Tags: php bypass authentication
Rating:
# DataVault
## Description
Andrew, a data courier and PHP diehard, has secret data that he can’t have falling into the ZaibatsuCorp’s hands. Fortunately, we’ve established an online datalink with his wetware.
We’ve exposed the module’s access interface here: chal1.swampctf.com:1233
Can you bypass his CraniumStorage security module before he wakes up?
-= Created by andrewjkerr =-
## Solution
Accesing the provided link, the following page is shown:
When Submit was pressed, a POST request was sent to the server containing:
```
password=yourinput
```
After playing arround a bit, we discovered that we could break the application by passing an array as the password.
```
password[]=
```
This means that strcmp was barfing a NULL by comparing an array to a string, and type juggling probably came into play, making NULL==0 true
Flag: flag{wHy_d03S-php_d0-T41S}
strcmp(input,password) ,Compare the two string is equal , if we input array. then strcmp return null. when two string is equal return 0. php null == 0 => Ture
if(strcmp(input,password) == 0){
echo $flag;
}
