關卡一
md5弱比較,為0e開頭的會被識別為科學記數法,結果均為0
payload
param1=QNKCDZO¶m2=aabg7XSs
關卡二
md5強比較,此時如果傳入的兩個參數不是字符串,而是數組,md5()函數無法解出其數值,而且不會報錯,就會得到===強比較的值相等
payload
param1[]=111¶m2[]=222
關卡三
image.png
真實md5碰撞,因為此時不能輸入數組了,只能輸入字符串
給兩個md5碰撞的鏈接:
https://www.jianshu.com/p/c9089fd5b1ba
https://crypto.stackexchange.com/questions/1434/are-there-two-known-strings-which-have-the-same-md5-hash-value
這兩串比較像的hex形式的bin文件,其md5是相同的
給出將這兩串hex字符串轉化為bin文件的代碼,其實就是將hex字符串轉化為ascii字符串,並寫入文件
image.png
hex2bin.py
#!coding:utf-8 hexString1 = '4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2' hexString2 = '4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2' hexList1 = [] intList1 = [] asciiString1 ='' while True: intString1 = hexString1[0:2] hexString1 = hexString1[2:] hexList1.append(intString1) if (hexString1 == ''): break for i in hexList1: intList1.append(int(i,16)) for j in intList1: asciiString1 += chr(int(j)) f = open('1.bin','w') f.write(asciiString1) f.close() hexList2 = [] intList2 = [] asciiString2 ='' while True: intString2 = hexString2[0:2] hexString2 = hexString2[2:] hexList2.append(intString2) if (hexString2 == ''): break for i in hexList2: intList2.append(int(i,16)) for j in intList2: asciiString2 += chr(int(j)) f = open('2.bin','w') f.write(asciiString2) f.close()
考慮到要將一些不可見字符傳到服務器,這里可以使用url編碼
image.png
urlencode.py
#!coding:utf-8 import urllib urlString1='' urlString2 = '' for line in open('1.bin'): urlString1 += urllib.quote(line) for line in open('2.bin'): urlString2 += urllib.quote(line) print urlString1 print urlString2
payload
param1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2¶m2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2
這里也可以直接用python調用open並讀取文件來傳參
image.png
import requests url = 'http://39.107.33.96:10000/' S = requests.Session() p1 = 'QNKCDZO' p2 = 'aabg7XSs' data = {'param1':p1,'param2':p2} r = S.post(url,data = data) print r.text p1 = '111' p2 = '222' data = {'param1[]':p1,'param2[]':p2} r = S.post(url,data = data) print r.text p1 = open('1.bin') p2 = open('2.bin') data = {'param1':p1,'param2':p2} r = S.post(url,data = data) print r.text
a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2
&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2