4

In a CTF for my web-security class I was able to find the following PHP code on the server:

<?php
    $user = array("user" => "admin");
    $secret = random_bytes(20);
    if (isset($_GET["usr"]) and isset($_GET["pwd"])) {
        if ($_GET["usr"] == $user) {
            if (! strcmp($_GET["pwd"], $secret)) {
                echo var_dump(scandir($_GET["path"][1]));
            } else {
                echo "Wrong pwd!";
            }
        } else {
            echo "You are so close!";
        }
    }
?>

What payload do I have to send in order to bypass the $_GET["usr"] == $user comparison?

I tried sending NULL as "%00", and also "0" and "1", because I guessed that the weak == comparison could open up some type-juggling possibilities, but it didn't work.

2
  • madirish.net/401: "As you can see the comparison operator does not have any problem with the null byte (\0)" - null bytes in strings don't trip == up any more. Commented Nov 3, 2023 at 10:43
  • I have to say that the example doesn't make much sense. Why would you compare $_GET['usr'] against an array to begin with? I get that it's an exercise, but testing improbable code isn't particularly useful, imho. Commented Nov 3, 2023 at 10:51

1 Answer

4

The $user variable is an array. GET data can contain arrays, so you can use the right syntax to "bypass" the condition:

?usr[user]=admin

I don't think you can make use of type juggling here.
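To make the answer concrete, here is an added example (not code from the question or the answer) that reproduces how PHP turns the bracket syntax of a query string into an array, shows why the loose == comparison in the CTF code then succeeds, and puts a strict check next to it. The function names parseQuery, looseCheck, strictCheck and passwordCheck are my own, and the passwordCheck function is an assumed hardening of the strcmp() line that the page itself does not discuss.

```php
<?php
// Added example: not part of the original question or answer.
// Demonstrates PHP's query-string-to-array parsing and the difference
// between the loose (==) and strict (===) comparison on the "usr" value.

$user = array("user" => "admin");

// parse_str() applies the same rules PHP uses to build $_GET, so the
// query string "usr[user]=admin" becomes a nested array.
function parseQuery(string $query): array {
    parse_str($query, $result);
    return $result;
}

// The vulnerable check from the CTF: == between two arrays is true when
// both have the same key/value pairs (values compared loosely).
function looseCheck(array $get, array $user): bool {
    return isset($get["usr"]) && $get["usr"] == $user;
}

// Hardened check: require a string and compare strictly. An array (or any
// other non-string) can never satisfy this, whatever its contents.
function strictCheck(array $get, string $expected): bool {
    return isset($get["usr"])
        && is_string($get["usr"])
        && $get["usr"] === $expected;
}

// Assumed hardening of the password branch (hypothetical helper): reject
// non-strings and use the constant-time hash_equals() instead of strcmp().
function passwordCheck(array $get, string $secret): bool {
    return isset($get["pwd"])
        && is_string($get["pwd"])
        && hash_equals($secret, $get["pwd"]);
}

// Constructed sample query strings.
$cases = [
    "usr=admin",        // a plain string: loose=false, strict=true
    "usr[user]=admin",  // the array form from the answer: loose=true, strict=false
    "usr[]=admin",      // array with key 0 instead of "user": loose=false, strict=false
];
foreach ($cases as $q) {
    $get = parseQuery($q);
    printf("%-18s loose=%-5s strict=%s\n", $q,
        var_export(looseCheck($get, $user), true),
        var_export(strictCheck($get, "admin"), true));
}
```

The first case shows why the plain values tried in the question cannot work: a string compared with an array under == is never equal, so only an array on the request side can match $user. The strict version removes that path because is_string() fails for the array form before any comparison happens.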
