PHP is often known as a ‘loosely typed’ programming language
Recall that in PHP, variables do not have to be declared with a data type. When two variables of different types are compared, PHP automatically converts the data to the same data type.
For example, if we compare an integer to a string, PHP will convert the string to an integer.
Let’s assume a situation: we have an input field asking for the number of bottles.
When we submit 1 to num_bottles, as we said earlier, comparing a string ($_GET['num_bottles'] will be of string data type) with an integer auto-converts the string to an integer, so it matches the first if statement.
It seems nothing special that "1" == 1.
What if the user input is “1bottle”?
YES, PHP will treat “2bottles” as 2 because of its loose comparison. It will extract the leading digits from the beginning of the string and convert them to an integer.
You might ask, what if there are no numbers?
PHP will treat the string as 0.
CTF Challenge - in_array() type juggling
CTF challenge from PHP SECURITY CALENDAR
class Challenge {
The goal is to bypass the whitelist check implemented with the function in_array().
Description
in_array ( mixed $needle , array $haystack [, bool $strict = FALSE ] ) : bool
Searches for needle in haystack using loose comparison unless strict is set.
Parameters
needle = The searched value
haystack = The array
strict
If the third parameter strict is set to TRUE then the in_array() function will also check the types of the needle in the haystack.
in_array() works by comparing the needle to every value in the array. When strict is not set to TRUE, it does not restrict the data types, and that is when PHP’s loose comparison comes into play.
If we want to upload a malicious PHP file, the filename has to end with .php,
but with the restrictive whitelist we are only allowed to send files named within the range 1 - 24.
We can easily construct a filename with leading digits that will bypass the in_array() check.
Environment
Docker for convenience
docker run --name app8 -d -p 8080:80 -v $(pwd):/var/www/app romeoz/docker-apache-php:7.0
A simple file for uploading
<!doctype html>
Naming the malicious file 1malicious.php will bypass the restriction.
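The bottle comparison and the in_array() whitelist check described above, as an added PHP example that is not part of the original post or the challenge code: the vulnerable loose check sits beside a hardened strict one. The function names and the whitelist (modelled on the range 1 - 24 the post mentions) are my own choices; the behaviour shown is that of PHP 7.x, as in the Docker image above, because PHP 8 changed string-to-number comparison so that "1bottle" == 1 is false there.

```php
<?php
// Added example, not from the original post or the PHP Security Calendar challenge.
// Behaviour described in the comments is that of PHP 7.x.

// The "number of bottles" field: $_GET values always arrive as strings.
function countBottles(string $input): string {
    if ($input == 1) {      // loose: leading digits are taken as the number, so "1bottle" matches
        return 'one bottle';
    }
    if ($input == 0) {      // loose: a string with no leading digits ("abc") is treated as 0
        return 'no bottles';
    }
    return 'many bottles';
}

// Hypothetical stand-in for the challenge's whitelist check, written as the post describes it.
// $strict defaults to FALSE, so each filename is loosely compared against the integers 1..24.
function isAllowedLoose(string $filename): bool {
    return in_array($filename, range(1, 24));
}

// Hardened form: pass TRUE as the third argument so types must match too, and keep the
// whitelist as strings because a filename is always a string. A real upload handler should
// additionally validate the extension and use basename() on the stored name.
function isAllowedStrict(string $filename): bool {
    $whitelist = array_map('strval', range(1, 24));
    return in_array($filename, $whitelist, true);
}

// Constructed sample inputs for the two checks.
foreach (['1', '1bottle', 'abc', '25'] as $value) {
    printf("%-8s => %s\n", $value, countBottles($value));
}
foreach (['3', '1malicious.php', '24.php', 'shell.php'] as $name) {
    printf("%-16s loose=%s strict=%s\n", $name,
        var_export(isAllowedLoose($name), true),
        var_export(isAllowedStrict($name), true));
}
```

On PHP 7 only the strict variant rejects 1malicious.php and 24.php while still accepting a plain "3"; on PHP 8 the loose variant also rejects them because non-numeric strings are no longer converted before comparison.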
CVE example
TBD