From 1d588c0fd1ce5061ae8cb0e20c1851d81474083c Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Sun, 10 Dec 2023 16:07:18 +0800 Subject: [PATCH 01/41] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Apache Struts2 文件上传分析(S2-066) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 998b2d6..d8f412a 100644 --- a/README.md +++ b/README.md @@ -221,7 +221,7 @@ - [S2-032学习(清空_memberAccess当中excludedXXX限制通过构造函数调用/使用DefaultMemberAccess覆盖SecurityMemberAccess绕过限制)](https://github.com/Y4tacker/JavaSec/blob/main/7.Struts2%E4%B8%93%E5%8C%BA/S2-032%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/index.md) - [S2-045学习(通过container获取全局共享的OgnlUtil实例来清除SecurityMemberAccess当中属性的限制)](https://github.com/Y4tacker/JavaSec/blob/main/7.Struts2%E4%B8%93%E5%8C%BA/S2-045%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/index.md) - [S2-057学习(突破#context被删除限制,从attr作用域获取context对象)](https://github.com/Y4tacker/JavaSec/blob/main/7.Struts2%E4%B8%93%E5%8C%BA/S2-057%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/index.md) - +- [S2-066学习(变量覆盖的有趣的例子)](https://y4tacker.github.io/2023/12/09/year/2023/12/Apache-Struts2-%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%86%E6%9E%90-S2-066/) ## 8.关于Tomcat的一些小研究 From b0b9d97ee735338c1d57a78d9289a015eea9c958 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 14 Dec 2023 23:06:09 +0800 Subject: [PATCH 02/41] Update README.md CrushFTP Unauthenticated Remote Code Execution(CVE-2023-43177) --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index d8f412a..8027373 100644 --- a/README.md +++ b/README.md 
@@ -396,6 +396,7 @@ - [UNAUTHENTICATED SERVER SIDE REQUEST FORGERY & CRLF INJECTION IN GEOSERVER WMS(CRLF注入的好例子)](https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms) - [JetBrains TeamCity 任意代码执行漏洞分析(CVE-2023-42793)](https://forum.butian.net/share/2514) - [SysAid On-Prem Software(CVE-2023-47246)](https://forum.butian.net/share/2577) + - [CrushFTP Unauthenticated Remote Code Execution(CVE-2023-43177)](https://y4tacker.github.io/2023/12/10/year/2023/12/CrushFTP-Unauthenticated-Remote-Code-Execution-CVE-2023-43177/) From 0fd015423adb489d84b5882e002a8cc67afea0e7 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Tue, 19 Dec 2023 17:13:23 +0800 Subject: [PATCH 03/41] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 任意文件下载漏洞的利用思考(总结非常细!) --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 8027373..5487138 100644 --- a/README.md +++ b/README.md @@ -477,6 +477,7 @@ - [某软件监控页面RCE漏洞分析(虽然过于简单,但是可以借此了解下OA系统)](https://xz.aliyun.com/t/11778) - [JDK-Xalan的XSLT整数截断漏洞利用构造](https://mp.weixin.qq.com/s/xxAtjFvk9RxWiY-pwGf8Ow) - [某Cloud系统漏洞分析](https://forum.butian.net/share/2529) +- [任意文件下载漏洞的利用思考(总结非常细!)](https://mp.weixin.qq.com/s/3y62xuQJAj2gmtBSKvHHug) ## 比赛反思 From ce90a5fd10ef21877bc141a21bce49726d3e27ff Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 21 Dec 2023 10:31:22 +0800 Subject: [PATCH 04/41] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 浅谈Spring与安全约束SecurityConstraint --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 5487138..e5359ea 100644 --- a/README.md +++ b/README.md 
@@ -276,6 +276,7 @@ ## 11.Spring +-[浅谈Spring与安全约束SecurityConstraint](https://forum.butian.net/index.php/share/2283) - [SpirngBoot下结合Tomcat实现无OOB方式下的回显](https://github.com/Y4tacker/JavaSec/blob/main/5.%E5%86%85%E5%AD%98%E9%A9%AC%E5%AD%A6%E4%B9%A0/Spring/springboot-tomcat%E5%9B%9E%E6%98%BE/index.md) From c49b9b5c8eb7c21fb69a748a7aa7a5b21299a245 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 21 Dec 2023 10:31:55 +0800 Subject: [PATCH 05/41] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e5359ea..53aa0eb 100644 --- a/README.md +++ b/README.md @@ -276,7 +276,7 @@ ## 11.Spring --[浅谈Spring与安全约束SecurityConstraint](https://forum.butian.net/index.php/share/2283) +- [浅谈Spring与安全约束SecurityConstraint](https://forum.butian.net/index.php/share/2283) - [SpirngBoot下结合Tomcat实现无OOB方式下的回显](https://github.com/Y4tacker/JavaSec/blob/main/5.%E5%86%85%E5%AD%98%E9%A9%AC%E5%AD%A6%E4%B9%A0/Spring/springboot-tomcat%E5%9B%9E%E6%98%BE/index.md) From a90959efc899541adea965422ade4e8a375c79d5 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 21 Dec 2023 10:37:47 +0800 Subject: [PATCH 06/41] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 53aa0eb..f97791b 100644 --- a/README.md +++ b/README.md @@ -276,6 +276,7 @@ ## 11.Spring +- [浅谈SpringWeb请求解析过程(很不错的文章把低版本一些绕过的特性基本都提到了)](https://forum.butian.net/share/2214) - [浅谈Spring与安全约束SecurityConstraint](https://forum.butian.net/index.php/share/2283) - [SpirngBoot下结合Tomcat实现无OOB方式下的回显](https://github.com/Y4tacker/JavaSec/blob/main/5.%E5%86%85%E5%AD%98%E9%A9%AC%E5%AD%A6%E4%B9%A0/Spring/springboot-tomcat%E5%9B%9E%E6%98%BE/index.md) From 51f90702af465a58323016da55ea2e024cb4e316 Mon Sep 17 00:00:00 2001 
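Review bot: the list item added in PATCH 04/41 (`+-[浅谈Spring与安全约束SecurityConstraint](https://forum.butian.net/index.php/share/2283)`) is missing the space after the leading hyphen, so Markdown will not render it as a bullet under `## 11.Spring`; PATCH 05/41 exists only to insert that space, so the two commits should be squashed into one before merging rather than landing a broken line and its fix separately.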
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Fri, 22 Dec 2023 21:26:37 +0800 Subject: [PATCH 07/41] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index f97791b..857f92a 100644 --- a/README.md +++ b/README.md @@ -442,6 +442,7 @@ ## 19.ASM与JVM学习 +- [目前看到关于ASM框架最详细的学习教程](https://lsieun.github.io/java/asm/) - [JAVA虚拟机执行模型(关注引入了栈映射帧,用于加快虚拟机中类验证过程的速度)](https://www.cnblogs.com/coding-way/p/6600647.html) - [What is a stack map frame](https://stackoverflow.com/questions/25109942/what-is-a-stack-map-frame) - 这里比较有意思的是:Java 1.7引入了此选项以加速类验证。框架分为两部分:变量类型和堆栈类型。第一帧由方法类型描述。在每个GOTO / JUMP调用之后,您需要提供堆栈映射框架的更新描述。为了节省空间,可以使用SAME,APPEND等选项,也可以通过指定变量类型的FULL数组再次描述所有变量。 From e581e2915cde55755a4b8eac8f5dc99888bb33b0 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Sat, 23 Dec 2023 02:01:01 +0800 Subject: [PATCH 08/41] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 更新2023补天白帽大会议题 --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 857f92a..bb548da 100644 --- a/README.md +++ b/README.md @@ -439,15 +439,17 @@ - [网上看到的Jetty的部分解析特性(支持%uxxx)](https://www.wangan.com/p/7fyg8k2c7781675a) - ## 19.ASM与JVM学习 -- [目前看到关于ASM框架最详细的学习教程](https://lsieun.github.io/java/asm/) + - [JAVA虚拟机执行模型(关注引入了栈映射帧,用于加快虚拟机中类验证过程的速度)](https://www.cnblogs.com/coding-way/p/6600647.html) - [What is a stack map frame](https://stackoverflow.com/questions/25109942/what-is-a-stack-map-frame) - 这里比较有意思的是:Java 1.7引入了此选项以加速类验证。框架分为两部分:变量类型和堆栈类型。第一帧由方法类型描述。在每个GOTO / JUMP调用之后,您需要提供堆栈映射框架的更新描述。为了节省空间,可以使用SAME,APPEND等选项,也可以通过指定变量类型的FULL数组再次描述所有变量。 - [为什么JVM需要DUP指令](https://www.cnblogs.com/clayjj/p/7698035.html) +## 20.议题 +- [Hacking FernFlower](https://y4tacker.github.io/2023/12/22/year/2023/12/Hacking-FernFlower/) + ## 其他分享 From 7b3210f822128a65dbd04a399ffce86d87e7c195 Mon Sep 17 00:00:00 2001 
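Review bot: PATCH 08/41 silently removes the `目前看到关于ASM框架最详细的学习教程` entry (https://lsieun.github.io/java/asm/) that PATCH 07/41 had just added under `## 19.ASM与JVM学习`, replacing it with an empty line, while the commit message only mentions adding the 2023 conference-talk section (`## 20.议题`). If dropping the ASM tutorial is intended, state it in the message; otherwise restore the line, or squash PATCH 07 and 08 so the add/remove pair disappears from the history.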
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Wed, 27 Dec 2023 22:40:13 +0800 Subject: [PATCH 09/41] Update README.md --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index bb548da..6b33142 100644 --- a/README.md +++ b/README.md @@ -373,6 +373,9 @@ - [Apache Airflow: Bypass permission verification to view task instances of other dags(CVE-2023-42663)](https://hackerone.com/reports/2208656) - [Apache Jackrabbit RMI 远程代码执行漏洞分析(CVE-2023-37895)(这个漏洞适合了解RMI攻击的基础)](https://xz.aliyun.com/t/13118) - [Apache ActiveMQ Jolokia远程代码执行不依赖JDK打法](https://y4tacker.github.io/2023/11/30/year/2023/11/Apache-ActiveMQ-Jolokia%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E4%B8%8D%E4%BE%9D%E8%B5%96JDK%E6%89%93%E6%B3%95/) + - Apache OFBiz + - [Apache OFBiz漏洞 CVE-2023-49070 的前世今生(非常详细)](https://mp.weixin.qq.com/s/iAvitO6otPdHSu1SjRNX3g) + - [Apache OFBiz未授权命令执行浅析(CVE-2023-51467)](https://y4tacker.github.io/2023/12/27/year/2023/12/Apache-OFBiz%E6%9C%AA%E6%8E%88%E6%9D%83%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%B5%85%E6%9E%90-CVE-2023-51467/) - Oracle - [Oracle E-Business Suite Unauthenticated RCE](https://github.com/Y4tacker/JavaSec/blob/main/16.%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/CVE-2022-21587/index.md) - [Exploiting an Order of Operations Bug to Achieve RCE in Oracle Opera](https://blog.assetnote.io/2023/04/30/rce-oracle-opera/) From 99d8e846427c22efadd5c4c8d1c19db8eba17427 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 28 Dec 2023 09:34:53 +0800 Subject: [PATCH 10/41] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6b33142..8171c92 100644 --- a/README.md +++ b/README.md 
@@ -385,7 +385,7 @@ - Nacos - [Aliababa Nacos hessian JRaft反序列化(文章里提到的只能打一次有误,后经过研究可以打多次)](https://y4er.com/posts/nacos-hessian-rce/ ) - - [Nacos 多次打非完全体方案(这人也没完全考虑到容错,但是网上暂时只有这人的,实际上在构建WriteRequest缺少setOperation)(慎用!别把别人打崩了!)](https://github.com/c0olw/NacosRce) + - [Nacos 多次打非完美方案(这人也没完全考虑到容错,但是网上暂时只有这人的,实际上在构建WriteRequest缺少setOperation)(慎用!别把别人打崩了!)](https://github.com/c0olw/NacosRce) - Adobe - [CVE-2023-29298: Adobe ColdFusion Access Control Bypass](https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/) From 88f23665f74361d42a42c527ed8866ae214f666f Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 8 Jan 2024 18:43:08 +0800 Subject: [PATCH 11/41] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 8171c92..a6186c1 100644 --- a/README.md +++ b/README.md 
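Review bot: the unchanged context line directly above the edited Nacos entry in PATCH 10/41 has a stray space inside the link target (`https://y4er.com/posts/nacos-hessian-rce/ )`), which Markdown renders as a broken link; since this hunk already touches the adjacent line, remove that space here. The wording change on the edited line itself (`非完全体方案` to `非完美方案`) is fine.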
@@ -367,6 +367,7 @@ - [Apache Commons JXPath 远程代码执行](https://github.com/Y4tacker/JavaSec/blob/main/16.%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/CVE-2022-41852/index.md) - [Apache Commons Text 远程代码执行](https://github.com/Y4tacker/JavaSec/blob/main/16.%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/CVE-2022-42889/index.md) - [Log4j2-RCE分析](http://blog.gm7.org/%E4%B8%AA%E4%BA%BA%E7%9F%A5%E8%AF%86%E5%BA%93/02.%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1/01.Java%E5%AE%89%E5%85%A8/03.%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/06.log4j2_rce%E5%88%86%E6%9E%90.html#%E5%A4%8D%E7%8E%B0) + - [Log4j2不出网检测(靠类型转换、危害有限思路值得学习)](https://cloud.tencent.com/developer/article/2036012) - [Apache Flink RCE via jar/plan API Endpoint in JDK8](https://mp.weixin.qq.com/s?__biz=MzkyNDA5NjgyMg==&mid=2247495227&idx=1&sn=5ab9bcc3d89d57ff9799f88c3363814c&chksm=c1d9ae62f6ae2774dd25902c116f6c24f3e5bbf68836f676c25aac53f2c6b771b4a3823c3e7e&mpshare=1&scene=1&srcid=0325kmXWImZrXe0btPMEsJDY&sharer_sharetime=1679735505328&sharer_shareid=19374164c9d8647c6159e09a97bb1208#rd) - [Apache Dubbo 反序列化漏洞(CVE-2023-23638)分析及利用探索](https://yyhylh.github.io/2023/04/08/Apache%20dubbo%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E%EF%BC%88CVE-2023-23638%EF%BC%89%E5%88%86%E6%9E%90%E5%8F%8A%E5%88%A9%E7%94%A8%E6%8E%A2%E7%B4%A2/) - [Apache Dubbo反序列化漏洞(CVE-2023-23638)完整利用及工程化实践](https://yyhylh.github.io/2023/05/11/Apache%20Dubbo%20%EF%BC%88CVE-2023-23638%EF%BC%89%E5%AE%8C%E6%95%B4%E5%88%A9%E7%94%A8%E5%8F%8A%E5%B7%A5%E7%A8%8B%E5%8C%96%E5%AE%9E%E8%B7%B5/) From 244b858e9ee92f6717570aa8914d1a4cd05976ed Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Wed, 10 Jan 2024 10:28:59 +0800 Subject: [PATCH 12/41] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a6186c1..94bdbd0 100644 --- a/README.md +++ b/README.md 
@@ -403,7 +403,7 @@ - [JetBrains TeamCity 任意代码执行漏洞分析(CVE-2023-42793)](https://forum.butian.net/share/2514) - [SysAid On-Prem Software(CVE-2023-47246)](https://forum.butian.net/share/2577) - [CrushFTP Unauthenticated Remote Code Execution(CVE-2023-43177)](https://y4tacker.github.io/2023/12/10/year/2023/12/CrushFTP-Unauthenticated-Remote-Code-Execution-CVE-2023-43177/) - + - [MCMS属性覆盖全版本Bypass分析(又又又是一个属性覆盖带来的漏洞)](https://y4tacker.github.io/2023/12/28/year/2023/12/%E5%8F%88%E5%8F%88%E5%8F%88%E6%98%AF%E4%B8%80%E4%B8%AA%E5%B1%9E%E6%80%A7%E8%A6%86%E7%9B%96%E5%B8%A6%E6%9D%A5%E7%9A%84%E6%BC%8F%E6%B4%9E/) From 14492e007dbb5c057b5d303a51935ee2609ee7f8 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Wed, 10 Jan 2024 10:30:41 +0800 Subject: [PATCH 13/41] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 更新MCMS属性覆盖全版本Bypass分析(又又又是一个属性覆盖带来的漏洞) --- README.md | 23 +---------------------- 1 file changed, 1 insertion(+), 22 deletions(-) diff --git a/README.md b/README.md index 94bdbd0..fd0f299 100644 --- a/README.md +++ b/README.md 
@@ -278,36 +278,23 @@ ## 11.Spring - [浅谈SpringWeb请求解析过程(很不错的文章把低版本一些绕过的特性基本都提到了)](https://forum.butian.net/share/2214) - [浅谈Spring与安全约束SecurityConstraint](https://forum.butian.net/index.php/share/2283) - - [SpirngBoot下结合Tomcat实现无OOB方式下的回显](https://github.com/Y4tacker/JavaSec/blob/main/5.%E5%86%85%E5%AD%98%E9%A9%AC%E5%AD%A6%E4%B9%A0/Spring/springboot-tomcat%E5%9B%9E%E6%98%BE/index.md) - - [低版本SpringBoot-SpEL表达式注入漏洞复现分析](https://y4tacker.github.io/2022/02/07/year/2022/2/%E4%BD%8E%E7%89%88%E6%9C%ACSpringBoot-SpEL%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0%E5%88%86%E6%9E%90/) - - [SpringCloud-SnakeYAML-RCE(高版本不可用)](https://y4tacker.github.io/2022/02/08/year/2022/2/SpringCloud-SnakeYAML-RCE/) - - [Spring Boot Vulnerability Exploit Check List](https://github.com/LandGrey/SpringBootVulExploit) - - [SSRF to Rce with Jolokia and Mbeans](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/SSRF%20to%20RCE%20with%20Jolokia%20and%20MBeans%20%E2%80%A2%20Think%20Love%20Share.pdf) - - [CVE-2022-22947 SpringCloudGateWay 远程代码执行](https://github.com/Y4tacker/JavaSec/blob/main/11.Spring/CVE-2022-22947%20SpringCloudGateWay%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C/index.md) - - [Spring Cloud Function-SPEL(利用面不大)](https://hosch3n.github.io/2022/03/26/SpringCloudFunction%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/) - - [SpringMVC框架任意代码执行漏洞(CVE-2010-1622)分析](http://rui0.cn/archives/1158) - - [Spring Beans RCE分析(CVE-2022-22965)(我还是喜欢叫Spring4shell,自己懒得写了,这篇还可以,稍微注意下AccessLogValve这个类WBS)](https://xz.aliyun.com/t/11129) - - [Spring Data MongoDB SpEL表达式注入(CVE-2022-22980)(能看但是有些逻辑还是讲得很混乱总体而已还是好的作为参考即可)](https://xz.aliyun.com/t/11484) - - [SpringBoot全局注册Filter过滤XSS](https://github.com/Y4tacker/JavaSec/blob/main/11.Spring/SpringBoot%E5%85%A8%E5%B1%80%E6%B3%A8%E5%86%8CFilter%E8%BF%87%E6%BB%A4XSS/index.md) - - [Springboot devtools反序列化(难点在于secret的获取,当然比如有actuator端点暴露情况下就会变得容易)](https://novysodope.github.io/2022/05/11/77/) - 
[浅谈Spring中的Controller参数的验证机制(注意Hibernate Validator的正确配置)](https://forum.butian.net/share/2538) ## 12.Shiro - [Shiro RememberMe 漏洞检测的探索之路(长亭的一些总结非常不错)](https://stack.chaitin.com/techblog/detail?id=39) - - [Shiro另类检测方式](http://www.lmxspace.com/2020/08/24/%E4%B8%80%E7%A7%8D%E5%8F%A6%E7%B1%BB%E7%9A%84shiro%E6%A3%80%E6%B5%8B%E6%96%B9%E5%BC%8F/) - [浅谈Shiro执行任意反序列化gadget的方案](https://github.com/Y4tacker/JavaSec/blob/main/12.Shiro/%E6%B5%85%E8%B0%88Shiro%E6%89%A7%E8%A1%8C%E4%BB%BB%E6%84%8F%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96gadget%E7%9A%84%E6%96%B9%E6%A1%88/index.md) - [CVE-2010-3863权限绕过(通过/./admin绕过/admin,/abc/../admin)](https://github.com/Y4tacker/JavaSec/blob/main/12.Shiro/CVE-2010-3863%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87/index.md) @@ -321,7 +308,7 @@ - [CVE-2020-13933特殊场景权限绕过(通过/unauthorize/%3b)](https://github.com/Y4tacker/JavaSec/blob/main/12.Shiro/CVE-2020-13933%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87/index.md) - [SpringBoot2.3.0下Shiro<=1.5.1权限绕过(通过/aa;/%2e%2e/unauthorize绕过对/unauthorize拦截,当然也可以不用目录穿越/;y4tacker/unauthorize也可以)](https://github.com/Y4tacker/JavaSec/tree/main/11.Spring/SpringBoot2.3.0%E4%B8%8BShiro%3C%3D1.5.1%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87) - [Spring-Shiro1.5.2 Bypass(通过/unauthorize/a%252Fa绕过对/unauthorize/*的权限限制)](https://github.com/Y4tacker/JavaSec/blob/main/12.Shiro/Spring-Shiro1.5.2%20Bypass/index.md) -- [记一次 Shiro 的实战利用(突破限制shiro 550利用payload的长度,这种方式不能很好对抗检测文件落地,其实也可以配合上下文一些无害属性多次set写入加载)](https://mp.weixin.qq.com/s/w9sMhMrCy1pofOV-h94qbQ) +- [记一次 Shiro 的实战利用(突破限制shiro 550利用payload的长度,这种方式不能很好对抗检测文件落地,其实也可以配合上下文一些无害属性多次set写入加载)](https://mp.weixin.qq.com/s/w9sMhMrCy1pofOV-h94qbQ) @@ -335,7 +322,6 @@ - [半自动化挖掘request实现多种中间件回显](https://gv7.me/articles/2020/semi-automatic-mining-request-implements-multiple-middleware-echo/) - ## 14. JSPWebshell - [JSP-Webshells集合(三梦的总结挺全面的利用点)](https://github.com/threedr3am/JSP-Webshells) 
@@ -344,11 +330,9 @@ - [JspWebshell编码混淆篇(unicode和html实体编码那些就懒得写了技术性不强)](https://y4tacker.github.io/2022/11/27/year/2022/11/%E6%B5%85%E8%B0%88JspWebshell%E4%B9%8B%E7%BC%96%E7%A0%81/) - ## 15.Waf - [Java文件上传大杀器-绕waf(针对commons-fileupload组件)](https://y4tacker.github.io/2022/02/25/year/2022/2/Java%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%A4%A7%E6%9D%80%E5%99%A8-%E7%BB%95waf(%E9%92%88%E5%AF%B9commons-fileupload%E7%BB%84%E4%BB%B6)/) - - [探寻Java文件上传流量层面waf绕过姿势系列一](https://y4tacker.github.io/2022/06/19/year/2022/6/%E6%8E%A2%E5%AF%BBTomcat%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%B5%81%E9%87%8F%E5%B1%82%E9%9D%A2%E7%BB%95waf%E6%96%B0%E5%A7%BF%E5%8A%BF/) - [探寻Java文件上传流量层面waf绕过姿势系列二](https://y4tacker.github.io/2022/06/21/year/2022/6/%E6%8E%A2%E5%AF%BBJava%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%B5%81%E9%87%8F%E5%B1%82%E9%9D%A2waf%E7%BB%95%E8%BF%87%E5%A7%BF%E5%8A%BF%E7%B3%BB%E5%88%97%E4%BA%8C/) - [Java反序列化数据绕WAF之加大量脏数据 | 回忆飘如雪 (gv7.me)](https://gv7.me/articles/2021/java-deserialize-data-bypass-waf-by-adding-a-lot-of-dirty-data/) @@ -357,11 +341,9 @@ - [RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass](https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/) - ## 16.漏洞复现 - Apache - - [Apache Commons Configuration 远程代码执行(虽然是配置文件RCE但也有学习意义)](https://xz.aliyun.com/t/11527) - [Apache Spark shell command injection vulnerability via Spark UI(之前很早前在我的各个知识星球分享了)](https://github.com/Y4tacker/JavaSec/blob/main/16.%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/CVE-2022-33891/index.md) - [Apache Commons JXPath 远程代码执行](https://github.com/Y4tacker/JavaSec/blob/main/16.%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0/CVE-2022-41852/index.md) 
@@ -384,16 +366,13 @@ - Spring - [Spring-Kafka-POC-CVE-2023-34040](https://github.com/Contrast-Security-OSS/Spring-Kafka-POC-CVE-2023-34040) - Nacos - - [Aliababa Nacos hessian JRaft反序列化(文章里提到的只能打一次有误,后经过研究可以打多次)](https://y4er.com/posts/nacos-hessian-rce/ ) - [Nacos 多次打非完美方案(这人也没完全考虑到容错,但是网上暂时只有这人的,实际上在构建WriteRequest缺少setOperation)(慎用!别把别人打崩了!)](https://github.com/c0olw/NacosRce) - - Adobe - [CVE-2023-29298: Adobe ColdFusion Access Control Bypass](https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/) - [Analysis CVE-2023-29300: Adobe ColdFusion Pre-Auth RCE](https://blog.projectdiscovery.io/adobe-coldfusion-rce/) - Smartbi - [浅析Smartbi逻辑漏洞](https://y4tacker.github.io/2023/07/05/year/2023/7/%E6%B5%85%E6%9E%90Smartbi%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/) - - Others - [HtmlUnit-RCE](https://siebene.github.io/2022/12/30/HtmlUnit-RCE/) - [openfire鉴权绕过漏洞原理解析(主要是学习jetty对%u002e请求的解析支持)](https://mp.weixin.qq.com/s/EzfB8CM4y4aNtKFJqSOM1w) From 49c22b0ce9e356b90f6916b01b5c8f0d3d99c932 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 22 Jan 2024 17:35:54 +0800 Subject: [PATCH 14/41] Update README.md Atlassian Confluence-Remote Code Execution(CVE-2023-22527) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index fd0f299..784b9f5 100644 --- a/README.md +++ b/README.md 
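Review bot: the subject of PATCH 13/41 (`更新MCMS属性覆盖全版本Bypass分析`) does not describe this change: the MCMS entry was already added in PATCH 12/41, and the 1 insertion / 22 deletions here consist of removing the blank lines between list items across the Spring, Shiro, JSPWebshell, Waf and 漏洞复现 sections plus a whitespace-only rewrite of the `记一次 Shiro 的实战利用` line. Reword the message as a blank-line/whitespace cleanup so `git log` stays searchable for the MCMS addition in the commit that actually made it.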
@@ -383,7 +383,7 @@ - [SysAid On-Prem Software(CVE-2023-47246)](https://forum.butian.net/share/2577) - [CrushFTP Unauthenticated Remote Code Execution(CVE-2023-43177)](https://y4tacker.github.io/2023/12/10/year/2023/12/CrushFTP-Unauthenticated-Remote-Code-Execution-CVE-2023-43177/) - [MCMS属性覆盖全版本Bypass分析(又又又是一个属性覆盖带来的漏洞)](https://y4tacker.github.io/2023/12/28/year/2023/12/%E5%8F%88%E5%8F%88%E5%8F%88%E6%98%AF%E4%B8%80%E4%B8%AA%E5%B1%9E%E6%80%A7%E8%A6%86%E7%9B%96%E5%B8%A6%E6%9D%A5%E7%9A%84%E6%BC%8F%E6%B4%9E/) - + - [Atlassian Confluence-Remote Code Execution(CVE-2023-22527)](https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/) ## 17.模板引擎+表达式相关 From 9c248bdb99bc303813c550d05b42654bb2b6ae05 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 29 Jan 2024 10:26:49 +0800 Subject: [PATCH 15/41] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Jenkins文件读取漏洞拾遗(CVE-2024-23897) --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 784b9f5..885302d 100644 --- a/README.md +++ b/README.md @@ -384,6 +384,7 @@ - [CrushFTP Unauthenticated Remote Code Execution(CVE-2023-43177)](https://y4tacker.github.io/2023/12/10/year/2023/12/CrushFTP-Unauthenticated-Remote-Code-Execution-CVE-2023-43177/) - [MCMS属性覆盖全版本Bypass分析(又又又是一个属性覆盖带来的漏洞)](https://y4tacker.github.io/2023/12/28/year/2023/12/%E5%8F%88%E5%8F%88%E5%8F%88%E6%98%AF%E4%B8%80%E4%B8%AA%E5%B1%9E%E6%80%A7%E8%A6%86%E7%9B%96%E5%B8%A6%E6%9D%A5%E7%9A%84%E6%BC%8F%E6%B4%9E/) - [Atlassian Confluence-Remote Code Execution(CVE-2023-22527)](https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/) + - [Jenkins文件读取漏洞拾遗(CVE-2024-23897)](https://www.leavesongs.com/PENETRATION/jenkins-cve-2024-23897.html) ## 17.模板引擎+表达式相关 From e3286edb907fc22b95e7c98221f26bc66946de0c Mon Sep 17 00:00:00 2001 
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 26 Feb 2024 16:48:25 +0800 Subject: [PATCH 16/41] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit UTF-8 Overlong Encoding导致的安全问题 --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 885302d..5d50e0a 100644 --- a/README.md +++ b/README.md @@ -76,6 +76,7 @@ - [JDK7u21](https://github.com/Y4tacker/JavaSec/blob/main/2.%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B8%93%E5%8C%BA/JDK7u21/index.md) - [AspectJWeaver写文件](https://github.com/Y4tacker/JavaSec/blob/main/2.反序列化专区/AspectJWeaver/AspectJWeaver.md) - [反序列化在渗透测试当中值得关注的点](https://github.com/Y4tacker/JavaSec/blob/main/2.%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B8%93%E5%8C%BA/%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%9C%A8%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E5%BD%93%E4%B8%AD%E5%80%BC%E5%BE%97%E5%85%B3%E6%B3%A8%E7%9A%84%E7%82%B9/index.md) +- [UTF-8 Overlong Encoding导致的安全问题(在绕过流量设备上非常有帮助)](https://mp.weixin.qq.com/s/fcuKNfLXiFxWrIYQPq7OCg) - [构造java探测class反序列化gadget](https://mp.weixin.qq.com/s/KncxkSIZ7HVXZ0iNAX8xPA) - [对URLDNS探测class的补充(为什么本地明明没有这个类却有"DNS解析")](https://github.com/Y4tacker/JavaSec/blob/main/2.%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B8%93%E5%8C%BA/URLDNS%E6%8E%A2%E6%B5%8Bclass%E7%9A%84%E8%A1%A5%E5%85%85/index.md) - [利用Swing构造反序列化SSRF/RCE(JDK CVE-2023-21939)](https://github.com/Y4Sec-Team/CVE-2023-21939) From 53657f19e2f9426026c0ccf07ce127a708d0d635 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Tue, 5 Mar 2024 16:16:47 +0800 Subject: [PATCH 17/41] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 5d50e0a..e45eb19 100644 --- a/README.md +++ b/README.md 
@@ -39,6 +39,7 @@ - [JEP290基础概念](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/JEP290%E7%9A%84%E5%9F%BA%E6%9C%AC%E6%A6%82%E5%BF%B5/index.md) - [Java中的XXE](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/Java%E4%B8%AD%E7%9A%84XXE/index.md) - [XML外部实体注入(XXE)攻击方式汇总(关于XXE可以延伸继续看看)](https://tttang.com/archive/1813/) + - [绕过WAF保护的XXE(一些通用的流量混淆方式)](https://xz.aliyun.com/t/4059?accounttraceid=04ba92e87b2342b9a14daca5812cc52aoxob&time__1311=n4mx0DnDBiitiQo4GNulxU2nD9iBDc70ZAnYD) - [通过反射扫描被注解修饰的类](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/%E9%80%9A%E8%BF%87%E5%8F%8D%E5%B0%84%E6%89%AB%E6%8F%8F%E8%A2%AB%E6%B3%A8%E8%A7%A3%E4%BF%AE%E9%A5%B0%E7%9A%84%E7%B1%BB/index.md) - [低版本下Java文件系统00截断](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/%E4%BD%8E%E7%89%88%E6%9C%AC%E4%B8%8BJava%E6%96%87%E4%BB%B6%E7%B3%BB%E7%BB%9F00%E6%88%AA%E6%96%AD/index.md) - [有趣的XSS之Normalize](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/%E6%9C%89%E8%B6%A3%E7%9A%84XSS%E4%B9%8BNormalize/index.md) From fa08334b04ce09b19397e87b70134d2df6514eba Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Sun, 24 Mar 2024 20:31:20 +0800 Subject: [PATCH 18/41] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index e45eb19..b33d7cf 100644 --- a/README.md +++ b/README.md @@ -435,6 +435,7 @@ ## 20.议题 - [Hacking FernFlower](https://y4tacker.github.io/2023/12/22/year/2023/12/Hacking-FernFlower/) + - [议题相关代码](https://github.com/Y4tacker/HackingFernFlower) From a99fcfe38e114bedcccdb36d43e0ce6883722559 Mon Sep 17 00:00:00 2001 
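Review bot: the URL added in PATCH 17/41 for `绕过WAF保护的XXE` carries per-session tracking query parameters (`?accounttraceid=...&time__1311=...`) that identify the committer's own browsing session and add nothing for readers; link the bare article URL `https://xz.aliyun.com/t/4059` instead, as the other xz.aliyun.com entries in the README already do.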
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Tue, 26 Mar 2024 09:51:45 +0800 Subject: [PATCH 19/41] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 更新帆软channel接口反序列化漏洞分析(二次反序列化一些实战场景利用) --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index b33d7cf..b812beb 100644 --- a/README.md +++ b/README.md @@ -461,6 +461,7 @@ - [Java Web —— 从内存中Dump JDBC数据库明文密码(还挺好玩的)](https://mp.weixin.qq.com/s/QCfqO2BJuhSOr58rldZzxA) - [如何带依赖打包Jar](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/Maven/index.md) - [一些Java二次反序列化的点(持续收集)](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/Java%E4%BA%8C%E6%AC%A1%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/Java%E8%A7%A6%E5%8F%91%E4%BA%8C%E6%AC%A1%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E7%9A%84%E7%82%B9.md) + - [帆软channel接口反序列化漏洞分析(二次反序列化一些实战场景利用)](https://forum.butian.net/share/2806) - [自己写的OpenRasp分析](https://y4tacker.github.io/2022/05/28/year/2022/5/OpenRasp%E5%88%86%E6%9E%90/) - [Apache Unomi 表达式注入攻防](https://github.com/1135/unomi_exploit) - [JEXL3表达式注入](https://xz.aliyun.com/t/8099) From 8c84ea3ac77190fd83d4de5b954e63679243a023 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 1 Apr 2024 18:39:07 +0800 Subject: [PATCH 20/41] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 更新“Java安全攻防之Spring Cloud Gateway攻击Redis” --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index b812beb..13b1ed7 100644 --- a/README.md +++ b/README.md @@ -189,6 +189,7 @@ - [看不见的 Jsp-WebShell 第二式增强之无痕](https://mp.weixin.qq.com/s/7b3Fyu_K6ZRgKlp6RkdYoA) - [Spring cloud gateway通过SPEL注入内存马](https://gv7.me/articles/2022/the-spring-cloud-gateway-inject-memshell-through-spel-expressions/) + - [Java安全攻防之Spring Cloud Gateway攻击Redis](https://mp.weixin.qq.com/s/6U1KaLrrtq2dxg55IYASFg) - Tools 
From 35c6418f32ac5224ae5f6ab8c9ad45150752f4af Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Thu, 9 May 2024 13:58:55 +0800 Subject: [PATCH 21/41] Update README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 更新整理CrushFTP漏洞 --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 13b1ed7..913949f 100644 --- a/README.md +++ b/README.md @@ -375,7 +375,12 @@ - [CVE-2023-29298: Adobe ColdFusion Access Control Bypass](https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/) - [Analysis CVE-2023-29300: Adobe ColdFusion Pre-Auth RCE](https://blog.projectdiscovery.io/adobe-coldfusion-rce/) - Smartbi - - [浅析Smartbi逻辑漏洞](https://y4tacker.github.io/2023/07/05/year/2023/7/%E6%B5%85%E6%9E%90Smartbi%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/) + - [浅析Smartbi逻辑漏洞](https://y4tacker.github.io/2023/07/05/year/2023/7/%E6%B5%85%E6%9E%90Smartbi%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/) +- CrushFTP + - [CrushFTP Unauthenticated Remote Code Execution(CVE-2023-43177)](https://y4tacker.github.io/2023/12/10/year/2023/12/CrushFTP-Unauthenticated-Remote-Code-Execution-CVE-2023-43177/) + - [浅析CrushFTP之VFS逃逸](https://y4tacker.github.io/2024/04/23/year/2024/4/%E6%B5%85%E6%9E%90CrushFTP%E4%B9%8BVFS%E9%80%83%E9%80%B8/) + - [CrushFTP Unauthenticated Remote Code Execution(CVE-2024-4040)](https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis) + - [CrushFTP后利用提权分析(CVE-2024-4040)](https://y4tacker.github.io/2024/04/25/year/2024/4/CrushFTP%E5%90%8E%E5%88%A9%E7%94%A8%E6%8F%90%E6%9D%83%E5%88%86%E6%9E%90-CVE-2024-4040/) - Others - [HtmlUnit-RCE](https://siebene.github.io/2022/12/30/HtmlUnit-RCE/) - [openfire鉴权绕过漏洞原理解析(主要是学习jetty对%u002e请求的解析支持)](https://mp.weixin.qq.com/s/EzfB8CM4y4aNtKFJqSOM1w) 
@@ -384,7 +389,6 @@ - [UNAUTHENTICATED SERVER SIDE REQUEST FORGERY & CRLF INJECTION IN GEOSERVER WMS(CRLF注入的好例子)](https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms) - [JetBrains TeamCity 任意代码执行漏洞分析(CVE-2023-42793)](https://forum.butian.net/share/2514) - [SysAid On-Prem Software(CVE-2023-47246)](https://forum.butian.net/share/2577) - - [CrushFTP Unauthenticated Remote Code Execution(CVE-2023-43177)](https://y4tacker.github.io/2023/12/10/year/2023/12/CrushFTP-Unauthenticated-Remote-Code-Execution-CVE-2023-43177/) - [MCMS属性覆盖全版本Bypass分析(又又又是一个属性覆盖带来的漏洞)](https://y4tacker.github.io/2023/12/28/year/2023/12/%E5%8F%88%E5%8F%88%E5%8F%88%E6%98%AF%E4%B8%80%E4%B8%AA%E5%B1%9E%E6%80%A7%E8%A6%86%E7%9B%96%E5%B8%A6%E6%9D%A5%E7%9A%84%E6%BC%8F%E6%B4%9E/) - [Atlassian Confluence-Remote Code Execution(CVE-2023-22527)](https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/) - [Jenkins文件读取漏洞拾遗(CVE-2024-23897)](https://www.leavesongs.com/PENETRATION/jenkins-cve-2024-23897.html) From 59e20640ddb7601b10255aec5819e95093c6a9d2 Mon Sep 17 00:00:00 2001 From: Y4tacker <56486273+Y4tacker@users.noreply.github.com> Date: Mon, 20 May 2024 10:50:10 +0800 Subject: [PATCH 22/41] Update README.md --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 913949f..f2f7e2f 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,9 @@
2021年10月18日,梦的开始
2021年10月18日,梦的开始
2021年10月18日,梦的开始
2021年10月18日,梦的开始
2021年10月18日,梦的开始
-