From cf52fcfeea524938b9c6ec1568407342a7af58a6 Mon Sep 17 00:00:00 2001
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com>
Date: Wed, 4 Sep 2024 10:30:46 +0800
Subject: [PATCH 1/6] Update README.md

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index d2408e9..7623b4f 100644
--- a/README.md
+++ b/README.md
@@ -50,6 +50,7 @@
 
 如果想系统学习CC链、CB链的话这部分还是推荐p牛的[Java安全漫谈](https://github.com/phith0n/JavaThings)，我只是简单写写便于自己复习而已(这部分看我下面的share并不适合新人，过了这么久看过网上很多文章还是觉得P牛写的更适合新人)
 
+- [Java 反序列化取经路(强推)](https://su18.org/post/ysuserial/)
 - [Java反序列化之URLDNS](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/Java%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B9%8BURLDNS/Java%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B9%8BURLDNS.md)
 - [CommonsCollections1笔记](https://github.com/Y4tacker/JavaSec/blob/main/2.反序列化专区/CommonsCollections1/CommonsCollections1.md)
 - [CommonsCollections2笔记](https://github.com/Y4tacker/JavaSec/blob/main/2.反序列化专区/CommonsCollections2/CommonsCollections2.md)

From 8140d9ea62bdb4efb6553bab75ff7a9527166dfe Mon Sep 17 00:00:00 2001
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com>
Date: Fri, 11 Oct 2024 15:51:04 +0800
Subject: [PATCH 2/6] =?UTF-8?q?Update=20Java=E8=A7=A6=E5=8F=91=E4=BA=8C?=
 =?UTF-8?q?=E6=AC=A1=E5=8F=8D=E5=BA=8F=E5=88=97=E5=8C=96=E7=9A=84=E7=82=B9?=
 =?UTF-8?q?.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

更新二次反序列化利用点
---
 ...2\217\345\210\227\345\214\226\347\232\204\347\202\271.md" | 5 +++++
 1 file changed, 5 insertions(+)

