# Summary ### Some information The php console interpreter can be open by typing `php -a` in your console. Otherwise, there are online projects such as [onlinephpfunctions](http://sandbox.onlinephpfunctions.com/) that will help you along. Furthermore, for this examples I will be using `var_dump()`php's function to propperly see every side of the results. ### Beginning First of all, we need the presence of a [loose comparison](https://www.copterlabs.com/strict-vs-loose-comparisons-in-php/) (`==`) operator. The main difference between it and the `strict comparison` is that only the second one checks that the same type is being compared. Then, both of the variables should be controlled by us. (Knowing the value of one of them we don't control can be sometimes useful too) #### The key of this vulnerability Imagine having this background: ```php if ($j == $e) { eval(pwned); } ``` This is obviously never gonna happen (at least it should), but it's a nice example to make up some ideas. ```php php > var_dump("0e1337" == 0); bool(true) php > var_dump("0e1337" == "0"); bool(true) php > var_dump(0e1337 == "0"); bool(true) php > var_dump("2e2" == "200"); bool(true) ``` As you can see, the conversion is quite easy to understand. `XeY` stands for `print("X"+"0"*Y)`represented in python. #### A trick To propperly see the value that the string will return after the conversion, the `intval()` function can be used. ```php php > var_dump(intval("2e1")); int(20) php > var_dump(intval("2e2")); int(200) php > var_dump(intval("0e1337")); int(0) php > var_dump(intval("0e1337101")); int(0) ``` #### Involving hashing methods As seen before, if both of the values are user-controlled, or at least one does and the other value is known/guessable, it is relatively easy to exploit this vulnerability. However, there are tons of cases where the user-controlled variable is being passed to a hash function like `MD5` or `SHA1` and then compared through the `loose comparison operator`. For this, there's another trick we will be using called `Magic hashes`. Theese are strings whose specific hash returns a number like the ones we've seen before. Imagine having this background: ```php if (md5($a) == sha1($b)) { eval(pwned_again) } ``` In this example, using `$a = "0e1337"` and `$b = "0"` won't return true, because after the `loose comparison`, a hash function is made. Thanks to `PayloadAllTheThings` we have a list of `magic` strings that will return a value like the ones seen before. [git repo](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Type%20Juggling) To finish with, `$a = "240610708"` and `$b = "10932435112"` will definetely return true!