Classroom Contents
Finding 0days in Enterprise Web Applications
- 1 Intro
- 2 What is HCL Digital Experience / IBM WebSphere Portal
- 3 Decompiling JARs
- 4 Finding The Attack Surface
- 5 Finding the endpoint. One of the hardest bits of source code analysis when finding bugs through grep is identifying the endpoint that the config files/code are triggered by. This one was easy, they …
- 6 Chaining a Lotus Domino Open Redirect
- 7 Variant Hunting: Discovering other occurrences of similar vulnerabilities
- 8 Super SSRF
- 9 Variant Hunting #2
- 10 Chaining the vulnerability through IBM KC
- 11 Fail: Another attempt at XXE
- 12 Post Auth RCE via Directory Traversal
- 13 References
- 14 What is SolarWinds Web Help Desk? Basically a central ticket management system for your enterprise; connects with SolarWinds Orion
- 15 Development Hardcoded Credentials
- 16 Production Hardcoded Credentials
- 17 What does this let us access? These credentials let us access a big part of the Spring web app embedded in this software. The most interesting controller for this was found at /helpdesk/WEB-INF
- 18 Hibernate Query Routes
- 19 Putting it all together
- 20 Exploit Writeup
- 21 What is Sitecore's Experience Platform?
- 22 Grabbing Sitecore Source Code
- 23 Mapping out the attack surface
- 24 Discovering the vulnerable endpoint. When we investigated some of the files inside the sitecore/hel directory, we found the following contents
- 25 Report.cs
- 26 ReportDataSerializer.cs
- 27 Crafting a payload
- 28 Final RCE Payload
- 29 Blob Handler.ashx
- 30 Encryption Function
- 31 Getting the Master Key
- 32 Default Master Key