Updates php/challenge-90.md

Auto commit by GitBook Editor

Author: CHYbeta

SUMMARY.md

@@ -80,10 +80,20 @@
 * [Challenge 74](php/challenge-74.md)
 * [Challenge 75](php/challenge-75.md)
 * [Challenge 76](php/challenge-76.md)
-* Challenge 77
+* [Challenge 77](php/challenge-77.md)
 * [Challenge 78](php/challenge-78.md)
 * [Challenge 79](php/challenge-79.md)
 * [Challenge 80](php/challenge-80.md)
+* [Challenge 81](php/challenge-81.md)
+* [Challenge 82](php/challenge-82.md)
+* [Challenge 83](php/challenge-83.md)
+* [Challenge 84](php/challenge-84.md)
+* [Challenge 85](php/challenge-85.md)
+* [Challenge 86](php/challenge-86.md)
+* [Challenge 87](php/challenge-87.md)
+* [Challenge 88](php/challenge-88.md)
+* [Challenge 89](php/challenge-89.md)
+* [Challenge 90](php/challenge-90.md)
 
 ## RUBY
 

php/challenge-75.md

@@ -1,9 +1,45 @@
 # Challenge
 ```php 
+class Template {
+    public $cacheFile = '/tmp/cachefile';
+    public $template = '<div>Welcome back %s</div>';
 
+    public function __construct($data = null) {
+        $data = $this->loadData($data);
+        $this->render($data);
+    }
+
+    public function loadData($data) {
+        if (substr($data, 0, 2) !== 'O:'
+        && !preg_match('/O:\d:\/', $data)) {
+            return unserialize($data);
+        }
+        return [];
+    }
+
+    public function createCache($file = null, $tpl = null) {
+        $file = $file ?? $this->cacheFile;
+        $tpl = $tpl ?? $this->template;
+        file_put_contents($file, $tpl);
+    }
+
+    public function render($data) {
+        echo sprintf(
+            $this->template,
+            htmlspecialchars($data['name'])
+        );
+    }
+
+    public function __destruct() {
+        $this->createCache();
+    }
+}
+
+new Template($_COOKIE['data']);
 ```
 
 # Solution
+This challenge contains an PHP object injection vulnerability. In line 13 an attacker is able to pass user input into the unserialize() function by altering his cookie data. There are two checks in line 11 and 12 that try to prevent the deserialization of objects. The first check can be easily circumvented, for example by injecting an object into an array, leading to a payload string beginning with a:1: instead of O:. The second check can be bypassed by abusing PHP's flexible serialization syntax. It is possible to use the syntax O:+1: to bypass this regex. Finally, this means an attacker can inject an object of class Template into the application. After the serialized form is deserialized and the Template object is instantiated, its destructor is called when the script terminates (line 31). Now, the attacker controlled properties cacheFile and template of the injected object are used to write to a file in line 21. Thus, the attacker can create arbitraries files on the file system, for example a PHP shell in the document root: a:1:{i:0;O:%2b8:"Template":2:{s:9:"cacheFile";s:14:"/var/www/a.php";s:8:"template";s:16:"<?php%20phpinfo();";}} More information about this attack can be found in our blog posts.
 
 # Refference
-+ php-security-calendar-2017 
++ php-security-calendar-2017 Day 11 - Pumpkin Pie

php/challenge-76.md

@@ -1,9 +1,23 @@
 # Challenge
 ```php 
+$sanitized = [];
 
+foreach ($_GET as $key => $value) {
+    $sanitized[$key] = intval($value);
+}
+
+$queryParts = array_map(function ($key, $value) {
+    return $key . '=' . $value;
+}, array_keys($sanitized), array_values($sanitized));
+
+$query = implode('&', $queryParts);
+
+echo "<a href='/images/size.php?" .
+    htmlentities($query) . "'>link</a>";
 ```
 
 # Solution
+There is a cross-site scripting vulnerability in line 13. This bug depends on the fact that the keys of the $_GET array (the GET parameter names) are not sufficiently sanitized in the code. Both the keys and the sanitized GET values are passed to the href attribute of the <a> tag as a concatenated string. The sanitizer htmlentities() is used, however, single quotes are not affected by default by this built-in function. Hence, an attacker is able to perform an XSS attack against the user, for example using the following query parameter that breaks the href attribute and appends an eventhandler with JavaScript code: /?a'onclick%3dalert(1)%2f%2f=c. Note that the payload is within the parameter name, not the parameter value.
 
