
Web Security Handbook

Sharing is a joy in itself; I feel happy when others get help because of me.

[Pinned] What a tragedy

[Pinned] Technical challenge game

[Pinned] Disclaimer & article submissions

Compilation of wordlist downloads

Original Source: http://www.whatsmypass.com/compilation-of-wordlist-downloads

Props to hashcrack.blogspot.com for compiling the most comprehensive wordlist downloads on the web. Copying links here just in case blogspot ever blows up. Additionally, head over to skullsecurity.org; they have some specialized wordlists from various sources, including the hacked RockYou database and a skim of Facebook names/usernames, for a total of 14,488,929 distinct passwords to be exact, collected from 32,943,045 users.

New version of Any2Bat.vbs

The new version has the following improvements:
1. Adds data compression (using the system's built-in makecab.exe and expand.exe).
2. Base64 encoding uses Microsoft.XMLDOM, which is faster and makes the code more concise.
3. When echo generates the temporary script, the file name has no extension, which avoids frequent scanning by antivirus software and improves efficiency.

Adobe ColdFusion Directory Traversal Vulnerability

#Trace: Quite a lot of sites use Adobe ColdFusion.

Black Hat 2010 Token Kidnapping's Revenge

#Trace: A major privilege-escalation tool; I saw the news last month. The author released the code after the Black Hat conference.
This new presentation will detail new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions, including the brand new Windows 2008 R2 and Windows 7. These new attacks make it possible to bypass new Windows services protections such as Per service SID, Write restricted token, etc. It will be demonstrated that almost any process with impersonation rights can elevate privileges to the Local System account and completely compromise Windows OSs. While the issues are not critical in nature, since impersonation rights are required, they make it possible to exploit services such as IIS 6, IIS 7, SQL Server, etc. in some specific scenarios. Exploit code for those services will be released. The presentation will be given in a very practical way, showing how the new issues were found, with what tools, techniques, etc., allowing the participants to learn how to easily find these kinds of security issues in Windows operating systems.

darkc0de.com Archive

The file includes the following site sections:
bruteforce, c0de, cheatsheets, encryption, exploits, ircbots, misc, others, scanners and tutorials

China Chopper @ 20100629

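Latest version of Chopper, 20100629
Asp.Net database operations are more complete; if connections used to time out, give it another try this time! Scan module updated, browser right-click menu gains a search for web pages on this IP, anti-IDS strengthened, and others...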

Reliable Weekly Exploit Database Updates

Exploit-db.com has finally got around to syncing our exploits archive and SVN server. Both the downloadable archive and SVN server will be updated once a week.

[update]John the Ripper & hydra

Could someone share their john.pot?

Advanced MYSQL injection examples

Thanks to xnquan for the submission

Penetration Testing In The Real World

#Trace: A tutorial from Offensive Security

fuzzdb 1.07

#Trace: 1.07 makes major changes to the organizational structure, with timely updates and expanded dictionaries.

Penetration: from Application down to OS. Getting OS Access Using Lotus Domino Application Server Vulnerabilities

Also, people must be aware that this system is usually available from the Internet and can be hacked to get access to the operating system of the server in the DMZ and then to the internal servers of the corporate environment, and in this paper we will show how to do this.

Using Meterpreter to control netcat and third party exploits

Metasploit has A LOT of exploits, but from time to time you will very likely need to use exploits that are not part of the framework. Whether it is an exploit from www.exploit-db.com that spawns a shell or a netcat listener you can still use the framework to control the host. As long as you have a shell bound to a TCP port you can use metasploit to interact with that victim. What's more, you can upgrade that shell to a meterpreter session so you can benefit from the full power of the framework.

Upload Shell with Burp Suite

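Burp Suite is an integrated suite for web penetration testing developed by PortSwigger. It includes the Proxy, spider, scanner (paid version), intruder, repeater, sequencer, decoder, comparer and other modules. Each module has its own distinct purpose, which makes testing work much more convenient for professional and non-professional web penetration testers alike.

This article uses the upload vulnerability in 伴江行购物联盟 (multi-user, beautified modified edition) v4.3 to demonstrate one application of the repeater module.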

fuzzdb

This approach is also useful for targeted use of brute force for discovery using, for example, lists of known vulnerable scripts sorted by platform type, default locations of critical files of popular apps, high quality lists of common directory names.


Copyright 2008-2009 Pcsec.org. Some Rights Reserved. 苏ICP备08110306号
