
I came across a CTF that I'm trying to solve, the goal is fairly simple: Bypass the authentication form and access the admin-restricted area. You can find the code snippet below.

Things to consider:

  1. The CTF is a simulation and a demonstration for a very old PHP bug (before year 2007), meaning the code running on the server is slightly different from the one given.
  2. A hint (not verified): one of the functions is vulnerable in PHP 5.1

How can I bypass the authentication form?

I read all the changelogs for PHP 4.x and PHP 5.x, and I could not spot any bug that may help me bypass the authentication form. I'm not asking for a working exploit or anything, just point me in the right direction, as it is an outdated bug and I can't find any resources online at this point.

  • OP, I'm smelling a vulnerability with the loose type comparison (!= instead of !==) in the if statement. If the password is something like 'QNKCDZO', then md5 of this is '0e830400451993494058024219903391' (a so-called 'magic hash') which PHP will treat as the integer 0 with loose type comparison. See github.com/swisskyrepo/PayloadsAllTheThings/blob/master/… for more info. Commented Apr 16, 2023 at 1:31
  • We won't analyse the code to find a vulnerability. And since your question is about vulnerabilities in PHP itself, the specific code in the CTF is not relevant. So I removed those parts. Commented Apr 16, 2023 at 9:21
  • Have you looked up CVEs for PHP? Commented Apr 16, 2023 at 9:21
  • This is not a type juggling, nor session related issue. I narrowed down the problem to this: $x = md5($in); unset($x); // somehow $x must not be unset and $in could be only a string nothing else. And yes, I looked into the CVEs and I could not find an entry for that matter. FYI this CTF is classed extremely hard, and is my last one and I did all of the rest. Commented Apr 16, 2023 at 11:13
  • If it's not type juggling, then how else would you get the condition of the if statement to evaluate to false, so that it doesn't execute unset($pwd);? Commented Apr 16, 2023 at 13:40
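The magic-hash behaviour described in the first comment, as an added example that is not code from the question, the CTF, or any of the commenters. The check functions, the stored hash and the attempted inputs are constructed here for illustration; the example assumes PHP 5.6 or later for hash_equals(). Both md5('240610708') and md5('QNKCDZO') are hex digests of the form 0e followed only by digits, which PHP's loose comparison of two numeric strings reads as the float 0.0:

```php
<?php
// Added example (not from the original question or the CTF): how a loose
// '==' comparison of two MD5 hex digests can be bypassed with a "magic hash".
// Run with: php magic_hash.php

// Constructed sample credential: the "real" password is 240610708, whose
// MD5 digest is 0e462097431906509019562988736854. Because the digest is
// "0e" followed only by digits, PHP treats it as a numeric string (0 x 10^n).
$storedHash = md5('240610708');

function checkLoose(string $input, string $storedHash): bool {
    // Vulnerable: when both operands are numeric strings, '==' compares them
    // as numbers, so any other 0e<digits> digest also equals 0.0.
    return md5($input) == $storedHash;
}

function checkStrict(string $input, string $storedHash): bool {
    // Hardened: constant-time byte-for-byte comparison, no type juggling.
    // (A plain '===' would also stop the juggling, but is not timing-safe.)
    return hash_equals($storedHash, md5($input));
}

// Constructed attempts: the real password, the well-known magic-hash
// plaintext QNKCDZO (md5 = 0e830400451993494058024219903391), and junk.
foreach (['240610708', 'QNKCDZO', 'wrong'] as $attempt) {
    printf("%-10s loose=%-5s strict=%s\n", $attempt,
        var_export(checkLoose($attempt, $storedHash), true),
        var_export(checkStrict($attempt, $storedHash), true));
}
```

Running it shows the real password passing both checks, 'QNKCDZO' passing only the loose check, and 'wrong' failing both. The same confusion applies to `!=`, which is why a guard of the form `if (md5($pwd) != $hash) unset($pwd);` can be skipped with a magic hash when the stored digest also starts with 0e; it does not apply to `!==`.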
