tag:blogger.com,1999:blog-2987759532072489303Sat, 21 Mar 2026 07:39:49 +0000WebHackingRCECVEBugBountyPHPJavaXSSAuthentication BypassDeserializationExchangeHITCONProxyLogonProxyOracleProxyShellPwn2OwnCGIPadding OracleApacheBinary ExploitationCTFGithubJenkinsSQL InjectionSSL VPNSSRFCSPCache PoisoningGoogleHash TableIISJRMPMDMMicrosoftNTLMProxyNotShellProxyRelayRPCRelayThis is Orange Speaking :)http://orange-tw.blogspot.com/noreply@blogger.com (Orange Tsai)Blogger93125en-usnoThis is Orange Speaking :)noreply@blogger.comtag:blogger.com,1999:blog-2987759532072489303.post-63371703473550635Fri, 09 Aug 2024 03:00:00 +00002024-08-12T18:52:09.755+08:00ApacheAuthentication BypassCGICVEPHPRCEWebHacking Orange Tsai (@orange_8361)  |  繁體中文版本  |  English VersionHey there! This is my research on Apache HTTP Server presented at Black Hat USA 2024. Additionally, this research will also be presented at HITCON and OrangeCon. If you’re interested in getting a preview, you can check the slides here: Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! Also,http://orange-tw.blogspot.com/2024/08/confusion-attacks-en.htmlnoreply@blogger.com (Orange Tsai)0tag:blogger.com,1999:blog-2987759532072489303.post-7490293080162529882Fri, 09 Aug 2024 03:00:00 +00002024-08-12T18:51:36.878+08:00ApacheAuthentication BypassCGICVEPHPRCEWebHacking Orange Tsai (@orange_8361)  |  繁體中文版本  |  English Version嗨，這是我今年發表在 Black Hat USA 2024 上針對 Apache HTTP Server 的研究。 此外，這份研究也將在 HITCON 和 OrangeCon 上發表，有興趣搶先了解可點此取得投影片： Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! 另外也謝謝來自 Akamai 的友善聯繫！ 此份研究發表後第一時間他們也發佈了緩解措施 (詳情可參考 Akamai 的部落格)。TL;DR這篇文章探索了 Apache HTTP Server 中存在的架構問題，介紹了數個 Httpd 的架構債，包含 3 種不同的 http://orange-tw.blogspot.com/2024/08/confusion-attacks-ch.htmlnoreply@blogger.com (Orange Tsai)0tag:blogger.com,1999:blog-2987759532072489303.post-280209916334138832Thu, 06 Jun 2024 22:00:00 +00002024-06-07T14:47:32.303+08:00CGICVEPHPRCE This is a side story/extra bug while I’m preparing for my Black Hat USA presentation. I believe most of the details have already been covered in the official advisory (should be published soon). Although PHP-CGI has gradually been phased out over time, this vulnerability affects XAMPP for Windows by default, allowing unauthenticated attackers to execute arbitrary code on remote XAMPP http://orange-tw.blogspot.com/2024/06/cve-2024-4577-yet-another-php-rce.htmlnoreply@blogger.com (Orange Tsai)0tag:blogger.com,1999:blog-2987759532072489303.post-7381055862186784874Sat, 12 Aug 2023 08:00:00 +00002023-08-17T01:16:12.064+08:00RCEWebHackingTL;DR for Hackers & Researchers: this is a more conceptual talk for web developers. All are in Mandarin but you can check the slides here if interested.好久沒有打部落格了，紀錄一下這次我在 WebConf 2023 上的演講，大概就是把 Web Security 這十年的演化趨勢分類、並給出相對應的攻擊手法當案例，雖然沒配演講看投影片應該不知道在供三小，不過有興趣還是可以點這邊獲得投影片!由於聽眾皆為網站開發者 (涵蓋前端、後端甚至架構師)，因此選用的攻擊手法力求簡單、可快速理解又有趣，不談到防禦手法也在因為短短 45 分鐘內絕對涵蓋不完，所以給自己訂下的小目標是: 只要有一項也好，如果開發者遇到同樣場景、腦中會跳出個http://orange-tw.blogspot.com/2023/08/2023-webconf-the-evolution-of-web-security.htmlnoreply@blogger.com (Orange Tsai)0tag:blogger.com,1999:blog-2987759532072489303.post-9170173093020925587Wed, 19 Oct 2022 07:58:00 +00002022-10-19T15:58:50.274+08:00Authentication BypassCVEExchangeNTLMProxyLogonProxyNotShellProxyOracleProxyRelayProxyShellPwn2OwnRCERelayRPCWebHacking This is a cross-post blog from DEVCORE. You can check the series on: A New Attack Surface on MS Exchange Part 