This article is about how PHP type juggling and exploiting the Lottery challenge from SHU-CTF<\/a>.<\/p>\n\n\n\n
This challenge is hosted at http:\/\/120.79.191.75\/web-test\/lottery\/index.php<\/a> They were nice enough to provide us with the source code of the challenge. in api.php there is a function that will compare the winning lottery numbers against the user picked numbers. (api.php line 80)<\/p>\n\n\n\n The vulnerability lays in the comparison of the following line. A loose comparison == is used instead of a strict comparison ===<\/p>\n\n\n\n This means that if I am able to send true<\/em> instead a number it will match 1,2,3,4,5,6,7,8 and 9 the only number it won’t match is 0.<\/p>\n\n\n\n The only restrictions on the input is done on the client side. (buy.php line 7)<\/p>\n\n\n\n and the json is build up and ajax request send in buy.js (line 1)<\/p>\n\n\n\n I could just boot up burp suit and intercept and modify the requests. First get our self a session going by registering at http:\/\/120.79.191.75\/web-test\/lottery\/register.php<\/a> <\/p>\n\n\n\n After registering it will redirect you to the buy.php page. just enter any 7 numbers into the box next to the buy button on the page. now change line 12 from: press CTRL+S to activate the modified script.<\/p>\n\n\n\n And click the buy button until you have enough money to buy me a beer.<\/p>\n\n\n\n SHU-CTF – lottery Sorry about the Click-bait title.This article is about how PHP type juggling and exploiting the Lottery challenge from SHU-CTF. This challenge is hosted at http:\/\/120.79.191.75\/web-test\/lottery\/index.phpand at the time of writing still online. Finding the vulnerability They were nice enough to provide us with the source code of the challenge. So lets start … Lees “Juggling to win a Lottery!”<\/span> verder<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,3],"tags":[23,21,22,8],"class_list":["post-88","post","type-post","status-publish","format-standard","hentry","category-shu-ctf","category-writeups","tag-burpsuit","tag-php","tag-typejuggling","tag-web"],"_links":{"self":[{"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/posts\/88","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/comments?post=88"}],"version-history":[{"count":9,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/posts\/88\/revisions"}],"predecessor-version":[{"id":102,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/posts\/88\/revisions\/102"}],"wp:attachment":[{"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/media?parent=88"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/categories?post=88"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/robertmccallum.nl\/index.php\/wp-json\/wp\/v2\/tags?post=88"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
and at the time of writing still online.<\/p>\n\n\n\nFinding the vulnerability <\/h5>\n\n\n\n
So lets start by checking how things work and see if we can find some bugs.<\/p>\n\n\n\nfunction buy($req){\n\trequire_registered();\n\trequire_min_money(2);\n\n\t$money = $_SESSION['money'];\n\t$numbers = $req['numbers'];\n\t$win_numbers = random_win_nums();\n\t$same_count = 0;\n\tfor($i=0; $i<7; $i++){\n\t\tif($numbers[$i] == $win_numbers[$i]){\n\t\t\t$same_count++;\n\t\t}\n\t}\n\tswitch ($same_count) {\n\t\tcase 2:\n\t\t\t$prize = 5;\n\t\t\tbreak;\n\t\tcase 3:\n\t\t\t$prize = 20;\n\t\t\tbreak;\n\t\tcase 4:\n\t\t\t$prize = 300;\n\t\t\tbreak;\n\t\tcase 5:\n\t\t\t$prize = 1800;\n\t\t\tbreak;\n\t\tcase 6:\n\t\t\t$prize = 200000;\n\t\t\tbreak;\n\t\tcase 7:\n\t\t\t$prize = 5000000;\n\t\t\tbreak;\n\t\tdefault:\n\t\t\t$prize = 0;\n\t\t\tbreak;\n\t}\n\t$money += $prize - 2;\n\t$_SESSION['money'] = $money;\n\tresponse(['status'=>'ok','numbers'=>$numbers, 'win_numbers'=>$win_numbers, 'money'=>$money, 'prize'=>$prize]);\n}<\/pre>\n\n\n\nif($numbers[$i] == $win_numbers[$i]){ $same_count++; }
<\/pre>\n\n\n\n![\"\"](\"http:\/\/robertmccallum.nl\/wp-content\/uploads\/2019\/02\/phploose.png\")
<\/a><\/figure>\n\n\n\n<input type=\"text\" name=\"numbers\" id=\"numbers\" minlength=\"7\" maxlength=\"7\" pattern=\"\\d{7}\" required placeholder=\"7 numbers\"><\/pre>\n\n\n\nfunction buy(){
$('#wait').show();
$('#result').hide();
var input = $('#numbers')[0];
if(input.validity.valid){
var numbers = input.value;
$.ajax({
method: \"POST\",
url: \"api.php\",
dataType: \"json\",
contentType: \"application\/json\",
data: JSON.stringify({ action: \"buy\", numbers: numbers })
}).done(function(resp){
if(resp.status == 'ok'){
show_result(resp);
} else {
alert(resp.msg);
}
})
} else {
alert('invalid');
}
$('#wait').hide();
}<\/pre>\n\n\n\nexploiting the vulnerability <\/h5>\n\n\n\n
or craft some curl requests. But for the sake of simplicity I’ll use my browsers debugger.<\/p>\n\n\n\n![\"\"](\"http:\/\/robertmccallum.nl\/wp-content\/uploads\/2019\/02\/reg.png\")
<\/figure>\n\n\n\n
Hit ‘f12’ to open up the debugging console in your browser.
<\/p>\n\n\n\n![\"\"](\"http:\/\/robertmccallum.nl\/wp-content\/uploads\/2019\/02\/debug-1024x331.png\")
<\/a><\/figure>\n\n\n\n
and go to the sources tab in the debugger and open ‘js\/buy.js’<\/em><\/p>\n\n\n\ndata: JSON.stringify({ action: \"buy\", numbers: numbers })<\/code>
to:data: JSON.stringify({ action: \"buy\", numbers: [true,true,true,true,true,true,true] })<\/code>
<\/p>\n\n\n\n![\"\"](\"http:\/\/robertmccallum.nl\/wp-content\/uploads\/2019\/02\/winner-1024x330.png\")
<\/a>