关卡一
md5弱比较,为0e开头的会被识别为科学记数法,结果均为0
payload
param1=QNKCDZO¶m2=aabg7XSs
关卡二
md5强比较,此时如果传入的两个参数不是字符串,而是数组,md5()函数无法解出其数值,而且不会报错,就会得到===强比较的值相等
payload
param1[]=111¶m2[]=222
关卡三
image.png
真实md5碰撞,因为此时不能输入数组了,只能输入字符串
给两个md5碰撞的链接:
https://www.jianshu.com/p/c9089fd5b1ba
https://crypto.stackexchange.com/questions/1434/are-there-two-known-strings-which-have-the-same-md5-hash-value
这两串比较像的hex形式的bin文件,其md5是相同的
给出将这两串hex字符串转化为bin文件的代码,其实就是将hex字符串转化为ascii字符串,并写入文件
image.png
hex2bin.py
#!coding:utf-8 hexString1 = '4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa200a8284bf36e8e4b55b35f427593d849676da0d1555d8360fb5f07fea2' hexString2 = '4dc968ff0ee35c209572d4777b721587d36fa7b21bdc56b74a3dc0783e7b9518afbfa202a8284bf36e8e4b55b35f427593d849676da0d1d55d8360fb5f07fea2' hexList1 = [] intList1 = [] asciiString1 ='' while True: intString1 = hexString1[0:2] hexString1 = hexString1[2:] hexList1.append(intString1) if (hexString1 == ''): break for i in hexList1: intList1.append(int(i,16)) for j in intList1: asciiString1 += chr(int(j)) f = open('1.bin','w') f.write(asciiString1) f.close() hexList2 = [] intList2 = [] asciiString2 ='' while True: intString2 = hexString2[0:2] hexString2 = hexString2[2:] hexList2.append(intString2) if (hexString2 == ''): break for i in hexList2: intList2.append(int(i,16)) for j in intList2: asciiString2 += chr(int(j)) f = open('2.bin','w') f.write(asciiString2) f.close()
考虑到要将一些不可见字符传到服务器,这里可以使用url编码
image.png
urlencode.py
#!coding:utf-8 import urllib urlString1='' urlString2 = '' for line in open('1.bin'): urlString1 += urllib.quote(line) for line in open('2.bin'): urlString2 += urllib.quote(line) print urlString1 print urlString2
payload
param1=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2¶m2=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2
这里也可以直接用python调用open并读取文件来传参
image.png
import requests url = 'http://39.107.33.96:10000/' S = requests.Session() p1 = 'QNKCDZO' p2 = 'aabg7XSs' data = {'param1':p1,'param2':p2} r = S.post(url,data = data) print r.text p1 = '111' p2 = '222' data = {'param1[]':p1,'param2[]':p2} r = S.post(url,data = data) print r.text p1 = open('1.bin') p2 = open('2.bin') data = {'param1':p1,'param2':p2} r = S.post(url,data = data) print r.text
a=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%00%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1U%5D%83%60%FB_%07%FE%A2
&b=M%C9h%FF%0E%E3%5C%20%95r%D4w%7Br%15%87%D3o%A7%B2%1B%DCV%B7J%3D%C0x%3E%7B%95%18%AF%BF%A2%02%A8%28K%F3n%8EKU%B3_Bu%93%D8Igm%A0%D1%D5%5D%83%60%FB_%07%FE%A2