","sqlinjection","xss"],"latest_commit_sha":null,"homepage":"https://chybeta.github.io/2017/08/19/Web-Security-Learning/","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CHYbeta.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-08-19T02:17:42.000Z","updated_at":"2025-01-23T17:01:57.000Z","dependencies_parsed_at":"2022-07-12T12:50:39.281Z","dependency_job_id":null,"html_url":"https://github.com/CHYbeta/Web-Security-Learning","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CHYbeta%2FWeb-Security-Learning","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CHYbeta%2FWeb-Security-Learning/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CHYbeta%2FWeb-Security-Learning/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CHYbeta%2FWeb-Security-Learning/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CHYbeta","download_url":"https://codeload.github.com/CH
Ybeta/Web-Security-Learning/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243422454,"owners_count":20288461,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["security","sqlinjection","xss"],"created_at":"2024-07-30T13:01:13.298Z","updated_at":"2025-03-13T14:31:21.064Z","avatar_url":"https://github.com/CHYbeta.png","language":"HTML","readme":"# [Web-Security-Learning](https://chybeta.github.io/2017/08/19/Web-Security-Learning/)\n\nProject repository: https://github.com/CHYbeta/Web-Security-Learning\n\nZhishixingqiu group [Vulnerability Attack and Defense]: https://t.zsxq.com/mm2zBeq\n\n\n![](zsxq.png)\n\n\n\nTable of contents:\n- [Web-Security-Learning](#web-security-learning)\n- [Web Security](#web-security)\n  - [SQL Injection](#sql-injection)\n    - [MySQL](#mysql)\n    - [MSSQL](#mssql)\n    - [PostgreSQL](#postgresql)\n    - [MongoDB](#mongodb)\n    - [Techniques](#techniques)\n    - [Tools](#tools)\n  - [XSS](#xss)\n  - [CSRF](#csrf)\n  - [Other Front-End Security](#other-front-end-security)\n  - [SSRF](#ssrf)\n  - [XXE](#xxe)\n  - [JSONP Injection](#jsonp-injection)\n  - [SSTI](#ssti)\n  - [Code Execution / Command Execution](#code-execution--command-execution)\n  - [File Inclusion](#file-inclusion)\n  - [File Upload / Parsing Vulnerabilities](#file-upload--parsing-vulnerabilities)\n  - [Logic Vulnerabilities](#logic-vulnerabilities)\n  - [Unauthorized Access / Information Disclosure](#unauthorized-access--information-disclosure)\n    - [Redis](#redis)\n  - [RPO (Relative Path Overwrite)](#rpo-relative-path-overwrite)\n  - [Web Cache](#web-cache)\n  - [PHP-Related](#php-related)\n    - [Weak Typing](#weak-typing)\n    - [Random Number Issues](#random-number-issues)\n    - [Pseudo-Protocols](#pseudo-protocols)\n    - [Serialization](#serialization)\n    - [PHP mail header injection](#php-mail-header-injection)\n    - [Other](#other)\n    - [PHP Code Auditing](#php-code-auditing)\n  - [Java Web](#java-web)\n    - [Deserialization](#deserialization)\n    - [Struts2](#struts2)\n    - [Java Web Code Auditing](#java-web-code-auditing)\n    - [Other](#other-1)\n  
- [Python Web](#python-web)\n  - [Node.js](#nodejs)\n  - [WAF-Related](#waf-related)\n- [Penetration Testing](#penetration-testing)\n  - [Course](#course)\n  - [Information Gathering](#information-gathering)\n  - [Penetration](#penetration)\n  - [Penetration in Practice](#penetration-in-practice)\n  - [Privilege Escalation](#privilege-escalation)\n  - [Penetration Techniques](#penetration-techniques)\n  - [Operations](#operations)\n  - [DDoS](#ddos)\n- [CTF](#ctf)\n  - [Tips Summary](#tips-summary)\n- [Misc](#misc)\n\n# Web Security\n\n## SQL Injection\n\n### MySQL\n+ [MySQL false injection and technique summary](https://www.anquanke.com/post/id/86021)\n+ [MySQL injection attack and defense](https://www.anquanke.com/post/id/85936)\n+ [SQL injection study notes](https://mp.weixin.qq.com/s?__biz=MzI5MDQ2NjExOQ==\u0026mid=2247484372\u0026idx=1\u0026sn=ffcc51a88c9acf96c312421b75fc2a26\u0026chksm=ec1e33fcdb69baea53838fd545a236c0deb8a42f3b341ee0879c9e4ac9427c2147fab95b6669#rd)\n+ [Several approaches to SQL injection defense and bypass](https://www.anquanke.com/post/id/86005)\n+ [Obscure MySQL tricks](http://rcoil.me/2017/05/MySQL%E5%81%8F%E9%97%A8%E6%8A%80%E5%B7%A7/)\n+ [Dumping table, column and database names via MySQL error-based injection](http://www.wupco.cn/?p=4117)\n+ [Advanced SQL injection: obfuscation and bypass](http://www.cnblogs.com/croot/p/3450262.html)\n+ [MySQL constraint attack](https://ch1st.github.io/2017/10/19/Mysql%E7%BA%A6%E6%9D%9F%E6%94%BB%E5%87%BB/)\n+ [MySQL database penetration and exploitation summary](https://xianzhi.aliyun.com/forum/topic/1491/)\n+ [Practical MySQL WAF bypass techniques](http://www.freebuf.com/articles/web/155570.html)\n+ [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/)\n+ [Lesser-known SQL injection tricks](http://www.freebuf.com/articles/web/155876.html)\n+ [Three ways to speed up time-based blind injection in MySQL](https://www.ch1st.cn/?p=44)\n+ [Efficient time-based blind SQL injection using MySQL bitwise operators](https://xz.aliyun.com/t/3054)\n+ [MySQL UDF BackDoor](https://xz.aliyun.com/t/2365)\n+ [MySQL blind injection when parentheses are filtered](https://www.th1s.cn/index.php/2018/02/26/213.html)\n+ [SSRF To RCE in MySQL](http://docs.ioin.in/writeup/mp.weixin.qq.com/49ca504e-3b31-40ac-8591-f833086cb588/index.html)\n+ [A brief analysis of MySQL blind injection](http://rcoil.me/2017/11/MySQL-%E7%9B%B2%E6%B3%A8%E6%B5%85%E6%9E%90/)\n+ [MySQL character encoding exploitation tricks](https://www.leavesongs.com/PENETRATION/mysql-charset-trick.html)\n+ [MySQL Injection in Update, Insert and Delete](https://osandamalith.com/2017/02/08/mysql-injection-in-update-insert-and-delete/)\n\n### 
