diff --git a/README.md b/README.md
index e45eb19..7b814d6 100644
--- a/README.md
+++ b/README.md
@@ -14,8 +14,6 @@
 
 <p align="right">2021年10月18日，梦的开始</p>
 
-<br/>
-
 ## 1.基础篇
 
 - [Java反射](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/%E5%8F%8D%E5%B0%84/%E5%8F%8D%E5%B0%84.md)
@@ -38,7 +36,9 @@
 - [JSTL(看菜鸟教程即可)](https://www.runoob.com/jsp/jsp-jstl.html)
 - [JEP290基础概念](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/JEP290%E7%9A%84%E5%9F%BA%E6%9C%AC%E6%A6%82%E5%BF%B5/index.md)
 - [Java中的XXE](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/Java%E4%B8%AD%E7%9A%84XXE/index.md)
+  - [XML 相关漏洞风险研究(关于XML结构方面的介绍可以看看这篇文章，浅显易懂)](https://evilpan.com/2024/06/02/xml-vulnerabilities/) 
   - [XML外部实体注入（XXE）攻击方式汇总(关于XXE可以延伸继续看看)](https://tttang.com/archive/1813/)
+  - [No-FTP:高版本JDK如何通过XXE-OOB读取多行文件(Windows)](https://y4tacker.github.io/2025/11/10/year/2025/11/No-FTP-%E9%AB%98%E7%89%88%E6%9C%ACJDK%E5%A6%82%E4%BD%95%E9%80%9A%E8%BF%87XXE-OOB%E8%AF%BB%E5%8F%96%E5%A4%9A%E8%A1%8C%E6%96%87%E4%BB%B6/)
   - [绕过WAF保护的XXE(一些通用的流量混淆方式)](https://xz.aliyun.com/t/4059?accounttraceid=04ba92e87b2342b9a14daca5812cc52aoxob&time__1311=n4mx0DnDBiitiQo4GNulxU2nD9iBDc70ZAnYD)
 - [通过反射扫描被注解修饰的类](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/%E9%80%9A%E8%BF%87%E5%8F%8D%E5%B0%84%E6%89%AB%E6%8F%8F%E8%A2%AB%E6%B3%A8%E8%A7%A3%E4%BF%AE%E9%A5%B0%E7%9A%84%E7%B1%BB/index.md)
 - [低版本下Java文件系统00截断](https://github.com/Y4tacker/JavaSec/blob/main/1.%E5%9F%BA%E7%A1%80%E7%9F%A5%E8%AF%86/%E4%BD%8E%E7%89%88%E6%9C%AC%E4%B8%8BJava%E6%96%87%E4%BB%B6%E7%B3%BB%E7%BB%9F00%E6%88%AA%E6%96%AD/index.md)
@@ -51,6 +51,7 @@
 
 如果想系统学习CC链、CB链的话这部分还是推荐p牛的[Java安全漫谈](https://github.com/phith0n/JavaThings)，我只是简单写写便于自己复习而已(这部分看我下面的share并不适合新人，过了这么久看过网上很多文章还是觉得P牛写的更适合新人)
 
+- [Java 反序列化取经路(强推)](https://su18.org/post/ysuserial/)
 - [Java反序列化之URLDNS](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/Java%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B9%8BURLDNS/Java%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E4%B9%8BURLDNS.md)
 - [CommonsCollections1笔记](https://github.com/Y4tacker/JavaSec/blob/main/2.反序列化专区/CommonsCollections1/CommonsCollections1.md)
 - [CommonsCollections2笔记](https://github.com/Y4tacker/JavaSec/blob/main/2.反序列化专区/CommonsCollections2/CommonsCollections2.md)
@@ -189,6 +190,7 @@
   - [看不见的 Jsp-WebShell 第二式增强之无痕](https://mp.weixin.qq.com/s/7b3Fyu_K6ZRgKlp6RkdYoA)
 
   - [Spring cloud gateway通过SPEL注入内存马](https://gv7.me/articles/2022/the-spring-cloud-gateway-inject-memshell-through-spel-expressions/)
+    - [Java安全攻防之Spring Cloud Gateway攻击Redis](https://mp.weixin.qq.com/s/6U1KaLrrtq2dxg55IYASFg)
 
 
 - Tools
@@ -224,7 +226,7 @@
 - [S2-045学习(通过container获取全局共享的OgnlUtil实例来清除SecurityMemberAccess当中属性的限制)](https://github.com/Y4tacker/JavaSec/blob/main/7.Struts2%E4%B8%93%E5%8C%BA/S2-045%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/index.md)
 - [S2-057学习(突破#context被删除限制，从attr作用域获取context对象)](https://github.com/Y4tacker/JavaSec/blob/main/7.Struts2%E4%B8%93%E5%8C%BA/S2-057%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/index.md)
 - [S2-066学习(变量覆盖的有趣的例子)](https://y4tacker.github.io/2023/12/09/year/2023/12/Apache-Struts2-%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E5%88%86%E6%9E%90-S2-066/)
-
+- [S2-067学习](https://y4tacker.github.io/2024/12/16/year/2024/12/Apache-Struts2-%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E9%80%BB%E8%BE%91%E7%BB%95%E8%BF%87-CVE-2024-53677-S2-067/)
 
