This module will cover the in-depth analysis and exploitation of a PHP Type Juggling vulnerability identified in ATutor.
4.2 Getting Started
In order to access the ATutor server, we have created a hosts file entry named “atutor” in our Kali Linux VM. We recommend making this configuration change in your Kali machine to follow along. Revert the ATutor virtual machine from your student control panel before starting your work.
In this module, the ATutor VM needs to be able to send emails, so we will be using the Atmail VM as an SMTP relay. The ATutor VM already has Postfix installed but will need to be configured with the correct IP address of your Atmail VM. In order to modify the Postfix configuration, you will need to edit the /etc/postfix/transport file as the root user.
In order to access the rest of this course content, you must enroll in Offensive Security's Advanced Web Attacks and Exploitation online course.
As we saw earlier, ATutor version 2.2.1 contains a few interesting vulnerabilities that were worth exploring in depth. Besides the ones we have already discussed, this version of ATutor also contains a completely separate vulnerability that can be used to gain privileged access to the web application. In this case, the vulnerability revolves around the use of loose comparisons (==) of user-controlled values, which causes PHP to perform implicit data type conversions, i.e. type juggling. Ultimately, this allows us to subvert the application logic and perform protected operations from an unauthenticated perspective.
4.4 PHP String Conversion to Numbers
While we briefly addressed loose comparison pitfalls in the previous section in general terms, we also need to look at the PHP rules for string to number conversion to make better sense of them. Once again, we return to the PHP manual, where we find the following definitions:
When a string is evaluated in a numeric context, the resulting value and type are determined as follows. If the string does not contain any of the characters ‘.’, ‘e’, or ‘E’ and the numeric value fits into integer type limits (as defined by PHP_INT_MAX), the string will be evaluated as an integer. In all other cases it will be evaluated as a float. The value is given by the initial portion of the string. If the string starts with valid numeric data, this will be the value used. Otherwise, the value will be 0 (zero). Valid numeric data is an optional sign, followed by one or more digits (optionally containing a decimal point), followed by an optional exponent. The exponent is an ‘e’ or ‘E’ followed by one or more digits.
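The following script is an added example and is not code from the course or from ATutor. It re-implements the manual's "initial portion" rule in a helper of our own, leading_numeric(), runs it over a set of constructed inputs next to PHP's own (int)/(float) casts, and then shows how the same rule drives the loose == operator whenever both operands are numeric strings. The helper name, the fits_in_int() check and the input list are all ours.

```php
<?php
// Added example: the manual's string-to-number rule, reproduced and then checked
// against PHP's own behaviour. Not part of ATutor or the course material.

/**
 * Our own re-implementation of the manual's rule: take the initial portion of
 * the string that is valid numeric data (optional sign, digits optionally with a
 * decimal point, optional exponent). PHP also tolerates leading whitespace and a
 * sign inside the exponent, so the pattern allows both. Returns 0 when the
 * string does not start with numeric data.
 */
function leading_numeric(string $s): int|float
{
    if (!preg_match('/^\s*([+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?)/', $s, $m)) {
        return 0;
    }
    $num = $m[1];
    // No '.', 'e' or 'E' and within integer limits -> int, otherwise float.
    if (!preg_match('/[.eE]/', $num) && fits_in_int($num)) {
        return (int)$num;
    }
    return (float)$num;
}

/** Magnitude check of a digit string against PHP_INT_MAX (PHP_INT_MIN edge ignored). */
function fits_in_int(string $num): bool
{
    $digits = ltrim(ltrim($num, '+-'), '0');
    $max    = (string)PHP_INT_MAX;            // "9223372036854775807" on 64-bit
    return strlen($digits) < strlen($max)
        || (strlen($digits) === strlen($max) && strcmp($digits, $max) <= 0);
}

/** Table of [input, manual rule, (int) cast, (float) cast] for constructed inputs. */
function conversion_table(): array
{
    $inputs = ['42', '  42', '+7', '007', '3.14', '.5', '1e3', '1E-2',
               '12abc', 'abc', '', '9223372036854775808', '0x1A'];
    $rows = [];
    foreach ($inputs as $in) {
        $rows[] = [$in, leading_numeric($in), (int)$in, (float)$in];
    }
    return $rows;
}

/** Loose vs strict comparison of constructed string pairs. */
function comparison_table(): array
{
    $pairs = [
        ['1e3',   '1000'],  // both numeric: 1000 == 1000          -> true
        ['0e123', '0'],     // 0 * 10^123 == 0                     -> true
        ['0e123', '0e456'], // both evaluate to 0.0                 -> true
        ['  1',   '1'],     // leading whitespace is still numeric  -> true
        ['1abc',  '1'],     // "1abc" is NOT a numeric string: compared as strings -> false
        ['abc',   '0'],     // neither is numeric: compared as strings             -> false
    ];
    $rows = [];
    foreach ($pairs as [$a, $b]) {
        $rows[] = [$a, $b, $a == $b, $a === $b];
    }
    return $rows;
}

foreach (conversion_table() as [$in, $rule, $i, $f]) {
    printf("%-24s rule: %-22s (int): %-20s (float): %s\n",
        var_export($in, true), var_export($rule, true),
        var_export($i, true), var_export($f, true));
}
foreach (comparison_table() as [$a, $b, $loose, $strict]) {
    printf("%-8s == %-8s : %-5s   === : %s\n",
        var_export($a, true), var_export($b, true),
        var_export($loose, true), var_export($strict, true));
}
```

Two points worth noticing when you run this. First, "0e123" == "0e456" is true because both sides are numeric strings in scientific notation that evaluate to zero; this is the behaviour the rest of the module builds on, and it is unchanged in PHP 8. Second, PHP 8 did tighten comparisons between a non-numeric string and an integer ("abc" == 0 is true in PHP 7 and false in PHP 8), but a string-to-string comparison like the ones above still becomes numeric as soon as both operands parse as numbers, so the 'abc' == '0' row is false on every version while the "0e" rows stay true.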
4.5 Vulnerability Discovery
In the previous ATutor module, a SQL injection vulnerability, combined with flawed authentication logic, allowed us to gain unauthorized privileged access to the vulnerable ATutor instance. However, that is not the only way an attacker could gain the same level of access. An unauthenticated attacker could accomplish the same goal using a type juggling vulnerability.
4.6 Attacking the Loose Comparison
At this point in our analysis, we should recall what we learned about PHP and scientific exponent notation in the previous section. The question, though, is: what is the practical value of this knowledge from the perspective of an attacker? For that, we need to take the explored concepts a bit further and introduce the topic of Magic Hashes.
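The script below is an added illustration of what a magic hash buys an attacker; it is not ATutor code and does not reproduce the comparison ATutor itself performs. A magic hash is a hex digest that happens to match ^0+e\d+$, so PHP treats it as a numeric string equal to zero. The two md5 inputs used here, "240610708" and "QNKCDZO", are well-known examples whose digests both start with "0e" followed only by digits. The functions token_matches_loose() and token_matches_strict() are hypothetical stand-ins for a vulnerable and a hardened token check.

```php
<?php
// Added example: a loose token comparison defeated by a magic hash, next to the
// strict replacement. Hypothetical check functions; not ATutor's code.

// Well-known md5 magic-hash preimages; each digest is "0e" + 30 decimal digits.
const MAGIC_INPUTS = ['240610708', 'QNKCDZO'];

/** True if a hex digest would be parsed by PHP as 0 x 10^N, i.e. a magic hash. */
function is_magic_hash(string $hex): bool
{
    return preg_match('/^0+e\d+$/i', $hex) === 1;
}

/** Hypothetical vulnerable check: stored digest compared with == against md5 of user input. */
function token_matches_loose(string $stored_hash, string $user_supplied): bool
{
    return md5($user_supplied) == $stored_hash;   // numeric strings are compared as floats
}

/** Hypothetical hardened check: same bytes, same type, constant time. */
function token_matches_strict(string $stored_hash, string $user_supplied): bool
{
    return hash_equals($stored_hash, md5($user_supplied));
}

/** Constructed scenario: server stored a magic digest, attacker sends a different preimage. */
function demo(): array
{
    $stored = md5(MAGIC_INPUTS[0]);   // 0e462097431906509019562988736854
    $attack = MAGIC_INPUTS[1];        // md5 -> 0e830400451993494058024219903391

    return [
        'stored_is_magic'  => is_magic_hash($stored),              // true
        'attack_is_magic'  => is_magic_hash(md5($attack)),         // true
        'digests_identical'=> md5($attack) === $stored,            // false: different hashes
        'loose_bypass'     => token_matches_loose($stored, $attack),  // true  -> accepted
        'strict'           => token_matches_strict($stored, $attack), // false -> rejected
        // Even simpler: when the attacker controls the *other* side of a loose
        // comparison directly, the literal string "0" matches any magic digest.
        'zero_vs_digest'   => '0' == $stored,                      // true
        'zero_vs_digest_strict' => '0' === $stored,                // false
    ];
}

var_dump(demo());
```

The loose check accepts the attacker because both digests evaluate to 0.0, even though their bytes differ; the same weakness lets a plain "0" (or "0e1") stand in for an unknown digest whenever the attacker controls one operand of a == directly. The fix is to compare with === or, for secrets, hash_equals(), which is type-strict and also avoids the timing leak of a byte-by-byte string comparison. Since the odds that a random 32-hex-digit md5 is magic are small but not negligible, a loosely compared random token will eventually be bypassable given enough resets.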
As we have been able to demonstrate in this module, type juggling vulnerabilities provide us with another attack vector for PHP applications, one that is more likely to be overlooked by developers than better-known techniques such as SQL injection. Nevertheless, given the right circumstances, these vulnerabilities can be just as powerful, and we, as attackers, should always be looking out for the use of loose comparisons when reviewing PHP applications.