PHP Type Juggling

A vulnerability that exists because PHP is funny :)

Exploiting PHP array Vulnerability.

In the great video by Live Overflow below, a piece of code is shown and viewers are asked to find a bug that could lead to remote code execution.

  • In PHP, a user input such as $_GET['bug_here'] can become vulnerable.

  • A user can specify an array as an input rather than the way a developer intended.

    • If the user used http://192.168.x.x/exploit?bug_here[]="test"

    • This would cause a warning, and the output to be NULL.

Now, as seen in the code below, taken from Live Overflow's video, we can pass an array in the nonce parameter to make $_POST['nonce'] return NULL, which will be stored as $secret. This allows us to exploit the code.

The HMAC is computed as $hmac = hash_hmac('sha256', $_POST['host'], $secret). We can control the host parameter, and due to the vulnerability described above, the secret will be NULL.

This leads to a predictable hash result, as shown below, which will be inserted into the $_POST['hmac'] parameter. The comparison will then output TRUE, and of course exec() can be used for OS command injection.
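A hardened form of the kind of handler described above, as an added example (it is not the code from the video or from this page). The function names, the way the nonce derives the key, the hostname pattern and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns $input[$name] only when it is a non-empty string.
// PHP parses nonce[]=x into an array, which is rejected here before any hashing.
function string_param(array $input, string $name): ?string
{
    $value = $input[$name] ?? null;
    return (is_string($value) && $value !== '') ? $value : null;
}

// Hypothetical check: returns 'ok', or the reason the request was refused.
function check_request(array $post, string $serverSecret): string
{
    if ($serverSecret === '') {
        return 'server secret not configured'; // never HMAC with an empty key
    }
    $host = string_param($post, 'host');
    $hmac = string_param($post, 'hmac');
    if ($host === null || $hmac === null) {
        return 'host and hmac must be non-empty strings';
    }
    $key = $serverSecret;
    if (array_key_exists('nonce', $post)) {
        $nonce = string_param($post, 'nonce');
        if ($nonce === null) {
            return 'nonce must be a non-empty string';
        }
        $key = hash_hmac('sha256', $nonce, $serverSecret); // assumed derivation
    }
    // hash_equals() compares in constant time and accepts only strings.
    if (!hash_equals(hash_hmac('sha256', $host, $key), $hmac)) {
        return 'bad hmac';
    }
    // Allow-list the hostname; requiring a leading letter or digit blocks "-option".
    if (preg_match('/\A[a-z0-9][a-z0-9.-]{0,252}\z/i', $host) !== 1) {
        return 'host is not a valid hostname';
    }
    return 'ok'; // only now may the caller pass escapeshellarg($host) to exec()
}

// Constructed sample requests (not taken from the video).
$secret = 'constructed-demo-secret';
$key    = hash_hmac('sha256', 'n1', $secret);
$good   = ['nonce' => 'n1', 'host' => 'example.com',
           'hmac'  => hash_hmac('sha256', 'example.com', $key)];
$array  = ['nonce' => ['x'], 'host' => 'example.com', 'hmac' => str_repeat('0', 64)];
echo check_request($good, $secret), PHP_EOL;  // well-formed, correctly signed request
echo check_request($array, $secret), PHP_EOL; // array nonce is refused before hashing
```

On PHP 8 and later, hash_hmac() throws a TypeError when given an array instead of emitting a warning and returning NULL; the explicit is_string() check keeps the handler's behaviour the same on every version.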

Live Overflow [ Let’s play a game: what is the deadly bug here? ]
