About Pablo Martinez

This author has not yet filled in any details.
So far Pablo Martinez has created 4 blog entries.

Vulnerabilities in Ampache (<=3.9.1)

21 Aug. 2019

During a Red Team operation, multiple vulnerabilities were discovered in Ampache, an open source web platform for audio/video streaming. CVE codes have been assigned for two of them: CVE-2019-12385 (SQL injection) and CVE-2019-12386 (stored XSS).

Ampache SQL injection (CVE-2019-12385)

Communication with the database is made via the Dba class (ORM), which relies on PHP PDO to perform queries. Some of them are performed properly using prepared statements, but in other cases the Dba::escape method is used.

lib/class/dba.class.php:

    public static function escape($var)
    {
        $dbh = self::dbh();
        if (!$dbh) {
            debug_event('Dba', 'Wrong dbh.', 1);
            exit;
        }
        $var = $dbh->quote($var);
        // This is slightly less ugly than it was, but still ugly
        return ...


Red Team Tales 0x01: From MSSQL SQL Injection to RCE

20 Mar. 2018

Introduction

In a Red Team operation, a perimeter asset vulnerable to SQL Injection was identified. Through this vulnerability it was possible to execute commands on the server, requiring an unusual tactic to achieve the exfiltration of the output of the commands. In this article we will explain the approach that was followed to successfully compromise this first perimeter element, which was later used to pivot into the internal network.

0x01 - Stacked queries

The starting environment is an ASP application that uses a Microsoft SQL Server as its database engine. The vulnerability is quickly located because, when inserting a simple quotation mark, an ODBC Driver error is displayed on the page indicating that the closing quotation mark is missing. After several ...
