# PHP Logins

## PHP Type Juggling

PHP Type juggling is an attack where the type confusion takes place in PHP applications. When the  comparison  statement is used in PHP application

```php
<?php
$dn = "dnoscp";
if ( $dn == "dnoscp"){
    echo "Same";
    }
?>   
```

The application is expected to provide output only when the compared statement (as of the example, line 3) are true.&#x20;

Which it actually does,&#x20;

![iamdnoscp is not equal to dnoscp so outputs Not Same](https://2587790434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsIDfsFf4ZaEESeP0YPTJ%2Fuploads%2FIzfxbHvXgyKJyzkOx6em%2Fphptj1.png?alt=media\&token=cef5667f-008b-4f9b-8f5d-9f666cca8807)

![dnoscp is equal to dnoscp so the output is Same](https://2587790434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsIDfsFf4ZaEESeP0YPTJ%2Fuploads%2FANFozGABxBBliPRxd3tB%2Fphptj2.png?alt=media\&token=14c69082-469f-4673-9319-b2ce34f80d90)

But when `==` are used instead of `===` for comparisons there will come the type confusion vulnerability. The vulnerability takes advantage of the boolean values to bypass the checks. Here the input is passed as `True` value other than the string value. Thus this check bypasses and the output is obtained as the same

![Boolean value True is used to bypass the check](https://2587790434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsIDfsFf4ZaEESeP0YPTJ%2Fuploads%2F9uIG1fvSmsKxZmK9yHRb%2Fphptj3.png?alt=media\&token=713f5368-35e0-42c2-81ab-ba5cf8d3f421)

![Even the value 0 bypasses the check](https://2587790434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsIDfsFf4ZaEESeP0YPTJ%2Fuploads%2FwxUfUIs95VXbByDdHRIX%2Fphptj4.png?alt=media\&token=17c6016e-4a80-42f6-9f24-22d9e76ed78e)

![This doesnt work with other values since 0 is the exit code of the value](https://2587790434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsIDfsFf4ZaEESeP0YPTJ%2Fuploads%2Ftf8KpVBsVaXLPmbPZFRa%2Fphptj5.png?alt=media\&token=6a5070d1-03ca-4ff5-87de-e7f86cba5409)

Whenever a PHP application uses a check for login its worth to try for juggling vulnerability

#### Machines

* Nineveh \[Empty array confusion] - <https://0xdf.gitlab.io/2020/04/22/htb-nineveh.html#department-type-confusion>
* Ransom - <https://www.youtube.com/watch?v=idC5SAsKhlE> | <https://youtu.be/YGoR2gSDaI4?t=608>

### Patch

Using `===` for comparison statements

![PHP Type Juggling Patch](https://2587790434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsIDfsFf4ZaEESeP0YPTJ%2Fuploads%2F7DNovHlYgdMImaRsBzSG%2Fphptj6.png?alt=media\&token=dce1be42-3111-418e-8e24-dcbea800578c)