forked from CHYbeta/Web-Security-Learning
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README.md
628 lines (563 loc) · 48.1 KB
/
README.md
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
# [Web-Security-Learning](https://chybeta.github.io/2017/08/19/Web-Security-Learning/)
项目地址: https://github.com/CHYbeta/Web-Security-Learning
知识星球【漏洞攻防】:https://t.zsxq.com/mm2zBeq
![](zsxq.png)
目录:
- [Web-Security-Learning](#web-security-learning)
- [Web Security](#web-security)
- [sql注入](#sql注入)
- [MySql](#mysql)
- [MSSQL](#mssql)
- [PostgreSQL](#postgresql)
- [MongoDB](#mongodb)
- [技巧](#技巧)
- [工具](#工具)
- [XSS](#xss)
- [CSRF](#csrf)
- [其他前端安全](#其他前端安全)
- [SSRF](#ssrf)
- [XXE](#xxe)
- [JSONP注入](#jsonp注入)
- [SSTI](#ssti)
- [代码执行 / 命令执行](#代码执行--命令执行)
- [文件包含](#文件包含)
- [文件上传 / 解析漏洞](#文件上传--解析漏洞)
- [逻辑漏洞](#逻辑漏洞)
- [未授权访问/信息泄露](#未授权访问信息泄露)
- [redis](#redis)
- [RPO(relative path overwrite)](#rporelative-path-overwrite)
- [Web Cache](#web-cache)
- [PHP相关](#php相关)
- [弱类型](#弱类型)
- [随机数问题](#随机数问题)
- [伪协议](#伪协议)
- [序列化](#序列化)
- [php mail header injection](#php-mail-header-injection)
- [其他](#其他)
- [php代码审计](#php代码审计)
- [java-Web](#java-web)
- [反序列](#反序列)
- [Struct2](#struct2)
- [java-Web代码审计](#java-web代码审计)
- [其他](#其他-1)
- [python-Web](#python-web)
- [Node-js](#node-js)
- [WAF相关](#waf相关)
- [渗透测试](#渗透测试)
- [Course](#course)
- [信息收集](#信息收集)
- [渗透](#渗透)
- [渗透实战](#渗透实战)
- [提权](#提权)
- [渗透技巧](#渗透技巧)
- [运维](#运维)
- [DDOS](#ddos)
- [CTF](#ctf)
- [技巧总结](#技巧总结)
- [杂](#杂)
<!-- more -->
# Web Security
## sql注入
### MySql
+ [MySQL False 注入及技巧总结](https://www.anquanke.com/post/id/86021)
+ [MySQL 注入攻击与防御](https://www.anquanke.com/post/id/85936)
+ [sql注入学习总结 ](https://mp.weixin.qq.com/s?__biz=MzI5MDQ2NjExOQ==&mid=2247484372&idx=1&sn=ffcc51a88c9acf96c312421b75fc2a26&chksm=ec1e33fcdb69baea53838fd545a236c0deb8a42f3b341ee0879c9e4ac9427c2147fab95b6669#rd)
+ [SQL注入防御与绕过的几种姿势](https://www.anquanke.com/post/id/86005)
+ [MySQL偏门技巧](http://rcoil.me/2017/05/MySQL%E5%81%8F%E9%97%A8%E6%8A%80%E5%B7%A7/)
+ [mysql注入可报错时爆表名、字段名、库名](http://www.wupco.cn/?p=4117)
+ [高级SQL注入:混淆和绕过](http://www.cnblogs.com/croot/p/3450262.html)
+ [Mysql约束攻击](https://ch1st.github.io/2017/10/19/Mysql%E7%BA%A6%E6%9D%9F%E6%94%BB%E5%87%BB/)
+ [Mysql数据库渗透及漏洞利用总结 ](https://xianzhi.aliyun.com/forum/topic/1491/)
+ [MySQL绕过WAF实战技巧 ](http://www.freebuf.com/articles/web/155570.html)
+ [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/)
+ [SQL注入的“冷门姿势” ](http://www.freebuf.com/articles/web/155876.html)
+ [时间延迟盲注的三种加速注入方式mysql](https://www.ch1st.cn/?p=44)
+ [基于时间的高效的SQL盲注-使用MySQL的位运算符](https://xz.aliyun.com/t/3054)
+ [Mysql UDF BackDoor](https://xz.aliyun.com/t/2365)
+ [mysql小括号被过滤后的盲注](https://www.th1s.cn/index.php/2018/02/26/213.html)
+ [SSRF To RCE in MySQL](http://docs.ioin.in/writeup/mp.weixin.qq.com/49ca504e-3b31-40ac-8591-f833086cb588/index.html)
+ [MySQL-盲注浅析](http://rcoil.me/2017/11/MySQL-%E7%9B%B2%E6%B3%A8%E6%B5%85%E6%9E%90/)
+ [Mysql字符编码利用技巧](https://www.leavesongs.com/PENETRATION/mysql-charset-trick.html)
+ [MySQL Injection in Update, Insert and Delete](https://osandamalith.com/2017/02/08/mysql-injection-in-update-insert-and-delete/)
### MSSQL
+ [MSSQL DBA权限获取WEBSHELL的过程 ](http://fuping.site/2017/05/16/MSSQL-DBA-Permission-GET-WEBSHELL/)
+ [MSSQL 注入攻击与防御](https://www.anquanke.com/post/id/86011)
+ [CLR在SQL Server中的利用技术分](http://docs.ioin.in/writeup/cert.360.cn/_files_CLR_E5_9C_A8SQL_20Server_E4_B8_AD_E7_9A_84_E5_88_A9_E7_94_A8_E6_8A_80_E6_9C_AF_E5_88_86_E6_9E_90_pdf/index.pdf)
+ [MSSQL不使用xp_cmdshell执行命令并获取回显的两种方法](https://zhuanlan.zhihu.com/p/33322584)
### PostgreSQL
+ [postgresql数据库利用方式 ](https://mp.weixin.qq.com/s?__biz=MzI5MDQ2NjExOQ==&mid=2247484788&idx=1&sn=8a53b1c64d864cd01bab095d97a17715&chksm=ec1e355cdb69bc4a2535bc1a053bfde3ec1838d03936ba8e44156818e91bbec9b5b04a744005#rd)
+ [PostgreSQL渗透测试指南](https://www.anquanke.com/post/id/86468)
+ [渗透中利用postgresql getshell ](http://www.jianfensec.com/postgresql_getshell.html)
### MongoDB
+ [十分钟看懂MongoDB攻防实战](http://www.freebuf.com/articles/database/148823.html)
+ [MongoDB安全 – PHP注入检测](http://www.mottoin.com/94341.html)
+ [技术分享:如何Hacking MongoDB?](https://www.freebuf.com/articles/network/101494.html)
+ [MongoDB安全,php中的注入攻击](https://www.anquanke.com/post/id/84009)
+ [一个MongoDB注入攻击案例分析](https://www.freebuf.com/articles/web/106085.html)
### 技巧
+ [我的WafBypass之道(SQL注入篇)](https://xz.aliyun.com/t/368)
+ [Bypass 360主机卫士SQL注入防御](http://www.cnblogs.com/xiaozi/p/7275134.html)
+ [SQL注入之骚姿势小记](https://mp.weixin.qq.com/s/ORsciwsBGQJhFdKqceprSw)
+ [CTF比赛中SQL注入的一些经验总结 ](http://www.freebuf.com/articles/web/137094.html)
+ [如何绕过WAF/NGWAF的libinjection实现SQL注入](http://bobao.360.cn/learning/detail/3855.html)
+ [HackMe-SQL-Injection-Challenges](https://github.com/breakthenet/HackMe-SQL-Injection-Challenges)
+ [绕过WAF注入](https://bbs.ichunqiu.com/thread-25397-1-1.html?from=sec)
+ [bypassGET和POST的注入防御思路分享](https://bbs.ichunqiu.com/thread-16134-1-1.html?from=sec)
+ [SQL注入的常规思路及奇葩技巧 ](https://mp.weixin.qq.com/s/hBkJ1M6LRgssNyQyati1ng)
+ [Beyond SQLi: Obfuscate and Bypass](https://www.exploit-db.com/papers/17934/)
+ [Dnslog在SQL注入中的实战](https://www.anquanke.com/post/id/98096)
