TechQA.

Type-juggling in php: bypass a comparison with non-empty array

275 views Asked by At

On an CTF for my web-security-class I was able to find following php-code on the server

<?php 
        $user = array("user" => "admin");
        $secret = random_bytes(20);
          if (isset($_GET["usr"]) and isset($_GET["pwd"]))  {
            if ($_GET["usr"] == $user) {
              if (! strcmp($_GET["pwd"], $secret)) {
                echo var_dump(scandir($_GET["path"][1]));
              } else {
                echo "Wrong pwd!";
              }
            } else {
              echo "You are so close!";
            }
          }
?>

What payload do I have to send in order to bypass the $_GET["usr"] == $user comparison?

I tried sending NULL as "%00", also "0" and "1" because I guess that the weak ==-comparison could open up some type-juggling possibilities, but it didn't work.

php ctf array-comparison
Original Q&A
1

There are 1 answers

0
AymDev On BEST ANSWER

The $user variable is an array. GET data can contain arrays, you can use the right syntax to "bypass" the condition:

?usr[user]=admin

I don't think you can make use of type juggling here.

Related Questions in PHP

Related Questions in CTF

Related Questions in ARRAY-COMPARISON

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions