Phew, so I just spent my whole day debugging a supposed RCE I got during an assessment. I’ll talk in this article about what happened and how I managed to debug a faulty plugin. Long story short So, I won’t explain how I got access to the admin page for obvious reasons but what …
Search Results for: pen
Hi everybody, today I’ll talk about Express, which is a NodeJS framework used to create web applications, and how to abuse it to exploit a directory traversal on some implementations. Directory traversal You probably already know what a directory traversal is, but in short, it is based on the ability to use “../”, which …
Hi, today I’ll write a quick article on how to tunnel a Linux server through a bounce you don’t want to give easy access to. The steps are pretty easy to do: Creating a virtual machine The virtual machine will act as the server the victim will connect to. Because we don’t want to give an …
Hi everybody, this week I’ll be traveling for work, so I won’t have a lot of time to do lengthy articles. The subject of the day is gonna be security again, more specifically about web and CORS. CORS CORS or Cross-Origin Resource Sharing is a mechanism using HTTP headers to specify that an application running …
Hey, today I’ll talk about security and more specifically pentest once again. I feel lucky these days because I feel I learn new things every week at least. Today I’ll talk about server-side JavaScript but not on MongoDB, rather I’ll speak about GatewayScript, which is a proprietary language by IBM. GatewayScript GatewayScript is used mainly …
Hi, today I’ll do a quick preamble article about NoSQL Injection, more specifically on MongoDB. I found an interesting way to call the $where operator when you’re in a NoSQL injection inside a field. Current techniques Normally, you are not supposed to be able to call the $where operator since it is a top-level …
Hey, so I’ve been doing some follow-up research on the vulnerability I found in Smarty and I’ll be doing a quick post on what I found, with the conditions needed to trigger it. Version affected So I’m not finished with the testing obviously but there were some weird things, such as the fact that …
Hi, today I’ll do a quick article to talk about Smarty PHP and I’ll reveal something I found on the template library that could be a 0day. What’s Smarty? Smarty is a PHP library allowing the use of templates in PHP. It is a library widely used in PHP development, MVC and so on. …
Hi, today I’ll talk about a quick analysis of some privilege escalation/local root on AIX servers. Quick summary Generally, when finding a privilege escalation on a system, here are the general steps you’ll take: Check the crontab for root or privileged user scripts Verify if you have access to sudo using sudo -l Identify and …
Hi everybody, today I’ll talk about Google Web Toolkit, or GWT. This is something I had in my current assessment and I never had to do it before. Quick description Google Web Toolkit is a set of tools used to create complex tools using JavaScript to interface with Java applications. It has a special …