Bypassing PHP strcmp() (ABCTF2016 – L33t H4xx0r)

Another one of the ABCTF challenges this year involved a login page and bypassing PHP strcmp().

At first glance, the login page seemed fairly simple.

[Screenshot: Bypassing PHP strcmp - Login]

Not so hidden within the page source was a pointer to the source code for the form.

	<!-- source at source.txt -->

The source.txt file was straightforward: it did a simple strcmp() between the password GET parameter and the $PASSWORD variable.

<?php
	$FLAGWEB6 = (file_get_contents("flag.txt"));
	$PASSWORD =  (file_get_contents("flag.txt")); //haha

	if(isset($_GET['password'])){
		if(strcmp($PASSWORD, $_GET['password']) == 0){
			$success = true;
		}
		else{
			$success = false;
		}
	}
	else {
		$success = false;
	}
?>

From here, I actually spent quite a while trying to pass a reference to $FLAGWEB6 in my GET request, since those two variables would be the same. Unfortunately, I was never able to get this to work (contact me if I was just missing something silly here!).

Unable to make any headway on that front, I then took a look back at the hint provided with the challenge.

Some ways of comparing two strings are very insecure.

After a bit more research, it seemed that strcmp() had some issues when comparing a string to something that is not a string.

If I set $_GET['password'] to an empty array, strcmp() returns NULL instead of an integer. Because of PHP's loose comparison rules, NULL == 0 evaluates to true, so the check passes (more info).

With this in mind, I sent the following request to the login page.

http://yrmyzscnvh.abctf.xyz/web6/?password[]=%22%22

Once I sent the request, I received the flag and the subsequent 70 points.
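To make the failure mode concrete from the defender's side, here is an added example (not the challenge's code and not part of the original write-up) that runs the challenge's loose strcmp() check beside a hardened version against a few constructed inputs. The $PASSWORD value is a constructed stand-in for the contents of flag.txt; the helper names login_loose and login_strict are hypothetical.

```php
<?php
// Added example, not the challenge's own source: compare the loose strcmp()
// check with a hardened check against the same inputs.

// Constructed stand-in for file_get_contents("flag.txt").
$PASSWORD = "flag{constructed_example}";

// Vulnerable form, mirroring the challenge. On PHP 5/7, strcmp() given an
// array emits a warning and returns NULL, and NULL == 0 is true under the
// loose == operator. PHP 8 throws a TypeError instead, which is caught here
// only so the script runs on either major version.
function login_loose(string $password, $input): bool {
    try {
        return @strcmp($password, $input) == 0;
    } catch (TypeError $e) {
        return false;
    }
}

// Hardened form: reject anything that is not a string, then compare with
// hash_equals(), which is strict about types and runs in constant time.
function login_strict(string $password, $input): bool {
    if (!is_string($input)) {
        return false;
    }
    return hash_equals($password, $input);
}

// Constructed inputs: a wrong guess, the right password, and the array that
// a ?password[]= query string produces in $_GET.
$inputs = [
    'wrong guess'          => "guess",
    'correct password'     => "flag{constructed_example}",
    'array (password[]=)'  => [""],
];

foreach ($inputs as $label => $input) {
    printf("%-22s loose=%-5s strict=%s\n",
        $label,
        var_export(login_loose($PASSWORD, $input), true),
        var_export(login_strict($PASSWORD, $input), true));
}
```

On PHP 5 and 7 the array row prints loose=true and strict=false, which is the bypass the write-up describes; on PHP 8 strcmp() throws a TypeError for non-string arguments, so the loose row reads false there too, but the is_string() guard plus hash_equals() is what actually closes the hole rather than relying on the runtime's argument checking.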

[Screenshot: Bypassing PHP strcmp - Flag]

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
