PHP strcmp Bypass (ABCTF2016 – L33t H4xx0r)

Another one of the ABCTF challenges this year involved a login page and bypassing PHP strcmp.

PHP strcmp Bypass – Introduction

This was a unique CTF authentication bypass challenge, and I just had to share it!

I recommend checking out ABCTF if you ever get a chance, as it is my favorite beginner-friendly CTF.

Finally, take a look at the PHP strcmp docs if you want to follow along at home.

YouTube Version of this Post

If you prefer video and audio over just reading the text, then you can find the YouTube version of this post below.

That said, don’t forget to hit those like and subscribe buttons to help support the blog and channel!

The Challenge

At first glance, the login page seemed fairly simple.

Bypassing PHP strcmp - Login

Not so hidden within the source of the page was where I could find the source for the form.

	<!-- source at source.txt -->

The source.txt file was straightforward, and was doing a simple strcmp between our GET request and the $PASSWORD variable.

<?php
	$FLAGWEB6 = (file_get_contents("flag.txt"));
	$PASSWORD =  (file_get_contents("flag.txt")); //haha


	if(isset($_GET['password'])){
	
	if(strcmp($PASSWORD, $_GET['password']) == 0){
			$success = true;
		}
		else{
			$success = false;
		}

	}
	else {
		$success = false;
	}
	
	

?>

Authentication Bypass

From here, I actually spent quite awhile trying to pass a reference to $FLAGWEB6 in my get request, since those two variables would be the same. Unfortunately, I was never able to get this to work (contact me if I was just missing something silly here!).

Unable to make any headway on that front, I then took a look back at the hint provided with the challenge.

Some ways of comparing two strings are very insecure.

After a bit more research, it seemed that strcmp had some issues when comparing a string to something else.

If I set $_GET[‘password’] equal to an empty array, then strcmp would return a NULL. Due to some inherent weaknesses in PHP’s comparisons, NULL == 0 will return true (more info).

With this in mind, I sent the following request to the login page.

http://yrmyzscnvh.abctf.xyz/web6/?password[]=%22%22

Once I sent the request, I received the flag and the subsequent 70 points.

Bypassing PHP strcmp - Flag

PHP strcmp Bypass – Conclusion

While this wasn’t a difficult challenge, I had a lot of fun with this bypass.

This is something that I might put in a future CTF challenge of my own, so be on the lookout for that!

2 Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Address
304 North Cardinal St.
Dorchester Center, MA 02124

Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM