To win this level it would appear that we need to get $_REQUEST["passwd"] to match the value of "censored". Maybe there is another way though. Let's see what the comments on php.net have to say about the strcmp() function.
As it turns out, !strcmp("foo", array()) returns "1", i.e. "true".
For the win we can make $_REQUEST["passwd"] an array; to do this, just replace the "=" in the request with "" like so:
So we need to get $_REQUEST["passwd"] to be greater than 10, AND strstr($_REQUEST["passwd"], "iloveyou") to evaluate to true. Let's examine the behavior of the PHP ">" operator:
According to php.net, "If you compare a number with a string or the comparison involves numerical strings, then each string is converted to a number and the comparison performed numerically". So it looks like this condition will evaluate true when $passwd is a number, or starts with a number, that is greater than 10, even if letters follow that number. Great! So we need to get strstr($_REQUEST["passwd"], "iloveyou") to evaluate true and we'll be set. The php.net manual says strstr() "Returns the portion of string [starting at the match, to the end of the string], or FALSE if needle is not found". Here's another example to chew on:
We should have all the information we need to win now:
If you thought the last level was easy, this one is even easier.
All we have to do is set revelio=1 for the win:
This one was really easy:
All we have to do is set admin=1 for the win. Let's try:
Well that didn’t work. What’s up with this experimenter thing anyway? I wonder what would happen if we used the PHPSESSID from that and made the same request?
Oh…that’s what happens.
There is a lot of code in this one, so let's focus on some of the more important parts:
Line 23 tells us we need to set $_SESSION["admin"] == 1 for the win. We don't have direct control over the $_SESSION array, but the following code offers an entry point:
The focus is on lines 59 – 63. Line 59 sets up a for loop that iterates once per newline (\n) present in $data. This is made possible by the explode() function, which "returns an array of strings, each of which is a substring of string formed by splitting it on boundaries formed by the string delimiter". On line 61 they explode() each member of the array by a space (" "), and set the limit to 2, meaning it splits the string only at the first space. Here's an example to look at:
For this example I replaced $data with "friends love\nhappiness joy tranquility prosperity", and you can see that the first array key of $_SESSION was set to "friends" with the value "love". The second array key was set to "happiness" with the value "joy tranquility prosperity". For our hack we need to create an array key called "admin" with its value set to "1". We can create the key like this:
Then all we have to do is set "admin" == 1:
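As an added example (not the level's own source), the explode()-based loop described above is reconstructed from the write-up's description, next to a hardened version that only accepts an allowlist of keys so that request data can never create a privilege-bearing session key such as "admin". The function names, the allowlist and the sample $data string are constructed for this demo.

```php
<?php
// Added example, not the level's code: reconstruction of the pattern the
// write-up describes (split $data on "\n", then each line on its first
// space) and a hardened alternative. $data is assumed to come from the request.

function parseProfileUnsafe(string $data): array {
    $out = [];
    foreach (explode("\n", $data) as $line) {
        $pair = explode(" ", $line, 2);      // limit 2: split only at the first space
        if (count($pair) === 2) {
            $out[$pair[0]] = $pair[1];       // any key, including "admin", lands here
        }
    }
    return $out;
}

// Hardened: normalise whitespace, accept only the keys the application
// expects, and never let request data decide privilege-bearing keys.
function parseProfileSafe(string $data): array {
    $allowed = ['friends', 'happiness'];     // constructed allowlist for this demo
    $out = [];
    foreach (explode("\n", $data) as $line) {
        $pair = explode(" ", trim($line), 2);
        if (count($pair) !== 2) {
            continue;                        // malformed line: ignore it
        }
        [$key, $value] = $pair;
        if (!in_array($key, $allowed, true)) {
            continue;                        // "admin" and anything unexpected is dropped
        }
        $out[$key] = $value;
    }
    return $out;
}

// Constructed sample input: the benign pairs from the write-up plus an
// extra "admin 1" line of the kind the write-up injects.
$data = "friends love\nhappiness joy tranquility prosperity\nadmin 1";

$unsafe = parseProfileUnsafe($data);
$safe   = parseProfileSafe($data);

// The unsafe parser yields an "admin" key; the safe parser never does.
var_dump(array_key_exists('admin', $unsafe));
var_dump(array_key_exists('admin', $safe));

// Even a surviving "admin" value is a string; a strict check against the
// integer 1 would not match, whereas the loose == the level uses would.
var_dump(isset($unsafe['admin']) && $unsafe['admin'] === 1);
```

The same allowlist idea applies wherever request-derived key/value pairs are copied into $_SESSION: decide the set of writable keys in code, not from the input.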