README.md

# [Web-Security-Learning](https://chybeta.github.io/2017/08/19/Web-Security-Learning/)

项目地址： https://github.com/CHYbeta/Web-Security-Learning

知识星球【漏洞攻防】：https://t.zsxq.com/mm2zBeq 


![](zsxq.png)



目录：
- [Web-Security-Learning](#web-security-learning)
- [Web Security](#web-security)
  - [sql注入](#sql注入)
    - [MySql](#mysql)
    - [MSSQL](#mssql)
    - [PostgreSQL](#postgresql)
    - [MongoDB](#mongodb)
    - [技巧](#技巧)
    - [工具](#工具)
  - [XSS](#xss)
  - [CSRF](#csrf)
  - [其他前端安全](#其他前端安全)
  - [SSRF](#ssrf)
  - [XXE](#xxe)
  - [JSONP注入](#jsonp注入)
  - [SSTI](#ssti)
  - [代码执行 / 命令执行](#代码执行--命令执行)
  - [文件包含](#文件包含)
  - [文件上传 / 解析漏洞](#文件上传--解析漏洞)
  - [逻辑漏洞](#逻辑漏洞)
  - [未授权访问/信息泄露](#未授权访问信息泄露)
    - [redis](#redis)
  - [RPO(relative path overwrite)](#rporelative-path-overwrite)
  - [Web Cache](#web-cache)
  - [PHP相关](#php相关)
    - [弱类型](#弱类型)
    - [随机数问题](#随机数问题)
    - [伪协议](#伪协议)
    - [序列化](#序列化)
    - [php mail header injection](#php-mail-header-injection)
    - [其他](#其他)
    - [php代码审计](#php代码审计)
  - [java-Web](#java-web)
    - [反序列](#反序列)
    - [Struct2](#struct2)
    - [java-Web代码审计](#java-web代码审计)
    - [其他](#其他-1)
  - [python-Web](#python-web)
  - [Node-js](#node-js)
  - [WAF相关](#waf相关)
- [渗透测试](#渗透测试)
  - [Course](#course)
  - [信息收集](#信息收集)
  - [渗透](#渗透)
  - [渗透实战](#渗透实战)
  - [提权](#提权)
  - [渗透技巧](#渗透技巧)
  - [运维](#运维)
  - [DDOS](#ddos)
- [CTF](#ctf)
  - [技巧总结](#技巧总结)
- [杂](#杂)

<!-- more -->

# Web Security

## sql注入

### MySql
+ [MySQL False 注入及技巧总结](https://www.anquanke.com/post/id/86021)
+ [MySQL 注入攻击与防御](https://www.anquanke.com/post/id/85936)
+ [sql注入学习总结 ](https://mp.weixin.qq.com/s?__biz=MzI5MDQ2NjExOQ==&mid=2247484372&idx=1&sn=ffcc51a88c9acf96c312421b75fc2a26&chksm=ec1e33fcdb69baea53838fd545a236c0deb8a42f3b341ee0879c9e4ac9427c2147fab95b6669#rd)
+ [SQL注入防御与绕过的几种姿势](https://www.anquanke.com/post/id/86005)
+ [MySQL偏门技巧](http://rcoil.me/2017/05/MySQL%E5%81%8F%E9%97%A8%E6%8A%80%E5%B7%A7/)
+ [mysql注入可报错时爆表名、字段名、库名](http://www.wupco.cn/?p=4117)
+ [高级SQL注入:混淆和绕过](http://www.cnblogs.com/croot/p/3450262.html)
+ [Mysql约束攻击](https://ch1st.github.io/2017/10/19/Mysql%E7%BA%A6%E6%9D%9F%E6%94%BB%E5%87%BB/)
+ [Mysql数据库渗透及漏洞利用总结 ](https://xianzhi.aliyun.com/forum/topic/1491/)
+ [MySQL绕过WAF实战技巧 ](http://www.freebuf.com/articles/web/155570.html)
+ [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/)
+ [SQL注入的“冷门姿势” ](http://www.freebuf.com/articles/web/155876.html)
+ [时间延迟盲注的三种加速注入方式mysql](https://www.ch1st.cn/?p=44)
+ [基于时间的高效的SQL盲注-使用MySQL的位运算符](https://xz.aliyun.com/t/3054)
+ [Mysql UDF BackDoor](https://xz.aliyun.com/t/2365)
+ [mysql小括号被过滤后的盲注](https://www.th1s.cn/index.php/2018/02/26/213.html)
+ [SSRF To RCE in MySQL](http://docs.ioin.in/writeup/mp.weixin.qq.com/49ca504e-3b31-40ac-8591-f833086cb588/index.html)
+ [MySQL-盲注浅析](http://rcoil.me/2017/11/MySQL-%E7%9B%B2%E6%B3%A8%E6%B5%85%E6%9E%90/)
+ [Mysql字符编码利用技巧](https://www.leavesongs.com/PENETRATION/mysql-charset-trick.html)
+ [MySQL Injection in Update, Insert and Delete](https://osandamalith.com/2017/02/08/mysql-injection-in-update-insert-and-delete/)

### MSSQL
+ [MSSQL DBA权限获取WEBSHELL的过程 ](http://fuping.site/2017/05/16/MSSQL-DBA-Permission-GET-WEBSHELL/)
+ [MSSQL 注入攻击与防御](https://www.anquanke.com/post/id/86011)
+ [CLR在SQL Server中的利用技术分](http://docs.ioin.in/writeup/cert.360.cn/_files_CLR_E5_9C_A8SQL_20Server_E4_B8_AD_E7_9A_84_E5_88_A9_E7_94_A8_E6_8A_80_E6_9C_AF_E5_88_86_E6_9E_90_pdf/index.pdf)
+ [MSSQL不使用xp_cmdshell执行命令并获取回显的两种方法](https://zhuanlan.zhihu.com/p/33322584)

### PostgreSQL
+ [postgresql数据库利用方式 ](https://mp.weixin.qq.com/s?__biz=MzI5MDQ2NjExOQ==&mid=2247484788&idx=1&sn=8a53b1c64d864cd01bab095d97a17715&chksm=ec1e355cdb69bc4a2535bc1a053bfde3ec1838d03936ba8e44156818e91bbec9b5b04a744005#rd)
+ [PostgreSQL渗透测试指南](https://www.anquanke.com/post/id/86468)
+ [渗透中利用postgresql getshell ](http://www.jianfensec.com/postgresql_getshell.html)

### MongoDB
+ [十分钟看懂MongoDB攻防实战](http://www.freebuf.com/articles/database/148823.html)
+ [MongoDB安全 – PHP注入检测](http://www.mottoin.com/94341.html)
+ [技术分享：如何Hacking MongoDB？](https://www.freebuf.com/articles/network/101494.html)
+ [MongoDB安全，php中的注入攻击](https://www.anquanke.com/post/id/84009)
+ [一个MongoDB注入攻击案例分析](https://www.freebuf.com/articles/web/106085.html)

### 技巧
+ [我的WafBypass之道（SQL注入篇）](https://xz.aliyun.com/t/368)
+ [Bypass 360主机卫士SQL注入防御](http://www.cnblogs.com/xiaozi/p/7275134.html)
+ [SQL注入之骚姿势小记](https://mp.weixin.qq.com/s/ORsciwsBGQJhFdKqceprSw)
+ [CTF比赛中SQL注入的一些经验总结 ](http://www.freebuf.com/articles/web/137094.html)
+ [如何绕过WAF/NGWAF的libinjection实现SQL注入](http://bobao.360.cn/learning/detail/3855.html)
+ [HackMe-SQL-Injection-Challenges](https://github.com/breakthenet/HackMe-SQL-Injection-Challenges)
+ [绕过WAF注入](https://bbs.ichunqiu.com/thread-25397-1-1.html?from=sec)
+ [bypassGET和POST的注入防御思路分享](https://bbs.ichunqiu.com/thread-16134-1-1.html?from=sec)
+ [SQL注入的常规思路及奇葩技巧 ](https://mp.weixin.qq.com/s/hBkJ1M6LRgssNyQyati1ng)
+ [Beyond SQLi: Obfuscate and Bypass](https://www.exploit-db.com/papers/17934/)
+ [Dnslog在SQL注入中的实战](https://www.anquanke.com/post/id/98096)
+ [SQL注入：如何通过Python CGIHTTPServer绕过CSRF tokens](https://www.anquanke.com/post/id/87022)
+ [BypassD盾IIS防火墙SQL注入防御（多姿势）](https://xz.aliyun.com/t/40)