+ [SQL注入:如何通过Python CGIHTTPServer绕过CSRF tokens](https://www.anquanke.com/post/id/87022)
+ [BypassD盾IIS防火墙SQL注入防御(多姿势)](https://xz.aliyun.com/t/40)
### 工具
+ [sqlmap自带的tamper你了解多少? ](https://mp.weixin.qq.com/s/vEEoMacmETUA4yZODY8xMQ)
+ [sqlmap的使用 ---- 自带绕过脚本tamper](https://xz.aliyun.com/t/2746)
+ [使用burp macros和sqlmap绕过csrf防护进行sql注入](http://bobao.360.cn/learning/detail/3557.html)
+ [sqlmap 使用总结 ](http://www.zerokeeper.com/web-security/sqlmap-usage-summary.html)
+ [SQLmap tamper脚本注释](http://www.lengbaikai.net/?p=110)
+ [通过Burp以及自定义的Sqlmap Tamper进行二次SQL注入](http://www.4hou.com/system/6945.html)
+ [SQLMAP JSON格式检测](https://xz.aliyun.com/t/1091)
+ [记一份SQLmap使用手册小结(一)](https://xz.aliyun.com/t/3010)
+ [记一份SQLmap使用手册小结(二)](https://xz.aliyun.com/t/3011)
## XSS
+ [漫谈同源策略攻防](https://www.anquanke.com/post/id/86078)
+ [再谈同源策略 ](https://lightless.me/archives/review-SOP.html)
+ [跨域方法总结](https://xz.aliyun.com/t/224)
+ [前端安全系列(一):如何防止XSS攻击?](https://segmentfault.com/a/1190000016551188)
+ [浅谈跨站脚本攻击与防御 ](http://thief.one/2017/05/31/1/)
+ [跨站的艺术-XSS入门与介绍](http://www.fooying.com/the-art-of-xss-1-introduction/)
+ [DOMXSS Wiki](https://github.com/wisec/domxsswiki/wiki)
+ [XSS Bypass Cookbook](https://xz.aliyun.com/t/311)
+ [Content Security Policy 入门教程](https://jaq.alibaba.com/community/art/show?spm=a313e.7916646.24000001.49.ZP8rXN&articleid=518)
+ [从瑞士军刀到变形金刚--XSS攻击面拓展](https://xz.aliyun.com/t/96)
+ [前端防御从入门到弃坑--CSP变迁](https://paper.seebug.org/423/)
+ [严格 CSP 下的几种有趣的思路(34c3 CTF)](http://www.melodia.pw/?p=935)
+ [Bypassing CSP using polyglot JPEGs ](http://blog.portswigger.net/2016/12/bypassing-csp-using-polyglot-jpegs.html)
+ [Bypass unsafe-inline mode CSP](http://paper.seebug.org/91/)
+ [Chrome XSS Auditor – SVG Bypass](https://brutelogic.com.br/blog/chrome-xss-auditor-svg-bypass/)
+ [Cross site scripting payload for fuzzing](https://xianzhi.aliyun.com/forum/read/1704.html)
+ [XSS Without Dots](https://markitzeroday.com/character-restrictions/xss/2017/07/26/xss-without-dots.html)
+ [Alternative to Javascript Pseudo-Protocol](http://brutelogic.com.br/blog/alternative-javascript-pseudo-protocol/)
+ [不常见的xss利用探索](http://docs.ioin.in/writeup/wps2015.org/_2016_06_27__E4_B8_8D_E5_B8_B8_E8_A7_81_E7_9A_84xss_E5_88_A9_E7_94_A8_E6_8E_A2_E7_B4_A2_/index.html)
+ [XSS攻击另类玩法](https://bbs.ichunqiu.com/thread-25578-1-1.html?from=sec)
+ [XSS易容术---bypass之编码混淆篇+辅助脚本编写](https://bbs.ichunqiu.com/thread-17500-1-1.html?from=sec)
+ [Xssing Web With Unicodes](http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html)
+ [Electron hack —— 跨平台 XSS ](https://mp.weixin.qq.com/s?__biz=MzU2NjE2NjIxNg==&mid=2247483756&idx=1&sn=96ae19e53426d5088718b6d37996e700&source=41#wechat_redirect)
+ [XSS without HTML: Client-Side Template Injection with AngularJS ](http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html)
+ [Modern Alchemy: Turning XSS into RCE](https://blog.doyensec.com/2017/08/03/electron-framework-security.html)
+ [先知XSS挑战赛 - L3m0n Writeup](https://xz.aliyun.com/t/83)
+ [SheepSec: 7 Reflected Cross-site Scripting (XSS) Examples](http://sheepsec.com/blog/7-reflected-xss.html)
+ [Browser's XSS Filter Bypass Cheat Sheet](https://github.com/masatokinugawa/filterbypass/wiki/Browser's-XSS-Filter-Bypass-Cheat-Sheet)
+ [妙用JavaScript绕过XSS过滤](https://www.anquanke.com/post/id/86849)
## CSRF
+ [Wiping Out CSRF](https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f)
+ [CSRF攻击与防御](https://www.cnblogs.com/phpstudy2015-6/p/6771239.html)
+ [用代码来细说Csrf漏洞危害以及防御](https://bbs.ichunqiu.com/thread-24127-1-1.html?from=sec)
+ [Cookie-Form型CSRF防御机制的不足与反思](https://www.leavesongs.com/PENETRATION/think-about-cookie-form-csrf-protected.html)
+ [关于JSON CSRF的一些思考](https://mp.weixin.qq.com/s?__biz=MzIzMTc1MjExOQ==&mid=2247484126&idx=1&sn=f437882b19bed8d99d0a00938accc0c8&chksm=e89e2a06dfe9a310506419467ada63bee80f10c32267d0b11ea7d1f5491c5afdb344c5dac74e&mpshare=1&scene=23&srcid=0614BOCQBHPjaS2IOtADI3PP#rd)
+ [Exploiting JSON Cross Site Request Forgery (CSRF) using Flash](http://www.geekboy.ninja/blog/exploiting-json-cross-site-request-forgery-csrf-using-flash/)
+ [浅谈Session机制及CSRF攻防 ](https://mp.weixin.qq.com/s/aID_N9bgq91EM26qVSVBXw)
+ [CSRF 花式绕过Referer技巧](https://www.ohlinge.cn/web/csrf_referer.html)
+ [各大SRC中的CSRF技巧](http://www.freebuf.com/column/151816.html)
+ [白帽子挖洞—跨站请求伪造(CSRF)篇 ](http://www.freebuf.com/column/153543.html)
+ [读取型CSRF-需要交互的内容劫持](https://bbs.ichunqiu.com/thread-36314-1-1.html)
## 其他前端安全
+ [HTML中,闭合优先的神奇标签 ](https://mp.weixin.qq.com/s?__biz=MzA4MDA1NDE3Mw==&mid=2647715481&idx=1&sn=a4d930d5a944a5a6c0361a3c6c57d3d5)
+ [JavaScript Dangerous Functions (Part 1) - HTML Manipulation ](http://blog.blueclosure.com/2017/09/javascript-dangerous-functions-part-1.html)
+ [safari本地文件读取漏洞之扩展攻击面](http://www.wupco.cn/?p=4134)
+ [利用脚本注入漏洞攻击ReactJS应用程序](http://www.freebuf.com/articles/web/144988.html)
+ [当代 Web 的 JSON 劫持技巧](http://paper.seebug.org/130/?from=timeline&isappinstalled=0)
+ [从微信小程序看前端代码安全](https://share.whuboy.com/weapp.html)
## SSRF
+ [SSRF(服务器端请求伪造)测试资源](https://paper.seebug.org/393/)
+ [Build Your SSRF Exploit Framework SSRF](http://docs.ioin.in/writeup/fuzz.wuyun.org/_src_build_your_ssrf_exp_autowork_pdf/index.pdf)
