The source for this corporate zero-trust multi factor login portal has been leaked! Figure out how to defeat the super-secure one time code.
Source Code
index.php:
```php
<?php
include 'class/User.php';

if (!empty($_POST)) {
    // serialise POST data for easy logging
    $loginAttempt = serialize((object)$_POST);
    // log access
    //Logger::log(Logger::SENSITIVE, 'Login attempt: ' . $loginAttempt);
    // Hand over to federation login
    // TODO currently just a mock up
    // TODO encrypt information to avoid loos of confidentiality
    header('Location: /?userdata=' . base64_encode($loginAttempt));
    die();
}

if (!empty($_GET) && isset($_GET['userdata'])) {
    // prepare notification data structure
    $notification = new stdClass();
    // check credentials & MFA
    try {
        $user = new User(base64_decode($_GET['userdata']));
        if ($user->verify()) {
            $notification->type = 'success';
            $notification->text = 'Congratulations, your flag is: ' . file_get_contents('/flag.txt');
        } else {
            throw new InvalidArgumentException('Invalid credentials or MFA token value');
        }
    } catch (Exception $e) {
        $notification->type = 'danger';
        $notification->text = $e->getMessage();
    }
}

include 'template/home.html';
```
MFA: Vulnerable to PHP object injection (unserialize() vulnerability)
The trick here is to initialize the mfa attribute as a reference to the _correctValue attribute (using the ampersand operator &). Because the userdata blob is unserialized verbatim from the request, the attacker controls the object's shape, references included; once mfa aliases _correctValue, the two properties hold the same value no matter what random code the server generates, so the MFA check, which compares mfa against a randomly generated _correctValue, always passes:
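As an added example (not part of the challenge source or of this writeup), a hardened form of the userdata round trip that removes both conditions the bypass relies on. It assumes the unseen class/User.php unserializes the blob and compares the object's own mfa and _correctValue properties; SIGNING_KEY and the sample code are placeholders.

```php
<?php
// Added example, not the challenge's code. Two defects enable the bypass:
//   1. unserialize() runs on attacker-controlled bytes, so the object's shape
//      (including PHP references between properties) is attacker-chosen.
//   2. The "correct" value travels inside that same object, so the check ends
//      up comparing two attacker-controlled fields.
// Fix: carry plain data only (JSON, never serialize()), sign it so the redirect
// round trip cannot be tampered with, and keep the expected code server-side.

const SIGNING_KEY = 'replace-with-server-secret';   // placeholder: load from config

function pack_userdata(array $post): string {
    // Only scalar fields survive; no object graph, no references.
    $json = json_encode([
        'username' => (string)($post['username'] ?? ''),
        'mfa'      => (string)($post['mfa'] ?? ''),
    ]);
    $mac = hash_hmac('sha256', $json, SIGNING_KEY);
    return base64_encode($mac . '.' . $json);
}

function unpack_userdata(string $blob): ?array {
    $raw = base64_decode($blob, true);
    if ($raw === false || strpos($raw, '.') === false) {
        return null;
    }
    [$mac, $json] = explode('.', $raw, 2);
    if (!hash_equals(hash_hmac('sha256', $json, SIGNING_KEY), $mac)) {
        return null;                            // tampered or forged blob
    }
    $data = json_decode($json, true);           // assoc array, never unserialize()
    return is_array($data) ? $data : null;
}

function verify_mfa(array $data, string $expectedCode): bool {
    // $expectedCode is issued and stored server-side (session, TOTP secret),
    // never inside the client blob, so there is nothing for mfa to alias.
    $submitted = $data['mfa'] ?? '';
    return is_string($submitted) && hash_equals($expectedCode, $submitted);
}

// Usage with constructed input (placeholder code, normally kept in the session).
$expected = '482913';
$blob     = pack_userdata(['username' => 'alice', 'mfa' => '482913']);
$ok       = verify_mfa(unpack_userdata($blob) ?? [], $expected);   // genuine submission
$tampered = base64_encode('deadbeef.' . json_encode(['mfa' => '000000']));
$rejected = unpack_userdata($tampered);   // null: HMAC mismatch, never reaches verify_mfa()
```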