### 工具
+ [sqlmap自带的tamper你了解多少？ ](https://mp.weixin.qq.com/s/vEEoMacmETUA4yZODY8xMQ)
+ [sqlmap的使用 ---- 自带绕过脚本tamper](https://xz.aliyun.com/t/2746)
+ [使用burp macros和sqlmap绕过csrf防护进行sql注入](http://bobao.360.cn/learning/detail/3557.html)
+ [sqlmap 使用总结 ](http://www.zerokeeper.com/web-security/sqlmap-usage-summary.html)
+ [SQLmap tamper脚本注释](http://www.lengbaikai.net/?p=110)
+ [通过Burp以及自定义的Sqlmap Tamper进行二次SQL注入](http://www.4hou.com/system/6945.html)
+ [SQLMAP  JSON格式检测](https://xz.aliyun.com/t/1091)
+ [记一份SQLmap使用手册小结（一）](https://xz.aliyun.com/t/3010)
+ [记一份SQLmap使用手册小结（二）](https://xz.aliyun.com/t/3011)

## XSS
+ [漫谈同源策略攻防](https://www.anquanke.com/post/id/86078)
+ [再谈同源策略 ](https://lightless.me/archives/review-SOP.html)
+ [跨域方法总结](https://xz.aliyun.com/t/224)
+ [前端安全系列（一）：如何防止XSS攻击？](https://segmentfault.com/a/1190000016551188)
+ [浅谈跨站脚本攻击与防御 ](http://thief.one/2017/05/31/1/)
+ [跨站的艺术-XSS入门与介绍](http://www.fooying.com/the-art-of-xss-1-introduction/)
+ [DOMXSS Wiki](https://github.com/wisec/domxsswiki/wiki)
+ [XSS Bypass Cookbook](https://xz.aliyun.com/t/311)
+ [Content Security Policy 入门教程](https://jaq.alibaba.com/community/art/show?spm=a313e.7916646.24000001.49.ZP8rXN&articleid=518)
+ [从瑞士军刀到变形金刚--XSS攻击面拓展](https://xz.aliyun.com/t/96)
+ [前端防御从入门到弃坑--CSP变迁](https://paper.seebug.org/423/)
+ [严格 CSP 下的几种有趣的思路（34c3 CTF）](http://www.melodia.pw/?p=935)
+ [Bypassing CSP using polyglot JPEGs ](http://blog.portswigger.net/2016/12/bypassing-csp-using-polyglot-jpegs.html)
+ [Bypass unsafe-inline mode CSP](http://paper.seebug.org/91/)
+ [Chrome XSS Auditor – SVG Bypass](https://brutelogic.com.br/blog/chrome-xss-auditor-svg-bypass/)
+ [Cross site scripting payload for fuzzing](https://xianzhi.aliyun.com/forum/read/1704.html)
+ [XSS Without Dots](https://markitzeroday.com/character-restrictions/xss/2017/07/26/xss-without-dots.html)
+ [Alternative to Javascript Pseudo-Protocol](http://brutelogic.com.br/blog/alternative-javascript-pseudo-protocol/)
+ [不常见的xss利用探索](http://docs.ioin.in/writeup/wps2015.org/_2016_06_27__E4_B8_8D_E5_B8_B8_E8_A7_81_E7_9A_84xss_E5_88_A9_E7_94_A8_E6_8E_A2_E7_B4_A2_/index.html)
+ [XSS攻击另类玩法](https://bbs.ichunqiu.com/thread-25578-1-1.html?from=sec)
+ [XSS易容术---bypass之编码混淆篇+辅助脚本编写](https://bbs.ichunqiu.com/thread-17500-1-1.html?from=sec)
+ [Xssing Web With Unicodes](http://blog.rakeshmane.com/2017/08/xssing-web-part-2.html)
+ [Electron hack —— 跨平台 XSS ](https://mp.weixin.qq.com/s?__biz=MzU2NjE2NjIxNg==&mid=2247483756&amp;idx=1&amp;sn=96ae19e53426d5088718b6d37996e700&source=41#wechat_redirect)
+ [XSS without HTML: Client-Side Template Injection with AngularJS ](http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html)
+ [Modern Alchemy: Turning XSS into RCE](https://blog.doyensec.com/2017/08/03/electron-framework-security.html)
+ [先知XSS挑战赛 - L3m0n Writeup](https://xz.aliyun.com/t/83)
+ [SheepSec: 7 Reflected Cross-site Scripting (XSS) Examples](http://sheepsec.com/blog/7-reflected-xss.html)
+ [Browser's XSS Filter Bypass Cheat Sheet](https://github.com/masatokinugawa/filterbypass/wiki/Browser's-XSS-Filter-Bypass-Cheat-Sheet)
+ [妙用JavaScript绕过XSS过滤](https://www.anquanke.com/post/id/86849)

## CSRF
+ [Wiping Out CSRF](https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f)
+ [CSRF攻击与防御](https://www.cnblogs.com/phpstudy2015-6/p/6771239.html)
+ [用代码来细说Csrf漏洞危害以及防御](https://bbs.ichunqiu.com/thread-24127-1-1.html?from=sec)
+ [Cookie-Form型CSRF防御机制的不足与反思](https://www.leavesongs.com/PENETRATION/think-about-cookie-form-csrf-protected.html)
+ [关于JSON CSRF的一些思考](https://mp.weixin.qq.com/s?__biz=MzIzMTc1MjExOQ==&mid=2247484126&idx=1&sn=f437882b19bed8d99d0a00938accc0c8&chksm=e89e2a06dfe9a310506419467ada63bee80f10c32267d0b11ea7d1f5491c5afdb344c5dac74e&mpshare=1&scene=23&srcid=0614BOCQBHPjaS2IOtADI3PP#rd)
+ [Exploiting JSON Cross Site Request Forgery (CSRF) using Flash](http://www.geekboy.ninja/blog/exploiting-json-cross-site-request-forgery-csrf-using-flash/)
+ [浅谈Session机制及CSRF攻防 ](https://mp.weixin.qq.com/s/aID_N9bgq91EM26qVSVBXw)
+ [CSRF 花式绕过Referer技巧](https://www.ohlinge.cn/web/csrf_referer.html)
+ [各大SRC中的CSRF技巧](http://www.freebuf.com/column/151816.html)
+ [白帽子挖洞—跨站请求伪造（CSRF）篇 ](http://www.freebuf.com/column/153543.html)
+ [读取型CSRF-需要交互的内容劫持](https://bbs.ichunqiu.com/thread-36314-1-1.html)

## 其他前端安全
+ [HTML中，闭合优先的神奇标签 ](https://mp.weixin.qq.com/s?__biz=MzA4MDA1NDE3Mw==&mid=2647715481&idx=1&sn=a4d930d5a944a5a6c0361a3c6c57d3d5)
+ [JavaScript Dangerous Functions (Part 1) - HTML Manipulation ](http://blog.blueclosure.com/2017/09/javascript-dangerous-functions-part-1.html)
+ [safari本地文件读取漏洞之扩展攻击面](http://www.wupco.cn/?p=4134)
+ [利用脚本注入漏洞攻击ReactJS应用程序](http://www.freebuf.com/articles/web/144988.html)
+ [当代 Web 的 JSON 劫持技巧](http://paper.seebug.org/130/?from=timeline&isappinstalled=0)
+ [从微信小程序看前端代码安全](https://share.whuboy.com/weapp.html)


