A loose comparison is one performed using two equals signs (==). It follows suit with the "best-guess" approach, which can lead to some unexpected results.
Take a look at this table. As you can see, for example, if we compare bool(true) to the string "PHP", the comparison always results in true!
Another example, from Root-Me. We focus on this line:

if($auth['data']['login'] == $USER)

We must compare our input to $USER, whose value we perhaps never know! So we must exploit this using the table above: we must compare $USER to bool(true). That makes the if condition become true and the flag will be pushed out (of course, in this example, we must feed a valid input to the following condition too)!
Let's check the challenge about this problem on wargame.kr for a clear vision!

Type Confusion challenge:
<?php
if (isset($_GET['view-source'])) {
    show_source(__FILE__);
    exit();
}
if (isset($_POST['json'])) {
    usleep(500000);
    require("../lib.php"); // include for auth_code function.
    $json = json_decode($_POST['json']);
    $key = gen_key();
    if ($json->key == $key) {
        $ret = ["code" => true, "flag" => auth_code("type confusion")];
    } else {
        $ret = ["code" => false];
    }
    die(json_encode($ret));
}
function gen_key(){
    $key = uniqid("welcome to wargame.kr!_", true);
    $key = sha1($key);
    return $key;
}
?>

As you can see, we must give an input value which makes the if condition become true. Let's beat this challenge!
First, look at the code. Any value we input will be decoded into a JSON object (e.g. {"key":"4rthas"} → key => "4rthas"). On the other hand, this challenge forces us to input a JSON string of the form {"key":blabla}!
So, based on what we have learned above, we have no idea about $key, but we do know that $key is a string (a sha1 hex digest). Simply, we must compare it to bool(true)! Let's do this!
Input {"key":true} and send it to the server via ZAP Proxy 2.8.0, my babe!
And the flag comes up!
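To see why {"key":true} passes the check and how to close the hole, here is a small added PHP example (my own, not the challenge's code): it re-creates the challenge's key generation and runs the same json_decode'd payload through the loose `==` check and through a hardened check that first requires a string and then uses hash_equals(). The bool payload only gets through the loose version; the real key gets through both.

```php
<?php
// Added example, not the wargame.kr challenge code.
// gen_key() mirrors the challenge: a sha1 hex string nobody can guess.
function gen_key(): string {
    return sha1(uniqid("welcome to wargame.kr!_", true));
}

// The vulnerable check from the challenge: loose comparison.
// bool(true) == non-empty string: PHP casts the string to bool(true),
// so ANY non-empty key matches when the client sends a JSON true.
function check_loose(string $payload, string $key): bool {
    $json = json_decode($payload);
    return $json->key == $key;
}

// Hardened check: reject anything that is not a string, then compare
// with hash_equals() (strict, and timing-safe as a bonus).
function check_strict(string $payload, string $key): bool {
    $json = json_decode($payload);
    if (!is_object($json) || !isset($json->key) || !is_string($json->key)) {
        return false;
    }
    return hash_equals($key, $json->key);
}

// Constructed payloads: the type-confusion one, the real key, a wrong key.
$key = gen_key();
$cases = [
    '{"key":true}'           => 'bool true',
    '{"key":"' . $key . '"}' => 'the real key',
    '{"key":"wrong"}'        => 'a wrong string',
];
foreach ($cases as $payload => $label) {
    printf("%-15s loose=%-5s strict=%s\n", $label,
        var_export(check_loose($payload, $key), true),
        var_export(check_strict($payload, $key), true));
}
```

The same fix applies to the Root-Me line above: `==` against an attacker-controlled value is the bug, `===` (or hash_equals() for secrets) with a type check is the cure.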
Happy hacking!