ConCmarks

Challenge Information

  • Category: Web Security

  • Level: easy

  • Points: 50

Description

It might be useful to find a mark.

Solution

After accessing the lab, we inspect the main page.

This means we have an endpoint called sourceXXXX, where XXXX has a value from 7000 --> 9000, so I'll first send a request, intercept it, and send it to Intruder to fuzz the correct value and get access to this endpoint.

Now select payload type --> Numbers and set the number range from 7000 to 9000 with a step of one, so we now have 2001 requests to check.

Select the Sniper attack type.

From the status codes, pick the one that returns 200 OK.

Then I searched for a way to bypass this condition and get the flag.

First, I'll explain what this condition does. The code is a PHP script that takes two GET parameters (n1 and n2), hashes them with md5 after prepending a salt, and checks whether the hashes are identical while ensuring that input1 and input2 are different. If the condition is met, it prints the flag; otherwise, it prints "Sorry this value not valid."

```php
// Vulnerable check from the challenge source (kept as-is):
// input1 must not be identical (!==) to input2 (strict comparison),
// and the MD5 hashes of salt + input1 and salt + input2 must be identical.
if( $input1 !== $input2 && @hash("md5", $salt.$input1) === @hash("md5", $salt.$input2) )
```

This means we need two different inputs that produce the same MD5 hash when concatenated with $salt. After searching again, I found a way to bypass this condition using PHP type juggling with arrays, so I used the payload n1[]= & n2[]=any_value. I'll explain it now. Instead of sending normal string values for n1 and n2, I send them as arrays using n1[]= & n2[]=1. PHP automatically converts query parameters with [] into arrays ($_GET['n1'] and $_GET['n2'] become arrays instead of strings). When PHP hashes an array with @hash("md5", $salt.$input1), it throws a warning and returns NULL, so the condition evaluates to true, because $input1 !== $input2 (the arrays are different) and @hash("md5", NULL) === @hash("md5", NULL) is true. Now put this payload in and send it.
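The following is an added example, not the challenge's own source: it reproduces the vulnerable comparison beside a hardened version that rejects non-string input before hashing, and feeds both the array pair produced by the query string n1[]=&n2[]=1 (parsed with parse_str to simulate $_GET). One detail worth knowing for the fix: in the concatenation $salt.$input1, PHP converts an array to the literal string "Array" (with a suppressed warning), so both hash() calls end up hashing the same string regardless of the array contents. The $salt value and the flag are placeholders; the real ones are not on the page.

```php
<?php
// Added example (not the challenge's code). $salt is a placeholder value.
$salt = 'placeholder_salt';

// The vulnerable check exactly as the challenge writes it, wrapped in a
// function so it can be called with different input types.
function vulnerable_check($input1, $input2, string $salt): bool {
    return $input1 !== $input2
        && @hash("md5", $salt.$input1) === @hash("md5", $salt.$input2);
}

// Hardened check: only plain strings are allowed to reach the hash.
// Arrays (and any other non-string type) are rejected up front, so the
// "Array" string conversion can never make the two hashes collide.
function hardened_check($input1, $input2, string $salt): bool {
    if (!is_string($input1) || !is_string($input2)) {
        return false;
    }
    return $input1 !== $input2
        && hash_equals(hash("md5", $salt.$input1), hash("md5", $salt.$input2));
}

// Simulate how PHP parses the query string n1[]=&n2[]=1 into $_GET:
// $get['n1'] becomes [''] and $get['n2'] becomes ['1'].
parse_str('n1[]=&n2[]=1', $get);

// Array pair: the vulnerable check is satisfied, the hardened one is not.
var_dump(vulnerable_check($get['n1'], $get['n2'], $salt));
var_dump(hardened_check($get['n1'], $get['n2'], $salt));

// Two ordinary, different strings fail both checks, as intended.
var_dump(vulnerable_check('a', 'b', $salt));
var_dump(hardened_check('a', 'b', $salt));

// The root cause: concatenating either array onto $salt yields the same
// string, "placeholder_saltArray", so the md5 values are equal.
var_dump(@($salt . $get['n1']) === @($salt . $get['n2']));
```

Running this with the PHP CLI shows the array pair passing vulnerable_check and failing hardened_check, while the two plain strings fail both; the final comparison is true because both concatenations produce the same "Array" string. The is_string guard is the minimal fix; hash_equals is used in the hardened version only because it is the idiomatic way to compare hash strings in PHP, not because it changes the outcome here.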