## SSRF
+ [SSRF（服务器端请求伪造）测试资源](https://paper.seebug.org/393/)
+ [Build Your SSRF Exploit Framework SSRF](http://docs.ioin.in/writeup/fuzz.wuyun.org/_src_build_your_ssrf_exp_autowork_pdf/index.pdf)
+ [SSRF攻击实例解析](http://www.freebuf.com/articles/web/20407.html)
+ [SSRF漏洞分析与利用](http://www.4o4notfound.org/index.php/archives/33/)
+ [SSRF漏洞的挖掘经验](https://www.secpulse.com/archives/4747.html)
+ [SSRF漏洞的利用与学习](http://uknowsec.cn/posts/notes/SSRF%E6%BC%8F%E6%B4%9E%E7%9A%84%E5%88%A9%E7%94%A8%E4%B8%8E%E5%AD%A6%E4%B9%A0.html)
+ [SSRF漏洞中绕过IP限制的几种方法总结](http://www.freebuf.com/articles/web/135342.html)
+ [What is Server Side Request Forgery (SSRF)?](https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/)
+ [Use DNS Rebinding to Bypass SSRF in Java](https://mp.weixin.qq.com/s?__biz=MzIzOTQ5NjUzOQ==&mid=2247483742&idx=1&sn=e7265d5351a6d9ed30d90be1c17be041)
+ [SSRF in JAVA](https://xz.aliyun.com/t/206)
+ [DNS Rebinding技术绕过SSRF/代理IP限制](http://www.mottoin.com/95734.html)
+ [SSRF Tips](http://blog.safebuff.com/2016/07/03/SSRF-Tips/)
+ [soap导致的SSRF](https://xz.aliyun.com/t/2960)
+ [SSRF:CVE-2017-9993 FFmpeg + AVI + HLS](https://hackmd.io/p/H1B9zOg_W#)
+ [通过拆分攻击实现的SSRF攻击](https://xz.aliyun.com/t/2894)
+ [SSRF攻击文档翻译](https://xz.aliyun.com/t/2421)
+ [PHP SSRF Techniques How to bypass filter_var(), preg_match() and parse_url()](https://medium.com/secjuice/php-ssrf-techniques-9d422cb28d51)


## XXE

+ [浅谈XXE漏洞攻击与防御](http://thief.one/2017/06/20/1/)
+ [XXE漏洞分析](http://www.4o4notfound.org/index.php/archives/29/)
+ [XML实体注入漏洞攻与防](http://www.hackersb.cn/hacker/211.html)
+ [XML实体注入漏洞的利用与学习](http://uknowsec.cn/posts/notes/XML%E5%AE%9E%E4%BD%93%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E7%9A%84%E5%88%A9%E7%94%A8%E4%B8%8E%E5%AD%A6%E4%B9%A0.html)
+ [XXE注入:攻击与防御 - XXE Injection: Attack and Prevent](http://le4f.net/post/xxe-injection-attack_and_prevent)
+ [XXE (XML External Entity Injection) 漏洞实践](http://www.mottoin.com/101806.html)
+ [黑夜的猎杀-盲打XXE](https://xianzhi.aliyun.com/forum/read/1837.html)
+ [Hunting in the Dark - Blind XXE](https://blog.zsec.uk/blind-xxe-learning/)
+ [XMLExternal Entity漏洞培训模块](https://www.sans.org/freading-room/whitepapers/application/hands-on-xml-external-entity-vulnerability-training-module-34397)
+ [XXE被提起时我们会想到什么](http://www.mottoin.com/88085.html)
+ [XXE漏洞的简单理解和测试](http://www.mottoin.com/92794.html)
+ [XXE漏洞攻防之我见](http://bobao.360.cn/learning/detail/3841.html)
+ [XXE漏洞利用的一些技巧](http://www.91ri.org/17052.html)
+ [神奇的Content-Type——在JSON中玩转XXE攻击](http://bobao.360.cn/learning/detail/360.html)
+ [XXE-DTD Cheat Sheet](https://web-in-security.blogspot.jp/2016/03/xxe-cheat-sheet.html)
+ [XML? Be cautious!](https://blog.pragmatists.com/xml-be-cautious-69a981fdc56a)
+ [XSLT Server Side Injection Attacks](https://www.contextis.com/blog/xslt-server-side-injection-attacks)
+ [Java XXE Vulnerability](https://joychou.org/web/java-xxe-vulnerability.html)
+ [xml-attacks.md](https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870)

## JSONP注入
+ [JSONP注入解析 ](http://www.freebuf.com/articles/web/126347.html)
+ [JSONP 安全攻防技术](http://blog.knownsec.com/2015/03/jsonp_security_technic/)
+ [一次关于JSONP的小实验与总结](http://www.cnblogs.com/vimsk/archive/2013/01/29/2877888.html)
+ [利用JSONP跨域获取信息](https://xianzhi.aliyun.com/forum/read/1571.html)
+ [关于跨域和jsonp的一些理解(新手向)](https://segmentfault.com/a/1190000009577990)
+ [水坑攻击之Jsonp hijacking-信息劫持](http://www.mottoin.com/article/web/88237.html)

## SSTI
+ [Jinja2 template injection filter bypasses](https://0day.work/jinja2-template-injection-filter-bypasses/)
+ [乱弹Flask注入](http://www.freebuf.com/articles/web/88768.html)
+ [服务端模板注入攻击 （SSTI）之浅析 ](http://www.freebuf.com/vuls/83999.html)
+ [Exploring SSTI in Flask/Jinja2](https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2/)
+ [Flask Jinja2开发中遇到的的服务端注入问题研究](http://www.freebuf.com/articles/web/136118.html)
+ [FlaskJinja2 开发中遇到的的服务端注入问题研究 II](http://www.freebuf.com/articles/web/136180.html)
+ [Exploring SSTI in Flask/Jinja2, Part II](https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/)
+ [Injecting Flask](https://nvisium.com/blog/2015/12/07/injecting-flask/)
+ [Server-Side Template Injection: RCE for the modern webapp](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
+ [Exploiting Python Code Injection in Web Applications](https://sethsec.blogspot.jp/2016/11/exploiting-python-code-injection-in-web.html)
+ [利用 Python 特性在 Jinja2 模板中执行任意代码](http://rickgray.me/2016/02/24/use-python-features-to-execute-arbitrary-codes-in-jinja2-templates/)
+ [Python 模板字符串与模板注入](https://virusdefender.net/index.php/archives/761/)
+ [Ruby ERB Template Injection](https://www.trustedsec.com/2017/09/rubyerb-template-injection/)
+ [服务端模板注入攻击](https://zhuanlan.zhihu.com/p/28823933)

## 代码执行 / 命令执行
+ [从PHP源码与扩展开发谈PHP任意代码执行与防御](https://blog.zsxsoft.com/post/30)
+ [Command Injection/Shell Injection](https://www.exploit-db.com/docs/42593.pdf)
+ [PHP Code Injection Analysis](http://www.polaris-lab.com/index.php/archives/254/)
+ [	利用环境变量LD_PRELOAD来绕过php disable_function执行系统命令](http://doc.ph0en1x.com/wooyun_drops/%E5%88%A9%E7%94%A8%E7%8E%AF%E5%A2%83%E5%8F%98%E9%87%8FLD_PRELOAD%E6%9D%A5%E7%BB%95%E8%BF%87php%20disable_function%E6%89%A7%E8%A1%8C%E7%B3%BB%E7%BB%9F%E5%91%BD%E4%BB%A4.html)
+ [Hack PHP mail additional_parameters](http://blog.nsfocus.net/hack-php-mail-additional_parameters/)
+ [详细解析PHP mail()函数漏洞利用技巧](https://www.anquanke.com/post/id/86028)
+ [在PHP应用程序开发中不正当使用mail()函数引发的血案](https://www.anquanke.com/post/id/86015)
+ [基于时间反馈的RCE](http://www.mottoin.com/article/web/97678.html)
+ [正则表达式使用不当引发的系统命令执行漏洞](https://www.anquanke.com/post/id/85698)
+ [命令注入突破长度限制 ](http://www.freebuf.com/articles/web/154453.html)
  
