Tags: php bypass authentication 


# DataVault

## Description

Andrew, a data courier and PHP diehard, has secret data that he can’t have falling into the ZaibatsuCorp’s hands. Fortunately, we’ve established an online datalink with his wetware.

We’ve exposed the module’s access interface here: chal1.swampctf.com:1233

Can you bypass his CraniumStorage security module before he wakes up?

-= Created by andrewjkerr =-

## Solution

Accesing the provided link, the following page is shown:


When Submit was pressed, a POST request was sent to the server containing:


After playing arround a bit, we discovered that we could break the application by passing an array as the password.



This means that strcmp was barfing a NULL by comparing an array to a string, and type juggling probably came into play, making NULL==0 true

Flag: flag{wHy_d03S-php_d0-T41S}

Original writeup (https://danielcues.com/swampctf-2019-writeups/).
bbdogApril 8, 2019, 12:03 p.m.

strcmp(input,password) ,Compare the two string is equal , if we input array. then strcmp return null. when two string is equal return 0. php null == 0 => Ture

if(strcmp(input,password) == 0){
echo $flag;