
PHP strcmp Bypass (ABCTF2016 – L33t H4xx0r)

Another one of the ABCTF challenges this year involved a login page and bypassing PHP strcmp.

PHP strcmp Bypass – Introduction

This was a unique CTF authentication bypass challenge, and I just had to share it!

I recommend checking out ABCTF if you ever get a chance, as it is my favorite beginner-friendly CTF.

Finally, take a look at the PHP strcmp docs if you want to follow along at home.

YouTube Version of this Post

If you prefer video and audio over just reading the text, then you can find the YouTube version of this post below.

That said, don’t forget to hit those like and subscribe buttons to help support the blog and channel!

The Challenge

At first glance, the login page seemed fairly simple.

[Screenshot: Bypassing PHP strcmp - Login]

Not so hidden in the page's HTML was a comment pointing to the source for the form.

	<!-- source at source.txt -->

The source.txt file was straightforward: it did a simple strcmp between the password GET parameter and the $PASSWORD variable.

<?php
	$FLAGWEB6 = (file_get_contents("flag.txt"));
	$PASSWORD = (file_get_contents("flag.txt")); //haha

	if(isset($_GET['password'])){
		// Loose comparison: a NULL return from strcmp() also satisfies == 0
		if(strcmp($PASSWORD, $_GET['password']) == 0){
			$success = true;
		}
		else{
			$success = false;
		}
	}
	else {
		$success = false;
	}
?>

Authentication Bypass

From here, I actually spent quite a while trying to pass a reference to $FLAGWEB6 in my GET request, since those two variables would be the same. Unfortunately, I was never able to get this to work (contact me if I was just missing something silly here!).

Unable to make any headway on that front, I then took a look back at the hint provided with the challenge.

Some ways of comparing two strings are very insecure.

After a bit more research, it seemed that strcmp misbehaves when one of its arguments is not a string.

If I set $_GET['password'] to an empty array, then strcmp would return NULL instead of an integer. Due to some inherent weaknesses in PHP's loose comparisons, NULL == 0 evaluates to true (more info).

With this in mind, I sent the following request to the login page.

http://yrmyzscnvh.abctf.xyz/web6/?password[]=%22%22

Once I sent the request, I received the flag and the subsequent 70 points.
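To show the comparison behaviour outside the challenge, here is an added example (not the challenge's own source) that runs the vulnerable check beside a hardened one against a string, a wrong guess, and the array that ?password[]=%22%22 produces. The secret value is a constructed stand-in for flag.txt; on PHP 5 and 7, strcmp() with an array argument warns and returns NULL, while PHP 8 throws a TypeError instead.

```php
<?php
// Added example, not the challenge's code. $SECRET stands in for flag.txt.
$SECRET = 'constructed-flag-value';

// Vulnerable: no type check on the input, and the strcmp() result is
// compared loosely, so a NULL return (PHP 5/7, array argument) passes.
function vulnerableCheck($secret, $input) {
    return @strcmp($secret, $input) == 0;
}

// Hardened: reject anything that is not a string, then compare in
// constant time. hash_equals() has been available since PHP 5.6.
function hardenedCheck($secret, $input) {
    if (!is_string($input)) {
        return false;
    }
    return hash_equals($secret, $input);
}

// Constructed inputs as PHP would decode them from the query string.
// ?password[]=%22%22 arrives as an array containing the string '""'.
$attempts = [
    'correct password'  => $SECRET,
    'wrong password'    => 'guess',
    'password[]=%22%22' => ['""'],
];

foreach ($attempts as $label => $input) {
    try {
        $v = var_export(vulnerableCheck($SECRET, $input), true);
    } catch (TypeError $e) {
        $v = 'TypeError'; // PHP 8 refuses the array argument outright
    }
    $h = var_export(hardenedCheck($SECRET, $input), true);
    echo str_pad($label, 20) . " vulnerable=$v hardened=$h\n";
}
```

On PHP 5 or 7 the array row prints vulnerable=true while the hardened check stays false for everything but the correct password.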

[Screenshot: Bypassing PHP strcmp - Flag]

PHP strcmp Bypass – Conclusion

While this wasn’t a difficult challenge, I had a lot of fun with this bypass.

This is something that I might put in a future CTF challenge of my own, so be on the lookout for that!
