We can use a hash length extension vulnerability because of
How can we get $auth === true after unserialize()? In PHP, Boolean serialization looks like this:
What is more interesting:
Because the sha256 is computed over the reversed $_COOKIE["auth"] content, instead of b:1; we put ;1:b at the end of the string:
For the extension attack we use Hash Extender by Ron Bowes.
We know that the secret length is 40
Now change the cookies:
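As an added illustration (not code from the writeup or the challenge), the Python below models the challenge's check, sha256(secret . strrev($_COOKIE["auth"])), next to the two fixes that close the hole: an HMAC for the tag and a strict parser instead of a trailing-data-tolerant unserialize(). The 40-byte placeholder secret and the raw-bytes cookie encoding are assumptions; the forged digest itself is left to hash_extender as in the writeup, only the resulting cookie layout is shown.

```python
import hashlib
import hmac

# Constructed placeholder: the writeup only states the real secret is 40 bytes.
SECRET = b"S" * 40

def prefix_mac_sign(cookie: bytes) -> str:
    # The challenge's scheme: sha256(secret || strrev(cookie)), a plain
    # prefix-MAC, which is exactly what length extension exploits.
    return hashlib.sha256(SECRET + cookie[::-1]).hexdigest()

def vulnerable_verify(cookie: bytes, sig: str) -> bool:
    return prefix_mac_sign(cookie) == sig

def hmac_sign(cookie: bytes) -> str:
    # Fix on the MAC side: HMAC-SHA256 is not length-extendable.
    return hmac.new(SECRET, cookie, hashlib.sha256).hexdigest()

def hardened_verify(cookie: bytes, sig: str) -> bool:
    # Constant-time comparison so the tag is not leaked byte by byte.
    return hmac.compare_digest(hmac_sign(cookie), sig)

def sha256_glue(msg_len: int) -> bytes:
    # Merkle-Damgard padding SHA-256 appends to a msg_len-byte message:
    # 0x80, zero bytes up to 56 mod 64, then the 64-bit big-endian bit length.
    # These non-printable bytes are why the writeup feeds the cookie as hex.
    return (b"\x80" + b"\x00" * ((55 - msg_len) % 64)
            + (msg_len * 8).to_bytes(8, "big"))

def forged_cookie_layout(cookie: bytes) -> bytes:
    # Appending ';1:b' after the glue in the hashed (reversed) message puts
    # 'b:1;' at the FRONT of the un-reversed cookie. The matching digest is
    # what hash_extender derives from the original tag; it is not computed here.
    glue = sha256_glue(len(SECRET) + len(cookie))
    return (cookie[::-1] + glue + b";1:b")[::-1]

def lenient_unserialize_bool(data: bytes):
    # Mimics unserialize() ignoring trailing bytes after a complete value.
    if data.startswith(b"b:1;"):
        return True
    if data.startswith(b"b:0;"):
        return False
    return None

def strict_parse_bool(data: bytes):
    # Fix on the parsing side: accept only an exact, complete value.
    return {b"b:1;": True, b"b:0;": False}.get(data)
```

The lenient parser turns the forged layout into $auth === true while the strict one rejects it, and HMAC makes the appended-block trick moot regardless of the parser.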
We are inside the admin panel. The second part is tricky. We need to get the flag.txt content. In old PHP versions it was possible to use a null byte because of:
but this doesn't work here. We use object injection instead.
$filename = "flag.txt".
But it will not work. Why? As you can read in the PHP manual:
So the browser renders this text as:
But it really looks like:
Because hash_extender understands hex representation, we convert our text to hex.
Generate a new payload:
Finally the cookies look like:
files.php and get the Unauthenticated message. Why?
We have our File object in memory, but it's not true. What's next? It's time for __destruct.
die("Unauthenticated"); is displayed, then the File destructor is called.
In this CTF the file content is displayed when we pass the ?debug=1 param in the URL.
Success. View the page source, because <!-- is treated as an HTML comment.
Proof of Concept:
- 10-08-2015: CTF starts
- 23-08-2015: CTF ends