So I'm doing some CTF and one of the challenge is about php type juggling. The code looks something like this
if($_GET['var1'] == hash('md4', $_GET['var1']))
{
//print flag
}
So I was 80% sure that I need to pass in an integer so it'll be true but all I can manipulate is the url. I tried using python request to do it but still failed.
import requests
url = 'http://example.com'
params = dict(var1=0)
r = requests.get(url=url, params=params)
Is there any special case where php will treat the variable pass into GET array as int? Or there is other way to do so?
The answer to this CTF can be found here https://medium.com/#Asm0d3us/part-1-php-tricks-in-web-ctf-challenges-e1981475b3e4
The general idea is to find a value which starts with 0e and its hash also starts with 0e. The page gives an example of 0e001233333333333334557778889 which produces a hash of 0e434041524824285414215559233446
This notation is called scientific notation. To understand why this kind of type juggling works you need to understand what both numbers are. If we convert from scientific notation to decimal it becomes obvious.
0e001233333333333334557778889 = 0×101233333333333334557778889
0e434041524824285414215559233446 = 0×10434041524824285414215559233446
From primary school maths we know that anything multiplied by 0 is 0, which means both numbers are 0.
All input provided in the $_GET or $_POST superglobals is of type string.
Thanks to PHP's type juggling system both strings are treated as floating point numbers written in scientific notation and when cast to float they both equal 0.
Related
So I am trying to cast a string value of ie: '0.0000143' to actual FLOAT or DECIMAL number value (so it must not be a string after conversion), but the actual number of 0.0000143 as it needs to be sent through some API call and the API requires it to be structured like that and not have an actual string value.
Can anyone help me achieve this (or is it actually even possible to do)?. Since I am out of ideas
To make things more clear, I have tried all the type casting possibilities there are in PHP (it is not working as I do not need something like 1.4E-5 returned to me, but the actual value like 0.0000143).
You can use Type casting in order to achieve that:
$string = '0.0000143';
$intValue = (int)$string;
$floatValue = (float)$string;
Suppose we have a string $str = "a"; and number $num = 2;
$str = 'a';
$num = 2;
echo $str*$num;
Output:
0
When performing arithmetic operations on a string operand, PHP will try to convert the string to a number.
It does this by looking for digits at the beginning of the string and will try to convert them into a value. If there are no digits, the value will be zero.
(There's an edge case for strings containing e or E (scientific notation), but that's not relevant here.)
Good Question.
Same i did ask to my teacher when i was in collage,
The answer is.
String * int= infinity; //According to scientific calculator answer is infinity.
but we need to continue our so program it provide 0.
it is made by code by default answer.
Simply said the string will be converted to an integer with a value of 0. This will include most of the cases when only alphabetic values are used. If you try to add a integer value at the beginning of the string it would in theory become a integer of that value.
I would recommend to read Why PHP Strings Equal Zero or Comparison Operators
Maybe you are looking for str_repeat, instead doing looping for that, its a default value that php serve to you, or you need to cast A into integer . When you try to do calculation for data that is not in Integer/float data type. Usually PHP auto-typecast the variables. In some cases it wont. Then we have to type cast it manually
I'm trying to parse basically an ini file without using parse_ini_file for a few reasons. I have the file parsing perfectly into a multidimensional array and am able to search through it properly and everything. The problem that I am having, is that I want the file to be parsed based on the type. There are strings, floats and integers in the file and I need to store these as such rather than all as strings.
The users will need to be able to get the values stored, so basically they would do "Get Float from Header section with the Budget key" and this would return 4.5. However if they tried to get the string or integer from the same section it would fail. I have it able to get the keys, but since they are all stored as strings that is the only thing that works. I'm wondering what how to change the type of the value from string to integer or float.
Anyone have any ideas how to do this?
It would be very difficult to accurately predict what type of value you are looking at. Strings could contain numbers, decimal points appear in sentences, etc...