 # Refference
-+ php-security-calendar-2017 
++ php-security-calendar-2017 Day 12 - String Lights

php/challenge-77.md

@@ -0,0 +1,46 @@
+# Challenge
+```php 
+class LoginManager {
+    private $em;
+    private $user;
+    private $password;
+
+    public function __construct($user, $password) {
+        $this->em = DoctrineManager::getEntityManager();
+        $this->user = $user;
+        $this->password = $password;
+    }
+
+    public function isValid() {
+        $user = $this->sanitizeInput($this->user);
+        $pass = $this->sanitizeInput($this->password);
+        
+        $queryBuilder = $this->em->createQueryBuilder()
+            ->select("COUNT(p)")
+            ->from("User", "u")
+            ->where("user = '$user' AND password = '$pass'");
+        $query = $queryBuilder->getQuery();
+        return boolval($query->getSingleScalarResult());
+    }
+	
+    public function sanitizeInput($input, $length = 20) {
+        $input = addslashes($input);
+        if (strlen($input) > $length) {
+            $input = substr($input, 0, $length);
+        }
+        return $input;
+    }
+}
+
+$auth = new LoginManager($_POST['user'], $_POST['passwd']);
+if (!$auth->isValid()) {
+    exit;
+}
+```
+
+# Solution
+Today's challenge contains a DQL (Doctrine Query Language) injection vulnerability in line 19. A DQL injection is similar to a SQL injection but more limited, nonetheless the where() method of Doctrine is vulnerable. In line 13 and 14 sanitization is added to the input, however, the sanitizeInput() method has a bug. First, it uses addslashes() for escaping relevant characters by adding a backslash \ infront of them. In this case if we pass a \ as input, it get escaped to \\. But then, the substr() function is used to truncate the escaped string. This enables an attacker to send a string that is long enough that the escaped backslash is cut off and we are left with a single \ at the end of the string. This will then break the WHERE statement and allows the injection of own DQL syntax, for example the condition OR 1=1 that is always true and bypasses the authentication: user=1234567890123456789\&passwd=%20OR%201=1-. The resulting WHERE statement will look like user = '1234567890123456789\' AND password = ' OR 1=1-' in DQL. Note how the backslash confuses the quotes and allows to inject DQL into the password value. The resulting query does not look valid because of the trailing slash. Fortunately, Doctrine closes the last single quote on its own, so the resulting query looks like OR 1=1-''.
+To avoid DQL injections always use bound parameters for dynamic conditions. Never try to secure a DQL query with addslashes() or similar functions. Additionally, the password should be stored hashed in the database, for example in the BCrypt format.
+
+# Refference
++ php-security-calendar-2017 Day 13 - Turkey Baster

php/challenge-78.md

@@ -0,0 +1,31 @@
+# Challenge
+```php 
+class Carrot {
+    const EXTERNAL_DIRECTORY = '/tmp/';
+    private $id;
+    private $lost = 0;
+    private $bought = 0;
+
+    public function __construct($input) {
+        $this->id = rand(1, 1000);
+
+        foreach ($input as $field => $count) {
+            $this->$field = $count++;
+        }
+    }
+
+    public function __destruct() {
+        file_put_contents(
+            self::EXTERNAL_DIRECTORY . $this->id,
+            var_export(get_object_vars($this), true)
+        );
+    }
+}
+
+$carrot = new Carrot($_GET);
+```
+
+# Solution
+
+# Refference
++ php-security-calendar-2017 Day 14 - Snowman

php/challenge-79.md

@@ -1,9 +1,31 @@
 # Challenge
 ```php 
+class Redirect {
+    private $websiteHost = 'www.example.com';
 
+    private function setHeaders($url) {
+        $url = urldecode($url);
+        header("Location: $url");
+    }
+
+    public function startRedirect($params) {
+        $parts = explode('/', $_SERVER['PHP_SELF']);
+        $baseFile = end($parts);
+        $url = sprintf(
+            "%s?%s",
+            $baseFile,
+            http_build_query($params)
+        );
+        $this->setHeaders($url);
+    }
+}
+
+if ($_GET['redirect']) {
+    (new Redirect())->startRedirect($_GET['params']);
+}
 ```
 
 # Solution
 
 # Refference
-+ php-security-calendar-2017 
++ php-security-calendar-2017 Day 15 - Sleigh Ride

php/challenge-81.md

@@ -0,0 +1,9 @@
+# Challenge
+```php 
+
+```
+
+# Solution
+
+# Refference
++ php-security-calendar-2017 

php/challenge-82.md

@@ -0,0 +1,9 @@
+# Challenge
+```php 
+
+```
+
+# Solution
+
+# Refference
++ php-security-calendar-2017 

php/challenge-83.md

@@ -0,0 +1,9 @@
+# Challenge
+```php 
+
+```
+
+# Solution
+
+# Refference
++ php-security-calendar-2017 

php/challenge-84.md

@@ -0,0 +1,9 @@
+# Challenge
+```php 
+
+```
+
+# Solution
+
+# Refference
++ php-security-calendar-2017