RSS Security

❌ About FreshRSS
There are new articles available, click to refresh the page.
Before yesterdayOrange

A Journey Combining Web Hacking and Binary Exploitation in Real World!

24 February 2021 at 07:00
Hi, this blog post is just a short post to address the technique part in one of my Red Team cases last year. I believe it's worth sharing, so I reproduced this in my lab environment and made this topic. This topic is also presented in RealWorld CTF Live Forum and OWASP Hong Kong 2021 Techday. It's also on YouTube now! Although it is speaking in Mandarin, the slides and subtitles are in English

How I Hacked Facebook Again! Unauthenticated RCE on MobileIron MDM

12 September 2020 at 09:25
Author: Orange TsaiThis is a cross-post blog from DEVCORE. 中文版請參閱這裡 Hi, it’s a long time since my last article. This new post is about my research this March, which talks about how I found vulnerabilities on a leading Mobile Device Management product and bypassed several limitations to achieve unauthenticated RCE. All the vulnerabilities have been reported to the vendor and got

你用它上網,我用它進你內網! 中華電信數據機遠端代碼執行漏洞

11 November 2019 at 10:15
For non-native readers, this is a writeup of my DEVCORE Conference 2019 talk. Describe a misconfiguration that exposed a magic service on port 3097 on our country's largest ISP, and how we find RCE on that to affect more than 250,000 modems :P 大家好,我是 Orange! 這次的文章,是我在 DEVCORE Conference 2019 上所分享的議題,講述如何從中華電信的一個設定疏失,到串出可以掌控數十萬、甚至數百萬台的家用數據機漏洞! 前言 身為 DEVCORE 的研究團隊,我們的工作就是研究最新的攻擊趨勢、挖掘最新

An analysis and thought about recently PHP-FPM RCE(CVE-2019-11043)

29 October 2019 at 16:45
First of all, this is such a really interesting bug! From a small memory defect to code execution. It combines both binary and web technique so that’s why it interested me to trace into. This is just a simple analysis, you can also check the bug report and the author neex’s exploit to know the original story :D Originally, this write-up should be published earlier, but I am now traveling and

Attacking SSL VPN - Part 3: The Golden Pulse Secure SSL VPN RCE Chain, with Twitter as Case Study!

2 September 2019 at 14:00
Author: Orange Tsai(@orange_8361) and Meh Chang(@mehqq_) P.S. This is a cross-post blog from DEVCORE Hi, this is the last part of Attacking SSL VPN series. If you haven’t read previous articles yet, here are the quick links for you: Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs Attacking SSL VPN - Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as

Attacking SSL VPN - Part 2: Breaking the Fortigate SSL VPN

9 August 2019 at 20:53
Author: Meh Chang(@mehqq_) and Orange Tsai(@orange_8361) This is also the cross-post blog from DEVCORE Last month, we talked about Palo Alto Networks GlobalProtect RCE as an appetizer. Today, here comes the main dish! If you cannot go to Black Hat or DEFCON for our talk, or you are interested in more details, here is the slides for you! Infiltrating Corporate Intranet Like NSA: Pre-auth

Attacking SSL VPN - Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as Case Study!

17 July 2019 at 12:27
Author: Orange Tsai(@orange_8361) and Meh Chang(@mehqq_) P.S. This is a cross-post blog from DEVCORE SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? They’re exposed to the Internet, trusted to reliably guard the only way to your intranet. Once the SSL VPN server is compromised, attackers can infiltrate your Intranet and even take

A Wormable XSS on HackMD!

12 March 2019 at 12:00
在 Web Security 中,我喜歡伺服器端的漏洞更勝於客戶端的漏洞!(當然可以直接拿 shell 的客戶端洞不在此限XD) 因為可以直接控制別人的伺服器對我來說更有趣! 正因如此,我以往的文章對於 XSS 及 CSRF 等相關弱點也較少著墨(仔細翻一下也只有 2018 年 Google CTF 那篇XD),剛好這次的漏洞小小有趣,秉持著教育及炫耀(?)的心態就來發個文了XD 最近需要自架共筆伺服器,調查了一些市面上支援 Markdown 的共筆平台,最後還是選擇了國產的 HackMD! 當然,對於自己要使用的軟體都會習慣性的檢視一下安全性,否則怎麼敢放心使用? 因此花了約半天對 HackMD 進行了一次原始碼檢測(Code Review)! HackMD 是一款由台灣人自行研發的線上 Markdown 共筆系統,除了在台灣資訊圈流行外,也被許多台灣研討會如 COSCUP,

Hacking Jenkins Part 2 - Abusing Meta Programming for Unauthenticated RCE!

