1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
|
PHP在处理哈希字符串时,会利用”!
=
”或”
=
=
”来对哈希值进行比较,它把每一个以”
0E
”开头的哈希值都解释为
0
,所以如果两个不同的密码经过哈希以后,其哈希值都是以”
0E
”开头的,那么PHP将会认为他们相同,都是
0
。
关于PHP
hash
比较缺陷详细介绍:http:
/
/
www.freebuf.com
/
news
/
67007.html
0x01
md5(
str
)
QNKCDZO
0e830400451993494058024219903391
s878926199a
0e545993274517709034328855841020
s155964671a
0e342768416822451524974117254469
s214587387a
0e848240448830537924465865611904
s214587387a
0e848240448830537924465865611904
s878926199a
0e545993274517709034328855841020
s1091221200a
0e940624217856561557816327384675
s1885207154a
0e509367213418206700842008763514
s1502113478a
0e861580163291561247404381396064
s1885207154a
0e509367213418206700842008763514
s1836677006a
0e481036490867661113260034900752
s155964671a
0e342768416822451524974117254469
s1184209335a
0e072485820392773389523109082030
s1665632922a
0e731198061491163073197128363787
s1502113478a
0e861580163291561247404381396064
s1836677006a
0e481036490867661113260034900752
s1091221200a
0e940624217856561557816327384675
s155964671a
0e342768416822451524974117254469
s1502113478a
0e861580163291561247404381396064
s155964671a
0e342768416822451524974117254469
s1665632922a
0e731198061491163073197128363787
s155964671a
0e342768416822451524974117254469
s1091221200a
0e940624217856561557816327384675
s1836677006a
0e481036490867661113260034900752
s1885207154a
0e509367213418206700842008763514
s532378020a
0e220463095855511507588041205815
s878926199a
0e545993274517709034328855841020
s1091221200a
0e940624217856561557816327384675
s214587387a
0e848240448830537924465865611904
s1502113478a
0e861580163291561247404381396064
s1091221200a
0e940624217856561557816327384675
s1665632922a
0e731198061491163073197128363787
s1885207154a
0e509367213418206700842008763514
s1836677006a
0e481036490867661113260034900752
s1665632922a
0e731198061491163073197128363787
s878926199a
0e545993274517709034328855841020
0x02
md5(md5())
0x03
md5(md5(
str
).
"SALT"
)
2
0e774261293712168181959463563504
|
ctf遇到一题,绕过 == 操作符判断的 php:md5 相等验证
原理在 stackoverflow上找到了答案
stackoverflow
php-expresses-two-different-strings-to-be-the-same
why-md5240610708-is-equal-to-md5qnkcdzo
Why does the following statement return true
?
"608E-4234" == "272E-3063"
"608E-4234"
is the float number format, so they will cast into number when they compares.
608E-4234
and 272E-3063
will both be float(0)
because they are too small.
For ==
in php,
If you compare a number with a string or the comparison involves numerical strings, then each string is converted to a number and the comparison performed numerically.
http://php.net/manual/en/language.operators.comparison.php
and
var_dump(md5('240610708') == md5('QNKCDZO'));
Output:
bool(true)
|
They are both float number format strings (numerical strings), and if you use Both of the strings are converted to |
类似
PHP 探测任意网站密码明文/加密手段办法: md5('240610708') == md5('QNKCDZO')
var_dump(md5('240610708') == md5('QNKCDZO'));var_dump(md5('aabg7XSs') == md5('aabC9RqS'));
var_dump(sha1('aaroZmOk') == sha1('aaK1STfY'));
var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
var_dump('0010e2' == '1e3');
var_dump('0x1234Ab' == '1193131');
var_dump('0xABCdef' == ' 0xABCdef');
https://news.ycombinator.com/item?id=9484757