参考链接
========================================
官方文档
----------------------------------------
- `ognl `_
- `Java SE Security Guide `_
- `Java RMI Release Notes for JDK 6 `_
- `Java Release Notes for JDK 7 `_
机制说明
----------------------------------------
- `深入理解Java类加载 `_
反序列化
----------------------------------------
标准
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- `Java序列化【草案一】 `_
- `Java 14 Object Serialization Specification `_
利用与技巧
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- `Marshalling Pickles how deserializing objects can ruin your day `_
- `AppSecCali 2015: Marshalling Pickles `_
- `More serialization hacks with AnnotationInvocationHandler `_
- `Pure JRE 8 RCE Deserialization gadget `_
- `Breaking Defensive Serialization `_
- `Java反序列化漏洞从入门到深入 `_
- `Java反序列化漏洞通用利用分析 `_
- `JRE8u20反序列化漏洞分析 `_
- `浅析Java序列化和反序列化 `_
- `Commons Collections Java反序列化漏洞深入分析 `_
- `FAR SIDES OF JAVA REMOTE PROTOCOLS `_
- `JDK8u20反序列化漏洞新型PoC思路及具体实现 `_
- `Pwn a CTF Platform with Java JRMP Gadget `_
- `漫谈 JEP 290 `_
框架
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- `WebLogic反序列化漏洞漫谈 `_
- `从WebLogic看反序列化漏洞的利用与防御 `_
- `JSON反序列化之殇 `_
- `Shiro组件漏洞与攻击链分析 `_
- `Application Security With Apache Shiro `_
- `Shiro安全框架【快速入门】 `_
- `Shiro 实战(四) - 过滤器机制 `_
沙箱
----------------------------------------
- `Java Sandbox Escape `_
框架
----------------------------------------
- `Struts `_
- `Struts Examples `_
- `Eclipse Jetty `_
- `SpringBootVulExploit `_ SpringBoot 相关漏洞学习资料,利用方法和技巧合集,黑盒安全评估 checklist
框架利用技巧
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- `Spring Boot Fat Jar 写文件漏洞到稳定 RCE 的探索 `_
RMI
----------------------------------------
- `Java RMI与RPC的区别 `_
- `Remote Method Invocation (RMI) `_
- `Java 中 RMI、JNDI、LADP、JRMP、JMX、JMS那些事儿 `_
- `Oracle: Developing T3 Clients `_
JNDI
----------------------------------------
- `Overview of JNDI `_
- `关于 JNDI 注入 `_
- `A Journey From JNDI LDAP Manipulation To RCE `_
- `如何绕过高版本JDK的限制进行JNDI注入 `_
WebShell
----------------------------------------
- `各种姿势jsp webshell `_
其他漏洞
----------------------------------------
- `JAVA常见的XXE漏洞写法和防御 `_