This is a cross-post blog from DEVCORE. You can check the series on: A New Attack Surface on MS Exchange Part 1 - ProxyLogon! A New Attack Surface on MS Exchange Part 2 - ProxyOracle! A New Attack Surface on MS Exchange Part 3 - ProxyShell! A New Attack Surface on MS Exchange Part 4 - ProxyRelay! Hi, this is a long-time-pending article. We could

Hi, this is my fifth time speaking at Black Hat USA and DEFCON. You can get the slide copy and video there: Let’s Dance in the Cache - Destabilizing Hash Table on Microsoft IIS (slides) Let’s Dance in the Cache - Destabilizing Hash Table on Microsoft IIS (video - TBD) As the most fundamental Data Structure in Computer Science, Hash Table is extensively

Author: Orange Tsai(@orange_8361) from DEVCORE P.S. This is a cross-post blog from Zero Day Initiative (ZDI) This is a guest post DEVCORE collaborated with Zero Day Initiative (ZDI) and published at their blog, which describes the exploit chain we demonstrated at Pwn2Own 2021!  Please visit the following link to read that :)FROM PWN2OWN 2021: A NEW

Author: Orange Tsai(@orange_8361) P.S. This is a cross-post blog from DEVCORE The series of A New Attack Surface on MS Exchange:A New Attack Surface on MS Exchange Part 1 - ProxyLogon!A New Attack Surface on MS Exchange Part 2 - ProxyOracle!A New Attack Surface on MS Exchange Part 3 - ProxyShell!A New Attack Surface on MS Exchange Part 4 - ProxyRelay!

Author: Orange Tsai(@orange_8361) P.S. This is a cross-post blog from DEVCORE Hi, this is the part 2 of the New MS Exchange Attack Surface. Because this article refers to several architecture introductions and attack surface concepts in the previous article, you could find the first piece here: A New Attack Surface on MS Exchange Part 1

Hi, this blog post is just a short post to address the technique part in one of my Red Team cases last year. I believe it's worth sharing, so I reproduced this in my lab environment and made this topic. This topic is also presented in RealWorld CTF Live Forum and OWASP Hong Kong 2021 Techday. It's also on YouTube now! Although it is speaking in Mandarin, the slides and subtitles are in English

Author: Orange TsaiThis is a cross-post blog from DEVCORE. 中文版請參閱這裡 Hi, it’s a long time since my last article. This new post is about my research this March, which talks about how I found vulnerabilities on a leading Mobile Device Management product and bypassed several limitations to achieve unauthenticated RCE. All the vulnerabilities have been reported to the vendor and got

For non-native readers, this is a writeup of my DEVCORE Conference 2019 talk. Describe a misconfiguration that exposed a magic service on port 3097 on our country's largest ISP, and how we find RCE on that to affect more than 250,000 modems :P 大家好，我是 Orange! 這次的文章，是我在 DEVCORE Conference 2019 上所分享的議題，講述如何從中華電信的一個設定疏失，到串出可以掌控數十萬、甚至數百萬台的家用數據機漏洞! 前言 身為 DEVCORE 的研究團隊，我們的工作就是研究最新的攻擊趨勢、挖掘最新

First of all, this is such a really interesting bug! From a small memory defect to code execution. It combines both binary and web technique so that’s why it interested me to trace into. This is just a simple analysis, you can also check the bug report and the author neex’s exploit to know the original story :D Originally, this write-up should be published earlier, but I am now traveling and

Author: Orange Tsai(@orange_8361) and Meh Chang(@mehqq_) P.S. This is a cross-post blog from DEVCORE Hi, this is the last part of Attacking SSL VPN series. If you haven’t read previous articles yet, here are the quick links for you: Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs Attacking SSL VPN - Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as

Author: Meh Chang(@mehqq_) and Orange Tsai(@orange_8361) This is also the cross-post blog from DEVCORE Last month, we talked about Palo Alto Networks GlobalProtect RCE as an appetizer. Today, here comes the main dish! If you cannot go to Black Hat or DEFCON for our talk, or you are interested in more details, here is the slides for you! Infiltrating Corporate Intranet Like NSA: Pre-auth

Author: Orange Tsai(@orange_8361) and Meh Chang(@mehqq_) P.S. This is a cross-post blog from DEVCORE SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? They’re exposed to the Internet, trusted to reliably guard the only way to your intranet. Once the SSL VPN server is compromised, attackers can infiltrate your Intranet and even take