1 - ProxyLogon! A New Attack Surface on MS Exchange Part 2 - ProxyOracle! A New Attack Surface on MS Exchange Part 3 - ProxyShell! A New Attack Surface on MS Exchange Part 4 - ProxyRelay! Hi, this is a long-time-pending article. We could http://orange-tw.blogspot.com/2022/10/proxyrelay-a-new-attack-surface-on-ms-exchange-part-4.htmlnoreply@blogger.com (Orange Tsai)0台灣23.69781 120.960515-27.969674791403595 50.648015 75.3652947914036 -168.726985tag:blogger.com,1999:blog-2987759532072489303.post-3868021539939094436Wed, 17 Aug 2022 16:00:00 +00002022-08-18T01:31:06.420+08:00Authentication BypassBinary ExploitationBugBountyCache PoisoningCVEHash TableIISMicrosoftWebHacking Hi, this is my fifth time speaking at Black Hat USA and DEFCON. You can get the slide copy and video there: Let’s Dance in the Cache - Destabilizing Hash Table on Microsoft IIS (slides) Let’s Dance in the Cache - Destabilizing Hash Table on Microsoft IIS (video - TBD) As the most fundamental Data Structure in Computer Science, Hash Table is extensively http://orange-tw.blogspot.com/2022/08/lets-dance-in-the-cache-destabilizing-hash-table-on-microsoft-iis.htmlnoreply@blogger.com (Orange Tsai)0tag:blogger.com,1999:blog-2987759532072489303.post-8052790033965476461Wed, 18 Aug 2021 15:08:00 +00002022-10-19T16:45:35.613+08:00ExchangePadding OracleProxyLogonProxyOracleProxyShellPwn2OwnRCEWebHackingXSS Author: Orange Tsai(@orange_8361) from DEVCORE P.S. This is a cross-post blog from Zero Day Initiative (ZDI) This is a guest post DEVCORE collaborated with Zero Day Initiative (ZDI) and published at their blog, which describes the exploit chain we demonstrated at Pwn2Own 2021!  Please visit the following link to read that :)FROM PWN2OWN 2021http://orange-tw.blogspot.com/2021/08/proxyshell-a-new-attack-surface-on-ms-exchange-part-3.htmlnoreply@blogger.com (Orange Tsai)0tag:blogger.com,1999:blog-2987759532072489303.post-217206737184460687Fri, 06 Aug 2021 15:57:00 +00002022-10-19T16:45:32.907+08:00ExchangePadding OracleProxyLogonProxyOracleProxyShellPwn2OwnRCEWebHackingXSS Author: Orange Tsai(@orange_8361) P.S. This is a cross-post blog from DEVCORE Hi, this is the part 2 of the New MS Exchange Attack Surface. Because this article refers to several architecture introductions and attack surface concepts in the previous article, you could find the first piece here: A New Attack Surface on MS Exchange Part 1 http://orange-tw.blogspot.com/2021/08/proxyoracle-a-new-attack-surface-on-ms-exchange-part-2.htmlnoreply@blogger.com (Orange Tsai)1tag:blogger.com,1999:blog-2987759532072489303.post-674306214530021249Fri, 06 Aug 2021 15:57:00 +00002022-10-19T16:45:05.512+08:00ExchangePadding OracleProxyLogonProxyOracleProxyShellPwn2OwnRCEWebHackingXSS Author: Orange Tsai(@orange_8361) P.S. This is a cross-post blog from DEVCORE The series of A New Attack Surface on MS Exchange:A New Attack Surface on MS Exchange Part 1 - ProxyLogon!A New Attack Surface on MS Exchange Part 2 - ProxyOracle!A New Attack Surface on MS Exchange Part 3 - ProxyShell!A New Attack Surface on MS Exchange Part 4 - ProxyRelay! http://orange-tw.blogspot.com/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.htmlnoreply@blogger.com (Orange Tsai)1tag:blogger.com,1999:blog-2987759532072489303.post-6717899733046637874Wed, 24 Feb 2021 07:00:00 +00002021-02-24T22:07:41.643+08:00Binary ExploitationCVEDeserializationHITCONPHPRCEWebHacking Hi, this blog post is