Challenge Name: Big Number

a big number is needed to save the world

Let’s open the link and see :)

And as you can see here the paragraph You can help the world by providing 3 numbers can exceed 999 in value:

and password input field and a link called wanna source?

let’s click on the link to see the source :

We got this php code

Key Points:

• The valid password must be a numeric value.
• The length of the password must be less than 4 characters.
• The password must be greater than 999 to reveal the flag.
• If the password is between 0 and 999, it prints “Too little”.
• If the password is 4 or more characters long, it prints “Too long”.
• If the password is not numeric, it prints “Password is not numeric”.

We are now restricted to choosing a number greater than 999 but not between 0 and 999.

So I will try to add 1000 and see the results:

Because It’s not less than 4 characters, So let’s see how could we do that, we now understood the idea, so as a computer science student I studied that sometimes php treats a specific values as a scientific notation these values are written in hexadecimal and 1000 thousand is between them, so let’s see

I will use this simple python code to convert it:
hex_value = hex(1000)
print (hex_value)

So the value of 1000 in hexadecimal is : 0x3e8 I saw that it’s more than 4 characters and it’s not numeric but let’s try :)

} else
    print 'Password is not numeric';

• This block prints the message 'Password is not numeric' if the password passed is not entirely numeric.
• Don’t give up just try it without the 0x as I found in google and let’s see the results:

let’s ask chatgpt for more information and why 3E8 worked :

Why 3E8 Worked:

In some cases, PHP might treat certain non-decimal numeric-like strings, such as 3E8, as scientific notation. Here's how:

• 3E8 as Scientific Notation:
• In scientific notation, 3E8 represents 3×1083 \times 10^83×108, which is a valid numeric value in PHP. This means 3E8 is interpreted as 300,000,000 (three hundred million).
• Therefore, PHP passes the is_numeric() check because it sees 3E8 as a valid floating-point number.

Here are a few examples of other scientific notations that PHP might interpret as valid numbers, just like 3E8:

1. 1E3: Represents 1×1031 \times 10^31×103 or 1000.
2. 2E2: Represents 2×1022 \times 10^22×102 or 200.
3. 5E5: Represents 5×1055 \times 10^55×105 or 500,000.
4. 4E4: Represents 4×1044 \times 10^44×104 or 40,000.
5. 6E6: Represents 6×1066 \times 10^66×106 or 6,000,000.
6. 7E7: Represents 7×1077 \times 10^77×107 or 70,000,000.
7. 9E9: Represents 9×1099 \times 10^99×109 or 9,000,000,000.

let’s try another one and see, 1E3 for example :)

yea yea it worked bro don’t worry about that, now we learned that there is a specific hexa value that php will allow them to pass the entire code because it is treating them as a scientific notations :)

How the Code Reacts:

• is_numeric('3E8'): This returns true because PHP interprets 3E8 as a valid number in scientific notation.
• strlen('3E8') < 4:
• The length of the string 3E8 is exactly 3 characters, so this condition also passes.
• $_GET['password'] > 999:
• PHP interprets 3E8 as 300,000,000, which is obviously greater than 999.
• Since this condition is true, the code reaches die($flag), revealing the flag.

Conclusion:

In this case, PHP interpreted 3E8 as a scientific notation number, allowing it to pass all the conditions in the code. This is why we got the flag, despite the initial assumption that 3E8 might not be treated as a numeric value.

This behavior highlights an interesting quirk in PHP’s type conversion, where a string like 3E8 is considered numeric because it conforms to scientific notation, not hexadecimal.\

We Finished our challenge and this is the falg:

FLAG{Yes_Y0u_C4n_Use_Exp0nentiaL}

Hard work beats talent when talent doesn’t work hard. Believe in the power of your efforts, because consistent dedication turns dreams into reality.