While I was working on a famous bug bounty program, WPScan returned the list of plugins installed on the WordPress site. Here is what I found in one of them: Image Gallery by Huge-IT.

WPScan output, no known issues:

[+] Name: gallery-images - v1.8.6  
 |  Location: https://[REDACTED]/wp-content/plugins/gallery-images/  
 |  Readme: https://[REDACTED]/wp-content/plugins/gallery-images/readme.txt  

After a quick search on exploit-db.com with no success, I finally decided to download the plugin and read the code to find vulnerabilities myself. Since the readme was available, I was able to confirm the version of the plugin.

I was looking for two kinds of vulnerabilities: file upload and SQL injection. The first thing I did was locate the PHP files and grep them for header() calls, looking for a Content-Disposition header:

$ find . -name "*.php*" | xargs grep -i header
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:		/*HEIGHT FROM HEADER.PHP*/
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./Front_end/gallery_front_end_view.php:							header("Location:".$actual_link."");
./admin/gallery_func.php:			header('Location: admin.php?page=gallerys_huge_it_gallery&id='.$rowsldccs->id.'&task=apply');
./admin/gallery_view.php:	header('Location: admin.php?page=gallerys_huge_it_gallery&id='.$row->id.'&task=apply');
./admin/gallery_view.php:	<div id="gallery-header">
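As an added illustration (not part of the original post and not Huge-IT's code), here is a small Python helper that automates the triage the grep above starts: it walks a plugin directory like `find . -name "*.php"`, flags header(), file-upload and $wpdb query sinks, and marks the lines where raw request input ($_GET, $_POST, $_FILES, ...) reaches a sink without $wpdb->prepare(). The sample plugin it writes to a temp directory is constructed for the demo: the path admin/gallery_view.php is taken from the grep output, but the PHP inside it and admin/upload.php are invented, not the plugin's real source.

```python
import os
import re
import tempfile

# Sinks worth a manual look when reviewing a WordPress plugin for file-upload
# and SQL-injection bugs: (label, regex). Tighter than a plain `grep -i header`,
# which also matches comments such as /*HEIGHT FROM HEADER.PHP*/ and HTML ids.
SINKS = [
    ("header", re.compile(r"\bheader\s*\(", re.I)),
    ("file-upload", re.compile(r"\bmove_uploaded_file\s*\(|\$_FILES\b", re.I)),
    ("sql-query", re.compile(
        r"\$wpdb\s*->\s*(?:query|get_results|get_row|get_var|get_col)\s*\(|\bmysqli?_query\s*\(", re.I)),
]
# Raw request input on the same line as a sink is the strongest signal, unless
# the value is passed through $wpdb->prepare() (placeholder-based escaping).
USER_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|FILES)\b")
PREPARED = re.compile(r"\$wpdb\s*->\s*prepare\s*\(")


def scan_php_source(rel_path, source):
    """Return (path, line_no, sink_label, tainted, code) for every sink hit in one file."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for label, rx in SINKS:
            if rx.search(line):
                tainted = bool(USER_INPUT.search(line)) and not PREPARED.search(line)
                findings.append((rel_path, line_no, label, tainted, line.strip()))
    return findings


def scan_tree(root):
    """Walk a plugin directory and scan every .php file, in a deterministic order."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # os.walk honours in-place sorting of the subdirectory list
        for name in sorted(filenames):
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_php_source(rel, fh.read()))
    return findings


def tainted_findings(findings):
    """Only the hits where request input reaches the sink without prepare()."""
    return [f for f in findings if f[3]]


# Constructed sample plugin (the PHP is invented for this demo, not the plugin's code).
SAMPLE_PLUGIN = {
    "admin/gallery_view.php": (
        "<?php\n"
        "header('Location: admin.php?page=gallerys_huge_it_gallery&id=' . $row->id);\n"
        "$rows = $wpdb->get_results(\"SELECT * FROM \" . $wpdb->prefix . \"gallery WHERE id=\" . $_GET['id']);\n"
        "$safe = $wpdb->get_results($wpdb->prepare(\"SELECT * FROM {$wpdb->prefix}gallery WHERE id=%d\", $_GET['id']));\n"
        "/* HEIGHT FROM HEADER.PHP */\n"
    ),
    "admin/upload.php": (
        "<?php\n"
        "move_uploaded_file($_FILES['image']['tmp_name'], $dir . $_FILES['image']['name']);\n"
    ),
}


def write_sample_plugin():
    """Materialise SAMPLE_PLUGIN in a fresh temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="plugin-audit-")
    for rel, content in SAMPLE_PLUGIN.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, line_no, label, tainted, code in scan_tree(write_sample_plugin()):
        flag = "TAINTED" if tainted else "review "
        print(f"{flag} {path}:{line_no} [{label}] {code}")
```

Every hit still needs a human read: the scanner only sees one line at a time, so input assigned to a variable a few lines earlier and concatenated later is reported as "review", not "TAINTED". The point of the tool is to shrink the grep output to the handful of lines worth reading, exactly the job the manual grep above is doing.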

Amazon Simple Storage Service, aka S3, is cloud storage for the Internet. You first create a bucket and can then upload any number of objects (photos, videos, documents, etc.) to it. However, if the permissions (ACL) are not properly configured, bad things can happen.

As recently disclosed by HackerOne, a misconfiguration in their Amazon Web Services S3 buckets allowed any authenticated user to write to them. From there an attacker could upload a malicious file and wait for someone to open it, or overwrite existing files.

When you crawl a website, you can check for the presence of S3 by intercepting calls to amazonaws.com. The bucket call can take different forms, for example: https://<aws_region>.amazonaws.com/<bucket_name>/<file_path>

Once you have the bucket name, you can run a number of tests with awscli to check its permissions. If you try to access a bucket that doesn't exist, you'll get this message:

$ aws s3 ls s3://gwen001-azertyuiop  
A client error (NoSuchBucket) occurred when calling the ListObjects operation: The specified bucket does not exist

If you try to run a command you are not allowed to, you'll get something like this:

$ aws s3 ls s3://gwen001-test000/
A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied
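As an added example (not part of the original post), the following Python turns the two steps above into reusable code: it pulls bucket names out of crawled content by matching the amazonaws.com address forms, and it maps the awscli messages quoted above onto a coarse permission state you can keep in an inventory. The region-host form is the one given above; the path-style and virtual-hosted forms are the other address styles S3 answers on, assumed here. The HTML fragment and the successful listing line are constructed; gwen001-azertyuiop and gwen001-test000 are the bucket names used above.

```python
import re

# Address shapes under which S3 serves objects. "region-host" mirrors the
# <region>.amazonaws.com/<bucket>/<path> form given above; the other two are
# S3's path-style and virtual-hosted forms (assumed here). The region-host
# fallback can also match non-S3 services on amazonaws.com, so treat such a
# hit as a candidate to verify, not a confirmed bucket.
S3_URL_STYLES = [
    ("path", re.compile(
        r"^https?://s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com/(?P<bucket>[^/?#]+)", re.I)),
    ("virtual-hosted", re.compile(
        r"^https?://(?P<bucket>[^/?#]+?)\.s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com(?:[/?#]|$)", re.I)),
    ("region-host", re.compile(
        r"^https?://(?P<region>[a-z0-9-]+)\.amazonaws\.com/(?P<bucket>[^/?#]+)", re.I)),
]
URL_RX = re.compile(r"https?://[^\s\"'<>()]+")


def parse_s3_url(url):
    """Return {'bucket', 'region', 'style'} if the URL points into S3, else None."""
    for style, rx in S3_URL_STYLES:
        m = rx.match(url)
        if m:
            return {"bucket": m.group("bucket"), "region": m.group("region"), "style": style}
    return None


def find_buckets(text):
    """Collect every bucket referenced in crawled content (HTML, JS, a HAR export ...)."""
    found = {}
    for url in URL_RX.findall(text):
        info = parse_s3_url(url)
        if info is not None:
            found.setdefault(info["bucket"], info)
    return found


def classify_ls_output(output):
    """Map the text printed by `aws s3 ls s3://<bucket>` onto a coarse permission state."""
    if "NoSuchBucket" in output:
        return "nonexistent"
    if "AccessDenied" in output:
        return "list-denied"
    if "error" in output.lower():
        return "other-error"
    return "listable"


# Constructed page fragment: two S3 references and one unrelated link.
SAMPLE_HTML = """<html><body>
<img src="https://s3.eu-west-1.amazonaws.com/gwen001-test000/img/logo.png">
<script src="https://static-assets-example.s3.amazonaws.com/app.js"></script>
<a href="https://www.example.com/about">About</a>
</body></html>"""

# The two awscli messages quoted above, plus a constructed successful listing line.
SAMPLE_LS_OUTPUTS = {
    "gwen001-azertyuiop": "A client error (NoSuchBucket) occurred when calling the ListObjects operation: The specified bucket does not exist",
    "gwen001-test000": "A client error (AccessDenied) occurred when calling the ListObjects operation: Access Denied",
    "static-assets-example": "2017-05-01 10:00:00       1234 app.js",
}

if __name__ == "__main__":
    for bucket, info in find_buckets(SAMPLE_HTML).items():
        print(f"bucket={bucket} region={info['region']} style={info['style']}")
    for bucket, out in SAMPLE_LS_OUTPUTS.items():
        print(f"{bucket}: {classify_ls_output(out)}")
```

Run against your own buckets, a "listable" result for a bucket you never meant to expose is the finding: fix the bucket ACL/policy and enable Block Public Access rather than relying on nobody spotting the hostname in your pages. Note that "list-denied" only tells you listing is refused; individual objects may still be readable by URL, so check GetObject separately.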

bWAPP is a PHP web application that is intentionally vulnerable. It covers a very large set of common vulns but also some unusual cases you can encounter on the Internet.

The goal here is to train your development skills and hacking knowledge so that you can write better (more secure) code. Compared to DVWA, consider bWAPP a much more advanced level of difficulty.



Written in Python by Miroslav Stampar, sqlmap is probably the best automated tool for detecting and exploiting SQL injection.

sqlmap fully supports many databases, such as MySQL, Microsoft SQL Server, PostgreSQL, Oracle (and many more), and is able to detect the following injection types: boolean-based blind, error-based, UNION-based, stacked queries, time-based blind, and inline queries. Depending on the target's status, sqlmap is also able to:

  • open an interactive SQL shell
  • download/upload files
  • open a web shell
  • crack hashed passwords using a dictionary attack
  • and a lot more…

Below are some examples of the main functions, using bWAPP as the target.

Basic usage

[screenshot: sqlmap basic usage]

In this example sqlmap has detected that the GET parameter title of the search function is vulnerable to SQL injection. Well done! It also found that 4 different types of injection can be used for exploitation. Note that sqlmap has also detected that the parameter is vulnerable to XSS attacks, which is unfortunately very common these days…

To test a POST field instead, you would write: --data="title=sqlitest&action=search"
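To make the finding concrete from the developer's side (the bWAPP goal above: learning to write more secure code), here is an added Python example, not code from the post, from bWAPP or from sqlmap. It reproduces the bug class reported on the title parameter against an in-memory SQLite table: a search that concatenates the input into the SQL text beside the same search with a bound parameter, plus the boolean-based probe sqlmap relies on, run against both so you can see why only the concatenated version reacts. The movie table and its rows are constructed.

```python
import sqlite3

# Constructed rows standing in for the bWAPP movie search sqlmap was pointed at.
MOVIES = [("The Matrix", 1999), ("Iron Man", 2008), ("Gravity", 2013)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT, release_year INTEGER)")
    conn.executemany("INSERT INTO movies (title, release_year) VALUES (?, ?)", MOVIES)
    return conn


def search_vulnerable(conn, title):
    """The bug class sqlmap reported on `title`: user input spliced into the SQL text,
    so quotes and comment markers in the input become SQL syntax."""
    sql = "SELECT title FROM movies WHERE title LIKE '%" + title + "%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, title):
    """Same feature with a bound parameter: the input is always data, never syntax.
    The wildcard is added to the value, not to the query string."""
    sql = "SELECT title FROM movies WHERE title LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + title + "%",))]


def is_injectable(search, conn):
    """Boolean-based blind check in the style sqlmap uses: two inputs that differ only
    in a true/false condition. If the result sets differ, the database evaluated the
    condition, i.e. the input reached the query as SQL. Use it as a regression test
    on your own search endpoints."""
    true_case = search(conn, "%' AND 1=1 --")
    false_case = search(conn, "%' AND 1=2 --")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", search_vulnerable), ("hardened", search_hardened)):
        print(f"{name}: search('Man') -> {fn(db, 'Man')}, injectable={is_injectable(fn, db)}")
```

With the concatenated query the true-case input yields every row (the WHERE clause collapses to `title LIKE '%%' AND 1=1` with the rest commented out) while the false case yields none; the parameterised query returns nothing for both, because the database is looking for titles that literally contain the probe string.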

In the next example, I’ll turn off the verbose mode.



Anyone who has ever dealt with server management knows the famous ping utility. Ping sends ICMP echo requests to a remote host; it's commonly used to test whether a server is alive or to find its IP address. However, ping's options allow us to customize these requests to some extent, and then it becomes possible to transfer any type of data. To prove the point, I tested my script with different media types such as PNG and MP3, and it worked perfectly.

The idea

By default ping requests are 98 bytes on the wire, including 56 bytes of data plus the various headers. With the -p option, ping lets you customize 16 of those 56 bytes:

[screenshot: ping test]

Here is the request captured with tcpdump on the remote host:

[screenshot: ping capture]

As you can see, the submitted string is repeated over and over until the end of the data area. If you provide a string longer than 16 bytes it will be truncated. From here, we can convert any data to hex and send it through ping requests.
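As an added example from the detection side (not part of the original post), the following Python classifies the 56-byte data of captured echo requests using exactly the property just described: a -p pattern is a short string repeated to the end of the buffer, so the bytes after the timestamp have a period of at most 16. It compares the payload with the default filler first, then looks for that short period, and also reports byte entropy to show why entropy alone is not enough. The baseline (an 8-byte timestamp followed by the incrementing filler 0x08, 0x09, ... up to 0x37) is assumed from Linux iputils ping; all payloads are constructed.

```python
import math

DATA_LEN = 56       # data bytes in a default echo request (56 of the 98 bytes on the wire)
TIMESTAMP_LEN = 8   # iputils ping stores a send timestamp in the first 8 data bytes (assumed)
MAX_PATTERN = 16    # -p accepts at most 16 pattern bytes; longer input is truncated


def default_filler(length=DATA_LEN):
    """Data a default Linux (iputils) ping carries: 8 timestamp bytes, then byte i == i
    for i = 8 .. length-1 (0x08, 0x09, ... 0x37 for 56 bytes). Assumed baseline;
    the timestamp is zeroed here because it varies per packet."""
    return bytes(TIMESTAMP_LEN) + bytes(i & 0xFF for i in range(TIMESTAMP_LEN, length))


def smallest_period(data, max_period=MAX_PATTERN):
    """Shortest p <= max_period such that data[i] == data[i % p] for all i, or None."""
    for p in range(1, max_period + 1):
        if all(data[i] == data[i % p] for i in range(len(data))):
            return p
    return None


def shannon_entropy(data):
    """Bits per byte over the payload; high for both the default filler and real data."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_echo_data(data):
    """Label one echo-request payload: 'default' (stock ping), 'custom-pattern'
    (a short string repeated to the end, the -p signature), or 'non-standard'."""
    body = data[TIMESTAMP_LEN:]
    if len(body) < MAX_PATTERN:
        return {"label": "too-short", "period": None, "entropy": 0.0}
    period = smallest_period(body)
    if body == default_filler(len(data))[TIMESTAMP_LEN:]:
        label = "default"
    elif period is not None:
        label = "custom-pattern"
    else:
        label = "non-standard"
    return {"label": label, "period": period, "entropy": round(shannon_entropy(body), 2)}


# Constructed payloads: stock ping, two -p style fills, and unstructured data.
SAMPLES = {
    "default ping": default_filler(),
    "-p 48656c6c6f ('Hello')": bytes(TIMESTAMP_LEN) + (b"Hello" * 10)[:48],
    "-p with a full 16-byte pattern": bytes(TIMESTAMP_LEN) + bytes(range(16)) * 3,
    "arbitrary data": bytes(TIMESTAMP_LEN) + bytes(range(0xFF, 0xFF - 48, -1)),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:32s} {classify_echo_data(payload)}")
```

Two things stand out when you run it: the stock filler and arbitrary data both score about 5.6 bits of entropy, so an entropy threshold on its own cannot tell a normal ping from a tunnelled one, while the period check isolates the -p case directly. In practice the classifier runs over the ICMP data field pulled from a pcap, and a host sending many "custom-pattern" or "non-standard" echo requests is the one to look at; rate-limiting or dropping ICMP echo with non-default payloads at the edge is the corresponding mitigation.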