md5强比较,弱比较
强比较:使用三个 ''==='' 比较,比较值,也比较类型
弱比较:使用两个 ''=='' 比较,只比较值,不比较类型
-
• a==b 将a,b的值转换成同类型再比较值 -
• a===b 先判断a,b类型,若相同,则比较值,若不相同,则返回false
md5弱比较
$a=(string)$_GET['a'];``$b=(string)$_GET['b'];``$a !== $b``md5($a) == md5($b)
强制类型变换后如果传入数组,则b===string(5) “Array”
绕过方法:md5后都为0弱比较, 原理:为0e开头的在进行==弱比较时会被识别为科学记数法,结果均为0,所以只需找两个md5后都为0e开头且0e后面均为数字的值即可。
加密后的密文 原值QNKCDZO 0E830400451993494058024219903391240610708 0E462097431906509019562988736854s878926199a 0E545993274517709034328855841020s155964671a 0E342768416822451524974117254469s214587387a 0E848240448830537924465865611904
payload:?a=QNKCDZO&b=240610708附1:md5开头为0e- QNKCDZO- 240610708- s878926199a- s155964671a- s214587387a附2:两次md5开头为0e- CbDLytmyGm2xQyaLNhWn- 770hQgrBOjrcqftrlaZk- 7r4lGXCH2Ksu2JNT3BYM
md5强碰撞
$a=(string)$_GET['a'];``$b=(string)$_GET['b'];``$a !== $b``md5($a) === md5($b)
此时需要找两个真正数值且md5值相等
payload:a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3*Bu%93%D8Igm%A0%D1U%5D%83%60%FB*%07%FE%A2&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3*Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB*%07%FE%A2a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2$Param1=”x4dxc9x68xffx0exe3x5cx20x95x72xd4x77x7bx72x15x87xd3x6fxa7xb2x1bxdcx56xb7x4ax3dxc0x78x3ex7bx95x18xafxbfxa2x00xa8x28x4bxf3x6ex8ex4bx55xb3x5fx42x75x93xd8x49x67x6dxa0xd1x55x5dx83x60xfbx5fx07xfexa2”;$Param2=”x4dxc9x68xffx0exe3x5cx20x95x72xd4x77x7bx72x15x87xd3x6fxa7xb2x1bxdcx56xb7x4ax3dxc0x78x3ex7bx95x18xafxbfxa2x02xa8x28x4bxf3x6ex8ex4bx55xb3x5fx42x75x93xd8x49x67x6dxa0xd1xd5x5dx83x60xfbx5fx07xfexa2”;$data1=”xd1x31xddx02xc5xe6xeexc4x69x3dx9ax06x98xafxf9x5cx2fxcaxb5x07x12x46x7exabx40x04x58x3exb8xfbx7fx89x55xadx34x06x09xf4xb3x02x83xe4x88x83x25xf1x41x5ax08x51x25xe8xf7xcdxc9x9fxd9x1dxbdx72x80x37x3cx5bxd8x82x3ex31x56x34x8fx5bxaex6dxacxd4x36xc9x19xc6xddx53xe2x34x87xdax03xfdx02x39x63x06xd2x48xcdxa0xe9x9fx33x42x0fx57x7exe8xcex54xb6x70x80x28x0dx1exc6x98x21xbcxb6xa8x83x93x96xf9x65xabx6fxf7x2ax70”;$data2=”xd1x31xddx02xc5xe6xeexc4x69x3dx9ax06x98xafxf9x5cx2fxcaxb5x87x12x46x7exabx40x04x58x3exb8xfbx7fx89x55xadx34x06x09xf4xb3x02x83xe4x88x83x25x71x41x5ax08x51x25xe8xf7xcdxc9x9fxd9x1dxbdxf2x80x37x3cx5bxd8x82x3ex31x56x34x8fx5bxaex6dxacxd4x36xc9x19xc6xddx53xe2xb4x87xdax03xfdx02x39x63x06xd2x48xcdxa0xe9x9fx33x42x0fx57x7exe8xcex54xb6x70x80xa8x0dx1exc6x98x21xbcxb6xa8x83x93x96xf9x65x2bx6fxf7x2ax70”;
md5数组绕过
$_GET['a'] != $_GET['b']``md5($_GET['a']) === md5($_GET['b'])
绕过方法:数组绕过 原理: md5()函数无法处理数组,如果传入的为数组,会返回NULL,所以两个数组经过加密后得到的都是NULL,也就是强相等的。 payload: ?a[]=1&b[]=2
参考文章
https://blog.csdn.net/m0_75178803/article/details/130347016https://geekdaxue.co/read/neuqbiubiu@ty3vt8/tmuwyu
原文始发于微信公众号(无尽藏攻防实验室):PHP特性强比较与弱比较
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论