SOLUTION Seeweb Hacking Contest 2017: Music Of The Atoms
From Monday 15 May 2017 at 10:00 to Wednesday 31 May 2017 at 10:00, Seeweb's hacking contest took place, and we had the honour of taking part. For this edition too we...
FridaLab – Writeup
Today I solved FridaLab, a playground Android application for playing with Frida and testing your skills. The app is made of various challenges, with increasing difficulty, that will guide you through...
WebTech, identify technologies used on websites
Introduction We're very proud to release WebTech as open-source software. WebTech is a Python tool that can identify web technologies by visiting a given website, parsing a single response file or...
Nagios XI 5.5.10: XSS to #
Tl;dr A remote attacker could trick an authenticated victim (with “autodiscovery job” creation privileges) to visit a malicious URL and obtain a remote root shell via a reflected Cross-Site Scripting...
Exploiting Apache Solr through OpenCMS
Tl;dr It's possible to exploit a known Apache Solr vulnerability through OpenCMS. During one of my last Penetration Tests I was asked to analyze some OpenCMS instances. Before the assessment I wasn't...
Exploiting an old noVNC XSS (CVE-2017-18635) in OpenStack
TL;DR: noVNC had a DOM-based XSS that allowed attackers to use a malicious VNC server to inject JavaScript code inside the web page. As OpenStack uses noVNC and its patching system doesn't update third...
Don't open that XML: XXE to RCE in XML plugins for VS Code, Eclipse, Theia, …
TL;DR LSP4XML, the library used to parse XML files in VSCode-XML, Eclipse's wildwebdeveloper, theia-xml and more, was affected by an XXE (CVE-2019-18213) which led to RCE (CVE-2019-18212) exploitable...
NotSoSmartConfig: broadcasting WiFi credentials Over-The-Air
During one of our latest Penetration Tests we tested an IoT device based on the ESP32 SoC by Espressif. While assessing the activation procedure we faced for the first time a beautiful yet dangerous...
1-click RCE on Keybase
TL;DR Keybase clients allowed sending links in chats with arbitrary schemes and arbitrary display text. On Windows it was possible to send an apparently harmless link which, when clicked, could...
Sometimes they come back: exfiltration through MySQL and CVE-2020-11579
Let's jump straight to the strange behavior: up until PHP 7.2.16 it was possible by default to exfiltrate local files via the MySQL LOCAL INFILE feature through the connection to a malicious MySQL...