[wargame.kr&rootme] PHP TYPE CONFUSION & LOOSE COMPARISON WRITEUP!

FIRST OF ALL , WE SHOULD FOCUS ON THE DEFINITION

A loose comparison is one performed using two equals signs (==).It follows suit with the “best-guess” approach, which can lead to some unexpected results. 

TAKE A LOOK INTO THIS TABLE

[WARGAME.KR] MD5 PASSWORD VULNERABILITY WRITEUP!

THIS CHALL IS TO SUBMIT A PASSWORD WHICH WILL BE SENT TO md5($ps,true) FUNCTION AND THIS MD5 PASSWORD IS A PART OF THIS SQL QUERY :

$row=@mysql_fetch_array(mysql_query("select * from admin_password where password='".md5($ps,true)."'"));

OFCORSE WE DONT HAVE IDEA ABOUT PASSWORD , SO WE MUST FIND A WAY TO BYPASS THIS QUERY BY SQL INJECTION !

FIRST, TAKE A LOOK AT MD5() FUNCTION DEFINITION AND IT'S VULENERABILITY :

 string md5 ( string $str , [ bool $raw_output = false ] )