MSSQL\n+ [Getting a webshell from MSSQL DBA privileges](http://fuping.site/2017/05/16/MSSQL-DBA-Permission-GET-WEBSHELL/)\n+ [MSSQL injection attack and defense](https://www.anquanke.com/post/id/86011)\n+ [Analysis of CLR exploitation techniques in SQL Server](http://docs.ioin.in/writeup/cert.360.cn/_files_CLR_E5_9C_A8SQL_20Server_E4_B8_AD_E7_9A_84_E5_88_A9_E7_94_A8_E6_8A_80_E6_9C_AF_E5_88_86_E6_9E_90_pdf/index.pdf)\n+ [Two ways to execute commands and get output in MSSQL without xp_cmdshell](https://zhuanlan.zhihu.com/p/33322584)\n\n### PostgreSQL\n+ [PostgreSQL database exploitation methods](https://mp.weixin.qq.com/s?__biz=MzI5MDQ2NjExOQ==\u0026mid=2247484788\u0026idx=1\u0026sn=8a53b1c64d864cd01bab095d97a17715\u0026chksm=ec1e355cdb69bc4a2535bc1a053bfde3ec1838d03936ba8e44156818e91bbec9b5b04a744005#rd)\n+ [PostgreSQL penetration testing guide](https://www.anquanke.com/post/id/86468)\n+ [Getting a shell via PostgreSQL during penetration tests](http://www.jianfensec.com/postgresql_getshell.html)\n\n### MongoDB\n+ [Understand MongoDB attack and defense in ten minutes](http://www.freebuf.com/articles/database/148823.html)\n+ [MongoDB security: PHP injection detection](http://www.mottoin.com/94341.html)\n+ [Tech share: how to hack MongoDB?](https://www.freebuf.com/articles/network/101494.html)\n+ [MongoDB security: injection attacks in PHP](https://www.anquanke.com/post/id/84009)\n+ [Analysis of a MongoDB injection attack case](https://www.freebuf.com/articles/web/106085.html)\n\n### Techniques\n+ [My approach to WAF bypass (SQL injection)](https://xz.aliyun.com/t/368)\n+ [Bypassing 360 Host Guard SQL injection protection](http://www.cnblogs.com/xiaozi/p/7275134.html)\n+ [Notes on unusual SQL injection tricks](https://mp.weixin.qq.com/s/ORsciwsBGQJhFdKqceprSw)\n+ [Lessons learned about SQL injection in CTF competitions](http://www.freebuf.com/articles/web/137094.html)\n+ [How to bypass libinjection in WAF/NGWAF for SQL injection](http://bobao.360.cn/learning/detail/3855.html)\n+ [HackMe-SQL-Injection-Challenges](https://github.com/breakthenet/HackMe-SQL-Injection-Challenges)\n+ [Injection with WAF bypass](https://bbs.ichunqiu.com/thread-25397-1-1.html?from=sec)\n+ [Ideas for bypassing GET and POST injection defenses](https://bbs.ichunqiu.com/thread-16134-1-1.html?from=sec)\n+ [Standard approaches and odd tricks for SQL injection](https://mp.weixin.qq.com/s/hBkJ1M6LRgssNyQyati1ng)\n+ [Beyond SQLi: Obfuscate and Bypass](https://www.exploit-db.com/papers/17934/)\n+ 
[DNSlog in practice for SQL injection](https://www.anquanke.com/post/id/98096)\n+ [SQL injection: bypassing CSRF tokens with Python CGIHTTPServer](https://www.anquanke.com/post/id/87022)\n+ [Bypassing D-Shield IIS firewall SQL injection protection (multiple ways)](https://xz.aliyun.com/t/40)\n\n\n### Tools\n+ [How much do you know about sqlmap's built-in tampers?](https://mp.weixin.qq.com/s/vEEoMacmETUA4yZODY8xMQ)\n+ [Using sqlmap: built-in tamper bypass scripts](https://xz.aliyun.com/t/2746)\n+ [Using Burp macros and sqlmap to bypass CSRF protection for SQL injection](http://bobao.360.cn/learning/detail/3557.html)\n+ [sqlmap usage summary](http://www.zerokeeper.com/web-security/sqlmap-usage-summary.html)\n+ [Annotated sqlmap tamper scripts](http://www.lengbaikai.net/?p=110)\n+ [Second-order SQL injection with Burp and a custom sqlmap tamper](http://www.4hou.com/system/6945.html)\n+ [sqlmap JSON format detection](https://xz.aliyun.com/t/1091)\n+ [sqlmap usage manual notes (part 1)](https://xz.aliyun.com/t/3010)\n+ [sqlmap usage manual notes (part 2)](https://xz.aliyun.com/t/3011)\n\n## XSS\n+ [A discussion of same-origin policy attack and defense](https://www.anquanke.com/post/id/86078)\n+ [Revisiting the same-origin policy](https://lightless.me/archives/review-SOP.html)\n+ [Summary of cross-origin methods](https://xz.aliyun.com/t/224)\n+ [Front-end security series (1): how to prevent XSS attacks?](https://segmentfault.com/a/1190000016551188)\n+ [A brief discussion of cross-site scripting attack and defense](http://thief.one/2017/05/31/1/)\n+ [The art of XSS: introduction to cross-site scripting](http://www.fooying.com/the-art-of-xss-1-introduction/)\n+ [DOMXSS Wiki](https://github.com/wisec/domxsswiki/wiki)\n+ [XSS Bypass Cookbook](https://xz.aliyun.com/t/311)\n+ [Content Security Policy introductory tutorial](https://jaq.alibaba.com/community/art/show?spm=a313e.7916646.24000001.49.ZP8rXN\u0026articleid=518)\n+ [From Swiss army knife to Transformers: expanding the XSS attack surface](https://xz.aliyun.com/t/96)\n+ [Front-end defense from beginner to giving up: the evolution of CSP](https://paper.seebug.org/423/)\n+ [Some interesting ideas under strict CSP (34c3 CTF)](http://www.melodia.pw/?p=935)\n+ [Bypassing CSP using polyglot JPEGs](http://blog.portswigger.net/2016/12/bypassing-csp-using-polyglot-jpegs.html)\n+ [Bypass unsafe-inline mode CSP](http://paper.seebug.org/91/)\n+ [Chrome XSS Auditor – SVG Bypass](https://brutelogic.com.br/blog/chrome-xss-auditor-svg-bypass/)\n+ [Cross site scripting payload for fuzzing](https://xianzhi.aliyun.com/forum/read/1704.html)\n+ [XSS Without 
Dots](https://markitzeroday.com/character-restrictions/xss/2017/07/26/xss-without-dots.html)\n+ [Alternative to Javascript Pseudo-Protocol](http://brutelogic.com.br/blog/alternative-javascript-pseudo-protocol/)\n+ [Exploring unusual XSS exploitation](http://docs.ioin.in/writeup/wps2015.org/_2016_06_27__E4_B8_8D_E5_B8_B8_E8_A7_81_E7_9A_84xss_E5_88_A9_E7_94_A8_E6_8E_A2_E7_B4_A2_/index.html)\n+ [Alternative ways to play with XSS attacks](https://bbs.ichunqiu.com/thread-25578-1-1.html?from=sec)\n+ [XSS disguise: encoding and obfuscation bypasses, plus writing helper scripts](https://bbs.ichunqiu.com/thread-17500-1-1.html?from=sec)\n+ [Xssing Web With Unicodes](http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html)\n+ [Electron hack: cross-platform XSS](https://mp.weixin.qq.com/s?__biz=MzU2NjE2NjIxNg==\u0026mid=2247483756\u0026idx=1\u0026sn=96ae19e53426d5088718b6d37996e700\u0026source=41#wechat_redirect)\n+ [XSS without HTML: Client-Side Template Injection with AngularJS](http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html)\n+ [Modern Alchemy: Turning XSS into RCE](https://blog.doyensec.com/2017/08/03/electron-framework-security.html)\n+ [Xianzhi XSS challenge: L3m0n writeup](https://xz.aliyun.com/t/83)\n+ [SheepSec: 7 Reflected Cross-site Scripting (XSS) Examples](http://sheepsec.com/blog/7-reflected-xss.html)\n+ [Browser's XSS Filter Bypass Cheat Sheet](https://github.com/masatokinugawa/filterbypass/wiki/Browser's-XSS-Filter-Bypass-Cheat-Sheet)\n+ [Clever use of JavaScript to bypass XSS filters](https://www.anquanke.com/post/id/86849)\n\n## CSRF\n+ [Wiping Out CSRF](https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f)\n+ [CSRF attack and defense](https://www.cnblogs.com/phpstudy2015-6/p/6771239.html)\n+ [Explaining CSRF impact and defense with code](https://bbs.ichunqiu.com/thread-24127-1-1.html?from=sec)\n+ [Shortcomings of cookie-form CSRF defenses and some reflections](https://www.leavesongs.com/PENETRATION/think-about-cookie-form-csrf-protected.html)\n+ [Some thoughts on JSON CSRF](https://mp.weixin.qq.com/s?