https://jacktaylor.tech/Recent content on Jack TaylorHugoenjack@jacktaylor.tech (Jack Taylor)jack@jacktaylor.tech (Jack Taylor)Sun, 12 Apr 2026 00:47:49 +0900https://jacktaylor.tech/2026/04/how-i-found-sql-injection-on-100000-wordpress-sites/Sun, 12 Apr 2026 00:47:49 +0900jack@jacktaylor.tech (Jack Taylor)https://jacktaylor.tech/2026/04/how-i-found-sql-injection-on-100000-wordpress-sites/<p>I recently reported an unauthenticated <a href="https://en.wikipedia.org/wiki/SQL_injection">SQL injection</a> in <a href="https://www.relevanssi.com/">Relevanssi</a>, a WordPress search plugin that was active on more than 100,000 sites. There were two things that made this bug especially fun to work on: first, a type confusion issue where input that only <em>looked</em> like a numeric term ID could carry extra SQL with it, and second, an exploitation trick where one SQL injection payload was smuggled inside another in order to get around the limitations of the first query.</p>https://jacktaylor.tech/2022/05/nahamcon-2022-ctf-write-up-flaskmetal-alchemist/Sun, 01 May 2022 10:53:18 +0900jack@jacktaylor.tech (Jack Taylor)https://jacktaylor.tech/2022/05/nahamcon-2022-ctf-write-up-flaskmetal-alchemist/<p>One of the most fun challenges in NahamCon 2022 was Flaskmetal Alchemist. This is a medium web challenge that involves an SQL injection that is relatively easy to spot, but tricky to exploit. I learned a few new things from this, so hopefully this write-up will provide inspiration to all you reading this. In this post I will walk you through my thought process and how I eventually exploited the vulnerability.</p>https://jacktaylor.tech/2022/04/proxy-owasp-zap-through-a-vps/Sat, 02 Apr 2022 11:45:00 +0900jack@jacktaylor.tech (Jack Taylor)https://jacktaylor.tech/2022/04/proxy-owasp-zap-through-a-vps/<p>If you do any kind of penetration testing or bug bounty hunting from your home PC, then as a necessity you will be sending malicious-looking traffic to your target. If your target happens to be protected by Akamai or CloudFlare, and you don&rsquo;t take any special precautions, then unfortunate things may happen. Unfortunate, as in your home IP gets <a href="https://www.doyler.net/security-not-included/akamai-internet-banned">blocked from half the sites on the internet</a>.</p> <p>To avoid this, you need to make your web traffic look like it came from a different IP address than it actually did. This means using some kind of proxy server. There are a few different ways you can do this, but my preferred way is to use a virtual private server (VPS) rented out from a cloud provider.</p>https://jacktaylor.tech/2018/03/100-days-of-machine-learning/Wed, 21 Mar 2018 17:55:21 +0900jack@jacktaylor.tech (Jack Taylor)https://jacktaylor.tech/2018/03/100-days-of-machine-learning/<p>When I started my first developer job last August, I made a promise to myself. Landing the job was the culmination of several years of hard work: learning Japanese, learning how to program, preparing for the <a href="https://jacktaylor.tech/2017/03/introducing-the-information-technology-engineers-examination/">FE Exam</a>, and learning how to job-hunt the Japanese way. In my new job I was working in a new environment, in a new industry, and in a second language. I knew it was going to take time to adjust. However, I also knew that once I had got over that initial hurdle it would be all too easy to just coast&mdash;to learn just enough to do the job, but nothing more.</p> <p>My promise was this: after I had settled in to my job, I would continue to learn.</p>https://jacktaylor.tech/2017/03/installing-hugo-on-fedora-25/Mon, 27 Mar 2017 11:08:35 +0900jack@jacktaylor.tech (Jack Taylor)https://jacktaylor.tech/2017/03/installing-hugo-on-fedora-25/<p>For those not in the know, <a href="https://gohugo.io/">Hugo</a> is an amazing tool for building static websites&mdash;including the one you&rsquo;re reading right now. There are no RPMs available, though, so if you&rsquo;re using <a href="https://getfedora.org/">Fedora</a> or another RPM-based Linux distro, then you might think you&rsquo;re out of luck.</p> <p>In my case, when I saw that there were no Hugo RPMs, I looked to see if there were any unofficial ones. There were, but only for Hugo v0.16, and I needed v0.17 or later for the support for multilingual sites. So no luck there. Then I investigated installing it using <a href="https://snapcraft.io/">snap</a>, but Fedora doesn&rsquo;t support snaps out of the box, and I&rsquo;m still slightly skeptical of the idea of using snaps on my system. Then I looked into installing Hugo from source, but it requires <a href="https://golang.org/">Go</a> 1.8+, and Fedora 25 only has 1.7 in the official repositories. It was around this time that I started getting jealous of <a href="https://www.ubuntu.com/">Ubuntu</a> users&rsquo; ability to do a simple <code>sudo apt-get install hugo</code>. Would I have to replace my OS or set up a virtual machine just to make my website?</p> <p>Thankfully, in the end, the solution was simple.</p>https://jacktaylor.tech/2017/03/introducing-the-information-technology-engineers-examination/Thu, 16 Mar 2017 19:55:21 +0900jack@jacktaylor.tech (Jack Taylor)https://jacktaylor.tech/2017/03/introducing-the-information-technology-engineers-examination/<p>In May last year I passed the Fundamental Information Technology Engineers Examination.</p> <h4 id="the-what">The what?</h4> <p>The <a href="https://www.jitec.ipa.go.jp/index-e.html">Fundamental Information Technology Engineers Examination</a>, or FE for short. It&rsquo;s the most rigorous and widely-taken IT exam that you&rsquo;ve never heard of.</p> <h4 id="go-on-then-why-have-i-never-heard-of-it">Go on, then. Why have I never heard of it?</h4> <p>Probably because it&rsquo;s administered by a Japanese quasi-governmental organisation, in Japan, and it&rsquo;s all in Japanese.</p>https://jacktaylor.tech/page/about/Fri, 10 Mar 2017 22:33:37 +0900jack@jacktaylor.tech (Jack Taylor)https://jacktaylor.tech/page/about/<p>I am a software developer living in Sapporo, Hokkaido, Japan. My interests include Wikimedia, machine learning, and all things Python.</p>