This POC demonstrates method for obtaining GPG private keys from gpg-agent memory under Windows. Normally this should be possible only within 10 minutes time frame (--default-cache-ttl value).

Obtain passwords from JetBrains IDE (like IntelliJ or PyCharm) and use those credentials inside TeamCity Continuous Integration Server

If you have Burp Pro, issues will also appear inside Scanner tab. Interesting things will be highlighted.

$_SERVER['PHP_AUTH_PW'] is directly passed to exec function.

We can access registerExternalLog without any user credentials.

$_GET['uploaddir'] is not escaped and passed to system() through $tmp_upload_dir.

CVE-2017-11151 allows remote attackers to upload arbitrary files to the specified directories.

When uploading a file, the FileUploadServlet class does not check the user-controlled fileName parameter using hasVulnerabilityInFileName function.