Pinned Repositories
dubbo-exp
Dubbo learning demo; previously deleted, now re-uploaded.
FindClassInJars
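A small personal tool for automated gadget discovery: it locates the JAR that contains each class in a gadget chain, making it easier to audit and test whether a gadget is valid.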
gadgetinspector
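A static code auditing application that uses ASM to perform taint propagation analysis on bytecode (extensive code comments have been added, so it is well suited to studying the source). It also adds discovery of Fastjson deserialization gadget chains and static detection of SQLInject (JdbcTemplate, MyBatis, JPA, Hibernate, native JDBC, etc.), along with many features that make automated vulnerability discovery easier.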
GuanYu
JVM runtime class loading protection agent.
JSP-WebShells
A collection of JSP webshells implemented in various ways.
learnjavabug
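Demos of Java security vulnerabilities and techniques: deserialization exploitation for native Java, Fastjson, Jackson, Hessian2 and XML; exploits for frameworks, middleware and features such as Spring, Dubbo, Shiro, CAS, Tomcat, RMI and Nexus; and practice code for Java Security Manager bypasses, Dubbo-Hessian2 security hardening and more.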
log-agent
Uses an agent to hook specified classes and trace the methods executed while a JAR is running, to assist with tasks such as vulnerability hunting.
tomcat-cluster-session-sync-exp
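A deserialization vulnerability that exists when Tomcat's built-in session synchronization feature is used with an insecure configuration (EncryptInterceptor not in use). With carefully crafted packets, servers using Tomcat's built-in session synchronization can be attacked. PS: this is not CVE-2020-9484; 9484 is a session persistence bug, whereas this is a session cluster synchronization bug!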
ysoserial
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. Some things have been optimized.
ZhouYu
(周瑜) Java - SpringBoot persistent WebShell learning demo (not only SpringBoot; applies to any service that conforms to the JavaEE specification)
threedr3am's Repositories
threedr3am/learnjavabug
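Demos of Java security vulnerabilities and techniques: deserialization exploitation for native Java, Fastjson, Jackson, Hessian2 and XML; exploits for frameworks, middleware and features such as Spring, Dubbo, Shiro, CAS, Tomcat, RMI and Nexus; and practice code for Java Security Manager bypasses, Dubbo-Hessian2 security hardening and more.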
threedr3am/JSP-WebShells
A collection of JSP webshells implemented in various ways.
threedr3am/ZhouYu
(周瑜) Java - SpringBoot persistent WebShell learning demo (not only SpringBoot; applies to any service that conforms to the JavaEE specification)
threedr3am/gadgetinspector
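A static code auditing application that uses ASM to perform taint propagation analysis on bytecode (extensive code comments have been added, so it is well suited to studying the source). It also adds discovery of Fastjson deserialization gadget chains and static detection of SQLInject (JdbcTemplate, MyBatis, JPA, Hibernate, native JDBC, etc.), along with many features that make automated vulnerability discovery easier.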
threedr3am/ysoserial
A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. Some things have been optimized.
threedr3am/dubbo-exp
Dubbo learning demo; previously deleted, now re-uploaded.
threedr3am/wxwork-sdk-utils
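WeCom (企业微信) toolkit (robot webhook utils). It wraps message construction so that building the various message types is simpler, and includes a push tool so everything is done in one step.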
threedr3am/marshalsec
threedr3am/threedr3am.github.io
threedr3am/java-benchmarks
threedr3am/wx-work-robots-docker
Just written for fun~~~
threedr3am/cas-server-base
cas
threedr3am/hack-fastjson-1.2.80
threedr3am/JDR
threedr3am/nuclei-templates
Community curated list of templates for the nuclei engine to find security vulnerabilities.
threedr3am/radar
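Real-time risk control engine (Risk Engine) with a custom rule engine (Rule Script) and full support for Chinese, suited to anti-fraud scenarios and ready to use out of the box!!! A powerful risk management tool for the mobile internet era. Have you got it yet?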
threedr3am/swagger-hack
Automatically crawls and tests all Swagger endpoints.
threedr3am/watchvuln
A valuable vulnerability collection and push service
threedr3am/algorithm-and-risk-management
Risk control, big data, algorithms.
threedr3am/DongTai
Dongtai IAST is an open-source Interactive Application Security Testing (IAST) tool that enables real-time detection of common vulnerabilities in Java applications and third-party components through passive instrumentation. It is particularly suitable for use in the testing phase of the development pipeline.
threedr3am/Fastjson
A collection of Fastjson tricks and techniques
threedr3am/h2database
H2 is an embeddable RDBMS written in Java.
threedr3am/manjusaka
牛屎花: a C2 remote control tool
threedr3am/momo-code-sec-inspector-java
IDEA plugin for static code security auditing and one-click vulnerability fixes
threedr3am/quiltflower
Modern Java decompiler aiming to be as accurate as possible, with an emphasis on output quality. Fork of the Fernflower decompiler.
threedr3am/sec-chart
A collection of security mind maps
threedr3am/sslscan
sslscan tests SSL/TLS enabled services to discover supported cipher suites
threedr3am/Tai-e
An easy-to-learn/use static analysis framework for Java
threedr3am/testssl.sh
Testing TLS/SSL encryption anywhere on any port
threedr3am/tsunami-security-scanner-plugins
This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.