SonarSource

Java's URI.resolve() will return its parameter if it is an absolute URL, which can be abused to perform SSRF. By using http:/example.com# as artifact the final URL will start with http:/example.com#, which the OkHttp library will accept when making the request.

This is indeed a format string vulnerability! The second argument of syslog() is supposed to be a format, not arbitrary data. In this case, the compiler emits a warning (-Wformat-security) but that’s not the case for the dependencies you may use.

Two bugs were to be found. addslashes() is not enough to protect against SQL injections because the interpolated value is not surrounded by quotes. This value is later used in the external shell call without proper escaping. A payload like 1--$(id>foo) is enough to gain RCE!

Extracted files are sanitized against Path Traversals. However, after two dots were removed from the target filename, backslashes were removed. This means that an attacker could craft a path such as .\./.\.shell.jsp, which turns into ../../shell.jsp

You can achieve RCE by uploading a malicious file called `img-converter.exe` that will then be executed instead of the one installed on the system.

When executing commands by name (e.g. `img-converter`) on Windows, the OS looks for the executable in the current directory first and only after that in the PATH. This applies here because the command is executed in the directory where the file is copied to.

Hint: it has something to do with the PATH!

It was an easy one for the week-end: after looking at python_jwt, we can notice that the function at line 10 processes the token but does not verify its signature. Thus, in line 12, an attacker can impersonate any user, resulting in login bypass.

When parsing the JSON data, fastJSON invokes CSRFToken’s setters, leading to a command injection. This is the theory behind crafting "chains" to exploit arbitrary deserialization vulnerabilities, based on the behaviour of the library and the available classes.

Here is the answer: there are two ways to serialize classes in PHP, both with O: and C:. The second encoding mode is not supported by the blocklist, and arbitrary objects could then be deserialized! It's not enough to get RCE, but it's a good start.