Weak Session CTF STDiO 2022
Weak Session is a web challenge from the STDiO CTF Competition.
The site exposes its source as an editor backup file (index.php~), so we can read how it works.
After downloading index.php~, the flow is clear: when no session cookie is present, the site creates one with a 30-day expiry by calling the generate_cookie function, and on that first visit you see "Hello, new guy. Nice to meet you!". When the cookie is already set, the verify_cookie function is called instead.
generate_cookie builds $data from the cookie value '{"username":"user_[1-999]"}' (a random user number) and adds a signature by calling generate_signature, which hashes the text with SHA-256 and a secret key; the whole thing is then base64-encoded.
verify_cookie is meant to stop a user from tampering with the session.
At first I spent a lot of time on ?debug: with ?debug in the query string, the page shows the first 32 characters of the SHA-256 signature.
I tried to edit the session by changing the username to admin.
However, all I got was the first 32 characters of the signature, which is not the way to the flag.
I went back to review the code, and on line 29 I noticed something odd, so I searched for it.
What I found: in PHP, if (true == "text") evaluates to true, which means I might be able to bypass the signature check.
After that I set the signature to true (the JSON boolean, not the string "true") and base64-encoded the cookie.
At long last, I have the flag.
STDIO{PHP_th3_L3g3nd4ry_Juggl3r}
Conclusion
On line 29 ($new_signature == $signature), PHP's loose comparison converts both operands to the same type. With a JSON boolean in the cookie this becomes (signature == true), and any non-empty string other than "0" is true in PHP, so the computed signature "matches" no matter what username is in the cookie. A strict comparison (===) or hash_equals() would not be fooled.
The vulnerability class is PHP type juggling. Loose comparison is documented PHP behaviour rather than a bug in PHP itself; the fault is the developer's choice of == for a signature check.
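To show the cookie scheme and the bypass together, here is an added PHP model of the challenge as the write-up describes it (cookie generation, the loose check on line 29, and the forged cookie). This is not the challenge's index.php~: the secret key, the HMAC construction, the JSON layout and the function bodies are assumptions; only the == on the signature is taken from the write-up. A hardened verify_cookie_strict is included beside it for contrast.

```php
<?php
// Added example modelled on the write-up, not the challenge's own index.php~.
// SECRET_KEY, the HMAC construction and the JSON layout are assumptions.

const SECRET_KEY = 'assumed-secret-key';

// Assumption: "key and sha256" in the write-up is taken to mean an HMAC.
function generate_signature(string $data): string
{
    return hash_hmac('sha256', $data, SECRET_KEY);
}

// Builds the base64 cookie: {"username":"user_N","signature":"<64 hex chars>"}
function generate_cookie(string $username): string
{
    $payload = json_encode(['username' => $username]);
    $cookie = json_decode($payload, true);
    $cookie['signature'] = generate_signature($payload);
    return base64_encode(json_encode($cookie));
}

// Vulnerable check, modelled on line 29 of the challenge as quoted above.
function verify_cookie_loose(string $cookie_value): ?string
{
    $cookie = json_decode(base64_decode($cookie_value), true);
    if (!is_array($cookie) || !isset($cookie['username'], $cookie['signature'])) {
        return null;
    }
    $signature = $cookie['signature'];
    unset($cookie['signature']);
    $new_signature = generate_signature(json_encode($cookie));

    // Loose comparison: if $signature is the PHP boolean true (from a JSON
    // "signature":true), the hex string is converted to bool, and any
    // non-empty string other than "0" is true, so the check always passes.
    if ($new_signature == $signature) {
        return $cookie['username'];
    }
    return null;
}

// Hardened check: refuse non-string fields and compare in constant time.
function verify_cookie_strict(string $cookie_value): ?string
{
    $cookie = json_decode(base64_decode($cookie_value, true), true);
    if (!is_array($cookie) || !isset($cookie['username'], $cookie['signature'])) {
        return null;
    }
    if (!is_string($cookie['username']) || !is_string($cookie['signature'])) {
        return null;   // a JSON boolean or number can never be a valid signature
    }
    $signature = $cookie['signature'];
    unset($cookie['signature']);
    $new_signature = generate_signature(json_encode($cookie));

    // hash_equals() is strict about types and does not leak timing.
    if (hash_equals($new_signature, $signature)) {
        return $cookie['username'];
    }
    return null;
}

// Forged cookie as in the write-up: username changed to admin and the
// signature replaced by the JSON boolean true, then base64-encoded.
$forged = base64_encode('{"username":"admin","signature":true}');

// The loose check accepts the forged cookie as admin; the strict one rejects it.
var_dump(verify_cookie_loose($forged));
var_dump(verify_cookie_strict($forged));

// A legitimately generated cookie still passes the strict check.
var_dump(verify_cookie_strict(generate_cookie('user_42')));
```

Run it with php on the command line. The important detail is that the bypass needs the JSON literal true, not the string "true": a string-to-string comparison of "true" against the 64-character hex digest is false, while json_decode turns the bare true into a PHP boolean, which is what the loose == then matches.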
Related Articles:
https://web.facebook.com/STDiO-CTF-Competition-107647900663121/
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/README.md