__biz=MzIzMTc1MjExOQ==\u0026mid=2247484126\u0026idx=1\u0026sn=f437882b19bed8d99d0a00938accc0c8\u0026chksm=e89e2a06dfe9a310506419467ada63bee80f10c32267d0b11ea7d1f5491c5afdb344c5dac74e\u0026mpshare=1\u0026scene=23\u0026srcid=0614BOCQBHPjaS2IOtADI3PP#rd)\n+ [Exploiting JSON Cross Site Request Forgery (CSRF) using Flash](http://www.geekboy.ninja/blog/exploiting-json-cross-site-request-forgery-csrf-using-flash/)\n+ [A brief discussion of session mechanics and CSRF attack and defense](https://mp.weixin.qq.com/s/aID_N9bgq91EM26qVSVBXw)\n+ [Fancy Referer bypass techniques for CSRF](https://www.ohlinge.cn/web/csrf_referer.html)\n+ [CSRF techniques from the major SRC programs](http://www.freebuf.com/column/151816.html)\n+ [White-hat bug hunting: cross-site request forgery (CSRF)](http://www.freebuf.com/column/153543.html)\n+ [Read-type CSRF: content hijacking that requires interaction](https://bbs.ichunqiu.com/thread-36314-1-1.html)\n\n## Other Front-End Security\n+ [The magic HTML tags that close first](https://mp.weixin.qq.com/s?__biz=MzA4MDA1NDE3Mw==\u0026mid=2647715481\u0026idx=1\u0026sn=a4d930d5a944a5a6c0361a3c6c57d3d5)\n+ [JavaScript Dangerous Functions (Part 1) - HTML Manipulation](http://blog.blueclosure.com/2017/09/javascript-dangerous-functions-part-1.html)\n+ [Expanding the attack surface of a Safari local file read vulnerability](http://www.wupco.cn/?p=4134)\n+ [Attacking ReactJS applications via script injection vulnerabilities](http://www.freebuf.com/articles/web/144988.html)\n+ [JSON hijacking techniques on the modern web](http://paper.seebug.org/130/?from=timeline\u0026isappinstalled=0)\n+ [Front-end code security as seen from WeChat mini programs](https://share.whuboy.com/weapp.html)\n\n\n## SSRF\n+ [SSRF (server-side request forgery) testing resources](https://paper.seebug.org/393/)\n+ [Build Your SSRF Exploit Framework SSRF](http://docs.ioin.in/writeup/fuzz.wuyun.org/_src_build_your_ssrf_exp_autowork_pdf/index.pdf)\n+ [SSRF attack case analysis](http://www.freebuf.com/articles/web/20407.html)\n+ [SSRF vulnerability analysis and exploitation](http://www.4o4notfound.org/index.php/archives/33/)\n+ [Experience hunting SSRF vulnerabilities](https://www.secpulse.com/archives/4747.html)\n+ [Exploiting and learning SSRF vulnerabilities](http://uknowsec.cn/posts/notes/SSRF%E6%BC%8F%E6%B4%9E%E7%9A%84%E5%88%A9%E7%94%A8%E4%B8%8E%E5%AD%A6%E4%B9%A0.html)\n+ [Summary of ways to bypass IP restrictions in SSRF](http://www.freebuf.com/articles/web/135342.html)\n+ [What is 
Server Side Request Forgery (SSRF)?](https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/)\n+ [Use DNS Rebinding to Bypass SSRF in Java](https://mp.weixin.qq.com/s?__biz=MzIzOTQ5NjUzOQ==\u0026mid=2247483742\u0026idx=1\u0026sn=e7265d5351a6d9ed30d90be1c17be041)\n+ [SSRF in JAVA](https://xz.aliyun.com/t/206)\n+ [Bypassing SSRF/proxy IP restrictions with DNS rebinding](http://www.mottoin.com/95734.html)\n+ [SSRF Tips](http://blog.safebuff.com/2016/07/03/SSRF-Tips/)\n+ [SSRF caused by SOAP](https://xz.aliyun.com/t/2960)\n+ [SSRF:CVE-2017-9993 FFmpeg + AVI + HLS](https://hackmd.io/p/H1B9zOg_W#)\n+ [SSRF attacks via request splitting](https://xz.aliyun.com/t/2894)\n+ [Translation of an SSRF attack paper](https://xz.aliyun.com/t/2421)\n+ [PHP SSRF Techniques How to bypass filter_var(), preg_match() and parse_url()](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)\n\n\n## XXE\n\n+ [A brief discussion of XXE attack and defense](http://thief.one/2017/06/20/1/)\n+ [XXE vulnerability analysis](http://www.4o4notfound.org/index.php/archives/29/)\n+ [XML entity injection attack and defense](http://www.hackersb.cn/hacker/211.html)\n+ [Exploiting and learning XML entity injection](http://uknowsec.cn/posts/notes/XML%E5%AE%9E%E4%BD%93%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E7%9A%84%E5%88%A9%E7%94%A8%E4%B8%8E%E5%AD%A6%E4%B9%A0.html)\n+ [XXE Injection: Attack and Prevent](http://le4f.net/post/xxe-injection-attack_and_prevent)\n+ [XXE (XML External Entity Injection) in practice](http://www.mottoin.com/101806.html)\n+ [Hunting in the dark: blind XXE](https://xianzhi.aliyun.com/forum/read/1837.html)\n+ [Hunting in the Dark - Blind XXE](https://blog.zsec.uk/blind-xxe-learning/)\n+ [XML External Entity vulnerability training module](https://www.sans.org/freading-room/whitepapers/application/hands-on-xml-external-entity-vulnerability-training-module-34397)\n+ [What comes to mind when XXE is mentioned](http://www.mottoin.com/88085.html)\n+ [A simple understanding and test of XXE](http://www.mottoin.com/92794.html)\n+ [My view on XXE attack and defense](http://bobao.360.cn/learning/detail/3841.html)\n+ [Some XXE exploitation tricks](http://www.91ri.org/17052.html)\n+ [The magic of Content-Type: XXE attacks in JSON](http://bobao.360.cn/learning/detail/360.html)\n+ [XXE-DTD Cheat 
Sheet](https://web-in-security.blogspot.jp/2016/03/xxe-cheat-sheet.html)\n+ [XML? Be cautious!](https://blog.pragmatists.com/xml-be-cautious-69a981fdc56a)\n+ [XSLT Server Side Injection Attacks](https://www.contextis.com/blog/xslt-server-side-injection-attacks)\n+ [Java XXE Vulnerability](https://joychou.org/web/java-xxe-vulnerability.html)\n+ [xml-attacks.md](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)\n\n## JSONP Injection\n+ [JSONP injection explained](http://www.freebuf.com/articles/web/126347.html)\n+ [JSONP security attack and defense techniques](http://blog.knownsec.com/2015/03/jsonp_security_technic/)\n+ [A small JSONP experiment and summary](http://www.cnblogs.com/vimsk/archive/2013/01/29/2877888.html)\n+ [Using JSONP to obtain information cross-origin](https://xianzhi.aliyun.com/forum/read/1571.html)\n+ [Some understanding of cross-origin requests and JSONP (for beginners)](https://segmentfault.com/a/1190000009577990)\n+ [Watering-hole attacks with JSONP hijacking: information hijacking](http://www.mottoin.com/article/web/88237.html)\n\n## SSTI\n+ [Jinja2 template injection filter bypasses](https://0day.work/jinja2-template-injection-filter-bypasses/)\n+ [Random notes on Flask injection](http://www.freebuf.com/articles/web/88768.html)\n+ [A brief analysis of server-side template injection (SSTI)](http://www.freebuf.com/vuls/83999.html)\n+ [Exploring SSTI in Flask/Jinja2](https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2/)\n+ [Server-side injection issues encountered in Flask/Jinja2 development](http://www.freebuf.com/articles/web/136118.html)\n+ [Server-side injection issues encountered in Flask/Jinja2 development