backdoorCTF 2014 - web200 writeup
Sunday, 23 March 2014، 03:01 AM
So, here's the PHP file in charge of authentication: See how line 12 is a conditional time-consuming statement. That may be (ab)used to launch a side channel attack: The amount of time a request takes to get processed is relative to the length of matched key prefix.
We may iterate over different characters until we observe significant (~200ms) increase in response time. That means we have that prefix matched, and we may continue to the remaining part.
Let's exploit it then:
Notes in the code:
- You MUST use keep-alive to reuse the TCP connection for different requests, so that the network latency effect (which may be pretty random in case of TCP handshakes) is minimized
- I've sent multiple requests to avoid random network glitches resulting in outcome-fuckery
