bsides2022 – Apples

17 October 2022 – Written by Valentin Huber – in ctf, php, and web


Challenge

Um…I forgot my password. Sorry. You’re a hacker - can you get in?

The provided website contains a single password field and a login button. Whatever password is entered is wrong.

Solution

The HTML of the website contains the following comment:

<!-- backup source located at source.txt -->

source.txt contains:

<?php
    $FLAG = (file_get_contents("/challenge_flag.txt"));
    // Note: the password is read from the same file as the flag.
    $PASSWORD = (file_get_contents("/challenge_flag.txt"));

    if(isset($_POST['password'])) {
        // Weak check: strcmp() result is compared loosely with ==
        // and $_POST['password'] is never verified to be a string.
        if(strcmp($PASSWORD, $_POST['password']) == 0) {
            $success = true;
        }
        else {
            $success = false;
        }
    }
    else {
        $success = false;
    }

    if ($success) {
        echo "<h1>Congratulations!</h1>";
        echo "<p>Your flag is: $FLAG</p>";
    }
    else {
        echo "<h1>Password incorrect.</h1>";
    }
?>

The vulnerability we exploited is the combination of strcmp() and the loose comparison. $PASSWORD is a string (the contents of the flag file), but $_POST['password'] is whatever the client sends. If the client sends something that is not a string, strcmp() in PHP 7 and earlier emits a warning and returns NULL instead of an integer. Because the result is compared with == rather than ===, NULL == 0 evaluates to true and the check passes. PHP turns any request parameter whose name ends in [] into an array, so sending password[] instead of password is enough. Caveat: in PHP 8, strcmp() with an array argument throws a TypeError instead of returning NULL, so this particular bypass only works against older runtimes; a strict === comparison (or an is_string() check before comparing) closes it on any version.

The easiest way to do this from the browser is to edit the name attribute of the password input element on the original page from password to password[], enter anything into the field and submit the form. Equivalently, send the request directly with a client such as curl, using -d 'password[]=x' as the POST body. Either way the server responds with:

Warning: strcmp() expects parameter 2 to be string, array given in /var/www/html/login.php on line 6
Congratulations!
Your flag is: flag{strcmp_bypass_ftw}
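The following script is an added example and not part of the original challenge or writeup. It places the challenge's loose strcmp() check next to two hardened variants and runs all three against a normal string and against an array, i.e. the password[]=x payload. The secret value and the input set are constructed for the demo; the NULL-return behaviour assumes PHP 7.x, and the try/catch makes the PHP 8 TypeError visible instead of aborting the run.

```php
<?php
// Added example (not the challenge's own code): the vulnerable strcmp()/==
// check beside two hardened versions, exercised with string and array input.
// Assumes PHP 7.x for the "strcmp() returns NULL" behaviour; on PHP 8 the
// same call throws TypeError, which is caught and reported below.

$PASSWORD = "flag{example_secret}";   // constructed sample secret

function vulnerable_check(string $password, $input): bool {
    // PHP 7: strcmp() on a non-string warns and returns NULL.
    // NULL == 0 is true, so an array input is accepted.
    return @strcmp($password, $input) == 0;
}

function strict_check(string $password, $input): bool {
    // Strict comparison: NULL === 0 is false, so the array is rejected.
    return @strcmp($password, $input) === 0;
}

function hardened_check(string $password, $input): bool {
    // Reject anything that is not a string before comparing, then use
    // hash_equals() so the comparison does not leak timing information.
    if (!is_string($input)) {
        return false;
    }
    return hash_equals($password, $input);
}

// Constructed inputs: a wrong password, the right one, and the bypass payload
// that PHP builds from a request parameter named password[].
$inputs = [
    "wrong string"        => "hunter2",
    "correct string"      => $PASSWORD,
    "array (password[]=x)" => ["x"],
];

foreach ($inputs as $label => $input) {
    foreach (['vulnerable_check', 'strict_check', 'hardened_check'] as $fn) {
        try {
            $result = $fn($PASSWORD, $input) ? "accepted" : "rejected";
        } catch (TypeError $e) {
            $result = "TypeError (PHP 8: strcmp() refuses the array)";
        }
        printf("%-22s %-17s %s\n", $label, $fn, $result);
    }
}
```

On PHP 7 the array row shows vulnerable_check accepting the login while strict_check and hardened_check reject it; on PHP 8 the first two raise TypeError and only hardened_check rejects cleanly, which is the behaviour you want in production code: validate the type first, then compare strictly.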