Hi, this blog post is just a short post to address the technique part in one of my Red Team cases last year. I believe it's worth sharing, so I reproduced this in my lab environment and made this topic. This topic is also presented in RealWorld CTF Live Forum and OWASP Hong Kong 2021 Techday. It's also on YouTube now! Although it is speaking in Mandarin, the slides and subtitles are in English :P
- [Slides] A Journey Combining Web Hacking and Binary Exploitation in Real World!
- [Video] A Journey Combining Web Hacking and Binary Exploitation in Real World!
As a result, we combined a type juggling 0day on PHPWind to crack the secret key and PHP Use-After-Free(CVE-2015-0273) on an encrypted PHPWind unserialized()
call to pop out shells on our target server. Since the target environment is unknown to us, the hard part is to build all things blindly. Although there is already a famous case about exploiting PHP Use-After-Free on PornHub Bug Bounty, our environment and exploitation steps are different! Here I would also like to thank my colleague Meh Chang for working together. Please check the slides and video for details!