PHP -- Loose Comparison (Root Me)
Description
30 Points Link
Another PHP type juggling
Statement
Find a way to get the flag. No bruteforce needed.
Challenge
In this challenge we are given a web server with PHP in the backend and an nginx We are also given the source code, which is displayed below:
Hum ... First thing I noticed was the loose comparison on line
and, as the challenge describes, this is our entry point.
Understanding the code
Let's take a look at what this code does. First let's check the functions provided with the source code.
First Function
What this function does is generate 2 random If so it XOR with the following statement
Second Function
This function, as its name states, sanitizes user input. It replaces everything that isn't alphanumeric with blank and returns the new string as the result.
Third Function
What this function does is first call the
Exploitation
We should first understand how PHP loose comparison works. Here is a link for you: PHPMagicTricks-TypeJuggling.pdf. We should also note that we will be using PHP magic hashes. The reason for that is that PHP evaluates strings which begin with So for example:
will be evaluated to TRUE since Another thing we should keep in mind is
This means we should provide as a simple bypass for this is using And since Now all we have to do is provide an alphanumeric string the md5 of which will evaluate to 0.
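The comparison behaviour described above, as an added example that is not part of the original write-up or the challenge source: two different digest-shaped strings that are equal under `==` but not under `hash_equals()`. The function names and the sample strings are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: the loose check this class of bug relies on.
function digestMatchesLoose(string $expected, string $given): bool
{
    // When both operands are numeric strings, PHP compares them as numbers.
    return $expected == $given;
}

// Hypothetical helper: hardened check, byte-wise and constant-time.
function digestMatchesStrict(string $expected, string $given): bool
{
    return hash_equals($expected, $given);
}

// Hypothetical helper: flags a hex digest PHP would parse as zero
// written in scientific notation (leading zeros, 'e', then only digits).
function looksLikeMagicDigest(string $hexDigest): bool
{
    return preg_match('/^0+e[0-9]+$/', $hexDigest) === 1;
}

// Constructed sample strings shaped like 32-character MD5 hex output.
$allDigitsA = '0e' . str_repeat('1', 30);
$allDigitsB = '0e' . str_repeat('9', 30);
$withLetter = '0e' . str_repeat('1', 29) . 'a';   // not a numeric string
$noZeroLead = 'a0e' . str_repeat('1', 29);        // not a numeric string

$pairs = [
    [$allDigitsA, $allDigitsB],
    [$allDigitsA, $withLetter],
    [$noZeroLead, $allDigitsA],
];

foreach ($pairs as [$expected, $given]) {
    printf(
        "%s vs %s | loose=%s strict=%s magic=%s\n",
        $expected,
        $given,
        var_export(digestMatchesLoose($expected, $given), true),
        var_export(digestMatchesStrict($expected, $given), true),
        var_export(looksLikeMagicDigest($given), true)
    );
}
```

Only the first pair is accepted by the loose check, because both strings parse as the number zero; `hash_equals()` and `===` reject all three pairs.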
For that I used this GitHub repo.
Payload
Flag
Updated Apr 30, 2020. This post is licensed under CC BY 4.0.