BSides 2019: Code diving for pop chains

11 December 2019

bsides vienna 2019 talk

I gave a talk at the BSides 2019 Vienna about PHP Object Injection. Here is the abstract of this talk:

PHP Object Injection is a well known web vulnerability that could allow an attacker to perform different kinds of attacks by reusing and chaining existing code of the application(gadgets). Sometimes it is easier to find the vulnerability than discovering a proper chain for a remote code execution. This talk illustrates the long road of searching for various “POP chains” by disclosing details of a vulnerability for Okay-CMS. The code of the application will be analyzed and possible payloads will be discussed. A working unauthenticated remote code execution exploit will finally proof the concept.

The slides can be downloaded here: Slides

[ Programming  Security  News  ]
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti