
Trying some malicious injection against bWAPP, I came across the bypass captcha challenge.

The filter validating the captcha is:

`if($_POST["captcha_user"] == $_SESSION["captcha"])`

I tried the input `1' || '2` but it doesn't bypass the logical condition.

Ryuzaki
  • Hint: `==` is considered unsafe. [You'll find more information in this answer on SE](https://stackoverflow.com/a/40392064) – vidarlo Oct 05 '20 at 06:04
  • You didn't ask a question. What is your question? Why do you attempt an SQL injection payload in a PHP comparison? – Sjoerd Oct 05 '20 at 11:47
  • @Sjoerd I'm sorry. I corrected the SQL part. And my question is why my malicious input isn't bypassing the logical condition and executing the corresponding branch. – Ryuzaki Oct 05 '20 at 13:48
  • @Ryuzaki what is `$_SESSION["captcha"]` likely to be? And how can you fool the `==` comparator? Have a look at the link I handed you. Besides, it's obvious that you don't understand the task you're attempting to perform, and thus it should be closed at this SE. – vidarlo Oct 05 '20 at 14:08
  • @vidarlo I want to know why the logical expression which I'm trying to make with malicious input (e.g. `'1' || '2' == 'randomcaptchastring'`) is evaluating to false and stopping me from going past the filter. `$_SESSION["captcha"]` is any random string. – Ryuzaki Oct 05 '20 at 14:42
  • Because you are not supplying something that PHP evaluates as `==` to whatever the expected captcha value is. The post I linked details how the `==` operator works. Read it. Install PHP on your computer and play with it. – vidarlo Oct 05 '20 at 14:45
  • So, the resulting string is: `if($_POST["1' || '2"] == $_SESSION["captcha"])`? Can you see how that wouldn't work? – schroeder Oct 05 '20 at 14:47
  • @schroeder that's probably wrong. `$_POST["captcha_user"]` is a variable in an array, so the eval becomes `"1' || '2" == "somestring"`. But `"1' || '2"` is a perfectly valid string in PHP, so it should not lead to any problems at *that* stage. – vidarlo Oct 05 '20 at 14:53
  • @vidarlo I was not highlighting a syntax problem. I was highlighting what you ended up doing in your answer ... `1` OR `2` will never equal `captcha` ... – schroeder Oct 05 '20 at 17:36
  • @schroeder yep, but as I read your comment, it's a bit unclear. `$_POST["captcha"]` gets the value `1' || '2`... it doesn't enter as part of the variable name. – vidarlo Oct 05 '20 at 23:28

1 Answer

Ok, this is a prime example of why you have to understand a system for you to be able to breach it. That's probably the point of this exercise as well; you need to know and notice security vulnerabilities.

If you don't know a particular one, you have to be able to read technical documentation and figure out how to use a particular weakness. In this case the weakness has been pointed out specifically: the `==` comparator, with a link to how it works. From the description of how it works, you have to be able to figure out how to attack it.

`==` is highlighted as insecure in many, many places. `===` is the recommended comparator when user input is involved (or in general, even).

How `==` works is clearly documented, type for type. Furthermore, you can test what the expected value of `$_SESSION["captcha"]` is by visiting the page and submitting a valid captcha.

And as you know the language and source code, you can trivially test it on your own computer:

<?php
// The session captcha is a random string; stand in a fixed one here.
$captcha = "somestring";
// A non-string value standing in for the submitted captcha.
$userinput = true;

// Loose comparison: both sides are converted to a common type first.
if ($userinput == $captcha) {
    print("== leads to truthy eval\n");
}

// Strict comparison: types must match as well as values.
if ($userinput === $captcha) {
    print("=== leads to truthy eval\n");
}
?>

What do you expect that this snippet will output? `true` is obviously not equal to `"somestring"`.

That's the point of this exercise: highlight a common security vulnerability in PHP code, and teach you how it works and what protections you can use against it.

vidarlo
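The following is an added example, not code from the answer above, from the question, or from bWAPP. It puts the loose captcha check quoted in the question beside a hardened one and runs both over constructed inputs. It goes beyond the answer's `true` case: it also shows the numeric-string cases (`"1e3"`, `"01000"`, `"0e..."`) where `==` reports equal strings that are not the same, and an array input of the kind `captcha_user[]=x` produces. The bool case is included only to reproduce the answer's snippet; it cannot actually be sent over HTTP, since every scalar in `$_POST` arrives as a string. The function names and the sample values are this example's own.

```php
<?php
// Added example: not code from the original answer, the question, or bWAPP.
// Loose captcha check beside a hardened one, over constructed inputs.

// The check as the question quotes it: loose comparison with ==.
function captcha_ok_loose($user, string $expected): bool
{
    return $user == $expected;
}

// Hardened check: refuse anything that is not a string, then compare
// strictly and in constant time. hash_equals() has === semantics on the
// bytes and does not leak the first differing position through timing.
function captcha_ok_strict($user, string $expected): bool
{
    if (!is_string($user)) {
        return false;   // e.g. captcha_user[]=x arrives as an array
    }
    return hash_equals($expected, $user);
}

// Constructed cases: [expected $_SESSION["captcha"], submitted value, note].
// The bool case is not sendable via HTTP; it mirrors the answer's snippet.
$cases = [
    ["somestring", "somestring",   "exact match"],
    ["somestring", true,           "bool: == casts the string side to bool"],
    ["somestring", "Somestring",   "case differs"],
    ["1000",       "1e3",          "two numeric strings compare as numbers"],
    ["1000",       "01000",        "leading zero, still a numeric string"],
    ["0e462097431906509019562988736854",
                   "0e830400451993494058024219903391",
                                   "both parse as 0.0 (magic-hash shape)"],
    ["somestring", ["somestring"], "array: == is false; hash_equals() would throw a TypeError on PHP 8 without the is_string guard"],
];

foreach ($cases as [$expected, $user, $note]) {
    printf("%-42s loose=%-5s strict=%-5s %s\n",
        json_encode($user),
        captcha_ok_loose($user, $expected) ? "true" : "false",
        captcha_ok_strict($user, $expected) ? "true" : "false",
        $note);
}
```

Run it with `php example.php`. Only the first row is accepted by the strict check; the loose check additionally accepts the bool and all three numeric-string rows, because when both operands are numeric strings PHP compares them as numbers. A captcha that happens to look numeric is therefore matched by any other spelling of the same number. The `is_string` guard matters beyond the comparison itself: without it, an array parameter turns the hardened check into a crash rather than a clean rejection.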