Type-juggling in php: bypass a comparison with non-empty array

On a CTF for my web security class I was able to find the following PHP code on the server:

<?php
$user = array("user" => "admin");
$secret = random_bytes(20);
if (isset($_GET["usr"]) and isset($_GET["pwd"])) {
    if ($_GET["usr"] == $user) {
        if (! strcmp($_GET["pwd"], $secret)) {
            echo var_dump(scandir($_GET["path"][1]));
        } else {
            echo "Wrong pwd!";
        }
    } else {
        echo "You are so close!";
    }
}
?>

What payload do I have to send in order to bypass the $_GET["usr"] == $user comparison?

I tried sending NULL as "%00", also "0" and "1" because I guess that the weak ==-comparison could open up some type-juggling possibilities, but it didn’t work.


>Solution :

The $user variable is an array. GET data can contain arrays; you can use the right syntax to "bypass" the condition:

?usr[user]=admin

I don’t think you can make use of type juggling here.
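The following is an added example, not part of the original question or answer. It shows why the `==` check passes once PHP turns the bracket syntax into an array, next to a type-checked comparison that rejects it. The `string_param` helper, the sample query strings, and the assumption that the intended username is the string "admin" are constructed for illustration.

```php
<?php
// Constructed sample query strings; the second uses the syntax from the answer above.
$samples = ['usr=admin&pwd=x', 'usr[user]=admin&pwd=x'];

// Same value as in the challenge code.
$user = array("user" => "admin");

// Hypothetical helper: accept a request parameter only if it is a plain string.
// Bracket syntax in a query string produces an array, which is rejected here.
function string_param(array $query, string $name): ?string
{
    if (isset($query[$name]) && is_string($query[$name])) {
        return $query[$name];
    }
    return null;
}

foreach ($samples as $qs) {
    // parse_str() applies the same bracket rules PHP uses when it builds $_GET.
    parse_str($qs, $get);

    // Check as written in the challenge: array == array is true when both
    // arrays hold the same key/value pairs, so a client-supplied array can match.
    $loose = ($get['usr'] == $user);

    // Hardened check (assumes the intended username is the string "admin"):
    // the parameter must be a string, and it is compared with hash_equals().
    $usr = string_param($get, 'usr');
    $strict = ($usr !== null && hash_equals('admin', $usr));

    printf(
        "%-24s type=%-6s loose=%s strict=%s\n",
        $qs,
        gettype($get['usr']),
        var_export($loose, true),
        var_export($strict, true)
    );
}
```

The same `is_string()` gate applies to every other request parameter the script reads before it reaches a comparison or a filesystem call.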
