Exploit Blind SQL Injection to deserialize objects and execute code | Elf Resources @ X-MAS CTF 2022 скачать в хорошем качестве

Exploit Blind SQL Injection to deserialize objects and execute code | Elf Resources @ X-MAS CTF 2022

Elf Resources is an easy-to-medium web challenge from the X-MAS CTF 2022, involving the exploitation of a blind SQL Injection in order to retrieve some python objects and then exploit an arbitrary deserialization vulnerability to exfiltrate the flag. === Timestamp === 00:00 - Intro 00:22 - Attack surface analyses 00:43 - Testing the Elf's Id parameter 01:31 - Installing Hackvector 01:42 - Exploitation of the SQL Injection with sqlmap 02:31 - Elf's data column analyses 02:49 - Wrap up about serialization, deserialization, and pickle 03:21 - Attack planning and assumptions 03:38 - Understanding and reproducing the object with a custom script 04:03 - Assumptions about the implementation of the API and how to attack it 05:10 - Exploiting blind SQL Injection and arbitrary deserialization to exfiltrate the flag 05:42 - Exfiltrate and analyze the vulnerable code 06:30 - Vulnerability remediations and suggestions 06:47 - Conclusion If you enjoyed the video leave a like and subscribe to my channel! For writeups in text format or other articles related to Ethical Hacking go to my blog: https://maoutis.github.io/ --- Would you like to support my work? Offer me a virtual coffee :) https://www.buymeacoffee.com/0xbro Check out my socials: Twitter:   / 0xbro1   Linkedin:   / mattia-0xbro-brollo-b4129614b   Shout-out to those who supported me during the CTF: https://github.com/m3ssap0 https://negromarco.it/ https://morelli.dev/ https://bullsoc.com/ Tags: #XMASCTF #sqlinjection #ctf #hacking