 ## 8.关于Tomcat的一些小研究
 
@@ -374,16 +376,24 @@
   - [CVE-2023-29298: Adobe ColdFusion Access Control Bypass](https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/)
   - [Analysis CVE-2023-29300: Adobe ColdFusion Pre-Auth RCE](https://blog.projectdiscovery.io/adobe-coldfusion-rce/)
 - Smartbi
-	- [浅析Smartbi逻辑漏洞](https://y4tacker.github.io/2023/07/05/year/2023/7/%E6%B5%85%E6%9E%90Smartbi%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/)
+  - [浅析Smartbi逻辑漏洞](https://y4tacker.github.io/2023/07/05/year/2023/7/%E6%B5%85%E6%9E%90Smartbi%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/)
+  - [浅析Smartbi逻辑漏洞(2)](https://y4tacker.github.io/2023/08/23/year/2023/8/%E6%B5%85%E6%9E%90Smartbi%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E-2/)
+  - [浅析Smartbi逻辑漏洞(3)](https://y4tacker.github.io/2024/04/19/year/2024/4/%E6%B5%85%E6%9E%90SmartBi%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E-3/)
+- CrushFTP
+  - [CrushFTP Unauthenticated Remote Code Execution(CVE-2023-43177)](https://y4tacker.github.io/2023/12/10/year/2023/12/CrushFTP-Unauthenticated-Remote-Code-Execution-CVE-2023-43177/)
+  - [浅析CrushFTP之VFS逃逸](https://y4tacker.github.io/2024/04/23/year/2024/4/%E6%B5%85%E6%9E%90CrushFTP%E4%B9%8BVFS%E9%80%83%E9%80%B8/)
+  - [CrushFTP Unauthenticated Remote Code Execution(CVE-2024-4040)](https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis)
+  - [CrushFTP后利用提权分析(CVE-2024-4040)](https://y4tacker.github.io/2024/04/25/year/2024/4/CrushFTP%E5%90%8E%E5%88%A9%E7%94%A8%E6%8F%90%E6%9D%83%E5%88%86%E6%9E%90-CVE-2024-4040/)
 - Others
   - [HtmlUnit-RCE](https://siebene.github.io/2022/12/30/HtmlUnit-RCE/)
   - [openfire鉴权绕过漏洞原理解析(主要是学习jetty对%u002e请求的解析支持)](https://mp.weixin.qq.com/s/EzfB8CM4y4aNtKFJqSOM1w)
   - [Metabase-Pre auth RCE](https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/)
   - [Ivanti Sentry Authentication Bypass](https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/)
+  - [浅析GeoServer property 表达式注入代码执行(CVE-2024-36401)](https://y4tacker.github.io/2024/07/03/year/2024/7/%E6%B5%85%E6%9E%90GeoServer-property-%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85%A5%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C-CVE-2024-36401/)
   - [UNAUTHENTICATED SERVER SIDE REQUEST FORGERY & CRLF INJECTION IN GEOSERVER WMS(CRLF注入的好例子)](https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms)
   - [JetBrains TeamCity 任意代码执行漏洞分析(CVE-2023-42793)](https://forum.butian.net/share/2514)
+  - [JetBrains TeamCity权限绕过(CVE-2024-23917)(这篇文章还讲解了一些容器与SpringBoot的流程知识)](https://blog.0daylabs.com/2024/05/27/jetbrains-teamcity-auth-bypass/)
   - [SysAid On-Prem Software(CVE-2023-47246)](https://forum.butian.net/share/2577)
-  - [CrushFTP Unauthenticated Remote Code Execution(CVE-2023-43177)](https://y4tacker.github.io/2023/12/10/year/2023/12/CrushFTP-Unauthenticated-Remote-Code-Execution-CVE-2023-43177/)
   - [MCMS属性覆盖全版本Bypass分析(又又又是一个属性覆盖带来的漏洞)](https://y4tacker.github.io/2023/12/28/year/2023/12/%E5%8F%88%E5%8F%88%E5%8F%88%E6%98%AF%E4%B8%80%E4%B8%AA%E5%B1%9E%E6%80%A7%E8%A6%86%E7%9B%96%E5%B8%A6%E6%9D%A5%E7%9A%84%E6%BC%8F%E6%B4%9E/)
   - [Atlassian Confluence-Remote Code Execution(CVE-2023-22527)](https://blog.projectdiscovery.io/atlassian-confluence-ssti-remote-code-execution/)
   - [Jenkins文件读取漏洞拾遗（CVE-2024-23897）](https://www.leavesongs.com/PENETRATION/jenkins-cve-2024-23897.html)
@@ -421,9 +431,8 @@
 - [Tomcat URL解析差异性导致的安全问题(网上看到的主要关注HttpServletRequest中几个解析URL的函数这个问题)](https://xz.aliyun.com/t/7544)
 - [Tomcat中url解析特性](https://github.com/Y4tacker/JavaSec/blob/main/8.%E5%85%B3%E4%BA%8ETomcat%E7%9A%84%E4%B8%80%E4%BA%9B%E5%88%86%E4%BA%AB/Tomcat%E4%B8%ADurl%E8%A7%A3%E6%9E%90%E7%89%B9%E6%80%A7/index.md)
 - [SpringBoot2.3.0以下路由%2e跨目录处理(可用于权限绕过)](https://github.com/Y4tacker/JavaSec/blob/main/11.Spring/SpringBoot2.3.0%E4%BB%A5%E4%B8%8B%E8%B7%AF%E7%94%B1%252e%E8%B7%A8%E7%9B%AE%E5%BD%95%E5%A4%84%E7%90%86(%E5%8F%AF%E7%94%A8%E4%BA%8E%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87)/index.md)
-
 - [网上看到的Jetty的部分解析特性(支持%uxxx)](https://www.wangan.com/p/7fyg8k2c7781675a)
-
+- [浅谈JFinal的DenyAccessJsp绕过](https://forum.butian.net/share/1899)
 
