Another one of the ABCTF challenges this year involved a login page and bypassing PHP strcmp.

PHP strcmp Bypass – Introduction

This was a unique CTF authentication bypass challenge, and I just had to share it! I recommend checking out ABCTF if you ever get a chance, as it is my favorite beginner-friendly CTF. Finally, take a look at the PHP strcmp docs if you want to follow along at home.

YouTube Version of this Post

If you prefer video and audio over just reading the text, you can find the YouTube version of this post on the channel.

The Challenge

At first glance, the login page seemed fairly simple. Not so hidden within the source of the page was a pointer to the source for the form:

<!-- source at source.txt -->

The source.txt file was straightforward: it does a simple strcmp between the password parameter in our GET request and the $PASSWORD variable.

<?php
$FLAGWEB6 = (file_get_contents("flag.txt"));
$PASSWORD = (file_get_contents("flag.txt")); //haha
if(isset($_GET['password'])){
    if(strcmp($PASSWORD, $_GET['password']) == 0){
        $success = true;
    }
    else{
        $success = false;
    }
}
else {
    $success = false;
}
?>

Authentication Bypass

From here, I actually spent quite a while trying to pass a reference to $FLAGWEB6 in my GET request, since those two variables would be the same. Unfortunately, I was never able to get this to work (contact me if I was just missing something silly here!).

Unable to make any headway on that front, I then took a look back at the hint provided with the challenge: "Some ways of comparing two strings are very insecure."

After a bit more research, it seemed that strcmp had some issues when comparing a string to something else. In PHP 5 and PHP 7, if $_GET['password'] is an array instead of a string (PHP builds an array from any parameter written as password[]=...), strcmp emits a warning and returns NULL rather than an integer. Because the check uses the loose == operator, NULL == 0 evaluates to true, so the comparison "succeeds" without the password ever being known. A strict comparison (strcmp(...) === 0) would not be fooled by the NULL, and PHP 8 closes the hole from the other side by throwing a TypeError when strcmp is handed an array.
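The script below is an added example, not code from the original write-up or the challenge: it isolates the challenge's comparison into a function, runs the exact query string from the write-up through parse_str() the way PHP populates $_GET, and places a hardened check next to it. It assumes PHP 7 or later (the scalar type declarations need it) and uses a constructed placeholder flag value, since the real flag.txt is not on the page. Under PHP 7 the array input passes the vulnerable check; under PHP 8 the same call throws a TypeError; the hardened check rejects it on every version.

```php
<?php
// Added example (not from the original write-up): reproduce the strcmp() bypass
// locally and show a hardened check. The flag value is a constructed placeholder.
$PASSWORD = "ABCTF{placeholder_flag}";

// The challenge's check, isolated: loose (==) comparison of strcmp()'s result with 0.
// PHP 7 (without strict_types): strcmp() warns on a non-string argument and returns
// NULL, and NULL == 0 is true, so any array input "authenticates".
// PHP 8: strcmp() throws TypeError for a non-string argument instead.
function vulnerableCheck(string $password, $input): bool
{
    return @strcmp($password, $input) == 0;   // @ only silences the PHP 7 warning
}

// Hardened check: reject anything that is not a string, then compare in constant
// time. hash_equals() refuses non-string arguments, so the is_string() guard matters.
function hardenedCheck(string $password, $input): bool
{
    if (!is_string($input)) {
        return false;
    }
    return hash_equals($password, $input);
}

// Parse the query string from the write-up the way PHP populates $_GET.
// password[]=%22%22 does not yield an empty array but a one-element array whose
// only element is the two-character string "" (two double-quote characters).
parse_str('password[]=%22%22', $query);
var_dump($query['password']);

$candidates = [
    'array from the write-up' => $query['password'],
    'wrong password'          => 'letmein',
    'correct password'        => $PASSWORD,
];

foreach ($candidates as $label => $candidate) {
    try {
        $vulnerable = vulnerableCheck($PASSWORD, $candidate) ? 'true' : 'false';
    } catch (TypeError $e) {
        $vulnerable = 'TypeError';
    }
    $hardened = hardenedCheck($PASSWORD, $candidate) ? 'true' : 'false';
    printf("%-24s vulnerable=%-9s hardened=%s\n", $label, $vulnerable, $hardened);
}
```

Run it with the PHP CLI. The is_string() guard is the part that actually closes the bug: switching == to === is enough against the NULL return, but hash_equals() on its own still has to be protected from non-string input, and a check that only ever sees strings is also immune to the related array tricks against other loose comparisons in PHP.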
With this in mind, I sent the following request to the login page:

http://yrmyzscnvh.abctf.xyz/web6/?password[]=%22%22

Once I sent the request, I received the flag and the subsequent 70 points.

PHP strcmp Bypass – Conclusion

While this wasn't a difficult challenge, I had a lot of fun with this bypass. This is something that I might put in a future CTF challenge of my own, so be on the lookout for that!

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down, he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification! He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was Principal Penetration Testing Consultant for Secureworks.

Sep 21, 2015 • webchallenges, ctf-web

CSAW 2015 Web 200 challenge writeup

Well, this challenge was very easy, and I guess it has the highest number of solves in the web category during CSAW 2015. Here we have a simple login form, and we should log in to get the flag. But the register does not work, and SQL injection also doesn't seem to work. So I was wondering how the check could be done on the server side and whether it is using a PHP function. For those who don't know how this works, let's say we have example code like this:

If this is the code, and we give a POST request like this:
Security Engineer @CRED | Web Application Security ♥ | Google, Microsoft, Zendesk, Gitlab Hall of Fames | Blogger | CTF lover - @teambi0s | Certs - eWDP, OSCP |