PHP绕过MD5比较的各种姿势
2024-09-06 15:49:13
1.用==进行弱类型比较时, 可以通过两个0e开头后面纯数字的md5绕过
php在进行弱类型比较时,如果为字符串为纯数字,包括浮点数、科学计数法、十六进制数等,都会转化为数字类型再进行比较,利用这点,0e开头的科学计数法大小均为0,所有均相等,即可绕过
以下实例的md5均满足0e开头纯数字
byGcY
sonZ7y
240610708
s878926199a
s155964671a
s214587387a
s214587387a
s878926199a
QNKCDZO
aabg7XSs
aabC9RqS
2.碰撞出md5值相同的字符串
实例:
$s1 = "%af%13%76%70%82%a0%a6%58%cb%3e%23%38%c4%c6%db%8b%60%2c%bb%90%68%a0%2d%e9%47%aa%78%49%6e%0a%c0%c0%31%d3%fb%cb%82%25%92%0d%cf%61%67%64%e8%cd%7d%47%ba%0e%5d%1b%9c%1c%5c%cd%07%2d%f7%a8%2d%1d%bc%5e%2c%06%46%3a%0f%2d%4b%e9%20%1d%29%66%a4%e1%8b%7d%0c%f5%ef%97%b6%ee%48%dd%0e%09%aa%e5%4d%6a%5d%6d%75%77%72%cf%47%16%a2%06%72%71%c9%a1%8f%00%f6%9d%ee%54%27%71%be%c8%c3%8f%93%e3%52%73%73%53%a0%5f%69%ef%c3%3b%ea%ee%70%71%ae%2a%21%c8%44%d7%22%87%9f%be%79%6d%c4%61%a4%08%57%02%82%2a%ef%36%95%da%ee%13%bc%fb%7e%a3%59%45%ef%25%67%3c%e0%27%69%2b%95%77%b8%cd%dc%4f%de%73%24%e8%ab%66%74%d2%8c%68%06%80%0c%dd%74%ae%31%05%d1%15%7d%c4%5e%bc%0b%0f%21%23%a4%96%7c%17%12%d1%2b%b3%10%b7%37%60%68%d7%cb%35%5a%54%97%08%0d%54%78%49%d0%93%c3%b3%fd%1f%0b%35%11%9d%96%1d%ba%64%e0%86%ad%ef%52%98%2d%84%12%77%bb%ab%e8%64%da%a3%65%55%5d%d5%76%55%57%46%6c%89%c9%df%b2%3c%85%97%1e%f6%38%66%c9%17%22%e7%ea%c9%f5%d2%e0%14%d8%35%4f%0a%5c%34%d3%73%a5%98%f7%66%72%aa%43%e3%bd%a2%cd%62%fd%69%1d%34%30%57%52%ab%41%b1%91%65%f2%30%7f%cf%c6%a1%8c%fb%dc%c4%8f%61%a5%93%40%1a%13%d1%09%c5%e0%f7%87%5f%48%e7%d7%b3%62%04%a7%c4%cb%fd%f4%ff%cf%3b%74%28%1c%96%8e%09%73%3a%9b%a6%2f%ed%b7%99%d5%b9%05%39%95%ab";
$s2 = "%af%13%76%70%82%a0%a6%58%cb%3e%23%38%c4%c6%db%8b%60%2c%bb%90%68%a0%2d%e9%47%aa%78%49%6e%0a%c0%c0%31%d3%fb%cb%82%25%92%0d%cf%61%67%64%e8%cd%7d%47%ba%0e%5d%1b%9c%1c%5c%cd%07%2d%f7%a8%2d%1d%bc%5e%2c%06%46%3a%0f%2d%4b%e9%20%1d%29%66%a4%e1%8b%7d%0c%f5%ef%97%b6%ee%48%dd%0e%09%aa%e5%4d%6a%5d%6d%75%77%72%cf%47%16%a2%06%72%71%c9%a1%8f%00%f6%9d%ee%54%27%71%be%c8%c3%8f%93%e3%52%73%73%53%a0%5f%69%ef%c3%3b%ea%ee%70%71%ae%2a%21%c8%44%d7%22%87%9f%be%79%6d%c4%61%a4%08%57%02%82%2a%ef%36%95%da%ee%13%bc%fb%7e%a3%59%45%ef%25%67%3c%e0%27%69%2b%95%77%b8%cd%dc%4f