Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

GZip RCE in GLPI - 190

Almond Consulting, posted 5 years ago
  • GLPI users with maintenance privileges can dump the database to SQL or XML. The request that triggers the dump had no CSRF protection, so an attacker could make a privileged user's browser perform it on their behalf. The dump is written gzip-compressed.
  • The dump can be written to any location, and the destination is not limited to the local filesystem: other URI schemes such as FTP are accepted too. For code execution (which is always the end goal) one more thing is needed: the path of the webroot, because that is where the file has to land for PHP to serve it. GLPI does not expose that path directly, only a hash of it...
  • The webroot leaks through the name of a cookie set by the server, which is computed as "glpi_".md5(realpath(GLPI_ROOT)). MD5 of a filesystem path is a weak secret: installation paths are predictable, so feeding the hash to Hashcat with a wordlist of common webroots (or a mask) recovers the path.
  • This is where things get REAL crazy. Can a gzip file be turned into a webshell, i.e. can the compressed bytes on disk be valid PHP? That is the question the research set out to answer.
  • After learning a ton about the gzip format and a lot of brute forcing over the content of dumped SQL and XML, a gzip file was found whose bytes were valid PHP and popped a shell!
  • This was incredible research that required a ton of amazing innovation. I highly recommend reading this article in full.