PHP Master

Once we visit the URL, we are shown some code:

<?php

include('flag.php');

$p1 = $_GET['param1'];
$p2 = $_GET['param2'];

if(!isset($p1) || !isset($p2)) {
    highlight_file(__FILE__);
    die();
}

if(strpos($p1, 'e') === false && strpos($p2, 'e') === false  && strlen($p1) === strlen($p2) && $p1 !== $p2 && $p1[0] != '0' && $p1 == $p2) {
    die($flag);
}

?>

Clearly this is some type of Type Juggling exploit, but I'm not that familiar with it except for 0e md5 hashes and stuff. However, there are some restrictions here:

• There can be no e character in either parameter

• The two parameters must be the same length

• They can't strictly equal each other (!==) but they must loosely equal each other (==)

PHP comparision is a known piece of junk, so we can find some weaknesses using PayloadsAllTheThings.

Once set of possible parameters is 01 and 1, as they are both two characters long and - according to PHP's loose comparison - equal each other (thanks to nrabulinski for this solution after the CTF). It appears that objetcs are automatically converted to numbers for loose comparisions, as loose only compares values while strict also compares types. Therefore the example above would both equal 1 under loose comparison.

Another, more interesting set is 200 and 2E3 (thanks to 03sunf). Note that 2E3 is an exponential, equivalent to 2 * 10^2. Once both are converted to integers, they pass the check.