%de%73%24%e8%ab%66%74%d2%8c%68%06%80%0c%dd%74%ae%31%05%d1%15%7d%c4%5e%bc%0b%0f%21%23%a4%96%7c%17%12%d1%2b%b3%10%b7%37%60%68%d7%cb%35%5a%54%97%08%0d%54%78%49%d0%93%c3%b3%fd%1f%0b%35%11%9d%96%1d%ba%64%e0%86%ad%ef%52%98%2d%84%12%77%bb%ab%e8%64%da%a3%65%55%5d%d5%76%55%57%46%6c%89%c9%5f%b2%3c%85%97%1e%f6%38%66%c9%17%22%e7%ea%c9%f5%d2%e0%14%d8%35%4f%0a%5c%34%d3%f3%a5%98%f7%66%72%aa%43%e3%bd%a2%cd%62%fd%e9%1d%34%30%57%52%ab%41%b1%91%65%f2%30%7f%cf%c6%a1%8c%fb%dc%c4%8f%61%a5%13%40%1a%13%d1%09%c5%e0%f7%87%5f%48%e7%d7%b3%62%04%a7%c4%cb%fd%f4%ff%cf%3b%74%a8%1b%96%8e%09%73%3a%9b%a6%2f%ed%b7%99%d5%39%05%39%95%ab";
$s3 = "%af%13%76%70%82%a0%a6%58%cb%3e%23%38%c4%c6%db%8b%60%2c%bb%90%68%a0%2d%e9%47%aa%78%49%6e%0a%c0%c0%31%d3%fb%cb%82%25%92%0d%cf%61%67%64%e8%cd%7d%47%ba%0e%5d%1b%9c%1c%5c%cd%07%2d%f7%a8%2d%1d%bc%5e%2c%06%46%3a%0f%2d%4b%e9%20%1d%29%66%a4%e1%8b%7d%0c%f5%ef%97%b6%ee%48%dd%0e%09%aa%e5%4d%6a%5d%6d%75%77%72%cf%47%16%a2%06%72%71%c9%a1%8f%00%f6%9d%ee%54%27%71%be%c8%c3%8f%93%e3%52%73%73%53%a0%5f%69%ef%c3%3b%ea%ee%70%71%ae%2a%21%c8%44%d7%22%87%9f%be%79%ed%c4%61%a4%08%57%02%82%2a%ef%36%95%da%ee%13%bc%fb%7e%a3%59%45%ef%25%67%3c%e0%a7%69%2b%95%77%b8%cd%dc%4f%de%73%24%e8%ab%e6%74%d2%8c%68%06%80%0c%dd%74%ae%31%05%d1%15%7d%c4%5e%bc%0b%0f%21%23%a4%16%7c%17%12%d1%2b%b3%10%b7%37%60%68%d7%cb%35%5a%54%97%08%0d%54%78%49%d0%93%c3%33%fd%1f%0b%35%11%9d%96%1d%ba%64%e0%86%ad%6f%52%98%2d%84%12%77%bb%ab%e8%64%da%a3%65%55%5d%d5%76%55%57%46%6c%89%c9%df%b2%3c%85%97%1e%f6%38%66%c9%17%22%e7%ea%c9%f5%d2%e0%14%d8%35%4f%0a%5c%34%d3%73%a5%98%f7%66%72%aa%43%e3%bd%a2%cd%62%fd%69%1d%34%30%57%52%ab%41%b1%91%65%f2%30%7f%cf%c6%a1%8c%fb%dc%c4%8f%61%a5%93%40%1a%13%d1%09%c5%e0%f7%87%5f%48%e7%d7%b3%62%04%a7%c4%cb%fd%f4%ff%cf%3b%74%28%1c%96%8e%09%73%3a%9b%a6%2f%ed%b7%99%d5%b9%05%39%95%ab";
echo $s1 != $s2 && $s1 != $s3 && $s2 != $s3 ; //返回False
echo md5(urldecode($s1)) === md5(urldecode($s2)) && md5(urldecode($s3)) === md5(urldecode($s1)) && md5(urldecode($s2)) === md5(urldecode($s3)) ; //返回True可以用软件碰撞生成指定前缀相同md5的字符串
3.利用数组的md5均为null来绕过
