Web Security
Pentest
tunnel
- suo5 : A high-performance HTTP proxy tunneling tool
- icmptunnel : Transparently tunnel your IP traffic through ICMP echo and reply packets.
- awesome-tunneling : List of ngrok alternatives and other ngrok-like tunneling software and services. Focus on self-hosting.
LPE
C&C
- CHAOS
- byob
- Havoc
- sliver : Adversary Emulation Framework
- Quasar : Remote Administration Tool for Windows
Bypass AV
- BypassAV : This map lists the essential techniques to bypass anti-virus and EDR
- NTDLLReflection : Bypass Userland EDR hooks by Loading Reflective Ntdll in memory from a remote server based on Windows ReleaseID to avoid opening a handle to ntdll , and trigger exported APIs from the export table
botnet
- enemy : enemy SSH Telnet IoT botnet
Exploit
Weblogic
- CVE-2023-21839: Weblogic CVE-2023-21839 RCE (one-click RCE with no Java dependency)
Fortinet
- CVE-2022-39952 : POC for CVE-2022-39952 affecting Fortinet FortiNAC
Vul Database
Other Tools
- BinaryCutting-Tool: Binary file splitting & merging tool
- SecretScanner : Find secrets and passwords in container images and file systems
- secrets-patterns-db : Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more.
- RedTeam-Tools : Tools and Techniques for Red Team / Penetration Testing
Resources
- RedTeaming-Tactics-and-Techniques : Red Teaming Tactics and Techniques
Basic Vul type
XSS
- weaponised-XSS-payloads : XSS payloads designed to turn alert(1) into P1
Dependency Confusion Attack
- Dependency-Confusion : All About Dependency Confusion Attack, (Detecting, Finding, Mitigating)
Code Audit
Java
resources
blogs
tools
JavaScript
tools
- sourcemapper: Extract JavaScript source trees from Sourcemap files
PHP
ASP.NET
resources
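- awesome-dotnet-security : A collection of C# code-audit resources; essential for getting started
- doNet 安全矩阵 : One of the few WeChat official accounts dedicated to .NET security
- WebGoat.Net : Practice range
- NET-Deserialize : A summary of ten articles on .NET deserialization, continuously updated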
- SharpSphere : .NET Project for Attacking vCenter
- pyvmomi : VMware vSphere API Python Bindings
blogs
tools
- Fortify SCA : Code audit tool
- puma-scan : Puma Scan is a software security Visual Studio extension that provides real time, continuous source code analysis as development teams write code.
- dotnet-retire : Open source vulnerability scanner for .NET Core projects
- RedCsharp: Collection of C# projects. Useful for pentesting and redteaming.
Web 3.0
- Awesome-web3-Security : A curated list of web3Security materials and resources For Pentesters and Bug Hunters.
Cloud Security
- Attack_Code : The detailed full text of the article Attack Code; hopefully a good introduction to cloud security
BlueTeam
tools
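- Huorong-ATP-Rules : Custom Huorong protection rules written based on MITRE ATT&CK™ and malware behavior characteristics.
Documentation & Mind Maps
- Mindmap: Mind maps covering many network security techniques, methods, courses, and certifications.
- sec-chart : A collection of security mind maps
- SecMind : Security mind maps
- Red-Team : Red-Team Attack Guide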
- APT_REPORT : Interesting APT Report Collection And Some Special IOC
Binary Security
Reverse
- Sekiryu : Automatic decompilation and analysis of binary files with your favorite decompiler and ChatGPT
- obfuscation_detection : Scripts and a Binary Ninja plugin to pinpoint obfuscated code
- ImHex : A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM.
Fuzz
- clusterfuzz : Scalable fuzzing infrastructure.
AIGC
- awesome-chatgpt-prompts-zh : ChatGPT Chinese prompt-tuning guide. Usage guides for various scenarios. Learn how to make it do what you say.
Other Tools
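- TrafficMonitor : A desktop floating-window application that displays the current network speed and CPU and memory usage; it also supports display in the taskbar and changeable skins.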