-
WordPress Transposh: Exploiting a Blind SQL Injection via XSS
Introduction You probably have read about my recent swamp of CVEs affecting a WordPress plugin called Transposh Translation Filter, which resulted in more than $30,000 in bounties: [CVE-2021-24910] Transposh <= 1.0.7 “tp_tp” Unauthenticated Reflected Cross-Site Scripting [CVE-2021-24911] Transposh <= 1.0.7 “tp_translation” Unauthenticated Stored Cross-Site Scripting [CVE-2021-24912] Transposh <= 1.0.8.1 Multiple Cross-Site Request Forgeries [CVE-2022-2461] Transposh […]
/
-
AWAE Course and OSWE Exam Review
Introduction This is a review of the Advanced Web Attacks and Exploitation (WEB-300) course and its OSWE exam by Offensive-Security. I’ve taken this course because I was curious about what secret tricks this course will offer for its money, especially considering that I’ve done a lot of source code reviews in different languages already. This […]
/
-
Smuggling an (Un)exploitable XSS
This is the story about how I’ve chained a seemingly uninteresting request smuggling vulnerability with an even more uninteresting header-based XSS to redirect network-internal web site users without any user interaction to arbitrary pages. This post also introduces a 0day in ArcGis Enterprise Server. However, this post is not about how request smuggling works. If […]
/
-
CVE-2020-16171: Exploiting Acronis Cyber Backup for Fun and Emails
You have probably read one or more blog posts about SSRFs, many being escalated to RCE. While this might be the ultimate goal, this post is about an often overlooked impact of SSRFs: application logic impact. This post will tell you the story about an unauthenticated SSRF affecting Acronis Cyber Backup up to v12.5 Build […]
/
-
Bug Bounty Platforms vs. GDPR: A Case Study
What Do Bug Bounty Platforms Store About Their Hackers? I do care a lot about data protection and privacy things. I’ve also been in the situation, where a bug bounty platform was able to track me down due to an incident, which was the initial trigger to ask myself: How did they do it? And […]
/
-
H1-4420: From Quiz to Admin – Chaining Two 0-Days to Compromise An Uber WordPress
TL;DR While doing recon for H1-4420, I stumbled upon a WordPress blog that had a plugin enabled called SlickQuiz. Although the latest version 1.3.7.1 was installed and I haven’t found any publicly disclosed vulnerabilities, it still somehow sounded like a bad idea to run a plugin that hasn’t been tested with the last three major […]
/
-
About a Sucuri RCE…and How Not to Handle Bug Bounty Reports
TL;DR Sucuri is a self-proclaimed “most recommended website security service among web professionals” offering protection, monitoring and malware removal services. They ran a Bug Bounty program on HackerOne and also blogged about how important securityreports are. While their program was still active, I’ve been hacking on them quite a lot which eventually ranked me #1 […]
/
-
CVE-2018-7841: Schneider Electric U.Motion Builder Remote Code Execution 0-day
I came across an unauthenticated Remote Code Execution vulnerability (called CVE-2018-7841) on an IoT device which was apparently using a component provided by Schneider Electric called U.Motion Builder. While I’ve found it using my usual BurpSuite foo, I later noticed that there is already a public advisory about a very similar looking issue published by […]
/
-
Dell KACE K1000 Remote Code Execution – the Story of Bug K1-18652
This is the story of an unauthenticated RCE affecting one of Dropbox’s in scope vendors during last year’s H1-3120 event. It’s one of my more recon-intensive, yet simple, vulnerabilities, and it (probably) helped me to become MVH by the end of the day ;-). TL;DR It’s all about an undisclosed but fixed bug in the […]
/
