The p4 Helix Command-Line Client accepts and responds to Perforce protocol commands supplied by a connected server without any validation. A malicious Perforce server can send arbitrary Perforce protocol commands to connecting clients in order to expose the contents of client system files or write arbitrary files on the client system.
My goal for this CTF was to primarily use tools and scripts that I had personally written to complete it. Throughout this challenge I used and extended my personal toolkit extensively. All the proof of concept tools I have produced as a result of this CTF are available in a GitHub Gist.
In UniFi Video 3.10.0 and prior, due to the lack of CSRF protection, it is possible to abuse the Web API to make changes on the server configuration without the user consent, requiring the attacker to lure an authenticated user to access on attacker controlled page.
HackerOne bug report to Ubiquiti Inc.: The UniFi Video Configuration Restore functionality is vulnerable to a path traversal vulnerability when extracting the contents of POSTed zip files.
HackerOne bug report to Ubiquiti Inc.: The UniFi Video Configuration Restore functionality is vulnerable to CSRF. A successful attack would allow modification of any application configuration setting, including creating new administrative users.
HackerOne bug report to SEMrush: The Project Site Audit function is vulnerable to XXE when parsing sitemap.xml files.
Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components.
The CFNetwork Proxies subsystem in Apple iOS before 9.3.2, OS X before 10.11.5, and tvOS before 9.2.1 mishandles URLs in http and https requests, which allows remote attackers to obtain sensitive information via unspecified vectors.
In this post I examine techniques and optimizations which can be used to efficiently extract SQL query results from Blind SQL Injection vulnerabilities. With the correct techniques and optimizations the majority of SQL query results can be extracted using at most two requests per character in the result string plus two requests for a length check. Under certain conditions results may be able to be extracted using significantly fewer requests.
This post draws together known Blind SQL Injection data extraction techniques and builds upon them in order to reduce the number of requests required to extract query results to the absolute minimum.
Proxy Auto-Config (PAC) files can specify a JavaScript function called for all URL requests with the full URL path which exposes more information than would be sent to the proxy itself in the case of HTTPS. Normally the Proxy Auto-Config file is specified by the user or machine owner and presumed to be non-malicious, but if a user has enabled Web Proxy Auto Detect (WPAD) this file can be served remotely. This vulnerability affects Firefox < 51.