实例:http://127.0.0.1/?key1[]=2134&key2[]=21
php的md5()函数无法处理数组对象,遇到数组md5()全部返回NULL,即相等成功绕过
4.当允许传入非数组或字符串时,比如可以传入序列化对象时
实例:
<?php
class trick{
public $trick1;
public $trick2;
public function __destruct(){
$this->trick1 = (string)$this->trick1;
if(strlen($this->trick1) > 5 || strlen($this->trick2) > 5){
die("你太长了");
}
if($this->trick1 !== $this->trick2 && md5($this->trick1) === md5($this->trick2) && $this->trick1 != $this->trick2){
echo file_get_contents("/flag");
}
}
}
highlight_file(__FILE__);
unserialize($_GET['trick']);(1)利用浮点数精度问题绕过
0.1 + 0.2 为啥不等于 0.3 ? (正确结果:0.30000000000000004)
0.8 * 7 为啥不等于 5.6 ? (正确结果:5.6000000000000005)
由于浮点数底层是二进制的浮点表示法,一些在十进制下有穷的数字,在二进制下是无穷的,无限数运算自然会有微小差错,而且任然为无限循环数
这种无限循环数在被转化为字符串后就四舍五入了
$x->trick1 = 0.01;
$x->trick2 = 0.01000000000000001; //以下payload的trick1为正常数,trick2是个无限循环数
$x->trick1 = 0.3;
$x->trick2 = 0.1+0.2;
$x->trick1 = 5.6;
$x->trick2 = 0.8*7;
$x->trick1 = 5.6;
$x->trick2 = 5.6000000000000005;由于在进行数值比较时,!=会优先把字符串转化为浮点数进行比较,所以显然不同,而md5函数,是将其转化为字符串再进行md5运算,结果相同
(2)通过NAN、INF特殊常量绕过
某些数学运算会产生一个由常量 NAN 所代表的结果。此结果代表着一个在浮点数运算中未定义或不可表述的值。任何拿此值与其它任何值(除了 TRUE)进行的松散或严格比较的结果都是 FALSE。由于 NAN 代表着任何不同值,不应拿 NAN 去和其它值进行比较,包括其自身”。这里的说明就很清楚了,NAN代表着任何不同值,也就是说便面看上去(NAN == NAN)是判断自身是否等于自身,实际上等号前NAN和等号后的NAN代表着不同的值。
INF,这个值在PHP中代表的是无穷大的意思,计算不当,或者计算值超过服务器的上限是也会显示这个,例如下面这个公式
pow(9999,pow(99999,pow(99999,9999)))由于NAN和INF在php中都是不确定的值,所以他们在与自身做==比较时,都返回false,利用此即可绕过
最新文章
- 解决X64操作系统PL/SQL连接报错问题 make sure you have the 32 bits oracle client installed
- nginx的特点
- 最近在研究备份和虚拟磁带库(LEGATO + MHVTL + SCST + LanFree)
- Apache Common DbUtils
- shell 脚本执行,出现错误bad interpreter: No such file or directory
- 转载-清除Linux中MySQL的使用痕迹~/.mysql_history
- [置顶] IOS 基础入门教程
- Metadata Service 架构详解 - 每天5分钟玩转 OpenStack(165)
- Codeforce 854 A. Fraction
- 蓝桥杯 牌型种数 DFS
- 你需要Mobx还是Redux?
- SQL Server扩展事件的使用ring_buffer target时“丢失”事件的原因分析以及ring_buffer target潜在的问题
- 数组引用:C++ 数组做参数 深入分析
- 23. Merge k Sorted Lists (JAVA)
- 记录常用的adb命令
- 初学CSS-4-文字颜色属性
- 获取jdk支持的编码类型
- springboot+mysql实现quartz集群搭建
- Linux配置自动时间同步
- sdc docker连接