Hey, so I’ve been doing some follow-up research on the vulnerability I found in Smarty and I’ll be doing a quick post on what I found, with the conditions needed to trigger it. Version affected So I’m not finished with the testing obviously but there were some weird things, such as the fact that …
Hi, today I’ll do a quick article to talk about Smarty PHP and I’ll reveal something I found on the template library that could be a 0day. What’s Smarty? Smarty is a PHP library allowing the usage of Templates in PHP. It is a library widely used in PHP development, MVC and so on. …
Hi everybody, today I’ll talk about Google Web Toolkit, or GWT. This is something I had in my current assessment and I never had to do it before. Quick description Google Web Toolkit is a set of tools used to create complex tools using JavaScript to interface with Java applications. It has a special …
Hi everybody, today I’ll talk about the identification of an XPATH injection. I spent a few hours on that issue earlier in the day, because I was stupid enough to think it was a DBMS. Anyway, here are a few things that could point to the presence of the usage of an XPATH query. …
Hi, today I’ll talk about something I had to do today for a CTF, not too interesting but still something new I learned. Identifying a browser The theory is pretty simple. Not all HTML features are properly supported on all browsers, and as such, it is possible on some pages to fingerprint the browser used …
Hi, today I’ll explain a quick article I didn’t know about that was sent by a colleague today. The techniques and exploit presented in this article are not new since they were released in 2015 but it could still be useful on some instances. This article is inspired by two vulnerabilities, respectively for Joomla (here …
Hi, today I’ll talk really quickly about some general tips on Burp Suite Pro, I’ll merge some tips I already knew with some I learned myself since I started my new job. You can set up an upstream SOCKS server via an SSH server using the -D option on SSH, works pretty well. You can …
Hey. Today I’ll talk about the main subject of my first chapter in binary exploitation. I’ll talk about how unserialize works in PHP and think about some ways to exploit that to be able to do ROP with a use-after-free. What’s unserialize? unserialize() is a PHP function used to transform a string into various …
Hi, today I’ll talk about a general concept but I didn’t really dig that well since I generally pentest Linux-based apps when it is a web assessment I have to do. ISAPI ISAPI is to IIS what CGI is to Apache or nginx. Basically it is a method to wrap other programs as web …
It is harder and harder for me to write down new articles, not due to lack of content but more because of time and because of confidentiality and NDAs. Right now I still want to continue the blog but it is clear to me that the reason I launched the blog doesn’t make a lot …