Reputation: 43
There is a program from my University (IT-Security) where you have to try capturing "flags" by manipulating PHP or HTML code, for example. We only see the code below and the program runs on a website of theirs. So we need to somehow manipulate the URL or something like this... but I'm really stuck on this one here:
<?php
require_once '_flags.php';
highlight_file(__FILE__);
if (isset($_GET['pw']) &&
    md5($_GET['pw']) == '0e13371337133713371337133713371337') {
    echo $doyouphp3_flag;
}
I know that I have to submit a password by adding ?pw=... at the end of the URL, but I just don't know what... Is there any way to bypass the md5 function, for example, because I don't think they want me to brute-force the password...
Hope someone can help me or at least give me a hint.
Marius
Upvotes: 1
Views: 5203
Reputation: 36924
You just need to observe that 0e13371337133713371337133713371337 is a number, and it isn't a valid md5 hash.
Then you need to know how PHP loose comparison (with the == operator) involving numerical strings works. You can read that in the documentation:
If you compare a number with a string or the comparison involves numerical strings, then each string is converted to a number and the comparison performed numerically.
So, now you know that
var_dump('0' == '0e13371337133713371337133713371337'); // true
var_dump('0e123' == '0e13371337133713371337133713371337'); // true
var_dump('0e65165165165165' == '0e13371337133713371337133713371337'); // true
So, you just need to find a md5 hash that's also a number.
The md5 hash of 240610708 is 0e462097431906509019562988736854, and "0e13371337133713371337133713371337" == "0e462097431906509019562988736854" is true. So you can use that. But also QNKCDZO should work just fine.
What's the lesson here? That md5('240610708') == md5('QNKCDZO') is true and it's dangerous, and that you should use === instead of ==.
Upvotes: 1
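As an added example, not part of the question or the answer above: the loose check from the challenge placed beside a strict form, plus a small helper that flags hex digests PHP's == would read as the number zero. The function names (checkLoose, checkStrict, isMagicDigest) and the list of test inputs are my own; the target string is the one from the challenge.

```php
<?php
// Added example (not the challenge's code): loose vs strict digest comparison.

// Target string copied from the challenge in the question.
$target = '0e13371337133713371337133713371337';

// Vulnerable form: == sees two numeric strings and compares them as floats.
// "0e<digits>" parses as 0 * 10^n == 0.0, so any MD5 hex digest matching
// 0e[0-9]{30} compares equal to the target, whatever the input was.
function checkLoose(string $pw, string $target): bool
{
    return md5($pw) == $target;
}

// Hardened form: hash_equals() compares the two strings byte for byte
// (like ===) and in constant time, so only the literal digest matches.
// With this 34-character target it can never pass, because a real MD5
// digest is 32 characters; the point is that the juggling path is gone.
function checkStrict(string $pw, string $target): bool
{
    return hash_equals($target, md5($pw));
}

// Helper: would PHP's == treat this digest as a numeric string?
// Only digests of the form "0e" followed by digits qualify.
function isMagicDigest(string $digest): bool
{
    return preg_match('/^0e[0-9]+$/', $digest) === 1;
}

// Constructed inputs: the two values from the answer and one ordinary password.
foreach (['240610708', 'QNKCDZO', 'password'] as $pw) {
    $digest = md5($pw);
    printf("%-10s md5=%s magic=%-3s loose=%-5s strict=%s\n",
        $pw,
        $digest,
        isMagicDigest($digest) ? 'yes' : 'no',
        checkLoose($pw, $target) ? 'true' : 'false',
        checkStrict($pw, $target) ? 'true' : 'false');
}
```

Run with `php example.php`: the first two inputs print magic=yes and loose=true while strict stays false for every input; the third input fails both checks. The same juggling applies to any stored digest that happens to start with "0e" followed only by digits, which is why a stored hash should be compared with === or hash_equals() rather than ==, and why real password storage should go through password_hash() and password_verify() instead of a bare MD5 comparison.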