Updates php/challenge-74.md

CHYbeta · CHYbeta · commit 7ad8b402c83a · 2017-12-28T12:55:56.000+08:00
Auto commit by GitBook Editor
diff --git a/SUMMARY.md b/SUMMARY.md
@@ -71,6 +71,13 @@
 * [Challenge 65](php/challenge-65.md)
 * [Challenge 66](php/challenge-66.md)
 * [Challenge 67](php/challenge-67.md)
+* [Challenge 68](php/challenge-68.md)
+* [Challenge 69](php/challenge-69.md)
+* [Challenge 70](php/challenge-70.md)
+* [Challenge 71](php/challenge-71.md)
+* [Challenge 72](php/challenge-72.md)
+* [Challenge 73](php/challenge-73.md)
+* [Challenge 74](php/challenge-74.md)
 
 ## RUBY
 
diff --git a/php/challenge-68.md b/php/challenge-68.md
@@ -0,0 +1,30 @@
+# Challenge 
+```
+class Login {
+    public function __construct($user, $pass) {
+        $this->loginViaXml($user, $pass);
+    }
+
+    public function loginViaXml($user, $pass) {
+        if (
+            (!strpos($user, '<') || !strpos($user, '>')) &&
+            (!strpos($pass, '<') || !strpos($pass, '>'))
+        ) {
+            $format = '<?xml version="1.0"?>' .
+                      '<user v="%s"/><pass v="%s"/>';
+            $xml = sprintf($format, $user, $pass);
+            $xmlElement = new SimpleXMLElement($xml);
+            // Perform the actual login.
+            $this->login($xmlElement);
+        }
+    }
+}
+
+new Login($_POST['username'], $_POST['password']);
+```
+
+# Solution
+This challenge suffers from an XML injection vulnerability in line 14. An attacker can manipulate the XML structure and hence bypass the authentication. There is an attempt to prevent exploitation in lines 8 and 9 by searching for angle brackets but the check can be bypassed with a specifically crafted payload. The bug in this code is the automatic casting of variables in PHP. The PHP built-in function strpos() returns the numeric position of the looked up character. This can be 0 if the first character is the one searched for. The 0 is then type-casted to a boolean false for the if comparison which renders the overall constraint to true. A possible payload could look like user=<"><injected-tag%20property="&pass=<injected-tag>.
+
+# Refference
++ php-security-calendar-2017 
diff --git a/php/challenge-69.md b/php/challenge-69.md
@@ -0,0 +1,8 @@
+# Challenge
+```php 
+```
+
+# Solution
+
+# Refference
++ php-security-calendar-2017 
diff --git a/php/challenge-70.md b/php/challenge-70.md
@@ -0,0 +1,8 @@
+# Challenge
+```php 
+```
+
+# Solution
+
+# Refference
++ php-security-calendar-2017 
diff --git a/php/challenge-71.md b/php/challenge-71.md
@@ -0,0 +1,8 @@
+# Challenge
+```php 
+```
+
+# Solution
+
+# Refference
++ php-security-calendar-2017 
diff --git a/php/challenge-72.md b/php/challenge-72.md
@@ -0,0 +1,8 @@
+# Challenge
+```php 
+```
+
+# Solution
+
+# Refference
++ php-security-calendar-2017 
diff --git a/php/challenge-73.md b/php/challenge-73.md
@@ -0,0 +1,8 @@
+# Challenge
+```php 
+```
+
+# Solution
+
+# Refference
++ php-security-calendar-2017 
diff --git a/php/challenge-74.md b/php/challenge-74.md
@@ -0,0 +1,8 @@
+# Challenge
+```php 
+```
+
+# Solution
+
+# Refference
++ php-security-calendar-2017 
