bugku:http://120.24.86.145:9009/19.php
Before I had finished reading the source code, I added password[]=1 directly and got the flag. Then I looked at the source code and did not understand why that works. Really, see for yourself if you don't believe it.
```php
<?php
$flag = "Flag";

if (isset($_GET['password'])) {
    // Check 1: ereg() must not return FALSE (strict comparison)
    if (ereg("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE)
        echo 'You password must be alphanumeric';
    // Check 2: strpos() must not return FALSE (strict comparison)
    else if (strpos($_GET['password'], '--') !== FALSE)
        die('Flag:' . $flag);
    else
        echo 'Invalid Password';
}
?>
```
Let's talk about the standard answer first:
First condition:
The password must consist only of digits and letters (seeing ereg should make you think of %00 truncation, since ereg stops reading the string at a NUL byte).
Second condition:
The string -- must be found in the password parameter.
So the intended solution is:
index.php?password=a%00--
Then again, why does a plain password[]=a bypass it as well?
1. ereg can only handle strings, and here the parameter is an array, so it returns NULL. The triple equals sign (===) does not convert types, so NULL is not identical to FALSE and the first check passes.
2. strpos does not accept an array either, so it also returns NULL, and NULL !== FALSE is true as well.
So we can get the flag.
Summary:
1. A function returns NULL if its argument does not meet the function's requirements.
2. Passing an array makes the function return NULL, which bypasses the check.
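
The two bypasses above next to a hardened form of the check, as an added example that is not the challenge's code. ereg() was removed in PHP 7 and strpos() throws a TypeError on an array in PHP 8, so legacy_ereg() and legacy_strpos() are hypothetical stand-ins that model the old return values described above; hardened_check() and the sample inputs are also constructed for illustration.

```php
<?php
// Added example. Runs on PHP 7/8, where the original ereg() no longer exists.

// Hypothetical model of PHP 5 ereg(): NULL for a non-string argument,
// and matching stops at the first NUL byte (the string is read as a C string).
function legacy_ereg(string $pattern, $subject) {
    if (!is_string($subject)) {
        return null;
    }
    $cstr = explode("\0", $subject, 2)[0];
    return preg_match('/' . $pattern . '/D', $cstr) === 1 ? 1 : false;
}

// Hypothetical model of PHP 5 strpos(): NULL for a non-string haystack.
function legacy_strpos($haystack, string $needle) {
    return is_string($haystack) ? strpos($haystack, $needle) : null;
}

// Same logic as the challenge: only an exact FALSE counts as failure.
function vulnerable_check($password): string {
    if (legacy_ereg('^[a-zA-Z0-9]+$', $password) === false) {
        return 'rejected: not alphanumeric';
    }
    if (legacy_strpos($password, '--') !== false) {
        return 'FLAG';
    }
    return 'rejected: invalid password';
}

// Hardened: require a string first, use binary-safe preg_match() with \A and \z,
// and accept only the success value 1 instead of rejecting only FALSE.
function hardened_check($password): string {
    if (!is_string($password)) {
        return 'rejected: not a string';
    }
    if (preg_match('/\A[a-zA-Z0-9]+\z/', $password) !== 1) {
        return 'rejected: not alphanumeric';
    }
    return strpos($password, '--') !== false ? 'FLAG' : 'rejected: invalid password';
}

// Constructed inputs: a normal value, what a%00-- decodes to, what password[]=a produces.
foreach (['abc123', "a\0--", ['a']] as $input) {
    printf("%-14s vulnerable: %-28s hardened: %s\n",
        json_encode($input), vulnerable_check($input), hardened_check($input));
}
```

With the hardened check no input reaches the flag branch, because a string that is entirely alphanumeric can never contain --.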