Alexandru Postolache

Pentest-Tools.com, Security Research Engineer

Alex is a passionate security engineer and a bug bounty hunter. He loves researching and discovering vulnerabilities in web applications, as well as finding ways to improve his day-to-day work. He also enjoys writing in-depth research articles by highlighting the technical details in ways that make our readers better understand core concepts.

Alex is a passionate security engineer and a bug bounty hunter. He loves researching and discovering vulnerabilities in web applications, as well as finding ways to improve his day-to-day work. He also enjoys writing in-depth research articles by highlighting the technical details in ways that make our readers better understand core concepts.

Posts by this author

Authenticated Magento RCE with deserialized PHAR files
Back in August 2019, I reported a security vulnerability in Magento affecting versions 2.3.2, 2.3.3, and 2.3.4 using the HackerOne bug bounty platform. The bug impacted some installations of Magento and it allowed us to gain Remote Code Execution based on the way PHAR files are deserialized and by abusing Magento’s Protocol Directives.
Author(s)
Alexandru Postolache
Published at
03 Aug 2022
Updated at
18 Jul 2023
How to exploit the PHAR Deserialization Vulnerability
At Blackhat US-18, Sam Thomas introduced a new way to exploit PHAR Deserialization Vulnerabilities in PHP. See which stream wrapper this new type of attack abuses and how it works.
Author(s)
Alexandru Postolache
Published at
29 May 2020
Updated at
13 Apr 2023
Exploiting SQL Injection in Magento Using Sqlmap
In this article we show a new method of exploiting the critical SQL Injection vulnerability in Magento (CVE-2019-7139), using the well known SQLMap tool.
Author(s)
Alexandru Postolache
Published at
14 Jun 2019
Updated at
07 Jul 2022