shoomy February 2016

html entities in a PHP code

I have a homework assignment: it's a webpage (a log-in page) and the task is to get in and bypass the login form. The first thing I looked into was the page's source, and I found that if I want the username I should go to the /page.phps directory, which I did. After entering that directory I was redirected to another page with this piece of code:

<?php
$super_admin_access = false;
// Set our super-admin level user?
if (isset($_GET['user'])) {
    // The query parameter is entity-decoded first, then compared to the literal string <root>
    $user = html_entity_decode($_GET['user']);
    if ($user === "<root>") {
        $super_admin_access = true;
    }
}
?>

<div class="logo"><img src="../assets/images/challenge-priserv-logo.svg" alt="Nethub logo"></div>

<div class="login">
  <form class="form" onsubmit="doLogin(); return false">
    <div class="message message-error" id="login-error-msg" style="display: none">Denied!</div>

    <div class="field">
      <div class="label">Username</div>

      <input type="text" name="username">
    </div>

    <div class="field">
      <div class="label">Password</div>

      <input type="password" name="password">
    </div>

    <!-- In case I forget, details are at page.phps -->

    <div class="actions">
      <input type="submit" value="Access server" class="btn">
    </div>
  </form>
</div>

I don't know if I understand the PHP code correctly, but the first thing I thought of was writing "<root>" in HTML entity format, which becomes &#x22;&#x3C;root&#x3E;&#x22;, especially since there was a hint saying:

Did you see the comment in the source code suggesting you take a look at page.phps? Take a look. What does urldecode do? Can you do the opposite of urldecode?

So I tried to login using the username "<root>" or the encoded one &quot;&lt;ro

Answers


Mulham Aryan February 2016

First, it must be $_GET['username'], NOT $_GET['user'], because the input field's name is "username", not "user".


Kaspars February 2016

The form's input name is username, but the code checks for user. To get access to the super-duper-mega admin powers, pass a query parameter in the URL:

http://yoururl/page.php?user=&lt;root&gt


Tom Wright February 2016

Seeing as this is a piece of homework I won't give a direct answer, but rather point you in the right direction.

You are definitely on the right track, but you seem to have gotten a little confused with how PHP handles strings.

Let me give you an example. We go to the page login.php?user=tom.

<?php
$user = $_GET['user'];
$desiredUsername = "tom";
if ($user === $desiredUsername) {
    echo "You're in!";
}

Let's take a look at the check that if() is doing in this case.

$desiredUsername === "tom"; // true
$desiredUsername === "frank"; // false
$desiredUsername === "jonas"; // false

When you are setting the $user variable in your code, you are wrapping <root> with quotes like so: "<root>". While the PHP code checks to see if $user === "<root>", the quotes in this case are actually just specifying that we want to see if $user contains the string <root>.

Test your method of using the encoded entities &quot;&lt;root&gt;&quot; with and without the quotes on either side and see what happens.
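
As an added example (not from any of the answers above, and not the challenge's own code), the following PHP shows which spellings of the username the posted check accepts once html_entity_decode has run, next to a comparison that skips the decode step. The candidate parameter values are constructed for the demo.

```php
<?php
// Added example, not from the original thread: the decode step canonicalises
// several encodings of the same name, so the check accepts all of them.

function isSuperAdminDecoded(string $param): bool {
    // Mirrors the posted code: entity-decode first, then compare.
    return html_entity_decode($param) === "<root>";
}

function isSuperAdminRaw(string $param): bool {
    // Stricter variant: no decoding, so only the literal bytes "<root>" match.
    // (In practice, admin access should not hinge on a client-supplied parameter at all.)
    return $param === "<root>";
}

// Constructed inputs: values that could arrive in $_GET['user'] after URL decoding.
$candidates = [
    '<root>'           => 'literal',
    '&lt;root&gt;'     => 'named entities',
    '&#x3C;root&#x3E;' => 'hex numeric entities',
    '&#60;root&#62;'   => 'decimal numeric entities',
    '"&lt;root&gt;"'   => 'quotes included in the value',
    'root'             => 'plain name',
];

printf("%-20s %-30s %-8s %s\n", 'raw parameter', 'encoding', 'decoded', 'raw');
foreach ($candidates as $raw => $label) {
    printf("%-20s %-30s %-8s %s\n",
        $raw,
        $label,
        isSuperAdminDecoded($raw) ? 'admin' : 'denied',
        isSuperAdminRaw($raw)     ? 'admin' : 'denied');
}
```

The row with the quotes included shows the point Tom makes: the quotes in the PHP source are string-literal syntax, not part of the value being compared.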

Post Status

Asked in February 2016
Viewed 3,697 times
Voted 14
Answered 3 times
