Tag: hacking

  • RCE Vulnerability in QBittorrent

    In qBittorrent, the DownloadManager class has ignored every SSL certificate validation error that has ever happened, on every platform, for 14 years and 6 months since April 6 2010 with commit 9824d86. The default behaviour changed to verifying on October 12 2024 with commit 3d9e971. The first patched release is version 5.0.1, released 2 days…

  • Connection-Locked CL.TE HTTP De-Sync Attacks

    I’ve spent the majority of the days since watching James Kettle’s talk rewatching it, reading the paper and supporting materials, and hacking away at the Python code. I’ve learned that HTTP De-Sync attacks are highly complex, and they provide a number of challenges. On the other hand, they are incredibly powerful and versatile, and this…

  • Client Side De-Sync and Synch0le

    Defcon just started publishing this year’s talks on YouTube and it includes an excellent talk by James Kettle on HTTP De-Sync attacks, furthering his research from last year. I found the subject fascinating and highly recommend you check out the talk, paper and corresponding Burpsuite plugins, along with the Portswigger labs to try it for…

  • PoC Exploit Development: Apache Any23 RCE

    When researching for another project this week, I came across a couple of CVEs, with no exploits, for Apache’s Any23 service. As I couldn’t find any exploit code online, I decided to try and write my own. One CVE, CVE-2021-40146, is an RCE vulnerability with no exploit code online. Follow the link and you’ll see…

  • TryHackMe Writeup: Reversing ELF

    I love a good crackme. It was one of the first things I practised when I did my first CTF (Pico) this year. This challenge is for newcomers to Reverse Engineering. Crackme1 Nothing special, you just need to give execution permissions to the binary and then execute it. Crackme2 This binary asks us for a…

  • DVWA: Weak Session IDs – Impossible Difficulty Part II

    Last time we quickly ran through the method for cracking the cookies issued by an instance of PHP issuing outputs from mt_rand(). However, the method used was flawed. We can do better just by attacking the problem some more. First, a basic optimisation to solve two problems at once. When running early attack code, I…

  • DVWA: Weak Session IDs – Impossible difficulty Part I

    DVWA stands for Damn Vulnerable Web Application, and it certainly lives up to its name. It’s intended for beginners to the field of hacking – which definitely describes me – and includes a list of challenges commonly seen in real hacking engagements like SQL Injection, Cross-Site Scripting and File Inclusion/File Upload vulnerabilities, etc. How you…