+ [SSRF攻击实例解析](http://www.freebuf.com/articles/web/20407.html)
+ [SSRF漏洞分析与利用](http://www.4o4notfound.org/index.php/archives/33/)
+ [SSRF漏洞的挖掘经验](https://www.secpulse.com/archives/4747.html)
+ [SSRF漏洞的利用与学习](http://uknowsec.cn/posts/notes/SSRF%E6%BC%8F%E6%B4%9E%E7%9A%84%E5%88%A9%E7%94%A8%E4%B8%8E%E5%AD%A6%E4%B9%A0.html)
+ [SSRF漏洞中绕过IP限制的几种方法总结](http://www.freebuf.com/articles/web/135342.html)
+ [What is Server Side Request Forgery (SSRF)?](https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/)
+ [Use DNS Rebinding to Bypass SSRF in Java](https://mp.weixin.qq.com/s?__biz=MzIzOTQ5NjUzOQ==&mid=2247483742&idx=1&sn=e7265d5351a6d9ed30d90be1c17be041)
+ [SSRF in JAVA](https://xz.aliyun.com/t/206)
+ [DNS Rebinding技术绕过SSRF/代理IP限制](http://www.mottoin.com/95734.html)
+ [SSRF Tips](http://blog.safebuff.com/2016/07/03/SSRF-Tips/)
+ [soap导致的SSRF](https://xz.aliyun.com/t/2960)
+ [SSRF:CVE-2017-9993 FFmpeg + AVI + HLS](https://hackmd.io/p/H1B9zOg_W#)
+ [通过拆分攻击实现的SSRF攻击](https://xz.aliyun.com/t/2894)
+ [SSRF攻击文档翻译](https://xz.aliyun.com/t/2421)
+ [PHP SSRF Techniques How to bypass filter_var(), preg_match() and parse_url()](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)
## XXE
+ [浅谈XXE漏洞攻击与防御](http://thief.one/2017/06/20/1/)
+ [XXE漏洞分析](http://www.4o4notfound.org/index.php/archives/29/)
+ [XML实体注入漏洞攻与防](http://www.hackersb.cn/hacker/211.html)
+ [XML实体注入漏洞的利用与学习](http://uknowsec.cn/posts/notes/XML%E5%AE%9E%E4%BD%93%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E7%9A%84%E5%88%A9%E7%94%A8%E4%B8%8E%E5%AD%A6%E4%B9%A0.html)
+ [XXE注入:攻击与防御 - XXE Injection: Attack and Prevent](http://le4f.net/post/xxe-injection-attack_and_prevent)
+ [XXE (XML External Entity Injection) 漏洞实践](http://www.mottoin.com/101806.html)
+ [黑夜的猎杀-盲打XXE](https://xianzhi.aliyun.com/forum/read/1837.html)
+ [Hunting in the Dark - Blind XXE](https://blog.zsec.uk/blind-xxe-learning/)
+ [XMLExternal Entity漏洞培训模块](https://www.sans.org/freading-room/whitepapers/application/hands-on-xml-external-entity-vulnerability-training-module-34397)
+ [XXE被提起时我们会想到什么](http://www.mottoin.com/88085.html)
+ [XXE漏洞的简单理解和测试](http://www.mottoin.com/92794.html)
+ [XXE漏洞攻防之我见](http://bobao.360.cn/learning/detail/3841.html)
+ [XXE漏洞利用的一些技巧](http://www.91ri.org/17052.html)
+ [神奇的Content-Type——在JSON中玩转XXE攻击](http://bobao.360.cn/learning/detail/360.html)
+ [XXE-DTD Cheat Sheet](https://web-in-security.blogspot.jp/2016/03/xxe-cheat-sheet.html)
+ [XML? Be cautious!](https://blog.pragmatists.com/xml-be-cautious-69a981fdc56a)
+ [XSLT Server Side Injection Attacks](https://www.contextis.com/blog/xslt-server-side-injection-attacks)
+ [Java XXE Vulnerability](https://joychou.org/web/java-xxe-vulnerability.html)
+ [xml-attacks.md](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)
## JSONP注入
+ [JSONP注入解析 ](http://www.freebuf.com/articles/web/126347.html)
+ [JSONP 安全攻防技术](http://blog.knownsec.com/2015/03/jsonp_security_technic/)
+ [一次关于JSONP的小实验与总结](http://www.cnblogs.com/vimsk/archive/2013/01/29/2877888.html)
+ [利用JSONP跨域获取信息](https://xianzhi.aliyun.com/forum/read/1571.html)
+ [关于跨域和jsonp的一些理解(新手向)](https://segmentfault.com/a/1190000009577990)
+ [水坑攻击之Jsonp hijacking-信息劫持](http://www.mottoin.com/article/web/88237.html)
## SSTI
+ [Jinja2 template injection filter bypasses](https://0day.work/jinja2-template-injection-filter-bypasses/)
+ [乱弹Flask注入](http://www.freebuf.com/articles/web/88768.html)
+ [服务端模板注入攻击 (SSTI)之浅析 ](http://www.freebuf.com/vuls/83999.html)
+ [Exploring SSTI in Flask/Jinja2](https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2/)
+ [Flask Jinja2开发中遇到的的服务端注入问题研究](http://www.freebuf.com/articles/web/136118.html)
+ [FlaskJinja2 开发中遇到的的服务端注入问题研究 II](http://www.freebuf.com/articles/web/136180.html)
+ [Exploring SSTI in Flask/Jinja2, Part II](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
+ [Injecting Flask](https://nvisium.com/blog/2015/12/07/injecting-flask/)
+ [Server-Side Template Injection: RCE for the modern webapp](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
+ [Exploiting Python Code Injection in Web Applications](https://sethsec.blogspot.jp/2016/11/exploiting-python-code-injection-in-web.html)
+ [利用 Python 特性在 Jinja2 模板中执行任意代码](http://rickgray.me/2016/02/24/use-python-features-to-execute-arbitrary-codes-in-jinja2-templates/)
+ [Python 模板字符串与模板注入](https://virusdefender.net/index.php/archives/761/)
+ [Ruby ERB Template Injection](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
+ [服务端模板注入攻击](https://zhuanlan.zhihu.com/p/28823933)
## 代码执行 / 命令执行
+ [从PHP源码与扩展开发谈PHP任意代码执行与防御](https://blog.zsxsoft.com/post/30)
+ [Command Injection/Shell Injection](https://www.exploit-db.com/docs/42593.pdf)
+ [PHP Code Injection Analysis](http://www.polaris-lab.com/index.php/archives/254/)
+ [ 利用环境变量LD_PRELOAD来绕过php disable_function执行系统命令](http://doc.ph0en1x.com/wooyun_drops/%E5%88%A9%E7%94%A8%E7%8E%AF%E5%A2%83%E5%8F%98%E9%87%8FLD_PRELOAD%E6%9D%A5%E7%BB%95%E8%BF%87php%20disable_function%E6%89%A7%E8%A1%8C%E7%B3%BB%E7%BB%9F%E5%91%BD%E4%BB%A4.html)
+ [Hack PHP mail additional_parameters](http://blog.nsfocus.net/hack-php-mail-additional_parameters/)
+ [详细解析PHP mail()函数漏洞利用技巧](https://www.anquanke.com/post/id/86028)