## 文件包含
+ [php文件包含漏洞 ](https://chybeta.github.io/2017/10/08/php%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E6%BC%8F%E6%B4%9E/)
+ [Turning LFI into RFI](https://l.avala.mp/?p=241)
+ [PHP文件包含漏洞总结](http://wooyun.jozxing.cc/static/drops/tips-3827.html)
+ [常见文件包含发生场景与防御](https://www.anquanke.com/post/id/86123)
+ [zip或phar协议包含文件](https://bl4ck.in/tricks/2015/06/10/zip%E6%88%96phar%E5%8D%8F%E8%AE%AE%E5%8C%85%E5%90%AB%E6%96%87%E4%BB%B6.html)
+ [文件包含漏洞 一](http://drops.blbana.cc/2016/08/12/e6-96-87-e4-bb-b6-e5-8c-85-e5-90-ab-e6-bc-8f-e6-b4-9e/)
+ [文件包含漏洞 二](http://drops.blbana.cc/2016/12/03/e6-96-87-e4-bb-b6-e5-8c-85-e5-90-ab-e6-bc-8f-e6-b4-9e-ef-bc-88-e4-ba-8c-ef-bc-89/)


## 文件上传 / 解析漏洞
+ [Upload-labs通关手册](https://xz.aliyun.com/t/2435)
+ [文件上传和WAF的攻与防](https://www.secfree.com/article-585.html)
+ [我的WafBypass之道（upload篇）](https://xz.aliyun.com/t/337)
+ [文件上传漏洞（绕过姿势） ](http://thief.one/2016/09/22/%E4%B8%8A%E4%BC%A0%E6%9C%A8%E9%A9%AC%E5%A7%BF%E5%8A%BF%E6%B1%87%E6%80%BB-%E6%AC%A2%E8%BF%8E%E8%A1%A5%E5%85%85/)
+ [服务器解析漏洞 ](http://thief.one/2016/09/21/%E6%9C%8D%E5%8A%A1%E5%99%A8%E8%A7%A3%E6%9E%90%E6%BC%8F%E6%B4%9E/)
+ [文件上传总结 ](https://masterxsec.github.io/2017/04/26/%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%80%BB%E7%BB%93/)
+ [代码审计之逻辑上传漏洞挖掘](http://wooyun.jozxing.cc/static/drops/papers-1957.html)
+ [渗透测试方法论之文件上传](https://bbs.ichunqiu.com/thread-23193-1-1.html?from=sec)
+ [关于文件名解析的一些探索](https://landgrey.me/filetype-parsing-attack/)
+ [Web安全 — 上传漏洞绕过 ](http://www.freebuf.com/column/161357.html)
+ [上传绕过WAF](http://docs.ioin.in/writeup/www.am0s.com/_jchw_376_html/index.html)

## 逻辑漏洞
+ [代码审计之逻辑上传漏洞挖掘](http://wooyun.jozxing.cc/static/drops/papers-1957.html)
+ [逻辑至上——内含各种酷炫姿势](https://www.anquanke.com/post/id/85947)
+ [Web安全测试中常见逻辑漏洞解析（实战篇）](http://www.freebuf.com/vuls/112339.html)
+ [逻辑漏洞之密码重置 ](https://mp.weixin.qq.com/s/Lynmqd_ieEoNJ3mmyv9eQQ)
+ [逻辑漏洞之支付漏洞](https://mp.weixin.qq.com/s/w22omfxO8vU6XzixXWmBxg)
+ [逻辑漏洞之越权访问](https://mp.weixin.qq.com/s/ChiXtcrEyQeLkGOkm4PTog)
+ [密码找回逻辑漏洞总结](http://wooyun.jozxing.cc/static/drops/web-5048.html)
+ [一些常见的重置密码漏洞分析整理](http://wooyun.jozxing.cc/static/drops/papers-2035.html)
+ [密码逻辑漏洞小总结](http://docs.ioin.in/writeup/blog.heysec.org/_archives_643/index.html)
+ [漏洞挖掘之逻辑漏洞挖掘](https://bbs.ichunqiu.com/thread-21161-1-1.html)
+ [tom0li: 逻辑漏洞小结](https://tom0li.github.io/%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E%E5%B0%8F%E7%BB%93/)

## 未授权访问/信息泄露
+ [未授权访问的tips](https://xz.aliyun.com/t/2320)
+ [未授权访问漏洞总结](https://www.secpulse.com/archives/61101.html)
+ [未授权访问漏洞的检测与利用 ](https://thief.one/2017/12/08/1/)
+ [常见Web源码泄露总结](http://www.mottoin.com/95749.html)
+ [挖洞技巧：信息泄露之总结](https://www.anquanke.com/post/id/94787)
### redis
+ [利用redis写webshell](https://www.leavesongs.com/PENETRATION/write-webshell-via-redis-server.html)
+ [Redis 未授权访问配合 SSH key 文件利用分析](http://blog.knownsec.com/2015/11/analysis-of-redis-unauthorized-of-expolit/)
+ [redis未授权访问漏洞利用总结](https://xianzhi.aliyun.com/forum/read/750.html)。
+ [【应急响应】redis未授权访问致远程植入挖矿脚本（防御篇） ](https://mp.weixin.qq.com/s/eUTZsGUGSO0AeBUaxq4Q2w)

## RPO(relative path overwrite)
+ [深入剖析RPO漏洞](https://xz.aliyun.com/t/2220)
+ [初探 Relative Path Overwrite](https://xz.aliyun.com/t/193)
+ [Detecting and exploiting path-relative stylesheet import (PRSSI) vulnerabilities](http://blog.portswigger.net/2015/02/prssi.html)
+ [RPO](http://www.thespanner.co.uk/2014/03/21/rpo/)
+ [A few RPO exploitation techniques](http://www.mbsd.jp/Whitepaper/rpo.pdf)
+ [新型Web攻击技术：RPO攻击初探](https://mp.weixin.qq.com/s/P-ncFmNZfBteJBQr8INzsw)
+ [RPO Gadgets](https://blog.innerht.ml/rpo-gadgets/)

## Web Cache
+ [浅析 Web Cache 欺骗攻击](https://www.anquanke.com/post/id/86049)
+ [Practical Web Cache Poisoning](https://portswigger.net/blog/practical-web-cache-poisoning)
+ [实战web缓存中毒](https://xz.aliyun.com/t/2585)
+ [WEB CACHE DECEPTION ATTACK](https://drive.google.com/file/d/0BxuNjp5J7XUIdkotUm5Jem5IZUk/view)
+ [详解Web缓存欺骗攻击](https://www.anquanke.com/post/id/86516)
  

## PHP相关
### 弱类型
+ [从弱类型利用以及对象注入到SQL注入](https://www.anquanke.com/post/id/85455)
+ [PHP中“＝＝”运算符的安全问题](http://bobao.360.cn/learning/detail/2924.html)
+ [PHP弱类型安全问题总结 ](http://blog.spoock.com/2016/06/25/weakly-typed-security/)
+ [浅谈PHP弱类型安全](http://wooyun.jozxing.cc/static/drops/tips-4483.html)
+ [php比较操作符的安全问题](http://wooyun.jozxing.cc/static/drops/tips-7679.html)

### 随机数问题
+ [PHP mt_rand()随机数安全 ](https://mp.weixin.qq.com/s/3TgBKXHw3MC61qIYELanJg)
+ [Cracking PHP rand()](http://www.sjoerdlangkemper.nl/2016/02/11/cracking-php-rand/)
+ [php里的随机数](http://5alt.me/2017/06/php%E9%87%8C%E7%9A%84%E9%9A%8F%E6%9C%BA%E6%95%B0/)
+ [php_mt_seed - PHP mt_rand() seed cracker](http://www.openwall.com/php_mt_seed/)
+ [The GLIBC random number generator](http://www.mscs.dal.ca/~selinger/random/)
+ [一道伪随机数的CTF题](https://github.com/wonderkun/CTF_web/blob/master/web500-2/writeup.pdf)

