04 November, 2024
- Posted By Charles Fol
- php filter blind file read iconv
Introducing lightyear: a new way to dump PHP files
In this blog post, we describe new techniques to dump PHP files leveraging filters, and a tool that does it, lightyear.
In this blog post, we will explore how we can exploit CNEXT, but blind, covering the cases where we have a file read primitive, but cannot get the output.
In this blog post, we will explore a new way of exploiting the vulnerability on PHP, using direct calls to iconv(), and illustrate the vulnerability by targeting Roundcube, a popular PHP webmail.
Scalpel is a Burp extension for intercepting and rewriting HTTP traffic, either on the fly or in the Repeater using Python 3 scripts.
A few months ago, I stumbled upon a 24-year-old buffer overflow in glibc, the base library for Linux programs. Despite being reachable in multiple well-known libraries or executables, it proved rarely exploitable — while it didn't provide much leeway, it required hard-to-achieve preconditions. Looking for targets led mainly to disappointment. On PHP however, the bug shone, and proved useful in exploiting its engine in two different ways.
We introduce a tool that uses PHP filters to wrap PHP resources in an arbitrary prefix and suffix.
We provide details about CVE-2023-49103 and CVE-2023-49105
Ambionics Security team discovered a pre-authentication remote code execution in vBulletin 5.6.9.
Early this year we had the opportunity to pentest WatchGuard firewalls (XTM, Firebox) for a red team engagement. This blog post will follow the journey in which I discover 5 vulnerabilities - 2 patched along the way - and build 8 distinct exploits, and finally obtain an unpatched pre-authentication remote root 0-day on every WatchGuard Firebox/XTM appliance.
We identified a vulnerability in SPIP's SQL engine, which allowed us to access the back office of the hacking platform Root-Me.
This article reveals a privilege escalation vulnerability affecting PHP-FPM.
Ambionics Security team discovered an RCE in Laravel, when the framework is in debug mode.
Ambionics Security team discovered a heap overflow that results in remote code execution on Sqreen's microagent.
Remote code execution using Symfony's _fragment page and insecure secret values.
We demonstrate how one can recover mt_rand()'s seed with only two outputs and without any brute force.
Several flaws have been identified in the latest version of Magento 2, allowing an attacker to obtain complete control over the server. We're now releasing the exploit for the unauthenticated SQL injection. We'll release the details for the RCE vulnerability at a later time.
Exploitation and mitigation bypasses for the new Drupal 8 RCE (SA-CORE-2019-003, CVE-2019-6340), targeting the REST module.
Prestashop 1.6.1.19 sessions can be read and written by an attacker, resulting in a range of vulnerabilities including privilege escalation and remote code execution.
We're introducing a new tool to generate unserialize() payloads easily from common libraries.
A few months ago, the Ambionics Security team had the chance to audit Oracle PeopleSoft solutions. PeopleSoft applications contain a lot of unauthenticated endpoints with several poorly documented XXE vulnerabilities. We'll show how you can get a full SYSTEM shell from that.
Ambionics Security team discovered a pre-authentication SQL Injection in TYPO3 News module. This module is the 20th most used module of TYPO3 with almost 60,000 downloads.
While working on the Drupal module Services, the Ambionics Security team discovered a critical remote code execution vulnerability.
Some time ago, the Ambionics team encountered a very old instance of Grails which contained a plugin to generate PDFs from Groovy templates. Upon looking for the plugin's source code we discovered an XXE vulnerability.
As a new year comes, it is a good time to review two high impact vulnerabilities that were discovered four years apart, but that are in fact rooted in the same piece of code.