+ [在PHP应用程序开发中不正当使用mail()函数引发的血案](https://www.anquanke.com/post/id/86015)
+ [基于时间反馈的RCE](http://www.mottoin.com/article/web/97678.html)
+ [正则表达式使用不当引发的系统命令执行漏洞](https://www.anquanke.com/post/id/85698)
+ [命令注入突破长度限制 ](http://www.freebuf.com/articles/web/154453.html)
## 文件包含
+ [php文件包含漏洞 ](https://chybeta.github.io/2017/10/08/php%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E6%BC%8F%E6%B4%9E/)
+ [Turning LFI into RFI](https://l.avala.mp/?p=241)
+ [PHP文件包含漏洞总结](http://wooyun.jozxing.cc/static/drops/tips-3827.html)
+ [常见文件包含发生场景与防御](https://www.anquanke.com/post/id/86123)
+ [zip或phar协议包含文件](https://bl4ck.in/tricks/2015/06/10/zip%E6%88%96phar%E5%8D%8F%E8%AE%AE%E5%8C%85%E5%90%AB%E6%96%87%E4%BB%B6.html)
+ [文件包含漏洞 一](http://drops.blbana.cc/2016/08/12/e6-96-87-e4-bb-b6-e5-8c-85-e5-90-ab-e6-bc-8f-e6-b4-9e/)
+ [文件包含漏洞 二](http://drops.blbana.cc/2016/12/03/e6-96-87-e4-bb-b6-e5-8c-85-e5-90-ab-e6-bc-8f-e6-b4-9e-ef-bc-88-e4-ba-8c-ef-bc-89/)
## 文件上传 / 解析漏洞
+ [Upload-labs通关手册](https://xz.aliyun.com/t/2435)
+ [文件上传和WAF的攻与防](https://www.secfree.com/article-585.html)
+ [我的WafBypass之道(upload篇)](https://xz.aliyun.com/t/337)
+ [文件上传漏洞(绕过姿势) ](http://thief.one/2016/09/22/%E4%B8%8A%E4%BC%A0%E6%9C%A8%E9%A9%AC%E5%A7%BF%E5%8A%BF%E6%B1%87%E6%80%BB-%E6%AC%A2%E8%BF%8E%E8%A1%A5%E5%85%85/)
+ [服务器解析漏洞 ](http://thief.one/2016/09/21/%E6%9C%8D%E5%8A%A1%E5%99%A8%E8%A7%A3%E6%9E%90%E6%BC%8F%E6%B4%9E/)
+ [文件上传总结 ](https://masterxsec.github.io/2017/04/26/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%80%BB%E7%BB%93/)
+ [代码审计之逻辑上传漏洞挖掘](http://wooyun.jozxing.cc/static/drops/papers-1957.html)
+ [渗透测试方法论之文件上传](https://bbs.ichunqiu.com/thread-23193-1-1.html?from=sec)
+ [关于文件名解析的一些探索](https://landgrey.me/filetype-parsing-attack/)
+ [Web安全 — 上传漏洞绕过 ](http://www.freebuf.com/column/161357.html)
+ [上传绕过WAF](http://docs.ioin.in/writeup/www.am0s.com/_jchw_376_html/index.html)
## 逻辑漏洞
+ [代码审计之逻辑上传漏洞挖掘](http://wooyun.jozxing.cc/static/drops/papers-1957.html)
+ [逻辑至上——内含各种酷炫姿势](https://www.anquanke.com/post/id/85947)
+ [Web安全测试中常见逻辑漏洞解析(实战篇)](http://www.freebuf.com/vuls/112339.html)
+ [逻辑漏洞之密码重置 ](https://mp.weixin.qq.com/s/Lynmqd_ieEoNJ3mmyv9eQQ)
+ [逻辑漏洞之支付漏洞](https://mp.weixin.qq.com/s/w22omfxO8vU6XzixXWmBxg)
+ [逻辑漏洞之越权访问](https://mp.weixin.qq.com/s/ChiXtcrEyQeLkGOkm4PTog)
+ [密码找回逻辑漏洞总结](http://wooyun.jozxing.cc/static/drops/web-5048.html)
+ [一些常见的重置密码漏洞分析整理](http://wooyun.jozxing.cc/static/drops/papers-2035.html)
+ [密码逻辑漏洞小总结](http://docs.ioin.in/writeup/blog.heysec.org/_archives_643/index.html)
+ [漏洞挖掘之逻辑漏洞挖掘](https://bbs.ichunqiu.com/thread-21161-1-1.html)
+ [tom0li: 逻辑漏洞小结](https://tom0li.github.io/%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E%E5%B0%8F%E7%BB%93/)
## 未授权访问/信息泄露
+ [未授权访问的tips](https://xz.aliyun.com/t/2320)
+ [未授权访问漏洞总结](https://www.secpulse.com/archives/61101.html)
+ [未授权访问漏洞的检测与利用 ](https://thief.one/2017/12/08/1/)
+ [常见Web源码泄露总结](http://www.mottoin.com/95749.html)
+ [挖洞技巧:信息泄露之总结](https://www.anquanke.com/post/id/94787)
### redis
+ [利用redis写webshell](https://www.leavesongs.com/PENETRATION/write-webshell-via-redis-server.html)
+ [Redis 未授权访问配合 SSH key 文件利用分析](http://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/)
+ [redis未授权访问漏洞利用总结](https://xianzhi.aliyun.com/forum/read/750.html)。
+ [【应急响应】redis未授权访问致远程植入挖矿脚本(防御篇) ](https://mp.weixin.qq.com/s/eUTZsGUGSO0AeBUaxq4Q2w)
## RPO(relative path overwrite)
+ [深入剖析RPO漏洞](https://xz.aliyun.com/t/2220)
+ [初探 Relative Path Overwrite](https://xz.aliyun.com/t/193)
+ [Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities](http://blog.portswigger.net/2015/02/prssi.html)
+ [RPO](http://www.thespanner.co.uk/2014/03/21/rpo/)
+ [A few RPO exploitation techniques](http://www.mbsd.jp/Whitepaper/rpo.pdf)
+ [新型Web攻击技术:RPO攻击初探](https://mp.weixin.qq.com/s/P-ncFmNZfBteJBQr8INzsw)
+ [RPO Gadgets](https://blog.innerht.ml/rpo-gadgets/)
## Web Cache
+ [浅析 Web Cache 欺骗攻击](https://www.anquanke.com/post/id/86049)
+ [Practical Web Cache Poisoning](https://portswigger.net/blog/practical-web-cache-poisoning)
+ [实战web缓存中毒](https://xz.aliyun.com/t/2585)
+ [WEB CACHE DECEPTION ATTACK](https://drive.google.com/file/d/0BxuNjp5J7XUIdkotUm5Jem5IZUk/view)
+ [详解Web缓存欺骗攻击](https://www.anquanke.com/post/id/86516)
## PHP相关
### 弱类型
+ [从弱类型利用以及对象注入到SQL注入](https://www.anquanke.com/post/id/85455)
+ [PHP中“==”运算符的安全问题](http://bobao.360.cn/learning/detail/2924.html)
+ [PHP弱类型安全问题总结 ](http://blog.spoock.com/2016/06/25/weakly-typed-security/)
+ [浅谈PHP弱类型安全](http://wooyun.jozxing.cc/static/drops/tips-4483.html)
+ [php比较操作符的安全问题](http://wooyun.jozxing.cc/static/drops/tips-7679.html)
### 随机数问题
+ [PHP mt_rand()随机数安全 ](https://mp.weixin.qq.com/s/3TgBKXHw3MC61qIYELanJg)
+ [Cracking PHP rand()](http://www.sjoerdlangkemper.nl/2016/02/11/cracking-php-rand/)
+ [php里的随机数](http://5alt.me/2017/06/php%E9%87%8C%E7%9A%84%E9%9A%8F%E6%9C%BA%E6%95%B0/)
+ [php_mt_seed - PHP mt_rand() seed cracker](http://www.openwall.com/php_mt_seed/)
+ [The GLIBC random number generator](http://www.mscs.dal.ca/~selinger/random/)
+ [一道伪随机数的CTF题](https://github.com/wonderkun/CTF_web/blob/master/web500-2/writeup.pdf)
### 伪协议
+ [谈一谈php://filter的妙用](www.leavesongs.com/PENETRATION/php-filter-magic.html)
