I'm preparing for this CTF challenge I'll be participating in next week, and I ran across this problem online which I can't manage to solve.

I only have control of the variables $user and $pass that the challenge function gets which I can send as a part of the POST request. I need to make the challenge function return true.

I tried sending an empty array as the password (by changing the password field's name to pass[]) but the regex function won't let me through.

<?php
//by Mawekl
//more challenges coming soon ;)

function validateuser($user)
{
    #Check username
    if(!preg_match('/^[A-Z][a-z]{1,15}$/',$user))
        die('Are you stupid hacker? Don\'t try inject my script!');
}

function validatepass($pass)
{
    #Check password (injection attempt?)
    if(!preg_match('/^[A-Za-z0-9_ ]+$/',$pass))
        header('Location: http://piv.pivpiv.dk/');
        #kick away stupid hacker!
}

function challenge($user, $pass) //Objective: return TRUE
{
    $users = array(
        "Admin" => $_VeryLongPasswords[0],
        "Mawekl" => $_VeryLongPasswords[1]
    );
    validateuser($user);
    validatepass($pass);
    return ($users[$user] == $pass);
}

?>

1 Answer

Since the script does not check that the user exists, using some non-existing username with an empty password succeeds in my test:

 echo challenge('Foobar','') ? "MATCH\n":"nomatch\n";

 PHP Notice:  Undefined index: Foobar in ... 
 MATCH

  • Since the password is empty, it'll fail the validatepass regex check. Commented Jun 12, 2016 at 12:00
  • OK, thank you. I realized, thanks to you, I just had to block the header('location') thing. Commented Jun 12, 2016 at 12:12
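
A hardened counterpart to the challenge function, added here as an example (it is not code from the question, the answer, or the challenge author): it closes the three gaps the thread relies on, namely a redirect that does not stop execution, a missing check that the user exists, and a loose `==` comparison. The function names, the sample store and its passwords are constructed for illustration, and the `mixed` type requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Constructed sample store: placeholder passwords, not the challenge's values.
function sample_users(): array
{
    return [
        'Admin'  => password_hash('constructed_admin_pw', PASSWORD_DEFAULT),
        'Mawekl' => password_hash('constructed_mawekl_pw', PASSWORD_DEFAULT),
    ];
}

// Validators only report a result. No header() redirect is involved, so a
// failed check cannot be bypassed by a client that ignores the Location header.
// The added /D modifier stops "$" from matching before a trailing newline.
function valid_user(mixed $user): bool
{
    return is_string($user) && preg_match('/^[A-Z][a-z]{1,15}$/D', $user) === 1;
}

function valid_pass(mixed $pass): bool
{
    return is_string($pass) && preg_match('/^[A-Za-z0-9_ ]+$/D', $pass) === 1;
}

function challenge_hardened(array $users, mixed $user, mixed $pass): bool
{
    // Fail closed: invalid input (including arrays from pass[]) ends here.
    if (!valid_user($user) || !valid_pass($pass)) {
        return false;
    }
    // Unknown users are rejected before any comparison, so there is no
    // undefined-index null for a loose "==" to match against ''.
    if (!array_key_exists($user, $users)) {
        return false;
    }
    // Hash verification replaces the loose "==" on plaintext passwords.
    return password_verify($pass, $users[$user]);
}

$users = sample_users();
var_dump(null == '');                                // the comparison the original relies on
var_dump(challenge_hardened($users, 'Foobar', ''));  // input from the answer's test
var_dump(challenge_hardened($users, 'Foobar', []));  // the pass[] attempt from the question
var_dump(challenge_hardened($users, 'Admin', 'constructed_admin_pw'));
```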
