Random security-related stuff - Research

When it’s not a bug, it’s a feature. When it’s not a security issue, it’s a bug
A bypass of the PHP open_basedir directive
Read more: php-openbasedir-bypass

From .user.ini upload to RCE
An uncommon file upload exploitation technique against PHP in CGI mode
Read more: php-ini-rce

FuckFastCGI made simpler
Revisiting FuckFastCGI to create a PHP-only exploit
Read more: ffcgi-made-simpler

Arbitrary file read in King-Avis Prestahop module (CVE-2023-3031)
An arbitrary local file read in the King-Avis Prestahop module
Read more: CVE-2023-3031

Some CVEs related to Mobatime
Multiple vulnerabilities affecting Mobatime mobile and web apps
Read more: CVE-2023-3032, CVE-2023-3033, CVE-2023-3064/5/6

127.0.0.1, sweet 127.0.0.1
An SSRF filter bypass on Tiny File Manager
Read more: Tiny File Manager Localhost filter bypass

Hidden in plain sight
A few thoughts about PHP webshells
Read more: Hidden in plain sight

Hidden in plain sight - 2nd part
A few thoughts about PHP webshells
Read more: Hidden in plain sight - 2

Come to verify my self-signed token !
Another JWT abuse, spoofing the ISS claim
Read more: From SSRF to authentication bypass

Exploiting flawed access controls in GLPI < 10.0.13
Please give me the list of the users with their passwords
Read more: CVE-2024-27930 - CVE-2024-27937 - Walkthrough

Exploiting an uncommon SQL injection (CVE-2024-27096) - GLPI < 10.0.13
A few thoughts about CVE-2024-27096
Read more: Exploiting CVE-2024-27096

CVE-2024-29889 and CVE-2024-31456 - GLPI < 10.0.15 SQL injections
Daemons of the past make GLPI < 10.0.15 vulnerable to SQL injections
Read more: Exploiting CVE-2024-29889 and CVE-2024-31456

CVE-2024-37148 - GLPI < 10.0.16 authenticated SQL injections
One vulnerability may hide another
Read more: Exploiting CVE-2024-37148

Recent Posts

Exploiting CVE-2024-37148

3 minute read

Intro When it comes to input sanitisation, who is responsible, the function or the caller ? Or both ? And if no one does, hoping that the other one will do t...

Exploiting CVE-2024-27096

6 minute read

Intro A few weeks ago, I discovered during an intrusion test two vulnerabilities affecting GLPI 10.0.12, that was the latest public version at this time. The...

From SSRF to authentication bypass

4 minute read

I won’t insult you by explaining once again what JSON Web Tokens (JWTs) are, and how to attack them. A plethora of awesome articles exists on the Web, descri...

Hidden in plain sight - Part 2

12 minute read

A few days ago, I published a blog post about PHP webshells, ending with a discussion about filters evasion by getting rid of the pattern $_. The latter is c...

I want to talk to your managed code

12 minute read

TL;DR A few experiments about mixed managed/unmanaged assemblies. To begin with, we start by presenting a C# programme that hides a part of its payload in an...

Qakbot JScript dropper analysis

11 minute read

It was a sunny and warm summer afternoon, and while normal people would rush to the beach, I decided to devote myself to one of my favourite activities: suff...

CVE-2023-3033

3 minute read

This walkthrough presents another vulnerability discovered on the Mobatime web application (see CVE-2023-3032, same version 06.7.2022 affected). This vulnera...

CVE-2023-3032

less than 1 minute read

Mobatime offers various time-related products, such as check-in solutions. In versions up to 06.7.2022, an arbitrary file upload allowed an authenticated use...

CVE-2023-3031

less than 1 minute read

King-Avis is a Prestashop module developed by Webbax. In versions older than 17.3.15, the latter suffers from an authenticated path traversal, leading to loc...

FuckFastCGI made simpler

3 minute read

Let’s render unto Caesar the things that are Caesar’s, the exploit FuckFastCGI is not mine and is a brilliant one, bypassing open_basedir and disable_functio...

PHP .user.ini risks

7 minute read

I have to admit, PHP is not my favourite, but such powerful language sometimes really amazes me. Two days ago, I found a bypass of the directive open_basedir...

PHP open_basedir bypass

3 minute read

PHP is a really powerful language, and as a wise man once said, with great power comes great responsibilities. There is nothing more frustrating than obtaini...

Self modifying C program - Polymorphic

17 minute read

A few weeks ago, a good friend of mine asked me if it was possible to create such a program, as it could modify itself. After some thoughts, I answered that ...