+ [php 伪协议](http://lorexxar.cn/2016/09/14/php-wei/)
+ [利用 Gopher 协议拓展攻击面](https://blog.chaitin.cn/gopher-attack-surfaces/)
+ [PHP伪协议之 Phar 协议(绕过包含)](https://www.bodkin.ren/?p=902)
+ [PHP伪协议分析与应用](http://www.4o4notfound.org/index.php/archives/31/)
+ [LFI、RFI、PHP封装协议安全问题学习](http://www.cnblogs.com/LittleHann/p/3665062.html)
### 序列化
+ [PHP反序列化漏洞](http://bobao.360.cn/learning/detail/4122.html)
+ [浅谈php反序列化漏洞 ](https://chybeta.github.io/2017/06/17/%E6%B5%85%E8%B0%88php%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/)
+ [PHP反序列化漏洞成因及漏洞挖掘技巧与案例](http://bobao.360.cn/learning/detail/3193.html)
### php mail header injection
+ [What is Email Header Injection?](https://www.acunetix.com/blog/articles/email-header-injection/)
+ [PHP Email Injection Example](http://resources.infosecinstitute.com/email-injection/)
### 其他
+ [对于Php Shell Bypass思路总结](https://www.inksec.cn/2017/11/06/bypass_shell_4/)
+ [Decrypt PHP's eval based encryption with debugger ](https://mp.weixin.qq.com/s?__biz=MzIxNjU3ODMyOQ==&mid=2247483693&idx=1&sn=ed49fc13d8e09f12d87675adff18919f)
+ [Upgrade from LFI to RCE via PHP Sessions](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/)
+ [Xdebug: A Tiny Attack Surface](https://ricterz.me/posts/Xdebug%3A%20A%20Tiny%20Attack%20Surface)
+ [Exploitable PHP functions](https://stackoverflow.com/questions/3115559/exploitable-php-functions)
+ [从WordPress SQLi谈PHP格式化字符串问题](https://paper.seebug.org/386/)
+ [php & apache2 &操作系统之间的一些黑魔法](http://wonderkun.cc/index.html/?p=626)
+ [php内存破坏漏洞exp编写和禁用函数绕过](http://blog.th3s3v3n.xyz/2016/05/01/bin/2016-5-1-php%E5%86%85%E5%AD%98%E7%A0%B4%E5%9D%8F%E6%BC%8F%E6%B4%9Eexp%E7%BC%96%E5%86%99%E5%92%8C%E7%A6%81%E7%94%A8%E5%87%BD%E6%95%B0%E7%BB%95%E8%BF%87/)
+ [挖掘PHP禁用函数绕过利用姿势](http://blog.th3s3v3n.xyz/2016/11/20/web/%E6%8C%96%E6%8E%98PHP%E7%A6%81%E7%94%A8%E5%87%BD%E6%95%B0%E7%BB%95%E8%BF%87%E5%88%A9%E7%94%A8%E5%A7%BF%E5%8A%BF/)
+ [.user.ini文件构成的PHP后门](http://wooyun.jozxing.cc/static/drops/tips-3424.html)
### php代码审计
+ [PHP漏洞挖掘——进阶篇](http://blog.nsfocus.net/php-vulnerability-mining/)
+ [论PHP常见的漏洞](http://wooyun.jozxing.cc/static/drops/papers-4544.html)
+ [浅谈代码审计入门实战:某博客系统最新版审计之旅 ](http://www.freebuf.com/articles/rookie/143554.html)
+ [ctf中的php代码审计技巧](http://www.am0s.com/ctf/200.html)
+ [PHP代码审计tips](http://docs.ioin.in/writeup/www.91ri.org/_15074_html/index.html)
+ [代码审计之文件越权和文件上传搜索技巧](http://docs.ioin.in/writeup/blog.heysec.org/_archives_170/index.html)
+ [PHP代码审计入门集合](http://wiki.ioin.in/post/group/6Rb)
+ [PHP代码审计学习](http://phantom0301.cc/2017/06/06/codeaudit/)
+ [PHP漏洞挖掘思路+实例](http://wooyun.jozxing.cc/static/drops/tips-838.html)
+ [PHP漏洞挖掘思路+实例 第二章](http://wooyun.jozxing.cc/static/drops/tips-858.html)
+ [浅谈代码审计入门实战:某博客系统最新版审计之旅 ](http://www.freebuf.com/articles/rookie/143554.html)
+ [PHP 代码审计小结 (一) ](https://www.chery666.cn/blog/2017/12/11/Code-audit.html)
+ [2018 PHP 应用程序安全设计指北 ](https://laravel-china.org/articles/7235/2018-php-application-security-design)
## java-Web
### 反序列
+ [Java_JSON反序列化之殇_看雪安全开发者峰会](https://github.com/shengqi158/fastjson-remote-code-execute-poc/blob/master/Java_JSON%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B9%8B%E6%AE%87_%E7%9C%8B%E9%9B%AA%E5%AE%89%E5%85%A8%E5%BC%80%E5%8F%91%E8%80%85%E5%B3%B0%E4%BC%9A.pdf)
+ [从反射链的构造看Java反序列漏洞](http://www.freebuf.com/news/150872.html)
+ [Java反序列化漏洞从理解到实践](http://bobao.360.cn/learning/detail/4474.html)
+ [Java 序列化与反序列化安全分析 ](http://mp.weixin.qq.com/s?__biz=MzI5ODE0ODA5MQ==&mid=2652278247&idx=1&sn=044893b732e4ffa267b00ffe1d9e4727&chksm=f7486473c03fed6525f0a869cbc4ddc03051cda92bb946377c4d831054954159542350768cf3&mpshare=1&scene=23&srcid=0919MUXFBglgDUEtLOha0wbo#rd)
+ [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet)
+ [如何攻击Java反序列化过程](http://bobao.360.cn/learning/detail/4267.html)
+ [深入理解JAVA反序列化漏洞](https://www.vulbox.com/knowledge/detail/?id=11)
+ [Attacking Java Deserialization](https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/)
+ [jackson反序列化详细分析](http://bobao.360.cn/learning/detail/4118.html)
+ [Java安全之反序列化漏洞分析 ](https://mp.weixin.qq.com/s?__biz=MzIzMzgxOTQ5NA==&mid=2247484200&idx=1&sn=8f3201f44e6374d65589d00d91f7148e)
+ [fastjson 反序列化漏洞 POC 分析 ](https://mp.weixin.qq.com/s/0a5krhX-V_yCkz-zDN5kGg)
+ [Apache Commons Collections反序列化漏洞学习](http://pirogue.org/2017/12/22/javaSerialKiller/)
### Struct2
+ [Struts2 命令执行系列回顾](http://www.zerokeeper.com/vul-analysis/struts2-command-execution-series-review.html)
### java-Web代码审计
+ [JAVA代码审计的一些Tips(附脚本)](https://xianzhi.aliyun.com/forum/topic/1633/)
+ [Java代码审计连载之—SQL注入](https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=22170&highlight=Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%BF%9E%E8%BD%BD)
+ [Java代码审计连载之—任意文件下载](https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=23587&highlight=Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%BF%9E%E8%BD%BD)
+ [Java代码审计连载之—XSS](https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=22875&highlight=Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%BF%9E%E8%BD%BD)
+ [Java代码审计连载之—添油加醋](https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=25475&highlight=Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%BF%9E%E8%BD%BD)
