CTF中的md5 all in one

OceanSec
651 阅读2分钟

本文已参与「新人创作礼」活动,一起开启掘金创作之路

CTF中的md5,ALL IN ONE

MD5

md5弱类型比较

if(md5($_GET['a'])==md5($_GET['b']))
{
    var_dump($flag);
}

因为是if的判断条件是两个数弱类型相等,就可以利用hash比较缺陷去绕过

比如

var_dump("0e12345"=="0e66666");//true
var_dump(md5('240610708')==md5('QNKCDZ0'));//true

也就是只要两个数的md5加密后的值以0e开头就可以绕过,因为php在进行弱类型比较(即==)时,会现转换字符串的类型,在进行比较,而在比较是因为两个数都是以0e开头会被认为是科学计数法,0e后面加任何数在科学计数法中都是0,所以两数相等,在进行严格比较(===)时才会先判断字符串类型是否相等,在比较。

想这样特殊的md5值还有

QLTHNDT:0e405967825401955372549139051580
QNKCDZO:0e830400451993494058024219903391
PJNPDWY:0e291529052894702774557631701704
NWWKITQ:0e763082070976038347657360817689
NOOPCJF:0e818888003657176127862245791911
MMHUWUV:0e701732711630150438129209816536
MAUXXQC:0e478478466848439040434801845361

除了这些还有很多参考:github.com/spaze/hashe…

md5弱类型还有一种情况

    $md5=$_GET['md5'];
    if ($md5==md5($md5))
        include __DIR__."/flag.php";

只要找到0e开头并且md5后的值依然0e开头即可的字符串

0e215962017:0e291242476940776845150308577824

md5强类型比较数组绕过

if(md5((string)$_GET['a'])===md5((string)$_GET['b']))
{
    var_dump($flag);
}

此时两个md5后的值采用严格比较,没有规定字符串如果这个时候传入的是数组不是字符串,可以利用md5()函数的缺陷进行绕过

var_dump(md5([1,2,3])==md5([4,5,6]));//true

var_dump(md5($_GET['a'])==md5($_GET['b']));

?a[]=1&b[]=1//true

md5()函数的描述是string md5(string str[,boolstr[,bool raw_output=false])

md5中需要的是一个string参数,但是当你传入一个array(数组)是,md5()是不会报错的,只是无法求出array的md5的值,这样就会导致任意的2个array的md5的值都会相等

第一种情况也可以使用弱类型绕过

md5碰撞

if($_GET['a']!==$_GET['b'] && md5($_GET['a'])===md5($_GET['b']))
{
	echo 'ok';
}

真实md5碰撞,因为此时不能输入数组了,只能输入字符串

a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

image-20201016193753698

两个关于md5碰撞的网站:

md5碰撞1

md5碰撞2

sql语句md5特殊值

$query = "SELECT * FROM flag WHERE password = '" . md5($_GET["hash4"],true) . "'";

这需要一个极其特殊的md5的值 ffifdyop

这个字符串进行md5后恰好结果是'or'6�]��!r,��b,他的前四位为'or'正好满足sql注入查询的条件,因此可以完美绕过

md5值暴破

爆破脚本和使用方式:

submd5.py

# -*- coding: utf-8 -*-

import multiprocessing
import hashlib
import random
import string
import sys
CHARS = string.letters + string.digits
def cmp_md5(substr, stop_event, str_len, start=0, size=20):
    global CHARS
	while not stop_event.is_set():
        rnds = ''.join(random.choice(CHARS) for _ in range(size))
        md5 = hashlib.md5(rnds)
        if md5.hexdigest()[start: start+str_len] == substr:
            print rnds
            stop_event.set()
if __name__ == '__main__':
    substr = sys.argv[1].strip()
    start_pos = int(sys.argv[2]) if len(sys.argv) > 1 else 0
    str_len = len(substr)
    cpus = multiprocessing.cpu_count()
    stop_event = multiprocessing.Event()
    processes = [multiprocessing.Process(target=cmp_md5, args=(substr,
                                         stop_event, str_len, start_pos))
                 for i in range(cpus)]
    for p in processes:
        p.start()
    for p in processes:
        p.join()

