Introduction
Can you identify a way to bypass our login logic? MD5 is supposed to be a one-way function, right?
Source code:
There are two facts that stand out from the source code:
- PHP's md5() returns a base16 (hex) string, so a hash can take the form "0exxx". When "0e" is followed only by digits (a PHP "magic hash"), a loose comparison treats the string as a float in scientific notation:
  $password_hash = "0e902564435691274142490923013038";
- Using equality (==) instead of identity (===) in PHP may be vulnerable:
  if(isset($_GET['password']) && md5($salt . $_GET['password']) == $password_hash)
What is PHP type juggling?
Type juggling is a well-known PHP vulnerability class. It occurs when you compare with loose equality (==): if both operands look like numbers, PHP converts them to numbers and then performs a numeric comparison.
So PHP transforms the string into a 0, and any hash that matches the regexp ^(0e)[0-9]*$ will make the equality true.
Exploitation
Once we know how it works, we need to generate a hash that fulfils those conditions. Keep in mind that the application also applies a salt, so when crafting the payload we need to prepend the salt to each candidate password before hashing it, exactly as the login code does.
I created a script to do so:
Finally, use that password to bypass the login.
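To make the defect concrete, here is an added Python model (not the challenge's PHP or the author's script) of how PHP's loose == treats two numeric-looking strings, placed next to the strict, constant-time check that fixes it and a small audit helper for stored digests. The salt is a placeholder assumption; the magic hash is the one quoted above.

```python
import hashlib
import hmac
import re

# Constructed sample values: the magic hash quoted in the write-up and a
# placeholder salt (the challenge's real salt is not on the page).
PASSWORD_HASH = "0e902564435691274142490923013038"
SALT = "placeholder_salt"  # assumption, not the challenge's value

# PHP numeric string: optional sign, digits, optional fraction and exponent.
_NUMERIC_RE = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")
# Hex digest that PHP reads as the float 0 * 10^n == 0.0 (a "magic hash").
_MAGIC_RE = re.compile(r"^0e[0-9]+$")

def is_numeric_string(s: str) -> bool:
    return _NUMERIC_RE.match(s) is not None

def is_magic_hash(digest: str) -> bool:
    """True for a stored digest that loose == treats as 0.0."""
    return _MAGIC_RE.match(digest) is not None

def php_loose_eq(a: str, b: str) -> bool:
    """Model PHP's == on two strings: if both look numeric, PHP converts them
    to numbers and compares those; otherwise it compares the bytes."""
    if is_numeric_string(a) and is_numeric_string(b):
        return float(a) == float(b)
    return a == b

def salted_md5(candidate: str) -> str:
    # Same construction as the login code: md5($salt . $password)
    return hashlib.md5((SALT + candidate).encode()).hexdigest()

def vulnerable_login(digest: str, stored: str = PASSWORD_HASH) -> bool:
    """The write-up's check: md5($salt . $password) == $password_hash."""
    return php_loose_eq(digest, stored)

def hardened_login(digest: str, stored: str = PASSWORD_HASH) -> bool:
    """Fix: strict (===) byte comparison, in constant time, so no numeric
    coercion happens and only the exact digest is accepted."""
    return hmac.compare_digest(digest, stored)

def audit_stored_hashes(hashes):
    """Digests a defender should rotate: any 0e+digits digest is accepted by
    vulnerable_login for every candidate whose salted MD5 is also 0e+digits."""
    return [h for h in hashes if is_magic_hash(h)]
```

Any 0e-plus-digits digest passes vulnerable_login against the stored magic hash, while hardened_login accepts only the exact digest.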