CodeQL extractor for java, which don't need to compile java source

Reverse proxies cheatsheet

An exhaustive list of all the possible ways you can chain your Blind SSRF vulnerability

Academic papers and articles that I read related to web hacking, fuzzing, etc. / 阅读过的Web安全方向、模糊测试方向的一些论文与阅读笔记

One place for all the default credentials to assist the Blue/Red teamers identifying devices with default password 🛡️

KunLun-M是一个完全开源的静态白盒扫描工具，支持PHP、JavaScript的语义扫描，基础安全、组件安全扫描，Chrome Ext\Solidity的基础扫描。

红队作战中比较常遇到的一些重点系统漏洞整理。

从零开始内网渗透学习

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

This is a webshell open source project

快速搭建各种漏洞环境(Various vulnerability environment)

AoiAWD-专为比赛设计，便携性好，低权限运行的EDR系统。

This tool generates gopher link for exploiting SSRF and gaining RCE in various servers

PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.

Java RMI enumeration and attack tool.

盘点近年来的数据泄露、供应链污染事件

Exphub[漏洞利用脚本库] 包括Webloigc、Struts2、Tomcat、Nexus、Solr、Jboss、Drupal的漏洞利用脚本，最新添加CVE-2020-14882、CVE-2020-11444、CVE-2020-10204、CVE-2020-10199、CVE-2020-1938、CVE-2020-2551、CVE-2020-2555、CVE-2020-2883、CVE-…

Pre-Built Vulnerable Environments Based on Docker-Compose

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, se…