just a short post to address the technique part in one of my Red Team cases last year. I believe it's worth sharing, so I reproduced this in my lab environment and made this topic. This topic is also presented in RealWorld CTF Live Forum and OWASP Hong Kong 2021 Techday. It's also on YouTube now! Although it is speaking in Mandarin, the slides and subtitles are http://orange-tw.blogspot.com/2021/02/a-journey-combining-web-and-binary-exploitation.htmlnoreply@blogger.com (Orange Tsai)8tag:blogger.com,1999:blog-2987759532072489303.post-3108587654264579897Sat, 12 Sep 2020 09:25:00 +00002020-09-13T16:13:33.604+08:00BugBountyCVEDeserializationHITCONJavaMDMRCEWebHacking Author: Orange TsaiThis is a cross-post blog from DEVCORE. 中文版請參閱這裡 Hi, it’s a long time since my last article. This new post is about my research this March, which talks about how I found vulnerabilities on a leading Mobile Device Management product and bypassed several limitations to achieve unauthenticated RCE. All the vulnerabilities have been reported to the vendor and http://orange-tw.blogspot.com/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.htmlnoreply@blogger.com (Orange Tsai)17tag:blogger.com,1999:blog-2987759532072489303.post-7734075457001825871Mon, 11 Nov 2019 10:15:00 +00002019-12-27T07:41:16.988+08:00CVERCE For non-native readers, this is a writeup of my DEVCORE Conference 2019 talk. Describe a misconfiguration that exposed a magic service on port 3097 on our country's largest ISP, and how we find RCE on that to affect more than 250,000 modems :P 大家好，我是 Orange! 這次的文章，是我在 DEVCORE Conference 2019 上所分享的議題，講述如何從中華電信的一個設定疏失，到串出可以掌控數十萬、甚至數百萬台的家用數據機漏洞! 前言 身為 DEVCORE 的研究團隊，我們的工作http://orange-tw.blogspot.com/2019/11/HiNet-GPON-Modem-RCE.htmlnoreply@blogger.com (Orange Tsai)11tag:blogger.com,1999:blog-2987759532072489303.post-5977903639391208144Tue, 29 Oct 2019 16:45:00 +00002019-10-30T22:46:40.209+08:00CVEPHPRCE First of all, this is such a really interesting bug! From a small memory defect to code execution. It combines both binary and web technique so that’s why it interested me to trace into. This is just a simple analysis, you can also check the bug report and the author neex’s exploit to know the original story :D Originally, this write-up should be published earlier, but I am now traveling andhttp://orange-tw.blogspot.com/2019/10/an-analysis-and-thought-about-recently.htmlnoreply@blogger.com (Orange Tsai)4tag:blogger.com,1999:blog-2987759532072489303.post-2767570323381203634Mon, 02 Sep 2019 14:00:00 +00002019-09-03T00:18:22.002+08:00BugBountyCVERCESQL InjectionSSL VPNSSRFWebHacking Author: Orange Tsai(@orange_8361) and Meh Chang(@mehqq_) P.S. This is a cross-post blog from DEVCORE Hi, this is the last part of Attacking SSL VPN series. If you haven’t read previous articles yet, here are the quick links for you: Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs Attacking SSL VPN - Part 1: PreAuth RCE on Palo Alto GlobalProtect, with Uber as http://orange-tw.blogspot.com/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.htmlnoreply@blogger.com (Orange Tsai)8tag:blogger.com,1999:blog-2987759532072489303.post-6381319859462987788Fri, 09 Aug 2019 20:53:00 +00002019-09-02T19:32:44.706+08:00CVERCESSL VPN Author: Meh Chang(@mehqq_) and Orange Tsai(@orange_8361) This is also the cross-post blog from DEVCORE Last month, we talked about Palo Alto Networks GlobalProtect RCE as an appetizer. Today, here