MD5强碰撞

关卡一

 
 

 
 

md5弱比较,为0e开头的会被识别为科学记数法,结果均为0

payload
param1=QNKCDZO&param2=aabg7XSs

 

关卡二

 
 

 
 

md5强比较,此时如果传入的两个参数不是字符串,而是数组,md5()函数无法解出其数值,而且不会报错,就会得到===强比较的值相等

payload
param1[]=111&param2[]=222

 

关卡三

 
 

 
image.png

真实md5碰撞,因为此时不能输入数组了,只能输入字符串

给两个md5碰撞的链接:
https://www.jianshu.com/p/c9089fd5b1ba
https://crypto.stackexchange.com/questions/1434/are-there-two-known-strings-which-have-the-same-md5-hash-value

 
 

这两串比较像的hex形式的bin文件,其md5是相同的

 

给出将这两串hex字符串转化为bin文件的代码,其实就是将hex字符串转化为ascii字符串,并写入文件

 
image.png
hex2bin.py
#!coding:utf-8
hexString1 = '4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2'
hexString2 = '4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2'

hexList1 = []
intList1 = []
asciiString1 =''

while True:
    intString1 = hexString1[0:2]
    hexString1 = hexString1[2:]
    hexList1.append(intString1)
    if (hexString1 == ''):
        break

for i in hexList1:
    intList1.append(int(i,16))
for j in intList1:
    asciiString1 += chr(int(j))

f = open('1.bin','w')
f.write(asciiString1)
f.close()

hexList2 = []
intList2 = []
asciiString2 =''

while True:
    intString2 = hexString2[0:2]
    hexString2 = hexString2[2:]
    hexList2.append(intString2)
    if (hexString2 == ''):
        break

for i in hexList2:
    intList2.append(int(i,16))
for j in intList2:
    asciiString2 += chr(int(j))

f = open('2.bin','w')
f.write(asciiString2)
f.close()

 


考虑到要将一些不可见字符传到服务器,这里可以使用url编码

 
image.png
urlencode.py
#!coding:utf-8
import urllib 

urlString1=''
urlString2 = ''

for line in open('1.bin'):
    urlString1 +=  urllib.quote(line)

for line in open('2.bin'):
    urlString2 +=  urllib.quote(line)

print urlString1
print urlString2

 

payload
param1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&param2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

 

 

 
这里也可以直接用python调用open并读取文件来传参
 
image.png
import requests

url = 'http://39.107.33.96:10000/'
S = requests.Session()

p1 = 'QNKCDZO'
p2 = 'aabg7XSs'
data = {'param1':p1,'param2':p2}
r = S.post(url,data = data)
print r.text

p1 = '111'
p2 = '222'
data = {'param1[]':p1,'param2[]':p2}
r = S.post(url,data = data)
print r.text


p1 = open('1.bin')
p2 = open('2.bin')
data = {'param1':p1,'param2':p2}
r = S.post(url,data = data)
print r.text

 

a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2
&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2


posted @ 2019-12-01 22:28  -Zad-  阅读(3221)  评论(4编辑  收藏  举报
jQuery火箭图标返回顶部代码