# PHP Master

Once we visit the URL, we are shown some code:

```php
<?php

include('flag.php');

$p1 = $_GET['param1'];
$p2 = $_GET['param2'];

if(!isset($p1) || !isset($p2)) {
    highlight_file(__FILE__);
    die();
}

if(strpos($p1, 'e') === false && strpos($p2, 'e') === false  && strlen($p1) === strlen($p2) && $p1 !== $p2 && $p1[0] != '0' && $p1 == $p2) {
    die($flag);
}

?>
```

Clearly this is some type of [Type Juggling](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Type%20Juggling) exploit, but I'm not that familiar with it except for `0e` md5 hashes and stuff. However, there are some restrictions here:

* There can be no `e` character in either parameter
* The two parameters must be the same length
* They can't strictly equal each other (`!==`) but they must loosely equal each other (`==`)

PHP comparision is a known piece of junk, so we can find some weaknesses using [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Type%20Juggling).

Once set of possible parameters is `01` and `1`, as they are both two characters long and - according to PHP's loose comparison - equal each other (thanks to [**nrabulinski** ](https://github.com/nrabulinski)for this solution after the CTF). It appears that objetcs are automatically **converted to numbers** for loose comparisions, as loose only compares *values* while strict *also compares types*. Therefore the example above would both equal `1` under loose comparison.

Another, more interesting set is `200` and `2E3` (thanks to [03sunf](https://gist.github.com/03sunf/ada95212b624d9354b9f9cc46b14f387)). Note that `2E3` is an **exponential**, equivalent to `2 * 10^2`. Once both are converted to integers, they pass the check.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://ir0nstone.gitbook.io/notes/writeups/ctfs/x-mas-ctf-2020/web/php-master.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.