
CTF_ Web:php weak type bypass and MD5 collision

2022-06-25 04:30:00 AFCC_

0x00 Preface

An md5 collision is only one way of exploiting php's weak typing; there is a lot of weak-type material, such as array comparison and string comparison. Whichever way you test it, the knowledge points involved are interlinked, and I hope to learn and progress together with you by sharing these basics.

0x01 What is md5

MD5 (Message-Digest Algorithm) is a widely used cryptographic hash function. It turns data (such as a piece of text) into another value of fixed length, which is the basic principle of a hash algorithm; it produces a 128-bit (16-byte) hash value that is used to verify that information was transmitted completely and consistently.

Obviously 128 bits are not enough to give every message in the world a distinct digest. Today, of course, md5 exists in both a 16-byte (128-bit) and a 32-byte (256-bit) form; choosing the form with more digits reduces the possibility of a hard collision to a certain extent.

In php, md5 is called like this:

<?php
$str = "hello world!";
echo "str_md5-->",md5($str),"<br/>"; // compute the digest of a string
$files = "02.php";
echo "file_md5-->",md5_file($files); // compute the digest of a file
?>

This gives the default 32-byte digest.

Because md5 in php returns a 32-byte result by default, the 16-byte form has to be cut out with a substring operation.

<?php
$str = "hello world!";
echo "32byte-->",md5($str),"<br/>"; // compute the digest of the string
$md5Str = substr(md5($str),8,16);    // take the 16-byte digest
echo "16byte-->",$md5Str;
?>

This works because bytes 8-24 in the middle of the 32-byte string are identical to the 16-byte digest, so in php this is how the 16-byte digest is obtained.

0x02 What is php weak typing

php is a weakly typed language: it does not strictly check variable types. A variable does not have to declare its type explicitly; the value is simply assigned at run time.

In php there are two operators for comparing equality: == and ===.
With ==, variables or values of different types are converted to the same type before they are compared.
With ===, the types are compared first; only if they are the same are the values compared.
The "weak" in php weak typing does not mean that some type is faulty. It means that a number of functions in the php language do not seem to care about type during assignment, string comparison and variable comparison, which weakens the effect of type: when a variable is used its type does not have to be defined, but is judged from its content, and this is what leads to the various vulnerabilities.
For example:

<?php
var_dump("a"==0);  //true
var_dump("1a"==1); //true
var_dump("a1"==1); //false
var_dump("a1"==0); //true
var_dump("0e123456"=="0e234567"); //true
var_dump(0=="1a"); //false
?> 

The result is :

bool(true)
bool(true)
bool(false)
bool(true)
bool(true)
bool(false) 

The reason for the output above is that when php takes a string as a number, if the string does not contain '.', 'e' or 'E' and its numeric value is within integer range, it is taken as an int; in all other cases it is taken as a float. The start of the string determines its value: if the string begins with a legal number, that number is used, otherwise the value is 0.
So in the example above, 1a converts to 1 and a1 converts to 0, and when "0e123456" == "0e234567" is compared, strings of the form 0e... are recognised as numbers in scientific notation; 0 raised to any power is 0, so they are equal.

0x03 md5 == bypass (0e comparison)

<?php
$flag = 'ook!';
$a = $_GET['a'];
if ($a != 'QNKCDZO' && md5($a) == md5('QNKCDZO')) {
    echo $flag;
} else {
    echo('Your answer is wrong 0.0');
}

In the code above, every string starting with 0e is treated as 0. Looking at md5('QNKCDZO'), the result is 0e830400451993494058024219903391, so any input whose md5 starts with 0e can satisfy the condition.
Commonly used values (input and its md5):

QNKCDZO        0e830400451993494058024219903391
240610708      0e462097431906509019562988736854
s878926199a    0e545993274517709034328855841020
s155964671a    0e342768416822451524974117254469
s214587387a    0e848240448830537924465865611904

These cover three kinds of result: pure digits, pure letters, and digits mixed with letters, so without any input restriction any one of them bypasses the check. Using ?a=240610708 with the code above prints the flag value.

0x04 md5 === bypass (array comparison)

In php, if an array is passed to a hash function such as md5 or sha1, a warning is raised and NULL is returned. Two such return values are identical in both type and content, so this can bypass scenarios where the parameters on both sides are controllable. In the previous case only one side's value was controllable, so the array type did not apply there.

<?php
$flag = "ook!";
$a = $_GET['a'];
$b = $_GET['b'];
if ($a != $b && md5($a) === md5($b)) // == can also be bypassed with arrays here
    echo $flag;
?>

In the example above, ?a[]=a&b[]=b satisfies both the "not equal" and the "md5 equal" conditions; although warnings are reported, the correct value is still printed.

Warning: md5() expects parameter 1 to be string, array given in 1.php on line 5
Warning: md5() expects parameter 1 to be string, array given in 1.php on line 5
ook!
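As an added illustration of this section (constructed here, not code from the original post or from PHP itself), the Python below mirrors how PHP fills $_GET from a[]= parameters, reports parameters that should be strings but arrived as arrays, and emulates the gate above in its vulnerable form and in a type-checked form; php_query, non_string_params and the gate_* names are my own.

```python
import hashlib
from urllib.parse import parse_qsl

def php_query(qs):
    """Fill a dict the way PHP fills $_GET: 'a[]=x&a[]=y' becomes a list,
    'a[k]=v' a dict, plain 'a=v' a string. Constructed; one bracket level only."""
    out = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        if key.endswith('[]'):
            out.setdefault(key[:-2], []).append(value)
        elif key.endswith(']') and '[' in key:
            name, sub = key[:-1].split('[', 1)
            out.setdefault(name, {})[sub] = value
        else:
            out[key] = value
    return out

def non_string_params(qs, expected):
    """Names in `expected` that arrived as arrays rather than strings: the
    request-level signal for the a[]=..&b[]=.. trick."""
    p = php_query(qs)
    return [k for k in expected if k in p and not isinstance(p[k], str)]

def php_md5(value):
    """md5() as the page shows it: NULL (None here) plus a warning for an array."""
    return hashlib.md5(value.encode()).hexdigest() if isinstance(value, str) else None

def gate_vulnerable(qs):
    """The page's `$a != $b && md5($a) === md5($b)`: === is true for NULL/NULL."""
    p = php_query(qs)
    a, b = p.get('a'), p.get('b')
    ha, hb = php_md5(a), php_md5(b)
    return a != b and type(ha) is type(hb) and ha == hb

def gate_hardened(qs):
    """Same gate, but refuse anything that is not a string before hashing."""
    p = php_query(qs)
    a, b = p.get('a'), p.get('b')
    if not (isinstance(a, str) and isinstance(b, str)):
        return False
    return a != b and php_md5(a) == php_md5(b)
```

Note that gate_vulnerable("a=QNKCDZO&b=240610708") is false: the two 0e digests differ as strings, so === is only defeated by the NULL/NULL case.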

0x05 md5 === bypass (hard collision)

As mentioned earlier, md5, whether in its 32-digit or its 16-digit form, cannot express all information without repetition. Such a repetition is called a hard collision. Take the following code:

<?php
$s1 = $_GET['a'];
$s2 = $_GET['b'];
$s3 = $_GET['c'];
echo md5($s1),"<br/>";
echo md5($s2),"<br/>";
echo md5($s3),"<br/>";
?>

When three URL-encoded messages that collide under md5 are passed in as a, b and c,


all three return the same md5 value, so certain conditions can be bypassed through this finite-output property of the digest.

ea8b4156874b91a4ef00c5ca3e4a4a34
ea8b4156874b91a4ef00c5ca3e4a4a34
ea8b4156874b91a4ef00c5ca3e4a4a34

0x06 json decoding bypass

When php handles an incoming json string it decodes it with json_decode, and when the result is then compared we do not need to know the contents of the string it is compared against: the fact that a string compared with 0 is true can be used to bypass.

<?php
$flag = 'ook!';
$a = $_GET['a'];
$b = json_decode($a);
echo $b->abc;
var_dump($b->abc == $flag);
if ($b->abc == $flag)
    echo $flag;
else
    echo "error!!";
?>

When ?a={"abc":0} is passed in, the outputs are, in order:

0
bool(true) 
ook!

Note that in {"abc":0} the 0 is a number; with double quotes, {"abc":"0"}, both sides are strings and they are not equal.

0x07 array_search bypass

The principle is again type conversion. The function prototype is:

mixed array_search ( mixed $needle , array $haystack [, bool $strict = false ] )

$needle and $haystack are required, $strict is optional. The function checks whether $needle exists among the values of $haystack and, if it does, returns the key of that value (the array index: for example a value in the first position returns 0, the second returns 1). The third parameter defaults to false; if set to true the search is strict (types are compared too).

<?php
$a = array(0,1,2,3);
var_dump(array_search("a",$a));
var_dump(array_search("1a",$a));
var_dump(array_search("2a",$a));
var_dump(array_search("1a",$a,true));
?>

The result is :

int(0) 
int(1)
int(2)
bool(false) 
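To check every loose comparison on this page in one place (the == results of 0x02, the 0e digests of 0x03, the json value of 0x06 and array_search of 0x07), here is an added Python emulation of PHP's string-to-number rules; it is my own code, not PHP's source and not the author's, and the names php7_loose_eq, php8_loose_eq, php_array_search and magic_digest are mine. The PHP 8 variant is included because PHP 8's saner string-to-number comparison makes 'a' == 0 false while two 0e digests still compare equal.

```python
import hashlib
import re
# Constructed emulation of PHP's numeric-string rules; not PHP's own code.
_NUMERIC = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$')  # whole string
_LEADING = re.compile(r'^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?')   # numeric prefix

def php_to_number(s):
    """Numeric prefix of s ('1a' -> 1, '0e12' -> 0.0), or 0 when there is none."""
    m = _LEADING.match(s)
    if not m:
        return 0
    text = m.group(0).strip()
    return float(text) if any(c in text for c in '.eE') else int(text)

def php7_loose_eq(a, b):
    """PHP 7 '==': two numeric strings compare as numbers; a string against a
    number is converted with php_to_number; anything else compares as-is."""
    if isinstance(a, str) and isinstance(b, str):
        if _NUMERIC.match(a) and _NUMERIC.match(b):
            return php_to_number(a) == php_to_number(b)
        return a == b
    a = php_to_number(a) if isinstance(a, str) else a
    b = php_to_number(b) if isinstance(b, str) else b
    return a == b

def php8_loose_eq(a, b):
    """PHP 8 '==': unchanged for two strings, but a number against a non-numeric
    string is compared as strings, so 'a' == 0 and '1a' == 1 are now false."""
    if isinstance(a, str) != isinstance(b, str):
        num, s = (b, a) if isinstance(a, str) else (a, b)
        if not _NUMERIC.match(s):
            return str(num) == s
    return php7_loose_eq(a, b)

def php_array_search(needle, haystack, strict=False):
    """array_search: index of the first element equal to needle, else False."""
    for i, v in enumerate(haystack):
        if strict:
            if type(v) is type(needle) and v == needle:
                return i
        elif php7_loose_eq(needle, v):
            return i
    return False

def magic_digest(s):
    """md5(s) as hex if it is '0e' followed only by digits (PHP reads that as the
    float 0.0, so it is == every other digest of that shape), otherwise None."""
    h = hashlib.md5(s.encode()).hexdigest()
    return h if re.fullmatch(r'0e\d+', h) else None
```

Under the PHP 8 rule the 0x06 trick (0 == 'ook!') and the array_search results for "a", "1a" and "2a" stop working, while magic_digest values still compare equal under both rules.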

0x08 Summary

As seen above, every bypass form rests on weak-type comparison or on how a function handles a parameter of an unexpected type: arrays against strings, strings against integers, and so on. We cannot guarantee that every user will input the value we expect, so in php it is particularly important to define the type and the value of user input.

Thanks to Mrsm1th for the sharing; it makes absorbing the knowledge on your own much faster.


Copyright notice
This article was written by [AFCC_]; please include the original link when reposting, thank you.
https://yzsam.com/2022/02/202202210534359263.html