bsides2022 – Apples
17 October 2022 – Written by Valentin Huber – in ctf, php, and web
Challenge
Um…I forgot my password. Sorry. You’re a hacker - can you get in?
The provided website contains a single password field and a login button. Whatever password is entered is wrong.
Solution
The HTML of the website contains the following comment:
<!-- backup source located at source.txt -->
source.txt contains:
<?php
$FLAG = (file_get_contents("/challenge_flag.txt"));
$PASSWORD = (file_get_contents("/challenge_flag.txt"));
if(isset($_POST['password'])) {
if(strcmp($PASSWORD, $_POST['password']) == 0) {
$success = true;
}
else {
$success = false;
}
}
else {
$success = false;
}
if ($success) {
echo "<h1>Congratulations!</ha>";
echo "<p>Your flag is: $FLAG</p>";
}
else {
echo "<h1>Password incorrect.</h1>";
}
?>
The vulnerability we exploited is in the strcmp
. Assuming $PASSWORD
is a string, if we can manage to pass any other type to $_POST['password']
, strcmp
returns NULL
, which is equal to 0
, since we don’t check types (==
as opposed to ===
). This can be done by sending an array to the server.
The easiest way to do this is by modifying the name
attribute of the password input
element of the original website from password
to password[]
. Then we enter anything into the password field, send it to the server and get:
Warning: strcmp() expects parameter 2 to be string, array given in /var/www/html/login.php on line 6
Congratulations!
Your flag is: flag{strcmp_bypass_ftw}