A lecture/talk describing how to build and use polyglot payloads for finding vulnerabilities in web applications that traditional payloads can't.
Here's the last slide: http://www.slideshare.net/MathiasKarlsson2/final-slide-36636479
Polyglot payloads in practice by avlidienbrunn at HackPra
5. ' or ''='
• SELECT * FROM table WHERE username='HERE'
• UPDATE table SET username=(SELECT 'HERE')
• //user[name='HERE']
6. Why?
What if there are vulnerabilities that can only be found through polyglot payloads?
Maybe traditional testing (one payload per context) isn't as effective as we thought?
If one payload can do the same thing that two payloads can, we can send one request less per input!
7. What are we going to talk about?
• Introduction
• Why use polyglot payloads?
• Creating polyglot payloads
• MySQL Injection polyglots
• XSS polyglots
• File polyglots
• Polyglot payloads in practice
• Polyglots for other purposes
• Ending
9. How I view payloads
• Execution zone - Part of the payload that's supposed to be executed as code (MySQL query)
• Dead zone - Part of the payload that's not supposed to be executed as code (inside strings, comments, unreachable IF clauses)
• Breaker sequence - Part of the payload that ends one of the zones and starts one of the others (' breaking out of a string, */ breaking out of a comment and into the query)
10. Combining payloads
• Create one payload per context
• One at a time, put the next payload into the dead zone of the previous
• If no dead zones are available, insert one!
• If that is not possible, you can combine payloads by creating conditional execution zones
15. SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
• Works in single quote context
• Works in double quote context
• Works in "straight into query" context!
19. Polyglot files
• File formats are (usually) easy to understand: header, contents, end
• Parsers/renderers are often lazy and will allow stuff before and after the file as long as the file itself is valid
• Example: You can have (almost) anything before the PDF header, and anything after the PDF file
• Example 2: You can have anything after a SWF file, but nothing before it
22. Observations
• It looked vulnerable!
• Could upload a PDF that would be served inline (no Content-Disposition header)
• Human verification of PDFs
• Built on WordPress
23. Flash Content-Type sniffing
• Loaded with an <object> tag, doesn't care about Content-Type
• Needs to be a valid SWF file
• Needs to be served inline (no Content-Disposition header)!
• Requests from Flash will be sent in the scope of where the SWF is hosted
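Slides 19 and 23 together give the defender's checklist: a PDF reader tolerates bytes in front of its header, a SWF allows nothing before its own signature, and the `<object>` load only works when the upload is served inline. The following is an added example (not code from the talk or its author) of an upload check that keys on exactly those properties, beside the lazy "PDF header anywhere" check it replaces. The signature values are the real ones (`%PDF-` for PDF; `FWS`, `CWS` and LZMA-compressed `ZWS` for SWF); the byte strings and the function names are constructed for the example and are not valid files.

```python
# Added example, not the talk's code: upload-side checks that a PDF/SWF polyglot
# does not pass, plus the response headers that deny the inline loading the
# attack needs. Magic values are the real PDF and SWF signatures; the byte
# strings below are constructed stand-ins, not real files.
import re
from typing import Dict, Set, Tuple

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")        # raw, zlib, LZMA; must sit at offset 0
PDF_HEADER = re.compile(rb"%PDF-\d\.\d")    # readers accept junk before this


def naive_type(data: bytes) -> str:
    """The lazy check the slides describe: a PDF header anywhere => 'pdf'."""
    return "pdf" if PDF_HEADER.search(data) else "unknown"


def formats_present(data: bytes) -> Set[str]:
    """Every format a lenient parser could read this blob as."""
    found = set()
    if data[:3] in SWF_MAGIC:                       # SWF allows nothing before it
        found.add("swf")
    m = PDF_HEADER.search(data)
    if m:
        found.add("pdf")
        if m.start() != 0:                          # something rides in front
            found.add("pdf-with-prefix")
    return found


def accept_as_pdf(data: bytes) -> Tuple[bool, str]:
    """Strict policy: PDF header at offset 0 and no other format's signature."""
    fmts = formats_present(data)
    if "swf" in fmts:
        return False, "leading bytes are a Flash signature"
    if "pdf" not in fmts:
        return False, "no PDF header"
    if "pdf-with-prefix" in fmts:
        return False, "PDF header not at offset 0"
    return True, "ok"


def download_headers(filename: str) -> Dict[str, str]:
    """Serve user uploads as attachments: the slides list the missing
    Content-Disposition header as a precondition for the <object> load."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {"Content-Type": "application/octet-stream",
            "Content-Disposition": f'attachment; filename="{safe}"',
            "X-Content-Type-Options": "nosniff"}


# Constructed samples (not valid files, only the bytes the checks look at).
GOOD_PDF = b"%PDF-1.4\n1 0 obj << >> endobj\ntrailer << >>\n%%EOF\n"
PREFIXED_PDF = b"some text first\n" + GOOD_PDF
POLYGLOT = b"FWS\x08" + b"\x00" * 8 + GOOD_PDF     # SWF signature, PDF inside

if __name__ == "__main__":
    for name, blob in (("good", GOOD_PDF), ("prefixed", PREFIXED_PDF), ("polyglot", POLYGLOT)):
        print(name, naive_type(blob), sorted(formats_present(blob)), accept_as_pdf(blob))
```

The point of `formats_present` is that a file is not "a PDF or a SWF" but possibly both; a check that stops at the first format it recognises is the one a polyglot is built to pass. Rejecting any upload whose first bytes are a known executable-content signature, and serving what is accepted with `Content-Disposition: attachment`, removes both preconditions the slides list.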
25. Attack pattern
1. Create a Flash file that will fetch the CSRF token
2. Upload it to the server as a PDF
3. Load the file from another domain using an <object> tag
4. CSRF token == Acquired!
27. What if I could make it look like a SWF and meet the requirements?
28. Polyglot attack pattern
1. Create a Flash file that will fetch the CSRF token
2. Combine it with a PDF that will make it through the human verification
3. Upload it to the server as a PDF
4. Load the file from another domain using an <object> tag
5. CSRF token == Acquired!
31. *New* Polyglot attack pattern
1. Create a 7zipped (SWZ) Flash file that will fetch the CSRF token
2. Combine it with a PDF that will make it through the human verification
3. Upload it to the server as a PDF
4. Load the file from another domain using an <object> tag
5. CSRF token == Acquired!
40. 1. MySQL Injection: /*' or ''='" or ""="*/
2. XSS: " onclick=alert(1)//<button value=Click_Me ' onclick=alert(1)//> */ alert(1); /*
3. ASCII Art!
4. File!
41. • Problem: both the MySQL and JavaScript payloads use ' and " as breaker sequences in one or more parts
• Solution: Create code that will execute as valid JS in a JS context and as valid MySQL in a MySQL context
43. Conditional comments!
"MySQL Server parses and executes the code within the comment as it would any other SQL statement, but other SQL servers will ignore the extensions."
/*! LIKE_THIS() */
TL;DR: If the multiline comment starts with a !, it will execute as SQL.
45. /*! SLEEP(1) /*/ onclick=alert(1)//<button value=Click_Me /*/*/
or' /*! or SLEEP(1) or /*/, onclick=alert(1)//> /*/*/'or " /*! or
SLEEP(1) or /*/, onclick=alert(1)// /*/*/"/**/ /*!/*/ // /*/*/
• Works in (at least) 7 XSS contexts!
• Works in all (?) MySQL contexts!
*/-deadzone
48. Inspiration/Credits
• Polyglots: Crossing Origins by Crossing Formats by Jonas Magazinius and Andrei Sabelfeld: http://www.cse.chalmers.se/~andrei/ccs13.pdf
• GIF/Javascript Polyglots by Jasvir Nagra: http://www.thinkfu.com/blog/gifjavascript-polyglots
• (Flash) Content-Type Blues by nb: http://50.56.33.56/blog/?p=242
• The polyglot list by Gary P. Thompson II: http://www.nyx.net/~gthompso/poly/polyglot.htm
• PoC||GTFO by the Tract Association of PoC||GTFO and friends: https://twitter.com/search?q=PoC%7C%7CGTFO%20mirror
• Fredrik Almroth for helping me write some of the payloads: https://twitter.com/almroot