 ## 19.ASM与JVM学习
 
@@ -435,6 +444,7 @@
 
 ## 20.议题
 - [Hacking FernFlower](https://y4tacker.github.io/2023/12/22/year/2023/12/Hacking-FernFlower/)
+  - [议题相关代码](https://github.com/Y4tacker/HackingFernFlower)
 
 
 
@@ -460,6 +470,7 @@
 - [Java Web —— 从内存中Dump JDBC数据库明文密码(还挺好玩的)](https://mp.weixin.qq.com/s/QCfqO2BJuhSOr58rldZzxA)
 - [如何带依赖打包Jar](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/Maven/index.md)
 - [一些Java二次反序列化的点(持续收集)](https://github.com/Y4tacker/JavaSec/blob/main/%E5%85%B6%E4%BB%96/Java%E4%BA%8C%E6%AC%A1%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96/Java%E8%A7%A6%E5%8F%91%E4%BA%8C%E6%AC%A1%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E7%9A%84%E7%82%B9.md)
+  - [帆软channel接口反序列化漏洞分析(二次反序列化一些实战场景利用)](https://forum.butian.net/share/2806)
 - [自己写的OpenRasp分析](https://y4tacker.github.io/2022/05/28/year/2022/5/OpenRasp%E5%88%86%E6%9E%90/)
 - [Apache Unomi 表达式注入攻防](https://github.com/1135/unomi_exploit)
 - [JEXL3表达式注入](https://xz.aliyun.com/t/8099)
@@ -469,6 +480,7 @@
 - [JDK-Xalan的XSLT整数截断漏洞利用构造](https://mp.weixin.qq.com/s/xxAtjFvk9RxWiY-pwGf8Ow)
 - [某Cloud系统漏洞分析](https://forum.butian.net/share/2529)
 - [任意文件下载漏洞的利用思考(总结非常细！)](https://mp.weixin.qq.com/s/3y62xuQJAj2gmtBSKvHHug)
+- [jdk新入口挖掘(新的toString链)](https://xz.aliyun.com/t/14732)
 
 
 ## 比赛反思
@@ -521,6 +533,9 @@
 
 
 
+
+
+
 ## 更多
 
 
diff --git "a/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md" "b/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md"
index 9767f82..3ac9afe 100644
--- "a/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md"
+++ "b/\345\205\266\344\273\226/Java\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226/Java\350\247\246\345\217\221\344\272\214\346\254\241\345\217\215\345\272\217\345\210\227\345\214\226\347\232\204\347\202\271.md"
@@ -313,3 +313,9 @@ public class DemoTest {
 ```
 
 具体分析见https://y4tacker.github.io/2022/02/06/year/2022/2/c3p0%E7%9A%84%E4%B8%89%E4%B8%AAgadget%E7%9A%84%E5%AD%A6%E4%B9%A0/#hex%E5%BA%8F%E5%88%97%E5%8C%96%E5%AD%97%E8%8A%82%E5%8A%A0%E8%BD%BD%E5%99%A8
+
+
+##  org.pac4j.core.profile.InternalAttributeHandler#restore
+使用{#sb64}rO0ABXN...serizalized_object_in_base64...，隐藏TemplatesImpl，可惜不是通用的
+另外很可惜的是高版本还做了删除，具体可以看公告：https://github.com/pac4j/pac4j/blob/1c198f3fbadc4e8c94bc953327e4e2a38c888525/documentation/blog/what_s_new_in_pac4j_v4_1.md?plain=1#L16
+参考链接：https://securitylab.github.com/advisories/GHSL-2022-085_pac4j/