### 伪协议
+ [谈一谈php://filter的妙用](www.leavesongs.com/PENETRATION/php-filter-magic.html)
+ [php 伪协议](http://lorexxar.cn/2016/09/14/php-wei/)
+ [利用 Gopher 协议拓展攻击面](https://blog.chaitin.cn/gopher-attack-surfaces/)
+ [PHP伪协议之 Phar 协议（绕过包含）](https://www.bodkin.ren/?p=902)
+ [PHP伪协议分析与应用](http://www.4o4notfound.org/index.php/archives/31/)
+ [LFI、RFI、PHP封装协议安全问题学习](http://www.cnblogs.com/LittleHann/p/3665062.html)

### 序列化
+ [PHP反序列化漏洞](http://bobao.360.cn/learning/detail/4122.html)
+ [浅谈php反序列化漏洞 ](https://chybeta.github.io/2017/06/17/%E6%B5%85%E8%B0%88php%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E/)
+ [PHP反序列化漏洞成因及漏洞挖掘技巧与案例](http://bobao.360.cn/learning/detail/3193.html)

### php mail header injection
+ [What is Email Header Injection?](https://www.acunetix.com/blog/articles/email-header-injection/)
+ [PHP Email Injection Example](http://resources.infosecinstitute.com/email-injection/)

### 其他
+ [对于Php Shell Bypass思路总结](https://www.inksec.cn/2017/11/06/bypass_shell_4/)
+ [Decrypt PHP's eval based encryption with debugger ](https://mp.weixin.qq.com/s?__biz=MzIxNjU3ODMyOQ==&mid=2247483693&idx=1&sn=ed49fc13d8e09f12d87675adff18919f)
+ [Upgrade from LFI to RCE via PHP Sessions](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/)
+ [Xdebug: A Tiny Attack Surface](https://ricterz.me/posts/Xdebug%3A%20A%20Tiny%20Attack%20Surface)
+ [Exploitable PHP functions](https://stackoverflow.com/questions/3115559/exploitable-php-functions)
+ [从WordPress SQLi谈PHP格式化字符串问题](https://paper.seebug.org/386/)
+ [php & apache2 &操作系统之间的一些黑魔法](http://wonderkun.cc/index.html/?p=626)
+ [php内存破坏漏洞exp编写和禁用函数绕过](http://blog.th3s3v3n.xyz/2016/05/01/bin/2016-5-1-php%E5%86%85%E5%AD%98%E7%A0%B4%E5%9D%8F%E6%BC%8F%E6%B4%9Eexp%E7%BC%96%E5%86%99%E5%92%8C%E7%A6%81%E7%94%A8%E5%87%BD%E6%95%B0%E7%BB%95%E8%BF%87/)
+ [挖掘PHP禁用函数绕过利用姿势](http://blog.th3s3v3n.xyz/2016/11/20/web/%E6%8C%96%E6%8E%98PHP%E7%A6%81%E7%94%A8%E5%87%BD%E6%95%B0%E7%BB%95%E8%BF%87%E5%88%A9%E7%94%A8%E5%A7%BF%E5%8A%BF/)
+ [.user.ini文件构成的PHP后门](http://wooyun.jozxing.cc/static/drops/tips-3424.html)


### php代码审计
+ [PHP漏洞挖掘——进阶篇](http://blog.nsfocus.net/php-vulnerability-mining/)
+ [论PHP常见的漏洞](http://wooyun.jozxing.cc/static/drops/papers-4544.html)
+ [浅谈代码审计入门实战：某博客系统最新版审计之旅 ](http://www.freebuf.com/articles/rookie/143554.html)
+ [ctf中的php代码审计技巧](http://www.am0s.com/ctf/200.html)
+ [PHP代码审计tips](http://docs.ioin.in/writeup/www.91ri.org/_15074_html/index.html)
+ [代码审计之文件越权和文件上传搜索技巧](http://docs.ioin.in/writeup/blog.heysec.org/_archives_170/index.html)
+ [PHP代码审计入门集合](http://wiki.ioin.in/post/group/6Rb)
+ [PHP代码审计学习](http://phantom0301.cc/2017/06/06/codeaudit/)
+ [PHP漏洞挖掘思路+实例](http://wooyun.jozxing.cc/static/drops/tips-838.html)
+ [PHP漏洞挖掘思路+实例 第二章](http://wooyun.jozxing.cc/static/drops/tips-858.html)
+ [浅谈代码审计入门实战：某博客系统最新版审计之旅 ](http://www.freebuf.com/articles/rookie/143554.html)
+ [PHP 代码审计小结 (一) ](https://www.chery666.cn/blog/2017/12/11/Code-audit.html)
+ [2018 PHP 应用程序安全设计指北 ](https://laravel-china.org/articles/7235/2018-php-application-security-design)

## java-Web
### 反序列
+ [Java_JSON反序列化之殇_看雪安全开发者峰会](https://github.com/shengqi158/fastjson-remote-code-execute-poc/blob/master/Java_JSON%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B9%8B%E6%AE%87_%E7%9C%8B%E9%9B%AA%E5%AE%89%E5%85%A8%E5%BC%80%E5%8F%91%E8%80%85%E5%B3%B0%E4%BC%9A.pdf)
+ [从反射链的构造看Java反序列漏洞](http://www.freebuf.com/news/150872.html)
+ [Java反序列化漏洞从理解到实践](http://bobao.360.cn/learning/detail/4474.html)
+ [Java 序列化与反序列化安全分析 ](http://mp.weixin.qq.com/s?__biz=MzI5ODE0ODA5MQ==&mid=2652278247&idx=1&sn=044893b732e4ffa267b00ffe1d9e4727&chksm=f7486473c03fed6525f0a869cbc4ddc03051cda92bb946377c4d831054954159542350768cf3&mpshare=1&scene=23&srcid=0919MUXFBglgDUEtLOha0wbo#rd)
+ [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet)
+ [如何攻击Java反序列化过程](http://bobao.360.cn/learning/detail/4267.html)
+ [深入理解JAVA反序列化漏洞](https://www.vulbox.com/knowledge/detail/?id=11)
+ [Attacking Java Deserialization](https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/)
+ [jackson反序列化详细分析](http://bobao.360.cn/learning/detail/4118.html)
+ [Java安全之反序列化漏洞分析 ](https://mp.weixin.qq.com/s?__biz=MzIzMzgxOTQ5NA==&mid=2247484200&idx=1&sn=8f3201f44e6374d65589d00d91f7148e)
+ [fastjson 反序列化漏洞 POC 分析 ](https://mp.weixin.qq.com/s/0a5krhX-V_yCkz-zDN5kGg)
+ [Apache Commons Collections反序列化漏洞学习](http://pirogue.org/2017/12/22/javaSerialKiller/)

### Struct2
+ [Struts2 命令执行系列回顾](http://www.zerokeeper.com/vul-analysis/struts2-command-execution-series-review.html)

### java-Web代码审计
+ [JAVA代码审计的一些Tips(附脚本)](https://xianzhi.aliyun.com/forum/topic/1633/)
+ [Java代码审计连载之—SQL注入](https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=22170&highlight=Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%BF%9E%E8%BD%BD)
+ [Java代码审计连载之—任意文件下载](https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=23587&highlight=Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%BF%9E%E8%BD%BD)
+ [Java代码审计连载之—XSS](https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=22875&highlight=Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%BF%9E%E8%BD%BD)
+ [Java代码审计连载之—添油加醋](https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=25475&highlight=Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E8%BF%9E%E8%BD%BD)
+ [JAVA安全编码与代码审计.md](https://github.com/Cryin/JavaID/blob/master/JAVA%E5%AE%89%E5%85%A8%E7%BC%96%E7%A0%81%E4%B8%8E%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1.md)
+ [Java代码审计PPT ](https://xianzhi.aliyun.com/forum/read/1904.html)

