PHP Type Juggling: Python Web Hacking | Natas: OverTheWire (Level 23)

John Hammond · Intermediate ·🔐 Cybersecurity ·7y ago

Key Takeaways

Uses a Python script to exploit a PHP type juggling vulnerability in Natas: OverTheWire (Level 23)

Full Transcript

Level 23 of Natas for the OverTheWire wargame gets into a little bit of PHP variable type misunderstanding. I'm actually looking at the source code in the web page here, because they're doing a little bit of the PHP highlight_file, where they throw a bunch of span characters or HTML stuff that's not that good to look at in Sublime Text, so I'm back in the website here in Firefox, in a web browser.

But we're determining, okay, if we've submitted to the form here, which asks us do we want to enter a password, and the PHP code tests if that key exists, if we've actually submitted the form: is there a strstr, or a string-string, whatever PHP function that is, and is the request password greater than 10. So this strstr looks like it's kind of comparing something like the requested password with a string, "I love you", and obviously both of these conditions must return true to actually be retrieving the credentials for the next level, the password for natas24.

So I wanted to check out what these things were. I wanted to see, okay, what is PHP strstr, and it looks like that will find the first occurrence of a string, and it will return part of the haystack string starting from and including the first occurrence of the needle to the end of the haystack. Okay. And that greater than 10 thing is interesting, because that's expecting that request password to be an integer, but we're using it as a string over here in this context. So how do we get around this?

The interesting thing is PHP type conversions. PHP doesn't entirely care what your variable really is; it all depends on what context you're using it in, or how you're testing things with it. PHP does not require or support explicit type definition in variable declarations; a variable's type is determined by the context in which the variable is being used. So that is to say, if a string value is assigned to variable var, var becomes a string; if an integer value is assigned to var, it becomes an integer. That's cool because it's dynamic type setting and stuff like that, but it's also interesting when you're using comparison operators or just assignment operators on them.

So I'll shut up and I'll show you what I mean. If we get back into our Python code, we'll go ahead and request this page with the get function, but if we wanted to post to this page we can change the method there, set data to have the password, and we'll set it to that string, "I love you". So this will return wrong, after I include a comment, or a comma, there, because we're not getting that same greater than 10 thing. In this case we're seeing that string "I love you", the string password, interpreted as a string, and when it's being tested as less than or greater than 10 it's just going to be nothing really, or a zero. I don't entirely know, I'll admit, what PHP will evaluate it to.

However, if we were to give it some numbers here, like if we were to say 10, PHP is going to start to think that this first part here, when you're interpreting it as a number, as an integer, that's going to be what takes precedence if you interpret it as a number. So, weird thing, right? What if I were to say "11 I love you"? Because 11 is greater than 10 and the "I love you" string is still in there, it'll return true on both of those cases: 11 is greater than 10, and "I love you" is in the string, it's returning that needle and the rest of the haystack. So it gets it just fine. Here we go: the credentials for the next level, the password for natas24. Okay, let's snag that.

But keep that in mind, because PHP type juggling is seen like everywhere in a lot of web challenges and in CTF-style stuff, and I'm sure you'll probably run into it in the wild, because PHP is still out there like crazy. So definitely keep that in mind: weird oddities with PHP. That stuff gets into like magic hashes, etc., and PHP is just a bundle of bugs depending on who you ask and what opinions you get. But that is the solution for Natas 23. Let's save this for a script for Natas 24 and we will move on to see what's next in this level. Are we getting the page? Perfect.

All right, thank you guys so much for watching. Hope you're enjoying these. If you did like the video, please do press that like button. If you want to comment, tell me what you think, what you like, what you didn't like, what I can do better, how much I suck, etc. If you want to subscribe, and if you would like to support me, please do check out my Patreon account. I want to send a special shout-out to the people that are supporting me already: Spencer Clark, thank you for supporting me on Patreon. I try to shout out everyone who does support me if they give anything more than just a dollar, and five dollars or more we'll let you all showcase everything that I upload to YouTube as early as I can, so even if it's scheduled for upload later I'll give it to you early access. So thanks for watching guys, see you soon.
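The behaviour described in the transcript, as an added example (not code from the video or from the Natas level): a simplified Python model of the PHP 5/7 string-to-integer coercion, the narrated check built on it, and a strict variant that validates type before comparing. `NEEDLE` (an assumed spelling of the phrase read aloud), the function names and the sample inputs are constructed here; PHP 8 changed how non-numeric strings compare with integers, so the model covers the older rule only.

```python
import hmac
import re

NEEDLE = "iloveyou"  # assumption: spelling of the phrase spoken in the video

# PHP 5/7 takes an optional-whitespace, optionally signed integer prefix.
# Simplification: decimal and exponent prefixes (also accepted by PHP) are ignored.
_INT_PREFIX = re.compile(r"[ \t\n\r\v\f]*[+-]?[0-9]+")


def php7_to_int(value: str) -> int:
    """Model of PHP 5/7 coercion in `$str > 10`: leading integer, else 0."""
    m = _INT_PREFIX.match(value)
    return int(m.group()) if m else 0


def weak_check(passwd: str) -> bool:
    """The check as narrated: substring match AND loose numeric comparison."""
    return NEEDLE in passwd and php7_to_int(passwd) > 10


def strict_int(value: str):
    """Digits-only validation, in the spirit of PHP's ctype_digit()."""
    return int(value) if re.fullmatch(r"[0-9]{1,9}", value) else None


def strict_check(phrase: str, number: str) -> bool:
    """Hardened form: one field per meaning, each validated as its own type."""
    n = strict_int(number)
    same = hmac.compare_digest(phrase.encode(), NEEDLE.encode())
    return same and n is not None and n > 10


def audit(samples):
    """Map each candidate input to whether the weak check accepts it."""
    return {s: weak_check(s) for s in samples}


# Constructed sample inputs, not taken from the page.
SAMPLES = ["iloveyou", "11", "11iloveyou", "9iloveyou", " 42 iloveyou"]

if __name__ == "__main__":
    for value, accepted in audit(SAMPLES).items():
        print(f"{value!r:16} coerces to {php7_to_int(value):3} accepted={accepted}")
```

In PHP itself the strict variant corresponds to validating the numeric field with `ctype_digit()` or `filter_var(..., FILTER_VALIDATE_INT)` before comparing, and matching the phrase with an exact comparison rather than `strstr`.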

Original Description

If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010 E-mail: johnhammond010@gmail.com PayPal: http://paypal.me/johnhammond010 GitHub: https://github.com/JohnHammond Site: http://www.johnhammond.org Twitter: https://twitter.com/_johnhammond