
Speedruns

I'd like to give you a quick flurry of CTF web exploits that are worth knowing about:

Local File Inclusion

It's common for a loophole in the setup of an app to give you access to files you shouldn't be able to read.

When that happens, fish around for flag.txt or ../../../../etc/passwd, or look at your own server's file structure, decide where the goods would live, and fish for that.

Flag 1: https://dtctf.herokuapp.com/

A variation: an exposed .git directory

I think I'll just let the flag speak for itself:

Flag 2: https://pswd.fsg.opalstacked.com/

Type Juggling

So PHP type juggling is funky:

Classic Stuff

Serialization

A common exploit comes from unpickling (deserializing) untrusted payloads. Here's what I mean:

Often we need to store state as text, like a JSON object in localStorage or data in a cookie, and the program must later parse that object. The issue is that most of the time the user can tamper with that object, and there are nefarious consequences when a malicious object gets unserialized (unpickled).
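As an added example (not from these notes or any of the linked challenges), here are two defensive ways to handle user-controlled serialized state such as a cookie: sign JSON with an HMAC so tampering is detected, and, where pickle cannot be dropped, refuse to resolve globals so a pickle naming a callable fails before anything runs. The key, function names and sample pickles are constructed for illustration.

```python
import hashlib
import hmac
import io
import json
import pickle

SECRET = b"constructed-demo-key"  # hypothetical server-side key, never sent to the client


def sign_state(state: dict, key: bytes = SECRET) -> str:
    """Serialize as JSON (loading JSON never executes code) and append an HMAC tag."""
    body = json.dumps(state, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def load_state(cookie: str, key: bytes = SECRET):
    """Return the state dict, or None if the tag is missing or does not match."""
    body, sep, tag = cookie.rpartition(".")  # the tag is hex, so the last dot splits it off
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(body)


class RestrictedUnpickler(pickle.Unpickler):
    """For code that cannot drop pickle: refuse to resolve any global, so a pickle
    that tries to import a module-level callable fails before it is invoked."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def pickle_is_rejected(data: bytes) -> bool:
    """True if the restricted loader refuses the data (it references a global)."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed samples: plain data unpickles fine; a pickle naming a function does not.
SAFE_PICKLE = pickle.dumps({"user": "guest", "roles": [1, 2]})
GLOBAL_PICKLE = pickle.dumps(json.loads)  # harmless stand-in for any callable reference
```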

Here are several articles we're going to look over quickly:

Dig this Python article.

Now let's look at these one by one.

https://www.evonide.com/fuzzing-unserialize/

My version: https://pickledrick.herokuapp.com/

OK, let's do it. Head to http://websec.fr/ and tackle level 20. Here's a HUGE hint. The payload to get unserialized is: (check the source when you're ready; don't spin your wheels for too long).

You can also try problems 4 and 18 for practice.

Here is a more complex writeup: https://medium.com/bugbountywriteup/fireshell-ctf-2019-web-vice-writeup-2deee8d82556