II](http://www.freebuf.com/articles/web/136180.html)\n+ [Exploring SSTI in Flask/Jinja2, Part II](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)\n+ [Injecting Flask](https://nvisium.com/blog/2015/12/07/injecting-flask/)\n+ [Server-Side Template Injection: RCE for the modern webapp](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)\n+ [Exploiting Python Code Injection in Web Applications](https://sethsec.blogspot.jp/2016/11/exploiting-python-code-injection-in-web.html)\n+ [Using Python features to execute arbitrary code in Jinja2 templates](http://rickgray.me/2016/02/24/use-python-features-to-execute-arbitrary-codes-in-jinja2-templates/)\n+ [Python template strings and template injection](https://virusdefender.net/index.php/archives/761/)\n+ [Ruby ERB Template Injection](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)\n+ [Server-side template injection attacks](https://zhuanlan.zhihu.com/p/28823933)\n\n## Code Execution / Command Execution\n+ [PHP arbitrary code execution and defense, seen from PHP internals and extension development](https://blog.zsxsoft.com/post/30)\n+ [Command Injection/Shell Injection](https://www.exploit-db.com/docs/42593.pdf)\n+ [PHP Code Injection Analysis](http://www.polaris-lab.com/index.php/archives/254/)\n+ [Using the LD_PRELOAD environment variable to bypass PHP disable_functions and execute system commands](http://doc.ph0en1x.com/wooyun_drops/%E5%88%A9%E7%94%A8%E7%8E%AF%E5%A2%83%E5%8F%98%E9%87%8FLD_PRELOAD%E6%9D%A5%E7%BB%95%E8%BF%87php%20disable_function%E6%89%A7%E8%A1%8C%E7%B3%BB%E7%BB%9F%E5%91%BD%E4%BB%A4.html)\n+ [Hack PHP mail additional_parameters](http://blog.nsfocus.net/hack-php-mail-additional_parameters/)\n+ [Detailed analysis of PHP mail() function exploitation techniques](https://www.anquanke.com/post/id/86028)\n+ [Disasters caused by improper use of mail() in PHP application development](https://www.anquanke.com/post/id/86015)\n+ [Time-based feedback for RCE](http://www.mottoin.com/article/web/97678.html)\n+ [System command execution caused by improper regular expression use](https://www.anquanke.com/post/id/85698)\n+ [Breaking length limits in command injection](http://www.freebuf.com/articles/web/154453.html)\n\n## File Inclusion\n+ [PHP file inclusion vulnerabilities](https://chybeta.github.io/2017/10/08/php%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E6%BC%8F%E6%B4%9E/)\n+ [Turning LFI into RFI](https://l.avala.mp/?p=241)\n+ [Summary of PHP file inclusion vulnerabilities](http://wooyun.jozxing.cc/static/drops/tips-3827.html)\n+ [Common file inclusion scenarios and defenses](https://www.anquanke.com/post/id/86123)\n+ [File inclusion via the zip or phar wrappers](https://bl4ck.in/tricks/2015/06/10/zip%E6%88%96phar%E5%8D%8F%E8%AE%AE%E5%8C%85%E5%90%AB%E6%96%87%E4%BB%B6.html)\n+ [File inclusion vulnerabilities (1)](http://drops.blbana.cc/2016/08/12/e6-96-87-e4-bb-b6-e5-8c-85-e5-90-ab-e6-bc-8f-e6-b4-9e/)\n+ [File inclusion vulnerabilities (2)](http://drops.blbana.cc/2016/12/03/e6-96-87-e4-bb-b6-e5-8c-85-e5-90-ab-e6-bc-8f-e6-b4-9e-ef-bc-88-e4-ba-8c-ef-bc-89/)\n\n\n## File Upload / Parsing Vulnerabilities\n+ 
[Upload-labs walkthrough](https://xz.aliyun.com/t/2435)\n+ [File upload and WAF: attack and defense](https://www.secfree.com/article-585.html)\n+ [My approach to WAF bypass (upload)](https://xz.aliyun.com/t/337)\n+ [File upload vulnerabilities (bypass techniques)](http://thief.one/2016/09/22/%E4%B8%8A%E4%BC%A0%E6%9C%A8%E9%A9%AC%E5%A7%BF%E5%8A%BF%E6%B1%87%E6%80%BB-%E6%AC%A2%E8%BF%8E%E8%A1%A5%E5%85%85/)\n+ [Server parsing vulnerabilities](http://thief.one/2016/09/21/%E6%9C%8D%E5%8A%A1%E5%99%A8%E8%A7%A3%E6%9E%90%E6%BC%8F%E6%B4%9E/)\n+ [File upload summary](https://masterxsec.github.io/2017/04/26/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%80%BB%E7%BB%93/)\n+ [Code auditing: finding logic flaws in upload handling](http://wooyun.jozxing.cc/static/drops/papers-1957.html)\n+ [Penetration testing methodology: file upload](https://bbs.ichunqiu.com/thread-23193-1-1.html?from=sec)\n+ [Some exploration of filename parsing](https://landgrey.me/filetype-parsing-attack/)\n+ [Web security: upload vulnerability bypasses](http://www.freebuf.com/column/161357.html)\n+ [Upload WAF bypass](http://docs.ioin.in/writeup/www.am0s.com/_jchw_376_html/index.html)\n\n## Logic Vulnerabilities\n+ [Code auditing: finding logic flaws in upload handling](http://wooyun.jozxing.cc/static/drops/papers-1957.html)\n+ [Logic above all: all kinds of cool tricks](https://www.anquanke.com/post/id/85947)\n+ [Common logic vulnerabilities in web security testing (hands-on)](http://www.freebuf.com/vuls/112339.html)\n+ [Logic vulnerabilities: password reset](https://mp.weixin.qq.com/s/Lynmqd_ieEoNJ3mmyv9eQQ)\n+ [Logic vulnerabilities: payment flaws](https://mp.weixin.qq.com/s/w22omfxO8vU6XzixXWmBxg)\n+ [Logic vulnerabilities: broken access control](https://mp.weixin.qq.com/s/ChiXtcrEyQeLkGOkm4PTog)\n+ [Summary of password recovery logic flaws](http://wooyun.jozxing.cc/static/drops/web-5048.html)\n+ [Analysis of some common password reset vulnerabilities](http://wooyun.jozxing.cc/static/drops/papers-2035.html)\n+ [A small summary of password logic flaws](http://docs.ioin.in/writeup/blog.heysec.org/_archives_643/index.html)\n+ [Bug hunting: finding logic vulnerabilities](https://bbs.ichunqiu.com/thread-21161-1-1.html)\n+ [tom0li: logic vulnerability summary](https://tom0li.github.io/%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E%E5%B0%8F%E7%BB%93/)\n\n## Unauthorized Access / Information Disclosure\n+ [Tips on unauthorized access](https://xz.aliyun.com/t/2320)\n+ [Summary of unauthorized access vulnerabilities](https://www.secpulse.com/archives/61101.html)\n+ [Detecting and exploiting unauthorized access vulnerabilities](https://thief.one/2017/12/08/1/)\n+ [Summary of common web source code leaks](http://www.mottoin.com/95749.html)\n+ 
