Posted in Exploits Penetration Testing Web Application

ATutor 2.2.4 ‘language_import’ Arbitrary File Upload / RCE (CVE-2019-12169)

This proof of concept demonstrates a vulnerability in ‘/mods/_core/languages/language_import.php’ that can be used to obtain remote code execution. The code can be modified to…

Posted in Exploits Web Application

eLabFTW 1.8.5 ‘EntityController’ Arbitrary File Upload / RCE (CVE-2019-12185)

I was doing some research last night and I discovered a vulnerability in eLabFTW 1.8.5. So I went ahead and coded a proof of concept…

Posted in Exploits Web Application

ATutor 2.2.4 ‘Backup’ Remote Command Execution (CVE-2019-12170)

ATutor-Instructor-Backup-Exploit Exploit Title: ATutor 2.2.4 ‘Backup’ Remote Command Execution Google Dork: inurl:/ATutor/login.php Date: 5/13/2019 Exploit Author: Joseph McPeters Vendor Homepage: https://atutor.github.io/ Software Link: https://sourceforge.net/projects/atutor/files/latest/download Version:…

Posted in Penetration Testing Web Application

Deserialization Exploitation Framework

Deserializer Exploitation Framework * Enumerate the code entry points – What code does the deserializer call on my objects? * Enumerate the immediate gadget pool…

Posted in Computing Security Web Application

What is Deserialization?

OWASP Description: Data which is untrusted cannot be trusted to be well formed. Malformed data or unexpected data could be used to abuse application logic,…

Posted in Computing Security INFOSEC Web Application

Portswigger’s Web Academy Review

I have had the pleasure of testing out Portswigger’s web academy here lately. I just want to say that so far I have enjoyed it….