2022

• Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS

2021

• A New Attack Surface on MS Exchange Part 3 - ProxyShell!
• A New Attack Surface on MS Exchange Part 2 - ProxyOracle!
• A New Attack Surface on MS Exchange Part 1 - ProxyLogon!

2020

• How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM
• 看我如何再一次駭進 Facebook，一個在 MobileIron MDM 上的遠端程式碼執行漏洞!

2019

• 你用它上網，我用它進你內網! 中華電信數據機遠端代碼執行漏洞
• Attacking SSL VPN - Part 3: The Golden Pulse Secure SSL VPN RCE Chain, with Twitter as Case Study!
• Attacking SSL VPN - Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as Case Study!
• Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!(EN)
• Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!
• Hacking Jenkins Part 1 - Play with Dynamic Routing (EN)
• Hacking Jenkins Part 1 - Play with Dynamic Routing

2016

• Advisory: Accellion File Transfer Appliance Vulnerability
• Accellion File Transfer Appliance 弱點報告
• How I Hacked Facebook, and Found Someone's Backdoor Script
• 滲透 Facebook 的思路與發現