[Bug hunting tips: a summary of information disclosure](https://www.anquanke.com/post/id/94787)\n\n### Redis\n+ [Writing a webshell via Redis](https://www.leavesongs.com/PENETRATION/write-webshell-via-redis-server.html)\n+ [Analysis of exploiting unauthenticated Redis access with SSH key files](http://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/)\n+ [Summary of exploiting unauthenticated Redis access](https://xianzhi.aliyun.com/forum/read/750.html)\n+ [Incident response: unauthenticated Redis access leading to remotely implanted mining scripts (defense)](https://mp.weixin.qq.com/s/eUTZsGUGSO0AeBUaxq4Q2w)\n\n## RPO (Relative Path Overwrite)\n+ [In-depth analysis of RPO vulnerabilities](https://xz.aliyun.com/t/2220)\n+ [A first look at Relative Path Overwrite](https://xz.aliyun.com/t/193)\n+ [Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities](http://blog.portswigger.net/2015/02/prssi.html)\n+ [RPO](http://www.thespanner.co.uk/2014/03/21/rpo/)\n+ [A few RPO exploitation techniques](http://www.mbsd.jp/Whitepaper/rpo.pdf)\n+ [A new web attack technique: a first look at RPO attacks](https://mp.weixin.qq.com/s/P-ncFmNZfBteJBQr8INzsw)\n+ [RPO Gadgets](https://blog.innerht.ml/rpo-gadgets/)\n\n## Web Cache\n+ [A brief analysis of web cache deception attacks](https://www.anquanke.com/post/id/86049)\n+ [Practical Web Cache Poisoning](https://portswigger.net/blog/practical-web-cache-poisoning)\n+ [Web cache poisoning in practice](https://xz.aliyun.com/t/2585)\n+ [WEB CACHE DECEPTION ATTACK](https://drive.google.com/file/d/0BxuNjp5J7XUIdkotUm5Jem5IZUk/view)\n+ [Web cache deception attacks explained](https://www.anquanke.com/post/id/86516)\n\n\n## PHP-Related\n### Weak Typing\n+ [From weak typing and object injection to SQL injection](https://www.anquanke.com/post/id/85455)\n+ [Security issues with the == operator in PHP](http://bobao.360.cn/learning/detail/2924.html)\n+ [Summary of PHP weak typing security issues](http://blog.spoock.com/2016/06/25/weakly-typed-security/)\n+ [A brief discussion of PHP weak typing security](http://wooyun.jozxing.cc/static/drops/tips-4483.html)\n+ [Security issues with PHP comparison operators](http://wooyun.jozxing.cc/static/drops/tips-7679.html)\n\n### Random Number Issues\n+ [PHP mt_rand() random number security](https://mp.weixin.qq.com/s/3TgBKXHw3MC61qIYELanJg)\n+ [Cracking PHP rand()](http://www.sjoerdlangkemper.nl/2016/02/11/cracking-php-rand/)\n+ [Random numbers in PHP](http://5alt.me/2017/06/php%E9%87%8C%E7%9A%84%E9%9A%8F%E6%9C%BA%E6%95%B0/)\n+ 
[php_mt_seed - PHP mt_rand() seed cracker](http://www.openwall.com/php_mt_seed/)\n+ [The GLIBC random number generator](http://www.mscs.dal.ca/~selinger/random/)\n+ [A pseudo-random number CTF challenge](https://github.com/wonderkun/CTF_web/blob/master/web500-2/writeup.pdf)\n\n### Pseudo-Protocols\n+ [On the clever uses of php://filter](https://www.leavesongs.com/PENETRATION/php-filter-magic.html)\n+ [PHP pseudo-protocols](http://lorexxar.cn/2016/09/14/php-wei/)\n+ [Expanding the attack surface with the Gopher protocol](https://blog.chaitin.cn/gopher-attack-surfaces/)\n+ [PHP pseudo-protocols: the phar wrapper (bypassing inclusion filters)](https://www.bodkin.ren/?p=902)\n+ [PHP pseudo-protocol analysis and application](http://www.4o4notfound.org/index.php/archives/31/)\n+ [Learning LFI, RFI and PHP wrapper security issues](http://www.cnblogs.com/LittleHann/p/3665062.html)\n\n### Serialization\n+ [PHP deserialization vulnerabilities](http://bobao.360.cn/learning/detail/4122.html)\n+ [A brief discussion of PHP deserialization vulnerabilities](https://chybeta.github.io/2017/06/17/%E6%B5%85%E8%B0%88php%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/)\n+ [Causes of PHP deserialization vulnerabilities, hunting techniques and case studies](http://bobao.360.cn/learning/detail/3193.html)\n\n### PHP mail header injection\n+ [What is Email Header Injection?](https://www.acunetix.com/blog/articles/email-header-injection/)\n+ [PHP Email Injection Example](http://resources.infosecinstitute.com/email-injection/)\n\n### Other\n+ [Summary of PHP shell bypass ideas](https://www.inksec.cn/2017/11/06/bypass_shell_4/)\n+ [Decrypt PHP's eval based encryption with debugger](https://mp.weixin.qq.com/s?__biz=MzIxNjU3ODMyOQ==\u0026mid=2247483693\u0026idx=1\u0026sn=ed49fc13d8e09f12d87675adff18919f)\n+ [Upgrade from LFI to RCE via PHP Sessions](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/)\n+ [Xdebug: A Tiny Attack Surface](https://ricterz.me/posts/Xdebug%3A%20A%20Tiny%20Attack%20Surface)\n+ [Exploitable PHP functions](https://stackoverflow.com/questions/3115559/exploitable-php-functions)\n+ [PHP format string issues, starting from a WordPress SQLi](https://paper.seebug.org/386/)\n+ [Some black magic between PHP, Apache2 and the operating system](http://wonderkun.cc/index.html/?p=626)\n+ 
[Writing exploits for PHP memory corruption bugs and bypassing disabled functions](http://blog.th3s3v3n.xyz/2016/05/01/bin/2016-5-1-php%E5%86%85%E5%AD%98%E7%A0%B4%E5%9D%8F%E6%BC%8F%E6%B4%9Eexp%E7%BC%96%E5%86%99%E5%92%8C%E7%A6%81%E7%94%A8%E5%87%BD%E6%95%B0%E7%BB%95%E8%BF%87/)\n+ [Digging up PHP disabled-function bypass techniques](http://blog.th3s3v3n.xyz/2016/11/20/web/%E6%8C%96%E6%8E%98PHP%E7%A6%81%E7%94%A8%E5%87%BD%E6%95%B0%E7%BB%95%E8%BF%87%E5%88%A9%E7%94%A8%E5%A7%BF%E5%8A%BF/)\n+ [A PHP backdoor built from a .user.ini file](http://wooyun.jozxing.cc/static/drops/tips-3424.html)\n\n\n### PHP Code Auditing\n+ [PHP vulnerability hunting: advanced](http://blog.nsfocus.net/php-vulnerability-mining/)\n+ [On common PHP vulnerabilities](http://wooyun.jozxing.cc/static/drops/papers-4544.html)\n+ [Hands-on introduction to code auditing: auditing the latest version of a blog system](http://www.freebuf.com/articles/rookie/143554.html)\n+ [PHP code auditing techniques in CTF](http://www.am0s.com/ctf/200.html)\n+ [PHP code auditing tips](http://docs.ioin.in/writeup/www.91ri.org/_15074_html/index.html)\n+ [Code auditing: search techniques for file access control and file upload flaws](http://docs.ioin.in/writeup/blog.heysec.org/_archives_170/index.html)\n+ [PHP code auditing starter collection](http://wiki.ioin.in/post/group/6Rb)\n+ [Learning PHP code auditing](http://phantom0301.cc/2017/06/06/codeaudit/)\n+ [PHP vulnerability hunting approaches and examples](http://wooyun.jozxing.cc/static/drops/tips-838.html)\n+ [PHP vulnerability hunting approaches and examples, chapter 2](http://wooyun.jozxing.cc/static/drops/tips-858.html)\n+ [PHP code auditing notes (1)](https://www.chery666.cn/blog/2017/12/11/Code-audit.html)\n+ [2018 PHP application security design guide](https://laravel-china.org/articles/7235/2018-php-application-security-design)\n\n## Java Web\n### Deserialization\n+ [The sorrow of Java JSON deserialization (Pediy Security Developer Summit)](https://github.com/shengqi158/fastjson-remote-code-execute-poc/blob/master/Java_JSON%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B9%8B%E6%AE%87_%E7%9C%8B%E9%9B%AA%E5%AE%89%E5%85%A8%E5%BC%80%E5%8F%91%E8%80%85%E5%B3%B0%E4%BC%9A.pdf)\n+ [Java deserialization vulnerabilities seen through the construction of reflection chains](http://www.freebuf.com/news/150872.html)\n+ [Java deserialization vulnerabilities from understanding to practice](http://bobao.360.cn/learning/detail/4474.html)\n+ [Java serialization and deserialization security analysis 
