cwkiller/Java-Puzzle

Readme badge preview -

If you own this repo, copy the snippet below and add it to your README.md

[![RelatedRepos](https://img.shields.io/badge/related-repos-yellow)](https://relatedrepos.com/gh/cwkiller/Java-Puzzle)

cwkiller / Java-Puzzle

一个专注于 Java Web 特性、配置和 Trick 的安全谜题集合

☆117

Alternatives and similar repositories for Java-Puzzle

Users that are interested in Java-Puzzle are comparing it to the libraries listed below

Sorting:

yulate / jdbc-tricks
View on GitHub
《深入JDBC安全：特殊URL构造与不出网反序列化利用技术揭秘》对应研究总结项目 "Deep Dive into JDBC Security: Special URL Construction and Non-Networked Deserialization Explo…
☆570Feb 7, 2026Updated 2 weeks ago
tabby-sec / tabby-vul-finder
View on GitHub
A vul-finder for loading CPG and automated finding vul-call-chains
☆71Jul 22, 2025Updated 7 months ago
unam4 / c3p0explore
View on GitHub
c3p0 new gadget
☆28Apr 1, 2025Updated 10 months ago
ReaJason / No-One
View on GitHub
No One（无名）：Next Generation Polyglot Website Manager
☆73Updated this week
cwkiller / ClassLinefix
View on GitHub
Java bytecode line number restoration tool
☆134Aug 31, 2025Updated 6 months ago
yzddmr6 / Java-Js-Engine-Payloads
View on GitHub
Java Js Engine Payloads All in one
☆289Aug 21, 2023Updated 2 years ago
1ucky7 / MySQL_Fake_Server_for_woodpecker_yso
View on GitHub
MySQL_Fake_Server-啄木鸟yso适配版
☆45Sep 20, 2024Updated last year
vaycore / DNStxt-exp
View on GitHub
一个提供查询 TXT 记录的 DNS 服务利用工具。例如：可配合 Windows 下的 certutil 工具传输小文件（64KB）
☆37Dec 31, 2021Updated 4 years ago
h3h3qaq / JDK-CodeQLDB-Builder
View on GitHub
使用 Docker 一键构建 JDK 源码的 CodeQL 数据库，方便使用 CodeQL 查找 JDK 中的数据。
☆27May 14, 2025Updated 9 months ago
cwkiller / JDBC-PROXY-Bypass
View on GitHub
利用代理驱动绕过JDBC Attack检测
☆143Jun 15, 2025Updated 8 months ago
AFKL1919 / CTF-Challenges
View on GitHub
A collection of all the CTF challenges I have made.
☆11Aug 24, 2022Updated 3 years ago
kezibei / fastjson_payload
View on GitHub
☆239Updated this week
c0ny1 / ascii-jar
View on GitHub
构造字节在ASCII范围内的jar
☆139Feb 14, 2022Updated 4 years ago
Ar3h / utf8-overlong-agent
View on GitHub
使用 agent 实现反序列化 utf8 overlong
☆83Apr 24, 2024Updated last year
Ar3h / putter
View on GitHub
命令执行写任意文件，主要用于命令执行但不出网情况
☆30Sep 9, 2023Updated 2 years ago
ax1sX / RouteCheck-Alpha
View on GitHub
A Java Route Collection Tool
☆102Aug 1, 2024Updated last year
h00klod0er / JSFindAPI
View on GitHub
JSFindAPI是一款自动从html页面中获取js链接，并自动访问js提取js中的api路径，然后自动进行api未授权测试的插件，同时也可被动监听，当访问js时自动提取api进行访问，提取api接口主要根据AJAX，XMLHttpRequest，axios，Vue.js等…
☆30Oct 20, 2025Updated 4 months ago
XF-FS / WebBatchRequestpro
View on GitHub
一个批量请求工具
☆41Dec 14, 2025Updated 2 months ago
SecurityCrux / secrux
View on GitHub
SeCrux is a true enterprise-grade security management platform that seamlessly integrates with any form of SAST and SCA scanners, empower…
