Slide 1

Web based format injection, dumping memory like it's 99 or "Please help"
@fransrosen

Slide 2

Public Bug Bounty

Slide 3

RCE is 30,000 USD

Slide 4

Methodology
• Found a domain not like the other ones

Slide 5

Methodology
• Found a domain not like the other ones
• Legacy on-premise PHP-app acquired by a huge tech organization

Slide 6

Methodology
• Found a domain not like the other ones
• Legacy on-premise PHP-app acquired by a huge tech organization
• Old API-endpoints still available

Slide 7

Methodology
• Found a domain not like the other ones
• Legacy on-premise PHP-app acquired by a huge tech organization
• Old API-endpoints still available 👍 👍 👍

Slide 8

Methodology
• Google + GitHub etc

Slide 12

Methodology
• Google + GitHub etc
• wfuzz!

Slide 13

Methodology
• Google + GitHub etc
• wfuzz!

Interesting path: /cgi-bin/default/

Slide 14

Methodology
• Google + GitHub etc
• wfuzz!

python wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \
  -H "User-Agent: Mozilla.." \
  "https://www.techsite.com/cgi-bin/default/FUZZ"

Slide 15

Methodology
• Google + GitHub etc
• wfuzz!

Slide 16

Methodology
• Google + GitHub etc
• wfuzz!

/cgi-bin/default/php/

Slide 17

Methodology
• Google + GitHub etc
• wfuzz!

python wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \
  -H "User-Agent: Mozilla.." \
  "https://www.techsite.com/cgi-bin/default/php/FUZZ"

Slide 18

Methodology
• Google + GitHub etc
• wfuzz!
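
The slides above walk a wordlist against /cgi-bin/default/ with wfuzz. As an added example that is not part of the talk, the following is the defender-side counterpart: a detection routine that runs over web-server access logs and flags a client that requests many distinct paths under one parent directory inside a short window and mostly receives 404s, which is what a directory brute-force looks like from the server. It assumes Apache/nginx "combined" log format; the log lines, client addresses (198.51.100.7, 203.0.113.5), wordlist and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format (assumption: the server logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def find_path_bruteforce(lines, window=timedelta(seconds=60),
                         min_requests=20, min_404_ratio=0.8):
    """Flag client IPs that, inside one sliding time window, request many
    distinct paths under the same parent directory and mostly receive 404.
    Thresholds are assumptions to tune per site. Returns {ip: details}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec['ip']].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r['ts'])
        start = 0
        for end in range(len(recs)):
            # Shrink the window from the left until it spans at most `window`.
            while recs[end]['ts'] - recs[start]['ts'] > window:
                start += 1
            win = recs[start:end + 1]
            if len(win) < min_requests:
                continue
            not_found = sum(1 for r in win if r['status'] == 404)
            if not_found / len(win) < min_404_ratio:
                continue
            parents = {r['path'].rsplit('/', 1)[0] for r in win}
            distinct_paths = len({r['path'] for r in win})
            # One parent directory, many distinct children: a wordlist being walked.
            if len(parents) == 1 and distinct_paths >= min_requests:
                alerts[ip] = {'parent': parents.pop(), 'requests': len(win),
                              'not_found': not_found}
                break
    return alerts


def sample_log():
    """Constructed access-log lines (not from the talk): one client walking a
    wordlist under /cgi-bin/default/ once per second, plus ordinary traffic."""
    base = datetime(2016, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    words = ['admin', 'backup', 'cgi', 'conf', 'data', 'debug', 'dev', 'docs',
             'images', 'include', 'lib', 'log', 'old', 'php', 'private', 'scripts',
             'src', 'test', 'tmp', 'tools', 'upload', 'util', 'vendor', 'xml', 'api']
    lines = []
    for i, w in enumerate(words):
        ts = (base + timedelta(seconds=i)).strftime('%d/%b/%Y:%H:%M:%S %z')
        status = 200 if w in ('php', 'api') else 404
        lines.append(f'198.51.100.7 - - [{ts}] "GET /cgi-bin/default/{w} HTTP/1.1" '
                     f'{status} 512 "-" "Mozilla/5.0"')
    for i in range(5):
        ts = (base + timedelta(seconds=10 * i)).strftime('%d/%b/%Y:%H:%M:%S %z')
        lines.append(f'203.0.113.5 - - [{ts}] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines


if __name__ == '__main__':
    for ip, info in find_path_bruteforce(sample_log()).items():
        print(f"{ip}: {info['requests']} requests under {info['parent']}, "
              f"{info['not_found']} of them 404")
```

The alert fires as soon as the first qualifying window is complete (here after 20 requests, 19 of them 404), so the same routine works on a live tail of the log, not only on a finished file.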

Slide 19

xml_api?

Slide 21

xml_api? YEAH! 👍

Slide 22

wtf!?

Slide 23

XXE!

Slide 28

XXE!
]> &exl;

Slide 30

XXE!
%exl; ]>

Slide 32

XXE!
%exl; ]> ???

Slide 33

Slide 34

XXE!
]>

Slide 36

XXE!

Slide 38

XXE! WOAH.

Slide 39

Format String Injection?

Slide 40

Format String Injection ON ZE WEB?

Slide 41

Format String Injection
http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf

Slide 42

Format String Injection

Slide 44

I can’t handle this shit

Slide 45

Help me, zetatwo

Slide 48

zetatwo: latin1!

Slide 50

Limitations
0x20-0xFF (no 0x22)

Slide 51

Limitations
0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

Slide 55

We can read all ENVs

for i in $(seq 8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \
  --data-binary '
  ]>
  '
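
The XXE slides show external and parameter entities (&exl;, %exl;) being declared in a DOCTYPE, the latin1 slides show that the payload only works once the document is declared in a single-byte charset so that bytes 0x80-0xFF pass as characters (within XML's allowed set of 0x09, 0x0a, 0x0d and 0x20 upwards), and the request above delivers it as text/xml. As an added example, not code from the talk or from the affected application, the following is a guard that an XML API could run on each inbound request before the body ever reaches the parser: it rejects any DOCTYPE or ENTITY declaration, requires both the Content-Type charset and the XML declaration to say UTF-8 and agree with each other, and rejects bodies that are not valid UTF-8 or contain control characters outside TAB, LF and CR. The sample bodies and the dtd.example host are constructed.

```python
import re

# Constructed request bodies for the demonstration (not taken from the talk).
SAMPLE_OK = b'<?xml version="1.0" encoding="UTF-8"?><request><id>42</id></request>'
SAMPLE_DTD = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE r [<!ENTITY % exl SYSTEM "http://dtd.example/x.dtd"> %exl;]>'
              b'<r>&exl;</r>')
SAMPLE_LATIN1 = b'<?xml version="1.0" encoding="ISO-8859-1"?><r>\xff\xfe\x80</r>'


def content_type_charset(content_type):
    """charset parameter of a Content-Type header value, lower-cased, or None."""
    m = re.search(r'charset\s*=\s*"?([A-Za-z0-9._-]+)"?', content_type, re.I)
    return m.group(1).lower() if m else None


def xml_declared_encoding(body):
    """encoding named in the XML declaration at the start of body, lower-cased, or None."""
    m = re.match(rb'\s*<\?xml[^>]*?encoding\s*=\s*["\']([A-Za-z0-9._-]+)["\']', body)
    return m.group(1).decode('ascii').lower() if m else None


def _is_utf8_name(name):
    # Accept the common spellings: utf-8, UTF8, utf_8.
    return name.replace('-', '').replace('_', '') == 'utf8'


def inspect_xml_request(content_type, body):
    """Return the list of reasons to reject the request (empty list = pass).

    The API this guards needs no DTD, so every DOCTYPE/ENTITY is refused; the
    charset must be UTF-8 everywhere, so an ISO-8859-1/latin1 declaration and any
    raw high bytes that only decode under such a charset are refused as well."""
    findings = []

    # 1. External and parameter entities (the XXE building blocks) live in the DTD.
    if re.search(rb'<!DOCTYPE', body, re.I):
        findings.append('doctype-present')
    if re.search(rb'<!ENTITY', body, re.I):
        findings.append('entity-declaration')

    # 2. Header charset and prolog encoding must both be UTF-8 and must agree.
    header_cs = content_type_charset(content_type)
    decl_cs = xml_declared_encoding(body)
    for cs in (header_cs, decl_cs):
        if cs is not None and not _is_utf8_name(cs):
            findings.append('non-utf8-charset:' + cs)
            break
    if header_cs and decl_cs and header_cs != decl_cs:
        findings.append('charset-mismatch')

    # 3. The bytes themselves must be valid UTF-8, whatever the declarations claim.
    try:
        body.decode('utf-8')
    except UnicodeDecodeError:
        findings.append('invalid-utf8')

    # 4. XML 1.0 allows only TAB, LF and CR below 0x20; anything else is rejected.
    if re.search(rb'[\x00-\x08\x0b\x0c\x0e-\x1f]', body):
        findings.append('control-characters')

    return findings


if __name__ == '__main__':
    for label, ct, body in (
        ('ok', 'text/xml; charset="UTF-8"', SAMPLE_OK),
        ('dtd', 'text/xml; charset="UTF-8"', SAMPLE_DTD),
        ('latin1', 'text/xml; charset="ISO-8859-1"', SAMPLE_LATIN1),
    ):
        print(label, inspect_xml_request(ct, body) or 'accepted')
```

The guard is deliberately a pre-parse filter: it complements, rather than replaces, turning off entity expansion and external DTD loading in the XML library itself, and every finding it returns is a string that can go straight into an application log for detection.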

Slide 57

Response
"We are unable to see anything sensitive in the response. If you believe you have found sensitive information please provide this to us."

Slide 60

Want to collaborate? @fransrosen

Slide 61

Questions? Suggestions?