PHP flaw/bug when handling md5 hash strings that start with 0e & PHP expresses two different strings to be the same [duplicate]

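When PHP code compares hash strings with "!=" or "==", PHP interprets every hash value that begins with "0E" as 0. So if two different passwords hash to values that both begin with "0E", PHP considers them equal, because both are 0.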
 
Detailed write-up on the PHP hash comparison flaw: http://www.freebuf.com/news/67007.html
0x01  md5(str)
 
QNKCDZO
0e830400451993494058024219903391
  
s878926199a
0e545993274517709034328855841020
  
s155964671a
0e342768416822451524974117254469
  
s214587387a
0e848240448830537924465865611904
  
s1091221200a
0e940624217856561557816327384675
  
s1885207154a
0e509367213418206700842008763514
  
s1502113478a
0e861580163291561247404381396064
  
s1836677006a
0e481036490867661113260034900752
  
s1184209335a
0e072485820392773389523109082030
  
s1665632922a
0e731198061491163073197128363787
  
s532378020a
0e220463095855511507588041205815
  
0x02  md5(md5())
  
0x03  md5(md5(str)."SALT")
2
0e774261293712168181959463563504

 

I ran into a CTF challenge: bypassing a PHP md5 equality check that uses the == operator.

I found the explanation of the principle on Stack Overflow.

stackoverflow

 php-expresses-two-different-strings-to-be-the-same 

 why-md5240610708-is-equal-to-md5qnkcdzo


Why does the following statement return true?

"608E-4234" == "272E-3063"

"608E-4234" is in float number format, so both strings are cast to numbers when they are compared.

608E-4234 and 272E-3063 will both be float(0) because they are too small.

For == in php,

If you compare a number with a string or the comparison involves numerical strings, then each string is converted to a number and the comparison performed numerically.

http://php.net/manual/en/language.operators.comparison.php


and

var_dump(md5('240610708') == md5('QNKCDZO'));

Output:

bool(true)




md5('240610708')'s result is 0e462097431906509019562988736854.

md5('QNKCDZO')'s result is 0e830400451993494058024219903391.

They are both float number format strings (numerical strings), and if you use == in PHP, when you compare a number with a string or the comparison involves numerical strings, each string is converted to a number and the comparison is performed numerically.

Both of the strings are converted to 0 when compared with ==. If you want to compare them as strings, remember to use === (strict comparison) instead.


Similar:

A PHP method for probing any website's password plaintext/encryption scheme: md5('240610708') == md5('QNKCDZO')

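// md5 pairs: every digest is "0e" followed only by digits
var_dump(md5('240610708') == md5('QNKCDZO'));
var_dump(md5('aabg7XSs') == md5('aabC9RqS'));
// sha1 pairs with the same "0e" + digits shape
var_dump(sha1('aaroZmOk') == sha1('aaK1STfY'));
var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
// both strings parse as the number 1000
var_dump('0010e2' == '1e3');
// hex strings: treated as numeric only before PHP 7.0
var_dump('0x1234Ab' == '1193131');
var_dump('0xABCdef' == ' 0xABCdef');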

https://news.ycombinator.com/item?id=9484757
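
The loose check described above next to its hardened form, as an added example that is not code from the original post or from the linked answers. The function names `verify_loose`, `verify_strict` and `is_magic_hash` are hypothetical, and the inputs are strings already listed on this page plus one constructed control value.

```php
<?php
// Added example. All function names here are hypothetical.

// Stored digest: md5('QNKCDZO'), one of the "0e" digests listed on this page.
$stored = md5('QNKCDZO');

// Vulnerable form: == sees two numeric strings, converts both to float,
// and compares 0 with 0.
function verify_loose(string $stored, string $input): bool
{
    return md5($input) == $stored;
}

// Hardened form: hash_equals() compares the two strings byte for byte,
// in constant time, with no numeric conversion.
function verify_strict(string $stored, string $input): bool
{
    return hash_equals($stored, md5($input));
}

// Audit helper: true when a digest has the shape that == reads as the
// number 0, i.e. leading zeros, then "e", then decimal digits only.
function is_magic_hash(string $digest): bool
{
    return preg_match('/^0+e\d+$/i', $digest) === 1;
}

// Inputs: the original string, a different string from this page whose
// md5 is also "0e" + digits, and a constructed control value.
foreach (['QNKCDZO', '240610708', 'constructed-control'] as $input) {
    printf(
        "%-20s loose=%-5s strict=%-5s magic=%s\n",
        $input,
        var_export(verify_loose($stored, $input), true),
        var_export(verify_strict($stored, $input), true),
        var_export(is_magic_hash(md5($input)), true)
    );
}
```

`is_magic_hash()` can also be run over a table of stored digests to find accounts whose hash would match any other "0e" digest under `==`.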

