Polygonal Background

Recent Posts

30 September, 2024
  • Posted By Charles Fol
  • iconv libc glibc cve-2024-2961 php filter blind file read

Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 3)

Full Article

In this blog post, we will explore how we can exploit CNEXT, but blind, covering the cases where we have a file read primitive, but cannot get the output.

17 June, 2024
  • Posted By Charles Fol
  • iconv libc glibc cve-2024-2961 php filter roundcube

Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 2)

Full Article

In this blog post, we will explore a new way of exploiting the vulnerability on PHP, using direct calls to iconv(), and illustrate the vulnerability by targeting Roundcube, a popular PHP webmail.

05 June, 2024
  • Posted By Noël Maccary
  • tool burp scripting python extension cryptography

Scalpel: a Burp Suite extension to edit HTTP traffic, in Python 3

Full Article

Scalpel is a Burp extension for intercepting and rewriting HTTP traffic, either on the fly or in the Repeater using Python 3 scripts.

27 May, 2024
  • Posted By Charles Fol
  • iconv libc glibc cve-2024-2961 php filter

Iconv, set the charset to RCE: Exploiting the glibc to hack the PHP engine (part 1)

Full Article

A few months ago, I stumbled upon a 24 years old buffer overflow in the glibc, the base library for linux programs. Despite being reachable in multiple well-known libraries or executables, it proved rarely exploitable — while it didn't provide much leeway, it required hard-to-achieve preconditions. Looking for targets lead mainly to disappointment. On PHP however, the bug shone, and proved useful in exploiting its engine in two different ways.

11 December, 2023
  • Posted By Charles Fol
  • php filter chain prefix suffix

Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix

Full Article

We introduce a tool that uses PHP filters to wrap PHP resources in an arbitrary prefix and suffix.

04 December, 2023
  • Posted By Charles Fol
  • owncloud CVE-2023-49103 CVE-2023-49105 privilege escalation rce phpinfo

Owncloud: details about CVE-2023-49103 and CVE-2023-49105

Full Article

We provide details about CVE-2023-49103 and CVE-2023-49105

31 January, 2023
  • Posted By Charles Fol
  • vbulletin rce exploit unserialize autoload 0-day

Unserializable, but unreachable: Remote code execution on vBulletin

Full Article

Ambionics Security team discovered a pre-authentication remote code execution in vBulletin 5.6.9.

29 August, 2022
  • Posted By Charles Fol
  • watchguard firewall router firebox xtm exploit binary remote CVE-2022-31789 CVE-2022-31790 WSGA-2022-00017 WSGA-2022-00015 WSGA-2022-00018

Blind exploits to rule WatchGuard firewalls

Full Article

Early this year we had the opportunity to pentest Watchguard firewalls (XTM, Firebox) for a red team engagement. This blogpost will follow the journey in which I discover 5 vulnerabilities - 2 patched along the way - and build 8 distinct exploits, and finally obtain an unpatched pre-authentication remote root 0-day on every WatchGuard Firebox/XTM appliance.

12 January, 2022
  • Posted By Charles Fol
  • spip unauthenticated sqli root-me challenge

Hacking Root-Me: SPIP SQL injection leading to RCE (challenge)

Full Article

We identified a vulnerability in SPIP's SQL engine, which allowed us to access the backoffice of the hacking platform Root-Me.

21 October, 2021
  • Posted By Charles FOL
  • php fpm php-fpm local root privilege escalation exploit vulnerability nginx iis apache CVE-2021-21703

PHP-FPM local root vulnerability (CVE-2021-21703)

Full Article

This article reveals a privilege escalation vulnerability affecting PHP-FPM.

12 January, 2021
  • Posted By Charles Fol
  • laravel rce debug file write file read CVE-2021-3129

Laravel <= v8.4.2 debug mode: Remote code execution

Full Article

Ambionics Security team discovered an RCE in Laravel, when the framework is in debug mode.

19 November, 2020
  • Posted By Charles Fol
  • sqreen rce heap overflow rules js microagent

Remote code execution on Sqreen: exploiting the microagent

Full Article

Ambionics Security team discovered a heap overflow that results in remote code execution on Sqreen's microagent.

19 October, 2020
  • Posted By Charles Fol
  • php symfony secret fragment ezplatform ezpublish bolt

Secret fragments: Remote code execution on Symfony based websites

Full Article

Remote code execution using Symfony's _fragment's page and unsecure secret values.

06 January, 2020
  • Posted By Charles Fol
  • php mt_rand mt_srand predict seed bruteforce

Breaking PHP's mt_rand() with 2 values and no bruteforce

Full Article

We demonstrate how one can recover mt_rand()'s seed with only two outputs and without any bruteforce.

29 March, 2019
  • Posted By Charles Fol
  • magento unauthenticated sqli exploit

Magento 2.2.0 <= 2.3.0 Unauthenticated SQLi

Full Article

Several flaws have been identified in the latest version of Magento 2, allowing an attacker to obtain complete control over the server. We're now releasing the exploit for the unauthenticated SQL injection. We'll release the details for the RCE vulnerability at a later time.

22 February, 2019
  • Posted By Charles Fol
  • drupal rce exploit vulnerability details

Exploiting Drupal8's REST RCE

Full Article

Exploitation and mitigation bypasses for the new Drupal 8 RCE (SA-CORE-2019-003, CVE-2019-6340), targeting the REST module.

16 July, 2018
  • Posted By Charles Fol
  • prestashop session cookie privilege escalation

PrestaShop 1.6 Privilege Escalation

Full Article

Prestashop 1.6.1.19 sessions can be read and written by an attacker, resulting in a range of vulnerabilities including privilege escalation and remote code execution.

04 July, 2017
  • Posted By Charles Fol
  • php exploit vulnerability unserialize library gadget

PHP Generic Gadget Chains: Exploiting unserialize in unknown environments

Full Article

We're introducing a new tool to generate unserialize() payloads easily from common libraries.

17 May, 2017
  • Posted By Charles Fol
  • oracle peoplesoft xxe exploit vulnerability details system shell

Oracle PeopleSoft Remote Code Execution: Blind XXE to SYSTEM Shell

Full Article

Few months ago Ambionics Security team had the chance to audit Oracle PeopleSoft solutions. PeopleSoft applications contain a lot of unauthenticated endpoints with several not well documented XXE vulnerabilities. We'll show how you can get a full SYSTEM shell from that.

06 April, 2017
  • Posted By Charles Fol
  • typo3 module sqli news exploit vulnerability details

TYPO3 News module SQL Injection

Full Article

Ambionics Security team discovered a pre-authentication SQL Injection in TYPO3 News module. This module is the 20th most used module of TYPO3 with almost 60,000 downloads.

08 March, 2017
  • Posted By Charles Fol
  • drupal module unserialize services exploit vulnerability details

Drupal 7.x Services module unserialize() to RCE

Full Article

While working on the Drupal module Services, the Ambionics Security team discovered a critical remote code execution vulnerability.

21 February, 2017
  • Posted By Charles Fol
  • grails pdf exploit vulnerability details

Grails PDF Plugin XXE

Full Article

Some times ago the Ambionics team encountered a very old instance of Grails which contained a plugin to generate PDFs from Groovy templates. Upon looking for the plugin's source code we discovered an XXE vulnerability.

20 January, 2017
  • Posted By Charles Fol
  • joomla exploit vulnerability details

CVE-2016-9838 - Joomla! Account Takeover & Remote Code Execution

Full Article

As a new year comes, it is a good time to review two high impact vulnerabilities that were discovered four years apart, but that are in fact rooted in the same piece of code.