Секретный ключ (Secret Key)

hackerlab

Task: PHP login form with strcmp() comparison. Solution: Type juggling bypass via array injection (secretKey[]=x) makes strcmp() return NULL which equals 0 in loose comparison.

php authentication_bypass apache type_juggling loose_comparison strcmp array_injection backup_file source_code_leak ubuntu

Source code analysisPHP strcmp() type juggling bypassBackup file discovery (backup.tar.gz)Array injection to bypass string comparison

$ ls tags/ techniques/

php authentication_bypass apache type_juggling loose_comparison strcmp array_injection backup_file source_code_leak ubuntu

Source code analysisPHP strcmp() type juggling bypassBackup file discovery (backup.tar.gz)Array injection to bypass string comparison

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Практикующий жонглер (Practice Juggler)— bug-makers
[web][Pro]Цирковой трюк (Circus Trick)— hackerlab
[web][Pro]Секрет (Secret)— hackerlab
[web][Pro]Магическая админка — hackerlab— hackerlab
[infra][Pro]Секретный кабинет (Secret Cabinet)— hackerlab