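PHP type juggling
Occurs when PHP mistreats data types, resulting in unintended output.
e.g.: "1" + 2 = 3
("Puppies" == 0) -> True
If a string is empty, or has no leading digits like "Puppies", it becomes 0 when converted to an integer. This comparison is True on PHP versions before 8.0; PHP 8 compares a number with a non-numeric string as strings, so it is False there.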
== Operator
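$secret_password = "mYs3cr3tP@ssw0rd";
// User input that reaches the comparison as a number, e.g. from decoded JSON.
// (Written in quotes, as the string "0e12345678", PHP compares two strings
// here and access is denied.)
$input_password = 0e12345678;
if ($secret_password == $input_password) {
    echo "Access granted!"; // reached on PHP versions before 8.0
} else {
    echo "Access denied!";
}
0e12345678 is scientific notation for 0 multiplied by 10 to the power of 12345678, which is 0.
Therefore
("mYs3cr3tP@ssw0rd" == 0) -> True
= Operator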
PHP will treat both "admin" and "adminer" as strings. This is because the value "admintest" is assigned to username, and any non-empty string is considered true in a boolean context.
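For the == comparisons discussed above, the following added example (not part of the original notes) runs a loose check and a hardened check over the same inputs. The token value, the function names looseCheck and strictCheck, and the input list are constructed for illustration.

```php
<?php
// Added example: all values below are constructed for illustration.

// Digest-shaped string that PHP also accepts as a numeric string (0 x 10^n).
const STORED_TOKEN = '0e111122223333444455556666777788';
const STORED_PASSWORD = 'mYs3cr3tP@ssw0rd'; // password from the snippet above

// Vulnerable form: == lets PHP convert the operands before comparing.
function looseCheck(string $stored, $input): bool
{
    return $stored == $input;
}

// Hardened form: reject non-strings, then compare byte for byte in
// constant time. hash_equals() never converts its arguments to numbers.
function strictCheck(string $stored, $input): bool
{
    return is_string($input) && hash_equals($stored, $input);
}

// Inputs as they might arrive from a form (strings) or decoded JSON (numbers).
$inputs = ['0e12345678', '0', 0, 'Puppies', STORED_TOKEN, STORED_PASSWORD];

printf("PHP %s\n", PHP_VERSION);
foreach ([STORED_TOKEN, STORED_PASSWORD] as $stored) {
    foreach ($inputs as $input) {
        printf(
            "stored=%-34s input=%-36s loose=%-5s strict=%s\n",
            var_export($stored, true),
            var_export($input, true),
            var_export(looseCheck($stored, $input), true),
            var_export(strictCheck($stored, $input), true)
        );
    }
}
```

Two numeric strings compare as numbers under == on both PHP 7 and PHP 8, while the row pairing the non-numeric password with the integer 0 differs between the two versions. For real passwords, store the output of password_hash() and check it with password_verify() rather than comparing strings.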
References : https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09