在 Web Security 中，我喜歡伺服器端的漏洞更勝於客戶端的漏洞!(當然可以直接拿 shell 的客戶端洞不在此限XD) 因為可以直接控制別人的伺服器對我來說更有趣! 正因如此，我以往的文章對於 XSS 及 CSRF 等相關弱點也較少著墨(仔細翻一下也只有 2018 年 Google CTF 那篇XD)，剛好這次的漏洞小小有趣，秉持著教育及炫耀(?)的心態就來發個文了XD 最近需要自架共筆伺服器，調查了一些市面上支援 Markdown 的共筆平台，最後還是選擇了國產的 HackMD! 當然，對於自己要使用的軟體都會習慣性的檢視一下安全性，否則怎麼敢放心使用? 因此花了約半天對 HackMD 進行了一次原始碼檢測(Code Review)! HackMD 是一款由台灣人自行研發的線上 Markdown 共筆系統，除了在台灣資訊圈流行外，也被許多台灣研討會如 COSCUP,

This is also a cross-post blog from DEVCORE, this post is in English, 而這裡是中文版本! #2019-02-22-updated #2019-05-10-updated #2019-05-10-released-exploit code awesome-jenkins-rce-2019 #2019-07-02-updated the slides is out! --- Hello everyone! This is the Hacking Jenkins series part two! For those people who still have not read the part one yet, you can check following link to get some basis and

This is a cross-post blog from DEVCORE, this post is in English, 而這裡是中文版本! # Part two is out, please check this --- In software engineering, the Continuous Integration and Continuous Delivery is a best practice for developers to reduce routine works. In the CI/CD, the most well-known tool is Jenkins. Due to its ease of use, awesome Pipeline system and integration of Container, Jenkins is

In every year’s HITCON CTF, I will prepare at least one PHP exploit challenge which the source code is very straightforward, short and easy to review but hard to exploit! I have put all my challenges in this GitHub repo you can check, and here are some lists :P 2017 Baby^H Master PHP 2017 (0/1541 solved) Phar protocol to deserialize malicious object Hardcode anonymous function name \

Hi! This is the case study in my Black Hat USA 2018 and DEFCON 26 talk, you can also check slides here: Breaking Parser Logic! Take Your Path Normalization Off and Pop 0days Out In past two years, I started to pay more attention on the “inconsistency” bug. What's that? It’s just like my SSRF talk in Black Hat and GitHub SSRF to RCE case last year, finding inconsistency between the URL parser

gCalc is the web challenge in Google CTF 2018 quals and only 15 teams solved during 2 days’ competition! This challenge is a very interesting challenge that give me lots of fun. I love the challenge that challenged your exploit skill instead of giving you lots of code to find a simple vulnerability or guessing without any hint. So that I want to write a writeup to note this :P The challenge

打 CTF 打膩覺得沒啥新鮮感嗎，來試試打掉整個 CTF 計分板吧! 前幾個月，剛好看到某個大型 CTF 比賽開放註冊，但不允許台灣參加有點難過 :(看著官網最下面發現是 FlappyPig 所主辦，又附上 GitHub 原始碼 秉持著練習 Java code review 的精神就 git clone 下來找洞了! (以下測試皆在 FlappyPig 的允許下友情測試，漏洞回報官方後也經過同意發文)在有原始碼的狀況下進行 Java 的 code review 第一件事當然是去了解第三方 Libraries 的相依性，關於 Java 的生態系我也在幾年前的文章小小分享過，當有個底層函式庫出現問題時是整個上層的應用皆受影響!從 pom.xml 觀察發現用了Spring Framework 4.2.4從版本來看似乎很棒沒什麼重大問題 Mybatis 3.3.1一個 Java ORM

Author: Orange Tsai(@orange_8361) from DEVCORE Recently, I reviewed several Web frameworks and language implementations, and found some vulnerabilities. This is an simple and interesting case, and seems easy to exploit in real world! Affected All PHP version PHP 5 < 5.6.33 PHP 7.0 < 7.0.27 PHP 7.1 < 7.1.13 PHP 7.2 < 7.2.1 Vulnerability Details The vulnerability is on the file ext/gd/

Hi, it’s been a long time since my last blog post. In the past few months, I spent lots of time preparing for the talk of Black Hat USA 2017 and DEF CON 25. Being a Black Hat and DEFCON speaker is part of my life goal ever. This is also my first English talk in such formal conferences. It's really a memorable experience :P Thanks Review Boards for the acceptance. This post is a simple case

Before GitHub Enterprise is the on-premises version of GitHub.com that you can deploy a whole GitHub service in your private network for businesses. You can get 45-days free trial and download the VM from enterprise.github.com. After you deployed, you will see like bellow: Now, I have all the GitHub environment in a VM. It's interesting, so I decided to look deeper into VM :P