If you are dealing with a custom ini file that you are generating for your own use, you might be able to encode the type of value into the ini settings. A standard setting may look like this -
default_username=Zamereon
So you could append or prepend the data type to the setting -
(s)default_username=Zamereon // one character depicting the data type,
(i)default_reputation=1 // you could use strpos.
default_balance=0.5=f // use list($name,$value,$type) = explode('=',$setting)
References -
strpos()
list()
explode()
Another suggestion would be to leave them as strings in your parsed multidimensional array and only convert them when you actually need them. Within a function or line of code dealing with some inputted data from the ini file, you'll know exactly what data type you'll need, if it's a float just cast it to a float as you need it. There's not real need to cast every variable to it's correct form right away because their value will not change in it's textual representation; The conversion only truly needs to take place before performing some further manipulations.
You can use type casting
Type casting in PHP works much as it does in C: the name of the
desired type is written in parentheses before the variable which is to
be cast.
<?php
$foo = 10; // $foo is an integer
$bar = (boolean) $foo; // $bar is a boolean
?>
The casts allowed are:
(int), (integer) - cast to integer
(bool), (boolean) - cast to boolean
(float), (double), (real) - cast to float
(string) - cast to string
(array) - cast to array
(object) - cast to object
(unset) - cast to NULL (PHP 5)
I have a variable $x whose value is read in from an XML file. The value being read from the XML is 1.963788, nothing more, nothing less. When I output $x, I see that the value in $x is in fact 1.963788. All is right with the world.
But then when I use x in an equation such as
$pl = $x*125.0-200.0;
The value of $pl ends up being -75. For whatever reason, PHP seems to be ignoring, or just getting rid of, the digits to the right of the decimal point in $x, which makes $x contain 1. I thought maybe there was a snowball's chance in hell that this occurred in other languages too, so I wrote it up in C++ and, big surprise, I get the right answer of 45.4735.
Anyone ever encountered this before or know what's going on? Thanks.
Have you tried using floatval?
Maybe PHP interprets your number as a string and the standard conversion just casts it to integer.
It probably is due to the fact that $x is being interpreted as a string, and converted to an integer and not a float value.
Try:
$pl = (float) $x * 125.0 - 200.0;
Your number appears to have failed casting as a float. If I use '1,963788' I get your result. If I use '2,963788' I receive a result of 50. According to the PHP docs for intval (and that's what it appears PHP is trying to cast this as, an integer):
Strings will most likely return 0 although this depends on the leftmost characters of the string. The common rules of integer casting apply.
Check the value $x actually has carefully. It may not be what you expect since PHP seems to disagree that it is, in fact, a float or it would have typed it as such.
Just before you compute $pl, do a var_dump on $x to see what is the actual value stored in it. I've tried your code and it is returning the correct value 45.4735, so I might not be PHP's fault.
My $_POST value contains css friendly hex color value, for example: #ffffff. In order to make it friendly towards the ColorJizz library, I should have it in hexadecimal integer value. The code below doesn't work. If I replace the $color_hex variable with a hard coded value for example: 0xffffff, it works.
include('colorjizz.php');
$color_hex = '0x' . substr($_POST['color'], 1);
$color = new Hex($color_hex);
This is most likely a very noob level problem, but after hitting my head to the wall for a quite few hours, I'd be grateful for any advice. Thank you.
"Hexadecimal integer value" doesn't make much sense. Hex is a representation of a number (thus a string), while integer value speaks of the machine format of a number.
If you want the number, a quick Google search found hexdec
$color = hexdec(substr($_POST['color'], 1));
It appears to ignore leading "junk", so you could even use
$color = hexdec($_POST['color']);
If you have a string containing a hexadecimal representation of a number and you want to have it as a integer you have to convert from hex to dec. If I get your question right.
$dec = hexdec("ff0000");
http://php.net/hexdec
In PHP, the data type for a hexadecimal integer and a decimal integer is the same; being able to type 0xDEAD in your source code is just syntactic sugar. Thus, you can use intval() to convert the form input to a normal PHP integer from a string:
$color_hex = intval(substr($_POST['color'], 1), 16);
The final parameter, 16, specifies that the input string is in hexadecimal.