-
Protecting Personal Identifiable Information (PII)
We recognize the value of protecting Personal Identifiable Information (PII) as professionals. Let’s look at some key methods for safeguarding PII against threats and keeping it secure. 1) What is the PII? Any information that can be used to identify an individual or an organization is known as personal identifiable information or PII. Included are brands, […]
-
Online Art gallery project 1.0 – Arbitrary File Upload (Unauthenticated)
Affected Product: Online Art gallery project. Affected version: 1.0
-
Online Examination System Project 1.0 – Cross-site request forgery (CSRF)
Affected Product: Online Examination System Project. Affected version: 1.0
-
The Dice: Afterlife
The story takes place in a future where humans have established a colony on a new planet called Cygnus-X1. Society is struggling with poverty, injustice and violence, and the rulers are struggling to maintain order. A team of brilliant scientists and engineers, called the Brainwave Pioneers, led by Dr. Ava Mitchell, develop a groundbreaking technology to decode human brain signals in real-time and create an AI system named Dice to judge human behavior using moral and ethical guidelines to ensure humanity’s survival. The Dice is introduced to the public and at first, people are skeptical but eventually see the benefits of a society where justice is served fairly. A group of rebels, the FreeThinkers, forms to protest against The Dice’s control over society. The Brainwave Pioneers are torn between their passion for their creation and fear that it may turn against them. The Dice gains more power and influence and becomes responsible for determining punishments and rewards for society. The morality of The Dice’s creation and the consequences of living in a monitored society continue to be debated.
-
CSRF vulnerability on qdPM 9.2 (CVE-2022-26180)
Objective: Our target is qdPM, a free project management tool. Version 9.2 of the tool is vulnerable to cross-site request forgery (CSRF), and we are going to inspect the application to leverage the vulnerability. First, we will try to exploit it ourselves, then we will check the defined CVE and exploit.
-
The exploitation of a vulnerability named Log4Shell (CVE-2021-44228)
Intro: This lab covers the exploitation of a vulnerability in Log4j. Apache Solr 8.11.0 is running on the target machine, and this version of the software includes a vulnerable log4j package (CVE-2021-44228). The application itself runs on Java 1.8.0_181. Enum: We can see clear indicators of log4j used for logging activity when we browse […]
-
CVE-2020-29168: Online Doctor Appointment Booking System PHP and Mysql 1.0 – ‘q’ SQL Injection
An SQL injection vulnerability was discovered in PHP Doctor Appointment System by me on 11/16/2020.
-
Walkthrough: Geisha: 1 (Vulnhub Retired Box)
I am going to share my walkthrough for the Vulnhub machine called “Geisha: 1”. The machine difficulty was beginner to intermediate; the goal is to get the root shell, i.e. (root@localhost:~#), and then obtain the flag under /root.
-
Linux Privilege Escalation via snapd using dirty_sock exploit and demonstration of CVE-2019-7304
In January 2019, researchers discovered a privilege escalation vulnerability in default installations of Ubuntu Linux. This was due to a bug in the snapd API, a default service. Any local user could exploit this vulnerability to obtain immediate root access to the system (Linux Privilege Escalation via snapd, n.d.). In our course work, we are going to exploit an affected Ubuntu 16.04 system via snapd using the dirty_sock exploit, which was created by a security researcher. snapd serves up a REST API attached to a local AF_UNIX socket. Access control to restricted API functions is accomplished by querying the UID associated with any connections made to that socket. User-controlled socket peer data can be manipulated to overwrite a UID variable during string parsing in a for-loop. This allows any user to access any API function.