+ [JAVA安全编码与代码审计.md](https://github.com/Cryin/JavaID/blob/master/JAVA%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E4%B8%8E%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md)
+ [Java代码审计PPT ](https://xianzhi.aliyun.com/forum/read/1904.html)
### 其他
+ [关于 JNDI 注入](http://bobao.360.cn/learning/detail/4564.html)
+ [层层放大java审计的攻击面 ](https://mp.weixin.qq.com/s/WT1EXEryUGGqHQpSi959xw)
+ [以Java的视角来聊聊SQL注入 ](https://mp.weixin.qq.com/s?__biz=MzIzMzgxOTQ5NA==&mid=2247483954&idx=1&sn=418b7e55b16c717ee5140af990298e22&chksm=e8fe9e3bdf89172d0670690060944bf2434cc2d2e8fba4477711299a0775cf3735a2022c0778#rd)
+ [站在Java的视角,深度分析防不胜防的小偷——“XSS” ](http://mp.weixin.qq.com/s?__biz=MzIzMzgxOTQ5NA==&mid=100000340&idx=1&sn=6ca4ec15ef6338daf1d4a907351d7c08&chksm=68fe9e5d5f89174b44fd0cae2e3d5c0018859d3d1dc6d60a2e16dcde34499ba224d6ea17a982#rd)
+ [你的 Java web 配置安全吗? ](https://mp.weixin.qq.com/s?__biz=MzIzMzgxOTQ5NA==&mid=100000318&idx=1&sn=9011af3e3968e0d87499605ef1a68291&chksm=68fe9e375f8917213297855bd9e1ab1203ae4c9b0b5ca351de7b2c0f7a7799bd1f4843cd13f4#rd)
+ [spring任意文件读取](https://github.com/ilmila/springcss-cve-2014-3625/tree/master/src)
+ [在 Runtime.getRuntime().exec(String cmd) 中执行任意shell命令的几种方法](https://mp.weixin.qq.com/s/zCe_O37rdRqgN-Yvlq1FDg)
## python-Web
+ [python web 安全总结](http://bobao.360.cn/learning/detail/4522.html)
+ [Defencely Clarifies Python Object Injection Exploitation](http://defencely.com/blog/defencely-clarifies-python-object-injection-exploitation/)
+ [Exploiting Python Deserialization Vulnerabilities](https://crowdshield.com/blog.php?name=exploiting-python-deserialization-vulnerabilities)
+ [Explaining and exploiting deserialization vulnerability with Python(EN)](https://dan.lousqui.fr/explaining-and-exploiting-deserialization-vulnerability-with-python-en.html)
+ [Python PyYAML反序列化漏洞实验和Payload构造](http://www.polaris-lab.com/index.php/archives/375/)
+ [Python 格式化字符串漏洞(Django为例)](https://www.leavesongs.com/PENETRATION/python-string-format-vulnerability.html)
+ [format注入](http://www.venenof.com/index.php/archives/360/)
+ [Be Careful with Python's New-Style String Format](http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/)
+ [Python urllib HTTP头注入漏洞](http://www.tuicool.com/articles/2iIj2eR)
+ [Hack Redis via Python urllib HTTP Header Injection](https://security.tencent.com/index.php/blog/msg/106)
+ [Python Waf黑名单过滤下的一些Bypass思路](http://www.0aa.me/index.php/archives/123/)
+ [Python沙箱逃逸的n种姿势](https://mp.weixin.qq.com/s/PLI-yjqmA3gwk5w3KHzOyA)
+ [利用内存破坏实现Python沙盒逃逸 ](https://mp.weixin.qq.com/s/s9fAskmp4Bb42OYsiQJFaw)
+ [Python Sandbox Bypass](https://mp.weixin.qq.com/s?__biz=MzIzOTQ5NjUzOQ==&mid=2247483665&idx=1&sn=4b18de09738fdc5291634db1ca2dd55a)
+ [pyt: 针对 Python 应用程序的源码静态分析工具](https://github.com/python-security/pyt)
+ [Exploiting Python PIL Module Command Execution Vulnerability](http://docs.ioin.in/writeup/github.com/_neargle_PIL_RCE_By_GhostButt/index.html)
+ [文件解压之过 Python中的代码执行](http://bobao.360.cn/learning/detail/4503.html)
## Node-js
+ [浅谈Node.js Web的安全问题](http://www.freebuf.com/articles/web/152891.html)
+ [node.js + postgres 从注入到Getshell](https://www.leavesongs.com/PENETRATION/node-postgres-code-execution-vulnerability.html)
+ [Pentesting Node.js Application : Nodejs Application Security(需翻墙)](http://www.websecgeeks.com/2017/04/pentesting-nodejs-application-nodejs.html)
+ [从零开始学习渗透Node.js应用程序 ](https://bbs.ichunqiu.com/thread-21810-1-1.html?from=sec)
+ [Node.js 中遇到含空格 URL 的神奇“Bug”——小范围深入 HTTP 协议](https://segmentfault.com/a/1190000012407268)
## WAF相关
+ [详谈WAF与静态统计分析](http://bobao.360.cn/learning/detail/4670.html)
+ [牛逼牛逼的payload和bypass总结](https://github.com/swisskyrepo/PayloadsAllTheThings)
+ [WAF绕过参考资料](http://www.mottoin.com/100887.html)
+ [浅谈WAF绕过技巧](http://www.freebuf.com/articles/web/136723.html)
+ [addslashes防注入的绕过案例](https://xianzhi.aliyun.com/forum/read/753.html?fpage=6)
+ [浅谈json参数解析对waf绕过的影响](https://xianzhi.aliyun.com/forum/read/553.html?fpage=8)
+ [WAF攻防研究之四个层次Bypass WAF](http://weibo.com/ttarticle/p/show?id=2309404007261092631700)
+ [使用HTTP头去绕过WAF ](http://www.sohu.com/a/110066439_468673)
+ [会找漏洞的时光机: Pinpointing Vulnerabilities](https://www.inforsec.org/wp/?p=1993)
# 渗透测试
## Course
+ [Web Service 渗透测试从入门到精通](http://bobao.360.cn/learning/detail/3741.html)
+ [渗透标准](https://www.processon.com/view/583e8834e4b08e31357bb727)
+ [Penetration Testing Tools Cheat Sheet](https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/)
## 信息收集
+ [看我如何收集全网IP的whois信息 ](https://mp.weixin.qq.com/s/qz0b42DKhgo1sfitcUKhtQ)
+ [浅谈Web渗透测试中的信息收集 ](http://www.freebuf.com/articles/web/142767.html)
+ [渗透测试教程:如何侦查目标以及收集信息?](http://www.4hou.com/penetration/6850.html)
+ [本屌的web漏洞扫描器思路 技巧总结(域名信息收集篇)](weibo.com/ttarticle/p/show?id=2309404088584863883789)
+ [子域名的艺术](http://www.91ri.org/17001.html)
+ [渗透测试向导之子域名枚举技术](http://www.freebuf.com/articles/network/161046.html)
+ [实例演示如何科学的进行子域名收集](http://bobao.360.cn/learning/detail/4119.html)
+ [【渗透神器系列】搜索引擎 ](http://thief.one/2017/05/19/1/)
+ [域渗透基础简单信息收集(基础篇)](https://xianzhi.aliyun.com/forum/read/805.html)
+ [内网渗透定位技术总结](http://docs.ioin.in/writeup/www.mottoin.com/_92978_html/index.html)
