Alexandru Postolache

Pentest-Tools.com, Security Research Engineer

Alex is a passionate security engineer and a bug bounty hunter. He loves researching and discovering vulnerabilities in web applications, as well as finding ways to improve his day-to-day work. He also enjoys writing in-depth research articles by highlighting the technical details in ways that make our readers better understand core concepts.

Alexandru Postolache

Alex is a passionate security engineer and a bug bounty hunter. He loves researching and discovering vulnerabilities in web applications, as well as finding ways to improve his day-to-day work. He also enjoys writing in-depth research articles by highlighting the technical details in ways that make our readers better understand core concepts.

Posts by this author

Vulnerabilities
Authenticated Magento RCE with deserialized PHAR files

Back in August 2019, I reported a security vulnerability in Magento affecting versions 2.3.2, 2.3.3, and 2.3.4 using the HackerOne bug bounty platform. The bug impacted some installations of Magento and it allowed us to gain Remote Code Execution based on the way PHAR files are deserialized and by abusing Magento’s Protocol Directives.

Alexandru Postolache

Published at

03 Aug 2022

Updated at

26 Jul 2022

9 min read
Vulnerabilities
How to exploit the PHAR Deserialization Vulnerability

At Blackhat US-18, Sam Thomas introduced a new way to exploit PHAR Deserialization Vulnerabilities in PHP. See which stream wrapper this new type of attack abuses and how it works.

Alexandru Postolache

Published at

29 May 2020

Updated at

21 Feb 2023

10 min read
Security Research
Exploiting SQL Injection in Magento Using Sqlmap

In this article we show a new method of exploiting the critical SQL Injection vulnerability in Magento (CVE-2019-7139), using the well known SQLMap tool.

Alexandru Postolache

Published at

14 Jun 2019

Updated at

07 Jul 2022

10 min read