comes the main dish! If you cannot go to Black Hat or DEFCON for our talk, or you are interested in more details, here is the slides for you! Infiltrating Corporate Intranet Like NSA: Pre-auth http://orange-tw.blogspot.com/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.htmlnoreply@blogger.com (Orange Tsai)7tag:blogger.com,1999:blog-2987759532072489303.post-478025510206587411Wed, 17 Jul 2019 12:27:00 +00002019-07-17T20:35:49.386+08:00BugBountyCVERCE Author: Orange Tsai(@orange_8361) and Meh Chang(@mehqq_) P.S. This is a cross-post blog from DEVCORE SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? They’re exposed to the Internet, trusted to reliably guard the only way to your intranet. Once the SSL VPN server is compromised, attackers can infiltrate your Intranet and even takehttp://orange-tw.blogspot.com/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.htmlnoreply@blogger.com (Orange Tsai)14tag:blogger.com,1999:blog-2987759532072489303.post-2571910671656030400Tue, 12 Mar 2019 12:00:00 +00002019-03-14T18:09:44.498+08:00CSPWebHackingXSS 在 Web Security 中，我喜歡伺服器端的漏洞更勝於客戶端的漏洞!(當然可以直接拿 shell 的客戶端洞不在此限XD) 因為可以直接控制別人的伺服器對我來說更有趣! 正因如此，我以往的文章對於 XSS 及 CSRF 等相關弱點也較少著墨(仔細翻一下也只有 2018 年 Google CTF 那篇XD)，剛好這次的漏洞小小有趣，秉持著教育及炫耀(?)的心態就來發個文了XD 最近需要自架共筆伺服器，調查了一些市面上支援 Markdown 的共筆平台，最後還是選擇了國產的 HackMD! 當然，對於自己要使用的軟體都會習慣性的檢視一下安全性，否則怎麼敢放心使用? 因此花了約半天對 HackMD 進行了一次原始碼檢測(Code Review)! HackMD 是一款由台灣人自行研發的線上 Markdown 共筆系統，除了在台灣資訊圈流行外，也被許多台灣研討會如 COSCUP,http://orange-tw.blogspot.com/2019/03/a-wormable-xss-on-hackmd.htmlnoreply@blogger.com (Orange Tsai)3tag:blogger.com,1999:blog-2987759532072489303.post-4992859796278385546Tue, 19 Feb 2019 12:00:00 +00002020-02-15T00:41:39.056+08:00CVEJavaJenkinsRCEWebHacking This is also a cross-post blog from DEVCORE, this post is in English, 而這裡是中文版本! #2019-02-22-updated #2019-05-10-updated #2019-05-10-released-exploit code awesome-jenkins-rce-2019 #2019-07-02-updated the slides is out! --- Hello everyone! This is the Hacking Jenkins series part two! For those people who still have not read the part one yet, you can check following link to get some basis and http://orange-tw.blogspot.com/2019/02/abusing-meta-programming-for-unauthenticated-rce.htmlnoreply@blogger.com (Orange Tsai)13tag:blogger.com,1999:blog-2987759532072489303.post-4289153678951352252Wed, 16 Jan 2019 12:10:00 +00002019-03-12T11:41:06.522+08:00CVEJavaJenkinsSSRFWebHacking This is a cross-post blog from DEVCORE, this post is in English, 而這裡是中文版本! # Part two is out, please check this --- In software engineering, the Continuous Integration and Continuous Delivery is a best practice for developers to reduce routine works. In the CI/CD, the most well-known tool is Jenkins. Due to its ease of use, awesome Pipeline system and integration of Container, Jenkins is http://orange-tw.blogspot.com/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.htmlnoreply@blogger.com (Orange Tsai)0tag:blogger.com,1999:blog-2987759532072489303.post-6842416429319259007Tue, 23 Oct 2018 16:19:00 +00002018-10-24T15:41:58.203+08:00CTFDeserializationHITCONPHPRCEWebHacking In every year’s HITCON CTF, I will prepare at least one PHP exploit challenge which the source code is very straightforward, short and easy to review but hard to exploit! I have put all my challenges in this GitHub repo you can check, and here are some lists :P 2017 Baby^H Master PHP 2017 (0/1541 solved) Phar protocol to deserialize