AWAE Course Syllabus

  1. 0.
  2. 0.1 About the AWAE Course
  3. 0.2 Our Approach
  4. 0.3 Obtaining Support
  5. 0.4 Legal
  6. 0.5 Offensive Security Labs
  7. 0.6 Backups
  8. 1.
  9. 1.1 Web Traffic Inspection
  10. 1.2 Interacting with Web Listeners with Python
  11. 1.3 Source Code Recovery
  12. 2.
  13. 2.1 Overview
  14. 2.2 Getting Started
  15. 2.3 Atmail Vulnerability Discovery
  16. 2.4 Session Hijacking
  17. 2.5 Session Riding
  18. 2.6 Gaining Remote Code Execution
  19. 2.7 Summary
  20. 3.
  21. 3.1 Overview
  22. 3.2 GetStarted
  23. 3.3 Initial Vulnerability Discovery
  24. 3.4 Brief Review of Blind SQL Injections
  25. 3.5 Digging Deeper
  26. 3.6 Data Exfiltration
  27. 3.7 Subverting the ATutor Authentication
  28. 3.8 Authentication Gone Bad
  29. 3.9 Bypassing File Upload Restrictions
  30. 3.10 Gaining Remote Code Execution
  31. 3.11 Summary
  32. 4.
  33. 4.1 Overview
  34. 4.2 Getting Started
  35. 4.3 PHP Loose and Strict Comparisons
  36. 4.4 PHPString Conversion to Numbers
  37. 4.5 Vulnerability Discovery
  38. 4.6 Attacking the Loose Comparison
  39. 4.7 Summary
  40. 5.
  41. 5.1 Overview
  42. 5.2 Getting Started
  43. 5.3 Vulnerability Discovery
  44. 5.4 Bypassing Character Restrictions
  45. 5.5 Blind Bats
  46. 5.6 Accessing the File System
  47. 5.7 PostgreSQL Extensions
  48. 5.8 UDF Reverse Shell
  49. 5.9 More Shells!!!
  50. 5.10 Summary
  51. 6.
  52. 6.1 Overview
  53. 6.2 Getting Started
  54. 6.3 The Bassmaster Plugin
  55. 6.4 Vulnerability Discovery
  56. 6.5 Triggering the Vulnerability
  57. 6.6 Obtaining a Reverse Shell
  58. 6.7 Summary
  59. 7.
  60. 7.1 Overview
  61. 7.2 Getting Started
  62. 7.3 Introduction
  63. 7.4 Serialization Basics
  64. 7.5 DotNetNuke Vulnerability Analysis
  65. 7.6 Payload Options
  66. 7.7 Putting It All Together
  67. 7.8 ysoserial.net
  68. 7.9 Summary

4. ATutor LMS Type Juggling Vulnerability

4.1 Overview

This module will cover the in-depth analysis and exploitation of a PHP Type Juggling vulnerability identified in ATutor.

4.2 Getting Started

In order to access the ATutor server, we have created a hosts file entry named “atutor” in our KaliLinux VM. We recommend making this configuration change in your Kali machine to follow along. Revert the ATutor virtual machine from your student control panel before starting your work.

In this module, the ATutor VM needs to be able to send emails so we will be using the Atmail VMas a SMTP relay. The ATutor VM already has Postfix installed but will need to be configured withthe correct IP address of your Atmail VM. In order to modify the Postfix configuration, you willneed to edit the /etc/postfix/transport file as the root user.

In order to access the rest of this course content, you must enroll in Offensive Security's Advanced Web Attacks and Exploitation online course.

  • Explore unique challenges and vulnerabilities related to web applications
  • Gain access to OffSec's innovative virtual labs for a unique, hands-on learning experience
  • Earn the highly sought-after Offensive Security Web Expert (OSWE) certification
  • 4.3 PHP Loose and Strict Comparisons

    As we saw earlier, ATutor version 2.2.1 contains a few interesting vulnerabilities that were worth exploring in depth. Besides the ones we have already discussed, this version of ATutor alsocontains a completely separate vulnerability that can be used to gain privileged access to the web application. In this case, the vulnerability revolves around the use of loose comparisons of user-controlled values, which results in the execution of implicit data type conversions, i.e. type juggling. Ultimately, this allows us to subvert the application logic and perform protectedoperations from an unauthenticated perspective.

  • 4.4 PHP String Conversion to Numbers

    While we briefly addressed loose comparison pitfalls in the previous section in general terms, we also need to take a look at the PHP rules for string to integer conversions to make better sense of them. Once again, we return to the PHP manual where we can find the following definitions:

    When a string is evaluated in a numeric context, the resulting value and type are determined as follows.If the string does not contain any of the characters ‘.’, ‘e’, or ‘E’ and the numericvalue fits into integer type limits (as defined by PHP_INT_MAX), the string will be evaluated as an integer. In all other cases it will be evaluated as a float. The value is given by the initial portion of the string. If the string starts with valid numeric data, this will be the value used. Otherwise, the value will be 0 (zero). Valid numeric data is an optional sign, followed by one or more digits (optionally containing a decimal point), followed by an optional exponent. The exponent is an ‘e’ or ‘E’ followed by one or more digits.
  • 4.5 Vulnerability Discovery

    In the previous ATutor module, a SQL injection vulnerability, combined with a flawed authentication logic implementation, allowed us to gain unauthorized privileged access to the vulnerable ATutor instance. However, that is not the only way that an attacker could use to gain the same level of access. An unauthenticated attacker could accomplish the same goal using a type juggling vulnerability.

  • 4.6 Attacking the Loose Comparison

    At this point in our analysis, we should be recalling what we have learned about PHP and scientific exponent notation from the previous section. The question though is: what is the practical value of this knowledge from the perspective of an attacker? For that, we need to expand the explored concepts a bit further and introduce the topic of Magic Hashes.

  • 4.7 Summary

    As we have been able to demonstrate in this module, type juggling vulnerabilities provide us with another attack vector for PHP applications that is more likely to get overlooked by developers than more commonly known techniques such as SQL injections. Nevertheless, given the right circumstances, these vulnerabilities can be just as powerful and we, as attackers, should alwaysbe looking out for the use of loose comparisons when reviewing PHP applications.

Menu
X Close

 

Certified Pentesting
Professional

OSCP
course starting at
$800 USD

Take Penetration Testing with Kali Linux to gain invaluable penetration testing skills and earn your OSCP.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSCP

Certified Pentesting
Expert

OSCE
course starting at
$1200 USD

Take Cracking the Perimeter to take your penetration testing skills to expert levels and earn your OSCE.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSCE

 

Certified Pentesting
Web Expert

OSWE
course starting at
$1400 USD

Take Advanced Web Attacks and Exploitation, to deep dive into web apps to earn your OSWE.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSWE

Certified Pentesting
Wireless Professional

OSWP
course starting at
$450 USD

Take Offensive Security Wireless Attacks to acquire knowledge about Wi-Fi attacks and earn your OSWP.

  • Self-paced, online course
  • Includes certification exam fee
  • Access innovative virtual labs
  • Hands-on experience
  • Become an OSWP

Certified Exploitation
Expert

OSEE
course starting at
See
Live Schedule

Take Advanced Windows Exploitation to develop exploits for Windows systems and earn your OSEE.

  • Live training course
  • Includes certification exam fee
  • Maximum instructor interaction
  • Highly challenging
  • Become an OSEE