SQL query exploit


I was attempting to solve this PHP exploit, found on https://picoctf.com/problems/php3/ , with source code available at the above question, but couldn't.

I found a solution that claimed that any password whose md5 hash in byte form contained the string '=' or '|' (including the single quotes), would be accepted if paired with the username "admin".

Solution originally found here (in Vietnamese): http://blog.phuongnam.org/2013/07/picoctf.html

For instance, the following login details are accepted:

admin

1184941

Apparently this is because the byte md5 hash of 1184941 is 8žt¼ø>Pý^0'|'

So why does this solution work?

I get that the true argument of md5 produces a byte rather than hex hash, and that the @ prefixing mysql_fetch_array forces SQL to ignore the error caused by breaking the query, but beyond that I'm lost.


Solution

  • The pipe symbol in the query is a bitwise OR.

    Splitting the query up a little bit for reading purposes, it would look like the following:

    .. WHERE (pass = '8žt¼ø>Pý^0' |'')

    The bitwise OR is returning 0 (which I confirmed by opening my JavaScript console and entering '8žt¼ø>Pý^0' |''). When you're querying a char/varchar field against an integer, MySQL typecasts the contents of the field to an integer to compare. Any field without a valid integer will equate to 0. So it's now looking for a password that contains the value 0, which is everything that isn't a numeric value.

    Alternatively, you could also log in just using the username: ') OR 'a'='a' --
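The root cause in both the question and the answer is the same: the raw 16-byte md5 digest (and the username) are pasted straight into the SQL text, so any digest byte that happens to be a quote ends the string literal and the rest of the bytes are parsed as SQL. The following is an added example, not code from the question, the answer or the picoCTF challenge. It assumes the challenge query has the shape `... WHERE name='$user' AND pass='<raw md5>'` (the source is not quoted on this page), uses sqlite3 in place of MySQL, and uses a constructed stand-in digest with quote bytes at the positions the page's rendering suggests (it is not the real md5 of 1184941; the block computes that separately and reports where its metacharacters fall, if any).

```python
import hashlib
import sqlite3

# Assumed shape of the vulnerable PHP query (the challenge source is not quoted on the page):
#   "SELECT * FROM users WHERE name='$user' AND pass='" . md5($pass, true) . "'"

# Bytes that break or alter a single-quoted SQL string literal when pasted in raw.
SQL_METACHARS = {0x27: "'", 0x5C: "\\", 0x22: '"', 0x00: "NUL"}

# Constructed 16-byte digest shaped like the page's rendering "8žt¼ø>Pý^0'|'";
# it is NOT the real md5 of 1184941, just a stand-in with quote bytes at offsets 10 and 12.
FAKE_DIGEST = b"8\x9et\xbc\xf8>P\xfd^0'|'\x01\x02\x03"


def raw_md5(password: str) -> bytes:
    """Same thing as PHP's md5($password, true): the 16 raw digest bytes, not 32 hex chars."""
    return hashlib.md5(password.encode("latin-1")).digest()


def sql_metachar_positions(digest: bytes) -> list:
    """List (offset, name) for every digest byte that a SQL string literal treats specially."""
    return [(i, SQL_METACHARS[b]) for i, b in enumerate(digest) if b in SQL_METACHARS]


def unsafe_query(username: str, digest: bytes) -> str:
    """The vulnerable construction: username and raw digest concatenated into the SQL text.
    latin-1 maps each byte 0..255 to one character, mirroring PHP pasting bytes verbatim."""
    return ("SELECT * FROM users WHERE name='" + username
            + "' AND pass='" + digest.decode("latin-1") + "'")


def quote_count_after_pass(query: str) -> int:
    """Count single quotes from 'pass=' onward; a well-formed literal has exactly two."""
    return query.split("pass=", 1)[1].count("'")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table (sqlite3 stands in for MySQL here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass BLOB)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", raw_md5("correct horse")))
    conn.execute("INSERT INTO users VALUES (?, ?)", ("tester", FAKE_DIGEST))
    return conn


def digest_lookup(conn: sqlite3.Connection, username: str, digest: bytes) -> bool:
    """Hardened form: both values are bound parameters, so a quote byte inside the digest
    is compared as data and can never terminate the literal or reach the SQL parser."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE name=? AND pass=?", (username, digest)
    ).fetchone()
    return row is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Login check built on the parameterised lookup."""
    return digest_lookup(conn, username, raw_md5(password))


if __name__ == "__main__":
    real = raw_md5("1184941")
    print("SQL metacharacters in raw md5('1184941'):", sql_metachar_positions(real))
    print("quotes after pass= in the unsafe query:",
          quote_count_after_pass(unsafe_query("admin", FAKE_DIGEST)))
    conn = make_db()
    print("safe_login admin/1184941:", safe_login(conn, "admin", "1184941"))
    print("safe_login with an injected username:", safe_login(conn, "') OR 'a'='a' --", "x"))
```

With the stand-in digest the unsafe query ends up with four single quotes after `pass=`, which is the broken literal the answer describes; the parameterised lookup stores and compares the very same bytes without any of them being interpreted. Switching to the hex form of md5 would remove the quote bytes but leave an unsalted, fast hash; in PHP the usual fix is prepared statements (PDO or mysqli) together with `password_hash()` / `password_verify()`.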