Hi, today I’ll do a quick article to talk about Smarty PHP and I’ll reveal something I found on the template library that could be a 0day. What’s Smarty? Smarty is a PHP library allowing the usage of Templates in PHP. It is a library widely used in PHP development, MVC and so on. …
Hi everybody, today I’ll talk about Google Web Toolkit, or GWT. This is something I had in my current assessment and I never had to do it before. Quick description Google Web Toolkit is a set of tools used to create complex tools using JavaScript to interface with Java applications. It has a special …
Hi everybody, today I’ll talk about the identification of an XPATH injection. I spent a few hours on that issue earlier in the day, because I was stupid enough to think it was a DBMS. Anyway, here are a few things that could point to the presence of the usage of an XPATH query. …
Hey, today I’ll do a quick article since I’m very busy these few days. I’ll talk about server-side includes and how to exploit them. What’s an SSI? A Server-side include (SSI) is a server-side scripting language used almost exclusively for the web. The most used feature of SSI is the ability to include …
Hi, today I’ll do a quick article after some research and development I did earlier this day. It is related to the way Oracle stores data inside files, particularly .DBF files. What are DBF files? DBF is the file format used by Oracle to store the main part of its data structure. When you …
Hi, today I’ll talk about something I had to do today for a CTF, not too interesting but still something new I learned. Identifying a browser The theory is pretty simple. Not all HTML features are properly supported on all browsers, and as such, it is possible on some pages to fingerprint the browser used …
Hi, today I’ll explain a quick article I didn’t know about that was sent by a colleague today. The techniques and exploit presented in this article are not new since they were released in 2015 but it could still be useful on some instances. This article is inspired by two vulnerabilities, respectively for Joomla (here …
Hi, today I’ll talk really quickly about some general tips on Burp Suite Pro; I’ll merge some tips I already knew with some I learned myself since I started my new job. You can set up an upstream SOCKS server via an SSH server using the -D option on SSH; it works pretty well. You can …
Hey. Today I’ll talk about the main subject of my first chapter in binary exploitation. I’ll talk about how unserialize works in PHP and think about some ways to exploit that to be able to do ROP with a use-after-free. What’s unserialize? unserialize() is a PHP function used to transform a string into various …
Hi everybody, as I said previously, my first goal with that category is to be able to exploit an unserialize bug using a use-after-free attack. Doing a double free on a fastbin is similar to a use-after-free since it allows two objects to have the same address, so we can overlap structures to be able …