☆203Feb 10, 2026Updated 2 weeks ago
flowerwind / AutoGenerateXalanPayload
View on GitHub
cve-2022-34169 延伸出的Jdk Xalan的payload自动生成工具，可根据不同的Jdk生成出其所对应的xslt文件
☆93Jan 17, 2023Updated 3 years ago
Chanzi-keji / chanzi
View on GitHub
"chanzi" is a simple and user-friendly JAVA SAST tool that utilizes taint analysis technology, includes built-in common vulnerability ru…
☆479Feb 1, 2026Updated 3 weeks ago
pen4uin / java-echo-generator
View on GitHub
一款支持自定义的 Java 回显载荷生成工具｜A customizable Java echo payload generation tool.
☆461Jan 12, 2025Updated last year
Lotus6 / JavaGadgetGenerator
View on GitHub
JavaGadgetGenerator 工具，支持 ysoserial，Hessian，字节码，Expr/SSTI，Shiro，JDBC 等 Gadget 生成，封装，混淆，出网延迟探测，内存马注入等...
☆549Dec 7, 2025Updated 2 months ago
Whoopsunix / JavaRce
View on GitHub
Common Exploitation Techniques for Java RCE Vulnerabilities in Real-World Scenarios | 实战场景较通用的 Java Rce 相关漏洞的利用方式
☆545Mar 6, 2025Updated 11 months ago
v9d0g / CVE-2024-43044-POC
View on GitHub
CVE-2024-43044的利用方式
☆20Aug 13, 2024Updated last year
X1r0z / hacking-espresso
View on GitHub
Hacking GraalVM Espresso - Abusing Continuation API to Make ROP-like Attack
☆36Aug 27, 2025Updated 6 months ago
Whoopsunix / utf-8-overlong-encoding
View on GitHub
抽离出 utf-8-overlong-encoding 的序列化逻辑，实现 2 3 字节加密序列化数组
☆139Mar 11, 2024Updated last year
lokerxx / JavaVul
View on GitHub
JAVA 安全靶场，IAST 测试用例，JAVA漏洞复现，代码审计，SAST测试用例，安全扫描（主动和被动），JAVA漏洞靶场，RASP测试用例； Java Security Testbed, IAST Test Cases, Java Vulnerability R…
☆272Sep 6, 2024Updated last year
mumumumuo / RaceCondition
View on GitHub
Burp条件竞争测试插件
☆25Aug 21, 2025Updated 6 months ago
OneSourceCat / XxlJob-Hessian-RCE
View on GitHub
XxlJob<=2.1.2配置不当情况下反序列化RCE
☆120Nov 2, 2020Updated 5 years ago
BofeiC / JDD-PocLearning
View on GitHub
☆25Jul 2, 2024Updated last year
YYHYlh / Dubbo-Scan
View on GitHub
一款让你不只在dubbo-sample、vulhub或者其他测试环境里检测和利用成功的Apache Dubbo 漏洞检测工具。
☆171Aug 9, 2023Updated 2 years ago
Mechoy / jarVuln
View on GitHub
一些jar包相关的漏洞
☆24Sep 24, 2024Updated last year
private-xss / sensitive-info-tool
View on GitHub
☆47Sep 30, 2025Updated 5 months ago
byname66 / SerializeJava
View on GitHub
用Go+Fyne开发的，展示JAVA序列化流以及集成一键插入脏数据,UTF过长编码绕WAF(Utf OverLoad Encoding),修改类SerializeVersionUID功能的图形化工具。
☆125Jan 14, 2025Updated last year
ReaJason / MemShellParty
View on GitHub
一款专注于 Java 主流 Web 中间件的内存马快速生成工具，致力于简化安全研究人员和红队成员的工作流程，提升攻防效率
☆1,339Feb 8, 2026Updated 2 weeks ago
luelueking / Deserial_Sink_With_JDBC
View on GitHub
Some ReadObject Sink With JDBC
☆243May 8, 2024Updated last year
A0WaQ4 / HexDnsEchoT
View on GitHub
命令执行不回显但DNS协议出网的命令回显场景解决方案（修改为使用ceye接收请求，添加自定义DNS服务器）
☆292Aug 20, 2023Updated 2 years ago
B0T1eR / ysoSimple
View on GitHub
ysoSimple：简易的Java漏洞利用工具，集成Java反序列化，Hessian反序列化，XStream反序列化，SnakeYaml反序列化，Shiro550，JSF反序列化，SSTI模板注入，JdbcAttackPayload，JNDIAttack，字节码生成。
☆105Jan 20, 2026Updated last month