Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Vtenext 25.02: A three-way path to RCE

Mattia (0xbro) Brollo, posted 6 months ago
  • Vtenext is an Italian CRM. The author starts by running the default Semgrep PHP rules over the codebase of the demo release, which surfaces some interesting sinks.
  • The first issue is an XSS vulnerability caused by poor sanitization of user-controlled JSON input. Interestingly, it works because the response is served with a Content-Type of text/html, so calling the endpoint directly yields reflected XSS. At this point the payload is only reflected from a POST request, which makes it unexploitable on its own.
  • The application accepts several HTTP methods, but the CSRF token check is only performed on POST requests, while the endpoint processes the request regardless of the verb. Switching the verb to GET therefore bypasses the CSRF check.
  • Combining the first two findings, the XSS can now be triggered from a GET request. Small things chained together can make exploits considerably worse. Session cookies carry the HttpOnly flag, so they cannot be read via XSS directly; however, the Touch module exposes the PHPSESSID in the page (it appears to be part of some JSON request data), and elsewhere phpinfo() can be used to leak session cookies as well.
  • The final piece of the puzzle is a set of SQL injections. Although the queries go through adb->pquery(), user input is inserted directly into the statement; it looks like an attempt to prevent SQL injection that misunderstood how parameterization works. In this case, $_REQUEST['fieldname'] can be used to read any field from any table, and the author uses this primitive to steal password reset tokens from the database.
  • Finally, a password reset function does not check the user's previous password: a skipOldPwdCheck parameter exists on the function calls, but it is never set. Overall, a good set of bugs!
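Two of the patterns summarized above (a CSRF check tied only to the POST verb, and a column name concatenated into an otherwise "prepared" query) side by side with their hardened forms. This is an added illustration written for this page, not code from Vtenext or from the original post; the function names, the `users` table and the column allowlist are constructed.

```php
<?php
declare(strict_types=1);

// Weak pattern: the token is only checked for POST, but the same handler
// also runs for GET, so changing the verb skips the check entirely.
function weak_csrf_check(string $method, array $params, string $sessionToken): bool
{
    if ($method !== 'POST') {
        return true;                                   // GET/PUT/DELETE bypass
    }
    return hash_equals($sessionToken, (string)($params['csrf_token'] ?? ''));
}

// Hardened: a state-changing handler accepts only POST, and POST must carry a
// token that matches the session's token (constant-time comparison).
function require_post_with_token(string $method, array $params, string $sessionToken): bool
{
    if (strtoupper($method) !== 'POST') {
        return false;                                  // no mutation via GET
    }
    return hash_equals($sessionToken, (string)($params['csrf_token'] ?? ''));
}

// Weak pattern: prepared statement syntax, but the column name comes straight
// from the request, so the "parameterization" protects nothing.
function weak_field_query(PDO $db, array $request, int $id): array
{
    $sql  = 'SELECT ' . $request['fieldname'] . ' FROM users WHERE id = ?';
    $stmt = $db->prepare($sql);
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: identifiers cannot be bound, so they are validated against an
// allowlist; values are bound as parameters.
function safe_field_query(PDO $db, string $field, int $id): array
{
    $allowed = ['first_name', 'last_name', 'email'];   // constructed allowlist
    if (!in_array($field, $allowed, true)) {
        throw new InvalidArgumentException('unknown field requested');
    }
    $stmt = $db->prepare("SELECT {$field} FROM users WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

A quick grep for verb-conditional CSRF checks (`if ($_SERVER['REQUEST_METHOD'] === 'POST')` guarding only the token validation) and for string concatenation feeding `prepare()` is a cheap way to spot both patterns in a PHP codebase.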