Enumeration, Data Exfiltration, and SSRF Attacks

Photo by Marcel Ardivan on Unsplash

I am currently taking the Web Application Bootcamp by Vivek Ramachandran from Pentester Academy to refresh my testing skills for the OWASP Top 10 vulnerabilities. What better way to end the “unpredictable” year, right!

I decided to share the testing methodology I developed while taking the class and solving the challenges.

Today, I will explore the XML External Entity (XXE) vulnerability and how it can be leveraged to perform data exfiltration and SSRF attacks.

Before we dive into it, let’s cover the fundamentals.


  • XML External Entity Attack Overview
  • Impact
  • Exploitation Demo
  • Prevention
  • Resources


XML is a markup language designed for storing and transporting data. It is commonly used in configuration files and web services. …

SSH Port Forwarding, Network Pentesting, Pivoting

Dženis Hasanica- Unsplash

A year ago, I worked on one of the eLearnSecurity labs while taking the PTP course. During one of the labs, I compromised an external web server where I found MySQL and RDP internal services running on localhost.

The firewall set up on that network blocks any inbound traffic to these services. To interact with them, I needed to tunnel the traffic from the compromised internal machine to mine and bypass the firewall restriction; that technique is called port forwarding or tunneling.

Today, we are going to talk about local and remote port tunneling with the SSH protocol. …

Photo by Karsten Winegeart on Unsplash

Recently, while working on the Sniper machine on Hack The Box, I came across a technique for exploiting a remote file inclusion in a PHP application over SMB.

Before working on this machine, my understanding was that PHP applications are vulnerable to Remote File Inclusion ONLY when “allow_url_include” and “allow_url_fopen” are set to On. However, what I learned is that these restrictions apply only to the HTTP and FTP protocols.

  • The allow_url_include directive allows the inclusion of a remote file using a URL rather than a local file path.
  • The allow_url_fopen directive allows data retrieval from a remote server or website.

The inclusion restriction does not apply to SMB UNC paths.

Chaining a Command Injection vulnerability and Insecure Configuration to obtain AWS account information


There is a common misconception that cloud-hosted services are more secure than traditional ones. While this may be partially true at the infrastructure level, cloud services still contain user-controlled elements that can introduce vulnerabilities.

This short tutorial will explore how to exploit a vulnerable Lambda function and leak its AWS account information.

Before we jump into it, let’s go over the fundamental terminology.


  • AWS Lambda Function
  • Command Injection (OWASP A1: Injection)
  • Exploitation Demo
  • Resources


AWS Lambda is a serverless computing service designed to execute code only when needed or triggered. Once execution finishes, the compute instance that ran the code is decommissioned. You can create as many functions as the application needs to handle different tasks. …

Basic Server-Side Request Forgery on Selenium Grid Framework

Photo by Isabel Galvez on Unsplash

Recently I have been reading through bug bounty write-ups, as it is becoming my favorite pastime during the quarantine. I came across a Selenium Grid article written by Peter Jaric; he explained the lack of authentication and the hardening of security measures on a Selenium Grid framework.

Searching more online, I found out that Selenium Grid, out of the box, offers no built-in authentication and has the functionality of loading scripts, which makes the server vulnerable to Server-Side Request Forgery (SSRF) attacks.

I decided to learn more about SSRF attacks and apply them to the Selenium Grid testing instances that I built in my lab. As usual, before we get started, we will go over the key concepts before delving into the exploitation part. …

Remote Code Execution through Insecure Deserialization Vulnerability

Photo by Pankaj Patel on Unsplash

Today, I will go over one of the OWASP Top 10 vulnerabilities, Insecure Deserialization, focusing on exploiting basic .NET applications.


Serialization is the process of turning data objects into a stream of bytes that can be stored in files, memory, or databases, sent over a network between different components of an application, or passed in API calls.

Deserialization is the opposite process; it restores the byte stream into the objects it was serialized from.

Insecure deserialization occurs when an application deserializes manipulated serialized objects supplied by an attacker, allowing the attacker to influence or control the application’s behavior. The impact of this vulnerability ranges from denial of service and authentication bypass to arbitrary code execution. …

Data Exfiltration in OpenEMR 2018 v5.0.1

Photo by Jouwen Wang on Unsplash

Application error and warning messages are valuable for understanding an application’s infrastructure and its underlying technologies. If you can get an application to return viewable errors during testing, you will understand its behavior better.

This article will focus on exfiltrating data through XPath functions in MySQL error-based injection. I’ll be going through the manual enumeration of an application, discovering the SQL injection vulnerability, and then using the Intruder feature in Burp Suite to automate the database dumping.

📔 $_Key_Concepts_To_Cover:

  • In-Band Error Based SQL Injection.
  • XPath functions in MySQL.
  • Identifying the SQL vulnerability with manual testing. …

Linux Privilege Escalation Technique

Photo by Charl Folscher on Unsplash

Many common Linux privilege escalation techniques involve abusing SUID programs. In this quick tutorial, we will cover the method of hijacking relative paths to escalate privileges.

Before we get started, let’s create a baseline understanding of what SUID is, the difference between absolute paths and relative paths, and how we can use them to our advantage.

SUID (Set User ID) is a special Linux permission bit that allows a user to run an executable with the same level of privilege as the file’s owner. …

Exploit Analysis of OpenNetAdmin v18.1.1

Photo by Kev Seto on Unsplash

OpenNetAdmin is a network management application that provides a database of managed inventory of IPs, subnets, and hosts in a network, with a centralized AJAX web interface. The application is open source and written in PHP; the source code is available on GitHub under the “ONA Project.”

  • Full command-line interface for scripting and batch maintenance, with local or remote capabilities.
  • Plugin system to extend the functionality
  • Manage DNS and DHCP server configs, archive host configs
  • Full CLI interface for batch and scripting

The vulnerability found in v18.1.1 allows code execution that leads to a full compromise of the hosting machine. …

Basic methodology to approach LFI vulnerability when Pentesting a Web Application


Local File Inclusion is a vulnerability often found in poorly-written web applications. This vulnerability occurs when a web application allows the user to submit input into files or upload files to the server — Offensive Security.

Most modern programming languages have a mechanism to prevent this type of vulnerability. However, older languages such as Java, ASP.NET, and our well-known friend PHP are still prone to this issue if implemented incorrectly.

A successful attack exposes sensitive information about the running web server, such as configuration files, world-readable files, and system files. In some cases, this vulnerability can be escalated to remote code execution by uploading a remote shell and compromising the entire web server. …


Nairuz Abulhul

I spent 70% of the time reading security stuff and 30% trying to make it work !!! aka Pentester >>Security Researcher
