A somewhat curated list of links to various topics in application security.
Link | Excerpt |
---|---|
👩💻IW Weekly #39 : $10,000 Bounty, Zero-click Account Takeover, Stored XSS, Open Redirection Vulnerability, SQL Injection, RCE, Reconnaissance Techniques, and much more… | Welcome to the #IWWeekly39 - the Monday newsletter that brings the best in Infosec straight to your inbox. IWCON2022 finally came to a glorious end ❤️ Thank you for joining us. |
The Tale Of SSRF To RCE on .GOV Domain | Welcome back, I hope everyone is well. Without further hesitation let’s dive into it! What is SSRF? SSRF is Server Side Request Forgery. This is a high/critical vulnerability when demonstrated with impact. |
Chaining an Blind SSRF bug to Get an RCE | My name is Santosh Kumar Sha, I'm a security researcher from India (Assam). In this article, I will be discussing how I was able to get RCE by using Blind SSRF. But there is still a chance that we will be missing some URLs. |
Just Gopher It: Escalating a Blind SSRF to RCE for $15k | The bug bounty program which this vulnerability was discovered on has not allowed for public disclosure, therefore I will not be directly naming the program involved. What I can say — this was discovered on the main scope of one of Hackerone’s longest-running, largest bug bounty programs. |
Learn About Command Injection Attacks | Remote code execution vulnerabilities are a class of vulnerabilities that happen when attackers can execute their code on your machine. One of the ways this can happen is through command injection vulnerabilities. |
Remote Code Execution explained with real life bug bounty reports | Might help other people. |
How I found RCE But Got Duplicated | So first of all, I cannot show you the name of the site because of security issues, but let me tell you how I was able to bypass the file upload functionality to upload a shell to the website. |
SQL injection to RCE | In the next lines I will expose a case that I experienced in a customer penetration test days ago; in my opinion it was interesting how I needed to concatenate a few factors to get the RCE. For obvious reasons, some customer data will be anonymized. |
Diving into unserialize(): More than RCE | Last time, we talked about how PHP’s unserialize leads to vulnerabilities, and how an attacker can utilize it to achieve RCE. Today, let’s discuss some of the different ways that an attacker can exploit an unserialize() vulnerability. |
WRITE UP – Private bug bounty $$,$$$ USD: "RCE as root on Marathon-Mesos instance" | Hi everyone. It's been a while since my last post but I'm back. I want to tell you a short story about why your professional background matters when you do bug bounties (in my case my job as a DevOps engineer): if you know how something works, you might be able to break it. |
Jenkins RCE PoC or simple pre-auth remote code execution on the Server. | Once upon a time, a friend of mine asked me a question: "Do you know any fresh RCE for the Jenkins environment?" I already knew about some old RCE PoCs, but that was not what we needed at that time. It was a fresh Jenkins environment. |
Two Easy RCE in Atlassian Products | It has been a long time since my last article. There have been so many interesting results in my work. It seems the right time to share my knowledge and experience with you. But first, I want to point out that the two issues in this article are well known, and both have CVE numbers with patches and software updates. |
Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website! | As far as I can tell this vulnerability also impacts Ringcentral. Ringcentral for their web conference system is a white labeled Zoom system. This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user's permission. |
From SSRF To RCE in PDFReacter | What is PDFReacter? PDFReacter is a parser which converts HTML content to PDF. While testing an application I identified that it was using the PDFReacter parser. |
Ruby 2.x Universal RCE Deserialization Gadget Chain | This blog post details exploitation of arbitrary deserialization for the Ruby programming language and releases the first public universal gadget chain to achieve arbitrary command execution for Ruby 2.x. |
How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System | In the past two years, I started to pay more attention to the "inconsistency" bug. What's that? It's just like my SSRF talk at Black Hat and the GitHub SSRF to RCE case last year: finding an inconsistency between the URL parser and the URL fetcher that leads to a whole SSRF bypass! |
Latex to RCE, Private Bug Bounty Program | I participated in a private bug bounty program about one year ago, and I want to publish what I learned from it. The CMS was a journal site providing service to authors, editors, etc. I managed to get an editor account via an XSS which I'm not going through in this story. |
How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE! | Hi, it's been a long time since my last blog post. In the past few months, I spent lots of time preparing for my talk at Black Hat USA 2017 and DEF CON 25. Being a Black Hat and DEF CON speaker has been a life goal of mine. This was also my first English talk at such formal conferences. |
RCE by uploading a web.config | By uploading a web.config I was able to bypass the blacklist, which blocks files with an executable extension (such as '.asp' and '.aspx'). After setting execution rights for '.config' and then adding ASP code to the web.config I was able to execute code… |
XSS and RCE | RCE (Remote Code Execution) is a critical vulnerability which usually is the final goal of an attack. With code execution, it’s possible to compromise servers, clients and entire networks. |
Windows-RCE-exploits | The exploit samples database is a repository for RCE (remote code execution) exploits and proof-of-concepts for Windows; the samples are uploaded for educational purposes for red and blue teams. |
How I found 2.9 RCE at Yahoo! Bug Bounty program | Hi. I'm kedrisec and I want to describe 3 vulnerabilities that I found as part of security research in the Yahoo Bug Bounty program. So, let's begin. Yahoo's Bug Bounty program includes a lot of services and I decided to work around Brightroll. |
#BugBounty — How I was able to bypass firewall to get RCE and then went from server shell to get root user account! | This vulnerability blog is about the time when Apache Struts2 CVE-2013-2251 went viral and was being heavily exploited because of its impact, which led to execution of remote commands. |
LFI to RCE via access_log injection | Just want to share a trick going from Local File Inclusion/File Path Traversal to Remote Code Execution by injecting into the access_log. I have a target http://proqualitycontrol.com/index.php?page=aboutus and it's vulnerable to LFI/FPT. It's a live website. Inject the target with ../../../../../../../../.. |
Meraki RCE: When Red Team and Vulnerability Research Fell in Love | When I joined Salesforce, before moving over to vulnerability research, I worked in the Red Team. Our mission was to strengthen Salesforce’s security posture by acting as an external attacker. In one assessment, I installed a pwnplug inside a meeting room. |
Taking note: XSS to RCE in the Simplenote Electron client | Originally released in 2013, Electron is a framework for creating native desktop products with JavaScript, HTML, and CSS. Since then, companies such as Microsoft and Slack have built Electron into their development process. |
Leading the Blind to Light! - A Chain to RCE | Let's take a breath for a moment: it is 2017, and SQL injection, 17-18 years since its inception, is still an issue! |
PHPMailer < 5.2.18 Remote Code Execution | PHPMailer is the world's most popular transport class, with an estimated 9 million users worldwide. Downloads continue at a significant pace daily. It is used by many open-source projects: WordPress, Drupal, 1CRM, SugarCRM, Yii, Joomla! and many more. PHPMailer before its version 5.2. |
From LFI to RCE in php | Everyone knows about the (hopefully dead) /proc/self/environ and /var/log/apache2/error.log tricks to get a shell from an LFI, but it seems that only a few people know about the tmp_name one. |
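The "LFI to RCE via access_log injection" and "From LFI to RCE in php" entries above describe the same two-step chain: first plant PHP code in a field the web server writes to its log (typically the User-Agent), then include that log, or `/proc/self/environ`, through the vulnerable `include` parameter. The script below is an added example written for this list, not code from either write-up; it shows the defensive side, parsing Apache/nginx combined-format log lines and flagging both halves of the chain, then correlating them per source IP. The sample log lines, the `page` parameter name and the file paths are constructed for the example and are not taken from the linked posts.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format: ip ident user [ts] "req" status size "referer" "ua".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP open tags (full and short) planted anywhere the server will log them.
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)', re.IGNORECASE)
# Directory traversal after URL-decoding, the LFI half of the chain.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|\\)')
# Files an LFI is typically pointed at to turn a file read into code execution.
INCLUDE_TARGETS = (
    'access.log', 'access_log', 'error.log', 'error_log',
    '/proc/self/environ', '/proc/self/fd/', 'php://input', '/tmp/',
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decode(value):
    """Undo up to two layers of URL encoding so '..%2f' and '..%252f' both become '../'."""
    return unquote(unquote(value))


def classify(entry):
    """Label one parsed entry with the LFI / log-poisoning indicators it contains."""
    labels = set()
    path = decode(entry['path'])
    # Log poisoning: PHP code in the request line, referer or user-agent.
    for field in (path, decode(entry['ua']), decode(entry['referer'])):
        if PHP_TAG_RE.search(field):
            labels.add('log_poisoning')
    if TRAVERSAL_RE.search(path):
        labels.add('lfi_traversal')
        # Traversal aimed at a log or process file is the read-to-execute pivot.
        if any(target in path for target in INCLUDE_TARGETS):
            labels.add('lfi_exec_target')
    return labels


def scan(lines):
    """Parse and classify every line; returns [(ip, labels)] for the lines that parsed."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            results.append((entry['ip'], classify(entry)))
    return results


def chained_sources(results):
    """IPs that both poisoned the log and included a log/process file: the full LFI -> RCE chain."""
    per_ip = {}
    for ip, labels in results:
        per_ip.setdefault(ip, set()).update(labels)
    return sorted(ip for ip, labels in per_ip.items()
                  if {'log_poisoning', 'lfi_exec_target'} <= labels)


# Constructed sample traffic using RFC 5737 documentation addresses; not real log data.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=aboutus HTTP/1.1" 200 5316 "-" "Mozilla/5.0"',
    # Step 1 of the chain: PHP code sent as the User-Agent so it lands in access.log.
    '198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 5316 "-" "<?php system($_GET[\'c\']); ?>"',
    # Step 2: the log is included through the LFI parameter, with the command in c=.
    '198.51.100.23 - - [10/Oct/2023:13:56:09 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log&c=id HTTP/1.1" 200 9184 "-" "Mozilla/5.0"',
    # Double-URL-encoded traversal to /proc/self/environ from a different source.
    '192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php?page=..%252f..%252f..%252fproc%252fself%252fenviron HTTP/1.1" 200 1200 "-" "curl/7.88.1"',
]

if __name__ == '__main__':
    findings = scan(SAMPLE_LOG)
    for ip, labels in findings:
        print(ip, sorted(labels) or ['clean'])
    print('full LFI -> RCE chain observed from:', chained_sources(findings))
```

A single traversal hit is common noise from scanners, so the per-IP correlation in `chained_sources` is what separates a completed chain from background probing; adding a time window between the poisoning request and the include request would tighten it further.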