Wednesday, 18 December 2019

[wargame.kr&rootme] PHP TYPE CONFUSION & LOOSE COMPARISON WRITEUP!

First of all, we should focus on the definition.


A loose comparison is one performed with two equals signs (==). Before comparing, PHP converts the operands to a common type using a "best-guess" approach, which can lead to some unexpected results. A strict comparison (===) compares both value and type and does no conversion.

Take a look at this table (an excerpt of the loose-comparison table from the PHP manual; the original post shows it as an image):

            true   false  1      0      "1"    "0"    ""     null   []     "php"
true        true   false  true   false  true   false  false  false  false  true
false       false  true   false  true   false  true   true   true   true   false
0           false  true   false  true   false  true   true*  true   false  true*
"php"       true   false  false  true*  false  false  false  false  false  true

* true on PHP 7 and earlier, false on PHP 8 (since PHP 8 a non-numeric string no longer compares equal to 0).

As you can see, for example, if we compare bool(true) to the string "php", the result is always true. When one operand is a bool, PHP converts the other operand to bool, and every non-empty string except "0" converts to true. This rule has not changed in PHP 8, so the bool(true) trick still works there, while the 0 trick in the last row does not.

Another example, from Root-Me (the challenge source is shown as a screenshot in the original post; the relevant line is reproduced below).

We focus on this:
 if($auth['data']['login'] == $USER)
Our input is loosely compared to $USER, whose value we will probably never know. So we exploit it using the table above: instead of guessing $USER, we send bool(true), and since $USER is a non-empty string the == check becomes true and the flag is printed. (Of course, in this example we also have to feed a valid value to the condition that follows, which is checked in the same way.)

Let's check the challenge about this problem on wargame.kr for a clearer picture.

Type confusion challenge:


<?php
if (isset($_GET['view-source'])) {
    show_source(__FILE__);
    exit();
}
if (isset($_POST['json'])) {
    usleep(500000);
    require("../lib.php"); // include for auth_code function.
    $json = json_decode($_POST['json']); // stdClass object: $json->key keeps whatever JSON type we sent
    $key = gen_key();
    if ($json->key == $key) {            // loose comparison: this is the bug
        $ret = ["code" => true, "flag" => auth_code("type confusion")];
    } else {
        $ret = ["code" => false];
    }
    die(json_encode($ret));
}

function gen_key(){
    $key = uniqid("welcome to wargame.kr!_", true);
    $key = sha1($key);                   // unpredictable, but always a 40-character hex string
    return $key;
}
?>
As you can see, we must give an input value which makes the if condition become true. Let's beat this challenge!

First, look at the code. Whatever we send in the json POST parameter is decoded with json_decode into an object (for example {"key":"4rth4s"} gives $json->key == "4rth4s"), and the decoded value keeps its JSON type: a string stays a string, true stays bool(true). In other words, this challenge forces us to input a JSON string of the form {"key":...}, but it does not force the value to be a string.

So, based on what we learned above: we have no idea what $key is, because gen_key() hashes a uniqid() value with sha1. But we do know that $key is a non-empty string (40 hex characters, so it can never be "0"). A non-empty string other than "0" loosely equals bool(true), so we simply compare it to bool(true). Let's do this!

Input {"key":true} as the json POST parameter and send it to the server via ZAP Proxy 2.8.0 (the request and response are shown as screenshots in the original post).





And the flag comes up!
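To see both the wargame.kr check and the Root-Me login check fail for the same reason without touching either site, here is an added example (my own harness, not the challenge's code) that reproduces the vulnerable == check against a freshly generated key, tries the payloads discussed above, and shows a hardened version using a type check plus hash_equals. The gen_key() construction copies the challenge; the function names check_loose and check_strict are mine.

```php
<?php
// Added example, not the challenge's own code.
// Run locally with: php demo.php

// Same construction as the challenge: unpredictable, but always a
// non-empty 40-character hex string, so it can never be "0".
function gen_key(): string {
    return sha1(uniqid("welcome to wargame.kr!_", true));
}

// Vulnerable check, exactly as in the challenge: loose comparison (==)
// against a value whose JSON type is controlled by the client.
function check_loose(string $body, string $key): bool {
    $json = json_decode($body);
    if (!is_object($json) || !isset($json->key)) {
        return false;
    }
    return $json->key == $key;
}

// Hardened check: insist on a string, then compare with hash_equals,
// which is both strict (no type juggling) and constant-time.
function check_strict(string $body, string $key): bool {
    $json = json_decode($body);
    if (!is_object($json) || !isset($json->key) || !is_string($json->key)) {
        return false;
    }
    return hash_equals($key, $json->key);
}

// Constructed sample payloads (what would go into the json POST parameter).
$payloads = [
    '{"key":"4rth4s"}',  // honest guess: fails on both checks
    '{"key":true}',      // bool(true) == non-empty string: true on PHP 5/7/8
    '{"key":0}',         // 0 == non-numeric string: true on PHP 7 only, and
                         // only when the hash does not start with a digit; false on PHP 8
    '{"key":null}',      // null == "..." compares as "" == "...": false
    '{"key":[]}',        // array vs string: false
];

$key = gen_key();
printf("PHP %s, key=%s\n", PHP_VERSION, $key);
foreach ($payloads as $p) {
    printf("%-18s loose=%-5s strict=%s\n",
        $p,
        var_export(check_loose($p, $key), true),
        var_export(check_strict($p, $key), true));
}
```

On every supported PHP version the {"key":true} line prints loose=true and strict=false, which is the whole bug in one row: the fix is not to hide $key better but to stop letting the client choose the type that == sees. The same pattern ($auth['data']['login'] == $USER) on the Root-Me challenge is fixed the same way, with === or hash_equals.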

Happy hacking!