On a CTF for my web-security class I was able to find the following PHP code on the server:
    <?php
    $user = array("user" => "admin");   // expected "user" is an array, not a string
    $secret = random_bytes(20);
    if (isset($_GET["usr"]) and isset($_GET["pwd"])) {
        if ($_GET["usr"] == $user) {              // loose comparison against an array
            if (! strcmp($_GET["pwd"], $secret)) {
                echo var_dump(scandir($_GET["path"][1]));
            } else {
                echo "Wrong pwd!";
            }
        } else {
            echo "You are so close!";
        }
    }
    ?>
What payload do I have to send in order to bypass the $_GET["usr"] == $user comparison?
I tried sending NULL as "%00", also "0" and "1" because I guess that the weak ==-comparison could open up some type-juggling possibilities, but it didn't work.
The $user variable is an array. GET data can contain arrays, so you can use the right syntax to "bypass" the condition:
?usr[user]=admin
I don't think you can make use of type juggling here.
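As an added illustration (not part of the question or the answer above), the PHP below shows why the bracket form of the parameter satisfies the loose comparison while plain strings do not, next to a strict check that rejects it. The input table is constructed here to stand in for parsed query strings; the `$user` array mirrors the one in the CTF code.

```php
<?php
// Added example: compares the CTF's loose check with a hardened one.
// $user mirrors the CTF snippet: the "expected" value is an array, not a string.
$user = ["user" => "admin"];

// Original logic: loose == between whatever arrived in usr and the array.
// PHP only considers an array equal to another array with the same key/value pairs,
// so a string never matches, but an array built from usr[user]=admin does.
function looseCheck($usr, array $user): bool
{
    return $usr == $user;
}

// Hardened logic: require a scalar string and compare it strictly against the
// string that is actually meant. Arrays coming from bracket syntax are rejected.
// (The same is_string() guard belongs in front of any strcmp() on user input.)
function strictCheck($usr, array $user): bool
{
    return is_string($usr) && $usr === $user["user"];
}

// Constructed stand-ins for $_GET["usr"] after PHP has parsed the query string.
$inputs = [
    'usr=admin'       => "admin",              // plain string
    'usr=0'           => "0",                  // string that type juggling often abuses
    'usr[user]=admin' => ["user" => "admin"],  // bracket syntax becomes an array
];

foreach ($inputs as $query => $value) {
    printf(
        "%-18s loose: %-5s strict: %s\n",
        $query,
        looseCheck($value, $user) ? 'true' : 'false',
        strictCheck($value, $user) ? 'true' : 'false'
    );
}
```

Only the `usr[user]=admin` row passes the loose check, and only `usr=admin` passes the strict one.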