wtf

  • Author: Vlad Roskov (v0s)
  • Language: PHP
  • Idea: Old versions of Apache accept requests consisting of a single word, which triggers /index.php and treats the word as REQUEST_METHOD
  • Bugs: backdoor triggered via CRC32 forcing, SQL injection, RCE via IV manipulation

Vulns

  1. Obvious backdoor in the plaintext part. Trigger by constructing an SQL query and forcing its CRC32 to 0xDEADdbDB using e.g. crchack

    Example SQL query

  2. Simple SQL injection inside get/put API methods

    Exploit

  3. RCE via IV manipulation

    Exploit

Development stages

Here