This one was a fun little hack. Versions 5.4.1.7 and below, and 5.4.0.12 and below of the X-Cart PHP ecommerce platform are affected by an unauthenticated vulnerability that allows an…
I was chatting to @Random_Robbie at the inaugural BSides Liverpool (@BSidesLivrpool), when he mentioned a new Adobe ColdFusion RCE and then said… “There’s no public exploit.” I’ve dabbled a bit…
Note: This is an old write-up from 2016 but I was prompted to resurrect it after my tweet about it was recently retweeted. I do think it’s a good example…
In October 2017 I published an overview and video proof-of-concept of a Java RMI/deserialization vulnerability affecting the Flex Integration service of Adobe ColdFusion. I held off on publishing all of…
Fun with PHP deserialization and some accidental WordPress bugs. A few months ago I was putting together a blog post on PHP deserialization vulnerabilities. I decided to look for a…
The name gives it away, Java Management Extensions (JMX) is a potentially juicy target for attack. One of the ways that a JMX service may be exposed is using Java…
Last week I wrote about how I semi-blindly produced an RCE exploit for the BMC Server Automation RSCD service without access to a test environment. Since then I’ve got my…
If you’ve ever come across BMC Server Automation during network scanning then you may have seen Nessus flag up a Critical vulnerability titled “BMC Server Automation RSCD Agent Weak ACL NSH…
This morning I spotted a tweet mentioning an “Apache James 3.0.1 JMX Server Deserialization” vulnerability, CVE-2017-12628, which caught my eye because I wrote a generic JMX deserialization exploit which is…
During my research into the Java Remote Method Invocation (RMI) protocol, the most common RMI service that I came across was Adobe ColdFusion’s Flex integration service which is used to…
NickstaDB 