### 其他

+ [关于 JNDI 注入](http://bobao.360.cn/learning/detail/4564.html)
+ [层层放大java审计的攻击面 ](https://mp.weixin.qq.com/s/WT1EXEryUGGqHQpSi959xw)
+ [以Java的视角来聊聊SQL注入 ](https://mp.weixin.qq.com/s?__biz=MzIzMzgxOTQ5NA==&mid=2247483954&idx=1&sn=418b7e55b16c717ee5140af990298e22&chksm=e8fe9e3bdf89172d0670690060944bf2434cc2d2e8fba4477711299a0775cf3735a2022c0778#rd)
+ [站在Java的视角，深度分析防不胜防的小偷——“XSS” ](http://mp.weixin.qq.com/s?__biz=MzIzMzgxOTQ5NA==&mid=100000340&idx=1&sn=6ca4ec15ef6338daf1d4a907351d7c08&chksm=68fe9e5d5f89174b44fd0cae2e3d5c0018859d3d1dc6d60a2e16dcde34499ba224d6ea17a982#rd)
+ [你的 Java web 配置安全吗？ ](https://mp.weixin.qq.com/s?__biz=MzIzMzgxOTQ5NA==&mid=100000318&idx=1&sn=9011af3e3968e0d87499605ef1a68291&chksm=68fe9e375f8917213297855bd9e1ab1203ae4c9b0b5ca351de7b2c0f7a7799bd1f4843cd13f4#rd)
+ [spring任意文件读取](https://github.com/ilmila/springcss-cve-2014-3625/tree/master/src)
+ [在 Runtime.getRuntime().exec(String cmd) 中执行任意shell命令的几种方法](https://mp.weixin.qq.com/s/zCe_O37rdRqgN-Yvlq1FDg)

## python-Web
+ [python web 安全总结](http://bobao.360.cn/learning/detail/4522.html)
+ [Defencely Clarifies Python Object Injection Exploitation](http://defencely.com/blog/defencely-clarifies-python-object-injection-exploitation/)
+ [Exploiting Python Deserialization Vulnerabilities](https://crowdshield.com/blog.php?name=exploiting-python-deserialization-vulnerabilities)
+ [Explaining and exploiting deserialization vulnerability with Python(EN)](https://dan.lousqui.fr/explaining-and-exploiting-deserialization-vulnerability-with-python-en.html)
+ [Python PyYAML反序列化漏洞实验和Payload构造](http://www.polaris-lab.com/index.php/archives/375/)
+ [Python 格式化字符串漏洞（Django为例）](https://www.leavesongs.com/PENETRATION/python-string-format-vulnerability.html)
+ [format注入](http://www.venenof.com/index.php/archives/360/)
+ [Be Careful with Python's New-Style String Format](http://lucumr.pocoo.org/2016/12/29/careful-with-str-format/)
+ [Python urllib HTTP头注入漏洞](http://www.tuicool.com/articles/2iIj2eR)
+ [Hack Redis via Python urllib HTTP Header Injection](https://security.tencent.com/index.php/blog/msg/106)
+ [Python Waf黑名单过滤下的一些Bypass思路](http://www.0aa.me/index.php/archives/123/)
+ [Python沙箱逃逸的n种姿势](https://mp.weixin.qq.com/s/PLI-yjqmA3gwk5w3KHzOyA)
+ [利用内存破坏实现Python沙盒逃逸 ](https://mp.weixin.qq.com/s/s9fAskmp4Bb42OYsiQJFaw)
+ [Python Sandbox Bypass](https://mp.weixin.qq.com/s?__biz=MzIzOTQ5NjUzOQ==&mid=2247483665&idx=1&sn=4b18de09738fdc5291634db1ca2dd55a)
+ [pyt: 针对 Python 应用程序的源码静态分析工具](https://github.com/python-security/pyt)
+ [Exploiting Python PIL Module Command Execution Vulnerability](http://docs.ioin.in/writeup/github.com/_neargle_PIL_RCE_By_GhostButt/index.html)
+ [文件解压之过 Python中的代码执行](http://bobao.360.cn/learning/detail/4503.html)

## Node-js
+ [浅谈Node.js Web的安全问题](http://www.freebuf.com/articles/web/152891.html)
+ [node.js + postgres 从注入到Getshell](https://www.leavesongs.com/PENETRATION/node-postgres-code-execution-vulnerability.html)
+ [Pentesting Node.js Application : Nodejs Application Security(需翻墙)](http://www.websecgeeks.com/2017/04/pentesting-nodejs-application-nodejs.html)
+ [从零开始学习渗透Node.js应用程序 ](https://bbs.ichunqiu.com/thread-21810-1-1.html?from=sec)
+ [Node.js 中遇到含空格 URL 的神奇“Bug”——小范围深入 HTTP 协议](https://segmentfault.com/a/1190000012407268)

## WAF相关
+ [详谈WAF与静态统计分析](http://bobao.360.cn/learning/detail/4670.html)
+ [牛逼牛逼的payload和bypass总结](https://github.com/swisskyrepo/PayloadsAllTheThings)
+ [WAF绕过参考资料](http://www.mottoin.com/100887.html)
+ [浅谈WAF绕过技巧](http://www.freebuf.com/articles/web/136723.html)
+ [addslashes防注入的绕过案例](https://xianzhi.aliyun.com/forum/read/753.html?fpage=6)
+ [浅谈json参数解析对waf绕过的影响](https://xianzhi.aliyun.com/forum/read/553.html?fpage=8)
+ [WAF攻防研究之四个层次Bypass WAF](http://weibo.com/ttarticle/p/show?id=2309404007261092631700)
+ [使用HTTP头去绕过WAF ](http://www.sohu.com/a/110066439_468673)
+ [会找漏洞的时光机: Pinpointing Vulnerabilities](https://www.inforsec.org/wp/?p=1993)




# 渗透测试
## Course
+ [Web Service 渗透测试从入门到精通](http://bobao.360.cn/learning/detail/3741.html)
+ [渗透标准](https://www.processon.com/view/583e8834e4b08e31357bb727)
+ [Penetration Testing Tools Cheat Sheet](https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/)

## 信息收集
+ [看我如何收集全网IP的whois信息 ](https://mp.weixin.qq.com/s/qz0b42DKhgo1sfitcUKhtQ)
+ [浅谈Web渗透测试中的信息收集 ](http://www.freebuf.com/articles/web/142767.html)
+ [渗透测试教程：如何侦查目标以及收集信息？](http://www.4hou.com/penetration/6850.html)
+ [本屌的web漏洞扫描器思路 技巧总结（域名信息收集篇）](weibo.com/ttarticle/p/show?id=2309404088584863883789)
+ [子域名的艺术](http://www.91ri.org/17001.html)
+ [渗透测试向导之子域名枚举技术](http://www.freebuf.com/articles/network/161046.html)
+ [实例演示如何科学的进行子域名收集](http://bobao.360.cn/learning/detail/4119.html)
+ [【渗透神器系列】搜索引擎 ](http://thief.one/2017/05/19/1/)
+ [域渗透基础简单信息收集（基础篇）](https://xianzhi.aliyun.com/forum/read/805.html)
+ [内网渗透定位技术总结](http://docs.ioin.in/writeup/www.mottoin.com/_92978_html/index.html)
+ [后渗透攻防的信息收集](https://www.secpulse.com/archives/51527.html)
+ [安全攻城师系列文章－敏感信息收集](http://www.mottoin.com/99951.html)
+ [子域名枚举的艺术](http://www.mottoin.com/101362.html)
+ [论二级域名收集的各种姿势](https://mp.weixin.qq.com/s/ardCYdZzaSjvSIZiFraWGA)
+ [我眼中的渗透测试信息搜集](https://xianzhi.aliyun.com/forum/read/451.html?fpage=2)
+ [大型目标渗透－01入侵信息搜集](https://xianzhi.aliyun.com/forum/read/1675.html)
+ [乙方渗透测试之信息收集](http://www.cnnetarmy.com/%E4%B9%99%E6%96%B9%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B9%8B%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/)
+ [挖洞技巧：信息泄露之总结](https://www.anquanke.com/post/id/94787)

