summaryrefslogblamecommitdiffstats
path: root/docs/writeups/Metasploit_Community_CTF_2020/php_equality.txt
blob: bddc5fa0af4c0fa8393c9055ed2853e74af328c2 (plain) (tree) 
452ba01











1
2
3
4
5
6
7
8
9
10
11











                                                                                                                                                                                                                                                                                      
PORT 8092

another web server which gives us a login page and the php source code for the login page.  The password we give is hashed with a secret salt and compared to a hash that we provide.  If we can guess the salted hash for a given password, we get the flag.

Obviously we aren't going to just guess a salted hash.  At first, I thought this would require us to brute force the salt's hash with an empty password, but this will be way too slow considering the alphabet size, a default 22 character salt, and cost=12 option used in the php.

Then I noticed that the hash was being compared with "==" instead of "===".  php's "fuzzy equality" check does some interesting things (docs/lang/php/loose_comparison.png).

I tried a couple things, but what I got working was to give an array as the password which will cause the password_hash function to return false.  This compared with a null string passed as the hash will actually equal true.

curl target/login.php --data "password[]=&hash="
cgit-1.2.3-r5 | srcnode v0.4.0