PHP Logins

PHP Type Juggling

PHP Type juggling is an attack where the type confusion takes place in PHP applications. When the comparison statement is used in PHP application

<?php
$dn = "dnoscp";
if ( $dn == "dnoscp"){
    echo "Same";
    }
?>   

The application is expected to provide output only when the compared statement (as of the example, line 3) are true.

Which it actually does,

iamdnoscp is not equal to dnoscp so outputs Not Same

dnoscp is equal to dnoscp so the output is Same

But when == are used instead of === for comparisons there will come the type confusion vulnerability. The vulnerability takes advantage of the boolean values to bypass the checks. Here the input is passed as True value other than the string value. Thus this check bypasses and the output is obtained as the same

Boolean value True is used to bypass the check

Even the value 0 bypasses the check

This doesnt work with other values since 0 is the exit code of the value

Whenever a PHP application uses a check for login its worth to try for juggling vulnerability

Machines

• Nineveh [Empty array confusion] - https://0xdf.gitlab.io/2020/04/22/htb-nineveh.html#department-type-confusion

• Ransom - https://www.youtube.com/watch?v=idC5SAsKhlE | https://youtu.be/YGoR2gSDaI4?t=608

Patch

Using === for comparison statements

PHP Type Juggling Patch