## 渗透
+ [【玩转Linux系统】Linux内网渗透 ](https://mp.weixin.qq.com/s/VJBnXq3--0HBD7eVeifOKA)
+ [渗透测试指南之域用户组的范围](http://www.4hou.com/penetration/7016.html)
+ [内网主机发现技巧补充](http://mp.weixin.qq.com/s/l-Avt72ajCIo5GdMEwVx7A)
+ [Linux 端口转发特征总结 ](https://mp.weixin.qq.com/s?__biz=MzA3Mzk1MDk1NA==&mid=2651903919&idx=1&sn=686cc53137aa9e8ec323dda1e54a2c23)
+ [内网渗透（持续更新） ](http://rcoil.me/2017/06/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F/)
+ [实战 SSH 端口转发](https://www.ibm.com/developerworks/cn/linux/l-cn-sshforward/index.html)
+ [多重转发渗透隐藏内网](http://bobao.360.cn/learning/detail/3545.html)
+ [内网转发姿势](http://www.03sec.com/3141.shtml)
+ [内网转发的工具](https://mp.weixin.qq.com/s/EWL9-AUB_bTf7pU4S4A2zg)
+ [Linux 下多种反弹 shell 方法](http://www.03sec.com/3140.shtml)
+ [linux各种一句话反弹shell总结](http://bobao.360.cn/learning/detail/4551.html)
+ [php 反弹shell](http://wolvez.club/?p=458)
+ [利用ew轻松穿透多级目标内网](https://klionsec.github.io/2017/08/05/ew-tunnel/)
+ [windows内网渗透杂谈](https://bl4ck.in/penetration/2017/03/20/windows%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%E6%9D%82%E8%B0%88.html)
+ [Windows域横向渗透](http://docs.ioin.in/writeup/www.mottoin.com/_89413_html/index.html)
+ [内网渗透中转发工具总结](http://blog.neargle.com/SecNewsBak/drops/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%E4%B8%AD%E8%BD%AC%E5%8F%91%E5%B7%A5%E5%85%B7%E6%80%BB%E7%BB%93.html)
+ [内网渗透思路整理与工具使用](http://bobao.360.cn/learning/detail/3683.html)
+ [Cobalt strike在内网渗透中的使用 ](http://www.freebuf.com/sectool/125237.html)
+ [反向socks5代理(windows版)](http://x95.org/archives/reverse-socks5-proxy.html)
+ [Windows渗透基础](http://www.mottoin.com/89355.html)
+ [通过双重跳板漫游隔离内网](https://xianzhi.aliyun.com/forum/read/768.html)
+ [A Red Teamer's guide to pivoting](https://artkond.com/2017/03/23/pivoting-guide/)
+ [穿越边界的姿势 ](https://mp.weixin.qq.com/s/l-0sWU4ijMOQWqRgsWcNFA)
+ [内网端口转发及穿透](https://xianzhi.aliyun.com/forum/read/1715.html)
+ [秘密渗透内网——利用 DNS 建立 VPN 传输隧道](http://www.4hou.com/technology/3143.html)
+ [Reverse Shell Cheat Sheet](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
+ [我所了解的内网渗透——内网渗透知识大总结](https://www.anquanke.com/post/id/92646)

## 渗透实战
+ [挖洞经验 | 看我如何综合利用4个漏洞实现GitHub Enterprise远程代码执行 ](http://www.freebuf.com/news/142680.html)
+ [Splash SSRF到获取内网服务器ROOT权限](http://bobao.360.cn/learning/detail/4113.html)
+ [Pivoting from blind SSRF to RCE with HashiCorp Consul](http://www.kernelpicnic.net/2017/05/29/Pivoting-from-blind-SSRF-to-RCE-with-Hashicorp-Consul.html)
+ [我是如何通过命令执行到最终获取内网Root权限的 ](http://www.freebuf.com/articles/web/141579.html)
+ [信息收集之SVN源代码社工获取及渗透实战](https://xianzhi.aliyun.com/forum/read/1629.html)
+ [SQL注入+XXE+文件遍历漏洞组合拳渗透Deutsche Telekom](http://paper.seebug.org/256/)
+ [渗透 Hacking Team](http://blog.neargle.com/SecNewsBak/drops/%E6%B8%97%E9%80%8FHacking%20Team%E8%BF%87%E7%A8%8B.html)
+ [由视频系统SQL注入到服务器权限](https://bbs.ichunqiu.com/thread-25827-1-1.html?from=sec)
+ [From Serialized to Shell :: Exploiting Google Web Toolkit with EL Injection](http://srcincite.io/blog/2017/05/22/from-serialized-to-shell-auditing-google-web-toolkit-with-el-injection.html)
+ [浅谈渗透测试实战](http://docs.ioin.in/writeup/avfisher.win/_archives_381/index.html)
+ [渗透测试学习笔记之案例一](http://avfisher.win/archives/741)
+ [渗透测试学习笔记之案例二](http://avfisher.win/archives/756)
+ [渗透测试学习笔记之案例四](http://avfisher.win/archives/784)
+ [记一次内网渗透](http://killbit.me/2017/09/11/%E8%AE%B0%E4%B8%80%E6%AC%A1%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F/)

## 提权
+ [提权技巧](http://www.secbox.cn/skill/5583.html)
+ [linux-kernel-exploits Linux平台提权漏洞集合](https://github.com/SecWiki/linux-kernel-exploits)
+ [windows-kernel-exploits Windows平台提权漏洞集合 ](https://github.com/SecWiki/windows-kernel-exploits)
+ [Linux MySQL Udf 提权](http://www.91ri.org/16540.html)
+ [windows提权系列上篇](http://mp.weixin.qq.com/s/uOArxXIfcI4fjqnF9BDJGA)
+ [Windows提权系列中篇](https://mp.weixin.qq.com/s/ERXOLhWo0-lJbMV143I8hA)
+ [获取SYSTEM权限的多种姿势](http://bobao.360.cn/learning/detail/4740.html)

## 渗透技巧
+ [乙方渗透测试之Fuzz爆破](http://www.cnnetarmy.com/%E4%B9%99%E6%96%B9%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B9%8BFuzz%E7%88%86%E7%A0%B4/)
+ [域渗透神器Empire安装和简单使用 ](https://mp.weixin.qq.com/s/VqrUTW9z-yi3LqNNy-lE-Q)
+ [如何将简单的Shell转换成为完全交互式的TTY ](http://www.freebuf.com/news/142195.html)
+ [60字节 - 无文件渗透测试实验](https://www.n0tr00t.com/2017/03/09/penetration-test-without-file.html)
+ [内网渗透思路探索之新思路的探索与验证](http://www.tuicool.com/articles/fMFB3mY)
+ [Web端口复用正向后门研究实现与防御 ](http://www.freebuf.com/articles/web/142628.html)
+ [谈谈端口探测的经验与原理](http://www.freebuf.com/articles/network/146087.html)
+ [端口渗透总结](http://docs.ioin.in/writeup/blog.heysec.org/_archives_577/index.html)
+ [端口扫描那些事](https://mp.weixin.qq.com/s?__biz=MzI5MDQ2NjExOQ==&mid=2247484812&idx=1&sn=7d894b50b3947142fbfa3a4016f748d5&chksm=ec1e35a4db69bcb2acfe7ecb3b0cd1d366c54bfa1feaafc62c4290b3fd2eddab9aa95a98f041#rd)
+ [渗透技巧——通过cmd上传文件的N种方法 ](http://blog.neargle.com/SecNewsBak/drops/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7%E2%80%94%E2%80%94%E9%80%9A%E8%BF%87cmd%E4%B8%8A%E4%BC%A0%E6%96%87%E4%BB%B6%E7%9A%84N%E7%A7%8D%E6%96%B9%E6%B3%95.html)
+ [域渗透TIPS：获取LAPS管理员密码 ](http://www.freebuf.com/articles/web/142659.html)
+ [域渗透——Security Support Provider](http://blog.neargle.com/SecNewsBak/drops/%E5%9F%9F%E6%B8%97%E9%80%8F%E2%80%94%E2%80%94Security%20Support%20Provider.html)
+ [内网渗透随想](http://docs.ioin.in/writeup/www.91ri.org/_14390_html/index.html)
+ [域渗透之流量劫持](http://bobao.360.cn/learning/detail/3266.html)
+ [渗透技巧——快捷方式文件的参数隐藏技巧](https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E5%BF%AB%E6%8D%B7%E6%96%B9%E5%BC%8F%E6%96%87%E4%BB%B6%E7%9A%84%E5%8F%82%E6%95%B0%E9%9A%90%E8%97%8F%E6%8A%80%E5%B7%A7/)
+ [后门整理](https://bbs.ichunqiu.com/thread-25119-1-1.html?from=sec)
+ [Linux后门整理合集（脉搏推荐）](https://www.secpulse.com/archives/59674.html)

