This video is about local SQLinjection vulnerability in Linux and MacOS desktop applications of Zoom – conference app that gained even more popularity as remote meeting got more common in 2020. Exploiting the SQLi required to bypass doubling quotes protection that Zoom app used.

Original writeup:
Keegan’s twitter:

Follow me on twitter:

00:00 Intro
00:25 Initial discovery – zoommtg:// links
01:24 Analysing the binary
03:06 SQLi protection
03:55 ASCII & UTF-8
05:17 bypassing the SQLi protection
06:45 Impact


Add comment

Your email address will not be published. Required fields are marked *