Stars
A list of useful payloads and bypasses for Web Application Security and Pentest/CTF
📱 objection - runtime mobile exploration
EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
A frida tool to dump dex in memory to support security engineers analyzing malware.
oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way.
Investigate malicious Windows logon by visualizing and analyzing Windows event log
Tool for Active Directory Certificate Services enumeration and abuse
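WeChatOpenDevTool: force-enable the developer tools for WeChat mini programs
Bypass firewall for traffic forwarding using webshell. A tool for getting outbound network access by forwarding traffic through a webshell
MySQL Fake Server used to help with MySQL client file reading and JDBC client Java deserialization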
CTF Archives: Collection of CTF Challenges.
mssqlproxy is a toolkit aimed to perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse
A blind XXE injection callback handler. Uses HTTP and FTP to extract information. Originally written in Ruby by ONsec-Lab.
Modified version of impacket wmiexec.py: gets output (data, response) from the registry, doesn't need an SMB connection, also bypassing antivirus software in lateral movement like WMIHACKER.
Exfiltrate blind remote code execution output over DNS via Burp Collaborator.
xmind\code\articles for my personal blog. Backup storage for the resources on my personal blog, and a summary of what I have shared
This tool was written as a PoC for the article https://waf.ninja/libinjection-fuzz-to-bypass/