Php Train

Censored

Have a look at the website's code and analyse it one check at a time. I recommend testing each payload on your own localhost PHP site, since that makes payload debugging much easier.

First param1

    show_source("index.php");
    include 'constants.php';
    error_reporting(0);
    if(isset($_GET["param1"])) {
        if(!strcmp($_GET["param1"], CONSTANT1)) {
            echo FLAG1;
        }
    }

It uses strcmp on our input and CONSTANT1. According to the docs, this returns 0 if both strings are equal, else it returns the ASCII difference of the two strings. To bypass this we simply need to enter a null string, which returns 0, and !0 = 1; in PHP that comes in the form of an empty array: param1[]=

Now param2 and 3

    if(isset($_GET["param2"]) && isset($_GET["param3"])) {
        $str2 = $_GET["param2"];
        $str3 = $_GET["param3"];
        if(($str2 !== $str3) && (sha1($str2) === sha1($str3))) {
            echo FLAG2;
        }
    }

This uses strict comparisons, which we can bypass once again with arrays: param2[]=1&param3[]=2

Param 4

    if(isset($_GET["param4"])) {
        $str4 = $_GET["param4"];
        $str4=trim($str4);
        if($str4 == '1.2e3' && $str4 !== '1.2e3') {
            echo FLAG3;
        }
    }

This compares our input to 1.2e3: loosely with == and strictly with !==. Simply run 1.2e3 in the console, which gives us 1200.

Param5

    if(isset($_GET["param5"])) {
        $str5 = $_GET["param5"];
        if($str5 == 89 && $str5 !== '89' && $str5 !== 89 && strlen(trim($str5)) == 2) {
            echo FLAG4;
        }
    }

Our input must loosely equal 89 (string or int), but it can't be the int 89 and can't be the string '89'; also, the string length of the trimmed version must be 2. With that we can form our payload whitespace89whitespace, where "whitespace" is a literal whitespace, i.e. " 89 ".

For param 6, the payload is just a 0 hashed in md4.

Param 7

    if(isset($_GET["param7"])) {
        $str7 = $_GET["param7"];
        $var1 = 'helloworld';
        $var2 = preg_replace("/$var1/", '', $str7);
        if($var1 === $var2) {
            echo FLAG6;
        }
    }

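preg_replace replaces anything that matches $var1 with an empty string, but the result must equal helloworld. Since the replacement runs only once, we can use hellohelloworldworld: removing the inner helloworld leaves helloworld behind.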

Finally param 8

    if(isset($_GET["param8"])) {
        $str8 = $_GET["param8"];
        $comp = range(1, 25);
        if(in_array($str8, $comp)) {
            if(preg_match("/\.env/", $str8)) {
                echo FLAG7;
            }
        }
    }

preg_match returns true for any string that contains .env. Our input must also be a number in the range [1 - 25], which means we can use something like this: 1.env
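Every check above falls to loose typing or to an unchecked input type. As an added example (not part of the challenge source or this writeup's original code), here are type-safe versions of those comparisons, assuming PHP 8.0+ for the `mixed` type; `EXPECTED`, the function names and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the challenge's CONSTANT1 (the real value is not on the page).
const EXPECTED = 'constructed-secret';

// Replaces !strcmp($input, CONSTANT1) and the ==/!== mixes: only a string that
// is byte-for-byte equal passes; arrays from param[]= are rejected first.
function matches_secret(mixed $input, string $expected): bool
{
    return is_string($input) && hash_equals($expected, $input);
}

// Replaces sha1($a) === sha1($b) on raw $_GET values: both must be strings
// before hashing, so two arrays can never produce "equal" hashes.
function same_sha1(mixed $a, mixed $b): bool
{
    return is_string($a) && is_string($b) && hash_equals(sha1($a), sha1($b));
}

// Replaces in_array($input, range(1, 25)): digits only, then a numeric bound check.
function in_int_range(mixed $input, int $min, int $max): bool
{
    return is_string($input) && ctype_digit($input)
        && (int) $input >= $min && (int) $input <= $max;
}

// Replaces the single preg_replace pass: strip until nothing changes.
function strip_all(string $needle, string $input): string
{
    do {
        $before = $input;
        $input = str_replace($needle, '', $input);
    } while ($input !== $before);
    return $input;
}

// Constructed inputs mirroring the payloads discussed in the writeup.
var_dump(matches_secret([], EXPECTED));                     // array input
var_dump(matches_secret('constructed-secret', EXPECTED));   // exact string
var_dump(same_sha1(['1'], ['2']));                          // two arrays
var_dump(in_int_range('1.env', 1, 25));                     // number with suffix
var_dump(in_int_range(' 89 ', 1, 100));                     // padded number
var_dump(strip_all('helloworld', 'hellohelloworldworld'));  // nested needle
```

Where a list lookup is still wanted, `in_array()` accepts `true` as a third argument to compare strictly.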

Flag

p_ctf{ech0_1f_7h3_7r41n_d035_n07_5t0p_1n_y0ur_5t4t10n_7h3n_1t5_n07_y0ur_7r41n}