Challenge 1

> For the complete documentation index, see [llms.txt](https://ymiir.gitbook.io/nota/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ymiir.gitbook.io/nota/2025-stuff/learning-stuff/php.md). # PHP ## PHP Web Challenge ### preg\_replace() It is used in string manipulation to search and replace specific patterns with strings. `$final_string = preg_replace($pattern,$replace,$input)` > $pattern = strings being listed. > \ > $replace = to be replace if match > \ > $input = from user. ```javascript Example 1. $input = " Hello Master " $pattern = "/Master/i" // in regex, I represent case-insensitive. $replace = "hacker!" $result = preg_replace($pattern,$replace,$input) echo $result //Output : Hello hacker! ``` ```javascript $input = "My email is john.doe@example.com, and Jane's email is jane.doe@example.net."; $pattern = "/[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/"; $replacement = "[email]"; $result = preg_replace($pattern, $replacement, $input); echo $result; // Output: "My email is [email], and Jane's email is [email]." ``` ```javascript $input = "2 cats, 4 dogs, and 3 birds."; $pattern = "/\d+/"; $callback = function ($matches) { return $matches[0] * $matches[0]; }; $result = preg_replace_callback($pattern, $callback, $input); echo $result; // Output: "4 cats, 16 dogs, and 9 birds." ``` #### Sample CTF ```html Challenge 1

Source code says it all

HINT : see how preg_replace works

Try to reach super_secret_function()

See the source code ``` The above code can be divided into multiple parts. 1. Read Source Code ``` if (isset($_GET['source'])) { highlight_file(__FILE__); die(); } ``` Providing the URL with value source. `http://URL/index.php?source` 2. Get parameter ``` if (isset($_GET['anime_is_bae'])) { $your_entered_string = $_GET['anime_is_bae']; ``` Supply the URL with value `anime_is_bae` with any text. Then it will store in `$your_entered_string` 3. preg\_replace ``` $final_string = preg_replace("/$intermediate_string/", '', $your_entered_string); ``` It will check the `your_entered_string` with `preg_replace`. The pattern here is `/$intermediate_string/`, if similar it will return, (whitespace). 4. Condition check ``` if ($final_string === $intermediate_string) ``` Lastly, it will check `final_strings` with `intermediate_string`. If the condition meet, it will return `super_secret_function()` #### **Exploitation.** preg\_replace check for all character. For example "hello", 'c' and etc. If the input strings match 100% as the pattern. It will replace the strings with `$replace`. In this case, the `$intermediate_string` check with `$your_entered_string` ``` $your_entered_string = userinput $intermediate_string = hellotherehooman intermediate_string === final_string ``` As we can see, the user input can directly bypass since it only checks full words `"hellotherehooman"`

#### Another CTF ```html Welcome My Admin !
"; if (isset($_GET['pat']) && isset($_GET['rep']) && isset($_GET['sub'])) { $pattern = $_GET['pat']; $replacement = $_GET['rep']; $subject = $_GET['sub']; echo "original : ".$subject ."
"; echo "replaced : ".preg_replace($pattern, $replacement, $subject); }else{ die(); } ?> ``` We can see the URL receive 3 GET inputs, namely as `pat`, `rep` and `sub`. For each `GET`, it represent `pattern`, `replace` and `subject/input`. `http://URL/index.php?pat=/As/&rep=as&sub=your exploit`

**Exploitation** PHP version 5.0 and below. Can execute `/e/` modifier. `http://URL/index.php?pat=/a/e/&rep=phpinfo();&sub="Payload"`

Proof that we can bypass it. ### PHP Type Jungling PHP will automatically perform conversion from one data type to another based on context. This is referred to as type juggling. There are strict `(===)` and loose`(==)` comparisons. In PHP, **==** is used for the loose comparison of variables. This means PHP will attempt to convert variables where it appears to make sense The vulnerability occurs in loose comparison. ``` if (strcmp($username, $_POST['username']) == 0) { if (strcmp($password, $_POST['password']) == 0) { $_SESSION['user_id'] = 1; header("Location: /upload.php"); ``` If `(($username == _POST['username'] )==0)` and `(($password == _POST['password'] )==0)` it will return to the endpoint `/upload.php` Since the strcmp can be manipulated as an array. Assign the `$username` as an array to bypass comparison. `username[]=anything&password[]=anything` #### strcasecmp Binary safe case-insensitive string comparison where `trcasecmp(a,b)` will return `null` when either `a` or `b` is not a string. In addition, `null` has the same numerical value as `0`. Since we use `==` operator instead of `===` here, then `null == 0`. ```html if ($_SERVER['REQUEST_METHOD'] === 'POST') { $password = $_POST["password"]; if (strcasecmp($password, $FLAG) == 0) { echo $FLAG; } else { echo "That's the wrong password!"; } } ?> // There for, password[]=anything will return true. ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ymiir.gitbook.io/nota/2025-stuff/learning-stuff/php.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.