KCSC TTV 2023/Web/Phpri Phprai

# KCSC TTV 2023/Web/Phpri Phprai ![](https://hackmd.io/_uploads/S1WcvZjrh.png) ## Solution ![](https://hackmd.io/_uploads/rksiP-oS3.png) Vào chall ta thấy được source của chall được show ra và việc cần làm chỉ là bypass từ phần để lấy được toàn bộ flag ### Flag1: ![](https://hackmd.io/_uploads/S1gju-sr2.png) Flag will echo `if(($str1 !== $str2) && (md5($str1) == md5($str2))` `$str1` and `$str2` variables are got form url, so we can customize it. Addition, we know that `md5()` function only hash `string`. If we input a array, it will error ![](https://i.imgur.com/11VLkbL.png) So if we input two arrays for two variables `$str1` and `$str2`, after run `md5()` function them all error, the condition `(md5($str1) == md5($str2))` return TRUE! Now just add two different values for two variables `$str1` and `$str2` to the condition `($str1 !== $str2)` return TRUE Like that: `http://47.254.251.2:8889/?1[]=1&2[]=2` ![](https://hackmd.io/_uploads/HknShWjSn.png) ### Flag2: ![](https://hackmd.io/_uploads/Sy9F3boH2.png) In this part we have to bypass `strcmp()` to get flag2. About idea same flag1, [strcmp()](https://www.php.net/manual/en/function.strcmp.php) function just compare string, if we input array it will return NULL. ![](https://i.imgur.com/zj4Sbk3.png) And in PHP `NULL == 0` so that the conditon `( strcmp( $_GET['3'], $$flag ) == 0)` return TRUE! Now just input an array with any value returns flag2: URL: `http://47.254.251.2:8889/?1[]=1&2[]=2&3[]=3` ![](https://hackmd.io/_uploads/B18KaZjH2.png) ### Flag3: ![](https://hackmd.io/_uploads/Bkpjabjrh.png) This part is vuln about absolute comparison in php - with `==` or `!=` PHP try to return the same data type before starting comparision, including removing zeros at the beginning of the number sequence and removing extra spaces at the beginning and end of the string - with `===` or `!==` PHP compare both data types and values More than [PHP magic compare](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf) So with this condition `($str4 == '1.4e5' && $str4 !== '1.4e5')`, our variable `$str4` just like ` 1.4e5` or `01.4e5`. But in this case, variable `$str4` has been `trim()`, this function remove the ` ` space at start and end of string so we only use `01.4e5`. URL: `http://47.254.251.2:8889/?1[]=1&2[]=2&3[]=3&4=01.4e5` ![](https://hackmd.io/_uploads/HyAzlzsSh.png) ### Flag4: ![](https://hackmd.io/_uploads/SJd3xMoS3.png) About idea bypass similar flag3, this time we use ` 69` because after `trim()` that string the extra spaces are removed and `strlen()` return `2` URL: `http://47.254.251.2:8889/?1[]=1&2[]=2&3[]=3&4=01.4e5&5=%2069` ![](https://hackmd.io/_uploads/rkb9bMsBh.png) ### Flag5: ![](https://hackmd.io/_uploads/B1labfsS3.png) This part, with function `preg_replace()` variable `$str6` is got and match string `'KaCeEtCe'` and replace to `''`. We just inject one more time string `'KaCeEtCe'` like that `'KaCeKaCeEtCeEtCe'` to after replace that string once then variable `&str2 = 'KaCeEtCe'`. URL: `http://47.254.251.2:8889/?1[]=1&2[]=2&3[]=3&4=01.4e5&5=%2069&6=KaCeKaCeEtCeEtCe` ![](https://hackmd.io/_uploads/By2tQMoSn.png) Flag: **KCSC{B0_u_Bu_S4C_8usssssss_https://www.youtube.com/watch?v=xQtC3F8fH6g}**