If `==` is used in PHP, there are unexpected cases where the comparison does not behave as expected. This is because `==` converts both operands to a common type before comparing their values; if you also need the types to match, use `===`. Note that PHP 8.0 changed the rules: a non-numeric string compared with a number is now compared as a string (the number is converted), so the rows below marked PHP < 8 no longer hold there, while the rows involving two numeric strings still do.
- `"string" == 0 -> true` (PHP < 8): a string that does not start with a number is converted to int 0 and therefore equals 0. In PHP 8 this is false.
- `"0xAAAA" == "43690" -> true` (PHP 5 only): strings that look numeric are compared as numbers, so two different spellings of the same number compare equal. Hexadecimal strings stopped being numeric in PHP 7, so this particular row is false from PHP 7 on; decimal and scientific forms still work in every version, e.g. `"1e3" == "1000"` is true.
- `"0e3264578" == 0 -> true` (all versions): a string starting with `0e` followed only by digits is a numeric string in scientific notation whose value is 0.
- `"0X3264578" == 0 -> true` (PHP < 8): a string starting with "0" followed by a letter (X can be any letter) and then anything is not numeric, so it is converted to int using its leading numeric prefix, which is 0. In PHP 8 this is false.
- `"0e12334" == "0" -> true` (all versions): both sides are numeric strings, so they are compared numerically (0 == 0). This is very interesting because in some cases you can control the string "0" and some content that is hashed and compared to it. Therefore, if you can provide a value whose hash starts with "0e" and contains only digits after it (no hexadecimal letters a-f), you can bypass the comparison. Already-hashed strings with this format can be found here: https://github.com/spaze/hashes
- `"X" == 0 -> true` (PHP < 8): any non-numeric string equals int 0. In PHP 8 this is false.
Type juggling also affects `in_array()` (and `array_search()`) by default: they compare with `==` unless you pass `true` as the third argument to enable strict comparison. For example, `in_array("0e1", ["0"])` is true in every PHP version, while `in_array("0e1", ["0"], true)` is false.
`strcmp()` / `strcasecmp()` are affected in a different way: if such a function is used for an authentication check and the user controls one side of the comparison, the user can send an array instead of a string by appending `[]` to the parameter name (`https://example.com/login.php/?username=admin&password[]=`). In PHP < 8 `strcmp()` then emits a warning and returns NULL, and `NULL == 0` is true, so a check like `if (strcmp($_POST['password'], $stored) == 0)` is bypassed. In PHP 8 passing an array throws a TypeError instead, so this trick only works against older versions.
Even if `===` is used, there can still be errors that make the comparison vulnerable to type juggling. For example, if the code casts the data to a different type before comparing, the cast reintroduces the lossy conversion: `(int)"1abc" === 1` is true in every version, and `(int)"0x1A"` is 0.
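The following script is an added example (it is not part of the original page) that puts the comparisons above next to each other: the magic-hash bypass of a loose `md5()` check, the comparison table with the PHP version each result applies to, `in_array()` without the strict flag, the `strcmp()` array trick and a cast before `===`. The `loose_hash_check` / `strict_hash_check` / `strcmp_login` functions and the stored values are hypothetical; the two magic-hash inputs are the well-known `QNKCDZO` and `240610708`, whose MD5 digests both start with `0e` followed only by digits.

```php
<?php
// Added example: loose vs strict comparison in PHP. Results marked "PHP < 8"
// changed with PHP 8.0's string-to-number comparison rules.

// Vulnerable pattern (hypothetical): a stored hash compared with == against md5 of user input.
function loose_hash_check(string $stored_hash, string $user_input): bool
{
    return md5($user_input) == $stored_hash;              // "0e..." == "0e..." is true
}

// Hardened: exact, constant-time byte comparison.
function strict_hash_check(string $stored_hash, string $user_input): bool
{
    return hash_equals($stored_hash, md5($user_input));
}

$victim_password = 'QNKCDZO';   // md5 = 0e830400451993494058024219903391
$attacker_input  = '240610708'; // md5 = 0e462097431906509019562988736854
$stored          = md5($victim_password);

var_dump(loose_hash_check($stored, $attacker_input));  // true in every version: both parse as 0.0
var_dump(strict_hash_check($stored, $attacker_input)); // false

// The comparison table from the text, evaluated by the running interpreter.
$cases = [
    ['"string" == 0',       "string" == 0],        // PHP < 8: true, PHP 8: false
    ['"0xAAAA" == "43690"', "0xAAAA" == "43690"],  // PHP 5: true, PHP 7+: false (hex strings are not numeric)
    ['"1e3" == "1000"',     "1e3" == "1000"],      // true in every version (two numeric strings)
    ['"0e3264578" == 0',    "0e3264578" == 0],     // true in every version (numeric string with value 0)
    ['"0X3264578" == 0',    "0X3264578" == 0],     // PHP < 8: true, PHP 8: false
    ['"0e12334" == "0"',    "0e12334" == "0"],     // true in every version (two numeric strings)
    ['"X" == 0',            "X" == 0],             // PHP < 8: true, PHP 8: false
];
foreach ($cases as [$expr, $result]) {
    printf("%-22s %s\n", $expr, var_export($result, true));
}

// in_array() compares with == unless the third argument is true.
var_dump(in_array("0e1", ["0"]));        // true: loose numeric-string comparison
var_dump(in_array("0e1", ["0"], true));  // false: strict comparison

// strcmp() with an array argument: PHP < 8 warns and returns NULL, and NULL == 0 is true.
// PHP 8 throws a TypeError instead, which is caught here so the script runs on both.
function strcmp_login(string $stored_password, $user_password): bool
{
    try {
        return strcmp($user_password, $stored_password) == 0; // vulnerable: NULL == 0
    } catch (TypeError $e) {
        return false;                                          // PHP 8: arrays are rejected
    }
}
var_dump(strcmp_login('s3cret', []));    // PHP < 8: true (bypass), PHP 8: false

// Casting before === brings the juggling back: the cast keeps only the numeric prefix.
$stored_id = 1;
var_dump((int)"1abc" === $stored_id);    // true: (int)"1abc" is 1
var_dump("1abc" === (string)$stored_id); // false: compare as strings without casting the input
```

Run it with both a PHP 7 and a PHP 8 interpreter to see which rows flip; the two rows with numeric strings on both sides (`0e...` against `0` or `"0"`) are the ones that survive the PHP 8 change and therefore still matter for hash comparisons.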
`preg_match()` is often used to validate user input: it checks whether any word or regex from a blacklist is present in the input and, if it is not, the code continues its execution.
When the blacklist pattern is anchored (`^...$`) and uses `.` without the `m` or `s` modifiers, `^` and `$` only match at the start and end of the whole string and `.` never matches a newline, so `preg_match()` effectively only inspects the first line of the user input. If you can send the input spread over several lines, you may be able to bypass the check (a bare, unanchored pattern such as `/system/` is not affected). Example:
(URL-encoded newline, `%0A`), or, if you can send JSON data, send it spread over several lines:
Length error bypass: if you can send `preg_match()` a valid but very large input (or one that makes the regex backtrack heavily), the PCRE engine gives up once `pcre.backtrack_limit` (1,000,000 by default) is exceeded and `preg_match()` returns `false` instead of `0` or `1`. A check written as `if (preg_match($blacklist, $input)) die();` treats `false` like "no match" and lets the input through. For example, if it is blacklisting a JSON body, a very large string value inside the JSON can push the engine past the limit.
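The script below is an added example (not code from the original page) for the two bypasses just described and for the fail-closed check a practitioner would want: a hypothetical anchored blacklist that misses a payload on the second line, a `preg_match()` call that returns `false` because the backtrack limit is exhausted, and a version that treats any non-0/1 result as a block. It also shows the related whitelist pitfall that `$` matches before a trailing newline unless the `D` modifier is used. The blacklist pattern and the input strings are constructed for the demo; the nested-quantifier pattern is used because it exhausts the limit with a short input, whereas the page's variant gets the same `false` by sending a very large one.

```php
<?php
// Added example: how preg_match() blacklists fail and how to check them properly.

// Vulnerable (hypothetical) blacklist: anchored, uses '.', no m/s modifiers, truthiness check.
function blocked_naive(string $input): bool
{
    // Without 's', '.' never matches "\n"; without 'm', ^ and $ anchor the whole string.
    return (bool) preg_match('/^.*(system|passthru|exec)\s*\(.*$/i', $input);
}

// Hardened: no line-based anchors, and an explicit result check so a PCRE error
// (false) blocks the request instead of letting it through.
function blocked_hardened(string $input): bool
{
    $result = preg_match('/\b(system|passthru|exec)\s*\(/i', $input);
    if ($result !== 0 && $result !== 1) {
        // false: backtrack limit, JIT stack limit, bad UTF-8, ... Fail closed.
        error_log('preg_match() failed, preg_last_error=' . preg_last_error());
        return true;
    }
    return $result === 1;
}

// Classifies a preg_match() result so the three outcomes are visible.
function classify(string $pattern, string $input): string
{
    $r = preg_match($pattern, $input);
    if ($r === 1) return 'match';
    if ($r === 0) return 'nomatch';
    return 'error:' . preg_last_error(); // 2 = PREG_BACKTRACK_LIMIT_ERROR, 6 = PREG_JIT_STACKLIMIT_ERROR
}

// 1. Newline bypass: the payload sits on the second line.
$payload = "harmless\nsystem('id');";        // what ?param=harmless%0Asystem('id')%3B decodes to
var_dump(blocked_naive($payload));           // false: not blocked
var_dump(blocked_hardened($payload));        // true: blocked

// 2. Backtracking-limit bypass: the engine aborts and preg_match() returns false.
$catastrophic = '/^(a+)+$/';                 // constructed: nested quantifier
$bad_input    = str_repeat('a', 40) . '!';   // constructed: forces exponential backtracking
echo classify($catastrophic, $bad_input), "\n";          // error:2 (or error:6 with the JIT)
var_dump(!preg_match($catastrophic, $bad_input));        // true: "!false" reads as "not matched"
var_dump(preg_match($catastrophic, $bad_input) === 0);   // false: an explicit === 0 check sees the error

// 3. Whitelist pitfall: '$' matches before a final "\n" unless the D modifier is used.
var_dump(preg_match('/^[a-z]+$/', "abc\n"));   // int(1): accepted although the input ends in a newline
var_dump(preg_match('/^[a-z]+$/D', "abc\n"));  // int(0): D makes '$' match only at the very end
```

The rule this enforces is to compare the result of `preg_match()` against the integer you expect (`=== 1` to require a match, `=== 0` to require none) and to log and reject on anything else; a bare boolean test turns every PCRE error into an allow.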
`password_hash()` / `password_verify()` with bcrypt (hashes starting with `$2y$`). Note that PASSWORD_DEFAULT is currently the same as PASSWORD_BCRYPT, and PASSWORD_BCRYPT has an input size limitation of 72 bytes: when you hash something longer, only the first 72 bytes are used and the rest is silently ignored, so two passwords that differ only after byte 72 verify against each other's hash.
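As an added example (not from the original page), the script below shows the truncation directly and the usual mitigation of pre-hashing the password with SHA-256 and base64-encoding the digest, so every byte of a long password influences the bcrypt input. The base64 step matters because raw digest bytes may contain NUL, which would end the bcrypt input early. The function names and the low cost factor are choices made for the demo.

```php
<?php
// Added example: bcrypt ignores everything after byte 72 of its input.

// Returns which verifications succeed against a hash of ($prefix . 'real-tail').
function bcrypt_truncation_demo(): array
{
    $prefix = str_repeat('A', 72);                                // exactly 72 bytes
    $hash   = password_hash($prefix . 'real-tail', PASSWORD_BCRYPT, ['cost' => 4]); // low cost: demo only
    return [
        'same_first_72_other_tail' => password_verify($prefix . 'other-tail', $hash),            // true: tail ignored
        'byte_72_changed'          => password_verify(substr($prefix, 0, 71) . 'B' . 'real-tail', $hash), // false
    ];
}

// Mitigation: fixed-length, NUL-free pre-hash (44 bytes) before bcrypt. Use the same
// function for both hashing and verifying, and never switch schemes for existing hashes.
function prehash(string $password): string
{
    return base64_encode(hash('sha256', $password, true));
}

function prehash_demo(): array
{
    $prefix = str_repeat('A', 72);
    $hash   = password_hash(prehash($prefix . 'real-tail'), PASSWORD_BCRYPT, ['cost' => 4]);
    return [
        'same_first_72_other_tail' => password_verify(prehash($prefix . 'other-tail'), $hash), // false: tail now counts
        'correct_password'         => password_verify(prehash($prefix . 'real-tail'), $hash),  // true
    ];
}

var_dump(bcrypt_truncation_demo());
var_dump(prehash_demo());
```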
`assert("strpos('$_GET[page]', '..') === false")` --> `assert()` with a string argument evaluates that string as PHP code (PHP < 8.0: string arguments were deprecated in 7.2 and removed in 8.0), so the value of `page` is pasted into code before it runs, and a single quote in it breaks out of the `strpos()` call. In this case that is enough to get RCE.
`$file = "hola";`
- `?order=id;}//`: we get an error message (`Parse error: syntax error, unexpected ';'`). We are probably missing one or more closing brackets.
- `?order=id);}//`: we get only a warning. That seems about right.
- `?order=id));}//`: we get an error message (`Parse error: syntax error, unexpected ')' i`). We probably have too many closing brackets.
set `display_errors = On` in php.ini and restart Apache so the setting is picked up:
```bash
sudo systemctl restart apache2
```