](http://mp.weixin.qq.com/s?__biz=MzI5ODE0ODA5MQ==\u0026mid=2652278247\u0026idx=1\u0026sn=044893b732e4ffa267b00ffe1d9e4727\u0026chksm=f7486473c03fed6525f0a869cbc4ddc03051cda92bb946377c4d831054954159542350768cf3\u0026mpshare=1\u0026scene=23\u0026srcid=0919MUXFBglgDUEtLOha0wbo#rd)\n+ [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet)\n+ [How to attack Java deserialization](http://bobao.360.cn/learning/detail/4267.html)\n+ [Understanding Java deserialization vulnerabilities in depth](https://www.vulbox.com/knowledge/detail/?id=11)\n+ [Attacking Java Deserialization](https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/)\n+ [Detailed analysis of Jackson deserialization](http://bobao.360.cn/learning/detail/4118.html)\n+ [Java security: deserialization vulnerability analysis](https://mp.weixin.qq.com/s?__biz=MzIzMzgxOTQ5NA==\u0026mid=2247484200\u0026idx=1\u0026sn=8f3201f44e6374d65589d00d91f7148e)\n+ [fastjson deserialization vulnerability PoC analysis](https://mp.weixin.qq.com/s/0a5krhX-V_yCkz-zDN5kGg)\n+ [Learning the Apache Commons Collections deserialization vulnerability](http://pirogue.org/2017/12/22/javaSerialKiller/)\n\n### Struts2\n+ [Struts2 command execution series review](http://www.zerokeeper.com/vul-analysis/struts2-command-execution-series-review.html)\n\n### Java Web Code Auditing\n+ [Some Java code auditing tips (with scripts)](https://xianzhi.aliyun.com/forum/topic/1633/)\n+ [Java code auditing series: SQL injection](https://bbs.ichunqiu.com/forum.php?mod=viewthread\u0026tid=22170\u0026highlight=Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%BF%9E%E8%BD%BD)\n+ [Java code auditing series: arbitrary file download](https://bbs.ichunqiu.com/forum.php?mod=viewthread\u0026tid=23587\u0026highlight=Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%BF%9E%E8%BD%BD)\n+ [Java code auditing series: XSS](https://bbs.ichunqiu.com/forum.php?mod=viewthread\u0026tid=22875\u0026highlight=Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%BF%9E%E8%BD%BD)\n+ [Java code auditing series: miscellaneous extras](https://bbs.ichunqiu.com/forum.php?mod=viewthread\u0026tid=25475\u0026highlight=Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%BF%9E%E8%BD%BD)\n+ 
[JAVA安全编码与代码审计.md (Java secure coding and code auditing)](https://github.com/Cryin/JavaID/blob/master/JAVA%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E4%B8%8E%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md)\n+ [Java code auditing slides](https://xianzhi.aliyun.com/forum/read/1904.html)\n\n### Other\n\n+ [On JNDI injection](http://bobao.360.cn/learning/detail/4564.html)\n+ [Progressively widening the attack surface in Java audits](https://mp.weixin.qq.com/s/WT1EXEryUGGqHQpSi959xw)\n+ [SQL injection from a Java perspective](https://mp.weixin.qq.com/s?__biz=MzIzMzgxOTQ5NA==\u0026mid=2247483954\u0026idx=1\u0026sn=418b7e55b16c717ee5140af990298e22\u0026chksm=e8fe9e3bdf89172d0670690060944bf2434cc2d2e8fba4477711299a0775cf3735a2022c0778#rd)\n+ [An in-depth Java perspective on the elusive thief: XSS](http://mp.weixin.qq.com/s?__biz=MzIzMzgxOTQ5NA==\u0026mid=100000340\u0026idx=1\u0026sn=6ca4ec15ef6338daf1d4a907351d7c08\u0026chksm=68fe9e5d5f89174b44fd0cae2e3d5c0018859d3d1dc6d60a2e16dcde34499ba224d6ea17a982#rd)\n+ [Is your Java web configuration secure?](https://mp.weixin.qq.com/s?__biz=MzIzMzgxOTQ5NA==\u0026mid=100000318\u0026idx=1\u0026sn=9011af3e3968e0d87499605ef1a68291\u0026chksm=68fe9e375f8917213297855bd9e1ab1203ae4c9b0b5ca351de7b2c0f7a7799bd1f4843cd13f4#rd)\n+ [Spring arbitrary file read](https://github.com/ilmila/springcss-cve-2014-3625/tree/master/src)\n+ [Several ways to execute arbitrary shell commands via Runtime.getRuntime().exec(String cmd)](https://mp.weixin.qq.com/s/zCe_O37rdRqgN-Yvlq1FDg)\n\n## Python Web\n+ [Python web security summary](http://bobao.360.cn/learning/detail/4522.html)\n+ [Defencely Clarifies Python Object Injection Exploitation](http://defencely.com/blog/defencely-clarifies-python-object-injection-exploitation/)\n+ [Exploiting Python Deserialization Vulnerabilities](https://crowdshield.com/blog.php?name=exploiting-python-deserialization-vulnerabilities)\n+ [Explaining and exploiting deserialization vulnerability with Python(EN)](https://dan.lousqui.fr/explaining-and-exploiting-deserialization-vulnerability-with-python-en.html)\n+ [Python PyYAML deserialization vulnerability lab and payload construction](http://www.polaris-lab.com/index.php/archives/375/)\n+ [Python 
format string vulnerabilities (Django as the example)](https://www.leavesongs.com/PENETRATION/python-string-format-vulnerability.html)\n+ [format injection](http://www.venenof.com/index.php/archives/360/)\n+ [Be Careful with Python's New-Style String Format](http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/)\n+ [Python urllib HTTP header injection vulnerability](http://www.tuicool.com/articles/2iIj2eR)\n+ [Hack Redis via Python urllib HTTP Header Injection](https://security.tencent.com/index.php/blog/msg/106)\n+ [Some bypass ideas for Python WAF blacklist filtering](http://www.0aa.me/index.php/archives/123/)\n+ [N ways to escape a Python sandbox](https://mp.weixin.qq.com/s/PLI-yjqmA3gwk5w3KHzOyA)\n+ [Python sandbox escape via memory corruption](https://mp.weixin.qq.com/s/s9fAskmp4Bb42OYsiQJFaw)\n+ [Python Sandbox Bypass](https://mp.weixin.qq.com/s?__biz=MzIzOTQ5NjUzOQ==\u0026mid=2247483665\u0026idx=1\u0026sn=4b18de09738fdc5291634db1ca2dd55a)\n+ [pyt: a static source-code analysis tool for Python applications](https://github.com/python-security/pyt)\n+ [Exploiting Python PIL Module Command Execution Vulnerability](http://docs.ioin.in/writeup/github.com/_neargle_PIL_RCE_By_GhostButt/index.html)\n+ [The sins of file extraction: code execution in Python](http://bobao.360.cn/learning/detail/4503.html)\n\n## Node.js\n+ [A brief discussion of Node.js web security issues](http://www.freebuf.com/articles/web/152891.html)\n+ [node.js + postgres: from injection to getshell](https://www.leavesongs.com/PENETRATION/node-postgres-code-execution-vulnerability.html)\n+ [Pentesting Node.js Application : Nodejs Application Security (requires a proxy from mainland China)](http://www.websecgeeks.com/2017/04/pentesting-nodejs-application-nodejs.html)\n+ [Learning to pentest Node.js applications from scratch](https://bbs.ichunqiu.com/thread-21810-1-1.html?from=sec)\n+ [The curious Node.js “bug” with URLs containing spaces: a small deep dive into the HTTP protocol](https://segmentfault.com/a/1190000012407268)\n\n## WAF-Related\n+ [A detailed discussion of WAFs and static analysis](http://bobao.360.cn/learning/detail/4670.html)\n+ [An excellent payload and bypass collection](https://github.com/swisskyrepo/PayloadsAllTheThings)\n+ [WAF bypass reference material](http://www.mottoin.com/100887.html)\n+ [A brief discussion of WAF bypass techniques](http://www.freebuf.com/articles/web/136723.html)\n+ 
