Authenticated Magento RCE with deserialized PHAR files

Back in August 2019, I reported a security vulnerability in Magento affecting versions 2.3.2, 2.3.3, and 2.3.4 using the HackerOne bug bounty platform. The bug impacted some installations of Magento and it allowed us to gain Remote Code Execution based on the way PHAR files are deserialized and by abusing Magento’s Protocol Directives.

Alexandru Postolache

Published at: 03 Aug 2022

9 min read

Read the article titled exploit-http.sys-rce-cve-2022-3129.png

Vulnerabilities

How to exploit the HTTP.sys Remote Code Execution vulnerability (CVE-2022-21907)

Pattern recognition is what hundreds of security specialists in our community voted as the skill to cultivate for a rewarding infosec career. While we have some innate pattern recognition abilities, developing them is essential – and that’s a matter of practice. Working in offensive security gives you plenty of opportunities to do this, with new vulnerabilities ripe for close examination. So let’s go ahead and do just that while discovering how this CVE carries echoes from another vulnerability from a while back.

Stefan Iridon

Published at: 28 Feb 2022

5 min read

Read the article titled how-to-exploit-vmware-vcenter-rce-cve-2021-21985-.png

Vulnerabilities

How to exploit the VMware vCenter RCE with Pentest-Tools.com (CVE-2021-21985)

More high-risk vulnerabilities mean more work for you. The good news? You won’t be out of work anytime soon. The bad news? You’ll probably work a lot more than you anticipate. So how do you balance the good and the not-so-great? By having a replicable process for when a high-risk CVE that leads to RCE hits your targets (the likes of CVE-2021-21985).

Stefan Iridon

Published at: 25 Jan 2022

6 min read

How we detect Log4Shell on Pentest-Tools.comHow-we-detect-Log4Shell-at-pentest-tools.com.png

Security Research Vulnerabilities

How we detect and exploit Log4Shell to help you find targets using vulnerable Log4j versions

We’re breaking down our technique for detecting CVE-2021-44228 (Log4Shell) because we believe our users should understand what’s happening behind the scanners so they can avoid a false sense of security.

Adrian Furtuna

Published at: 17 Dec 2021

4 min read

Read the article titled Detect-Log4Shell-scanner.png

Vulnerabilities

Log4Shell scanner: detect and exploit Log4j CVE-2021-44228 in your network and web apps

We almost made it to a much-needed holiday break… and then Log4Shell happened.

Daniel Bechenea

Published at: 14 Dec 2021

6 min read

Read the article titled detect-cve-2021-22205-with-pentest-tools.com_.png

Vulnerabilities

Detect and exploit Gitlab CE/EE RCE with Pentest-Tools.com (CVE-2021-22205)

“Just patch it!” is the usual advice when a vulnerability hits (and it’s not a zero-day). But it’s never that simple in organizations that have to manage layers upon layers of infrastructure. When you have to deal with a critical CVE like the latest unauthenticated RCE in Gitlab (CVSSv3 10.0), the tangled, messy process of patching bubbles to the surface.

Daniel Bechenea

Published at: 05 Nov 2021

7 min read

Read the article titled rce-windows-dns-sigred-vulnerability.webp

Vulnerabilities

The 17-year-old DNS vulnerability that leads to RCE in Windows

Previously on our blog, we unpacked vulnerabilities in web applications, firewalls, SMB protocols… and now we have a DNS one.

Cristian Cornea

Published at: 17 Jul 2020

5 min read

Read the article titled bip-ip-tmui-rce-vulnerability.webp

Vulnerabilities

How to attack F5 BIG-IP using CVE-2020-5902 (TMUI RCE)

Let’s tackle a vulnerability that broke out not only in BIG-IP firewalls but also on social media! When a major issue affecting a security product emerges, it immediately makes the headlines, the paradox of the situation impossible to ignore.

Cristian Cornea

Published at: 08 Jul 2020

7 min read

Read the article titled rce-windows-10-exploiting-smbleedingghost.webp

Vulnerabilities

How to chain SMBleed and SMBGhost to get RCE in Windows 10

Think like an attacker, act like a defender. That’s the pentesters’ mantra, if you ask me. That’s why today we’re diving into one of the most interesting tactics that malicious actors use: vulnerability chaining.

Cristian Cornea

Published at: 07 Jul 2020

7 min read

Read the article titled dotnetnuke-cookie-deserialization-remote-code-exploit-guide..webp

Vulnerabilities

How to exploit the DotNetNuke Cookie Deserialization

We looked at around 300 DotNetNuke deployments in the wild and discovered that one in five installations was vulnerable to CVE-2017-9822. That includes governmental and banking websites. As part of this research, we discovered a Remote Code Execution vulnerability exploitable through DNN Cookie Deserialization in one of the U.S. Department Of Defense’s biggest websites. After having responsibly reported it through HackerOne, the DOD solved the high-severity vulnerability and disclosed the report, with all details now publicly available.

Cristian Cornea

Published at: 10 Jun 2020

14 min read

Read the article titled phar-deserialization-vulnerability.webp

Vulnerabilities

How to exploit the PHAR Deserialization Vulnerability

At Blackhat US-18, Sam Thomas introduced a new way to exploit PHAR Deserialization Vulnerabilities in PHP. See which stream wrapper this new type of attack abuses and how it works.

Alexandru Postolache

Published at: 29 May 2020

10 min read

Read the article titled detect-microsoft-smbghost-pentest-tools.com_-1.webp

Vulnerabilities

How to detect the Microsoft SMBGhost vulnerability with Pentest-Tools.com

For the past couple of weeks, a critical RCE vulnerability found in Microsoft Server Message Block 3.1.1 (SMBv3) has kept both the Microsoft users and the security community on their toes. To help our customers better detect if their Windows hosts were affected by the critical SMBGhost vulnerability, we developed and added a new, dedicated scanner on Pentest-Tools.com.

Ioana Rijnetu

Published at: 23 Mar 2020

4 min read