本來這篇文章叫做 HITCON CTF 2016 初賽出題小記的，可是擺著擺著就兩個月過去惹～ 轉來寫寫跟 Java 有關的東西XD 關於序今年五六月的時候，看到某個曾經很多人用但快停止維護的 Java Web Framework 弱點的修補方式感覺還有戲所以開始追一下原始碼挖 0-Day，順便整理一下 Java Web 相關弱點 — 😊覺得有趣。 通常自己在外面演講時對於 Web Security 的分類中大致可分為三個世界: File-Based 的世界，一個檔案對應一個入口點如經典的 ASP, PHP, ASPX 等 Route-Based 的世界，一個路徑對應一組函數(功能)如經典的 Rails, NodeJS, Django 等 Java 的世界，Java 的世界極其複雜自成一格獨立討論 當然三種分類並不是獨立開來，如常見 PHP MVC 用 Rewrite 將

把出過的 CTF Web 題都整理上 GitHub 惹，包括原始碼、解法、所用到技術、散落在外的 Write ups 等等 This is the repository of CTF Web challenges I made. It contains challs's source code, solution, write ups and some idea explanation. Hope you will like it :) https://github.com/orangetw/My-CTF-Web-Challenges

This is my talk about being a Bug Bounty Hunter at HITCON Community 2016 It shared some of my views on finding bugs and some case studies, such as Facebook Remote Code Execution... more details Uber Remote Code Execution... more details developer.apple.com Remote Code Execution abs.apple.com Remote Code Execution b.login.yahoo.com Remote Code Execution... more details eBay SQL Injection

千呼萬喚始出來XD How I Hacked Facebook, and Found Someone's Backdoor Script (English Version) 滲透 Facebook 的思路與發現 (中文版本) 看來再找一個 Google 的 RCE 就可以把各大公司的 RCE 系列給蒐集全了XD

好久沒 po 文了XD 幾天前，Uber 公佈了 Bug Bounty 計畫，從  Hackerone 上看到獎金不低，最少的 XSS / CSRF 都有 3000 美金起就跳下來看一下有什麼好玩的XD 從官方公佈的技術細節發現 Uber 主要網站是以 Python Flask 以及 NodeJS 為架構，所以在尋找漏洞的時候自然會比較偏以測試這兩種 Framework 的漏洞為主! Uber 網站在進行一些動作如修改電話、姓名時，會以寄信及簡訊的方式告知使用者帳號進行了變更，在某次動作後發現 Uber 寄過來的信如下圖，怎麼名字會多個 "2" XDDDD 往前追查原因才發現進入點是在 Riders.uber.com，Riders.uber.com 為修改個人資料以及顯示帳單、行程行程的地方，在修改的姓名中，使用了 {{ 1+1 }} 這個 payload

當初好像沒留底稿只發布在 Facebook 跟烏雲 今天睡醒發現又有人在轉貼這篇，想說留個備份好了XD Facebook 連結 Wooyun 知識庫連結 HITCON KnowledgeBase 連結 ---------- 決賽 Attack & Defense 也出了一道 Web 題目 0ops 成員 5alt 也寫了一篇筆記 HITCON CTF 2015 Final Webful Writeup 寫的真棒XD 看得我自己心癢癢都想寫一篇來解釋各個洞為什麼要這樣設計了XD 出 Final 時候本意就是要把環境模擬成真實環境，讓平常 Web 狗的各種猥瑣流可以得心應手而不是淪為解題形式在實戰中派不上用場 　 除了各個 API 接口的互相影響 單點淪陷 = 全部淪陷 外 還有模擬 Discuz UC_KEY 的應用，SECRET_KEY 洩漏的各種利用方式順便防止 Replay

先說這篇純粹炫耀文xD 暨 2013 年 Yahoo 開始有 Bug Bounty 那時搶個流行找了兩個漏洞回報 Yahoo 然後 Yahoo Bug Bounty Part 1 - 台灣 Yahoo Blog 任意檔案下載漏洞 Yahoo Bug Bounty Part 2 - *.login.yahoo.com 遠端代碼執行漏洞 就沒有然後了。之後就變成電競選手在打 CTF 了 直到今年年中，想說至少把幾間大公司的漏洞回報榜都留個名字就開始繼續挖洞 不過實際下去挖掘的時候發現差異滿大的，好挖好找嚴重性大的漏洞都已經被找走 感覺挖漏洞的藍海時代已經過惹 現在要當獎金獵人只能往比較前端跟設計上的小疏失挖掘，賺不到甚麼大錢XD 花了一點時間 survey 歷年出過的一些漏洞以及前端相關的一些攻擊手法 找到了個 Google 某官方的 CSRF 導致個人資訊