+ [后渗透攻防的信息收集](https://www.secpulse.com/archives/51527.html)
+ [安全攻城师系列文章-敏感信息收集](http://www.mottoin.com/99951.html)
+ [子域名枚举的艺术](http://www.mottoin.com/101362.html)
+ [论二级域名收集的各种姿势](https://mp.weixin.qq.com/s/ardCYdZzaSjvSIZiFraWGA)
+ [我眼中的渗透测试信息搜集](https://xianzhi.aliyun.com/forum/read/451.html?fpage=2)
+ [大型目标渗透-01入侵信息搜集](https://xianzhi.aliyun.com/forum/read/1675.html)
+ [乙方渗透测试之信息收集](http://www.cnnetarmy.com/%E4%B9%99%E6%96%B9%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B9%8B%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/)
+ [挖洞技巧:信息泄露之总结](https://www.anquanke.com/post/id/94787)
## 渗透
+ [【玩转Linux系统】Linux内网渗透 ](https://mp.weixin.qq.com/s/VJBnXq3--0HBD7eVeifOKA)
+ [渗透测试指南之域用户组的范围](http://www.4hou.com/penetration/7016.html)
+ [内网主机发现技巧补充](http://mp.weixin.qq.com/s/l-Avt72ajCIo5GdMEwVx7A)
+ [Linux 端口转发特征总结 ](https://mp.weixin.qq.com/s?__biz=MzA3Mzk1MDk1NA==&mid=2651903919&idx=1&sn=686cc53137aa9e8ec323dda1e54a2c23)
+ [内网渗透(持续更新) ](http://rcoil.me/2017/06/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F/)
+ [实战 SSH 端口转发](https://www.ibm.com/developerworks/cn/linux/l-cn-sshforward/index.html)
+ [多重转发渗透隐藏内网](http://bobao.360.cn/learning/detail/3545.html)
+ [内网转发姿势](http://www.03sec.com/3141.shtml)
+ [内网转发的工具](https://mp.weixin.qq.com/s/EWL9-AUB_bTf7pU4S4A2zg)
+ [Linux 下多种反弹 shell 方法](http://www.03sec.com/3140.shtml)
+ [linux各种一句话反弹shell总结](http://bobao.360.cn/learning/detail/4551.html)
+ [php 反弹shell](http://wolvez.club/?p=458)
+ [利用ew轻松穿透多级目标内网](https://klionsec.github.io/2017/08/05/ew-tunnel/)
+ [windows内网渗透杂谈](https://bl4ck.in/penetration/2017/03/20/windows%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%E6%9D%82%E8%B0%88.html)
+ [Windows域横向渗透](http://docs.ioin.in/writeup/www.mottoin.com/_89413_html/index.html)
+ [内网渗透中转发工具总结](http://blog.neargle.com/SecNewsBak/drops/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%E4%B8%AD%E8%BD%AC%E5%8F%91%E5%B7%A5%E5%85%B7%E6%80%BB%E7%BB%93.html)
+ [内网渗透思路整理与工具使用](http://bobao.360.cn/learning/detail/3683.html)
+ [Cobalt strike在内网渗透中的使用 ](http://www.freebuf.com/sectool/125237.html)
+ [反向socks5代理(windows版)](http://x95.org/archives/reverse-socks5-proxy.html)
+ [Windows渗透基础](http://www.mottoin.com/89355.html)
+ [通过双重跳板漫游隔离内网](https://xianzhi.aliyun.com/forum/read/768.html)
+ [A Red Teamer's guide to pivoting](https://artkond.com/2017/03/23/pivoting-guide/)
+ [穿越边界的姿势 ](https://mp.weixin.qq.com/s/l-0sWU4ijMOQWqRgsWcNFA)
+ [内网端口转发及穿透](https://xianzhi.aliyun.com/forum/read/1715.html)
+ [秘密渗透内网——利用 DNS 建立 VPN 传输隧道](http://www.4hou.com/technology/3143.html)
+ [Reverse Shell Cheat Sheet](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
+ [我所了解的内网渗透——内网渗透知识大总结](https://www.anquanke.com/post/id/92646)
## 渗透实战
+ [挖洞经验 | 看我如何综合利用4个漏洞实现GitHub Enterprise远程代码执行 ](http://www.freebuf.com/news/142680.html)
+ [Splash SSRF到获取内网服务器ROOT权限](http://bobao.360.cn/learning/detail/4113.html)
+ [Pivoting from blind SSRF to RCE with HashiCorp Consul](http://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html)
+ [我是如何通过命令执行到最终获取内网Root权限的 ](http://www.freebuf.com/articles/web/141579.html)
+ [信息收集之SVN源代码社工获取及渗透实战](https://xianzhi.aliyun.com/forum/read/1629.html)
+ [SQL注入+XXE+文件遍历漏洞组合拳渗透Deutsche Telekom](http://paper.seebug.org/256/)
+ [渗透 Hacking Team](http://blog.neargle.com/SecNewsBak/drops/%E6%B8%97%E9%80%8FHacking%20Team%E8%BF%87%E7%A8%8B.html)
+ [由视频系统SQL注入到服务器权限](https://bbs.ichunqiu.com/thread-25827-1-1.html?from=sec)
+ [From Serialized to Shell :: Exploiting Google Web Toolkit with EL Injection](http://srcincite.io/blog/2017/05/22/from-serialized-to-shell-auditing-google-web-toolkit-with-el-injection.html)
+ [浅谈渗透测试实战](http://docs.ioin.in/writeup/avfisher.win/_archives_381/index.html)
+ [渗透测试学习笔记之案例一](http://avfisher.win/archives/741)
+ [渗透测试学习笔记之案例二](http://avfisher.win/archives/756)
+ [渗透测试学习笔记之案例四](http://avfisher.win/archives/784)
+ [记一次内网渗透](http://killbit.me/2017/09/11/%E8%AE%B0%E4%B8%80%E6%AC%A1%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F/)
## 提权
+ [提权技巧](http://www.secbox.cn/skill/5583.html)
+ [linux-kernel-exploits Linux平台提权漏洞集合](https://github.com/SecWiki/linux-kernel-exploits)
+ [windows-kernel-exploits Windows平台提权漏洞集合 ](https://github.com/SecWiki/windows-kernel-exploits)
+ [Linux MySQL Udf 提权](http://www.91ri.org/16540.html)
+ [windows提权系列上篇](http://mp.weixin.qq.com/s/uOArxXIfcI4fjqnF9BDJGA)
+ [Windows提权系列中篇](https://mp.weixin.qq.com/s/ERXOLhWo0-lJbMV143I8hA)
+ [获取SYSTEM权限的多种姿势](http://bobao.360.cn/learning/detail/4740.html)
## 渗透技巧
+ [乙方渗透测试之Fuzz爆破](http://www.cnnetarmy.com/%E4%B9%99%E6%96%B9%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B9%8BFuzz%E7%88%86%E7%A0%B4/)
+ [域渗透神器Empire安装和简单使用 ](https://mp.weixin.qq.com/s/VqrUTW9z-yi3LqNNy-lE-Q)
+ [如何将简单的Shell转换成为完全交互式的TTY ](http://www.freebuf.com/news/142195.html)
+ [60字节 - 无文件渗透测试实验](https://www.n0tr00t.com/2017/03/09/penetration-test-without-file.html)
+ [内网渗透思路探索之新思路的探索与验证](http://www.tuicool.com/articles/fMFB3mY)
+ [Web端口复用正向后门研究实现与防御 ](http://www.freebuf.com/articles/web/142628.html)
+ [谈谈端口探测的经验与原理](http://www.freebuf.com/articles/network/146087.html)
+ [端口渗透总结](http://docs.ioin.in/writeup/blog.heysec.org/_archives_577/index.html)