[addslashes防注入的绕过案例](https://xianzhi.aliyun.com/forum/read/753.html?fpage=6)\n+ [浅谈json参数解析对waf绕过的影响](https://xianzhi.aliyun.com/forum/read/553.html?fpage=8)\n+ [WAF攻防研究之四个层次Bypass WAF](http://weibo.com/ttarticle/p/show?id=2309404007261092631700)\n+ [使用HTTP头去绕过WAF ](http://www.sohu.com/a/110066439_468673)\n+ [会找漏洞的时光机: Pinpointing Vulnerabilities](https://www.inforsec.org/wp/?p=1993)\n\n\n\n\n# 渗透测试\n## Course\n+ [Web Service 渗透测试从入门到精通](http://bobao.360.cn/learning/detail/3741.html)\n+ [渗透标准](https://www.processon.com/view/583e8834e4b08e31357bb727)\n+ [Penetration Testing Tools Cheat Sheet](https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/)\n\n## 信息收集\n+ [看我如何收集全网IP的whois信息 ](https://mp.weixin.qq.com/s/qz0b42DKhgo1sfitcUKhtQ)\n+ [浅谈Web渗透测试中的信息收集 ](http://www.freebuf.com/articles/web/142767.html)\n+ [渗透测试教程：如何侦查目标以及收集信息？](http://www.4hou.com/penetration/6850.html)\n+ [本屌的web漏洞扫描器思路 技巧总结（域名信息收集篇）](weibo.com/ttarticle/p/show?id=2309404088584863883789)\n+ [子域名的艺术](http://www.91ri.org/17001.html)\n+ [渗透测试向导之子域名枚举技术](http://www.freebuf.com/articles/network/161046.html)\n+ [实例演示如何科学的进行子域名收集](http://bobao.360.cn/learning/detail/4119.html)\n+ [【渗透神器系列】搜索引擎 ](http://thief.one/2017/05/19/1/)\n+ [域渗透基础简单信息收集（基础篇）](https://xianzhi.aliyun.com/forum/read/805.html)\n+ [内网渗透定位技术总结](http://docs.ioin.in/writeup/www.mottoin.com/_92978_html/index.html)\n+ [后渗透攻防的信息收集](https://www.secpulse.com/archives/51527.html)\n+ [安全攻城师系列文章－敏感信息收集](http://www.mottoin.com/99951.html)\n+ [子域名枚举的艺术](http://www.mottoin.com/101362.html)\n+ [论二级域名收集的各种姿势](https://mp.weixin.qq.com/s/ardCYdZzaSjvSIZiFraWGA)\n+ [我眼中的渗透测试信息搜集](https://xianzhi.aliyun.com/forum/read/451.html?fpage=2)\n+ [大型目标渗透－01入侵信息搜集](https://xianzhi.aliyun.com/forum/read/1675.html)\n+ [乙方渗透测试之信息收集](http://www.cnnetarmy.com/%E4%B9%99%E6%96%B9%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B9%8B%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/)\n+ [挖洞技巧：信息泄露之总结](https://www.anquanke.com/post/id/94787)\n\n## 渗透\n+ [【玩转Linux系统】Linux内网渗透 
](https://mp.weixin.qq.com/s/VJBnXq3--0HBD7eVeifOKA)\n+ [渗透测试指南之域用户组的范围](http://www.4hou.com/penetration/7016.html)\n+ [内网主机发现技巧补充](http://mp.weixin.qq.com/s/l-Avt72ajCIo5GdMEwVx7A)\n+ [Linux 端口转发特征总结 ](https://mp.weixin.qq.com/s?__biz=MzA3Mzk1MDk1NA==\u0026mid=2651903919\u0026idx=1\u0026sn=686cc53137aa9e8ec323dda1e54a2c23)\n+ [内网渗透（持续更新） ](http://rcoil.me/2017/06/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F/)\n+ [实战 SSH 端口转发](https://www.ibm.com/developerworks/cn/linux/l-cn-sshforward/index.html)\n+ [多重转发渗透隐藏内网](http://bobao.360.cn/learning/detail/3545.html)\n+ [内网转发姿势](http://www.03sec.com/3141.shtml)\n+ [内网转发的工具](https://mp.weixin.qq.com/s/EWL9-AUB_bTf7pU4S4A2zg)\n+ [Linux 下多种反弹 shell 方法](http://www.03sec.com/3140.shtml)\n+ [linux各种一句话反弹shell总结](http://bobao.360.cn/learning/detail/4551.html)\n+ [php 反弹shell](http://wolvez.club/?p=458)\n+ [利用ew轻松穿透多级目标内网](https://klionsec.github.io/2017/08/05/ew-tunnel/)\n+ [windows内网渗透杂谈](https://bl4ck.in/penetration/2017/03/20/windows%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%E6%9D%82%E8%B0%88.html)\n+ [Windows域横向渗透](http://docs.ioin.in/writeup/www.mottoin.com/_89413_html/index.html)\n+ [内网渗透中转发工具总结](http://blog.neargle.com/SecNewsBak/drops/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%E4%B8%AD%E8%BD%AC%E5%8F%91%E5%B7%A5%E5%85%B7%E6%80%BB%E7%BB%93.html)\n+ [内网渗透思路整理与工具使用](http://bobao.360.cn/learning/detail/3683.html)\n+ [Cobalt strike在内网渗透中的使用 ](http://www.freebuf.com/sectool/125237.html)\n+ [反向socks5代理(windows版)](http://x95.org/archives/reverse-socks5-proxy.html)\n+ [Windows渗透基础](http://www.mottoin.com/89355.html)\n+ [通过双重跳板漫游隔离内网](https://xianzhi.aliyun.com/forum/read/768.html)\n+ [A Red Teamer's guide to pivoting](https://artkond.com/2017/03/23/pivoting-guide/)\n+ [穿越边界的姿势 ](https://mp.weixin.qq.com/s/l-0sWU4ijMOQWqRgsWcNFA)\n+ [内网端口转发及穿透](https://xianzhi.aliyun.com/forum/read/1715.html)\n+ [秘密渗透内网——利用 DNS 建立 VPN 传输隧道](http://www.4hou.com/technology/3143.html)\n+ [Reverse Shell Cheat 
Sheet](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)\n+ [我所了解的内网渗透——内网渗透知识大总结](https://www.anquanke.com/post/id/92646)\n\n## 渗透实战\n+ [挖洞经验 | 看我如何综合利用4个漏洞实现GitHub Enterprise远程代码执行 ](http://www.freebuf.com/news/142680.html)\n+ [Splash SSRF到获取内网服务器ROOT权限](http://bobao.360.cn/learning/detail/4113.html)\n+ [Pivoting from blind SSRF to RCE with HashiCorp Consul](http://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html)\n+ [我是如何通过命令执行到最终获取内网Root权限的 ](http://www.freebuf.com/articles/web/141579.html)\n+ [信息收集之SVN源代码社工获取及渗透实战](https://xianzhi.aliyun.com/forum/read/1629.html)\n+ [SQL注入+XXE+文件遍历漏洞组合拳渗透Deutsche Telekom](http://paper.seebug.org/256/)\n+ [渗透 Hacking Team](http://blog.neargle.com/SecNewsBak/drops/%E6%B8%97%E9%80%8FHacking%20Team%E8%BF%87%E7%A8%8B.html)\n+ [由视频系统SQL注入到服务器权限](https://bbs.ichunqiu.com/thread-25827-1-1.html?from=sec)\n+ [From Serialized to Shell :: Exploiting Google Web Toolkit with EL Injection](http://srcincite.io/blog/2017/05/22/from-serialized-to-shell-auditing-google-web-toolkit-with-el-injection.html)\n+ [浅谈渗透测试实战](http://docs.ioin.in/writeup/avfisher.win/_archives_381/index.html)\n+ [渗透测试学习笔记之案例一](http://avfisher.win/archives/741)\n+ [渗透测试学习笔记之案例二](http://avfisher.win/archives/756)\n+ [渗透测试学习笔记之案例四](http://avfisher.win/archives/784)\n+ [记一次内网渗透](http://killbit.me/2017/09/11/%E8%AE%B0%E4%B8%80%E6%AC%A1%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F/)\n\n## 提权\n+ [提权技巧](http://www.secbox.cn/skill/5583.html)\n+ [linux-kernel-exploits Linux平台提权漏洞集合](https://github.com/SecWiki/linux-kernel-exploits)\n+ [windows-kernel-exploits Windows平台提权漏洞集合 ](https://github.com/SecWiki/windows-kernel-exploits)\n+ [Linux MySQL Udf 提权](http://www.91ri.org/16540.html)\n+ [windows提权系列上篇](http://mp.weixin.qq.com/s/uOArxXIfcI4fjqnF9BDJGA)\n+ [Windows提权系列中篇](https://mp.weixin.qq.com/s/ERXOLhWo0-lJbMV143I8hA)\n+ [获取SYSTEM权限的多种姿势](http://bobao.360.cn/learning/detail/4740.html)\n\n## 渗透技巧\n+ 
