# PHP Type Juggling

### Exploiting PHP Array Vulnerability

In the Live Overflow video linked below, a piece of code is shown and the viewer is asked to find a bug that could lead to remote code execution.

* In PHP, a user input such as `$_GET['bug_here']` can become vulnerable.
* A user can supply an array as input instead of the string the developer intended.
  * For example, if the user requests `http://192.168.x.x/exploit?bug_here[]=test`
  * This causes a warning, and the output becomes **NULL**.

As seen in the code below, taken from Live Overflow's video, we can pass an array in the `nonce` parameter so that **`$_POST['nonce']` yields NULL**, which is then stored in `$secret`. This is what makes the code exploitable.

![Live Overflow(Let’s play a game: what is the deadly bug here?)](https://1016642613-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MLICeMp-ugVlUqxbbIS%2F-MMzIQW2a-DbRc8pVAsF%2F-MMzJKkkUiO4o9Pf8-SS%2Fimage.png?alt=media\&token=54f277da-5d73-4ebf-8572-20cae12703ca)

**`$hmac = hash_hmac('sha256', $_POST['host'], $secret);`** We control the `host` parameter, and because of the vulnerability described above, the secret will be **NULL**.

This leads to a predictable **hash result**, shown below. Supplying that value in the `$_POST['hmac']` parameter makes the comparison evaluate to TRUE, and the subsequent `exec()` call can then be used for OS command injection.

![controllable $hmac variable generation](https://1016642613-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MLICeMp-ugVlUqxbbIS%2F-MMzMvu_mF24kkV2_K7O%2F-MMzNe6TstznxlSpmis_%2Fimage.png?alt=media\&token=9cc40452-9155-4cbd-a05d-0c17ea0f7317)
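The unsafe pattern described above, placed next to a hardened version that refuses array input and compares strictly. This is an added example, not code from the page or from the Live Overflow video; the `weak_check` and `hardened_check` functions and the `$request` array are constructed for illustration.

```php
<?php
// Added example (not the page's or the video's code): the unsafe pattern the
// page describes next to a hardened version that rejects array input.
// Assumption: the request was sent as nonce[]=test, so 'nonce' arrives as an array.

/** Mirrors the page's bug: no type check on the key, and a loose (==) comparison. */
function weak_check(array $post): bool
{
    $secret = $post['nonce'];                 // an array when nonce[]=... is sent
    try {
        // PHP 7: emits a warning and returns NULL. PHP 8: throws TypeError instead.
        $hmac = @hash_hmac('sha256', $post['host'], $secret);
    } catch (TypeError $e) {
        $hmac = null;                         // make both PHP versions behave alike here
    }
    return $hmac == $post['hmac'];            // type juggling: NULL == '' is true
}

/** Hardened: require strings, reject an empty secret, compare in constant time. */
function hardened_check(array $post): bool
{
    foreach (['host', 'nonce', 'hmac'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false;                     // arrays and missing fields are rejected
        }
    }
    if ($post['nonce'] === '') {
        return false;                         // an empty key gives a predictable HMAC
    }
    $expected = hash_hmac('sha256', $post['host'], $post['nonce']);
    return hash_equals($expected, $post['hmac']);   // strict, constant-time, no juggling
}

// Constructed request, shaped like the page's ?bug_here[]=test example.
$request = ['host' => 'example.test', 'nonce' => ['test'], 'hmac' => ''];

var_dump(weak_check($request));      // array key plus loose compare lets the check pass
var_dump(hardened_check($request));  // array input is rejected before hash_hmac() runs
```

The same `is_string` guard applies to any request field that reaches a string-typed function; the `hmac` field must also be a string or `hash_equals()` will refuse it.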

**Live Overflow \[** [Let’s play a game: what is the deadly bug here?](https://www.youtube.com/watch?v=MpeaSNERwQA\&t=163s\&ab_channel=LiveOverflow) **]**