+ [端口扫描那些事](https://mp.weixin.qq.com/s?__biz=MzI5MDQ2NjExOQ==&mid=2247484812&idx=1&sn=7d894b50b3947142fbfa3a4016f748d5&chksm=ec1e35a4db69bcb2acfe7ecb3b0cd1d366c54bfa1feaafc62c4290b3fd2eddab9aa95a98f041#rd)
+ [渗透技巧——通过cmd上传文件的N种方法 ](http://blog.neargle.com/SecNewsBak/drops/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7%E2%80%94%E2%80%94%E9%80%9A%E8%BF%87cmd%E4%B8%8A%E4%BC%A0%E6%96%87%E4%BB%B6%E7%9A%84N%E7%A7%8D%E6%96%B9%E6%B3%95.html)
+ [域渗透TIPS:获取LAPS管理员密码 ](http://www.freebuf.com/articles/web/142659.html)
+ [域渗透——Security Support Provider](http://blog.neargle.com/SecNewsBak/drops/%E5%9F%9F%E6%B8%97%E9%80%8F%E2%80%94%E2%80%94Security%20Support%20Provider.html)
+ [内网渗透随想](http://docs.ioin.in/writeup/www.91ri.org/_14390_html/index.html)
+ [域渗透之流量劫持](http://bobao.360.cn/learning/detail/3266.html)
+ [渗透技巧——快捷方式文件的参数隐藏技巧](https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E5%BF%AB%E6%8D%B7%E6%96%B9%E5%BC%8F%E6%96%87%E4%BB%B6%E7%9A%84%E5%8F%82%E6%95%B0%E9%9A%90%E8%97%8F%E6%8A%80%E5%B7%A7/)
+ [后门整理](https://bbs.ichunqiu.com/thread-25119-1-1.html?from=sec)
+ [Linux后门整理合集(脉搏推荐)](https://www.secpulse.com/archives/59674.html)
## 运维
+ [安全运维那些洞 ](https://mp.weixin.qq.com/s/5TfAF5-HR8iDA_qSIJkQ0Q)
+ [美团外卖自动化业务运维系统建设](https://tech.meituan.com/digger_share.html)
+ [饿了么运维基础设施进化史 ](https://mp.weixin.qq.com/s?__biz=MzA4Nzg5Nzc5OA==&mid=2651668800&idx=1&sn=615af5f120d1298475aaf4825009cb30&chksm=8bcb82e9bcbc0bff6309d9bbaf69cfc591624206b846e00d5004a68182c934dab921b7c25794&scene=38#wechat_redirect)
+ [nginx配置一篇足矣](http://www.xuxiaobo.com/?p=3869)
+ [Docker Remote API的安全配置 ](http://p0sec.net/index.php/archives/115/)
+ [Apache服务器安全配置 ](http://foreversong.cn/archives/789)
+ [IIS服务器安全配置](http://foreversong.cn/archives/803)
+ [Tomcat服务器安全配置](http://foreversong.cn/archives/816)
+ [互联网企业安全之端口监控 ](https://mp.weixin.qq.com/s/SJKeXegWG3OQo4r0nBs7xQ)
+ [Linux应急响应姿势浅谈](http://bobao.360.cn/learning/detail/4481.html)
+ [黑客入侵应急分析手工排查](https://xianzhi.aliyun.com/forum/read/1655.html)
+ [企业常见服务漏洞检测&修复整理](http://www.mottoin.com/92742.html)
+ [Linux基线加固](https://mp.weixin.qq.com/s/0nxiZw1NUoQTjxcd3zl6Zg)
+ [Apache server security: 10 tips to secure installation](https://www.acunetix.com/blog/articles/10-tips-secure-apache-installation/)
+ [Oracle数据库运维中的攻防实战(全) ](https://mp.weixin.qq.com/s/dpvBo6Bat5u4t8kSFRcv9w)
+ [Linux服务器上监控网络带宽的18个常用命令](http://www.xuxiaobo.com/?p=3950)
## DDOS
+ [DDoS攻防补遗 ](https://yq.aliyun.com/articles/1795)
+ [反射DDOS攻击防御的一点小想法 ](http://www.freebuf.com/column/138163.html)
+ [DDOS攻击方式总结](https://www.secpulse.com/archives/64088.html )
+ [DDoS防御和DDoS防护方法 你帮忙看看这7个说法靠不靠谱](http://toutiao.secjia.com/ddos-7tips)
+ [DDoS防御和DDoS防护 来看个人站长、果壳网和安全公司怎么说 ](http://toutiao.secjia.com/ddos-prevention-protection)
+ [DDoS防御之大流量DDoS防护方案 还有计算器估算损失](http://toutiao.secjia.com/ddos-prevention-protection-2)
+ [freeBuf专栏 ](http://www.freebuf.com/author/%e9%bb%91%e6%88%88%e7%88%be)
+ [遭受CC攻击的处理](http://www.xuxiaobo.com/?p=3923)
# CTF
## 技巧总结
+ [CTF线下防御战 — 让你的靶机变成“铜墙铁壁”](http://bobao.360.cn/ctf/detail/210.html)
+ [ctf-wiki](https://ctf-wiki.github.io/ctf-wiki/#/introduction)
+ [CTF中那些脑洞大开的编码和加密](https://www.hackfun.org/CTF/coding-and-encryption-of-those-brain-holes-in-CTF.html)
+ [CTF加密与解密 ](http://thief.one/2017/06/13/1/)
+ [CTF中图片隐藏文件分离方法总结](https://www.hackfun.org/CTF/summary-of-image-hiding-files-in-CTF.html)
+ [Md5扩展攻击的原理和应用](http://www.freebuf.com/articles/database/137129.html)
+ [CTF比赛中关于zip的总结](http://bobao.360.cn/ctf/detail/203.html)
+ [十五个Web狗的CTF出题套路](http://weibo.com/ttarticle/p/show?id=2309403980950244591011)
+ [CTF备忘录](https://827977014.docs.qq.com/Bt2v7IZWnYo?type=1&_wv=1&_bid=2517)
+ [rcoil:CTF线下攻防赛总结](http://rcoil.me/2017/06/CTF%E7%BA%BF%E4%B8%8B%E8%B5%9B%E6%80%BB%E7%BB%93/)
+ [CTF内存取证入坑指南!稳!](http://www.freebuf.com/column/152545.html)
# 杂
+ [细致分析Padding Oracle渗透测试全解析 ](http://www.freebuf.com/articles/database/150606.html)
+ [Exploring Compilation from TypeScript to WebAssembly](https://medium.com/web-on-the-edge/exploring-compilation-from-typescript-to-webassembly-f846d6befc12)
+ [High-Level Approaches for Finding Vulnerabilities](http://jackson.thuraisamy.me/finding-vulnerabilities.html)
+ [谈谈HTML5本地存储——WebStorage](http://syean.cn/2017/08/15/%E8%B0%88%E8%B0%88HTML5%E6%9C%AC%E5%9C%B0%E5%AD%98%E5%82%A8%E2%80%94%E2%80%94WebStorage/)
+ [Linux下容易被忽视的那些命令用法](https://segmentfault.com/p/1210000010668099/read)
+ [各种脚本语言不同版本一句话开启 HTTP 服务器的总结](http://www.mottoin.com/94895.html)
+ [WebAssembly入门:将字节码带入Web世界](http://bobao.360.cn/learning/detail/3757.html)
+ [phpwind 利用哈希长度扩展攻击进行getshell](https://www.leavesongs.com/PENETRATION/phpwind-hash-length-extension-attack.html)
+ [深入理解hash长度扩展攻击(sha1为例) ](http://www.freebuf.com/articles/web/69264.html)
+ [Joomla 框架的程序执行流程及目录结构分析](http://bobao.360.cn/learning/detail/3909.html)
+ [如何通过恶意插件在Atom中植入后门](http://bobao.360.cn/learning/detail/4268.html)
+ [CRLF Injection and Bypass Tencent WAF ](https://zhchbin.github.io/2016/01/31/CRLF-Injection-and-Bypass-WAF/)
+ [Web之困笔记](http://www.au1ge.xyz/2017/08/09/web%E4%B9%8B%E5%9B%B0%E7%AC%94%E8%AE%B0/)
+ [技术详解:基于Web的LDAP注入漏洞](http://www.4hou.com/technology/9090.html)