web

Pwning PHP CTF Challenges

Short list and collection of links to learn about vulns used in PHP CTF Challenges

Ankur Sundara

Dec 31, 2018 • 2 min read

This is a short "guide", or list of common PHP vulnerabilties you'll find in CTF challenges. Please note that this guide is not tailored towards real-world PHP applications!

The best way to get practice with a lot of these vulnerabilities is the websec.fr wargame!

1. SQL Injection

Tons of PHP applications are vulnerable to SQL injection, even in the real world! Biggest reason for this? Tons of old PHP "database tutorials" used code samples that were vulnerable to SQL injection. Also, PHP is an easy beginners language, many devs are self-taught, and do not have any security knowledge.

Note that these challenges mostly test your knowledge of SQL, not of PHP.

Reading Links:

Intro: https://ctf101.org/web-exploitation/sql-injection/what-is-sql-injection/
Intro: https://en.wikipedia.org/wiki/SQL_injection#Incorrectly_filtered_escape_characters
Hands-On Testing: https://github.com/ryotosaito/beginner-sqli
Challenge Writeup: https://github.com/ctfs/write-ups-2014/tree/master/pico-ctf-2014/web-exploitation/injection-3-130
Challenge Writeup: https://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
Tips & Tricks: https://medium.com/bugbountywriteup/sql-injection-in-ctf-bef1ae0c5d9b
Tips & Tricks: https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF

2. RFI/LFI

Remote file inclusion and local file inclusion vulnerabilities are abundant in PHP due to its stream wrappers api. Learn how to use it!

Any time code uses include, fopen, file_get_contents, file_put_contents, require_once or a whole host of other functions, it is potentially vulnerable!

Reading Links:

3. Type Errors/Type Juggling

PHP has no type safety, and developers must check every type with function calls such as is_string to ensure parameters are the correct type. Unfortunately, developers are often lazy or forget to perform these checks.

One common way to exploit this is passing a HTTP parameter as an array instead of a string.

For example, the site may read the request parameter $_GET['q']. Normally, this is a string, as it is in the url: http://vulnerable.site/search.php?q=hello. But, you can pass in an array instead via a requirest such as: http://vulnerable.site/search.php?q[0]=hello&q[1]=world

Type juggling is another (similar) vulnerability where comparisons are made with == instead of ===, and automatic type conversion occurs. This can lead to exploitable bugs within the application.

Reading Links:

4. Object Unserialization Injection

As usual, arbitrary object unserialization isn't safe. You can inject arbitrary objects to trigger logical bugs, or potentially call certain magic methods inside the PHP application.

Reading Links:

5. Other Misc. Stuff

I'll be adding to this list as I see new things...

Sandbox escaping: http://blog.dornea.nu/2016/06/20/ringzer0-ctf-jail-escaping-php/
Null byte injection: http://php.net/manual/en/security.filesystem.nullbytes.php
XXE attack (XML injection): https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE injection
preg_replace /e flag: https://bitquark.co.uk/blog/2013/07/23/the_unexpected_dangers_of_preg_replace