Public

Post having been made public (grouped by technologies):

Technology	Articles
AfterLogic	C110001: AfterLogic, PHP Object Injection to Remote Code Execution (pre-auth)
Bolt CMS	C1110: Bolt CMS <= 3.7.1, Profiler = RCE (pre-auth) B2: Bolt CMS <= 3.7.1, Profiler + Extensions = RCE (pre-auth)
CodeIgniter4	C110000: CodeIgniter4, file deletion Gadget Chain
D-Link	C101101: D-Link DIR-865L, Memory corruptions lead to Remote Code Execution (pre-auth) C101100: D-Link DIR-865L, Unsigned firmware upload lead to persistent backdoor (pre-auth) C101011: D-Link DIR-865L, Remote Code Execution (pre-auth)
Dolibarr	C10011: Dolibarr 12.0.3, SQLi to RCE (post-auth) C10010: Dolibarr 12.0.3, Multiple SQL injection (post-auth) C10001: Dolibarr 12.0.3, Multiple XSS to RCE
Dompdf	C11110: Dompdf multiple file deletion Gadget Chains
Drupal	B19: How to backdoor Drupal (new versions) like a bro
Jolokia	C11011: Jolokia <= 1.7.1, Remote Code Execution (pre-auth)
Linux	L1: Let’s learn Linux Kernel exploitation - part 2 L0: Let’s learn Linux Kernel exploitation - part 1 B16: Python loves capabilities
mPDF	C100111: mPDF <= 8.1, SSRF
Netgear	C110100: Attacking Netgear D6000, Mutiple Remotes Code Execution (pre-auth) - part 3 C110011: Attacking Netgear D6000, Mutiple Remotes Code Execution (pre-auth) - part 2 C110010: Attacking Netgear D6000, Mutiple Remotes Code Execution (pre-auth) - part 1 C100110: Netgear R6200v2, Remote Code Execution (pre-auth) C100000: Netgear DGND4000, Remote Code Execution (pre-auth) - part 2 C11111: Netgear DGND4000, Remote Code Execution (pre-auth) - part 1 C11100: ReadyNAS OS 6 <= 6.10.6, Remote Code Execution (post-auth) B10: Looking into routeur Netgear DG834Gv2 - part 4 B9: Looking into routeur Netgear DG834Gv2 - part 3 B8: Looking into routeur Netgear DG834Gv2 - part 2 B7: Looking into routeur Netgear DG834Gv2 - part 1
PHP	B18: SlowHorses enlarges your exploitation window while racing C101010: PHP SplDoublyLinkedList::pop() Use After Free B12: Introduction to exploitation of the PHP interpreter by writing a 1day for CVE-2016-3132
PHPBoost CMS	C10111: PHPBoost CMS 5.2, PHP Object Injection (pre-auth) C10101: PHPBoost CMS 5.2, SSRF (pre-auth)
PHPFusion	B1: PHPFusion RCE (post-auth) C111: PHPFusion v9.03.60, PHP Object Injection to SQL injection (pre-auth) C110: PHPFusion v9.03.60, PHP Object Injection (pre-auth) B0: Trolling PHP-Fusion editors C101: PHPFusion v9.03.50, Stored XSS (post-auth) C100: PHPFusion v9.03.50, Reflected XSS (pre-auth)
PHPWord	C101111: PHPWord, file deletion Gadget Chain
PROJECTWORLDS	B3: Back to basics
Qnap	B13: Qnap QTS light backdooring C100100: Qnap QTS, Race Condition to Remote Code Execution (post-auth) C100001: Qnap QTS <= 5.0.0.2055 build 20220531, Remote Code Execution (post-auth)
Rukovoditel	C1010: Rukovoditel v2.6.1, File Upload + LFI to RCE (post-auth) C1001: Rukovoditel v2.7, SQL injection (post-auth) C1000: Rukovoditel v2.7, Stored XSS (post-auth)
Sendy	C10100: Sendy 5.1.1, SSRF (pre-auth)
Snappy	C101110: Snappy, file deletion Gadget Chain
SPIP	C110111: SPIP, Generic method to get RCE (post-auth) C110110: SPIP <= 4.1.16, 1-Click RCE (pre-auth) - part 2 C110101: SPIP <= 4.1.16, 1-Click RCE (pre-auth) - part 1 C11010: SPIP <= 4.2.0, Remote Code Execution (pre-auth) C11001: SPIP <= 3.2.7, Remote Code Execution (post-auth) C11000: SPIP <= 3.2.7, Remote Code Execution (post-auth)
Squiz Matrix	C1111: Squiz Matrix, multiple XSS (post-auth)
Symfony	B17: Symfony <= v6.4, let’s unlock some more mystery on the fragment exploit
Typo3	C11101: Typo3’s core, file deletion Gadget Chain B6: Typo3’s template language TypoScript, Full Path Disclosure - part 3 B5: Typo3’s template language TypoScript, SQL injection - part 2 B4: Typo3’s template language TypoScript, RCE - part 1 C1101: Looking into Typo3 v10.4.3 source code - part 3 C1100: Looking into Typo3 v10.4.3 source code - part 2 C1011: Looking into Typo3 v10.4.3 source code - part 1
vBulletin	B14: vBulletin, PHP Object Injection (pre-auth)
Wansview	B11: Looking into the camera Wansview Q6
Wordpress	B15: Wordpress plugins, automated vulnerability scanning C0: Wordpress plugin Simple File List <= v4.2.2, RCE (pre-auth)
YesWiki	C11: YesWiki version cercopitheque 2020-04-18-1, LFI to RCE (pre-auth) C10: YesWiki version cercopitheque 2020-04-18-1, SQL injection (pre-auth) C1: YesWiki version cercopitheque 2020-04-18-1, Reflected XSS (pre-auth)
Zabbix	C10000: Zabbix >= v5.2.0, PHP Object Injection (pre-auth)