Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE- 1536

DreyAnd · Posted 1 Year Ago
  • CyberPanel is a free web hosting control plane. Under the hood, it's a fairly simple Django app. The main purpose of it is setting up services like FTP, SSH, etc. on a box. It has a login screen to prevent everyone from being able to do this of course.
  • While reviewing the code, they noticed that authentication checks were added by hand to every API endpoint instead of being enforced globally by a middleware. Reviewing previous findings, they saw an earlier authentication bypass for file upload caused by exactly such a missed check, and concluded that command injection and authentication issues were the likely bug classes in this code base. Do your homework kids!
  • Using Semgrep, they stumbled across upgrademysqlstatus. This endpoint is missing the authentication check and executes arbitrary commands on the OS. The best of both worlds!
  • Unfortunately, the command injection didn't work at first because a recently added secMiddleware was validating request inputs to prevent exactly this class of issue. After fuzzing it and trying some Linux tricks they didn't find a way through the filter. However, they did notice a funny design flaw in the input validation!
  • secMiddleware only checked the inputs if the request was a POST. However, a Django view can be reached with more than one HTTP verb. So, by sending the same request with OPTIONS instead of POST, the validation is skipped entirely. This means we have a successful pre-auth command injection. They found another variant of this as well.
  • Good write-up! I like that the author did their homework on previous bugs in order to identify pervasive bug patterns in the code base. The bypass for the input validation was quite funny as well.
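The verb-gated validation flaw described above, as an added example that is not code from the write-up or from CyberPanel: a Django-style body-sanitising middleware in its weak form (only inspects POST) beside a hardened form that validates any body regardless of verb. The `Request` stand-in, the metacharacter denylist and the sample bodies are constructed for illustration.

```python
import json
from dataclasses import dataclass

# Constructed denylist of shell metacharacters the middleware looks for.
DANGEROUS = set(";|&`$(){}")


@dataclass
class Request:
    """Minimal stand-in for a Django HttpRequest (constructed, not Django's)."""
    method: str
    body: bytes


def _body_is_suspicious(body: bytes) -> bool:
    """True if any JSON string value in the body contains a metacharacter."""
    try:
        data = json.loads(body or b"{}")
    except ValueError:
        return True  # unparseable body: treat as suspicious rather than pass
    values = data.values() if isinstance(data, dict) else [data]
    return any(isinstance(v, str) and set(v) & DANGEROUS for v in values)


def weak_middleware(request: Request) -> bool:
    """Weak version (the bug): only validates when the verb is POST."""
    if request.method == "POST":
        return not _body_is_suspicious(request.body)
    return True  # every other verb, OPTIONS included, is waved through


def hardened_middleware(request: Request) -> bool:
    """Hardened version: validate whatever body is present, for every verb.
    Views should additionally restrict verbs (e.g. Django's require_POST),
    but the middleware must not rely on that."""
    return not _body_is_suspicious(request.body)


# Constructed sample bodies: one carries a metacharacter, one is clean.
SUSPICIOUS_BODY = json.dumps({"name": "value; extra"}).encode()
CLEAN_BODY = json.dumps({"name": "value"}).encode()

if __name__ == "__main__":
    for mw in (weak_middleware, hardened_middleware):
        for verb in ("POST", "OPTIONS"):
            allowed = mw(Request(verb, SUSPICIOUS_BODY))
            print(f"{mw.__name__:20s} {verb:8s} {'allowed' if allowed else 'blocked'}")
```

Running it shows the weak middleware blocking the POST but allowing the identical OPTIONS request, while the hardened one blocks both.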