malicious object Hardcode anonymous function http://orange-tw.blogspot.com/2018/10/hitcon-ctf-2018-one-line-php-challenge.htmlnoreply@blogger.com (Orange Tsai)6tag:blogger.com,1999:blog-2987759532072489303.post-5488483660931122730Fri, 10 Aug 2018 20:10:00 +00002018-08-11T08:16:59.515+08:00BugBountyRCEWebHacking Hi! This is the case study in my Black Hat USA 2018 and DEFCON 26 talk, you can also check slides here: Breaking Parser Logic! Take Your Path Normalization Off and Pop 0days Out In past two years, I started to pay more attention on the “inconsistency” bug. What's that? It’s just like my SSRF talk in Black Hat and GitHub SSRF to RCE case last year, finding inconsistency between the URL parserhttp://orange-tw.blogspot.com/2018/08/how-i-chained-4-bugs-features-into-rce-on-amazon.htmlnoreply@blogger.com (Orange Tsai)7tag:blogger.com,1999:blog-2987759532072489303.post-5399632956880834840Wed, 27 Jun 2018 07:40:00 +00002018-06-30T03:41:26.372+08:00CTFGoogleXSS gCalc is the web challenge in Google CTF 2018 quals and only 15 teams solved during 2 days’ competition! This challenge is a very interesting challenge that give me lots of fun. I love the challenge that challenged your exploit skill instead of giving you lots of code to find a simple vulnerability or guessing without any hint. So that I want to write a writeup to note this :P The challengehttp://orange-tw.blogspot.com/2018/06/google-ctf-2018-quals-web-gcalc.htmlnoreply@blogger.com (Orange Tsai)1tag:blogger.com,1999:blog-2987759532072489303.post-5804660873018215532Mon, 26 Mar 2018 12:00:00 +00002018-04-02T23:10:24.280+08:00DeserializationJavaJRMPRCEWebHacking 打 CTF 打膩覺得沒啥新鮮感嗎，來試試打掉整個 CTF 計分板吧! 前幾個月，剛好看到某個大型 CTF 比賽開放註冊，但不允許台灣參加有點難過 :(看著官網最下面發現是 FlappyPig 所主辦，又附上 GitHub 原始碼 秉持著練習 Java code review 的精神就 git clone 下來找洞了! (以下測試皆在 FlappyPig 的允許下友情測試，漏洞回報官方後也經過同意發文)在有原始碼的狀況下進行 Java 的 code review 第一件事當然是去了解第三方 Libraries 的相依性，關於 Java 的生態系我也在幾年前的文章小小分享過，當有個底層函式庫出現問題時是整個上層的應用皆受影響!從 pom.xml 觀察發現用了Spring Framework 4.2.4從版本來看似乎很棒沒什麼重大問題 http://orange-tw.blogspot.com/2018/03/pwn-ctf-platform-with-java-jrmp-gadget.htmlnoreply@blogger.com (Orange Tsai)21tag:blogger.com,1999:blog-2987759532072489303.post-9005955775564293093Sun, 21 Jan 2018 15:21:00 +00002018-01-22T01:05:06.949+08:00CVEPHPWebHacking Author: Orange Tsai(@orange_8361) from DEVCORE Recently, I reviewed several Web frameworks and language implementations, and found some vulnerabilities. This is an simple and interesting case, and seems easy to exploit in real world! Affected All PHP version PHP 5 < 5.6.33 PHP 7.0 < 7.0.27 PHP 7.1 < 7.1.13 PHP 7.2 < 7.2.1 Vulnerability Details The vulnerability is on the http://orange-tw.blogspot.com/2018/01/php-cve-2018-5711-hanging-websites-by.htmlnoreply@blogger.com (Orange Tsai)2tag:blogger.com,1999:blog-2987759532072489303.post-2630067573832743873Fri, 28 Jul 2017 06:00:00 +00002017-07-29T04:05:54.247+08:00BugBountyGithubRCEWebHacking Hi, it’s been a long time since my last blog post. In the past few months, I spent lots of time preparing for the talk of Black Hat USA 2017 and DEF CON 25. Being a Black Hat and DEFCON speaker is part of my life goal ever. This is also my first English talk in such formal conferences. It's really a memorable experience :P Thanks Review Boards for the acceptance. This post is a simple http://orange-tw.blogspot.com/2017/07/how-i-chained-4-vulnerabilities-on.htmlnoreply@blogger.com (Orange Tsai)18