The original challenge is as follows; its hint is that this is a bad habit of programmers.
As hinted, append .bak to the current URL to obtain the source code:
<?php
error_reporting(0);

function auth($password, $hidden_password){
    $res=0;
    if (isset($password) && $password!=""){
        if ( $password == $hidden_password ){
            $res=1;
        }
    }
    $_SESSION["logged"]=$res;
    return $res;
}

function display($res){
    $aff= "
After some research, we found a variable overwrite vulnerability:
The auth function checks whether the password submitted by the user is the same as $hidden_password[360] in the program. If they are the same, it sets $_SESSION["logged"] = 1. Because $hidden_password[360] can be overwritten, the following link is constructed:
http://localhost:8080/1.php?hidden_password[360]=1
After the page opens, submit 1 as the password.
if (( isset ($password) && $password!="" && auth($password,$hidden_password[360])==1) || (is_array($_SESSION) && $_SESSION["logged"]==1 ) )
The condition of this statement is "the password submitted by the user is not blank and is the same as $hidden_password[360]" or "$_SESSION["logged"] == 1".
After accessing the above link, $hidden_password[360] is overwritten with 1 and the submitted password is also 1, so the auth function sets $_SESSION["logged"]. Access http://localhost:8080/1.php again and, based on the if condition, you get the original value of $hidden_password[360].
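The weak check next to a hardened one, as an added example that is not the challenge's own code. It assumes the overwrite happens because request parameters are imported into the variable scope (shown here with extract(); the page does not show the actual mechanism), and the names weak_check, strong_check and the secret value are hypothetical.

```php
<?php
// Added example, not the challenge's code. Assumption: request parameters are
// imported into the local scope (here via extract()); the page does not show
// how the overwrite actually happens.

// Constructed sample request matching the link and password in the write-up.
$request = ['hidden_password' => [360 => '1'], 'password' => '1'];

// Weak pattern: the secret is an ordinary variable and the request is imported
// after it is set, so a parameter with the same name replaces it.
function weak_check(array $request): bool
{
    $hidden_password = [360 => 'constructed-secret'];
    extract($request); // default flag is EXTR_OVERWRITE
    return isset($password) && $password != ""
        && $password == $hidden_password[360];
}

// Hardened pattern: the secret is passed in and never shares a scope with
// imported request data, input is read by explicit key, must be a non-empty
// string, and is compared with a type-safe, constant-time function.
function strong_check(array $request, string $secret): bool
{
    $password = $request['password'] ?? null;
    if (!is_string($password) || $password === '') {
        return false;
    }
    return hash_equals($secret, $password);
}

// The overwriting request passes the weak check and fails the hardened one;
// only the real secret passes the hardened check.
var_dump(weak_check($request));
var_dump(strong_check($request, 'constructed-secret'));
var_dump(strong_check(['password' => 'constructed-secret'], 'constructed-secret'));
```

In a real application the secret would be stored as a hash and checked with password_verify(), and the session ID regenerated on successful login.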