Blog

A real-world pre-auth RCE chain: exposed CKFinder with no authentication, null byte filter bypass to upload a .cfm webshell, and OS command execution via ColdFusion cfexecute. Full PoC walkthrough.

Detailed vulnerability analysis of an Authenticated Remote Code Execution (RCE) in FacturaScripts (<= 2026). Explore the PoC via malicious plugin upload and learn about server hardening mitigations.

Explore the technical analysis of the Authenticated Remote Code Execution (RCE) vulnerability in EspoCRM <= v9.3.4. Learn how malicious extension uploads can lead to full OS command execution and find mitigation strategies. Official PoC and exploit details included.

This blog post explains the black-box exploitation of Composite C1 CMS via CVE-2019-18211. The deserialization vulnerability in the EntityTokenSerializer class allows attackers to achieve remote code execution (RCE) on the server. Step-by-step attack and mitigation recommendations are provided.

A detailed walkthrough of **Chain Lab** from **CyberExam.io**, demonstrating a Flask web app's **authentication bypass**, **SQL injection**, **hash cracking**, and **RCE exploitation**. Learn how to chain web vulnerabilities for real-world penetration testing.

Learn how to exploit Flask authentication and remote code execution (RCE) vulnerabilities in the Chain Lab challenge on CyberExam. This step-by-step writeup demonstrates bypassing Flask session authentication, uploading a reverse shell payload, and gaining full control over the system.

Explore the detection and exploitation of CVE-2022-29464, a critical vulnerability in WSO2 products that allows remote code execution. Learn how to bypass Cloudflare's security and achieve shell access with a custom web shell. This article provides a detailed step-by-step guide, highlighting important lessons in web application security and the need for constant testing and updating of defense mechanisms.