diff --git "a/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md" "b/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md"
index 9767f82..97fb857 100644
--- "a/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md"
+++ "b/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md"
@@ -313,3 +313,8 @@ public class DemoTest {
 ```
 
 具体分析见https://y4tacker.github.io/2022/02/06/year/2022/2/c3p0%E7%9A%84%E4%B8%89%E4%B8%AAgadget%E7%9A%84%E5%AD%A6%E4%B9%A0/#hex%E5%BA%8F%E5%88%97%E5%8C%96%E5%AD%97%E8%8A%82%E5%8A%A0%E8%BD%BD%E5%99%A8
+
+
+##  org.pac4j.core.profile.InternalAttributeHandler#restore
+使用{#sb64}rO0ABXN...serizalized_object_in_base64...，隐藏TemplatesImpl，可惜不是通用的
+参考链接：https://securitylab.github.com/advisories/GHSL-2022-085_pac4j/

From 99bb136c0f4e758126778538588819ed199e8b1b Mon Sep 17 00:00:00 2001
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com>
Date: Fri, 11 Oct 2024 15:57:31 +0800
Subject: [PATCH 3/6] =?UTF-8?q?Update=20Java=E8=A7=A6=E5=8F=91=E4=BA=8C?=
 =?UTF-8?q?=E6=AC=A1=E5=8F=8D=E5=BA=8F=E5=88=97=E5=8C=96=E7=9A=84=E7=82=B9?=
 =?UTF-8?q?.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ...5\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md" | 1 +
 1 file changed, 1 insertion(+)

diff --git "a/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md" "b/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md"
index 97fb857..3ac9afe 100644
--- "a/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md"
+++ "b/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md"
@@ -317,4 +317,5 @@ public class DemoTest {
 
 ##  org.pac4j.core.profile.InternalAttributeHandler#restore
 使用{#sb64}rO0ABXN...serizalized_object_in_base64...，隐藏TemplatesImpl，可惜不是通用的
+另外很可惜的是高版本还做了删除，具体可以看公告：https://github.com/pac4j/pac4j/blob/1c198f3fbadc4e8c94bc953327e4e2a38c888525/documentation/blog/what_s_new_in_pac4j_v4_1.md?plain=1#L16
 参考链接：https://securitylab.github.com/advisories/GHSL-2022-085_pac4j/

From b082f562c7655af991bf7cb78f87b743a5552ec6 Mon Sep 17 00:00:00 2001
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com>
Date: Mon, 16 Dec 2024 23:10:40 +0800
Subject: [PATCH 4/6] Update README.md

Update CVE-2024-53677(S2-067)
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 7623b4f..a71ee0c 100644
--- a/README.md
+++ b/README.md
@@ -225,7 +225,7 @@
 - [S2-045学习(通过container获取全局共享的OgnlUtil实例来清除SecurityMemberAccess当中属性的限制)](https://github.com/Y4tacker/JavaSec/blob/main/7.Struts2%E4%B8%93%E5%8C%BA/S2-045%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/index.md)
 - [S2-057学习(突破#context被删除限制，从attr作用域获取context对象)](https://github.com/Y4tacker/JavaSec/blob/main/7.Struts2%E4%B8%93%E5%8C%BA/S2-057%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/index.md)
 - [S2-066学习(变量覆盖的有趣的例子)](https://y4tacker.github.io/2023/12/09/year/2023/12/Apache-Struts2-%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%86%E6%9E%90-S2-066/)
-
+- [S2-067学习](https://y4tacker.github.io/2024/12/16/year/2024/12/Apache-Struts2-%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%80%BB%E8%BE%91%E7%BB%95%E8%BF%87-CVE-2024-53677-S2-067/)
 
 ## 8.关于Tomcat的一些小研究
 

From f8b923bacf07d188d99ae7d94943fdab3f1d9c47 Mon Sep 17 00:00:00 2001
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com>
Date: Sun, 5 Jan 2025 18:42:49 +0800
Subject: [PATCH 5/6] Update README.md

---
 README.md | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/README.md b/README.md
index a71ee0c..87f4e22 100644
--- a/README.md
+++ b/README.md
@@ -531,14 +531,6 @@
 - [回忆飘如雪](https://gv7.me/)
 
 
-## 知识星球
-
-<br/>
-知识星球试运营，后面主要会发一些应急漏洞的分析(前提我会😜) 
-
-Ps:想不想进随意，大部分漏洞我都会发在博客当中，少部分自己觉得不那么有意思的漏洞可能只会发在星球中，谁让我喜欢为爱发电呢(当然大0day不会发)
-
-<img src="https://github.com/Y4tacker/JavaSec/assets/56486273/08eab771-b1cd-4d97-a3a9-173b78fdc997" align="center"></img>
 
 
 

From a6e0f8cc3a63622b768c3b46297c66dc8a0a85f0 Mon Sep 17 00:00:00 2001
From: Y4tacker <56486273+Y4tacker@users.noreply.github.com>
Date: Mon, 10 Nov 2025 19:47:01 +0800
Subject: [PATCH 6/6] Update README.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add No-FTP:高版本JDK如何通过XXE-OOB读取多行文件(WIndows)
---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index 87f4e22..7b814d6 100644
--- a/README.md
+++ b/README.md
@@ -38,6 +38,7 @@
 - [Java中的XXE](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/Java%E4%B8%AD%E7%9A%84XXE/index.md)
   - [XML 相关漏洞风险研究(关于XML结构方面的介绍可以看看这篇文章，浅显易懂)](https://evilpan.com/2024/06/02/xml-vulnerabilities/) 
   - [XML外部实体注入（XXE）攻击方式汇总(关于XXE可以延伸继续看看)](https://tttang.com/archive/1813/)
+  - [No-FTP:高版本JDK如何通过XXE-OOB读取多行文件(Windows)](https://y4tacker.github.io/2025/11/10/year/2025/11/No-FTP-%E9%AB%98%E7%89%88%E6%9C%ACJDK%E5%A6%82%E4%BD%95%E9%80%9A%E8%BF%87XXE-OOB%E8%AF%BB%E5%8F%96%E5%A4%9A%E8%A1%8C%E6%96%87%E4%BB%B6/)
   - [绕过WAF保护的XXE(一些通用的流量混淆方式)](https://xz.aliyun.com/t/4059?accounttraceid=04ba92e87b2342b9a14daca5812cc52aoxob&time__1311=n4mx0DnDBiitiQo4GNulxU2nD9iBDc70ZAnYD)
 - [通过反射扫描被注解修饰的类](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/%E9%80%9A%E8%BF%87%E5%8F%8D%E5%B0%84%E6%89%AB%E6%8F%8F%E8%A2%AB%E6%B3%A8%E8%A7%A3%E4%BF%AE%E9%A5%B0%E7%9A%84%E7%B1%BB/index.md)
 - [低版本下Java文件系统00截断](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/%E4%BD%8E%E7%89%88%E6%9C%AC%E4%B8%8BJava%E6%96%87%E4%BB%B6%E7%B3%BB%E7%BB%9F00%E6%88%AA%E6%96%AD/index.md)