paul-axe
Created Jun 22, 2019

card maker

Simple web challenge. The application was built with the React framework and contained reporting functionality:

fetch("/api/report", {
    method: "POST",
    body: JSON.stringify({ hash: x }),
    headers: {
        "Content-Type": "application/json"
    }
});
paul-axe
Created Jan 20, 2019

The challenge was based on Drupal 7 with an obvious unserialize() call added.

Trying to build a chain, the first solution I found was based on the following chain:


abstract class DrupalCacheArray
    public function __destruct() {
        $data = array();
paul-axe
Last active Apr 29, 2018


We got a file with a sequence recorded from a /dev/input/event* file. It's easy to replay the events from the file using the following command:

# sleep 3; cat event0 > /dev/input/by-path/platform-i8042-serio-0-event-kbd

After that, switch to another terminal window or text editor and we will see the following commands:

vim key.txt
32ix^[o^[5if ^[Icde^[A653^[BBi3333^[BBicdef87236363^[llr2elr20elxlxlxhi3^[A64^[kdd:wq
The application was built from 2 parts, a frontend page ( and a backend page (, communicating via postMessage. There were several issues:

  1. Stored XSS on user profile page.

It's also possible to make the victim's browser trigger a click on the injected element:

if(location.hash.slice(1) == 'report'){

There were 2 security issues in the application:

  1. The WAF stored blocked users' IPs in a MySQL database, while the application itself used a PostgreSQL database.

The problem is the max_allowed_packet option in my.cnf. MySQL discards any packet larger than the value of this option, so the WAF's insert of the blocked IP silently fails and it's possible to bypass the WAF by sending a big payload in the first argument sent to the server.

  2. Vulnerable PostgreSQL library.

The vulnerability is described here:

paul-axe
Created Oct 27, 2017
ZeroNights 2017 Day #3 / YOUAREWELCOME writeup
  1. XSS in the feedback form. Got access to a moderator account. Nothing useful here though, except the list of approved accounts.
  2. Trying to register our own team, got the password by email. The password is 4 digits, so it can be easily bruteforced.
  3. The login form is protected with a simple captcha. Wrote a simple script using pytesseract to recognize the captcha and bruteforce the login form. After 10 minutes got the password for one of the approved team accounts.
import sys
import io
import re
import requests
import pytesseract