[乙方渗透测试之Fuzz爆破](http://www.cnnetarmy.com/%E4%B9%99%E6%96%B9%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B9%8BFuzz%E7%88%86%E7%A0%B4/)\n+ [域渗透神器Empire安装和简单使用 ](https://mp.weixin.qq.com/s/VqrUTW9z-yi3LqNNy-lE-Q)\n+ [如何将简单的Shell转换成为完全交互式的TTY ](http://www.freebuf.com/news/142195.html)\n+ [60字节 - 无文件渗透测试实验](https://www.n0tr00t.com/2017/03/09/penetration-test-without-file.html)\n+ [内网渗透思路探索之新思路的探索与验证](http://www.tuicool.com/articles/fMFB3mY)\n+ [Web端口复用正向后门研究实现与防御 ](http://www.freebuf.com/articles/web/142628.html)\n+ [谈谈端口探测的经验与原理](http://www.freebuf.com/articles/network/146087.html)\n+ [端口渗透总结](http://docs.ioin.in/writeup/blog.heysec.org/_archives_577/index.html)\n+ [端口扫描那些事](https://mp.weixin.qq.com/s?__biz=MzI5MDQ2NjExOQ==\u0026mid=2247484812\u0026idx=1\u0026sn=7d894b50b3947142fbfa3a4016f748d5\u0026chksm=ec1e35a4db69bcb2acfe7ecb3b0cd1d366c54bfa1feaafc62c4290b3fd2eddab9aa95a98f041#rd)\n+ [渗透技巧——通过cmd上传文件的N种方法 ](http://blog.neargle.com/SecNewsBak/drops/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7%E2%80%94%E2%80%94%E9%80%9A%E8%BF%87cmd%E4%B8%8A%E4%BC%A0%E6%96%87%E4%BB%B6%E7%9A%84N%E7%A7%8D%E6%96%B9%E6%B3%95.html)\n+ [域渗透TIPS：获取LAPS管理员密码 ](http://www.freebuf.com/articles/web/142659.html)\n+ [域渗透——Security Support Provider](http://blog.neargle.com/SecNewsBak/drops/%E5%9F%9F%E6%B8%97%E9%80%8F%E2%80%94%E2%80%94Security%20Support%20Provider.html)\n+ [内网渗透随想](http://docs.ioin.in/writeup/www.91ri.org/_14390_html/index.html)\n+ [域渗透之流量劫持](http://bobao.360.cn/learning/detail/3266.html)\n+ [渗透技巧——快捷方式文件的参数隐藏技巧](https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E5%BF%AB%E6%8D%B7%E6%96%B9%E5%BC%8F%E6%96%87%E4%BB%B6%E7%9A%84%E5%8F%82%E6%95%B0%E9%9A%90%E8%97%8F%E6%8A%80%E5%B7%A7/)\n+ [后门整理](https://bbs.ichunqiu.com/thread-25119-1-1.html?from=sec)\n+ [Linux后门整理合集（脉搏推荐）](https://www.secpulse.com/archives/59674.html)\n\n## 运维\n+ [安全运维那些洞 ](https://mp.weixin.qq.com/s/5TfAF5-HR8iDA_qSIJkQ0Q)\n+ [美团外卖自动化业务运维系统建设](https://tech.meituan.com/digger_share.html)\n+ 
[饿了么运维基础设施进化史 ](https://mp.weixin.qq.com/s?__biz=MzA4Nzg5Nzc5OA==\u0026mid=2651668800\u0026idx=1\u0026sn=615af5f120d1298475aaf4825009cb30\u0026chksm=8bcb82e9bcbc0bff6309d9bbaf69cfc591624206b846e00d5004a68182c934dab921b7c25794\u0026scene=38#wechat_redirect)\n+ [nginx配置一篇足矣](http://www.xuxiaobo.com/?p=3869)\n+ [Docker Remote API的安全配置 ](http://p0sec.net/index.php/archives/115/)\n+ [Apache服务器安全配置 ](http://foreversong.cn/archives/789)\n+ [IIS服务器安全配置](http://foreversong.cn/archives/803)\n+ [Tomcat服务器安全配置](http://foreversong.cn/archives/816)\n+ [互联网企业安全之端口监控 ](https://mp.weixin.qq.com/s/SJKeXegWG3OQo4r0nBs7xQ)\n+ [Linux应急响应姿势浅谈](http://bobao.360.cn/learning/detail/4481.html)\n+ [黑客入侵应急分析手工排查](https://xianzhi.aliyun.com/forum/read/1655.html)\n+ [企业常见服务漏洞检测\u0026修复整理](http://www.mottoin.com/92742.html)\n+ [Linux基线加固](https://mp.weixin.qq.com/s/0nxiZw1NUoQTjxcd3zl6Zg)\n+ [Apache server security: 10 tips to secure installation](https://www.acunetix.com/blog/articles/10-tips-secure-apache-installation/)\n+ [Oracle数据库运维中的攻防实战（全） ](https://mp.weixin.qq.com/s/dpvBo6Bat5u4t8kSFRcv9w)\n+ [Linux服务器上监控网络带宽的18个常用命令](http://www.xuxiaobo.com/?p=3950)\n## DDOS\n+ [DDoS攻防补遗 ](https://yq.aliyun.com/articles/1795)\n+ [反射DDOS攻击防御的一点小想法 ](http://www.freebuf.com/column/138163.html)\n+ [DDOS攻击方式总结](https://www.secpulse.com/archives/64088.html\t)\n+ [DDoS防御和DDoS防护方法 你帮忙看看这7个说法靠不靠谱](http://toutiao.secjia.com/ddos-7tips)\n+ [DDoS防御和DDoS防护 来看个人站长、果壳网和安全公司怎么说 ](http://toutiao.secjia.com/ddos-prevention-protection)\n+ [DDoS防御之大流量DDoS防护方案 还有计算器估算损失](http://toutiao.secjia.com/ddos-prevention-protection-2)\n+ [freeBuf专栏 ](http://www.freebuf.com/author/%e9%bb%91%e6%88%88%e7%88%be)\n+ [遭受CC攻击的处理](http://www.xuxiaobo.com/?p=3923)\n\n# CTF\n## 技巧总结\n+ [CTF线下防御战 — 让你的靶机变成“铜墙铁壁”](http://bobao.360.cn/ctf/detail/210.html)\n+ [ctf-wiki](https://ctf-wiki.github.io/ctf-wiki/#/introduction)\n+ [CTF中那些脑洞大开的编码和加密](https://www.hackfun.org/CTF/coding-and-encryption-of-those-brain-holes-in-CTF.html)\n+ [CTF加密与解密 
](http://thief.one/2017/06/13/1/)\n+ [CTF中图片隐藏文件分离方法总结](https://www.hackfun.org/CTF/summary-of-image-hiding-files-in-CTF.html)\n+ [Md5扩展攻击的原理和应用](http://www.freebuf.com/articles/database/137129.html)\n+ [CTF比赛中关于zip的总结](http://bobao.360.cn/ctf/detail/203.html)\n+ [十五个Web狗的CTF出题套路](http://weibo.com/ttarticle/p/show?id=2309403980950244591011)\n+ [CTF备忘录](https://827977014.docs.qq.com/Bt2v7IZWnYo?type=1\u0026_wv=1\u0026_bid=2517)\n+ [rcoil:CTF线下攻防赛总结](http://rcoil.me/2017/06/CTF%E7%BA%BF%E4%B8%8B%E8%B5%9B%E6%80%BB%E7%BB%93/)\n+ [CTF内存取证入坑指南！稳！](http://www.freebuf.com/column/152545.html)\n\n# 杂\n+ [细致分析Padding Oracle渗透测试全解析 ](http://www.freebuf.com/articles/database/150606.html)\n+ [Exploring Compilation from TypeScript to WebAssembly](https://medium.com/web-on-the-edge/exploring-compilation-from-typescript-to-webassembly-f846d6befc12)\n+ [High-Level Approaches for Finding Vulnerabilities](http://jackson.thuraisamy.me/finding-vulnerabilities.html)\n+ [谈谈HTML5本地存储——WebStorage](http://syean.cn/2017/08/15/%E8%B0%88%E8%B0%88HTML5%E6%9C%AC%E5%9C%B0%E5%AD%98%E5%82%A8%E2%80%94%E2%80%94WebStorage/)\n+ [Linux下容易被忽视的那些命令用法](https://segmentfault.com/p/1210000010668099/read)\n+ [各种脚本语言不同版本一句话开启 HTTP 服务器的总结](http://www.mottoin.com/94895.html)\n+ [WebAssembly入门：将字节码带入Web世界](http://bobao.360.cn/learning/detail/3757.html)\n+ [phpwind 利用哈希长度扩展攻击进行getshell](https://www.leavesongs.com/PENETRATION/phpwind-hash-length-extension-attack.html)\n+ [深入理解hash长度扩展攻击（sha1为例） ](http://www.freebuf.com/articles/web/69264.html)\n+ [Joomla 框架的程序执行流程及目录结构分析](http://bobao.360.cn/learning/detail/3909.html)\n+ [如何通过恶意插件在Atom中植入后门](http://bobao.360.cn/learning/detail/4268.html)\n+ [CRLF Injection and Bypass Tencent WAF ](https://zhchbin.github.io/2016/01/31/CRLF-Injection-and-Bypass-WAF/)\n+ [Web之困笔记](http://www.au1ge.xyz/2017/08/09/web%E4%B9%8B%E5%9B%B0%E7%AC%94%E8%AE%B0/)\n+ [技术详解：基于Web的LDAP注入漏洞](http://www.4hou.com/technology/9090.html)\n\n","funding_links":[],"categories":["Pentest","HTML","HTML 
(177)"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCHYbeta%2FWeb-Security-Learning","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCHYbeta%2FWeb-Security-Learning","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCHYbeta%2FWeb-Security-Learning/lists"}