##Problem
##Solution
Loading the website the user is greeted by an empty PHP page. Checking the source, one would find the following:
<!--
CODE BACKUP ©SCTF CORPORATION EVEN THO WE AINT A CORPORATION:
$a = $_GET["plang"];
if(isset($a)) {
if(strpos($a,"answer") !== false && strlen($a) < 2) {
echo $flag;
} else {
echo "Sadly, yee hath given bad input.";
}
}
-->
After analysing the code the user would figure the PHP script utilises a GET tag called plang
, and the statement in which the user must break to retrieve the flag is the following:
if(strpos($a,"answer") !== false && strlen($a) < 2)
After some Googling it's found what strpos
and strlen
does:
strpos — Find the position of the first occurrence of a substring in a string.
strlen — Get string length.
The issue becomes evident. The variable submitted through plang
must contain the string answer
, but must also be smaller than length 2
, which is technically impossible. After some Googling on PHP variables and exploits, it's found that the compare statement ==
is (for lack of better terms) broken.
Simply running an array through plang
one would validate both conditions within the if statement.
The following is displayed:
arrays_and_strings
##Flag
arrays_and_strings