MD5
MD5
php的特性
1.数字与字符串比较
// Loose comparison (==) between a number and a string converts the string to a number first.
// NOTE(review): the first result applies to PHP 7 and earlier; since PHP 8.0 a number compared
// with a non-numeric string is compared as strings, so 0 == "a" is false there.
// The remaining three lines compare numeric strings and still give true on PHP 8.
var_dump(0 == "a"); // 0 == 0 -> true: "a" has no leading digits, so it converts to 0
var_dump("1" == "01"); // 1 == 1 -> true
var_dump("10" == "1e1"); // 10 == 10 -> true
var_dump(100 == "1e2"); // 100 == 100 -> true
- 因为php把字母开头的字符串转化为整型时结果为0;前面是数字、后面是字母的字符串,只取到第一个字母出现的位置之前(如intval('123abd45gf')结果为123)
- 两个字符串比较,如果两个都是数字形式,则同时转换为数字进行比较
- "==="和"!=="即strict比较符,只有在类型相同时才相等。"=="和"!="即non-strict比较符,会在类型转换后进行比较
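// Strict comparison: both operands are strings with different contents, so no conversion happens.
var_dump("0e123456789012345678901234567890"==="0"); //false
// Loose comparison: both operands are numeric strings, so they are compared as numbers.
// "0e123..." is read as 0 * 10^123... = 0, which equals 0.
var_dump("0e123456789012345678901234567890"=="0"); //true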
md5('240610708') 的结果是:0e462097431906509019562988736854
md5('QNKCDZO') 的结果是:0e830400451993494058024219903391
以下字符串的md5值同样是"0e"开头、后面全为数字的形式,用"=="比较时都会被当作0:240610708、QNKCDZO、aabg7XSs、aabC9RqS
CTF题
<?php
// CTF exercise: the two POST fields must differ while their MD5 digests compare equal.
// Both comparisons are loose (!= and ==). Two digests of the form "0e<digits>" are numeric
// strings, so == compares them as numbers (0 == 0) even though the digest strings differ.
// Hardening: compare digests with hash_equals() or ===, and require is_string() on each
// field before hashing.
if($_POST['param1']!=$_POST['param2'] && md5($_POST['param1'])==md5($_POST['param2'])){
die("success!");
}
?>
2.md5数组
md5(array) == NULL(PHP 7及以下:向md5()传入数组会返回NULL并给出Warning,所以两个不同的数组得到的结果都是NULL;PHP 8起改为抛出TypeError)
CTF题
<?php
// CTF exercise: same check as before, but with strict operators (!== and ===), which rules
// out the "0e<digits>" numeric-string comparison.
// The fields are still not checked to be strings. When both arrive as arrays, md5() returns
// NULL for each of them on PHP 7 and earlier (with a warning), and NULL === NULL holds.
// Hardening: reject non-string input with is_string() before calling md5().
if($_POST['param1']!==$_POST['param2'] && md5($_POST['param1'])===md5($_POST['param2'])){
die("success!");
}
?>
3.Two different strings in hex format
4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2
4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2
both have MD5 hash:
008ee33a9d58b51cfeb425b0959121c9
PHP Example:
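<?php
// Demonstrates an MD5 collision: two 64-byte inputs that differ in a few bytes
// but hash to the same MD5 digest.
$hex1 = '4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2';
$hex2 = '4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2';

// hex2bin() turns the hex text into the raw bytes that are actually hashed.
$bin1 = hex2bin($hex1);
$bin2 = hex2bin($hex2);

echo PHP_EOL;

// Strict comparison (===): with == two numeric-looking strings would be compared as
// numbers, which is the pitfall this page is about.
if ($bin1 === $bin2) {
    echo 'The binary data is the same' . PHP_EOL;
} else {
    echo 'The binary data is not the same' . PHP_EOL . PHP_EOL;
}

$md51 = md5($bin1);
$md52 = md5($bin2);

echo 'MD5 hash for binary #1: ' . $md51 . PHP_EOL;
echo 'MD5 hash for binary #2: ' . $md52 . PHP_EOL;

// Digests are compared strictly too, so "0e<digits>" hashes cannot be reported as equal
// by numeric conversion.
if ($md51 === $md52) {
    echo 'The MD5 hashes are the same' . PHP_EOL;
} else {
    echo 'The MD5 hashes are not the same'. PHP_EOL;
}
?>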
Another example (in hex):
0e306561559aa787d00bc6f70bbdfe3404cf03659e704f8534c00ffb659c4c8740cc942feb2da115a3f4155cbb8607497386656d7d1f34a42059d78f5a8dd1ef
0e306561559aa787d00bc6f70bbdfe3404cf03659e744f8534c00ffb659c4c8740cc942feb2da115a3f415dcbb8607497386656d7d1f34a42059d78f5a8dd1ef
both have MD5 hash:
cee9a457e790cf20d4bdaa6d69f01e41
Please note that the above examples are hexadecimal representations of the strings. To test them, you have to write these hex values into binary files and then compare the files as shown above.
Python Example:
# -*- coding:utf-8 -*-
import hashlib
# Two 64-byte messages, written as hex text, that share one MD5 digest.
# Only the second half of each literal differs between the two.
hex1 = (
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2"
)
hex2 = (
    "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
    "afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2"
)
def HexToStr(hex):
    """Convert hex text into a string with one character per hex digit pair.

    The input is walked two characters at a time; each slice is parsed as a
    base-16 number and mapped through chr(). A trailing single digit is
    parsed on its own.
    """
    pairs = (hex[pos:pos + 2] for pos in range(0, len(hex), 2))
    return ''.join(chr(int(pair, 16)) for pair in pairs)
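# Python 3: decode the hex text into raw bytes, then hash the bytes.
print(hashlib.md5(bytes.fromhex(hex1)).hexdigest())
# Python 3 via HexToStr: the helper returns code points, so encode with latin1, which maps
# code points 0-255 to one byte each. utf-8 would expand values above 0x7f into two bytes
# and the digest would no longer match.
print(hashlib.md5(HexToStr(hex1).encode('latin1')).hexdigest())
# Python 2 equivalents from the original listing (str is already a byte string there):
#   print hashlib.md5(bytearray.fromhex(hex1)).hexdigest()
#   print hashlib.md5(HexToStr(hex1)).hexdigest()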
- python2与python3中md5区别
python3中,在 num<128 的时候,使用 chr(num).encode('utf-8') 得到的是一个字节;而 num>128 的时候(num=128 同样如此),使用chr(num).encode('utf-8')得到的是两个字节,与原始字节不一致,md5结果也就不同.
- 解决
改用 latin1 编码进行编码(即 .encode('latin1')),每个字符对应一个字节
CTF题
<?php
// CTF exercise: the first test now casts both fields to string. An array cast to string
// becomes the literal "Array", so two arrays no longer count as different and the array
// input described earlier on this page fails the first test.
// What still satisfies the check is a genuine MD5 collision, such as the hex pairs listed above.
// Hardening: MD5 is not collision resistant; use hash('sha256', ...) where two different
// inputs must never share a digest.
if((string)$_POST['param1']!==(string)$_POST['param2'] && md5($_POST['param1'])===md5($_POST['param2'])){
die("success!");
}
?>
4.文件MD5
windows下查询md5
certutil -hashfile C:\Users\Administrator\Desktop\Test.md MD5
Python查询 (md5sum.py)
import hashlib
import os
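def get_md5_01(file_path):
    """Return the lowercase hex MD5 digest of the file at *file_path*.

    Returns None when *file_path* is not an existing regular file.

    MD5 collisions are practical, so equal digests do not prove that two files
    are identical when someone may have crafted them. Treat the result as a
    checksum and use SHA-256 for integrity decisions.
    """
    if not os.path.isfile(file_path):
        return None
    md5_obj = hashlib.md5()
    # The context manager closes the file even if a read fails, and reading in
    # chunks keeps memory use flat for large files.
    with open(file_path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 20), b''):
            md5_obj.update(chunk)
    return md5_obj.hexdigest().lower()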
if __name__ == "__main__":
    # Sample path from the article; point it at the file whose digest is wanted.
    print(get_md5_01(r'C:\Users\Administrator\Desktop\1.bin'))
Python将hex写bin文件
import hashlib
import os
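def write_bin(file_path,hex):
    """Decode the hex text *hex* and write the resulting bytes to *file_path*.

    Any existing file at *file_path* is overwritten. Prints "Ok" once the data
    has been written. Raises ValueError if *hex* is not valid hex text.
    """
    # Decode before opening, so invalid hex does not truncate an existing file.
    b = bytes.fromhex(hex)
    # The context manager closes the handle even if the write fails.
    with open(file_path, 'wb') as f:
        f.write(b)
    print("Ok")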
if __name__ == "__main__":
    # Sample destination and payload from the article: the first 64-byte
    # message of the MD5 collision pair, written out as a binary file.
    target_path = r'C:\Users\Administrator\Desktop\1.bin'
    payload_hex = (
        "4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518"
        "afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2"
    )
    write_bin(target_path, payload_hex)
5.Python 编写md5爆破
import hashlib
import string
import re
def md5_bp():
    """Search a masked candidate space for a string whose SHA-1 matches a partial digest.

    Candidates have the form c1+"7"+c2+"5-"+c3+"4"+c4+"3?", where each c is
    taken from the first 94 characters of string.printable. Returns the first
    candidate whose SHA-1 hex digest matches the pattern below, and falls
    through (returning None) when no candidate matches.

    NOTE(review): despite the function name and the section heading, the digest
    computed here is SHA-1, not MD5.
    NOTE(review): indentation was lost in the published listing; the nesting
    below is reconstructed from the statement order.
    """
    mima = string.printable[:94]
    # This value is overwritten inside the loop before it is ever read.
    sha1 = string.hexdigits
    count = 0
    # Appended to below but never read or returned.
    sha1_group = []
    for i in mima:
        for n in mima:
            for m in mima:
                for k in mima:
                    count += 1
                    str_mima = i+"7"+n+"5-"+m+"4"+k+"3?"
                    sha1 = hashlib.sha1(str_mima.encode()).hexdigest()
                    # Each "." is one unknown hex digit of the 40-character digest.
                    if re.match(r"619c20c.a4de755.9be9a8b.b7cbfa5.e8b4365.",sha1):
                        sha1_group.append(str_mima)
                        return(str_mima)
                    # Progress output every 3,000,000 candidates.
                    if count%3000000 == 0:
                        print(count)
print(md5_bp())
CTF题

6.Python编写MD5截取验证
import string
import random
import hashlib
# Alphabet for the random candidates: ASCII letters followed by digits.
CHARS = string.ascii_letters + string.digits


def run_proc(substr, sublen, stop_event, start=0, size=20):
    """Draw random strings until one has an MD5 hex digest containing *substr*.

    The slice digest[start:start+int(sublen)] of each candidate's MD5 hex
    digest is compared with *substr*. On a match the candidate is printed and
    *stop_event* is set, which also ends the loop in any other worker that
    shares the event. Returns None.
    """
    while True:
        if stop_event.is_set():
            break
        candidate = ''.join(random.choice(CHARS) for _ in range(size))
        digest = hashlib.md5(candidate.encode()).hexdigest()
        window = digest[start:start + int(sublen)]
        if window == substr:
            print(candidate)
            stop_event.set()
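if __name__ == '__main__':
    # The published listing uses multiprocessing without importing it, which
    # raises NameError; import it here so the script runs.
    import multiprocessing

    # Digest fragment to look for and its length.
    substr = '77516d'
    sublen = len(substr)
    # One worker per CPU; the shared event lets the first hit stop the rest.
    cpus = multiprocessing.cpu_count()
    stop_event = multiprocessing.Event()
    ps = [
        multiprocessing.Process(target=run_proc, args=(substr, sublen, stop_event))
        for _ in range(cpus)
    ]
    for p in ps:
        p.start()
    for p in ps:
        p.join()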
通过字典用二分查找加快速度(原文)
import hashlib
import string
import itertools
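# Alphabet for the generated plaintexts: ASCII letters followed by digits.
CHARS = string.ascii_letters + string.digits
md5_file = "md5_sorted.txt"

# Writes one fixed-width line per candidate: "<md5 hex> <plaintext>\n".
# NOTE(review): lines are written in plaintext order, not digest order. A binary
# search over this file needs the lines ordered by digest, so the output has to be
# sorted before it is searched.
# NOTE(review): repeat=8 over 62 characters is 62**8 (about 2.2e14) lines of 42 bytes
# each, which will not finish or fit on disk in practice; the article presumably
# intends a much smaller candidate space.
# The context manager closes the file even if the loop is interrupted.
with open(md5_file, "w") as f:
    for combo in itertools.product(CHARS, repeat=8):
        # Named "plain" rather than "str" so the builtin is not shadowed.
        plain = ''.join(combo)
        f.write("{0} {1}\n".format(hashlib.md5(plain.encode()).hexdigest(), plain))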
import itertools
import hashlib
import string
import os
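def match(s):
    """Look up a plaintext whose MD5 hex digest starts with *s*.

    Reads "md5_sorted.txt" in the current directory. The file must hold
    fixed-width lines of the form "<md5 hex> <plaintext>", ordered by digest;
    the record width is taken from the first line. Returns the plaintext of a
    matching record, or None when no digest starts with *s* or the file is
    empty.
    """
    md5_file = "md5_sorted.txt"
    # The file is read as bytes, so compare against a bytes prefix.
    prefix = s if isinstance(s, bytes) else s.encode()
    byte_size = os.path.getsize(md5_file)
    with open(md5_file, "rb") as f:
        line_len = len(f.readline())
        if line_len == 0:
            # Empty file: nothing to search, and no division by zero below.
            return None
        # Half-open range [lo, hi) of record indices. The original loop never
        # advanced past the midpoint once R - L == 1, so it could spin forever
        # and it never examined the last record.
        lo, hi = 0, byte_size // line_len
        while lo < hi:
            mid = (lo + hi) // 2
            f.seek(mid * line_len)
            record = f.read(line_len).strip()
            head = record[:len(prefix)]
            if head == prefix:
                return record.split(b" ")[1].decode()
            if prefix < head:
                hi = mid
            else:
                lo = mid + 1
    return None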
# print match('fef')