PHP Master
Last updated
Was this helpful?
Last updated
Was this helpful?
Once we visit the URL, we are shown some code:
Clearly this is some type of exploit, but I'm not that familiar with it except for 0e
md5 hashes and stuff. However, there are some restrictions here:
There can be no e
character in either parameter
The two parameters must be the same length
They can't strictly equal each other (!==
) but they must loosely equal each other (==
)
PHP comparision is a known piece of junk, so we can find some weaknesses using .
Once set of possible parameters is 01
and 1
, as they are both two characters long and - according to PHP's loose comparison - equal each other (thanks to for this solution after the CTF). It appears that objetcs are automatically converted to numbers for loose comparisions, as loose only compares values while strict also compares types. Therefore the example above would both equal 1
under loose comparison.
Another, more interesting set is 200
and 2E3
(thanks to ). Note that 2E3
is an exponential, equivalent to 2 * 10^2
. Once both are converted to integers, they pass the check.