## 运维
+ [安全运维那些洞 ](https://mp.weixin.qq.com/s/5TfAF5-HR8iDA_qSIJkQ0Q)
+ [美团外卖自动化业务运维系统建设](https://tech.meituan.com/digger_share.html)
+ [饿了么运维基础设施进化史 ](https://mp.weixin.qq.com/s?__biz=MzA4Nzg5Nzc5OA==&mid=2651668800&idx=1&sn=615af5f120d1298475aaf4825009cb30&chksm=8bcb82e9bcbc0bff6309d9bbaf69cfc591624206b846e00d5004a68182c934dab921b7c25794&scene=38#wechat_redirect)
+ [nginx配置一篇足矣](http://www.xuxiaobo.com/?p=3869)
+ [Docker Remote API的安全配置 ](http://p0sec.net/index.php/archives/115/)
+ [Apache服务器安全配置 ](http://foreversong.cn/archives/789)
+ [IIS服务器安全配置](http://foreversong.cn/archives/803)
+ [Tomcat服务器安全配置](http://foreversong.cn/archives/816)
+ [互联网企业安全之端口监控 ](https://mp.weixin.qq.com/s/SJKeXegWG3OQo4r0nBs7xQ)
+ [Linux应急响应姿势浅谈](http://bobao.360.cn/learning/detail/4481.html)
+ [黑客入侵应急分析手工排查](https://xianzhi.aliyun.com/forum/read/1655.html)
+ [企业常见服务漏洞检测&修复整理](http://www.mottoin.com/92742.html)
+ [Linux基线加固](https://mp.weixin.qq.com/s/0nxiZw1NUoQTjxcd3zl6Zg)
+ [Apache server security: 10 tips to secure installation](https://www.acunetix.com/blog/articles/10-tips-secure-apache-installation/)
+ [Oracle数据库运维中的攻防实战（全） ](https://mp.weixin.qq.com/s/dpvBo6Bat5u4t8kSFRcv9w)
+ [Linux服务器上监控网络带宽的18个常用命令](http://www.xuxiaobo.com/?p=3950)
## DDOS
+ [DDoS攻防补遗 ](https://yq.aliyun.com/articles/1795)
+ [反射DDOS攻击防御的一点小想法 ](http://www.freebuf.com/column/138163.html)
+ [DDOS攻击方式总结](https://www.secpulse.com/archives/64088.html	)
+ [DDoS防御和DDoS防护方法 你帮忙看看这7个说法靠不靠谱](http://toutiao.secjia.com/ddos-7tips)
+ [DDoS防御和DDoS防护 来看个人站长、果壳网和安全公司怎么说 ](http://toutiao.secjia.com/ddos-prevention-protection)
+ [DDoS防御之大流量DDoS防护方案 还有计算器估算损失](http://toutiao.secjia.com/ddos-prevention-protection-2)
+ [freeBuf专栏 ](http://www.freebuf.com/author/%e9%bb%91%e6%88%88%e7%88%be)
+ [遭受CC攻击的处理](http://www.xuxiaobo.com/?p=3923)

# CTF
## 技巧总结
+ [CTF线下防御战 — 让你的靶机变成“铜墙铁壁”](http://bobao.360.cn/ctf/detail/210.html)
+ [ctf-wiki](https://ctf-wiki.github.io/ctf-wiki/#/introduction)
+ [CTF中那些脑洞大开的编码和加密](https://www.hackfun.org/CTF/coding-and-encryption-of-those-brain-holes-in-CTF.html)
+ [CTF加密与解密 ](http://thief.one/2017/06/13/1/)
+ [CTF中图片隐藏文件分离方法总结](https://www.hackfun.org/CTF/summary-of-image-hiding-files-in-CTF.html)
+ [Md5扩展攻击的原理和应用](http://www.freebuf.com/articles/database/137129.html)
+ [CTF比赛中关于zip的总结](http://bobao.360.cn/ctf/detail/203.html)
+ [十五个Web狗的CTF出题套路](http://weibo.com/ttarticle/p/show?id=2309403980950244591011)
+ [CTF备忘录](https://827977014.docs.qq.com/Bt2v7IZWnYo?type=1&_wv=1&_bid=2517)
+ [rcoil:CTF线下攻防赛总结](http://rcoil.me/2017/06/CTF%E7%BA%BF%E4%B8%8B%E8%B5%9B%E6%80%BB%E7%BB%93/)
+ [CTF内存取证入坑指南！稳！](http://www.freebuf.com/column/152545.html)

# 杂
+ [细致分析Padding Oracle渗透测试全解析 ](http://www.freebuf.com/articles/database/150606.html)
+ [Exploring Compilation from TypeScript to WebAssembly](https://medium.com/web-on-the-edge/exploring-compilation-from-typescript-to-webassembly-f846d6befc12)
+ [High-Level Approaches for Finding Vulnerabilities](http://jackson.thuraisamy.me/finding-vulnerabilities.html)
+ [谈谈HTML5本地存储——WebStorage](http://syean.cn/2017/08/15/%E8%B0%88%E8%B0%88HTML5%E6%9C%AC%E5%9C%B0%E5%AD%98%E5%82%A8%E2%80%94%E2%80%94WebStorage/)
+ [Linux下容易被忽视的那些命令用法](https://segmentfault.com/p/1210000010668099/read)
+ [各种脚本语言不同版本一句话开启 HTTP 服务器的总结](http://www.mottoin.com/94895.html)
+ [WebAssembly入门：将字节码带入Web世界](http://bobao.360.cn/learning/detail/3757.html)
+ [phpwind 利用哈希长度扩展攻击进行getshell](https://www.leavesongs.com/PENETRATION/phpwind-hash-length-extension-attack.html)
+ [深入理解hash长度扩展攻击（sha1为例） ](http://www.freebuf.com/articles/web/69264.html)
+ [Joomla 框架的程序执行流程及目录结构分析](http://bobao.360.cn/learning/detail/3909.html)
+ [如何通过恶意插件在Atom中植入后门](http://bobao.360.cn/learning/detail/4268.html)
+ [CRLF Injection and Bypass Tencent WAF ](https://zhchbin.github.io/2016/01/31/CRLF-Injection-and-Bypass-WAF/)
+ [Web之困笔记](http://www.au1ge.xyz/2017/08/09/web%E4%B9%8B%E5%9B%B0%E7%AC%94%E8%AE%B0/)
+ [技术详解：基于Web的LDAP注入漏洞](http://www.4hou.com/technology/9090.html)