Once we visit the URL, we are shown some code:
Clearly this is some type of Type Juggling exploit, but I'm not that familiar with it except for 0e
md5 hashes and stuff. However, there are some restrictions here:
There can be no e
character in either parameter
The two parameters must be the same length
They can't strictly equal each other (!==
) but they must loosely equal each other (==
)
PHP comparision is a known piece of junk, so we can find some weaknesses using PayloadsAllTheThings.
Once set of possible parameters is 01
and 1
, as they are both two characters long and - according to PHP's loose comparison - equal each other (thanks to nrabulinski for this solution after the CTF). It appears that objetcs are automatically converted to numbers for loose comparisions, as loose only compares values while strict also compares types. Therefore the example above would both equal 1
under loose comparison.
Another, more interesting set is 200
and 2E3
(thanks to 03sunf). Note that 2E3
is an exponential, equivalent to 2 * 10^2
. Once both are converted to integers, they pass the check.
Not really my forte, but here we go, I can only get better.