19 February 2019 at 12:00
This is also a cross-post blog from DEVCORE, this post is in English, 而這裡是中文版本! #2019-02-22-updated #2019-05-10-updated #2019-05-10-released-exploit code awesome-jenkins-rce-2019 #2019-07-02-updated the slides is out! --- Hello everyone! This is the Hacking Jenkins series part two! For those people who still have not read the part one yet, you can check following link to get some basis and

Hacking Jenkins Part 1 - Play with Dynamic Routing

16 January 2019 at 12:10
This is a cross-post blog from DEVCORE, this post is in English, 而這裡是中文版本! # Part two is out, please check this --- In software engineering, the Continuous Integration and Continuous Delivery is a best practice for developers to reduce routine works. In the CI/CD, the most well-known tool is Jenkins. Due to its ease of use, awesome Pipeline system and integration of Container, Jenkins is

HITCON CTF 2018 - One Line PHP Challenge

23 October 2018 at 16:19
In every year’s HITCON CTF, I will prepare at least one PHP exploit challenge which the source code is very straightforward, short and easy to review but hard to exploit! I have put all my challenges in this GitHub repo you can check, and here are some lists :P 2017 Baby^H Master PHP 2017 (0/1541 solved) Phar protocol to deserialize malicious object Hardcode anonymous function name \

How I Chained 4 Bugs(Features?) into RCE on Amazon Collaboration System

10 August 2018 at 20:10
Hi! This is the case study in my Black Hat USA 2018 and DEFCON 26 talk, you can also check slides here: Breaking Parser Logic! Take Your Path Normalization Off and Pop 0days Out In past two years, I started to pay more attention on the “inconsistency” bug. What's that? It’s just like my SSRF talk in Black Hat and GitHub SSRF to RCE case last year, finding inconsistency between the URL parser

Google CTF 2018 Quals Web Challenge - gCalc

27 June 2018 at 07:40
gCalc is the web challenge in Google CTF 2018 quals and only 15 teams solved during 2 days’ competition! This challenge is a very interesting challenge that give me lots of fun. I love the challenge that challenged your exploit skill instead of giving you lots of code to find a simple vulnerability or guessing without any hint. So that I want to write a writeup to note this :P The challenge

Pwn a CTF Platform with Java JRMP Gadget

26 March 2018 at 12:00
打 CTF 打膩覺得沒啥新鮮感嗎,來試試打掉整個 CTF 計分板吧! 前幾個月,剛好看到某個大型 CTF 比賽開放註冊,但不允許台灣參加有點難過 :(看著官網最下面發現是 FlappyPig 所主辦,又附上 GitHub 原始碼 秉持著練習 Java code review 的精神就 git clone 下來找洞了! (以下測試皆在 FlappyPig 的允許下友情測試,漏洞回報官方後也經過同意發文)在有原始碼的狀況下進行 Java 的 code review 第一件事當然是去了解第三方 Libraries 的相依性,關於 Java 的生態系我也在幾年前的文章小小分享過,當有個底層函式庫出現問題時是整個上層的應用皆受影響!從 pom.xml 觀察發現用了Spring Framework 4.2.4從版本來看似乎很棒沒什麼重大問題 Mybatis 3.3.1一個 Java ORM

PHP CVE-2018-5711 - Hanging Websites by a Harmful GIF

21 January 2018 at 15:21
Author: Orange Tsai(@orange_8361) from DEVCORE Recently, I reviewed several Web frameworks and language implementations, and found some vulnerabilities. This is an simple and interesting case, and seems easy to exploit in real world! Affected All PHP version PHP 5 < 5.6.33 PHP 7.0 < 7.0.27 PHP 7.1 < 7.1.13 PHP 7.2 < 7.2.1 Vulnerability Details The vulnerability is on the file ext/gd/

How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!

28 July 2017 at 06:00
Hi, it’s been a long time since my last blog post. In the past few months, I spent lots of time preparing for the talk of Black Hat USA 2017 and DEF CON 25. Being a Black Hat and DEFCON speaker is part of my life goal ever. This is also my first English talk in such formal conferences. It's really a memorable experience :P Thanks Review Boards for the acceptance. This post is a simple case

GitHub Enterprise SQL Injection

7 January 2017 at 08:50
Before GitHub Enterprise is the on-premises version of that you can deploy a whole GitHub service in your private network for businesses. You can get 45-days free trial and download the VM from After you deployed, you will see like bellow: Now, I have all the GitHub environment in a VM. It's interesting, so I decided to look deeper into VM :P

[隨筆] Java Web 漏洞生態食物鏈

7 December 2016 at 14:18
本來這篇文章叫做 HITCON CTF 2016 初賽出題小記的,可是擺著擺著就兩個月過去惹~ 轉來寫寫跟 Java 有關的東西XD 關於序今年五六月的時候,看到某個曾經很多人用但快停止維護的 Java Web Framework 弱點的修補方式感覺還有戲所以開始追一下原始碼挖 0-Day,順便整理一下 Java Web 相關弱點 — 😊覺得有趣。 通常自己在外面演講時對於 Web Security 的分類中大致可分為三個世界: File-Based 的世界,一個檔案對應一個入口點如經典的 ASP, PHP, ASPX 等 Route-Based 的世界,一個路徑對應一組函數(功能)如經典的 Rails, NodeJS, Django 等 Java 的世界,Java 的世界極其複雜自成一格獨立討論 當然三種分類並不是獨立開來,如常見 PHP MVC 用 Rewrite 將

Collection of CTF Web Challenges I made

13 October 2016 at 03:27
把出過的 CTF Web 題都整理上 GitHub 惹,包括原始碼、解法、所用到技術、散落在外的 Write ups 等等 This is the repository of CTF Web challenges I made. It contains challs's source code, solution, write ups and some idea explanation. Hope you will like it :)