Bypassing PHP strcmp() (ABCTF2016 – L33t H4xx0r)

Another one of the ABCTF challenges this year involved a login page and bypassing PHP strcmp().

At first glance, the login page seemed fairly simple.

[Image: Bypassing PHP strcmp - Login]

Not so hidden in the page's source was a comment pointing to where the form's source lived.

	<!-- source at source.txt -->

The source.txt file was straightforward: it did a simple strcmp() between the password from our GET request and the $PASSWORD variable.

<?php
	$FLAGWEB6 = (file_get_contents("flag.txt"));
	$PASSWORD = (file_get_contents("flag.txt")); //haha

	if (isset($_GET['password'])) {
		// loose (==) comparison of strcmp()'s return value
		if (strcmp($PASSWORD, $_GET['password']) == 0) {
			$success = true;
		}
		else {
			$success = false;
		}
	}
	else {
		$success = false;
	}
?>

From here, I actually spent quite a while trying to pass a reference to $FLAGWEB6 in my GET request, since those two variables would be the same. Unfortunately, I was never able to get this to work (contact me if I was just missing something silly here!).

Unable to make any headway on that front, I then took a look back at the hint provided with the challenge.

Some ways of comparing two strings are very insecure.

After a bit more research, it turned out that strcmp() misbehaves when one of its arguments is not a string.

If I set $_GET['password'] to an empty array, strcmp() would return NULL instead of an integer. Due to some inherent weaknesses in PHP's loose comparisons, NULL == 0 evaluates to true (more info).

With this in mind, I sent the following request to the login page.

http://yrmyzscnvh.abctf.xyz/web6/?password[]=%22%22

Once I sent the request, I received the flag and the subsequent 70 points.
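To make the failure mode concrete, here is an added example (not the challenge's source and not the author's code) that places the loose check from source.txt beside a hardened version and drives both with constructed inputs, including an array standing in for ?password[]=. The secret value, the function names and the sample inputs are all made up for the demo.

```php
<?php
// Added example, not the challenge's code. Constructed placeholder secret.
const SECRET = 'constructed-flag-value';

// The challenge's pattern: strcmp() result loosely (==) compared to 0.
// On PHP 5/7 strcmp() with a non-string argument emits a warning and
// returns NULL, and NULL == 0 is true, so the check is bypassed.
// On PHP 8 the same call throws a TypeError instead (caught below).
function checkLoose($input): bool
{
    $r = @strcmp(SECRET, $input); // '@' only hides the PHP 5/7 warning
    return $r == 0;               // NULL == 0 -> true
}

// Hardened: refuse non-strings up front, then use a type-strict,
// constant-time comparison. (Even plain `=== 0` would already stop
// the NULL bypass, since NULL === 0 is false.)
function checkStrict($input): bool
{
    if (!is_string($input)) {
        return false;
    }
    return hash_equals(SECRET, $input);
}

// Constructed inputs; the last one is what PHP builds from ?password[]=""
$cases = [
    'correct password' => SECRET,
    'wrong password'   => 'guess',
    'array input'      => [''],
];

foreach ($cases as $label => $input) {
    try {
        $loose = checkLoose($input) ? 'ACCEPT' : 'reject';
    } catch (TypeError $e) {
        $loose = 'TypeError (PHP 8)';
    }
    $strict = checkStrict($input) ? 'ACCEPT' : 'reject';
    printf("%-17s loose=%-17s strict=%s\n", $label, $loose, $strict);
}
```

Run under PHP 5.6 or 7.x the "array input" row shows loose=ACCEPT and strict=reject; under PHP 8 the loose check throws rather than accepting, but the strict version behaves the same everywhere.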

[Image: Bypassing PHP strcmp - Flag]

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
