phpctfarray-comparison

Type-juggling in php: bypass a comparison with non-empty array


On an CTF for my web-security-class I was able to find following php-code on the server

<?php 
        $user = array("user" => "admin");
        $secret = random_bytes(20);
          if (isset($_GET["usr"]) and isset($_GET["pwd"]))  {
            if ($_GET["usr"] == $user) {
              if (! strcmp($_GET["pwd"], $secret)) {
                echo var_dump(scandir($_GET["path"][1]));
              } else {
                echo "Wrong pwd!";
              }
            } else {
              echo "You are so close!";
            }
          }
?>

What payload do I have to send in order to bypass the $_GET["usr"] == $user comparison?

I tried sending NULL as "%00", also "0" and "1" because I guess that the weak ==-comparison could open up some type-juggling possibilities, but it didn't work.


Solution

  • The $user variable is an array. GET data can contain arrays, you can use the right syntax to "bypass" the condition:

    ?usr[user]=admin
    

    I don't think you can make use of type juggling here.