A list of useful payloads and bypass for Web Application Security and Pentest/CTF

Impacket is a collection of Python classes for working with network protocols.

Web path scanner

Fast subdomains enumeration tool for penetration testers

Credentials recovery project

OneForAll是一款功能强大的子域收集工具

You Know, For WEB Fuzzing ! 日站用的字典。

Web application fuzzer

爆破字典

A python script that finds endpoints in JavaScript files

巡风是一款适用于企业内网的漏洞快速应急，巡航扫描系统。

A fast sub domain brute tool for pentesters

A `.git` folder disclosure exploit

WPA/WPA2 密码字典，用于 wifi 密码暴力破解

This tool generates gopher link for exploiting SSRF and gaining RCE in various servers

The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.

JSFinder is a tool for quickly extracting URLs and subdomains from JS files on a website.

各种漏洞poc、Exp的收集或编写

A fast vulnerability scanner helps pentesters pinpoint possibly vulnerable targets from a large number of web servers

Stealing Signatures and Making One Invalid Signature at a Time

Firefox Decrypt is a tool to extract passwords from Mozilla (Firefox™, Waterfox™, Thunderbird®, SeaMonkey®) profiles

渗透测试插件化并发框架 / Open-sourced remote vulnerability PoC/EXP framework

Windows exploits, mostly precompiled. Not being updated. Check https://github.com/SecWiki/windows-kernel-exploits instead.

A tool to find subdomains and interesting things hidden inside, external Javascript files of page, folder, and Github.

Test tool for CVE-2020-1472

A .DS_Store file disclosure exploit. It parses .DS_Store file and downloads files recursively.

🕷️ A `.git` folder exploiting tool that is able to restore the entire Git repository, including stash, common branches and common tags.

Python2编写的struts2漏洞全版本检测和利用工具

MySQL Fake Server use to help MySQL Client File Reading and JDBC Client Java Deserialize

口令爆破字典，有键盘组合字典、拼音字典、字母与数字混合这三种类型