Web - Tricks 1

120 points

Description

A couple of PHP Tricks, give it a try.

Solution

We are provided with the following source code.

From reading the code, it seems we need to send a GET request with different a and b values that nevertheless have the same sha1 and md5 hashes. If only the md5 hash were checked, a collision would probably be easy to find, but finding a sha1 collision that is simultaneously an md5 collision is almost impossible.

But luckily this is a web challenge, so there must be a vulnerability somewhere. After some searching, it seems that if we pass an array instead of a string into the sha1 and md5 functions, they will return null, thereby passing the conditional checks.

Hence, by sending the payload /?a[]=x&b[]=y we can get the flag.
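The behaviour described above, next to a hardened version of the check, as an added example that is not the challenge's own source. The function names `vulnerable_check` and `hardened_check` and the exact shape of the comparison are assumptions made for illustration.

```php
<?php
// Constructed stand-in for the challenge check (not the original source).
// Assumption: the inputs must differ while their md5 and sha1 digests match.
function vulnerable_check($a, $b): bool
{
    try {
        // PHP 7 and earlier: md5()/sha1() on an array emit a warning and
        // return NULL, so NULL === NULL holds for any two arrays.
        return $a !== $b
            && @md5($a) === @md5($b)
            && @sha1($a) === @sha1($b);
    } catch (TypeError $e) {
        // PHP 8+: the hash functions throw a TypeError for an array argument
        // instead of returning NULL, so the comparison is never reached.
        return false;
    }
}

// Hardened form: reject anything that is not a string before hashing.
function hardened_check($a, $b): bool
{
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return $a !== $b
        && hash_equals(md5($a), md5($b))
        && hash_equals(sha1($a), sha1($b));
}

// Constructed request data: what PHP builds for ?a[]=x&b[]=y and ?a=x&b=y.
$requests = [
    'array parameters'  => ['a' => ['x'], 'b' => ['y']],
    'string parameters' => ['a' => 'x',   'b' => 'y'],
];

foreach ($requests as $label => $get) {
    printf(
        "%-18s vulnerable=%s hardened=%s\n",
        $label,
        var_export(vulnerable_check($get['a'], $get['b']), true),
        var_export(hardened_check($get['a'], $get['b']), true)
    );
}
```

The type check is what closes the hole: switching from `==` to `===` alone does not help, because both digests are NULL and compare equal either way.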

Flag: SBCTF{g07_2_w17h_0n3_SH07?}
