Exploiting CVE-2024-27096
Intro A few weeks ago, I discovered during an intrusion test two vulnerabilities affecting GLPI 10.0.12, that was the latest public version at this time. The...
Random security-related stuff - Research
When it’s not a bug, it’s a feature. When it’s not a security issue, it’s a bug
A bypass of the PHP open_basedir directive
Read more: php-openbasedir-bypass
From .user.ini upload to RCE
An uncommon file upload exploitation technique against PHP in CGI mode
Read more: php-ini-rce
FuckFastCGI made simpler
Revisiting FuckFastCGI to create a PHP-only exploit
Read more: ffcgi-made-simpler
Arbitrary file read in King-Avis Prestahop module (CVE-2023-3031)
An arbitrary local file read in the King-Avis Prestahop module
Read more: CVE-2023-3031
Some CVEs related to Mobatime
Multiple vulnerabilities affecting Mobatime mobile and web apps
Read more: CVE-2023-3032, CVE-2023-3033, CVE-2023-3064/5/6
127.0.0.1, sweet 127.0.0.1
An SSRF filter bypass on Tiny File Manager
Read more: Tiny File Manager Localhost filter bypass
Hidden in plain sight
A few thoughts about PHP webshells
Read more: Hidden in plain sight
Hidden in plain sight - 2nd part
A few thoughts about PHP webshells
Read more: Hidden in plain sight - 2
Come to verify my self-signed token !
Another JWT abuse, spoofing the ISS claim
Read more: From SSRF to authentication bypass
CVE-2024-27930 - CVE-2024-27937 - Walkthrough
Please give me the list of the users with their passwords
Read more: Exploiting flawed access controls in GLPI < 10.0.13
CVE-2024-27096 - GLPI < 10.0.13 SQL injection
A few thoughts about CVE-2024-27096
Read more: Exploiting an uncommon SQL injection (CVE-2024-27096)
Recent Posts
CVE-2024-27937 - CVE-2024-27930 - Walkthrough
I was recently tasked with auditing the application GLPI, a few days after its latest release (10.0.12 at the time of writing). The latter stands for Gestion...
From SSRF to authentication bypass
I won’t insult you by explaining once again what JSON Web Tokens (JWTs) are, and how to attack them. A plethora of awesome articles exists on the Web, descri...
Hidden in plain sight - Part 2
A few days ago, I published a blog post about PHP webshells, ending with a discussion about filters evasion by getting rid of the pattern $_. The latter is c...
Hidden in plain sight
A few thoughts about PHP webshells …
Tiny File Manager - There’s no place like home
I remember this carpet, at the entrance of the Computer Science faculty, with this message There’s no place like 127.0.0.1/8. A joke that would create two ca...
I want to talk to your managed code
TL;DR A few experiments about mixed managed/unmanaged assemblies. To begin with, we start by presenting a C# programme that hides a part of its payload in an...
Qakbot JScript dropper analysis
It was a sunny and warm summer afternoon, and while normal people would rush to the beach, I decided to devote myself to one of my favourite activities: suff...
CVE-2023-3064, CVE-2023-3065, and CVE-2023-3066
The reader should first take a look at the articles related to CVE-2023-3032 and CVE-2023-3033 that I published a few days ago to get more context.
CVE-2023-3033
This walkthrough presents another vulnerability discovered on the Mobatime web application (see CVE-2023-3032, same version 06.7.2022 affected). This vulnera...
CVE-2023-3032
Mobatime offers various time-related products, such as check-in solutions. In versions up to 06.7.2022, an arbitrary file upload allowed an authenticated use...
CVE-2023-3031
King-Avis is a Prestashop module developed by Webbax. In versions older than 17.3.15, the latter suffers from an authenticated path traversal, leading to loc...
FuckFastCGI made simpler
Let’s render unto Caesar the things that are Caesar’s, the exploit FuckFastCGI is not mine and is a brilliant one, bypassing open_basedir and disable_functio...
PHP .user.ini risks
I have to admit, PHP is not my favourite, but such powerful language sometimes really amazes me. Two days ago, I found a bypass of the directive open_basedir...
PHP open_basedir bypass
PHP is a really powerful language, and as a wise man once said, with great power comes great responsibilities. There is nothing more frustrating than obtaini...
Self modifying C program - Polymorphic
A few weeks ago, a good friend of mine asked me if it was possible to create such a program, as it could modify itself. After some thoughts, I answered that ...
Self modifying C program - Metamorphic (Basic)
In the previous article, I described how I wrote a simple polymorphic program. “Polymorphic” means that the program (the binary) changes its appearance every...
Diving into Viking Horde - Android malware analysis
The malware presented in this blog post appeared on Google Play in 2016. I heard about it thanks to this article published on checkpoint.com. The malicious a...
Diving into SLocker - Android malware analysis
Ransomwares are really interesting malwares because of their very specific purpose. Indeed, a ransomware will not necessarily try to be stealth or persistent...
Diving into Sberbank Android banker - Android malware analysis
A few days ago, I found this article about a malware targeting Sberbank, a big Russian bank. The app disguises itself as a web application, stealing in backg...
Diving into ruMMS - Android malware analysis
RuMMS is a malware targetting Russian users, distributed via websites as a file named mms.apk [1]. This article is inspired by this analysis made by FireEye ...
Diving into dsencrypt - Android malware analysis
Could a 5-classes Android app be so harmful ? dsencrypt says “yes”…
Attacking Android Accessibility Service (AAS) - Part IV
~$ cat How_an_Android_app_could_escalate_its_privileges_Part4.txt
Attacking Android Accessibility Service (AAS) - Part III
~$ cat How_an_Android_app_could_escalate_its_privileges_Part3.txt
Attacking Android Accessibility Service (AAS) - Part II
~$ cat How_an_Android_app_could_escalate_its_privileges_Part2.txt
Attacking Android Accessibility Service (AAS) - Part I
~$ cat How_an_Android_app_could_escalate_its_privileges.txt
Practical attacks against mobile browsers using extensions
Even if the thesis introduces the extensions internals, and analyses the difference between mobile and desktop browsers in terms of likelihood, efficiency an...