使用方式:

爆破md5的值是以3e5f开头的字符串的值

img

image-20211031082800107

验证:

img

SHA1

弱类型

if(sha1($v1)==sha1($v2) && $v1!=$v2){

aaroZmOk
aaK1STfY
aaO8zKZF
aa3OFF9m
10932435112

数组绕过

    if ($_GET['user'] == $_GET['pass'])
        echo 'no no no no way for you to do so.';
    else if (sha1($_GET['user']) === sha1($_GET['pass']))
      die('G1ve u the flag'.$flag);

使用数组绕过

?user[1]=2&pass[1]=1

sha1碰撞

    if ($_GET['user'] == $_GET['pass'])
        echo 'no no no no way for you to do so.';
    else if(is_array($_GET['user']) || is_array($_GET['pass']))
        die('There is no way you can sneak me, young man!');
    else if (sha1($_GET['user']) === sha1($_GET['pass'])){

使用sha1碰撞

?user=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01sF%DC%91f%B6%7E%11%8F%02%9A%B6%21%B2V%0F%F9%CAg%CC%A8%C7%F8%5B%A8Ly%03%0C%2B%3D%E2%18%F8m%B3%A9%09%01%D5%DFE%C1O%26%FE%DF%B3%DC8%E9j%C2/%E7%BDr%8F%0EE%BC%E0F%D2%3CW%0F%EB%14%13%98%BBU.%F5%A0%A8%2B%E31%FE%A4%807%B8%B5%D7%1F%0E3.%DF%93%AC5%00%EBM%DC%0D%EC%C1%A8dy%0Cx%2Cv%21V%60%DD0%97%91%D0k%D0%AF%3F%98%CD%A4%BCF%29%B1&
&pass=%25PDF-1.3%0A%25%E2%E3%CF%D3%0A%0A%0A1%200%20obj%0A%3C%3C/Width%202%200%20R/Height%203%200%20R/Type%204%200%20R/Subtype%205%200%20R/Filter%206%200%20R/ColorSpace%207%200%20R/Length%208%200%20R/BitsPerComponent%208%3E%3E%0Astream%0A%FF%D8%FF%FE%00%24SHA-1%20is%20dead%21%21%21%21%21%85/%EC%09%239u%9C9%B1%A1%C6%3CL%97%E1%FF%FE%01%7FF%DC%93%A6%B6%7E%01%3B%02%9A%AA%1D%B2V%0BE%CAg%D6%88%C7%F8K%8CLy%1F%E0%2B%3D%F6%14%F8m%B1i%09%01%C5kE%C1S%0A%FE%DF%B7%608%E9rr/%E7%ADr%8F%0EI%04%E0F%C20W%0F%E9%D4%13%98%AB%E1.%F5%BC%94%2B%E35B%A4%80-%98%B5%D7%0F%2A3.%C3%7F%AC5%14%E7M%DC%0F%2C%C1%A8t%CD%0Cx0Z%21Vda0%97%89%60k%D0%BF%3F%98%CD%A8%04F%29%A1

MD4

if ($_GET["hash1"] != hash("md4", $_GET["hash1"]))
{
    die('level 1 failed');
}

0e251288019
0e898201062

MD2

<?php
for($i=0;$i<99999;$i++){
$x1=hash("md2", '0e'.$i.'024452');
if(substr($x1,0,2)==='0e'  and is_numeric($x1)){
break;
}
}
for($j=0;$j<999999;$j++){
$x2=hash('md2',hash("md2", '0e'.$j.'48399'));
if(substr($x2,0,2)==='0e'  and is_numeric($x2)){
break;
}
}
print('b=0e'.$i.'024452&c=0e'.$j.'48399');
?>

b=0e652024452&c=0e603448399

其他特殊的hash值(crc32......)

github.com/spaze/hashe…

感谢大神的整理

avatar
文章
阅读
粉丝