Loose Comparisons


Last updated 3 years ago

MySQL

MySQL's = operator does loose comparisons by default. These comparisons all evaluate to true:

  • SELECT '0' = 0;

  • SELECT '0.0' = 0;

  • SELECT '0 ' = '0';

Note: PostgreSQL doesn't do loose comparisons by default.

PHP

PHP has loose comparisons ("==") and strict comparisons ("==="). Loose comparisons have some weird conversion rules which can be used to trick the application into doing what you want.

Note: Python and JS also have loose comparisons.

Use cases:

  • CSRF token bypass

  • Authentication bypass

  • Subverting application logic in general

JSON is really useful for exploiting this because if the application takes JSON input, you can specify the type of the variable you're sending. In other words, you can also send ints and booleans, not just strings.

Compare string to integer

When PHP converts a non-numeric string to a number it becomes 0, so most strings compare equal to the integer 0.

  • TRUE: "0000" == int(0)

  • TRUE: "1abc" == int(1)

  • TRUE: "0abc" == int(0)

  • TRUE: "abc" == int(0) // !!

Compare string to string

PHP does strange conversions between strings if they look like numbers.

  • TRUE: "0e12345" == "0e54321"

  • TRUE: "0e12345" <= "1"

  • TRUE: "0e12345" == "0"

  • TRUE: "0xF" == "15"
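An added example (not from the original page) that runs the comparisons above under whatever PHP interpreter executes it and shows the strict check that closes them; the stored token, the JSON body and the helper names are constructed for illustration. Note that PHP 8.0 changed the string-to-number rules, so several of the "TRUE" cases above only hold on PHP 7 and older.

```php
<?php
// Added example, not from the original page. Runs the loose comparisons
// discussed above and shows strict alternatives. Results differ by version:
//   PHP < 8.0 converts a non-numeric string to a number ("abc" == 0 is true),
//   PHP >= 8.0 converts the number to a string instead ("abc" == 0 is false).
// Hex strings such as "0xF" stopped being treated as numeric in PHP 7.0.

// Constructed CSRF/session token check, written the way a vulnerable app might.
// JSON input lets the client choose the type: {"token": 0} arrives as int 0.
$stored_token = 'a1b2c3d4';                      // constructed value
$body = json_decode('{"token": 0}', true);       // constructed request body

function check_loose(string $stored, $given): bool {
    return $given == $stored;                    // type juggling applies here
}

function check_strict(string $stored, $given): bool {
    // Reject anything that is not a string, then compare in constant time.
    return is_string($given) && hash_equals($stored, $given);
}

$cases = [
    ['0000',    0],         // numeric string vs int
    ['1abc',    1],         // leading-numeric string vs int
    ['abc',     0],         // non-numeric string vs int
    ['0e12345', '0e54321'], // two numeric strings that both parse as float 0.0
    ['0e12345', '0'],
    ['0xF',     '15'],      // hex string vs decimal string
];

printf("PHP %s\n", PHP_VERSION);
foreach ($cases as [$left, $right]) {
    printf("%-10s == %-10s  loose: %-5s  strict: %s\n",
        var_export($left, true), var_export($right, true),
        var_export($left == $right, true),
        var_export($left === $right, true));
}
printf("token check (loose):  %s\n",
    var_export(check_loose($stored_token, $body['token']), true));
printf("token check (strict): %s\n",
    var_export(check_strict($stored_token, $body['token']), true));
```

On PHP 7 the loose token check reports true for the integer 0 while the strict check reports false; on PHP 8 both report false, but the strict form is the one that does not depend on interpreter version.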

Array comparison

Let's say you want to bypass the following if-condition:

if (strcmp($_POST['password'], 'thePassword') == 0) {
    // do authenticated things
}

If you submit an array as $_POST['password'] (a request body containing password[]=), strcmp() cannot compare an array with a string: it emits a warning and returns NULL.

Thanks to type juggling, NULL == 0 is true, and you bypass the check and do authenticated things.
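An added example (not from the original page) that reproduces the strcmp() bypass above against two constructed request bodies and shows a hardened check; the function names and sample inputs are assumptions for illustration.

```php
<?php
// Added example, not from the original page. Simulates the strcmp() bypass
// above and a hardened check. Behaviour by version:
//   PHP 5/7: strcmp() with an array emits a warning and returns NULL,
//            and NULL == 0 is true, so the loose check passes.
//   PHP 8:   strcmp() throws a TypeError instead, which is caught below.

// Constructed request bodies: what PHP builds from "password=guess" and
// from "password[]=" (an array instead of a string).
$requests = [
    'string' => ['password' => 'guess'],
    'array'  => ['password' => ['']],
];

function check_vulnerable(array $post): bool {
    try {
        // @ suppresses the PHP 5/7 warning; the NULL return still reaches ==
        return @strcmp($post['password'], 'thePassword') == 0;
    } catch (TypeError $e) {
        return false;                       // PHP 8 refuses the array outright
    }
}

function check_hardened(array $post): bool {
    // Require a string before comparing, and use a constant-time comparison
    // so the check is neither juggled nor usable as a timing oracle.
    $given = $post['password'] ?? null;
    return is_string($given) && hash_equals('thePassword', $given);
}

foreach ($requests as $kind => $post) {
    printf("%-6s  vulnerable: %-5s  hardened: %s\n", $kind,
        var_export(check_vulnerable($post), true),
        var_export(check_hardened($post), true));
}
```

On PHP 7 the "array" row prints vulnerable: true, hardened: false; on PHP 8 both columns print false for both rows.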

MySQL :: MySQL 8.0 Reference Manual :: 12.4.2 Comparison Functions and Operators
https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf