Clik here to view.
SOLUZIONE Seeweb Hacking Contest 2017: Music Of The Atoms
Da Lunedì 15 Maggio 2017 alle ore 10:00 a Mercoledì 31 Maggio 2017 alle ore 10:00 si è svolto l’hacking contest di Seeweb al quale abbiamo avuto l’onore di partecipare. Anche per questa edizione siamo...
View ArticleClik here to view.
FridaLab – Writeup
Today I solved FridaLab, a playground Android application for playing with Frida and testing your skills. The app is made of various challenges, with increasing difficulty, that will guide you through...
View ArticleClik here to view.
WebTech, identify technologies used on websites
Introduction We’re very proud to release WebTech as open-source software.WebTech is a Python software that can identify web technologies by visiting a given website, parsing a single response file or...
View ArticleClik here to view.
Nagios XI 5.5.10: XSS to #
Tl;dr A remote attacker could trick an authenticated victim (with “autodiscovery job” creation privileges) to visit a malicious URL and obtain a remote root shell via a reflected Cross-Site Scripting...
View ArticleClik here to view.
Exploiting Apache Solr through OpenCMS
Tl;dr It’s possible to exploit a known Apache Solr vulnerability through OpenCMS. During one of my last Penetration Test I was asked to analyze some OpenCMS instances. Before the assessment I wasn’t...
View ArticleClik here to view.
Exploiting an old noVNC XSS (CVE-2017-18635) in OpenStack
TL;DR: noVNC had a DOM-based XSS that allowed attackers to use a malicious VNCserver to inject JavaScript code inside the web page.As OpenStack uses noVNC and its patching system doesn’t update third...
View ArticleClik here to view.
Don’t open that XML: XXE to RCE in XML plugins for VS Code, Eclipse, Theia, …
TL;DR LSP4XML, the library used to parse XML files in VSCode-XML, Eclipse’s wildwebdeveloper, theia-xml and more, was affected by an XXE (CVE-2019-18213) which lead to RCE (CVE-2019-18212) exploitable...
View ArticleClik here to view.
NotSoSmartConfig: broadcasting WiFi credentials Over-The-Air
During one of our latest Penetration Tests we tested an IoT device based on the ESP32 SoC by EspressIF. While assessing the activation procedure we faced for the first time a beautiful yet dangerous...
View ArticleClik here to view.
1-click RCE on Keybase
TL;DR Keybase clients allowed to send links in chats with arbitrary schemes and arbitrary display text. On Windows it was possible to send an apparently harmless link which, when clicked, could...
View ArticleClik here to view.
Sometimes they come back: exfiltration through MySQL and CVE-2020-11579
Let’s jump straight to the strange behavior: up until PHP 7.2.16 it was possible by default to exfiltrate local files via the MySQL LOCAL INFILE feature through the connection to a malicious MySQL...
View Article