# MD5强碰撞

## 关卡一

md5弱比较，为0e开头的会被识别为科学记数法，结果均为0

param1=QNKCDZO&param2=aabg7XSs

## 关卡二

md5强比较，此时如果传入的两个参数不是字符串，而是数组，md5()函数无法解出其数值，而且不会报错，就会得到===强比较的值相等

param1[]=111&param2[]=222

## 关卡三

image.png

image.png
###### hex2bin.py
#!coding:utf-8
hexString1 = '4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2'
hexString2 = '4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2'

hexList1 = []
intList1 = []
asciiString1 =''

while True:
intString1 = hexString1[0:2]
hexString1 = hexString1[2:]
hexList1.append(intString1)
if (hexString1 == ''):
break

for i in hexList1:
intList1.append(int(i,16))
for j in intList1:
asciiString1 += chr(int(j))

f = open('1.bin','w')
f.write(asciiString1)
f.close()

hexList2 = []
intList2 = []
asciiString2 =''

while True:
intString2 = hexString2[0:2]
hexString2 = hexString2[2:]
hexList2.append(intString2)
if (hexString2 == ''):
break

for i in hexList2:
intList2.append(int(i,16))
for j in intList2:
asciiString2 += chr(int(j))

f = open('2.bin','w')
f.write(asciiString2)
f.close()

image.png
###### urlencode.py
#!coding:utf-8
import urllib

urlString1=''
urlString2 = ''

for line in open('1.bin'):
urlString1 +=  urllib.quote(line)

for line in open('2.bin'):
urlString2 +=  urllib.quote(line)

print urlString1
print urlString2

param1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2&param2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2



###### 这里也可以直接用python调用open并读取文件来传参

image.png
import requests

url = 'http://39.107.33.96:10000/'
S = requests.Session()

p1 = 'QNKCDZO'
p2 = 'aabg7XSs'
data = {'param1':p1,'param2':p2}
r = S.post(url,data = data)
print r.text

p1 = '111'
p2 = '222'
data = {'param1[]':p1,'param2[]':p2}
r = S.post(url,data = data)
print r.text

p1 = open('1.bin')
p2 = open('2.bin')
data = {'param1':p1,'param2':p2}
r = S.post(url,data = data)
print r.text

a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2
&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2

posted @ 2019-12-01 22:28  -Zad-  阅读(3221)  评论(4编辑  收藏  举报
jQuery火箭图标返回顶部代码