Hackover CTF – messagecenter


A long time since last writeup so i have decided comment a simple web level solved on «Hackover CTF». It’s very old vulnerability related with type safe comparation on PHP and serialize function. We have a web login with normal test users (demo, demo2) and a ‘remember login’ function that help us to keep login ‘passing data’ to autologin cookie, which have the vulnerability.  This cookie has the original format:


As wen can see the source code of the application we start analyzing vulnerable points on do_login method, seeing what’s really compared with this piece of serialized cookie string.

function do_login($username, $pw_hash, $autologin)
	global $db;
	if (isset($_SESSION['user_id'])) {
		return true;
	$sth = $db->prepare('SELECT id, password FROM account WHERE username = ?');
	$sth->bindValue(1, $username);
	$result = $sth->execute()->fetchArray();
	if ($result && $result['password'] == $pw_hash) { //<-- See how is compared, == instead === !!! 
		$_SESSION['user_id'] = $result['id'];
		if ($autologin) {
			setcookie('autologin', serialize(array(
				'username' => $username,
				'password' => $pw_hash
			)), time() + 60*60*24*14);
		header('Location: /');
	return false;

if (isset($_COOKIE['autologin'])) {
	$data = @unserialize($_COOKIE['autologin']);
	do_login($data['username'], $data['password'], true); // and here data unserialized. 

So the problem is we can set a boolean true value in serialized password data and this will produce ‘true’ comparation. Here it’s:


Ok. It’s all to get the flag.


If you are interested on this PHP serialize vulnerability and others like that, see this pdf: