extract() variable overwrite

The source code is as follows:

https://www.php.net/manual/zh/function.extract.php : the extract() function imports variables from an array into the current symbol table. The manual warns: "Do not use extract() on untrusted data, like user input (e.g. $_GET, $_FILES)." This is because extract() can overwrite variables that already exist in the current scope, so a request parameter with the same name as a server-side variable replaces its value. So here, we can use ?shiyan=&flag= to get the flag: both variables end up holding the empty string, and the comparison between them succeeds.
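As an added example (not the challenge's own source), the script below contrasts the extract() pattern with a version that reads the expected key explicitly. The names $shiyan and $flag are taken from the payload above; the flag value is a constructed placeholder.

```php
<?php
// Added example; not the challenge source. $shiyan/$flag names come from the payload above.

// Vulnerable pattern: extract() over request data lets the client define or
// overwrite any variable in scope, including the secret the check relies on.
function check_vulnerable(array $request): string
{
    $flag   = 'flag{constructed-placeholder}'; // constructed value, not a real flag
    $shiyan = '';
    extract($request);                         // ?flag= overwrites $flag, ?shiyan= overwrites $shiyan
    return ($shiyan === $flag) ? 'Flag: ' . $flag : 'No';
}

// Partial mitigation: EXTR_SKIP refuses to overwrite variables that already exist,
// so $flag survives; unknown keys still become variables, so this is not a full fix.
function check_extr_skip(array $request): string
{
    $flag = 'flag{constructed-placeholder}';
    extract($request, EXTR_SKIP);
    $shiyan = $shiyan ?? '';
    return ($shiyan === $flag) ? 'Flag: ' . $flag : 'No';
}

// Hardened pattern: never extract() request data; read the one expected key explicitly,
// reject non-string values (a[]= style input) and compare strictly.
function check_hardened(array $request): string
{
    $flag   = 'flag{constructed-placeholder}';
    $shiyan = $request['shiyan'] ?? null;
    if (!is_string($shiyan)) {
        return 'No';
    }
    return hash_equals($flag, $shiyan) ? 'Flag: ' . $flag : 'No';
}

// Constructed request equivalent to the page's ?shiyan=&flag= payload
$request = ['shiyan' => '', 'flag' => ''];

foreach (['check_vulnerable', 'check_extr_skip', 'check_hardened'] as $fn) {
    printf("%-17s -> %s\n", $fn, $fn($request));
}
```

Run with `php` on the command line: only check_vulnerable passes the comparison, because extract() has replaced the server-side $flag with the request's empty string; the EXTR_SKIP and hardened variants both answer 'No'.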

strcmp string comparison
```php
<?php
// Challenge source as it survives on the page; the start of the condition is cut off,
// and it is restored here from the analysis below (strcmp of $_GET['a'] against $flag).
if (isset($_GET['a'])) {
    if (strcmp($_GET['a'], $flag) == 0) // compares two strings (case-sensitive); returns 0 if they are equal
        die('Flag: '.$flag);
    else
        print 'No';
}
?>
```

To analyze this section, we need to consider that:

  1. strcmp function has four different outputs: 0, >0, <0 and NULL. Specifically, NULL is returned when an empty array is given to the function (strcmp("foo", array()) => NULL plus a PHP Warning).
  2. "==" (loose) comparison causes lots of issues. For instance, NULL == 0 is true.
  3. So if we feed an empty array into the variable a, we get the answer: ?a[]=

urldecode double-encoding bypass

After some reading, I understand that when $_GET['id'] is received, urldecode is applied automatically. This can be verified by replacing h with %68. It means that by the second verification the value has been urldecoded twice. So we can further replace % with %25 and bypass the first round of the id check.
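As an added example (not the challenge's source), the script below reproduces the check-then-decode ordering described above and puts a hardened version next to it that decides on a single canonical value. The expected id value 'hello' and the parameter name are assumptions; PHP's own single decode of query-string values into $_GET is simulated with one urldecode() call so the script runs from the command line.

```php
<?php
// Added example; not the challenge source. The value 'hello' and the parameter are assumed.

// PHP decodes query-string values once when it populates $_GET; simulate that here.
function simulate_get_value(string $rawQueryValue): string
{
    return urldecode($rawQueryValue);
}

// Vulnerable pattern: the first check looks at the once-decoded value, and only afterwards
// the value is urldecode()d again before the real comparison. %25 survives the first decode
// as '%', so the second decode yields the string the first check was meant to catch.
function check_vulnerable(string $id): string
{
    if ($id === 'hello') {                  // first round: sees the once-decoded form
        return 'not allowed!';
    }
    $id = urldecode($id);                   // second decode, after the check
    return $id === 'hello' ? 'Access granted.' : 'not allowed!';
}

// Hardened pattern: decode exactly once (PHP already did), run every check on that one
// value, and treat leftover percent-escapes as nested encoding to refuse and log.
function check_hardened(string $id): string
{
    if (preg_match('/%[0-9A-Fa-f]{2}/', $id)) {
        return 'not allowed! (nested encoding)';
    }
    return $id === 'hello' ? 'Access granted.' : 'not allowed!';
}

// Constructed query-string values: plain, single-encoded h, double-encoded h (the page's trick).
$cases = ['hello', '%68ello', '%2568ello'];

foreach ($cases as $raw) {
    $fromGet = simulate_get_value($raw);
    printf("%-10s -> \$_GET: %-8s vulnerable: %-16s hardened: %s\n",
        $raw, $fromGet, check_vulnerable($fromGet), check_hardened($fromGet));
}
```

The third case is the one from the text: after PHP's single decode the value is still '%68ello', so the first check does not match, and the extra urldecode() turns it into the expected string. The hardened function never decodes a second time, so the filter and the final decision always see the same bytes, and the '%68' left over after one decode is itself the signal to reject.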

The md5() function

Generally there are two ways: 1. make the username and password different while their MD5 hashes collide; or 2. use the fact that the md5 function cannot handle an array and returns NULL in that case. So the simple solution is: ?username[]=1&password[]=2
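The strcmp section and the md5() section share one root cause: a built-in given an array returns NULL (on PHP 7, with a warning; PHP 8 throws a TypeError instead), and loose == then treats NULL as equal to 0 or to another NULL. The following added example (not the challenge source; $flag is a constructed placeholder) shows both weak checks beside type-checked, strict versions, driven with the ?a[]= and ?username[]=1&password[]=2 payloads from the text.

```php
<?php
// Added example; not the challenge source. $flag is a constructed placeholder.

// Weak check from the strcmp section: on PHP 7 strcmp(array, string) warns and returns
// NULL, and NULL == 0 is true, so an empty array passes. PHP 8 throws TypeError instead.
function strcmp_check_vulnerable($a, string $flag): bool
{
    return strcmp($a, $flag) == 0;
}

// Hardened: reject non-strings first, then compare strictly (hash_equals is also constant-time).
function strcmp_check_hardened($a, string $flag): bool
{
    return is_string($a) && hash_equals($flag, $a);
}

// Weak check from the md5() section: md5(array) returns NULL on PHP 7, so the two digests
// compare as NULL == NULL; with strings, == would also equate "0e..." digests numerically.
function login_vulnerable($username, $password): bool
{
    return $username != $password && md5($username) == md5($password);
}

// Hardened: strings only, strict inequality on the inputs, strict equality on the digests.
function login_hardened($username, $password): bool
{
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    return $username !== $password && hash_equals(md5($username), md5($password));
}

// Constructed inputs: the page's ?a[]= and ?username[]=1&password[]=2 payloads, plus
// ordinary strings for contrast.
$flag  = 'flag{constructed-placeholder}';
$cases = [
    ['strcmp_check_vulnerable', [[], $flag]],
    ['strcmp_check_hardened',   [[], $flag]],
    ['strcmp_check_vulnerable', ['guess', $flag]],
    ['login_vulnerable',        [['1'], ['2']]],
    ['login_hardened',          [['1'], ['2']]],
    ['login_vulnerable',        ['alice', 'alice']],
];

foreach ($cases as [$fn, $args]) {
    try {
        $result = @$fn(...$args) ? 'passes' : 'fails';   // @ only silences the PHP 7 warning
    } catch (TypeError $e) {
        $result = 'TypeError (PHP 8 rejects the array)';
    }
    printf("%-24s %-12s -> %s\n", $fn, json_encode($args[0]), $result);
}
```

On PHP 7 the two vulnerable checks pass for the array inputs while the hardened ones fail; on PHP 8 the same calls throw TypeError, which is why the is_string guard plus hash_equals is the portable fix rather than relying on the interpreter version. hash_equals also removes the "0e..." magic-hash case, because it compares the digest strings byte for byte instead of numerically.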